WEBVTT 00:01.481 --> 00:03.203 - The Subcommittee will come to order. 00:04.769 --> 00:06.919 I wanna welcome everyone to today's hearing 00:07.840 --> 00:10.320 on the fiscal year 2020 budget request 00:10.320 --> 00:12.320 for the military operations in cyberspace. 00:12.320 --> 00:15.040 I was unavoidably detained, so I apologize 00:15.040 --> 00:16.640 to everyone for making you wait, 00:16.640 --> 00:18.940 but I'm glad we can get this underway. 00:18.940 --> 00:21.360 Technology and the internet have fundamentally 00:21.360 --> 00:24.740 changed how citizens, the nation, the military, 00:24.740 --> 00:27.120 and our adversaries in the world operate. 00:27.120 --> 00:29.650 We have more access to information, 00:29.650 --> 00:34.180 and lower barriers to conduct commerce. 00:34.180 --> 00:36.760 We collectively benefit from the opportunities afforded 00:36.760 --> 00:38.820 by the technology that we incorporate 00:38.820 --> 00:40.520 into our lives, however, 00:40.520 --> 00:42.070 the connections that we rely on 00:42.070 --> 00:45.560 also create vulnerabilities and new potential avenues 00:45.560 --> 00:47.520 for our adversaries to exploit 00:47.520 --> 00:49.063 at our nation's expense. 00:50.100 --> 00:53.030 Cyber, as we understand, and in government, 00:53.030 --> 00:55.990 will always be something that creates risk 00:55.990 --> 00:59.670 to along with it's great promise. 00:59.670 --> 01:02.380 The issues that stem from our increasing dependence 01:02.380 --> 01:05.470 on technology would never be purely military 01:05.470 --> 01:08.170 or solely for the military to solve. 01:08.170 --> 01:11.110 Technology has increased the interconnectedness 01:11.110 --> 01:14.930 of our society and the problems that have come with it 01:14.930 --> 01:18.220 will only be solved with interconnected 01:18.220 --> 01:20.330 interdisciplinary approaches. 01:20.330 --> 01:24.320 The department will have to work in new ways 01:24.320 --> 01:26.340 with stakeholders from agencies 01:26.340 --> 01:27.980 as varied as the Department of Commerce 01:27.980 --> 01:29.560 and the Department of Education, 01:29.560 --> 01:31.580 and with non-governmental stakeholders 01:31.580 --> 01:34.403 such as private industry and academia. 01:36.170 --> 01:38.780 The executive branch will have to work diligently 01:38.780 --> 01:42.120 to address and solve the cyber challenges 01:42.120 --> 01:43.570 facing the nation. 01:43.570 --> 01:47.420 Yet this administration has taken actions 01:47.420 --> 01:49.990 that call into question the seriousness 01:49.990 --> 01:53.550 with which it views this emerging domain. 01:53.550 --> 01:55.470 Most notably the administration eliminated 01:55.470 --> 01:57.460 the cybersecurity coordinator position 01:57.460 --> 02:00.420 at the National Security Council. 02:00.420 --> 02:04.280 Relatedly, there are several documents 02:04.280 --> 02:07.280 pertaining to cyber that Congress has repeatedly 02:07.280 --> 02:09.430 requested from the administration 02:09.430 --> 02:11.810 and is yet to receive. 02:11.810 --> 02:13.310 This includes recent guidance 02:13.310 --> 02:15.860 pertaining to operations in cyberspace. 02:15.860 --> 02:17.450 Such documents are important 02:17.450 --> 02:20.560 to creating a congressional framework for oversight. 02:20.560 --> 02:23.000 Withholding these critical documents 02:23.000 --> 02:24.890 from Congress impacts our ability 02:26.831 --> 02:30.453 to appropriately support, and the command, 02:32.250 --> 02:34.880 and may have far-reaching consequences 02:34.880 --> 02:38.080 for the National Defense Authorization Act. 02:38.080 --> 02:40.200 At the cabinet level, the Department of Defense, 02:40.200 --> 02:44.120 the U.S. Cyber Command have no shortage of challenges 02:44.120 --> 02:46.830 in front of them, issues that often develop 02:46.830 --> 02:51.540 and change as fast at the technological landscape. 02:51.540 --> 02:53.790 Today we'll hear about some of the challenges 02:53.790 --> 02:56.480 including personnel recruitment and retention 02:56.480 --> 02:59.040 as well as efforts to protect critical infrastructure 02:59.040 --> 03:02.070 in tandem with domestically oriented 03:02.070 --> 03:04.083 departments and agencies. 03:06.880 --> 03:08.910 The Cyber Mission Force achieved full 03:08.910 --> 03:11.080 operational capability last year. 03:11.080 --> 03:13.200 Now this was a notable event, 03:13.200 --> 03:15.140 but it would be a mistake to assume 03:15.140 --> 03:18.430 that FOC is synonymous with readiness. 03:18.430 --> 03:21.670 We must begin to examine the differing standards 03:21.670 --> 03:25.550 by which the services are training their teams 03:25.550 --> 03:28.560 and whether Cybercom is adequately fulfilling 03:28.560 --> 03:30.840 its mandate to set training standards 03:30.840 --> 03:32.430 and ensure compliance. 03:32.430 --> 03:36.040 Readiness is especially important in the context 03:36.040 --> 03:38.730 of the current strategic landscape 03:38.730 --> 03:42.430 which has evolved significantly over the last year. 03:42.430 --> 03:45.720 In the fall, the DoD released a new Cyber Strategy 03:45.720 --> 03:48.980 that articulated the intent to defend forward 03:48.980 --> 03:53.060 and operate across the full spectrum of conflict 03:53.060 --> 03:54.660 through persistent engagement. 03:54.660 --> 03:58.430 DoD also completed the inaugural cyber posture review. 03:58.430 --> 04:00.120 Under the auspices of new guidance 04:00.120 --> 04:03.300 from the administration and the new DoD strategy, 04:03.300 --> 04:05.240 Cybercom played a crucial role 04:05.240 --> 04:10.040 in defending the 2018 elections from interference. 04:10.040 --> 04:11.780 The military's actions in cyberspace 04:11.780 --> 04:14.020 were also enabled by multiple provisions 04:14.020 --> 04:17.590 in the fiscal year 2019 National Defense Authorization Act. 04:17.590 --> 04:19.930 This includes the provision recognizing activities 04:19.930 --> 04:23.933 conducted in cyberspace as traditional military activities. 04:25.040 --> 04:29.870 The FY19 NDAA also allowed the National Command Authority 04:29.870 --> 04:32.610 to take direct and proportional action in cyberspace 04:32.610 --> 04:35.190 against Russia, China, North Korea, and Iran, 04:35.190 --> 04:37.530 upon determination of a cyber attack 04:37.530 --> 04:40.200 against the homeland or U.S. citizens. 04:40.200 --> 04:42.520 Congress and this subcommittee will continue 04:42.520 --> 04:44.550 to support military operations 04:44.550 --> 04:47.060 and provide the legal authority to enable Cybercom 04:47.060 --> 04:50.120 success against adversaries in cyberspace. 04:50.120 --> 04:52.100 However we will also remain judicious 04:52.100 --> 04:54.320 in our oversight responsibilities 04:54.320 --> 04:56.070 to ensure that the department operates 04:56.070 --> 04:58.940 in a manner that enhances stability in cyberspace 04:58.940 --> 05:02.500 and that it's consistent with both congressional intent 05:02.500 --> 05:04.070 and American values. 05:04.070 --> 05:05.890 So I commend Cybercom for its efforts 05:05.890 --> 05:08.620 during the 2018 elections, however, as a nation, 05:08.620 --> 05:10.363 we can never rest on our laurels. 05:11.425 --> 05:13.960 We need to examine the strategic impacts 05:13.960 --> 05:18.960 that Cybercom operations and other whole-of-government 05:20.670 --> 05:25.150 efforts had on an act of seeking to interfere 05:25.150 --> 05:26.940 in our elections. 05:26.940 --> 05:28.850 Much like the traditional battlefield, 05:28.850 --> 05:31.010 we must measure the impact of our operations 05:31.010 --> 05:33.120 to assess our warfighting effectiveness 05:33.120 --> 05:35.560 toward the larger objectives, 05:35.560 --> 05:36.840 ensure that our strategic vision 05:36.840 --> 05:41.640 reflects the realities of our engagement in cyberspace. 05:41.640 --> 05:43.770 Cybercom's ability to execute its operations 05:43.770 --> 05:47.040 is closely tied to and enabled by partnership 05:47.040 --> 05:48.960 with the National Security Agency. 05:48.960 --> 05:51.840 These organizations will always have a robust partnership 05:51.840 --> 05:53.637 given the dynamism of cyberspace 05:53.637 --> 05:57.080 and NSA's deep expertise and enabling role 05:57.080 --> 05:59.950 in military cyberspace operations. 05:59.950 --> 06:04.030 At this time there is still one individual 06:04.030 --> 06:06.200 that leads both of these organizations. 06:06.200 --> 06:07.830 This arrangement is quite unique 06:07.830 --> 06:10.370 within the national security establishment 06:10.370 --> 06:12.010 and the intelligence community. 06:12.010 --> 06:15.810 However, this arrangement allows for the CMF to mature, 06:15.810 --> 06:19.690 enables better synchronization of cyberspace operations 06:19.690 --> 06:24.387 and permits proper consideration of the intelligence 06:24.387 --> 06:27.510 and military objectives in the domain. 06:27.510 --> 06:30.340 Before any significant changes are implemented 06:30.340 --> 06:32.250 in the dual hat arrangement, 06:32.250 --> 06:35.120 this subcommittee expects a robust understanding 06:35.120 --> 06:37.320 of how and why it is necessary 06:37.320 --> 06:41.210 to split the leadership function of NSA director 06:41.210 --> 06:43.250 and Cybercom commander. 06:43.250 --> 06:44.930 I believe it would be premature 06:44.930 --> 06:48.133 to split these organizations in the immediate future. 06:49.303 --> 06:51.570 Cybercom is a maturing organization 06:51.570 --> 06:55.090 and I'm proud of the work that we have done 06:55.090 --> 06:58.760 on the subcommittee to support its maturation. 06:58.760 --> 07:01.030 I have often said that we will never again 07:01.030 --> 07:04.140 see modern warfare without a cyber component. 07:04.140 --> 07:06.730 So Cybercom's continued development 07:06.730 --> 07:09.260 will remain an urgent priority. 07:09.260 --> 07:12.970 But it is therefore important that we build 07:12.970 --> 07:17.970 for the long term with it's sustainable scalable approaches 07:18.900 --> 07:22.080 to integrating Cybercom into DoD operations 07:22.080 --> 07:23.940 and into our whole-of-government approach 07:23.940 --> 07:26.600 to protecting our nation in cyberspace. 07:26.600 --> 07:29.860 This is no small task, especially given the the newness 07:29.860 --> 07:31.560 of this domain. 07:31.560 --> 07:34.390 But working together with full transparency, 07:34.390 --> 07:39.390 I'm confident that we can head off any problems early 07:39.400 --> 07:41.780 and ensure that we reap the benefits 07:41.780 --> 07:44.720 of a free, open, and interoperable, 07:44.720 --> 07:45.973 and secure internet. 07:46.870 --> 07:49.510 Before I close, I wanna just introduce 07:49.510 --> 07:54.510 our two witnesses, which I will do in in just a minute, 07:54.860 --> 07:59.820 but before I do that I'm going to turn it over 07:59.820 --> 08:04.530 to the Ranking Member for her comments. 08:04.530 --> 08:05.740 - Thank you Chairman Langevin. 08:05.740 --> 08:08.070 Welcome to our witnesses, Secretary Rapuano, 08:08.070 --> 08:09.610 welcome back to the committee, 08:09.610 --> 08:12.650 and General Nakasone, welcome to your first Posture Hearing 08:12.650 --> 08:15.700 since assuming command in May of last year. 08:15.700 --> 08:18.770 It is fitting that we begin our fiscal year 2020 08:18.770 --> 08:21.500 Posture Hearing series with cyber policy, 08:21.500 --> 08:23.720 and U.S. Cyber Command, given the importance 08:23.720 --> 08:26.500 of this topic to our overall national security, 08:26.500 --> 08:29.010 and indeed our society as a whole. 08:29.010 --> 08:30.620 The Director of National Intelligence, 08:30.620 --> 08:34.040 in his most recent worldwide threats assessment 08:34.040 --> 08:37.427 stated, quote, "At present, China and Russia 08:37.427 --> 08:41.077 "pose the greatest espionage and cyber attack threats, 08:41.077 --> 08:43.737 "but we anticipate that all our adversaries 08:43.737 --> 08:46.837 "and strategic competitors will increasingly build 08:46.837 --> 08:49.537 "and integrate cyber espionage, attack, 08:49.537 --> 08:51.697 "and influence campaigns into their efforts 08:51.697 --> 08:54.027 "to influence U.S. policies, 08:54.027 --> 08:56.880 "and advance their own national security interests," 08:56.880 --> 08:58.040 end quote. 08:58.040 --> 09:00.150 In our oversight role as a subcommittee, 09:00.150 --> 09:02.920 we have seen China and Russia aggressively leverage 09:02.920 --> 09:04.800 and integrate cyber information 09:04.800 --> 09:08.540 and communications technologies in a seamless way 09:08.540 --> 09:11.420 while also utilizing top-down government-driven 09:11.420 --> 09:13.200 agendas and strategies. 09:13.200 --> 09:16.500 As I have said before, dictators have that advantage, 09:16.500 --> 09:18.980 and their use of technologies and information 09:18.980 --> 09:21.300 is as much about exerting control 09:21.300 --> 09:23.020 over their own populations 09:23.020 --> 09:26.310 as it is confronting free societies like ours. 09:26.310 --> 09:28.710 Since our last Cyber Command Posture Hearing 09:28.710 --> 09:30.490 and over the course of the last year, 09:30.490 --> 09:31.550 a lot has happened. 09:31.550 --> 09:32.870 Given this, I consider us to be 09:32.870 --> 09:35.000 at a major inflection point. 09:35.000 --> 09:37.430 We have seen Cyber Command fully elevated 09:37.430 --> 09:39.350 as a functional combatant command 09:39.350 --> 09:40.840 and the force has achieved 09:40.840 --> 09:43.870 full operational capability or FOC. 09:43.870 --> 09:47.390 Recent changes to presidential cyber policies 09:47.390 --> 09:50.320 and strategies as well as authorities 09:50.320 --> 09:53.600 granted in the NDAA, have focused the mission set, 09:53.600 --> 09:55.760 yielded impressive operational results, 09:55.760 --> 09:58.880 and postured our nation for strategic challenges ahead. 09:58.880 --> 10:01.310 And while we have seen these successes, 10:01.310 --> 10:03.610 the DNI's recent testimony reminds us 10:03.610 --> 10:07.630 that our adversaries are not giving us any room to breathe. 10:07.630 --> 10:09.090 Case in point, while many 10:09.090 --> 10:10.860 of our recent operational successes 10:10.860 --> 10:14.280 have been related to securing our 2018 midterm elections, 10:14.280 --> 10:17.210 I can assure you that the adversarial influence campaign 10:17.210 --> 10:20.280 for the 2020 elections is already underway. 10:20.280 --> 10:22.540 Further while most of our cyber forces 10:22.540 --> 10:24.520 are fully capable on paper, 10:24.520 --> 10:27.150 they are not fully ready in practice. 10:27.150 --> 10:29.610 Standards and capabilities have yet to be defined 10:29.610 --> 10:32.240 and understood across each of the services. 10:32.240 --> 10:34.090 Relationships and responsibilities 10:34.090 --> 10:37.000 are still being worked out between cyber command, 10:37.000 --> 10:40.420 regional combatant commanders, and each of the services. 10:40.420 --> 10:42.310 In short we continue to mature, 10:42.310 --> 10:45.510 and the road ahead to true cyber readiness remains long. 10:45.510 --> 10:47.840 I am confident that our witnesses before us today 10:47.840 --> 10:49.500 fully understand these challenges 10:49.500 --> 10:51.390 and I look forward to our dialogue. 10:51.390 --> 10:53.930 It's worth noting that our military cyber forces 10:53.930 --> 10:57.010 are only as good as the technology they depend on, 10:57.010 --> 10:59.860 and if we don't concurrently modernize 10:59.860 --> 11:02.530 our information and communication technologies 11:02.530 --> 11:05.330 across the department, we will continue along 11:05.330 --> 11:08.280 with one hand tied behind our back. 11:08.280 --> 11:09.590 And when I think about the promise 11:09.590 --> 11:12.260 of emerging and revolutionary technologies 11:12.260 --> 11:15.370 such as artificial intelligence, 5G, 11:15.370 --> 11:18.540 high-performing computing, and even quantum computing, 11:18.540 --> 11:21.010 my enthusiasm is unfortunately dampened 11:21.010 --> 11:23.480 when I am reminded of our Achilles heel 11:23.480 --> 11:25.130 that is the department's outdated 11:25.130 --> 11:27.700 and vulnerable IT infrastructure. 11:27.700 --> 11:29.980 So in our conversation today, and moving forward 11:29.980 --> 11:32.410 as we build the National Defense Authorization Act 11:32.410 --> 11:35.950 for FY20, we must continually keep in mind 11:35.950 --> 11:38.950 that IT modernization, cybersecurity, 11:38.950 --> 11:41.980 and information assurance, are primary prerequisites 11:42.930 --> 11:45.990 for the future of warfare, where information and data 11:45.990 --> 11:48.700 are strategic resources to be fully protected, 11:48.700 --> 11:50.400 preserved, and enabled. 11:50.400 --> 11:53.710 The department can and must do better in this area. 11:53.710 --> 11:56.010 As before, I trust each of our witnesses here today 11:56.010 --> 11:57.850 understand these challenges. 11:57.850 --> 11:59.940 Lastly, I would be remiss if I didn't mention 11:59.940 --> 12:01.750 the importance of congressional oversight 12:01.750 --> 12:04.900 of current operations including cyber operations. 12:04.900 --> 12:06.950 Now, more than ever, it is critical 12:06.950 --> 12:09.720 that the DoD communicates with this committee 12:09.720 --> 12:12.820 early and often on all aspects of cyber operations 12:12.820 --> 12:15.010 and related intelligence activities. 12:15.010 --> 12:17.300 This will ensure that we, as your principal 12:17.300 --> 12:20.600 oversight committee, remain fully and currently informed 12:20.600 --> 12:22.510 so that we can resource you properly 12:22.510 --> 12:24.170 and provide relevant authorities 12:24.170 --> 12:26.510 that allow us to stay well ahead 12:26.510 --> 12:29.730 of our adversaries in cyberspace and information warfare. 12:29.730 --> 12:31.400 I look forward to talking about that 12:31.400 --> 12:33.160 in our closed classified session. 12:33.160 --> 12:35.120 We have a lot to talk about, so again thank you 12:35.120 --> 12:37.213 and I yield back to Chairman Langevin. 12:38.285 --> 12:40.340 - Well, thank you Ranking Member. 12:40.340 --> 12:43.383 I want to now welcome our witnesses here today. 12:44.263 --> 12:46.460 Starting with Mr. Kenneth Rapuano, 12:46.460 --> 12:49.330 who serves as both the Assistant Secretary of Defense 12:49.330 --> 12:51.630 for Homeland Defense and Global Security, 12:51.630 --> 12:53.500 and as the principal cyber adviser 12:53.500 --> 12:55.970 to the Secretary of Defense. 12:55.970 --> 12:57.860 Prior to returning to government service, 12:57.860 --> 13:00.810 Mr. Rapuano worked for the federally funded 13:00.810 --> 13:03.400 research and development corporations 13:03.400 --> 13:07.060 focusing on issues related to homeland security, 13:07.060 --> 13:08.920 counterterrorism, and countering weapons 13:08.920 --> 13:10.100 of mass destruction. 13:10.100 --> 13:13.990 Mr. Rapuano served as the Deputy Homeland Security Advisor 13:13.990 --> 13:16.200 in the George W. Bush administration. 13:16.200 --> 13:18.240 He served 21 years in active duty 13:20.127 --> 13:22.690 and the reserve as a Marine Corps infantry 13:22.690 --> 13:23.980 and intelligence officer. 13:23.980 --> 13:28.513 And I want to welcome Mr. Rapuano here today. 13:29.800 --> 13:31.660 Also, General Paul Nakasone 13:31.660 --> 13:34.290 serves in three capacities currently, 13:34.290 --> 13:36.170 Commander of U.S. Cyber Command, 13:36.170 --> 13:38.250 Director of the National Security Agency, 13:38.250 --> 13:41.340 and the Chief of the Central Security Service. 13:41.340 --> 13:43.960 Before his current role, he commanded U.S. Army 13:43.960 --> 13:45.660 Cyber Command and has served 13:45.660 --> 13:47.770 as a career intelligence officer 13:47.770 --> 13:50.710 through his 32 years in uniform. 13:50.710 --> 13:52.290 This is General Nakasone's first appearance 13:52.290 --> 13:54.240 before the Subcommittee since assuming 13:54.240 --> 13:55.790 command of Cybercom. 13:55.790 --> 13:59.650 General Nakasone, it's a pleasure to welcome you here today 13:59.650 --> 14:02.520 and I thank both of you for your service 14:02.520 --> 14:06.913 to the country, and thank you again for being here today. 14:07.970 --> 14:10.700 As a reminder after this open session, 14:10.700 --> 14:13.860 we're gonna move into the, into room 2216 14:13.860 --> 14:17.163 for closed member only session. 14:18.060 --> 14:21.660 So with that, before opening statements though, 14:21.660 --> 14:25.630 I do have to note that Secretary Rapuano's statement 14:25.630 --> 14:27.570 was delivered only this morning. 14:27.570 --> 14:31.020 It's more than 40 hours past the committee rules deadline 14:31.020 --> 14:34.500 and only six hours before the start of this hearing. 14:34.500 --> 14:37.290 Getting the testimony that late 14:37.290 --> 14:40.020 does the Subcommittee a disservice 14:42.086 --> 14:44.300 and really it does the department disservice. 14:44.300 --> 14:45.410 I know that there's many hoops 14:45.410 --> 14:47.010 that you have to go through 14:47.010 --> 14:51.670 before the statement in the interagency is approved, 14:51.670 --> 14:56.670 but that's way past the time that's acceptable, 14:57.720 --> 15:00.450 especially given the importance of today's topic 15:00.450 --> 15:02.120 and the subcommittee's continued interest 15:02.120 --> 15:05.740 in advancing our nation's cyber capabilities. 15:05.740 --> 15:07.070 So although I'm going to allow 15:07.070 --> 15:08.270 for the reading of the statement today, 15:08.270 --> 15:10.680 in the future I expect full compliance 15:10.680 --> 15:13.610 with the committee rules as outlined by the staff, 15:13.610 --> 15:17.350 and as outlined in your official invitation letters. 15:17.350 --> 15:20.930 So with that, we'll now we hear from our witnesses 15:20.930 --> 15:21.763 and then we're gonna move 15:21.763 --> 15:23.470 to the question and answer period. 15:23.470 --> 15:25.470 Secretary Rapuano, we'll start with you. 15:26.530 --> 15:27.910 - Thank You Chairman Langevin, 15:27.910 --> 15:30.890 Ranking Member Stefanik, and members of the committee. 15:30.890 --> 15:33.230 I'm pleased to be here with General Nakasone, 15:33.230 --> 15:35.200 Commander of U.S. Cyber Command 15:35.200 --> 15:37.170 to report on the significant progress 15:37.170 --> 15:40.020 the Department of Defense has made over the last year 15:40.020 --> 15:44.140 in regard to cyber, and strategy, and operations. 15:44.140 --> 15:46.340 Over the last year, the department published 15:46.340 --> 15:49.610 a new, more proactive strategy for cyberspace 15:49.610 --> 15:52.010 and is moving forward with implementation 15:52.010 --> 15:54.430 of that strategy using the first ever 15:54.430 --> 15:57.250 Cyber Posture Review and the elevation 15:57.250 --> 15:59.200 of U.S. Cyber Command. 15:59.200 --> 16:00.980 Our new approach has been enabled 16:00.980 --> 16:03.700 by the issuance of new presidential guidance 16:03.700 --> 16:07.130 on cyberspace authorities and legislation. 16:07.130 --> 16:09.430 We leveraged all of these tools last year 16:09.430 --> 16:10.760 as we worked with our partners 16:10.760 --> 16:15.420 to ensure the security of the 2018 U.S. midterm elections. 16:15.420 --> 16:17.900 The DoD Cyber Strategy makes clear 16:17.900 --> 16:21.290 that the ongoing campaigns of malicious cyber activity 16:21.290 --> 16:24.320 conducted by states like China and Russia 16:24.320 --> 16:26.530 are a strategic threat. 16:26.530 --> 16:29.110 Our competitors are conducting long-term, 16:29.110 --> 16:31.540 strategically focused campaigns 16:31.540 --> 16:34.460 in and through cyberspace, that include stealing 16:34.460 --> 16:36.950 sensitive Department of Defense information 16:36.950 --> 16:39.310 to undermine our military advantages 16:39.310 --> 16:42.180 and place our critical infrastructure at risk. 16:42.180 --> 16:45.080 For this reason, DoD Cyber Strategy 16:45.080 --> 16:48.380 embraces a proactive and assertive approach 16:48.380 --> 16:50.520 during day-to-day competition 16:50.520 --> 16:54.420 to deter, disrupt, and defeat these threats. 16:54.420 --> 16:56.670 Our systems must be cyber hardened, 16:56.670 --> 16:58.920 resilient, and secure. 16:58.920 --> 17:01.440 We must defend national critical infrastructure 17:01.440 --> 17:03.840 from attacks, a new area of emphasis 17:03.840 --> 17:05.640 for the Department of Defense, 17:05.640 --> 17:08.350 and secure Department of Defense information 17:08.350 --> 17:10.220 wherever it resides. 17:10.220 --> 17:14.310 The strategy prioritizes expanding cyber cooperation 17:14.310 --> 17:18.270 with our interagency, industry, and international partners 17:18.270 --> 17:20.500 to advance our mutual interests. 17:20.500 --> 17:22.450 The Defense Cyber Strategy mandates 17:22.450 --> 17:24.850 that the Department of Defense cyber space forces 17:24.850 --> 17:28.020 must be defending forward, disrupting threats 17:28.020 --> 17:31.020 at the source before they reach U.S. networks. 17:31.020 --> 17:33.410 The department must routinely operate 17:33.410 --> 17:36.580 in non-US networks in order to observe threats 17:36.580 --> 17:40.053 as they are forming and have the ability to disrupt them. 17:41.110 --> 17:43.940 This is critical to increasing military readiness. 17:43.940 --> 17:46.820 We cannot be fully prepared to take effective action 17:46.820 --> 17:49.880 in a potential conflict unless we have already developed 17:49.880 --> 17:52.520 the tools, accesses, and experience 17:52.520 --> 17:54.560 through our actions day-to-day. 17:54.560 --> 17:56.500 We have worked in partnership with Congress 17:56.500 --> 17:58.610 to ensure that the authorities and policies 17:58.610 --> 18:02.510 currently in place governing cyberspace operations 18:02.510 --> 18:04.730 enable our strategic approach to competing 18:04.730 --> 18:06.820 and prevailing in this domain. 18:06.820 --> 18:08.790 Several changes during 2018 18:08.790 --> 18:10.960 have been particularly impactful. 18:10.960 --> 18:12.850 This includes the president's approval 18:12.850 --> 18:16.840 of an updated policy on U.S. cyber operations. 18:16.840 --> 18:21.060 The 2019 NDAA affirms the president's authority 18:21.060 --> 18:25.280 to counteractive systemic and ongoing campaigns 18:25.280 --> 18:27.680 in cyberspace by our adversaries 18:27.680 --> 18:30.670 against the government and people of the United States 18:30.670 --> 18:33.960 as well as clarifies that certain cyber operations 18:33.960 --> 18:37.690 and activities are traditional military activities. 18:37.690 --> 18:40.160 Thank you very much for your support. 18:40.160 --> 18:43.450 We have also focused on how our cyber forces operate 18:43.450 --> 18:44.620 in the homeland. 18:44.620 --> 18:47.860 For example, we are currently reissuing a memorandum 18:47.860 --> 18:50.350 detailing how National Guard personnel 18:50.350 --> 18:53.880 can use certain DoD information, networks, 18:53.880 --> 18:57.980 software, and hardware for cyberspace op activities 18:57.980 --> 18:59.800 in state status. 18:59.800 --> 19:01.950 We have also devoted focused attention 19:01.950 --> 19:05.340 during the last year to building and enhancing 19:05.340 --> 19:08.070 our relationships with other U.S.government department 19:08.070 --> 19:12.210 and agencies, industry, and our allies and partners. 19:12.210 --> 19:14.920 Last year the department signed a Joint Memorandum 19:14.920 --> 19:17.720 of Understanding with the Department of Homeland Security 19:17.720 --> 19:20.550 detailing how our two departments can cooperate 19:20.550 --> 19:22.670 in order to secure and defend the homeland 19:22.670 --> 19:24.390 from cyber threats. 19:24.390 --> 19:26.710 The theft of sensitive DoD information 19:26.710 --> 19:28.650 from our Defense Industrial Base 19:28.650 --> 19:31.610 is something that puts our future military technological 19:31.610 --> 19:33.310 advantage at risk. 19:33.310 --> 19:36.270 DoD is intensifying its efforts with industry 19:36.270 --> 19:38.140 and across the U.S.government 19:38.140 --> 19:40.710 to implement cybersecurity protections 19:40.710 --> 19:42.850 and to share cyber threat information 19:42.850 --> 19:44.700 with our DIB partners. 19:44.700 --> 19:46.410 The department continues to work 19:46.410 --> 19:47.780 to strengthen the capacity 19:47.780 --> 19:50.200 of our international allies and partners 19:50.200 --> 19:52.940 to increase DoD's ability to leverage its partners' 19:52.940 --> 19:56.860 unique skills, resources, capabilities, and perspectives, 19:56.860 --> 19:59.360 to enhance our cybersecurity posture. 19:59.360 --> 20:01.430 We advocate for our allies and partners 20:01.430 --> 20:05.000 to secure their telecom networks and supply chains. 20:05.000 --> 20:07.610 We are also pressing our global partners 20:07.610 --> 20:11.460 to hold states that are acting irresponsibly in cyberspace, 20:11.460 --> 20:13.410 accountable for their actions. 20:13.410 --> 20:16.080 The Cyber Posture Review identified gaps 20:16.080 --> 20:17.670 between where we are today 20:17.670 --> 20:20.840 and where we need to go to achieve our strategic objectives 20:20.840 --> 20:24.720 and drove the development of actionable lines of effort 20:24.720 --> 20:26.030 that are guiding the work 20:26.030 --> 20:28.410 of our principal cyber advisor team. 20:28.410 --> 20:30.500 For example the CPR made it clear 20:30.500 --> 20:32.800 that when it comes to cybersecurity, 20:32.800 --> 20:35.500 we need to more effectively prioritize 20:35.500 --> 20:37.220 how we are spending money, 20:37.220 --> 20:40.570 allocating resources, and how we recruit and retain 20:40.570 --> 20:42.510 the most qualified people. 20:42.510 --> 20:44.360 Our PCA team has also worked 20:44.360 --> 20:47.040 with the DoD Chief Information Officer 20:47.040 --> 20:48.940 to identify the top 10 areas 20:48.940 --> 20:51.060 where we face the greatest risk. 20:51.060 --> 20:53.330 We are currently working through pilot programs 20:53.330 --> 20:57.020 to complete and implement solutions for these challenges. 20:57.020 --> 20:58.240 Another new department initiative 20:58.240 --> 21:01.660 is the Protecting Critical Technology Task Force, 21:01.660 --> 21:04.290 established last year to integrate and accelerate 21:04.290 --> 21:07.740 the disparate DoD technology protection activities 21:07.740 --> 21:09.500 occurring across the department, 21:09.500 --> 21:11.540 and develop new innovative solutions 21:11.540 --> 21:13.950 for currently unaddressed problems. 21:13.950 --> 21:17.200 In conclusion, our new strategy has provided us 21:17.200 --> 21:20.730 with a roadmap for achieving our objectives in cyberspace 21:20.730 --> 21:22.770 which we are rapidly implementing. 21:22.770 --> 21:25.090 We have expanded authorities that enable our mission 21:25.090 --> 21:27.490 to defend forward and we are doubling down 21:27.490 --> 21:30.280 on collaborating with other departments and agencies, 21:30.280 --> 21:33.600 industry, and international partners and allies. 21:33.600 --> 21:35.300 I look forward to working with you 21:35.300 --> 21:36.960 and our critical stakeholders 21:36.960 --> 21:39.360 to ensure that the United States military 21:39.360 --> 21:43.310 will continue to compete, deter, and win in cyberspace. 21:43.310 --> 21:44.143 Thank you. 21:47.600 --> 21:48.690 - Thank you Mr. Secretary. 21:48.690 --> 21:51.190 General Nakasone, the floor is yours. 21:51.190 --> 21:53.590 - Chairman Langevin, Ranking Member Stefanik, 21:53.590 --> 21:55.630 and distinguished members of the committee. 21:55.630 --> 21:57.770 Thank you for your enduring support 21:57.770 --> 21:59.170 and the opportunity to testify today 21:59.170 --> 22:00.760 about the hard-working men and women 22:00.760 --> 22:02.490 of the United States Cyber Command. 22:02.490 --> 22:03.780 I'm honored to lead them. 22:03.780 --> 22:05.930 I'm also honored to sit alongside 22:05.930 --> 22:08.430 Assistant Secretary of Defense Rapuano. 22:08.430 --> 22:10.330 As the commander of U.S. Cyber Command, 22:10.330 --> 22:12.650 I'm responsible for conducting full spectrum 22:12.650 --> 22:15.830 cyberspace operations supporting three mission areas, 22:15.830 --> 22:18.180 defend the nation against cyber threats, 22:18.180 --> 22:20.760 defend the Department of Defense information networks, 22:20.760 --> 22:23.390 and enable our joint force commanders 22:23.390 --> 22:25.780 in pursuit of their mission objectives. 22:25.780 --> 22:28.390 In the cyber domain we are in constant contact 22:28.390 --> 22:30.500 with our adversaries who continue to increase 22:30.500 --> 22:32.800 in sophistication and remain a threat 22:32.800 --> 22:34.290 to our national security interests 22:34.290 --> 22:36.070 and economic well-being. 22:36.070 --> 22:38.200 The National Security strategy highlighting the return 22:38.200 --> 22:41.330 of great power competition, beyond the near-peer competitors 22:41.330 --> 22:44.860 of China and Russia, rogue regimes like Iran and north Korea 22:44.860 --> 22:47.050 continue to grow their capabilities. 22:47.050 --> 22:49.470 Using aggressive methods, adversaries have, 22:49.470 --> 22:54.320 until recently, acted with little concern for consequences. 22:54.320 --> 22:56.640 The DoD's Cyber Strategy identifies the need 22:56.640 --> 22:58.920 to defend forward during day-to-day competition 22:58.920 --> 23:00.440 with our adversaries. 23:00.440 --> 23:02.650 This strategy aims to maintain our superiority 23:02.650 --> 23:04.350 in cyberspace through protection 23:04.350 --> 23:06.600 of our critical infrastructure and networks. 23:06.600 --> 23:08.900 At U.S. Cyber Command we implement the DoD strategy 23:08.900 --> 23:12.540 by adopting an approach of persistent engagement, 23:12.540 --> 23:15.470 persistent presence, and persistent innovation. 23:15.470 --> 23:16.950 This past year witnessed the elevation 23:16.950 --> 23:19.550 of U.S. Cyber Command to combatant command status, 23:19.550 --> 23:21.490 the opening of our integrated Cyber Center, 23:21.490 --> 23:23.460 and our shift from building the force 23:23.460 --> 23:25.350 to the readiness of the force. 23:25.350 --> 23:27.430 The defense of the 2018 midterm elections 23:27.430 --> 23:30.290 posed a significant strategic challenge to our nation. 23:30.290 --> 23:31.840 Ensuring a safe and secure election 23:31.840 --> 23:34.900 was our number-one priority, and drove me to establish 23:34.900 --> 23:38.200 a joint U.S. Cyber Command National Security Agency effort 23:38.200 --> 23:39.990 called the Russia Small Group. 23:39.990 --> 23:42.950 The Russia Small Group tested our new operational approach 23:42.950 --> 23:44.210 with direction from the President 23:44.210 --> 23:45.170 and the Secretary of Defense, 23:45.170 --> 23:47.210 the Russia Small Group enabled partnerships 23:47.210 --> 23:48.820 in action across the government 23:48.820 --> 23:50.730 to counter a strategic threat. 23:50.730 --> 23:52.430 Our response demonstrated the value 23:52.430 --> 23:55.200 of a tight-knit relationship between U.S.Cyber Command 23:55.200 --> 23:57.060 and the National Security Agency, 23:57.060 --> 23:59.910 bringing together intelligence, cyber capabilities, 23:59.910 --> 24:03.270 interagency partnerships, and our willingness to act. 24:03.270 --> 24:04.520 Through persistent engagement, 24:04.520 --> 24:06.870 we enabled critical interagency partners 24:06.870 --> 24:11.010 to act with unparalleled coordination and cooperation. 24:11.010 --> 24:12.617 Through persistent presence, U.S. Cyber Command 24:12.617 --> 24:15.400 and NSA contested adversarial actions, 24:15.400 --> 24:18.000 improving early warning and threat identification 24:18.000 --> 24:21.490 in support of DHS and the Federal Bureau of Investigation. 24:21.490 --> 24:24.260 Beyond the interagency we partnered and engaged with allies 24:24.260 --> 24:27.000 in public and private sectors to build resiliency. 24:27.000 --> 24:29.230 For the first time we sent our cyber warriors abroad 24:29.230 --> 24:32.690 to secure networks outside of the DoD information network. 24:32.690 --> 24:35.450 Our operations allowed us to identify and counter threats 24:35.450 --> 24:37.390 as they emerge to secure our own elections 24:37.390 --> 24:39.490 and prevent similar threats interfering 24:39.490 --> 24:41.700 in those of our partners and allies. 24:41.700 --> 24:42.960 The Russia Small Group effort 24:42.960 --> 24:44.500 demonstrated that persistent engagement, 24:44.500 --> 24:46.840 persistent presence, and persistent innovation 24:46.840 --> 24:48.360 enables success. 24:48.360 --> 24:51.423 Effective cyber defense requires a whole-of-nation effort. 24:52.460 --> 24:55.390 Our actions are impacting our adversaries. 24:55.390 --> 24:57.260 Our shift in approach allows us to sustain 24:57.260 --> 24:59.610 key competitive advantages while increasing 24:59.610 --> 25:01.450 our cyber capabilities. 25:01.450 --> 25:02.910 As we review lessons learned 25:02.910 --> 25:05.910 from securing the 2018 midterm elections, 25:05.910 --> 25:08.390 we are now focused on potential threats 25:08.390 --> 25:10.360 we could face in 2020. 25:10.360 --> 25:12.610 Looking forward, we need to continue to build 25:12.610 --> 25:16.440 a Warrior Ethos similar to other warfighting domains. 25:16.440 --> 25:18.730 Cyber warriors are, and will continue to be, 25:18.730 --> 25:21.700 in constant contact with our adversaries. 25:21.700 --> 25:24.300 There are no operational pauses or sanctuaries. 25:24.300 --> 25:27.490 We must ensure sufficient capacity and capability, 25:27.490 --> 25:30.400 people, technology, and infrastructure, 25:30.400 --> 25:32.803 which we are decisively focused on now. 25:33.670 --> 25:35.300 Through persistent presence, we are building 25:35.300 --> 25:37.870 a team of partners that enable us and them 25:37.870 --> 25:39.770 to act more effectively. 25:39.770 --> 25:42.350 The complex and rapid pace of change in this environment 25:42.350 --> 25:44.810 requires us to leverage cyber expertise 25:44.810 --> 25:47.280 broadly across public and private sectors, 25:47.280 --> 25:49.630 academia, and industry. 25:49.630 --> 25:51.870 Therefore, we aspire to increase our effectiveness 25:51.870 --> 25:54.910 and capabilities through persistent innovation 25:54.910 --> 25:56.513 across these partnerships. 25:57.450 --> 25:59.370 Cyber defense is a team effort. 25:59.370 --> 26:01.610 Critical teammates such as the National Guard and Reserve 26:01.610 --> 26:03.730 are integral parts of our cyber force. 26:03.730 --> 26:05.220 They provide strategic depth 26:05.220 --> 26:08.120 and provide the nation a reserve capacity 26:08.120 --> 26:10.310 of capable cyber warriors. 26:10.310 --> 26:14.210 Finally, improving readiness is my key focus area. 26:14.210 --> 26:16.360 I continue to work with the services and the department 26:16.360 --> 26:19.410 to accurately measure and maintain readiness, 26:19.410 --> 26:21.990 manning, training, equipping, in an ability 26:21.990 --> 26:23.760 to perform the mission. 26:23.760 --> 26:26.120 After our year of change and progress, 26:26.120 --> 26:29.290 we see 2019 as a year of opportunity. 26:29.290 --> 26:32.490 We have much work ahead of us as Cybercom matures. 26:32.490 --> 26:34.610 I assure you that our people merit the trust 26:34.610 --> 26:37.150 you have placed in them, and that with your support 26:37.150 --> 26:40.450 they will accomplish the task that our nation expects. 26:40.450 --> 26:42.530 Thank you again for inviting me here. 26:42.530 --> 26:44.070 on behalf of U.S. Cyber Command, 26:44.070 --> 26:45.900 and for your continued support. 26:45.900 --> 26:47.550 I look forward to your questions. 26:49.560 --> 26:50.460 - Thank you General. 26:50.460 --> 26:52.550 I wanna thank both General Nakasone 26:52.550 --> 26:55.203 and Secretary Rapuano for your testimony. 26:56.810 --> 26:58.410 We're gonna now go to questions 26:59.868 --> 27:03.000 and we'll, myself and then the Ranking Member 27:03.000 --> 27:04.890 and then we'll go to members in the order 27:04.890 --> 27:07.743 of their appearance according to seniority. 27:08.690 --> 27:10.323 General, let me start with you. 27:11.670 --> 27:13.230 You assessed one year ago 27:13.230 --> 27:18.217 that the Senate Armed Services Committee, 27:19.060 --> 27:21.600 that the Cyber Mission Force 27:21.600 --> 27:25.130 and all of its 133 of its teams 27:25.130 --> 27:28.954 would be fully operation and capable 27:28.954 --> 27:33.954 by June of 2018, yet given the different training regimes, 27:34.320 --> 27:36.230 of the services, they're a difference 27:36.230 --> 27:39.250 among the teams themselves. 27:39.250 --> 27:43.990 So I just wanted to say, how do you set performance metrics 27:43.990 --> 27:47.227 for the 133 teams within the Cyber Mission Force 27:47.227 --> 27:52.040 and how does Cyber Command assess and measure 27:52.040 --> 27:53.993 the readiness of all of its teams? 27:55.530 --> 27:58.300 - Chairman, with regards to readiness, 27:58.300 --> 28:00.790 we take a look at two factors. 28:00.790 --> 28:04.370 First of all a measure of quantity, 28:04.370 --> 28:06.820 and secondly a measure of quality. 28:06.820 --> 28:09.050 The measure of quantity is very familiar 28:09.050 --> 28:11.850 to all of the military services. 28:11.850 --> 28:15.930 It's the manning, the training, the equipping of a force. 28:15.930 --> 28:17.790 It's very easy to calculate it, 28:17.790 --> 28:21.140 it's one that our services excel at. 28:21.140 --> 28:22.950 One of the things that we have done 28:22.950 --> 28:24.910 at U.S. Cyber Command is establish 28:24.910 --> 28:27.150 a joint training standard. 28:27.150 --> 28:29.410 That's very important to get at the point of your question 28:29.410 --> 28:32.300 with regards to leveling the playing field. 28:32.300 --> 28:34.450 One joint standard is important 28:34.450 --> 28:36.930 for all our teams to be able to operate under. 28:36.930 --> 28:38.700 So whether or not it's a Marine team, 28:38.700 --> 28:41.030 an Army team, an Air Force team, 28:41.030 --> 28:43.130 that same training standard has been established 28:43.130 --> 28:44.303 by U.S. Cyber Command. 28:45.150 --> 28:47.297 I mentioned the quantity aspect, let me, 28:47.297 --> 28:49.720 let me now shift to the quality aspect 28:49.720 --> 28:51.620 of how we measure readiness. 28:51.620 --> 28:53.900 We can have all the teams that are fully manned, 28:53.900 --> 28:55.890 fully equipped, and fully trained, 28:55.890 --> 28:57.550 but if you don't have the access, 28:57.550 --> 28:58.810 if you don't have the authorities, 28:58.810 --> 29:00.100 if you don't have the intelligence, 29:00.100 --> 29:01.350 if you don't have the platform, 29:01.350 --> 29:02.650 if you don't have the capabilities 29:02.650 --> 29:04.500 to accomplish your mission, that's something 29:04.500 --> 29:06.440 in cyberspace that puts uniquely 29:06.440 --> 29:08.660 in a very, very difficult position. 29:08.660 --> 29:11.390 So I see that measurement of both quality and quantity 29:11.390 --> 29:14.190 as something we will continue to work towards 29:14.190 --> 29:15.670 at U.S. Cyber Command. 29:27.180 --> 29:32.180 - Let me ask this other follow up question. 29:33.550 --> 29:37.433 So how do you ensure that the teams 29:39.830 --> 29:42.270 also are continuously trained 29:42.270 --> 29:45.670 and then certified and recertified 29:45.670 --> 29:49.749 and prepared for the missions that the individual 29:49.749 --> 29:51.400 and the team levels. 29:51.400 --> 29:56.080 Since we can't believe that it's one and done in there 29:56.080 --> 29:59.263 once it's certified, but again, the recertification process. 30:01.546 --> 30:03.730 - Chairman, I think you're speaking of collective training, 30:03.730 --> 30:05.470 as we take a look at how our teams 30:05.470 --> 30:07.580 are able to perform together. 30:07.580 --> 30:10.440 We evaluate that through a number of different mannerisms. 30:10.440 --> 30:12.980 First of all, the ability to do a real world mission, 30:12.980 --> 30:15.340 being able to evaluate what they are doing 30:15.340 --> 30:16.630 on a daily basis. 30:16.630 --> 30:18.140 Also within exercise. 30:18.140 --> 30:20.570 We have a series of exercises that are set up 30:20.570 --> 30:23.670 where we're able to measure the training standard 30:23.670 --> 30:24.880 of that team. 30:24.880 --> 30:28.370 And then finally we set parameters 30:28.370 --> 30:33.090 in terms of ensuring each team has annual evaluations 30:33.090 --> 30:34.700 by third parties. 30:34.700 --> 30:36.090 This is something that we've instituted 30:36.090 --> 30:37.630 over the past several months. 30:37.630 --> 30:40.020 I think it's very effective in terms of being able 30:40.020 --> 30:42.450 to take a snapshot in time. 30:42.450 --> 30:44.947 However, with that being said, let me make sure, 30:44.947 --> 30:47.850 and I reiterate, the teams that we have today 30:47.850 --> 30:49.120 are operating every single day 30:49.120 --> 30:50.710 against our adversaries. 30:50.710 --> 30:52.690 They're very, very capable people 30:52.690 --> 30:54.770 and we will continue to measure their capability, 30:54.770 --> 30:57.940 but one of the benefits of working at U.S. Cyber Command 30:57.940 --> 31:01.630 is there is never a lack of training opportunities, 31:01.630 --> 31:03.343 it's real world every single day. 31:04.530 --> 31:05.363 - Thank you. 31:06.860 --> 31:09.810 And again, to you General. 31:09.810 --> 31:11.400 In your prepared testimony you noted 31:11.400 --> 31:16.400 the incalculable value of the Cybercom/NSA relationship 31:16.630 --> 31:20.250 when discussing Joint task force areas. 31:20.250 --> 31:24.140 Last Wednesday, Defense One, though, ran a story 31:24.140 --> 31:26.320 that you recommended to then Secretary Mattis 31:26.320 --> 31:30.610 in August 2018, that NSA and Cybercom 31:30.610 --> 31:32.620 be split in 2020. 31:32.620 --> 31:35.093 Can you comment on the veracity of the story? 31:36.635 --> 31:39.970 And if the story is accurate, can you please 31:39.970 --> 31:42.593 explain your recommendations? 31:44.280 --> 31:46.790 - Chairman, a year ago when I testified 31:46.790 --> 31:48.400 for my confirmation hearings, 31:48.400 --> 31:51.180 one of the points that I made, 31:51.180 --> 31:52.860 in both the Senate Armed Services Committee 31:52.860 --> 31:54.970 and the Senate Select Committee on Intelligence 31:54.970 --> 31:58.080 was that in my first 90 days as both the commander 31:58.080 --> 32:00.330 and the director, I would conduct an assessment 32:00.330 --> 32:03.130 of the dual hat and provide those recommendations 32:03.130 --> 32:03.963 to the Secretary of Defense 32:03.963 --> 32:05.910 and the Chairman of the Joint Chiefs. 32:05.910 --> 32:08.320 I completed that assessment in August. 32:08.320 --> 32:10.960 Assessment was classified and was provided 32:10.960 --> 32:13.360 to the secretary and the chairman. 32:13.360 --> 32:15.290 I'm familiar with the article. 32:15.290 --> 32:18.560 I will tell you that the article is not accurate 32:18.560 --> 32:23.450 and that the topics and the actual facts behind that 32:25.300 --> 32:27.120 are classified, and so if I could save that 32:27.120 --> 32:29.620 perhaps for closed testimony. 32:29.620 --> 32:31.920 - Fair enough, thank you. 32:31.920 --> 32:34.670 We'll follow up on that then during the closed session. 32:35.660 --> 32:38.333 To Mr. Rapuano. 32:39.510 --> 32:44.510 Can you describe DoD, and specifically Cybercom support 32:45.640 --> 32:49.350 to homeland defense, specifically as it relates 32:49.350 --> 32:53.240 to the defending forward concept in the strategy? 32:53.240 --> 32:55.910 How is the department supporting DHS efforts 32:55.910 --> 32:58.630 in coordinating with FBI? 32:58.630 --> 33:00.530 And how does the department coordinate 33:00.530 --> 33:03.750 with the cyber security and infrastructure Security Agency 33:03.750 --> 33:06.570 at DHS, which is the the lead role, 33:06.570 --> 33:08.940 as the lead role in protecting civilian government 33:08.940 --> 33:12.563 and critical infrastructure? 33:13.610 --> 33:18.610 You know, I think it's important for people to understand. 33:19.180 --> 33:24.180 We talk about defending forward and being more proactive, 33:24.700 --> 33:27.670 who has responsibility for what though, 33:27.670 --> 33:30.520 what is critical infrastructure supposed to do 33:30.520 --> 33:31.860 on their own? 33:31.860 --> 33:34.040 What is DHS, what is their responsibility? 33:34.040 --> 33:39.040 And then also what is DoD, Cybercom, NSA's responsibility 33:39.730 --> 33:42.530 in all of this, and how does it fit together seamlessly? 33:43.720 --> 33:45.830 - Thank you Chairman Langevin. 33:45.830 --> 33:47.480 I would start by saying, of course, 33:47.480 --> 33:49.620 that the one mission that only DoD 33:49.620 --> 33:52.470 has the authority, capabilities, 33:52.470 --> 33:55.700 including the breadth and scope to conduct 33:55.700 --> 33:59.980 is warfighting overseas, addressing adversaries 33:59.980 --> 34:02.760 overseas and threats overseas. 34:02.760 --> 34:05.650 That said, we have a renewed focus 34:05.650 --> 34:08.893 on supporting our fellow agencies domestically. 34:09.770 --> 34:13.650 We really start that in a tri approach. 34:13.650 --> 34:16.140 First is sharing intelligence in warning, 34:16.140 --> 34:19.300 and we do that with the Department of Homeland Security 34:19.300 --> 34:23.450 and the FBI, and they provide that information, 34:23.450 --> 34:26.350 DHS to state and local governments, 34:26.350 --> 34:31.350 and the FBI to commercial and other entities. 34:32.580 --> 34:35.960 We defend forward in terms of identifying the source 34:35.960 --> 34:39.110 of malevolent cyber activities 34:39.110 --> 34:41.750 that are threatening U.S. critical infrastructure 34:41.750 --> 34:44.790 or other equities including malign influence type 34:44.790 --> 34:48.350 activities that were a significant concern 34:48.350 --> 34:50.770 during the recent elections process. 34:50.770 --> 34:53.960 We also have the defense support to civil authorities. 34:53.960 --> 34:58.470 As I noted in my statement, we have a memorandum 34:58.470 --> 35:01.620 of understanding with DHS to facilitate 35:01.620 --> 35:05.080 and expedite our defense support to civil authorities, 35:05.080 --> 35:08.070 including DHS, but other agencies as well, 35:08.070 --> 35:12.540 when they have needs that go beyond what their capacity is 35:12.540 --> 35:14.650 to respond to a particular circumstance 35:14.650 --> 35:17.183 or threat associated with cyber. 35:18.420 --> 35:20.970 So we are working closely with them. 35:20.970 --> 35:22.700 I met with their leadership this week. 35:22.700 --> 35:26.280 We meet routinely now to discuss how we move forward, 35:26.280 --> 35:28.130 to discuss priorities. 35:28.130 --> 35:30.050 We are adding details in terms 35:30.050 --> 35:32.550 of how we can facilitate and expedite 35:32.550 --> 35:35.650 different levels of support, how we can develop 35:35.650 --> 35:39.330 and maintain real-time full-time connectivity 35:39.330 --> 35:40.690 with the department. 35:40.690 --> 35:43.290 We have detailees who perform those kinds of roles 35:43.290 --> 35:45.400 and we're looking to instantiate it 35:45.400 --> 35:47.173 in the longer-term context. 35:48.850 --> 35:50.400 - Thank you Secretary. 35:50.400 --> 35:53.210 The chair now recognizes the Ranking Member for questions. 35:53.210 --> 35:54.043 - Thank you. 35:54.043 --> 35:55.610 Secretary Rapuano, you mentioned 35:55.610 --> 35:57.650 that the new cyber strategy highlights 35:57.650 --> 36:00.970 defend forward and persistent presence 36:00.970 --> 36:03.220 as major aspects of our new posture, 36:03.220 --> 36:05.870 and your statement also outlined some of the steps 36:05.870 --> 36:08.070 we are taking to shift to this footing. 36:08.070 --> 36:09.680 But from a policy perspective, 36:09.680 --> 36:12.780 and with respect to escalation dynamics, 36:12.780 --> 36:16.150 have we thought about potentially when and if 36:16.150 --> 36:18.560 this more forward and persistent posture 36:18.560 --> 36:21.590 could be interpreted as escalatory in nature 36:21.590 --> 36:24.040 by our adversaries, and perhaps preemptively 36:24.040 --> 36:27.323 trigger escalation or retribution? 36:28.530 --> 36:32.740 - Absolutely, escalation is a significant concern 36:32.740 --> 36:35.810 with all military operations. 36:35.810 --> 36:38.410 What we call activities in the gray zone 36:38.410 --> 36:41.140 or below the spectrum of armed conflict, 36:41.140 --> 36:44.140 cyber is an especially attractive tool 36:44.140 --> 36:47.500 to our adversaries, and we've noted China and Russia 36:47.500 --> 36:51.170 as significant concerns in that context, 36:51.170 --> 36:54.770 and we see them applying asymmetric warfare 36:54.770 --> 36:58.720 below the spectrum of conflict against us. 36:58.720 --> 37:00.670 We have come to the conclusion, 37:00.670 --> 37:02.660 and that's what informed the strategy, 37:02.660 --> 37:07.070 that continuing to not respond to those behaviors 37:07.070 --> 37:09.190 and those threats, that will manifest 37:09.190 --> 37:11.470 in a cumulative context. 37:11.470 --> 37:15.660 No one of these activities has clearly crossed that line 37:15.660 --> 37:18.780 in which a kinetic or military strike 37:18.780 --> 37:20.470 would be a response. 37:20.470 --> 37:23.450 So if we ignore them, they will continue them, 37:23.450 --> 37:25.290 and they will undermine our security 37:25.290 --> 37:26.950 in a strategic way. 37:26.950 --> 37:29.550 We have a process that is very risk-based 37:29.550 --> 37:34.050 in terms of informing the risk benefit assessment 37:34.050 --> 37:37.690 associated with how we target malevolent activities, 37:37.690 --> 37:40.260 how we achieve access. 37:40.260 --> 37:43.350 It is a process mentioned that was enshrined 37:43.350 --> 37:45.990 in the presidential memorandum 37:45.990 --> 37:48.580 providing policy guidance to the process 37:48.580 --> 37:50.130 that takes place. 37:50.130 --> 37:53.390 The first requirement is a presidential determination 37:53.390 --> 37:55.460 for certain types of operations. 37:55.460 --> 37:59.800 That then goes into a coordination process 37:59.800 --> 38:03.040 in terms of engaging on the development 38:03.040 --> 38:05.150 of the concept of operations, 38:05.150 --> 38:06.630 particularly with those agencies 38:06.630 --> 38:09.760 with the most equities involved, and then ultimately 38:09.760 --> 38:12.610 there is a deconfliction execution process 38:12.610 --> 38:16.350 in terms of if there are conflicts between key equities 38:16.350 --> 38:18.870 or elements, or are there, there are concerns, 38:18.870 --> 38:21.000 for example, about the potential 38:21.000 --> 38:25.660 for unintended escalation, those issues are addressed. 38:25.660 --> 38:28.630 So we do have a very thoughtful process, 38:28.630 --> 38:31.840 but also a process designed to operate 38:31.840 --> 38:33.740 with the speed of relevance. 38:33.740 --> 38:34.620 - Thank you. 38:34.620 --> 38:36.760 General Nakasone, what exactly 38:36.760 --> 38:38.540 does our cyber posture look like 38:38.540 --> 38:41.630 when we defend forward with persistent engagement. 38:41.630 --> 38:43.860 Does this simply mean that we are positioned 38:43.860 --> 38:46.290 to conduct more offensive operations 38:46.290 --> 38:49.530 or positioned to conduct more collection activities? 38:49.530 --> 38:51.700 And when you answer that, can you also touch upon 38:51.700 --> 38:53.840 the interagency aspects, and how we work 38:53.840 --> 38:55.563 with our international partners? 38:56.840 --> 38:57.970 - Ranking Member Stefanik, 38:57.970 --> 39:00.320 if you think about persistent engagement, 39:00.320 --> 39:03.280 I would offer two different components 39:03.280 --> 39:04.360 that are very, very important, 39:04.360 --> 39:06.750 that are foundational to persistent engagement. 39:06.750 --> 39:09.160 First of all is the idea of enabling. 39:09.160 --> 39:10.700 How do we enable our partners? 39:10.700 --> 39:13.790 That partner could be Department of Homeland Security, 39:13.790 --> 39:16.600 the Federal Bureau of Investigation, 39:16.600 --> 39:18.090 it could be another service, 39:18.090 --> 39:20.190 it could be another member of our interagency, 39:20.190 --> 39:21.970 it could be an allied partner. 39:21.970 --> 39:24.300 A big portion of what we do in persistent engagement 39:24.300 --> 39:26.740 is as Assistant Secretary of Defense Rapuano said, 39:26.740 --> 39:28.880 is providing information or intelligence. 39:28.880 --> 39:30.090 If I might give you an example. 39:30.090 --> 39:32.630 During the security of the midterm elections, 39:32.630 --> 39:35.010 U.S. Cyber Command working in partnership 39:35.010 --> 39:36.330 with the National Security Agency 39:36.330 --> 39:38.290 provided indicators of compromise 39:38.290 --> 39:39.720 to the Federal Bureau of Investigation 39:39.720 --> 39:41.660 and the Department of Homeland Security. 39:41.660 --> 39:43.920 That's an example of an enablement. 39:43.920 --> 39:46.440 The other foundational concept of persistent engagement 39:46.440 --> 39:48.090 is to act. 39:48.090 --> 39:50.190 Just as the the secretary mentioned, 39:50.190 --> 39:52.510 act is everything from understanding 39:52.510 --> 39:55.530 what our adversaries are doing within their networks, 39:55.530 --> 39:58.530 providing early warning, ensuring that we understand 39:58.530 --> 40:00.050 the MAU or the infrastructure, 40:00.050 --> 40:03.010 the other capabilities that an adversary 40:03.010 --> 40:07.550 might be accumulating to perhaps conduct 40:07.550 --> 40:10.290 an action against the United States. 40:10.290 --> 40:14.170 But it's also the idea of sending teams forward. 40:14.170 --> 40:16.450 So we sent defensive teams forward in November 40:16.450 --> 40:18.630 to three different European countries. 40:18.630 --> 40:21.150 That's acting outside of our borders 40:21.150 --> 40:23.810 that impose cost against our adversaries. 40:23.810 --> 40:26.070 Those are the two fundamental components 40:26.070 --> 40:28.763 of persistent engagement, enabling and acting. 40:29.940 --> 40:32.530 - My final question is for you General Nakasone. 40:32.530 --> 40:35.080 You have been given flexible acquisition authorities 40:35.080 --> 40:37.800 that frankly the command is yet to fully use 40:37.800 --> 40:40.130 or mature into, so my question is 40:40.130 --> 40:42.560 to figure out if this unique acquisition authority 40:42.560 --> 40:44.900 for your command is even still needed, 40:44.900 --> 40:47.120 certainly, since over the years, we have worked 40:47.120 --> 40:50.470 to give the services more flexible acquisition authorities, 40:50.470 --> 40:51.970 Can you provide this committee 40:51.970 --> 40:54.530 with an update on why you think you need 40:54.530 --> 40:56.120 this unique acquisition authority, 40:56.120 --> 40:58.380 and what the current state of implementation is. 40:58.380 --> 41:00.610 And then specifically how would you define 41:00.610 --> 41:05.610 cyber-peculiar acquisitions as it is called in the law. 41:06.740 --> 41:08.410 - If I might start with the question 41:08.410 --> 41:09.970 of a quick status update. 41:09.970 --> 41:14.360 So this year in FY19, I believe the amount 41:14.360 --> 41:17.050 was $75 million for acquisition, 41:17.050 --> 41:20.520 and we've executed right now about $44 million of that. 41:20.520 --> 41:23.230 We would anticipate by the end of the FY 41:23.230 --> 41:26.120 to execute about 60 to 65 million. 41:26.120 --> 41:28.590 That's not 75 million, and I obviously 41:28.590 --> 41:30.640 accept the fact that we're short of that. 41:30.640 --> 41:31.990 But what did we invest it in? 41:31.990 --> 41:34.410 And I think it's important that we are outline this. 41:34.410 --> 41:38.360 One, we invested it in tools, significant tools 41:38.360 --> 41:41.360 for how we operate with our teams. 41:41.360 --> 41:43.690 Secondly, big data analysis. 41:43.690 --> 41:46.240 Thirdly, an opportunity for our developers 41:46.240 --> 41:49.280 to operate off-site at a facility to look at 41:49.280 --> 41:52.260 new networks, new capabilities, new infrastructures. 41:52.260 --> 41:53.670 it was done rapidly. 41:53.670 --> 41:57.210 It was done, I think, obviously very effectively 41:57.210 --> 41:58.670 and certainly within the law. 41:58.670 --> 42:01.150 We're not to the point yet where I'm satisfied 42:01.150 --> 42:03.790 with regards to operating at the amount 42:03.790 --> 42:05.010 that's been authorized for us, 42:05.010 --> 42:06.057 but we'll get there. 42:06.057 --> 42:08.000 And I think the important piece is 42:08.000 --> 42:11.180 when I think of why it's so important to us, 42:11.180 --> 42:13.030 our adversaries are rapidly changing. 42:13.030 --> 42:14.420 And we see that every single day 42:14.420 --> 42:16.200 as we operate against them. 42:16.200 --> 42:18.530 The authorities that you've granted our command 42:18.530 --> 42:20.470 to be able to do this is a first start 42:20.470 --> 42:22.873 for us to be able to operate at their speed. 42:23.750 --> 42:27.120 The last thing I would say is we have 10 openings 42:28.028 --> 42:32.320 that are foundational for what we do 42:32.320 --> 42:33.440 for that acquisition authority. 42:33.440 --> 42:35.910 We've filled six of them, we'll fill the final four 42:35.910 --> 42:37.630 by the end of the year, and I think this will be 42:37.630 --> 42:39.970 extremely helpful for us to be able to execute the monies. 42:39.970 --> 42:40.803 Thank you. 42:40.803 --> 42:44.290 - And just to follow up, how do you fine cyber-peculiar? 42:44.290 --> 42:46.200 Because that's how it's written. 42:46.200 --> 42:48.140 - So if I might take that for the record, 42:48.140 --> 42:49.250 Ranking Member, just to make sure 42:49.250 --> 42:51.670 that I have that fully accurate. 42:51.670 --> 42:52.970 - Thank you, I yield back. 42:57.790 --> 42:59.220 - Thank you Ranking Member. 42:59.220 --> 43:01.320 Mr. Brown is now recognized, five minutes. 43:01.320 --> 43:02.790 - Thank you Mr. Chairman. 43:02.790 --> 43:06.950 In the most recently enacted Defense Authorization Act 43:06.950 --> 43:09.970 we, Congress, direct the department to study 43:09.970 --> 43:12.400 the feasibility and advisability of the establishment 43:12.400 --> 43:15.610 of reserve component cyber civil support teams 43:15.610 --> 43:19.100 to be assigned to each state due to the lapse 43:19.100 --> 43:21.430 in appropriation associated with the 35-day 43:21.430 --> 43:23.590 recent government shutdown. 43:23.590 --> 43:28.590 The department did request an extension 43:28.710 --> 43:31.990 to submitting that report to Congress. 43:31.990 --> 43:34.110 Can you give us a status and not just 43:34.110 --> 43:37.350 when you anticipate to submit that to Congress, 43:37.350 --> 43:41.360 but give us a little flavor on where you, 43:41.360 --> 43:43.480 what kind of either conclusions, findings, 43:43.480 --> 43:46.290 or recommendations might be in that report? 43:46.290 --> 43:47.490 - Certainly Congressman. 43:48.880 --> 43:51.970 The department traditionally has not assigned 43:51.970 --> 43:55.180 unique specialty areas to the National Guard 43:55.180 --> 43:58.760 like cyber, but we have been exploring 43:58.760 --> 44:02.220 whether and where, really where the National Guard 44:02.220 --> 44:04.690 can best support DoD missions, 44:04.690 --> 44:07.830 specifically things like defense critical infrastructure, 44:07.830 --> 44:10.070 infrastructure for which we are dependent on 44:10.070 --> 44:15.070 for power projection as well as weapons systems. 44:15.220 --> 44:17.430 The Defense Industrial Base is another area 44:17.430 --> 44:19.890 that's critical to us and we are at risk, 44:19.890 --> 44:21.520 as I noted in my statement, 44:21.520 --> 44:24.930 of losing our asymmetric superiority 44:24.930 --> 44:28.290 to others who are stealing our technology. 44:28.290 --> 44:30.480 So those are areas that we're very focused on 44:30.480 --> 44:32.650 and believe there's a potential role 44:32.650 --> 44:34.620 for the National Guard, and we actually 44:34.620 --> 44:37.070 have a cyber mission assurance team 44:37.070 --> 44:39.370 that is looking at the potential role there. 44:39.370 --> 44:40.580 In response to your question 44:40.580 --> 44:45.580 about the '19 NDAA 1653 tasker, we are. 44:46.890 --> 44:49.500 We have a report that is in drafting process right now. 44:49.500 --> 44:53.730 We will get it to you all by the end of April. 44:53.730 --> 44:56.380 I really can't go into details on it 44:56.380 --> 44:58.590 but it's really looking about the trade space 44:58.590 --> 44:59.760 and the return on investment 44:59.760 --> 45:01.410 from a total force perspective, 45:01.410 --> 45:05.290 and how and where those roles would be most consistent 45:05.290 --> 45:08.020 with the other priorities of the department. 45:08.020 --> 45:09.620 - Thank you. 45:09.620 --> 45:13.100 Question regarding the cyber workforce, 45:13.100 --> 45:16.220 and everyone's competing for a limited pool 45:16.220 --> 45:19.150 of highly skilled, highly talented, 45:19.150 --> 45:21.763 technically trained personnel. 45:23.050 --> 45:27.740 What thoughts do you have about the role of AI 45:27.740 --> 45:32.470 in reducing the demand signal for a cyber workforce? 45:32.470 --> 45:35.980 - Well we're looking at all the tools available out there, 45:35.980 --> 45:39.500 in terms of where do we need to buy either tools 45:39.500 --> 45:42.920 or capabilities, where do we need to hire people 45:42.920 --> 45:45.490 for that human potential component of it. 45:45.490 --> 45:48.050 It's well recognized that hiring in the cyber field 45:48.050 --> 45:50.170 is very challenging, just based on the very high 45:50.170 --> 45:52.810 demand signal, so we have a number of programs. 45:52.810 --> 45:56.340 A CES is prime amongst them in terms of a new tool. 45:56.340 --> 45:58.300 AI we are looking at very hard 45:58.300 --> 46:01.070 in terms of where we can leverage AI 46:01.070 --> 46:04.720 and other advanced capabilities, analytic capabilities, 46:04.720 --> 46:07.430 to perform some of those activities. 46:07.430 --> 46:09.010 I might turn it over to General Nakasone, 46:09.010 --> 46:12.330 I know his team looks at this very closely too. 46:12.330 --> 46:15.210 - So congressman, I think that AI 46:15.210 --> 46:16.890 and machine learning certainly has a place 46:16.890 --> 46:19.160 as we take a look at some of the activities 46:19.160 --> 46:23.030 that we doing day in and day out within our force. 46:23.030 --> 46:26.530 But I would offer, the people that make AI go, 46:26.530 --> 46:28.380 the people that ensure that our algorithms 46:28.380 --> 46:30.540 are right for machine learning, 46:30.540 --> 46:32.980 they're the folks that I'm most focused on 46:32.980 --> 46:37.210 because I would call them, they're the 10X or the 20X folks 46:37.210 --> 46:39.540 that do their mission 10 times or 20 times better 46:39.540 --> 46:41.720 than anyone else, that's the competition 46:41.720 --> 46:43.460 that we're in today. 46:43.460 --> 46:46.470 So I would just offer, I give great kudos 46:46.470 --> 46:49.970 to the services for recruiting a great base of folks, 46:49.970 --> 46:51.770 and that's both military and civilian. 46:51.770 --> 46:54.100 I think we do a good job of training them 46:54.100 --> 46:55.490 and it's getting better. 46:55.490 --> 46:57.520 The hard part, and the one that we work at 46:57.520 --> 46:59.430 every single day is the retention part, 46:59.430 --> 47:02.360 that's the one that's most impactful for us. 47:02.360 --> 47:07.360 - And you mentioned the CES, Cyber Excepted Service. 47:09.880 --> 47:12.100 Can you tell us a little bit about your experience with that 47:12.100 --> 47:14.893 and is it working, is it effective? 47:16.200 --> 47:17.980 Tell us about that. 47:17.980 --> 47:21.480 - Cyber Excepted Service, which just came on board 47:21.480 --> 47:23.270 roughly over the past year. 47:23.270 --> 47:25.650 We at U.S. Cyber Command, we're the first phase of that. 47:25.650 --> 47:28.000 I can give you the metrics of, 47:28.000 --> 47:31.370 now we are looking at a drop of 60% 47:31.370 --> 47:33.580 with regards to the hiring capabilities 47:33.580 --> 47:35.330 and the timeline to hire someone. 47:35.330 --> 47:37.840 So we have metrics that show us 111 days 47:37.840 --> 47:41.850 before CES, now it's at about 44 days. 47:41.850 --> 47:44.170 We have done over 21 different fairs. 47:44.170 --> 47:46.470 We've interviewed over 2,700 people. 47:46.470 --> 47:50.910 We've given over, we've provided over 90 acceptances 47:50.910 --> 47:52.290 for job applications. 47:52.290 --> 47:55.040 My perspective, early phase, I'm a supporter of it. 47:55.040 --> 47:56.750 I look forward to continuing to utilize it. 47:56.750 --> 47:58.300 - Great and I hope the University of Maryland 47:58.300 --> 48:00.150 and College Park is giving you a talent pool 48:00.150 --> 48:00.983 to work with. 48:02.180 --> 48:03.483 I yield back Mr. Chairman. 48:04.460 --> 48:05.593 - Thank you Mr. Brown. 48:06.874 --> 48:10.633 On the topic of the workforce and training, 48:16.960 --> 48:21.960 we recently had testimony in reference 48:21.980 --> 48:26.980 to the Cyber Excepted Service as a whole, 48:27.480 --> 48:32.480 and it's under-resourced at this time. 48:33.290 --> 48:38.290 And I think it's important for it to have full support 48:38.520 --> 48:42.453 and full resourcing, can you comment on that Secretary? 48:43.970 --> 48:45.040 - Yes I can. 48:45.040 --> 48:47.640 I share your concern, Mr. Chairman. 48:47.640 --> 48:52.400 I have engaged within the DCRC I/O, 48:52.400 --> 48:56.620 as well as the undersecretary for personnel and readiness. 48:56.620 --> 48:59.220 This is a priority, and a challenge with the department 48:59.220 --> 49:01.790 as we've got a lot of priorities, but everyone acknowledges 49:01.790 --> 49:03.940 there's no higher priority than this. 49:03.940 --> 49:05.940 So we're looking at additional resources 49:05.940 --> 49:06.773 that we can get. 49:06.773 --> 49:11.773 We've already put essentially two more people 49:12.050 --> 49:14.880 onto it because we had a couple of them taken 49:14.880 --> 49:18.270 for another priority group, and that has been addressed. 49:18.270 --> 49:20.570 But we need to supplement them going forward 49:20.570 --> 49:22.760 and we believe we have a path to resources 49:22.760 --> 49:25.210 to do that in the relatively near term. 49:25.210 --> 49:26.150 - Okay, thank you. 49:26.150 --> 49:28.530 I think that's, it has to be a high priority 49:28.530 --> 49:31.500 and certainly more support for the Cyber Excepted Service 49:31.500 --> 49:34.080 is gonna have the support of this subcommittee 49:34.080 --> 49:36.210 and the committee as a whole. 49:36.210 --> 49:37.750 - Thank you, it very much is. 49:37.750 --> 49:39.170 - Thank you. 49:39.170 --> 49:41.420 Mr. Waltz is now recognized for five minutes. 49:42.850 --> 49:44.100 - Thank you Mr. Chairman. 49:45.500 --> 49:46.887 I'm also interested, very interested, 49:46.887 --> 49:49.450 and my colleague, my colleague Mr. Brown, 49:49.450 --> 49:52.030 and the Guard and Reserve, and the role that they can play 49:52.030 --> 49:54.510 and be very interested in seeing that report. 49:54.510 --> 49:57.520 I've had the same conversations with General Kadavy, 49:57.520 --> 49:59.240 the head of the Army Guard. 49:59.240 --> 50:01.860 It seems that the challenges with recruiting, 50:01.860 --> 50:04.077 the challenges with keeping up with the civilian sector, 50:04.077 --> 50:05.600 and the pace of Technology, 50:05.600 --> 50:08.550 and who bridges those two worlds? 50:08.550 --> 50:10.210 One of the questions I've asked him 50:10.210 --> 50:12.260 is when you're recruiting your cyber force 50:12.260 --> 50:15.200 into the Guard and Reserve, are you taking civilian, 50:15.200 --> 50:17.010 you know the civilian occupation into account? 50:17.010 --> 50:19.250 Are we recruiting people who are truck drivers 50:19.250 --> 50:21.740 during the day and then into the cyber force, 50:21.740 --> 50:24.150 or people who are actually in the IT sector, 50:24.150 --> 50:26.570 in Silicon Valley, in that space, 50:26.570 --> 50:28.550 so that you can leverage those two 50:28.550 --> 50:29.810 and build upon those two. 50:29.810 --> 50:31.670 It's not clear to me, I'd be interested 50:31.670 --> 50:33.310 if the report addresses that, 50:33.310 --> 50:35.150 if that's taken into account in the recruiting 50:35.150 --> 50:37.440 on the front end, particularly for the Guard, 50:37.440 --> 50:39.610 so you can build those going forward. 50:39.610 --> 50:41.210 Do you have any, you have any comment, 50:41.210 --> 50:43.730 any additional comments on where that's going? 50:43.730 --> 50:46.003 So I mean, to be just to be candid, 50:47.250 --> 50:49.000 talking to the Guard about counting tanks, 50:49.000 --> 50:51.920 counting aircraft, parity and fielding, that's important, 50:51.920 --> 50:53.440 they need be interoperable with the force, 50:53.440 --> 50:58.030 but where they can uniquely take this leading role 50:58.030 --> 51:00.420 and leveraging those civilian, 51:00.420 --> 51:02.080 those civilian sector skills, I think, 51:02.080 --> 51:04.500 is something we should take a hard look at. 51:04.500 --> 51:06.780 - Yes, while I cannot speak to the details 51:06.780 --> 51:08.560 of how the National Guard right now 51:08.560 --> 51:09.950 is conducting their recruiting, 51:09.950 --> 51:11.670 I'm familiar enough with their process 51:11.670 --> 51:13.280 to know that they do look at 51:13.280 --> 51:15.380 what are those specialty areas 51:15.380 --> 51:18.770 that the individual is being recruited for, 51:18.770 --> 51:20.390 and what skills do they bring 51:20.390 --> 51:23.820 in addition to the basic elements of education. 51:23.820 --> 51:25.880 So that is something, and then again 51:25.880 --> 51:29.330 it will be based on how the specialties develop 51:29.330 --> 51:32.010 and evolve and potentially expand. 51:32.010 --> 51:34.010 - Thank you, I'm eager to see the report. 51:34.010 --> 51:37.040 General Nakasone, can you just talk to me 51:37.040 --> 51:40.280 about plans, or what's in place, 51:40.280 --> 51:42.400 or what's coming down the pipe, 51:42.400 --> 51:45.030 just kind of share and collaborate cyber threats 51:46.110 --> 51:47.480 ostensibly at network speed, 51:47.480 --> 51:49.363 ostensibly at cloud scale, 51:50.260 --> 51:52.883 with the top U.S.companies, with industry, 51:53.950 --> 51:55.760 to leverage, I mean so we can leverage 51:55.760 --> 51:57.720 the full resources of the U.S. government 51:57.720 --> 51:59.420 and respond to our critical infrastructure 51:59.420 --> 52:01.110 we thought about. 52:01.110 --> 52:02.760 Or is there, and forgive my ignorance, 52:02.760 --> 52:05.250 if there's a cybersecurity cooperative agreement 52:05.250 --> 52:06.900 with industry, detect, respond, 52:06.900 --> 52:08.810 mitigate cyber threat? 52:08.810 --> 52:11.710 I know DHS has there, but I keep hearing consistently, 52:11.710 --> 52:14.410 frankly, that it's not being utilized 52:14.410 --> 52:16.810 to its full extent and frankly not useful to industry. 52:16.810 --> 52:18.830 Did it know the relationship 52:18.830 --> 52:20.540 with your command and industry? 52:20.540 --> 52:21.990 - Congressman we've been working closely 52:21.990 --> 52:25.410 within the department on an initiative 52:25.410 --> 52:27.170 called the Pathfinder program. 52:27.170 --> 52:30.210 The Pathfinder program, and this is an outgrowth 52:30.210 --> 52:32.060 from the Secretary of Defense 52:32.060 --> 52:33.980 and the Secretary of Homeland Security's 52:33.980 --> 52:36.750 Memorandum of Agreement to work together 52:36.750 --> 52:40.170 to look at joint ways that we can address 52:40.170 --> 52:41.710 the critical infrastructure sectors. 52:41.710 --> 52:42.990 As you're aware, 17 different 52:42.990 --> 52:44.600 critical infrastructure sectors, 52:44.600 --> 52:45.870 we've started with the first one 52:45.870 --> 52:47.690 to look at, and working very, very closely 52:47.690 --> 52:49.170 with the financial industry, 52:49.170 --> 52:51.050 working closely with the Department of Treasury, 52:51.050 --> 52:52.890 and the Department of Homeland Security. 52:52.890 --> 52:54.040 How do we share data? 52:54.040 --> 52:55.610 How do we share it rapidly? 52:55.610 --> 52:56.670 One of the things that we've done 52:56.670 --> 52:59.550 over the past several months has had four different means 52:59.550 --> 53:01.190 of sharing data. 53:01.190 --> 53:03.010 But it's more than just sharing data 53:03.010 --> 53:04.980 because we're not gonna get out of this issue 53:04.980 --> 53:06.020 with just sharing. 53:06.020 --> 53:08.040 It's also our technical experts 53:08.040 --> 53:09.530 talking to their technical experts, 53:09.530 --> 53:11.640 talking to the Department of Homeland Security. 53:11.640 --> 53:12.820 This shows great promise. 53:12.820 --> 53:16.430 And as we move on from the financial industry, 53:16.430 --> 53:18.300 I think that energy and other industries 53:18.300 --> 53:21.590 right behind it will be the beneficiaries of this. 53:21.590 --> 53:23.570 - How are, I mean along those lines, 53:23.570 --> 53:26.510 how are the delays in moving and DoD moving 53:26.510 --> 53:28.470 into the cloud architecture, 53:28.470 --> 53:31.610 how is that affecting your warfighting mission? 53:31.610 --> 53:34.150 - So it hasn't affected my warfighting mission. 53:34.150 --> 53:37.320 I would offer that our ability to share right now 53:37.320 --> 53:41.130 is at a level that certainly is able 53:41.130 --> 53:43.800 for me to accomplish what I need to be able to do. 53:43.800 --> 53:45.350 I think to your point though, 53:45.350 --> 53:47.770 how do we increase our lethality in the future 53:47.770 --> 53:49.810 as a force, I think this is one of the areas 53:49.810 --> 53:51.786 that we're working towards. 53:51.786 --> 53:54.973 As the department moves to its investment in the cloud, 53:55.890 --> 53:57.920 the cloud experience, this is one of the things 53:57.920 --> 53:58.870 we're working very, very closely 53:58.870 --> 54:01.090 with the department, NSA, and Cyber Command, 54:01.090 --> 54:03.283 to ensure that we're well postured for it. 54:04.686 --> 54:05.900 - Thank you, then final questions 54:05.900 --> 54:08.500 to the interest of time, and maybe we'll take this 54:08.500 --> 54:10.870 to the closed session, but I'd be very interested, 54:10.870 --> 54:13.670 and data is the new gold, the new oil, 54:13.670 --> 54:16.350 whatever we wanna call it, the coin of the realm, 54:16.350 --> 54:18.720 and back to your issue of collaborating, 54:18.720 --> 54:20.790 particularly the sensitive data, 54:20.790 --> 54:22.500 with an eye towards AI and 5G, 54:22.500 --> 54:24.450 because we can't get to, really get to one with the other 54:24.450 --> 54:27.750 but I yield my time and look forward to closed session. 54:27.750 --> 54:29.130 Thank you. 54:29.130 --> 54:29.963 - [Jim] Thank you, Mr. Waltz. 54:29.963 --> 54:31.890 Mr. Kim's now recognized, five minutes. 54:31.890 --> 54:33.580 - Thank you Chairman. 54:33.580 --> 54:36.130 Thank you so much for coming and speaking with us today. 54:36.130 --> 54:38.190 I actually just wanted to take a step back 54:38.190 --> 54:40.580 for a second here and just get some of your thoughts 54:40.580 --> 54:41.670 and advice here. 54:41.670 --> 54:45.890 The issue of cyber threats is pervasive in my district, 54:45.890 --> 54:48.720 it's something that people worry about constantly, 54:48.720 --> 54:49.870 especially given the news, 54:49.870 --> 54:52.860 and given all the talks about Russia and China. 54:52.860 --> 54:54.860 And I'll tell you that these concerns 54:54.860 --> 54:56.830 are ones that I hear at town halls 54:56.830 --> 54:58.550 and they come up in a lot of different meetings. 54:58.550 --> 55:00.240 I think there's a lot of confusion 55:00.240 --> 55:01.980 about what it is that we're doing 55:01.980 --> 55:04.420 and what the capabilities are on the other side. 55:04.420 --> 55:07.950 So I start this by urging the two of you 55:07.950 --> 55:09.890 to think about ways that we can invest 55:09.890 --> 55:11.810 in lifting up some of that veil, 55:11.810 --> 55:14.970 making sure that I understand the difficulties 55:14.970 --> 55:17.310 and the sensitivities of the work you're doing. 55:17.310 --> 55:19.700 But as a new command, I think it's important 55:19.700 --> 55:21.640 for the American people to understand 55:21.640 --> 55:23.550 what it is that you're working towards, 55:23.550 --> 55:24.900 what it is that we're trying to do, 55:24.900 --> 55:27.070 and what it is we're trying to defend against. 55:27.070 --> 55:29.100 Because this is a different type of threat 55:29.100 --> 55:30.880 than the American people in my district, 55:30.880 --> 55:32.680 in Burlington County, in Ocean County, 55:32.680 --> 55:36.490 to understand compared to conventional and traditional. 55:36.490 --> 55:39.130 With that, I want you to just imagine yourself 55:39.130 --> 55:41.400 with me in my district at a town hall, 55:41.400 --> 55:42.730 when I get these questions. 55:42.730 --> 55:45.030 I'd like to hear from you what you would say 55:45.030 --> 55:47.400 in response to someone who's saying, 55:47.400 --> 55:50.540 are we getting outgunned by China and Russia? 55:50.540 --> 55:53.810 Where are our capabilities, and our personnel, 55:53.810 --> 55:57.310 and our resources compared to these near-peers? 55:57.310 --> 56:00.040 When we are talking and looking at our cyber budget, 56:00.040 --> 56:03.960 how does that stack up with how our competitors 56:03.960 --> 56:06.380 are spending and moving forward in this? 56:06.380 --> 56:09.340 How would you respond to someone in that way 56:09.340 --> 56:12.380 without having to get into the classified material? 56:12.380 --> 56:14.000 - I'll start and then I can hand it over 56:14.000 --> 56:15.363 to General Nakasone. 56:16.720 --> 56:19.780 I think that when you look at the United States 56:19.780 --> 56:20.820 and you'd look at it, certainly, 56:20.820 --> 56:23.670 from a Department of Defense perspective, 56:23.670 --> 56:26.050 we operate around the world. 56:26.050 --> 56:28.760 We have to have systems that can communicate 56:28.760 --> 56:31.130 and engage around the world. 56:31.130 --> 56:34.970 So that presents a lot of surface for adversaries 56:34.970 --> 56:38.210 in terms of who are looking to target us. 56:38.210 --> 56:41.120 We have an open system in terms of the internet. 56:41.120 --> 56:42.380 You may have heard that China 56:42.380 --> 56:47.380 has the great Firewall of China. 56:47.460 --> 56:52.130 So we prize free communication of information. 56:52.130 --> 56:56.340 So an open internet is something that is consistent 56:56.340 --> 56:58.760 with the way that we've operated in the world 56:58.760 --> 57:01.930 from early on, we would like to maintain that. 57:01.930 --> 57:03.880 So it's not an apple for apple 57:03.880 --> 57:05.630 in terms of our vulnerabilities 57:05.630 --> 57:07.290 and adversary vulnerabilities, 57:07.290 --> 57:09.530 it's something that I would offer. 57:09.530 --> 57:11.170 We have just increased, as you know, 57:11.170 --> 57:14.696 from the budget, the budget for cyber, 57:14.696 --> 57:18.530 9.6 billion, and 10% increase over last year. 57:18.530 --> 57:22.150 So that's in recognition of the importance 57:22.150 --> 57:23.760 of this area. 57:23.760 --> 57:28.000 The evolution of the threat which we see. 57:28.000 --> 57:31.900 We believe that we are developing the critical capabilities 57:31.900 --> 57:34.600 necessary to address the threat. 57:34.600 --> 57:37.750 But as you know, it is a very complex 57:37.750 --> 57:39.270 and diverse threat. 57:39.270 --> 57:41.860 So walking through each of those areas 57:42.918 --> 57:44.750 can take a little bit of effort 57:44.750 --> 57:47.830 but I would just say that I think that with the advent 57:47.830 --> 57:49.440 of this strategy and authorities 57:49.440 --> 57:51.780 from a national defense perspective 57:51.780 --> 57:53.430 we have made tremendous progress, 57:53.430 --> 57:55.600 we are making the necessary investment 57:56.630 --> 58:00.540 to keep up with the threat and be able to prevail, 58:00.540 --> 58:04.710 if necessary, in all warfighting domains including cyber. 58:04.710 --> 58:05.593 General Nakasone. 58:07.050 --> 58:09.490 - Congressman, I think I'd begin 58:09.490 --> 58:11.560 if I had an opportunity to speak at your town hall 58:11.560 --> 58:14.120 by saying, the national security strategy 58:14.120 --> 58:17.160 identifies our threats very well. 58:17.160 --> 58:20.700 We talk about strategic and great power competition 58:20.700 --> 58:22.540 in the realm of both China and Russia. 58:22.540 --> 58:24.380 They're near-peer competitors. 58:24.380 --> 58:27.050 They've been able over the past 17 to 20 years 58:27.050 --> 58:28.810 to shrink the gap. 58:28.810 --> 58:30.270 And then there are rogue nation states 58:30.270 --> 58:33.690 such as Iran, and North Korea, that continue 58:35.949 --> 58:38.900 to conduct malfeasance in the domain. 58:38.900 --> 58:41.310 But with that being said, there is still a gap 58:41.310 --> 58:43.980 between those actors and ourselves. 58:43.980 --> 58:46.900 And while I obviously hear a number 58:46.900 --> 58:48.270 of the different challenges that we have, 58:48.270 --> 58:51.460 I would also offer to your town hall 58:51.460 --> 58:53.880 that there are some strengths that are endemically 58:53.880 --> 58:55.900 part of the United States. 58:55.900 --> 58:57.640 First of all, partnerships. 58:57.640 --> 58:58.960 We have a series of partnerships, 58:58.960 --> 59:01.080 partnerships with other allied countries, 59:01.080 --> 59:03.820 partnerships with academia, partnerships with industry, 59:03.820 --> 59:05.480 that I think are second to none. 59:05.480 --> 59:07.510 Secondly, innovation. 59:07.510 --> 59:10.270 When we think about innovation, where do we think about? 59:10.270 --> 59:12.090 We think about Silicon Valley, 59:12.090 --> 59:14.430 we think about Austin, we think about Boston, 59:14.430 --> 59:16.640 we think about sectors within the United States, 59:16.640 --> 59:19.610 that's very, very important because we are in, 59:19.610 --> 59:21.810 obviously, a domain that's rapidly changing. 59:22.770 --> 59:25.450 The other piece I would say is we're well resourced. 59:25.450 --> 59:27.550 Thank you very much for obviously the resourcing 59:27.550 --> 59:32.370 that you've done for our efforts over this budget. 59:32.370 --> 59:34.737 I think that is tremendously powerful for us. 59:34.737 --> 59:37.900 And the last thing is is that we're also a country 59:37.900 --> 59:40.890 and I would say certainly within the Department of Defense 59:40.890 --> 59:42.170 that we learn our lessons. 59:42.170 --> 59:44.420 And so we have learned our lessons, 59:44.420 --> 59:46.770 and I think that over the past several months 59:46.770 --> 59:49.690 we've been able to obviously apply those lessons 59:49.690 --> 59:52.370 in a manner that has addressed some of the actions 59:52.370 --> 59:53.280 of our adversaries. 59:53.280 --> 59:55.200 - Well I look forward to working with all of you 59:55.200 --> 59:56.457 on how it is we can better explain this 59:56.457 --> 59:58.890 to the American people, thank you. 59:58.890 --> 01:00:00.210 I yield back. 01:00:00.210 --> 01:00:01.253 - Thank you Mr. Kim. 01:00:02.230 --> 01:00:03.663 Before we go to Mr. Bacon, 01:00:04.680 --> 01:00:09.680 Mr. Secretary, you mentioned the $9.6 billion 01:00:09.680 --> 01:00:14.410 cyber budget request, and can you tell me 01:00:14.410 --> 01:00:19.200 what does the 9.6 cyber budget encompass? 01:00:19.200 --> 01:00:23.880 Is it IT as well as military cyber operations? 01:00:23.880 --> 01:00:27.380 And what is the totality of the budget 01:00:27.380 --> 01:00:30.530 for CNF, CMF and operations. 01:00:32.860 --> 01:00:35.340 - I'll leave CMF to General Nakasone, 01:00:35.340 --> 01:00:38.580 but just in terms of the broad brush of the budget 01:00:38.580 --> 01:00:40.860 it really starts with cybersecurity. 01:00:40.860 --> 01:00:45.540 So that's both hardware and software. 01:00:45.540 --> 01:00:49.530 We have to reduce the risk to DoD information systems. 01:00:49.530 --> 01:00:52.850 Then it really gets to cyber operations. 01:00:52.850 --> 01:00:55.520 General Nakasone mentioned the tools, 01:00:55.520 --> 01:00:58.100 the training, all of the elements necessary 01:00:58.100 --> 01:01:01.700 for us to conduct cyber operations effectively. 01:01:01.700 --> 01:01:05.610 And the third is the R&D across all of these areas 01:01:05.610 --> 01:01:07.660 that we must continue to support 01:01:07.660 --> 01:01:09.610 so we can out-innovate our adversaries. 01:01:10.900 --> 01:01:14.530 - So give me, the committee, just a kind of an understanding 01:01:14.530 --> 01:01:15.900 between those three categories, 01:01:15.900 --> 01:01:20.330 which the various, the percentages if you will. 01:01:20.330 --> 01:01:21.163 What's going to most. 01:01:21.163 --> 01:01:24.080 - Well, I think General Nakasone has more details 01:01:24.080 --> 01:01:25.340 on the splits. 01:01:25.340 --> 01:01:28.678 - Within that, Chairman, of the $9.6 billion, 01:01:28.678 --> 01:01:32.040 $532 million to the headquarters of U.S. Cyber Command, 01:01:32.040 --> 01:01:33.550 that's roughly 6% of the budget, 01:01:33.550 --> 01:01:37.790 and then $1.9 billion for a build in infrastructure. 01:01:37.790 --> 01:01:40.150 That's infrastructure across all of our 01:01:40.150 --> 01:01:43.310 four different locations that we have our teams. 01:01:43.310 --> 01:01:47.050 That will be roughly 87% of that will go to the services 01:01:47.050 --> 01:01:49.603 and the rest about $200 million of that will stay 01:01:49.603 --> 01:01:51.123 within U.S. Cyber Command. 01:01:52.210 --> 01:01:54.003 - All right, that's helpful, thank you. 01:01:55.040 --> 01:01:57.120 Mr. Bacon, I recognize, five minutes. 01:01:57.120 --> 01:01:58.850 - Thank you Mr. Chairman, and appreciate 01:01:58.850 --> 01:01:59.960 both of you being here and I appreciate 01:01:59.960 --> 01:02:01.580 your leadership in cyber. 01:02:01.580 --> 01:02:03.730 A couple of questions for General Nakasone. 01:02:04.620 --> 01:02:07.297 I read that you were recommending the NSA 01:02:07.297 --> 01:02:10.320 and cyber split some time in 2020, 01:02:10.320 --> 01:02:11.853 is that indeed your position? 01:02:14.170 --> 01:02:16.850 - Congressman I had seen the article that was written, 01:02:16.850 --> 01:02:18.510 that is not accurate. 01:02:18.510 --> 01:02:22.310 And the last year about this time 01:02:22.310 --> 01:02:24.560 during my confirmation testimony 01:02:24.560 --> 01:02:26.640 I had indicated I'd do a 90-day assessment. 01:02:26.640 --> 01:02:28.607 I did that assessment, provided the Secretary of Defense 01:02:28.607 --> 01:02:29.563 and the Chairman. 01:02:30.470 --> 01:02:33.120 The assessment's classified, so we can talk about it 01:02:33.120 --> 01:02:35.650 later in closed session, but again, to your point, 01:02:35.650 --> 01:02:38.590 that was not accurate, and again the final decision, 01:02:38.590 --> 01:02:41.010 obviously, rests with the. - Right. 01:02:41.010 --> 01:02:41.843 - Not with me. 01:02:41.843 --> 01:02:43.320 - But maybe is it fair enough to say 01:02:43.320 --> 01:02:45.470 that you now, you would say your position 01:02:45.470 --> 01:02:48.010 is to keep them together then? 01:02:48.010 --> 01:02:50.580 The two commands, under one four-star. 01:02:50.580 --> 01:02:53.720 - So, again, I think on this, on this topic Congressman, 01:02:53.720 --> 01:02:56.100 it's much more accurate for me to be able to talk 01:02:56.100 --> 01:02:58.940 in closed session, just to bring out the facts. 01:02:58.940 --> 01:03:03.150 - Just my view on it, without probing for more, 01:03:03.150 --> 01:03:05.010 your position, I just don't see 01:03:05.010 --> 01:03:06.670 how you could have them separate. 01:03:06.670 --> 01:03:08.610 I've worked in this community a little bit 01:03:08.610 --> 01:03:10.680 with my 30 years in the Air Force, 01:03:10.680 --> 01:03:14.500 and our cyber teams are a good mix of intelligence 01:03:14.500 --> 01:03:19.010 and cyber, cyber folks that will probe or defend, 01:03:19.010 --> 01:03:20.860 and it seems to me from a cyber perspective 01:03:20.860 --> 01:03:22.740 it's a symbiotic relationship with NSA, 01:03:22.740 --> 01:03:24.760 you can't do the two separate. 01:03:24.760 --> 01:03:26.040 I'd be if a little afraid 01:03:26.040 --> 01:03:27.810 if you had two four-star generals, 01:03:27.810 --> 01:03:29.250 one in charge of the intelligence portion, 01:03:29.250 --> 01:03:31.060 and one in charge of the cyber portion. 01:03:31.060 --> 01:03:32.800 You could be pulling that team apart 01:03:32.800 --> 01:03:34.540 in two different directions. 01:03:34.540 --> 01:03:36.030 And so I've always been a proponent 01:03:36.030 --> 01:03:38.090 that you need a unified leadership 01:03:38.090 --> 01:03:40.350 under one four-star, and have the two three-stars 01:03:40.350 --> 01:03:41.570 guiding the two different ships, 01:03:41.570 --> 01:03:43.120 but it just doesn't make sense to me 01:03:43.120 --> 01:03:45.423 from my experience in there, so I hope, 01:03:46.365 --> 01:03:48.680 at least my view, or at least my recommendation 01:03:48.680 --> 01:03:50.250 would lean towards how we have it. 01:03:50.250 --> 01:03:51.450 I think we have a right. 01:03:52.470 --> 01:03:54.093 How many cyber teams do we have? 01:03:55.296 --> 01:03:57.071 - We have 133, congressmen. 01:03:57.071 --> 01:03:59.360 And is there a requirement for more, 01:03:59.360 --> 01:04:00.870 or is it about right? 01:04:00.870 --> 01:04:02.530 - So right now what we're doing is, 01:04:02.530 --> 01:04:04.580 through a series of both exercises and real world, 01:04:04.580 --> 01:04:08.740 looking at our forces in total. 01:04:08.740 --> 01:04:11.100 My anticipation is after we've taken a thorough look at that 01:04:11.100 --> 01:04:12.210 we'll make some recommendations, 01:04:12.210 --> 01:04:14.417 but right now 133 is what we have, 01:04:14.417 --> 01:04:16.320 and we're able to do our missions with that. 01:04:16.320 --> 01:04:20.180 - And all 133 are FOC, are fully operational? 01:04:20.180 --> 01:04:21.913 - Right they are fully operational. 01:04:22.750 --> 01:04:24.800 - When I've done exercises in the past, 01:04:24.800 --> 01:04:28.780 in the Air Force, and we would do a full planning 01:04:28.780 --> 01:04:33.420 where you have, your targeting order or air tasking order 01:04:33.420 --> 01:04:35.090 and you build this whole plan 01:04:35.090 --> 01:04:35.970 and then everybody leaves the room 01:04:35.970 --> 01:04:38.670 and cyber would come in and say here's some other options. 01:04:38.670 --> 01:04:40.490 Are we doing a better job job now 01:04:40.490 --> 01:04:43.470 integrating cyber into the COCOM planning, 01:04:43.470 --> 01:04:45.300 where it's really baked in from the start 01:04:45.300 --> 01:04:47.463 and not an add-on after the fact. 01:04:48.945 --> 01:04:50.850 - Well I hate to speak for my fellow COCOM commanders, 01:04:50.850 --> 01:04:52.197 I would say yes. 01:04:52.197 --> 01:04:53.661 - [Don] I hope so. (laughs) 01:04:53.661 --> 01:04:55.230 - A couple things that have enabled us, 01:04:55.230 --> 01:04:58.170 first of all, the ability to put cyber operational 01:04:58.170 --> 01:04:59.440 integrated planning elements. 01:04:59.440 --> 01:05:02.700 Those are planning elements that are well-versed 01:05:02.700 --> 01:05:04.760 in cyber at each of the combatant commands, 01:05:04.760 --> 01:05:05.593 that has helped. 01:05:05.593 --> 01:05:08.420 Secondly, that we've had a lot of operational experience, 01:05:08.420 --> 01:05:10.840 in places like Afghanistan, Iraq, 01:05:10.840 --> 01:05:13.920 other places around the world we've been able to do this, 01:05:13.920 --> 01:05:15.690 and even with the midterm elections, 01:05:15.690 --> 01:05:17.620 working with U.S. European Command, 01:05:17.620 --> 01:05:19.450 General Scaparrotti and myself. 01:05:19.450 --> 01:05:20.850 Learned a tremendous amount of lessons 01:05:20.850 --> 01:05:23.260 in the way we need to do this. 01:05:23.260 --> 01:05:24.127 - I'm glad to hear that. 01:05:24.127 --> 01:05:27.210 Better evolving to where it's baked-in from the beginning, 01:05:27.210 --> 01:05:28.760 'cause I've been there where you do all your 01:05:28.760 --> 01:05:31.250 combat planning or this or that space, 01:05:31.250 --> 01:05:33.510 and then everybody leaves and it's like okay, 01:05:33.510 --> 01:05:35.560 now we do a cybers, but it should be integrated in 01:05:35.560 --> 01:05:37.340 from the beginning. 01:05:37.340 --> 01:05:39.910 And one last question, you know there's a lot of convergence 01:05:39.910 --> 01:05:42.060 between cyber and electronic warfare. 01:05:42.060 --> 01:05:44.780 How much do you think cyber should be involved 01:05:44.780 --> 01:05:46.135 with electronic warfare? 01:05:46.135 --> 01:05:48.580 Or is that a totally separate science 01:05:48.580 --> 01:05:49.763 from your perspective? 01:05:51.800 --> 01:05:54.250 - So from my perspective, having worked this both 01:05:54.250 --> 01:05:56.230 as the Army Service Commander and now 01:05:56.230 --> 01:05:58.700 as the Commander of U.S.Cyber Command, 01:05:58.700 --> 01:06:00.430 these are non-kinetic capabilities, 01:06:00.430 --> 01:06:02.880 and being able to synchronize non-kinetic capabilities, 01:06:02.880 --> 01:06:05.010 whether or not it's EW, or cyber, 01:06:05.010 --> 01:06:07.860 or information operations, bringing that closer together 01:06:07.860 --> 01:06:10.640 provides tremendous amount of capability 01:06:10.640 --> 01:06:11.840 for our commanders. 01:06:11.840 --> 01:06:13.870 And so that's why that close-working relationship, 01:06:13.870 --> 01:06:15.190 I think, is very important. 01:06:15.190 --> 01:06:17.220 - So you would say the cyber role of EW 01:06:17.220 --> 01:06:18.650 would be more of a planning. 01:06:18.650 --> 01:06:21.830 Do you use a EW weapon versus a cyber weapon? 01:06:21.830 --> 01:06:24.520 But Cyber Command within itself would not have 01:06:24.520 --> 01:06:28.993 the EW weapon system, do I have that right? 01:06:30.590 --> 01:06:32.200 - Yeah, so how we organize it, 01:06:32.200 --> 01:06:33.780 I think that's still to be determined, 01:06:33.780 --> 01:06:35.570 but in terms of the planning capability 01:06:35.570 --> 01:06:37.190 and synchronizing it, I definitely see 01:06:37.190 --> 01:06:39.410 that this is one where we'd provide a synchronized look 01:06:39.410 --> 01:06:41.150 and say, hey, this is an opportunity 01:06:41.150 --> 01:06:43.453 for our combatant commanders to leverage. 01:06:44.760 --> 01:06:47.620 - And from my background, the NSA does a great team 01:06:47.620 --> 01:06:50.307 working on the EW side, or at least on the ELAP, 01:06:50.307 --> 01:06:51.960 and we couldn't do it without you. 01:06:51.960 --> 01:06:54.240 So with that, I yield back, Mr. Chairman. 01:06:54.240 --> 01:06:55.340 - [Paul] So Congressman, I would just offer 01:06:55.340 --> 01:06:56.509 that I agree with that. 01:06:56.509 --> 01:06:57.690 - [Don] (chuckles) Good, I get it. 01:06:57.690 --> 01:07:00.730 So you get to take praise both ways. (chuckles) 01:07:00.730 --> 01:07:02.063 - [Paul] It goes both ways. 01:07:03.550 --> 01:07:07.580 - On the EW issue, General, let me ask this. 01:07:07.580 --> 01:07:12.580 I know that after, I think it was Secretary Ash Carter 01:07:14.550 --> 01:07:19.080 that stood up to EW XCOM, and what interaction 01:07:19.080 --> 01:07:22.000 do you all have with that body 01:07:22.000 --> 01:07:24.490 as they evaluate our EW capability, 01:07:24.490 --> 01:07:26.660 if either one wanna comment on that? 01:07:26.660 --> 01:07:29.220 - So I'm not familiar with the EW XCOM, 01:07:29.220 --> 01:07:30.800 that may have been renamed. 01:07:30.800 --> 01:07:32.640 There's a working body right now 01:07:32.640 --> 01:07:34.330 that discusses electronic warfare 01:07:34.330 --> 01:07:38.240 at the vice-chairman level with the deputy secretary 01:07:38.240 --> 01:07:41.040 that normally we have, but I think it's the same purpose. 01:07:41.040 --> 01:07:43.210 And, again, the idea of how do we bring this together 01:07:43.210 --> 01:07:45.350 in a more compactful manner. 01:07:45.350 --> 01:07:47.527 - Okay, thank you, thank you. 01:07:47.527 --> 01:07:52.230 And Mr. Bacon's comment on the splitting the dual hats, 01:07:52.230 --> 01:07:53.880 see, bipartisanship isn't dead. 01:07:53.880 --> 01:07:57.240 I think you and I are definitely in sync on that one. 01:07:57.240 --> 01:07:59.913 So thanks for your comments on that. 01:08:01.390 --> 01:08:04.270 Ms Houlahan is recognized for five minutes. 01:08:04.270 --> 01:08:06.220 - Thank you Chairman, and thank you very much 01:08:06.220 --> 01:08:07.940 for your testimony today gentlemen. 01:08:07.940 --> 01:08:10.360 And General thank you for allowing us all 01:08:10.360 --> 01:08:11.640 to come as freshmen and tour 01:08:11.640 --> 01:08:15.320 your amazingly powerful facility. 01:08:15.320 --> 01:08:18.610 My questions, I have two, and a fairly unrelated one. 01:08:18.610 --> 01:08:21.130 The first one is to General Nakasone. 01:08:21.130 --> 01:08:24.000 The President's budget does call for a pretty big investment 01:08:24.000 --> 01:08:26.710 in developing what he's terming a Space Force. 01:08:26.710 --> 01:08:29.080 Obviously the space domain is very important 01:08:29.080 --> 01:08:31.350 for cyber operations, and I was hoping, 01:08:31.350 --> 01:08:32.183 and this relates, I think, 01:08:32.183 --> 01:08:35.240 to Mister Representative Bacon's comments and questioning. 01:08:35.240 --> 01:08:37.640 If you could talk a little bit about the relationship 01:08:37.640 --> 01:08:40.080 between Cybercom and the Air Force currently 01:08:40.950 --> 01:08:42.370 as it relates to the space domain 01:08:42.370 --> 01:08:44.140 and satellites in particular, 01:08:44.140 --> 01:08:45.620 and help me assess whether or not 01:08:45.620 --> 01:08:47.130 the creation of a Space Force 01:08:47.130 --> 01:08:49.530 would either complicate Cybercom's work, 01:08:49.530 --> 01:08:52.970 help Cybercom's work, be redundant to Cybercom's work? 01:08:52.970 --> 01:08:55.243 How do you see that unfolding? 01:08:56.540 --> 01:08:59.640 So we have worked very closely with the Air Force 01:08:59.640 --> 01:09:01.290 on the development of our cyber capabilities 01:09:01.290 --> 01:09:02.800 to the first part of your question. 01:09:02.800 --> 01:09:05.340 In fact roughly 39 of our 133 teams 01:09:05.340 --> 01:09:06.960 are from the U.S. Air Force, 01:09:06.960 --> 01:09:09.840 so a very strong working relationship with the Air Force, 01:09:09.840 --> 01:09:11.890 and a very, very good joint force headquarters 01:09:11.890 --> 01:09:13.620 in Lackland Air Force Base in Texas 01:09:13.620 --> 01:09:17.540 that we've been reliant upon for many missions. 01:09:17.540 --> 01:09:20.540 In terms of, in terms of space, 01:09:20.540 --> 01:09:22.950 we at U.S. Cyber Command are in close partnership 01:09:22.950 --> 01:09:26.160 with not only the Air Force, but U.S. Space Command, 01:09:26.160 --> 01:09:27.390 working with General Raymond 01:09:27.390 --> 01:09:30.650 in terms of how do we ensure a couple things. 01:09:30.650 --> 01:09:32.380 First of all, the defense of his networks. 01:09:32.380 --> 01:09:34.697 So working between U.S. Cyber Command, 01:09:34.697 --> 01:09:37.090 the National Security Agency, U.S. Space Com, 01:09:37.090 --> 01:09:40.350 how do we ensure the criticality of his communications? 01:09:40.350 --> 01:09:43.290 Secondly, what are the options for full-spectrum operations 01:09:43.290 --> 01:09:46.390 that we might be able to conduct from space 01:09:46.390 --> 01:09:47.613 that impact cyber? 01:09:48.640 --> 01:09:51.600 We're very, very excited about the possibility 01:09:51.600 --> 01:09:54.573 of the instantiation of U.S. Space Command. 01:09:55.510 --> 01:09:57.280 Being the the newest kid on the block, 01:09:57.280 --> 01:10:00.460 I think that they would obviously provide, 01:10:00.460 --> 01:10:03.030 as the department and the administration have indicated, 01:10:03.030 --> 01:10:04.320 a great capability. 01:10:04.320 --> 01:10:07.190 We see the importance of space every single day, 01:10:07.190 --> 01:10:09.680 not only for intelligence gathering, 01:10:09.680 --> 01:10:12.540 but also for looking at possible options 01:10:12.540 --> 01:10:14.673 as we look at adversaries for the future. 01:10:16.940 --> 01:10:20.250 - So do you have any reticence at all 01:10:20.250 --> 01:10:22.260 in terms of the interaction of what would be 01:10:22.260 --> 01:10:24.860 a new force, or are you looking forward 01:10:24.860 --> 01:10:29.860 to that opportunity to integrate with something like that? 01:10:29.960 --> 01:10:31.730 - Really looking forward to integrating with it. 01:10:31.730 --> 01:10:32.883 I think there are great capabilities, 01:10:32.883 --> 01:10:35.310 that we see the importance of space 01:10:35.310 --> 01:10:38.140 whether or not we're on the defensive side 01:10:38.140 --> 01:10:40.150 or he offensive side, and this is one of the areas 01:10:40.150 --> 01:10:42.070 that we think has got great capability. 01:10:42.070 --> 01:10:44.630 - Thank you so much for the answer to that question. 01:10:44.630 --> 01:10:46.300 My second one, fairly unrelated, 01:10:46.300 --> 01:10:47.990 has to do with memory chips and the fact 01:10:47.990 --> 01:10:50.620 that we only manufacture about 20% 01:10:50.620 --> 01:10:52.130 of the world's memory chips, 01:10:52.130 --> 01:10:54.040 and I'm wondering if you could comment, 01:10:54.040 --> 01:10:55.760 either one of you, on whether or not 01:10:55.760 --> 01:10:58.330 you feel as though we need to have organic capability 01:10:58.330 --> 01:11:01.420 of doing that domestically, whether for defense 01:11:01.420 --> 01:11:03.680 or civilian purposes, and how you think 01:11:03.680 --> 01:11:05.210 we as a congress might be helpful 01:11:05.210 --> 01:11:07.643 in helping that, if you in fact believe 01:11:07.643 --> 01:11:10.850 that we should be more independent in that area? 01:11:10.850 --> 01:11:14.710 - Well, I'll just give a high level on that. 01:11:14.710 --> 01:11:17.940 We are very concerned about supply chain security, 01:11:17.940 --> 01:11:19.890 particularly for sensitive systems 01:11:19.890 --> 01:11:22.930 or systems that may provide access to adversaries. 01:11:22.930 --> 01:11:25.650 So we are looking at the entire supply chain 01:11:25.650 --> 01:11:28.560 to understand where and what systems 01:11:28.560 --> 01:11:31.160 might be most vulnerable, and how we can improve 01:11:31.160 --> 01:11:35.123 the surety associated with these chips and other elements. 01:11:37.397 --> 01:11:38.230 Anything? 01:11:40.618 --> 01:11:41.620 - Sir, do you have any other? 01:11:41.620 --> 01:11:44.390 - Yeah, so I mean, I think that the secretary 01:11:44.390 --> 01:11:47.350 has characterized it well in terms of one of the areas 01:11:47.350 --> 01:11:49.470 that we have to ensure, and this is the world 01:11:49.470 --> 01:11:50.570 in which we live. 01:11:50.570 --> 01:11:51.650 Where they're being made today, 01:11:51.650 --> 01:11:53.360 is we have to have verification, 01:11:53.360 --> 01:11:54.970 and the way that we do that verification, 01:11:54.970 --> 01:11:56.650 whether or not it's appropriately written 01:11:56.650 --> 01:11:58.200 into our contracts or whether or not 01:11:58.200 --> 01:12:00.140 it's being conducted periodically 01:12:00.140 --> 01:12:04.210 to ensure the veracity of these chips 01:12:04.210 --> 01:12:09.210 and their assurance that they will be obviously effective, 01:12:11.397 --> 01:12:13.597 and they're doing is really important to us. 01:12:14.490 --> 01:12:15.390 - Can you comment. 01:12:15.390 --> 01:12:17.060 I have another 49 seconds or so, 01:12:17.060 --> 01:12:19.090 on anything that we as a congress can be doing 01:12:19.090 --> 01:12:22.040 to be helpful to begin the process 01:12:22.040 --> 01:12:23.790 of allowing us to be a little bit more independent 01:12:23.790 --> 01:12:24.623 in that area? 01:12:26.180 --> 01:12:28.070 - Well, I would just say that we're working 01:12:28.070 --> 01:12:30.990 very closely with industry as well as 01:12:30.990 --> 01:12:34.810 with the cross-cutting teams associated with the assessment, 01:12:34.810 --> 01:12:36.580 the vulnerability assessment, 01:12:36.580 --> 01:12:39.160 to inform what the most effective approach 01:12:39.160 --> 01:12:41.540 is going to be to ensuring the surety 01:12:41.540 --> 01:12:44.780 of, first, national defense systems, 01:12:44.780 --> 01:12:46.880 but it expands more widely to that. 01:12:46.880 --> 01:12:49.470 So there are locations in the United States 01:12:49.470 --> 01:12:50.920 where secure chips are built 01:12:50.920 --> 01:12:52.520 but it's not at the scale 01:12:52.520 --> 01:12:54.390 that would would cover all the needs 01:12:54.390 --> 01:12:58.410 if there are concerns of of a range of systems 01:12:58.410 --> 01:13:00.090 that could be entry points. 01:13:00.090 --> 01:13:03.640 So I don't know that we're at the point right now, 01:13:03.640 --> 01:13:07.233 but we may be coming to that point going forward. 01:13:08.200 --> 01:13:09.570 - Thank you very much gentlemen. 01:13:09.570 --> 01:13:11.100 I yield back. 01:13:11.100 --> 01:13:13.009 - Thank you Ms. Houlahan. 01:13:13.009 --> 01:13:16.342 I recognize Mrs Traham for five minutes. 01:13:18.150 --> 01:13:19.400 - Thank you Mr. Chairman. 01:13:20.590 --> 01:13:23.790 So recognizing that scaling is, 01:13:23.790 --> 01:13:24.760 I mean that that's a challenge 01:13:24.760 --> 01:13:27.060 no matter what industry you're in. 01:13:27.060 --> 01:13:31.060 In terms of the Cyber Mission Force, 01:13:31.060 --> 01:13:34.600 the 4,400 people, 133 teams, 01:13:34.600 --> 01:13:36.680 can you just give us a sense 01:13:36.680 --> 01:13:39.280 of how this team needs to grow 01:13:39.280 --> 01:13:42.040 in the next two to three years, 01:13:42.040 --> 01:13:45.360 not just to meet the threat or catch up, 01:13:45.360 --> 01:13:48.333 but to lead cybersecurity. 01:13:49.210 --> 01:13:51.970 - Congressman, I think the piece I would offer, 01:13:51.970 --> 01:13:54.860 so we have 133 teams on the active side. 01:13:54.860 --> 01:13:56.390 The piece that we're focusing now 01:13:56.390 --> 01:13:58.400 is the growth on the reserve, 01:13:58.400 --> 01:14:00.290 and the National Guard side. 01:14:00.290 --> 01:14:02.810 So the Army is going to build 21 additional teams. 01:14:02.810 --> 01:14:05.670 They're defensive teams, they'll be built, 01:14:05.670 --> 01:14:09.670 all of the National Guard teams done by 2022 01:14:09.670 --> 01:14:13.230 and all of the Army Reserve teams done by 2024. 01:14:13.230 --> 01:14:16.140 21 more teams is a tremendous amount of capacity 01:14:16.140 --> 01:14:16.973 that brings to us. 01:14:16.973 --> 01:14:20.530 I think it's the strategic depth that we as a nation need. 01:14:20.530 --> 01:14:22.530 To your point, then, one of the areas 01:14:22.530 --> 01:14:24.020 that we're starting to think to is 01:14:24.020 --> 01:14:27.270 how do we effectively use that new capacity 01:14:27.270 --> 01:14:29.130 that's gonna come on board in the next couple years. 01:14:29.130 --> 01:14:31.100 That's what we're starting to assess now, 01:14:31.100 --> 01:14:33.240 to the point of are their critical infrastructure 01:14:33.240 --> 01:14:34.960 partnerships that we should start forming now 01:14:34.960 --> 01:14:36.450 with the teams that are coming on? 01:14:36.450 --> 01:14:37.610 Are there other mission sets 01:14:37.610 --> 01:14:40.440 that make make a lot of sense for this new capacity? 01:14:40.440 --> 01:14:42.660 So we're excited about that. 01:14:42.660 --> 01:14:44.080 The Army has moved out on that, 01:14:44.080 --> 01:14:46.150 and they're ahead of schedule in building those teams. 01:14:46.150 --> 01:14:50.870 - Great, so you had mentioned, General Nakasone, 01:14:50.870 --> 01:14:52.943 that the biggest challenge is retention. 01:14:54.230 --> 01:14:56.500 Can you comment on the challenges, 01:14:56.500 --> 01:15:00.223 or the the root cause of some, of retaining our talent? 01:15:03.870 --> 01:15:05.930 - I think that if you think about the talent 01:15:05.930 --> 01:15:08.660 that I was describing, the people that really are 01:15:08.660 --> 01:15:11.730 10 or 20 times better than their peers. 01:15:11.730 --> 01:15:14.210 The first challenge is is that they are looking 01:15:14.210 --> 01:15:18.090 for great missions that they can work, 01:15:18.090 --> 01:15:18.990 and that's one of the things 01:15:18.990 --> 01:15:20.660 that we think we offer many times. 01:15:20.660 --> 01:15:23.120 I mean it's hard to imagine places that you could go 01:15:23.120 --> 01:15:25.360 to do the things that we do in our Mission Force 01:15:25.360 --> 01:15:27.250 or at the National Security Agency. 01:15:27.250 --> 01:15:29.240 But that's only so far, and I think 01:15:29.240 --> 01:15:32.890 that the other piece of it is is that we realize 01:15:32.890 --> 01:15:36.290 that there may be folks that wanna come into the Army, 01:15:36.290 --> 01:15:39.387 whether or not it's as a military or civilian member, 01:15:39.387 --> 01:15:41.660 and only wanna stay for five or six years. 01:15:41.660 --> 01:15:43.980 Not everyone's like yourself in terms of staying 01:15:43.980 --> 01:15:45.761 20 or 25, or 30 I guess years. 01:15:45.761 --> 01:15:46.899 - [Lori] I just got here. 01:15:46.899 --> 01:15:48.239 I just got here. 01:15:48.239 --> 01:15:49.072 (audience laughs) 01:15:49.072 --> 01:15:49.933 - Myself, I should say. 01:15:51.030 --> 01:15:54.300 But that's a little bit of change in our thinking. 01:15:54.300 --> 01:15:55.860 And so we've got to change too, 01:15:55.860 --> 01:15:57.080 and saying if they're only going to be here 01:15:57.080 --> 01:15:59.940 five or six years, how do we effectively use them? 01:15:59.940 --> 01:16:01.343 Because those five or six years, 01:16:01.343 --> 01:16:04.120 they could be really, really impactful for the nation. 01:16:04.120 --> 01:16:06.630 - Sure, and optimizing around that, 01:16:06.630 --> 01:16:08.320 once you know what your churn rate is, 01:16:08.320 --> 01:16:09.230 I think is important. 01:16:09.230 --> 01:16:12.480 And so I guess my, my follow-on question, 01:16:12.480 --> 01:16:14.020 I came from business operations, 01:16:14.020 --> 01:16:15.160 so you'll have to forgive me, 01:16:15.160 --> 01:16:18.220 but if retention is an issue, 01:16:18.220 --> 01:16:21.220 and we know that folks are going to churn after five years, 01:16:21.220 --> 01:16:25.120 is the Guard enough to fill the pipeline 01:16:25.120 --> 01:16:27.950 given the cost of, the cost of training, 01:16:27.950 --> 01:16:31.760 and onboarding, and your current churn rate, 01:16:31.760 --> 01:16:33.150 or even your projected churn rate, 01:16:33.150 --> 01:16:34.210 is that enough? 01:16:34.210 --> 01:16:36.070 And I guess where I'm going, 01:16:36.070 --> 01:16:37.020 you can answer that question, 01:16:37.020 --> 01:16:39.530 but I'll just give you my end question, 01:16:39.530 --> 01:16:41.970 is there anything that Congress can be doing 01:16:41.970 --> 01:16:45.270 to address cybersecurity education, 01:16:45.270 --> 01:16:47.450 workforce development, those challenges 01:16:47.450 --> 01:16:50.070 with filling your pipeline beyond what we've, 01:16:50.070 --> 01:16:51.670 what we're thinking about today? 01:16:54.600 --> 01:16:56.540 - I think the last point that you made 01:16:56.540 --> 01:16:59.100 with regards to building a supply base 01:16:59.100 --> 01:17:00.060 is really important. 01:17:00.060 --> 01:17:04.480 So when we look to recruit, we're looking for a population 01:17:04.480 --> 01:17:06.300 that is science, technology, engineering, 01:17:06.300 --> 01:17:10.100 mathematics enabled, and so as we think about this 01:17:10.100 --> 01:17:11.990 as a nation, we think about it obviously 01:17:11.990 --> 01:17:14.960 in the Department of Defense of how do we engender 01:17:14.960 --> 01:17:18.000 that type of support within our young people? 01:17:18.000 --> 01:17:19.300 I know at the National Security Agency 01:17:19.300 --> 01:17:21.180 we're working through a series of different camps 01:17:21.180 --> 01:17:23.940 that we sponsor from K through 12. 01:17:23.940 --> 01:17:26.080 Last year we touched 13,000 young people 01:17:26.080 --> 01:17:29.820 and 3,000 teachers for a fairly small investment. 01:17:29.820 --> 01:17:31.900 That's the kind of, I guess, population 01:17:31.900 --> 01:17:32.760 that we're trying to develop, 01:17:32.760 --> 01:17:35.200 so not only that the Department can recruit from, 01:17:35.200 --> 01:17:38.010 but obviously our nation can as well. 01:17:38.010 --> 01:17:39.580 - Great, thank you. 01:17:39.580 --> 01:17:41.590 Did you have anything to comment, Mr. Secretary? 01:17:41.590 --> 01:17:43.340 - I was just gonna note that, 01:17:43.340 --> 01:17:46.510 and this is certainly embodied in Cyber Excepted Service, 01:17:46.510 --> 01:17:48.930 which we very much appreciate from Congress, 01:17:48.930 --> 01:17:52.220 but it's a soup to nuts in terms of, 01:17:52.220 --> 01:17:53.840 as General Nakasone mentioned, 01:17:53.840 --> 01:17:55.790 how and where do we best recruit? 01:17:55.790 --> 01:17:57.840 How do we develop an understanding 01:17:57.840 --> 01:18:00.320 amongst this talent pool about what we offer 01:18:00.320 --> 01:18:02.060 within the Department of Defense? 01:18:02.060 --> 01:18:04.600 And then its how do we ensure 01:18:04.600 --> 01:18:06.600 that they are getting professional development 01:18:06.600 --> 01:18:08.750 horizontally and vertically? 01:18:08.750 --> 01:18:12.120 And ultimately, as all very capable people 01:18:12.120 --> 01:18:14.500 who are driven, they wanna understand 01:18:14.500 --> 01:18:17.310 and they want to have offered to them 01:18:17.310 --> 01:18:18.980 ability to advance. 01:18:18.980 --> 01:18:21.110 So how are we ensuring we're doing that 01:18:21.110 --> 01:18:24.350 so we're able to keep the best and the brightest? 01:18:24.350 --> 01:18:26.770 We know that a number of them will rotate out, 01:18:26.770 --> 01:18:29.290 but we wanna build a certain percentage 01:18:29.290 --> 01:18:31.150 that are gonna stay over the longer term. 01:18:31.150 --> 01:18:32.700 - Yep, I couldn't agree more. 01:18:32.700 --> 01:18:36.650 I mean look, this is an enormous opportunity 01:18:36.650 --> 01:18:41.120 for our economy while also securing our country. 01:18:41.120 --> 01:18:44.100 So thinking through and co-producing programs 01:18:44.100 --> 01:18:47.700 beyond K through 12 to get people the credentials 01:18:47.700 --> 01:18:51.690 that they need to serve, I think is a noble partnership 01:18:51.690 --> 01:18:52.700 on our behalf. 01:18:52.700 --> 01:18:53.900 Thank you, I yield back. 01:18:56.450 --> 01:18:57.600 - Thank you Ms. Traham. 01:18:58.580 --> 01:19:01.160 I just wanted to mention, General Nakasone, 01:19:01.160 --> 01:19:05.030 you had mentioned the collaboration synchronization 01:19:05.030 --> 01:19:10.030 with the Space Force, but now obviously 01:19:10.840 --> 01:19:12.780 that also could mean that we're gonna be, 01:19:12.780 --> 01:19:14.900 you're gonna be competing with people, 01:19:14.900 --> 01:19:18.500 talent, and dollars for resources as well. 01:19:18.500 --> 01:19:21.373 So another challenge you're gonna have to deal with. 01:19:23.234 --> 01:19:25.284 Ms Slotkin's recognized for five minutes. 01:19:26.470 --> 01:19:27.303 - Thank you. 01:19:28.230 --> 01:19:30.120 I apologize for being late, we had another 01:19:30.120 --> 01:19:32.750 subcommittee hearing right in the middle. 01:19:32.750 --> 01:19:35.850 My question actually goes back to something 01:19:35.850 --> 01:19:38.670 that Congressman Kim was talking about. 01:19:38.670 --> 01:19:41.010 I'm a former Pentagon assistant secretary 01:19:41.010 --> 01:19:45.920 and I cannot explain to people in public 01:19:45.920 --> 01:19:48.600 what we are doing to push back. 01:19:48.600 --> 01:19:50.980 And all of the people that come to my, 01:19:50.980 --> 01:19:52.960 you know on cyber attacks, sorry, 01:19:52.960 --> 01:19:54.490 let me finish my sentence. 01:19:54.490 --> 01:19:59.490 The people will ask me from the small township officials 01:20:00.590 --> 01:20:02.920 to the average person who's had their credit card data 01:20:02.920 --> 01:20:06.530 taken by a corporation, it feels like 01:20:06.530 --> 01:20:10.040 we're being smacked in the face every single day. 01:20:10.040 --> 01:20:12.380 What are we, let's way you're from the Pentagon, 01:20:12.380 --> 01:20:15.483 what can we, what are we doing to actually fight back? 01:20:16.386 --> 01:20:21.386 And it is concerning to me that I can't tell them, 01:20:23.200 --> 01:20:25.300 I don't wanna tell them anything classified, 01:20:25.300 --> 01:20:27.460 but I want to be able to say 01:20:27.460 --> 01:20:29.580 we're not just sitting down and taking it, 01:20:29.580 --> 01:20:31.100 and here are some things I can say 01:20:31.100 --> 01:20:33.890 it in an unclassified basis. 01:20:33.890 --> 01:20:36.163 And then secondly, just help me understand, 01:20:38.190 --> 01:20:39.440 if you grow up in the defense world, 01:20:39.440 --> 01:20:41.420 you grow up with a model of deterrence right? 01:20:41.420 --> 01:20:44.110 Conventionally nuclear weapons, 01:20:44.110 --> 01:20:47.090 we need to maintain a strong deterrent 01:20:47.090 --> 01:20:49.510 and I would love your help understanding 01:20:49.510 --> 01:20:51.600 how we're doing that in the cyber realm. 01:20:51.600 --> 01:20:53.270 What are we doing to deter 01:20:53.270 --> 01:20:56.510 what feels like constant attacks on us? 01:20:56.510 --> 01:21:00.070 In a way that, again, reassures me and others 01:21:00.070 --> 01:21:03.130 who are concerned that there is some price to pay 01:21:03.130 --> 01:21:05.623 for the constant barrage that we're receiving? 01:21:07.470 --> 01:21:08.950 - I'll take your second question, 01:21:08.950 --> 01:21:12.890 and have General Nakasone take your first. 01:21:12.890 --> 01:21:17.300 Deterrence is really about denying benefit 01:21:17.300 --> 01:21:20.440 and imposing consequences on adversaries 01:21:20.440 --> 01:21:23.370 in a way that's predictable enough for them 01:21:23.370 --> 01:21:27.760 that it dissuades or deters them from continuing them. 01:21:27.760 --> 01:21:31.250 Historically, we have not done that in cyberspace, 01:21:31.250 --> 01:21:34.800 and that really is the paradigm shift 01:21:34.800 --> 01:21:38.730 that is really laid out in our strategy. 01:21:38.730 --> 01:21:42.770 The third component of that is strategic messaging. 01:21:42.770 --> 01:21:45.890 How do we ensure that we in concert with allies 01:21:45.890 --> 01:21:48.600 and partners, the rest of the international community, 01:21:48.600 --> 01:21:51.160 that also, of course, 01:21:51.160 --> 01:21:53.680 this kind of malevolent cyber activities, 01:21:53.680 --> 01:21:57.520 how do we galvanize this in some sense 01:21:57.520 --> 01:22:01.320 or sometimes silent majority, to really focus 01:22:01.320 --> 01:22:04.810 on those actors who are creating the most problems? 01:22:04.810 --> 01:22:09.040 So that is really what defending forward is all about. 01:22:09.040 --> 01:22:11.730 That is what persistent engagement 01:22:11.730 --> 01:22:14.080 at the combatant command level is all about. 01:22:14.080 --> 01:22:16.100 It's the engagement, and it's about 01:22:16.100 --> 01:22:18.793 addressing the source of these threats. 01:22:20.870 --> 01:22:23.290 - Congresswoman, to your first point, 01:22:23.290 --> 01:22:26.370 I would turn back to, again, the recent elections, 01:22:26.370 --> 01:22:30.740 and what did we as a government do 01:22:30.740 --> 01:22:33.063 to ensure a safe and secure elections. 01:22:34.150 --> 01:22:37.880 I think that the model of bringing together, 01:22:37.880 --> 01:22:40.280 whether or not it was the Department of Defense, 01:22:40.280 --> 01:22:41.430 the Federal Bureau of Investigation, 01:22:41.430 --> 01:22:44.460 Department of Justice, Department of Homeland Security, 01:22:44.460 --> 01:22:47.710 throughout the summer, very, very public appearances 01:22:47.710 --> 01:22:50.240 in terms of we are going to ensure 01:22:50.240 --> 01:22:51.970 a safe and secure election. 01:22:51.970 --> 01:22:54.500 So we did work very, very closely 01:22:54.500 --> 01:22:55.720 with the Department of Homeland Security 01:22:55.720 --> 01:22:57.560 to protect our election infrastructure. 01:22:57.560 --> 01:22:59.680 We did work very, very closely 01:22:59.680 --> 01:23:00.970 with the Federal Bureau of Investigation 01:23:00.970 --> 01:23:04.820 to stop influence operations from other non-nation states 01:23:04.820 --> 01:23:07.100 and nation states from impacting our people. 01:23:07.100 --> 01:23:12.100 And we did obviously conduct actions 01:23:12.300 --> 01:23:13.760 to ensure that any adversary 01:23:13.760 --> 01:23:17.583 that was attempting to interfere 01:23:18.950 --> 01:23:21.510 with our democratic processes, that we'd address. 01:23:21.510 --> 01:23:23.590 That's different than what we had done in the past 01:23:23.590 --> 01:23:24.910 as the Secretary had mentioned, 01:23:24.910 --> 01:23:27.500 and I think that that's a very, very good model 01:23:27.500 --> 01:23:29.100 of where we need to move forward. 01:23:29.100 --> 01:23:31.690 Because we have to, we have to make sure 01:23:31.690 --> 01:23:33.500 that obviously our adversaries, 01:23:33.500 --> 01:23:35.660 and certainly the American people understand 01:23:35.660 --> 01:23:39.023 that this is something that is obviously worth defending. 01:23:41.490 --> 01:23:45.560 - So just so I understand, you think that our response 01:23:45.560 --> 01:23:48.443 to attempts to meddle in our elections, 01:23:49.460 --> 01:23:52.810 that response provided some pain 01:23:52.810 --> 01:23:55.690 or put some pain on those who were trying to meddle 01:23:55.690 --> 01:23:57.540 and therefore they won't do it again? 01:23:58.540 --> 01:24:01.890 - So I certainly can't assert they won't do it again. 01:24:01.890 --> 01:24:03.450 But they should certainly know, 01:24:03.450 --> 01:24:06.630 after what has occurred, that we're not gonna stand back 01:24:06.630 --> 01:24:09.120 and be responsive in our approach. 01:24:09.120 --> 01:24:11.627 That we're gonna defend, obviously, 01:24:11.627 --> 01:24:13.410 one of the most important things that we have 01:24:13.410 --> 01:24:16.150 in our nation, which is our democratic processes. 01:24:16.150 --> 01:24:17.450 - Thank you, I yield back. 01:24:19.470 --> 01:24:20.910 - Thank you for the line of questioning. 01:24:20.910 --> 01:24:25.426 And with its election operations, 01:24:25.426 --> 01:24:28.760 or other things in the gray zone conflict, 01:24:28.760 --> 01:24:32.590 I think it's important that we meet them 01:24:32.590 --> 01:24:34.680 at every challenge, and I think we're gonna see 01:24:34.680 --> 01:24:37.300 more and more of this conflict in the gray zone, 01:24:37.300 --> 01:24:39.670 below the threshold of armed conflict. 01:24:39.670 --> 01:24:42.850 I think it, we ignore those activities, 01:24:42.850 --> 01:24:47.460 I think, at our detriment, and so we've gotta run the board, 01:24:47.460 --> 01:24:49.670 and confront them everywhere. 01:24:49.670 --> 01:24:51.150 Anytime that they're doing something 01:24:51.150 --> 01:24:53.750 that, our enemies or adversaries do something, 01:24:53.750 --> 01:24:55.800 that goes unanswered, it, I think, 01:24:55.800 --> 01:24:58.700 just emboldens them further, in my opinion. 01:24:58.700 --> 01:25:03.240 So I think that's all part of the whole concept 01:25:03.240 --> 01:25:06.520 that we've now undertaken of defending forward, 01:25:06.520 --> 01:25:10.643 is this confronting them, where we have to meet them. 01:25:12.490 --> 01:25:14.890 Unless Mr. Cooper or Mr. Conaway have questions, 01:25:16.230 --> 01:25:18.380 we are going to now go to the closed session. 01:25:18.380 --> 01:25:21.353 So the committee stands in recess 01:25:25.040 --> 01:25:28.211 until the closed session begins. 01:25:28.211 --> 01:25:29.044 (gavel bangs) 01:25:29.044 --> 01:25:29.877 Thank you.