tv Politics and Public Policy Today CSPAN October 5, 2015 6:00pm-7:01pm EDT
will continue and probably accelerate until we establish and demonstrate the capability to deter malicious state sponsored activity. a credible deterrent depends on norms of cyberbehavior by the international community. so in summary, the cyberthreats to u.s. and economic security have been increasing and diverse, sophisticated and harmful. there are a variety of entities that work the cyberproblem. law enforcement, intelligence and sector specific agencies like treasury and energy. and every day each of these centers and entities get better at what they do individually. i believe now we've reached the point where we think it's time to knit together all the intelligence these separate activities need to defend our networks because while these entities may be defending different networks, they're often defending against the same threats. that's one reason the president directed me to form a small center to integrate cyberthreat and intelligence. and i strongly believe the time
has come for the creation of such a center to parallel the centers that we operate for counterterrorism, counter proliferation and counter intelligence and security. with that, let me turn to deputy secretary work. >> chairman mccain, ranking member reed, distinguished members of the committee, thank you very much for inviting us here this morning to talk about the threats of cyber. this committee has led the way in discussing the threats and the response to these threats and the department looks forward to working with the committee to get better in this regard. as dni clapper said, cyberintrusions and attacks by both state and nonstate actors have increased dramatically in recent years and increasingly troubling are the scale of state sponsored cyberactors breaching u.s. government and business networks. these adversaries continually
adapt, threatening our networks and systems of the department of defense, our nation's critical infrastructure, and u.s. companies and interests globally. the recent spate of cyberevents to include the intrusion into opm, the attacks on sony and the joint staff networks by three separate state actors is not just espionage of convenience, but a threat to our national security. as one of our responses to this growing threat we released in 2015 the dod cyberstrategy, which will guide the development of our cyberforces and strengthen our cybersecurity and cyberdeterrent posture. that is its aim. the department is pushing hard to achieve the department's three core missions as defined in the strategy. the first and absolutely most important mission is to defend dod network systems and information. secretary carter has made this the number one priority in the department, and we are really getting after it now. second, to defend the nation
against cyberevents of subsequent consequence, and third, to provide cybersupport operational and contingency plans. the u.s. cybercommand may be conducted to direct cyberoperations in coordination with other government agencies as appropriate to deter to defeat strategic threats and other demands. my submitted statement to mr. chairman contains additional detail on how we're moving out to achieve these three strategic goals. but i would like to highlight a particular focus on deterrence, especially since i know this is key in the minds of most of the members here. i want to acknowledge up-front that the secretary and i recognize that we are not where we need to be in our deterrent posture. we do believe that there are some things that the department is doing that are working, but we need to improve in this area without question. and that's why we've revised our cyberstrategy. deterrence is a function of perception. it works by convincing any
potential adversary that the costs of conducting the attack far outweigh any potential benefits and therefore the three main pillars of our current cyberstrategy in terms of deterrence are denial, resilience, and cost imposition. denial means preventing the cyberadversary from achieving his objectives. resilience is that our systems will continue to perform their essential military taskings even when they are contested and cost imposition is the ability to make our adversaries to pay a much higher price. i would like to briefly discuss these three elements. to deny the attacker the ability to adversely impact our military missions, we have to better defend our own information networks and data. and we think the investments we have made in these capabilities are starting to bear fruit. but we recognize the technical upgrades are only part of the solution. nearly every single one of the
successful network exploitations that we have had to deal with can be traced to one or more human errors, which allowed an entry into our network. so raising the level of individual cybersecurity awareness and performance is absolutely paramount. accordingly, we're working to transform our cybersecurity culture, something that we ignored for a long time, either long-term by improving human performance and accountability in this regard. as part of this effort, we have just recently published a cybersecurity discipline implementation plan and a scorecard that is brought before the secretary and me every month, and they're critical to achieving this goal of mitigating risks to dod missions. this scorecard holds commanders accountable for hardening and protecting their end points and critical systems, and also have them hold accountable their personnel. and direct, as i said, the compliance reporting to the secretary and me on a monthly basis.
the first scorecard was published in august of this year, and it is being added to and improved as we go. denial also means defending the nation against cyberthreats of significant consequence. the president has directed dod, working in partnership with our other agencies, to be prepared to blunt and stop the most dangerous cyberevents. there may be times where the president and the secretary of defense directs dod and others to conduct a defensive cyberoperation to stop a cyberattack from impacting our national interests. and that means building and maintaining the capabilities to do just that. this is a challenging mission requiring high-end capabilities and extremely highly trained teams. we're building our cybermission force and deepening our partnership with law enforcement in the intelligence community to do that. the second principle is improving resiliency by reducing the ability of our adversaries to attack us through cyberspace
and by protecting our ability to protect missions in a degraded cyberenvironment. our adversaries view dod's dependency as a potential wartime vulnerability. we view our ability to fight through cyber attacks as a critical mission function. that means normalizing cybersecurity as part of our mission assurance efforts, building redundancy when possible, training constantly to operate in a contested cyberenvironment. adversaries have to see that these cyberattacks will not provide them a significant operational advantage. and the third aspect of deterrence is having to demonstrate a capability to respond through cyber or noncyber means to impose costs on a potential adversary. the administration has made clear that we will respond to cyber attacks in a time, manner and place of our choosing, and the department has developed cyberoptions to hold an aggressor at risk in cyberspace if required. successfully executing our missions requires a whole of government and whole of nation approach. and for that reason, dod
continues to work with our partners and the other federal departments, agencies and the private sector and our partners around the world, to address the shared challenges we face. secretary carter has placed particular emphasis on partnering with the private sector. the department doesn't have all of the answers and is working with industry. we think it will be very, very critical. finally, our relationship with congress is absolutely critical. the secretary and i very much appreciate the support provided to dod cyberactivities throughout, from the very beginning, and we understand and we are looking forward to the national defense authorization act to see if there are other improvements we have -- we can do. i encourage continued efforts to pass legislation on cybersecurity information sharing. we think that is absolutely critical. data breach notification and law enforcement provisions related to cybersecurity, which were included in the president's legislative proposal submitted earlier this year.
i know you agree that the american people expect us to defend the country against threats of significant consequence. the secretary and i look forward to working with the committee and congress to make sure that we take every step possible to confront the substantial risks we face in the cyber realm. thank you again for inviting us here today and giving the attention that you have always given to this urgent matter. i'd like to pass it on now to admiral rogers, if that is okay, mr. chairman. >> sir. >> chairman mccain, ranking member reed and distinguished members of the committee, i am honored to appear before you today to discuss u.s. cyberpolicy and the state of cyberthreats worldwide. i'd like to thank you for convening this forum and for your efforts in this important area. i'm also honored to be sitting alongside director clapper and deputy secretary of defense work. it gives me great pride to appear before you today to highlight and commend the accomplishments of the uniformed and civilian personnel of u.s. cybercommand. i'm both grateful for and
humbled by the opportunity i have been given to lead our cyberteam in the important work they do in defense of our nation and our department. we're being challenged as never before to defend our nation's interest and values in cyberspace against state groups and individuals that are using sophisticated capabilities to conduct cyberaggression and cyberexploitation. the targets of their efforts extend well beyond government and in privately owned businesses and personally identifiable information. our military is in constant contact with agile, learning adversaries in cyberspace, adversaries that have shown the capacity and the willingness to take action against soft targets in the united states. and there are countries that are integrating cyberoperations into a total strategic concept for advancing their regional ambitions. they use cyberoperations to influence the perception and actions of states around them and to shape what we see as our options for supporting allies and friends in a crisis. we need to deter these activities by showing that they
are unacceptable, unprofitable, and risky for the instigators. u.s. cybercommand is building capabilities that can contribute to cross domain deterrence. we are hardening our networks and showing it won't be easy. we're creating the mission force, trained and ready like any other maneuver element that is defending dod networks, supporting joint force commanders and helping to defend critical infrastructure within our nation. we are partnering with federal, foreign, and industry partners and exercising together regularly to rehearse concepts and responses to destructive cyber attacks against critical infrastructures. we are generating options for commanders and policymakers across all phases of the conflict and particularly in phase zero to hold at risk what our adversaries truly value. the demand outstrips supply, but we continue to rapidly mature
and the hard work of the men and women of the u.s. cybercommand and our cybercomponents as well as our broader partners. i would like to assure the committee that u.s. cybercommand has made measurable progress. we're achieving significant operational outcomes and we have a clear path ahead. with that, thank you again, mr. chairman, and members of the convening this forum, inviting all of us to speak. our progress has been made possible in no small part because of support from this committee and other stakeholders. unity of effort within our department and across the u.s. government within this mission set is essential, and i appreciate our continued partnership as we build our nation's cyberdefenses and welcome your question. >> thank you, admiral and thank you, witnesses. director clapper, chief dempsey was asked about various threats to united states security. he said in a whole range of threats we have the significant advantage except in cyber.
do you agree with that assessment? >> it's probably true. we haven't i guess exhibited what our potential capability there is. that's one of the implicit reasons i have highlighted cyberthreats in the last three years of my worldwide threat assessments. >> i thank you. and you have done that i think at least to great effect before this committee. as a result of the leader -- the chinese leader in washington, there was some agreement announced between the united states and china. do you believe that that will result in an elimination of chinese cyberattacks? >> well, hope springs eternal. i think we will have to watch what their behavior is, and it will be incumbent on the
intelligence community i think to depict, portray to our policymakers what behavior changes if any result from this agreement. >> are you optimistic? >> no. >> thank you. admiral rogers, you recently stated, quote, there is a perception, quote, there is little price to pay for engaging in some pretty aggressive behaviors. and because of a lack of repercussions, you see actors, nation states, indeed willing to do more. and this was what you said. what is required? what action is required to deter these attacks since there is little price to pay? what do we have to do to make it a heavy price to pay? >> i think we have to clearly articulate in broad terms what is acceptable and unacceptable norms. clearly articulate that as a nation we are developing a set of capabilities. we are prepared to use those capabilities if there is required
they're not necessarily our preference. we clearly want to engage in a dialogue with those around us. but on the other hand, we do have to acknowledge the current situation we find ourselves in. i don't think there is anyone who would agree that it is acceptable and it is in our best long-term interests as a nation. >> i say with respect. i understand it's not acceptable. but in other words, what would enact a price? would it be relations in other areas? would it be counterattacks? in other words, what actions would be in our range of arsenals to respond? >> so i think it's potentially all of those things. the first comment i would make, i think sony is a very instructive example. one of the things i always remind people of, you need to think about deterrence much more broadly, not just focus in the cyberarena. i thought the response to sony where we talked about the economic options as a nation we would exercise was a good way to remind the world around us that there is a broad set of
capabilities and levers available to us as a nation, and we're prepared to do more than just respond in kind, if you will. >> director clapper, one of the things that has been disappointing to the committee is that in the fiscal year, it required the president to develop an integrated policy. the project is now a year late. can you tell us where we are in that process and what you feel is what might bring the administration in compliance? >> you're asking me about policy development? >> yes. >> i think i would defer to secretary work on that. >> well, mr. chairman, as we have said over and over, we believe our cyberdeterrent strategy is constantly evolving and getting stronger. >> i'm talking about a policy,
not a strategy, mr. secretary. required a policy the fiscal year '14 national defense authorization act. >> the policy is still in development. we believe we have a good cyberstrategy. the policy has been outlined in broad strokes by the -- >> not broad enough, i would think. does it describe whether we deter or where we respond or whether we in other words as far as i know and the committee knows that there has been no specific policy articulated in compliance with the requirement to the defense authorization act. if you believe that it has, i would be very interested in hearing how it has. >> i believe the broad strokes are -- >> i'm not asking broad strokes. suppose there is a cyber attack like the one on opm. do we have a policy as to what we do? >> yes, we do. >> what is that?
>> the first is -- first we deny and then first find out and forensics. >> i'm not asking the methodology. i'm asking the policy. do you respond by counter attacking? do you respond by enacting other measures? what do we do in case of a cyberattack? >> we respond in a time, manner and place -- >> does that mean we counter attack? >> that may be one of the actions. >> that's not a policy, secretary work. that is an exercise in options. we have not got a policy. and for you to sit there and tell me that you do a broad strategy frankly is not in compliance with the law. senator reed? >> thank you very much, mr. chairman. director clapper, we're constantly engaged euphemistically operations with many other nations and they're involved in information operations, as you indicated in
your testimony influence the opinion, disguise activities, disrupt, et cetera. what agencies are under your purview or outside your purview are actually engaged in information operations for the united states in the cyberworld? >> actually, sir, from an intelligence perspective, we would feed that. we don't, at least what i can speak to publicly, engage in that as part of our normal intelligence activities. so we feed other arms, support other arms of the government not only the state department, and those responsible for messaging. the national counterterrorism center has an office that is devoted to, in countering violent extremism context, helping to develop themes or recommending themes based on what we glean
from intelligence for potential vulnerabilities and messages that would appear to various groups to obfuscate the message, disrupt it, or compete with it. generally speaking, intelligence writ large doesn't actively engage in information operations. >> from your perspective, are these other agencies that you provide information to adequately resourced and staffed so they can use it effectively, getting a lot of good insights and sitting around, wondering what they can do? >> if i were king, which i'm not, i think i would have a much more robust capabilities from the standpoint of the resource commitment to counter messaging. >> and that would fall outside the purview of intelligence for the state department as well as other agencies? >> correct. >> i think we're all old enough to remember the voice of america
when it was a pretty dominant sort of source of information. >> well, personal opinion only, not company policy, i would i think perhaps, you know, usia on steroids that would address these messages more broadly and robustly. but that's strictly personal opinion. >> but i think in terms of what you're observing, particularly some of our competitors have extraordinarily robust information operations. they don't lack for resources or personnel. and they're constantly engaged in these information operations. enhancing their image, discrediting their opponents, actively engaging local groups in other countries of interest, et cetera. correct? we're sort of on sidelines more? >> i think that's quite right. and in contrast to us, the russian intelligence services are very active and very aggressively engaged in
messaging. >> thank you. >> admiral rogers, this issue of encryption that director comey pointed to, i think your thoughts would be very helpful. >> to the issue that we find ourselves, this is less for me on the cybercommittee and much more on the nsa side is communications around us increasingly going into encryption where every aspect of the path is encrypted and the data and the communication is protected at a level that with the current state of technology is difficult to overcome. clearly that's in the best interests of the nation in broad terms. and strong encryption is important to a strong internet defense and a well defended internet is in our best interests as a nation and the world's best interests. within that broad framework, though, the challenge we're trying to figure out is realizing that that communication path is used by
very law-abiding citizens, nation states and companies engaged in lawful activity is also being used by criminals, terrorists, nation states who would attempt to generate advantage against the united states and against her allies and partners. and so we're trying to figure out how do we balance these two important imperatives of privacy and security. and realizing it's a technical world around us is changing in a foundational way. so we're trying to come to grips broadly with how do we deal with the reality of the technical world around us and yet the broader legal and social imperatives. i'm the first to acknowledge we do not have a defined way ahead of us. in the end, how do we get the best minds of the nation to deal with this? there is no problem we can't overcome when we work together in an integrated way between the private sector, industry, business, the academic way. i think that's the way ahead in broad terms. >> thank you very much.
thank you, mr. chairman. >> thank you, mr. chairman. senator inhofe is chairing an epw committee. that's why he couldn't be here today. you have given us a good summary on the threats that we face and the threats that are actually occurring today. and i appreciate that. senator mccain asked you about reporting on the policy that congress has asked you to report on. and that not having been done, mr. secretary, in the 2014 ndaa the senate and house agreed on a provision that required the services to report on the cybervulnerabilities of weapons and communication systems connected by networks. something that came out of our strategic subcommittee on a bipartisan basis and was eventually expanded to include all weapon systems, not just satellites and missiles and national missile defense.
we don't have that final report. i believe it's overdue. this budget i believe has $20u million in it to help fund this effort. what can you tell us about that? first, let me say it may take some time. if it does, that i understand. but i don't think we've had any report from the dod to state what progress you have made and how much longer it will take. >> well, again, on both of the points, on the policy we expect that is in the final deliberations. it's an interagency effort. generally trying to establish norms and deterrence is central to the policy. again, it's the denial, resilience and cost imposition. i'm the first to admit that we are the farthest ahead on the denial and the resilience parts. those are the areas where we are moving faster. the cost imposition part, because we have elected to retain the retaliatory mechanism of cyberattacks at the national
level, just like nuclear weapons, because of the risk of escalation -- oh, i'm sorry, sir. >> the vulnerabilities of our weapons systems? >> it is a big, big problem. most -- many of the weapon systems that we have now were not built to withstand a concerted cyberthreat. so going through every single one of the weapon systems, what frank kendall has done is he has prioritized the weapons systems and he is working through very carefully. i expect this work to be done very soon. we now have new requirements in our kpps, our key performance parameters for new missiles. >> so you have assigned an individual? >> absolutely. >> responsible for this? >> yes. frank kendall is the one who is going through all of the different -- working with, obviously, our cio, also the cybercommand and all of our cyberexperts. but he is responsible for taking
a look at the weapons systems, and also requiring kpps, key performance parameters for new weapons systems so that when we build them, that will have cyberdefenses built in from the beginning. >> what about our defense contractors, admiral rogers? they maintain and build these systems and have highly sensitive information. are we satisfied they're sufficiently protected? >> so we certainly acknowledge there is a vulnerability there. we have been very public about our concerns about foreign nation states trying to access some of our key operational technologies through penetrations and the cleared contract arena for us. and we have made changes to the contractual relationships between us and those companies where they have to meet minimum cybersecurity requirements. they have to inform us now of penetrations. we're clearly not where we need to be. but we continue to make progress. >> well, i think it's a bipartisan commitment to help you with that, secretary work. if it takes more money, let us know. we'll have to evaluate it.
and i also understand that some of the protections can be done without much cost. some may require considerable costs. so we hope you will complete that. admiral rogers, you i believe last week reported in "the los angeles times" about the threat from china. you note one thing, that they are involved in obtaining u.s. commercial and trade data that s in advanced nation ally. i was told that one of their companies bid on a contract, and that the chinese had got all the bid data from the web and his comment is it's hard to win a bid when your competitor knows what you're bidding. that kind of thing happening? >> it has been. we have been very public of that. i think that's reflected in the agreement that you saw raised during the president of china's visit last week where we were very explicit about that
concern. >> my time is up. but i would just ask, you're not allowed if you saw an american business being damaged through improper action, you're not allowed to advise them or share any information with them while our adversaries do assist their businesses? is that basically correct? >> the way this works is i would provide information and insight both my intelligence hat as the director of nsa. if under that authority i became aware of activity, i would share the insights with dhs and the fbi who have a mission associated with interfacing with the private sector in a much more direct way than i do. >> thank you, mr. chairman. and thank all three of you for your service and for being here today. which country is the most committed and determined and successful hacker of the u.s.? >> could you say that one more time? >> which country do you believe is the most committed, successful hacker of the u.s.?
>> if you look at volume and nation statewide, nation state wise, china, the prc has been the one that we've been the most vocal about. they're not the only one by any stretch of the imagination. >> i thought the last time you were here i recall you saying that you had more concerns over russia having more of the ability or the expertise to do us damage. >> i thought your question was really focused more on volume. if the perspective is capability, if you will, then we have been very public about saying i would probably put the russians at a higher capability. >> but it seems like china is more committed and determined to do it? >> they certainly do it at a volume level. >> got you. i understand. and director clapper, if i may, i know that you just said no, emphatically no you don't believe that this agreement that the president of china and our president has made last week will work.
with that, is there any penalties in this agreement if one or the other violates it? or is it just basically what we have agreed and let it go at that? as you understand it. >> the terms i have seen i don't think it treats specifically penalties. there certainly are implied penalties. i think the threat of economic sanctions that which brought mr. meng to this country i think is illustrative of what would mean something to the chinese if they transgress or violate this agreement. and i think as admiral rogers was discussing earlier, with respect to sanctions, there certainly are whole government possibilities here. don't have to do necessarily a cyber eye for an eye. it could be some other form of
retaliation. but i don't think to answer your question, at least what i'm aware of that there are specific penalties if the agreement is violated. >> and that's why i think you were pretty quick in saying you don't think it will work. you said no to that when i think the chairman asked you. >> well, the reason i said no, of course is the extent to which chinese purloining of our data, our intellectual property is pretty pervasive. there is a question about extent to which the government actually orchestrates all of it or not. so i think we're in -- to borrow a president reagan term, trust but verify mode, at least as far as intelligence is concerned. and we are inherently skeptics. >> i have a question for you secretary, and then you can go ahead and add to that.
there is a -- the recent news article that examined similarities between china's j-31 fighter and our f-35 strike fighter. and what they have been able to do in such a rapid period of time without any r & d, do you believe that that gives them a competitive advantage? i mean, i understand there might be some differences as far as in the software, in the weaponry and this and that. but they're making leaps which are uncommon at the behest of us. and we know this, i understand, but we're not taking any actions against them. >> well, i would like to work this in to your and follow up. >> yes you go ahead. >> at the highest levels, we have made it clear that we believe chinese actions in the cybersphere are totally unacceptable as a nation state. and we made that clear in a wide variety of different ways. and i would characterize the agreement that we have as a confidence building measure with the chinese where we are asking them to prove to us that they are serious about what they say,
about what they will do to control these efforts. so there were really four things that we agreed to do. first, we would give timely responses to information when we say hey, we believe that there is a problem here. and we have agreed to exchange information on cybercrimes. we have agreed to possibly collect electronic evidence and to mitigate malicious cyberactivity that is occurring on our soil. we both agree we would not knowingly enable cybertheft of intellectual property. we've told them it's a problem. it's unacceptable. they have said that they will work to curb that. then we have agreed to have a common effort to promote international norms. the thing is we'll have a high level joint mechanism where we can meet at least twice a year and say look, this is just not working. you're not coming through with what you have said.
so this isn't a treaty or anything like that. it's a confidence building measure for us to find out if china is going to act responsibly. i agree totally with director clapper. they've got to prove to us. and we know that they have stolen information from our defense contractors. >> right. >> and it has helped them develop systems. and we have hardened our systems through the defense industrial base initiative. and we're trying to make -- >> we know that the j-20 is pretty much mirroring our f-22. we know their j-31 is pretty much mirroring our f-35. when we know this and the cost to the american taxpayers and let them get a -- why wouldn't we take hard actions against them? or why wouldn't we come down? i just don't understand why we wouldn't retaliate. just from a financial standpoint. >> there are a wide variety of cost imposition options that we have. they're developed through the interagency. and again, it's not necessarily
kind -- tit for tat. it is proportional response. and we're working through all of those right now. >> my time is up, sir. if i could follow up on that later, if we could meet with you later. >> absolutely, sir. >> i appreciate it. >> senator, if i may just add a word here about this is a point admiral rogers has made in the past about terminology, lexicon, nomenclature, definitions are important. what this represents of course is espionage. >> absolutely. >> cyberespionage. and of course we too practice i. cyberespionage in a public forum to say how successful we are, but we're not bad at it. so when we talk about what are we going to do for -- to counter espionage or punish somebody or espionage, well, i
think it's a good idea to at least think about the old saw that people who live in glass houses shouldn't throw rocks. >> got you. >> so it's okay for them to say steal our secrets that are most important. >> i didn't say that. >> because we live in a glass house that is astounding. >> i did not say it's a good thing. i'm just saying that both nations engage in this. >> i want to thank all of you for being here. with regard to the chinese, i want to follow up on we've talked about the stealing of the highest secrets in terms of our weapons system. but what about the 21 million people whose background check and personal information has been of course associated publicly with the chinese and the fact that we know that 5 million sets of fingerprints has
well leading to potential vulnerability for our citizens. and if you put that in the context of these other issues that we have raised, it seems to me -- i looked very carefully for example, secretary work, at some of the language you've been using. you gave a speech at the royal united services institute in london. you said deterrence must be demonstrated to be effective. secretary clapper, in your prepared statement you said the muted response by most victims to most cyberattacks has created a permissive environment. so i'm trying to figure out based on what you said we're not in a permissive environment in light of what they have stolen on our weapons systems, but also this huge infringement on 21 million people in this country. and also, could you comment on the vulnerability that of data and where we are in terms of it can be used against us. >> first, that is an assessment of what was taken.
we actually don't know in terms of specifics but that's i think frames the magnitude of this theft. and it is potentially very serious, has very serious implications. first, close to home from the standpoint of the intelligence community, and the potential for identifying people who may be under coverage status just one small example. and of course it poses all kinds of potential, and unfortunately this is going to be a gift that keeps on giving for years. it's a very serious situation. what we have tried to do is educate people what to look for and how to protect themselves. but, again, this is a huge theft. and it has potentially damaging
implications for lots of people. intelligence people and lots of people in the department and other employees of government. >> i think what you're hearing from some of us up here what are we going to do about it is the issue as opposed to a shared agreement on generic principles with the chinese. this is a pretty significant issue that is going to impact millions of americans. i'm not hearing what we're going to do about it, but that may be a higher level decision going up to the president. but it seems to me if we're going to talk about deterrence, if we don't follow up with action, and if you look at that combined with the testimony we heard last week about the artificial islands being built by the chinese and the fact that we won't even go within i believe it's 12 nautical miles of those islands, if you put that all from the chinese perspective, i think you think hmm, we can pretty much do what we want to do because we haven't seen a response.
now i'm not asking from all of you to answer that because it probably needs to be answered by the president and his national security team. but it seems to me that they aren't seeing a response right now from us. and therefore we're going to see, continue to see bad behavior from the chinese. before i go, i have an important question on another topic, secretary work, and that is yesterday we heard public reports about a potential violation of the inf treaty by the russians and that essentially russia flight tested a new ground-launched cruise missile this month that u.s. intelligence agencies say further violates the 1987 inf treaty. and of course this is going back also to the reports as early as 2008 of the russia conducting tests of another ground-launched cruise missile in potential
violation of the inf treaty that we have raised with them. and when secretary carter came before our committee on his confirmation, he listed three potential responses to these inf violations. so now we have the russians violating the inf treaty yet again. and i guess my question is secretary carter rightly identified that we should respond either through missile defense, counter force, or countervailing measures. what are we doing about it? >> senator, this is a long-standing issue that we have been discussing with the russians. the system that you're talking about is in development. it has not been fielded yet. we have had different discussions with them on our perception of the violation of the inf and they have come back. this is still in discussions, and we have not decided on any particular action at this point. >> so are you saying you don't think they violated the inf treaty? >> we believe very strongly that
they did. >> that's what i thought. so what are we going to do about it? because now they're claiming they haven't going back to the 2008 violations. and now here we have another situation. >> it's still -- because they have not fielded the system, we are still in the midst of negotiating this position. we are giving ours. but if they do field a system that violates the inf, i would expect us to take one of the three options that secretary carter outlined before the committee. >> so my time is up, but i see two consistent themes here, both with the chinese and the russian. a lot of talk, no action, unfortunately. and people take their cues from that. and that worries me. thank you, all. >> thank you, mr. chairman. director clapper, you testified before the house intelligence committee recently that while the united states makes distinctions between cyberattacks conducted for
economic purposes or to gain foreign intelligence, i would -- that's the espionage arena i think that you're referring to, or to cause damage, our adversaries do not. would you consider the opm breach to the extent that we believe it is a state actor who did that, that that would be in the category of espionage? >> yes. that was the tenor of the discussion at the hearing that admiral rogers and i engaged in. and of course that has to do with, as i mentioned earlier, senator manchin, the definition of nomenclature and terms and the definition of these terms. so the what the theft of we them data, as egregious as it was, we wouldn't necessarily consider it as an attack. rather it would be a form of
theft or espionage. >> and as you say, other countries, including our own engage in such activities. my understanding of the recent agreement between the united states and china, though, has to do with commercial cybertheft. and i think that's a very different category that has to do with obtaining information about corporations, et cetera. and there that that is in the category of economic attacks. so director clapper, would you consider that kind of an agreement to be helpful? i realize that you are skeptical. but to the extent that we're defining a particular kind of cyberattack and that we're contemplating through this agreement an ability of our two countries to engage in high level dialogue regarding these
kinds of attacks, is that a helpful situation? >> well, it would be. it would be very helpful if, of course, the chinese actually live up to what they agree to. and what the agreement pertained to is theft of data for economic purposes, to give chinese commercial concerns an advantage, or their defense industries an advantage. as opposed to i don't believe that we've agreed with the chinese to stop spying on each other. >> yes. >> and so for purely espionage purposes, there is a distinction. >> mr. secretary, you can weigh in on this also. to the extent that we created a potential for dialogue or an environment where there is a process to be followed and in the cases where we suspect commercial cyberattacks that at least we have a way that we can talk to the chinese.
because you also mentioned director clapper that attribution is not the easiest thing, although we are getting better at who actually, who were the actors that did these cyber attacks. so one hopes that even with a great deal of skepticism going forward that this agreement may create the space for us to have more than a conversation, but one that would lead to some kind of a change in behavior on the part of the state actors. mr. secretary, feel free to give us your opinion. >> senator, i think that's exactly right. as director clapper said, first you have to find out the geographical location from where the attack came from. then you have to identify the actor, and then you have to identify whether the government of that geographic space was controlling the actor. >> recognizing that's not the easiest to do, yes. >> and what we have done is we have confronted china, and china
in some cases said look, that was a hacker that was inside our country but we had no control of him. what this allows us to do is say okay, what are you going to do then? that's a cybercrime. are you going to provide us the information we need to prosecute this person, or are you going to take care of it on your own? so i believe this type of confidence building measure and this way to discuss these things will -- the proof will be in the pudding how the chinese react to this. >> mr. secretary, i think you mentioned that this particular agreement allows -- contemplates meeting at least twice a year. >> yes. >> is there anything that prevents more frequent dialogue between our two countries in suspected cases of commercial cyber attacks? >> senator, i believe if there was a significant cyberevent that we suspected the chinese or they suspected us that we would be able to meet. this is going to be a high level joint dialogue. the chinese will have it at the ministerial level. our u.s. secretary of homeland security and u.s. attorney general will co-lead on our part.
we're going to have the first meeting of this group by the end of this calendar year, and then at least twice a year. so i believe that as director clapper is, i think all of us have some healthy skepticism about this. but i believe it's a good confidence building measure and a good first step, and we will see if it leads to better behavior on the part of the chinese. >> thank you. >> mr. secretary, i can't help but comment. we have identified the pla, the building in which they operate. and please don't deceive this committee as if we don't know who is responsible for it. that is just -- that is just very disingenuous. there have been public reports that we have identified the pla building in which these cyberattacks come from. senator ernst? >> thank you, mr. chairman. thank you, gentlemen for joining us today. admiral rogers, i'll start with you, sir. two of the president's nine lines of efforts in defeating isil are first exposing isis'
true nature, and second, disrupting the foreign fighter flow. and over the weekend, the "new york times" reported that 30,000 recruits joined isis over the past year. and that's double the previous recruitment year. earlier this month in reference to isis recruiting, the state department's ambassador at large and coordinator for counterterrorism said that isis' recruiting trend is still upward, and this information came of no surprise to her. the ambassador also said the upward trend was primarily due to internet and social media. so do you believe the administration's efforts have so far succeeded on these two lines of effort in cyberspace and social media? just please, simple yes or no. >> no. >> okay. in light of that, with the record recruiting numbers for
isis, how would you assess the effectiveness of the u.s. government's effort in cyberspace? what specifically is your assessment of the state department's think again, turn away program in support of efforts to disrupt isis' online recruiting effort? >> senator, i'm not in position to comment on state department, the specifics of the program. i honestly am just not knowledgeable about it. broadly to get to your broader point, i have always believed that we must contest isil in the information domain every bit as aggressively as we are contesting them on the battlefield. that the information dynamic is an essential component of their vision, their strategy and ultimately their success. and we have got to be willing to attempt to fight them in that domain like we are on the battlefield. we clearly are not there yet. >> i agree. i think we are failing in this effort, and some of the programs
that we have seen obviously are not working. are there areas that you could recommend the u.s. better partner with various ngos or private entities to more effectively counter the isis propaganda? >> again, contesting the propaganda piece broader than cyber command. i will say from a technical and operational perspective, we broadly with the dod, cyber command and centcom are looking at what's in the realm of possibilities as in what can we do to help contest them in this domain. >> okay. we have a larger problem coming forward, too, in regards to isis and isil in the middle east. we seem to see the emergence of a trifecta between syria, iran, and russia.
and now it seems that iraq has begun information sharing with russia, with iran, with syria. director clapper, can you speak to that and the broader implications of russia emerging as a leader in the middle east while we seem to be frittering away our opportunity with isil? >> there's certainly the objective. i think they have several objectives here. one of which is that i think protect their base, their presence in syria. ergo their build-up in the northwest part of syria. clearly want to prop up assad. and i think a belated motivation for them is fighting isil. as far as the joint intelligence arrangement is concerned, can't
go into detail here in this forum, but i will say there are -- each of the parties entering into this are a little suspicious of just what is entailed here. so we'll have to see just how robust the capability that actually provides. >> okay. i appreciate that. secretary, do you have any thoughts on the emergence of russia with the intelligence sharing, how that might impact the operations that we have ongoing in iraq against isis? >> i think we were caught by surprise that iraq entered into this agreement with syria and iran and russia. obviously we are not going to share intelligence with either syria or russia or iran. so we are in the process of working to try to find out exactly what iraq has said, certainly we're not going to provide any classified information or information that
would help those actors on the battlefield. really what we're trying to do is deconflict. that is the primary purpose of the discussion between president obama and president putin yesterday is if you are going to act on this battlefield, we have to deconflict. the other thing we have made clear is they would like to do the military first followed by political transition. we need -- we believe those things have to go in parallel. and that has been our consistent message. this is early days. we're still in the midst of discussing what exactly this means. so i don't have any definitive answers for you at this point, senator. >> well, i am very concerned that we have abdicated our role in the middle east and in so many other areas as has been pointed out earlier, grave concern to all of us. i think we need to be working much more diligently on this. thank you, mr. chair. >> thank you, mr. chairman.
gentlemen, thank you for your public service. admiral, i'm concerned about all of these private telecoms that are going to encrypt. if you have encryption of everything, how in your opinion does that affect section 702 and 215 collection programs? >> it certainly makes it more difficult. >> does -- it more difficult. >> does the administration have a policy on this? >> no. this is a complicated issue with a lot of valid perspectives. we're still, i think, collectively trying to work what's the right way ahead recognizing that there's a lot of valid perspectives. but from the perspective of cybercommand and nsa, i look at the issue, there's a huge challenge for us here that we
have got to deal with. >> a huge challenge. and i have a policy position. and that is that the telecoms better cooperate with the united states government, or else it just magnifies the ability for the bad guys to utilize the internet to achieve their purposes. speaking of that, we have a fantastic u.s. military. we are able to protect ourselves. it's a -- it's the best military in the world. but we have a vulnerability in that, and it's a cyberattack. you want to see if you can make me feel any better about our ability to protect ourselves
going forward? >> so i would tell you that the current state of capability in the department, if i just look at where we were 18 months ago, two years ago, is significantly improved. we currently defeat probably 99%-some odd attempts on daily basis. the capability in terms of the amount of teams, their capability just continues to improve. our speed, our agility. the challenge fundamentally is we are trying to overcome decades of a thought process in which redundancy, defensibility and reliability were never core design characteristics for our networks, where we assumed in the development of our weapons systems that external interfaces, if you will, with the outside world were not something to be overly concerned it. they represented opportunity for us to remotely monitor activity, to generate data as to how aircraft, for example, or ships'
hulls were doing in different sea states around the world. all positives if you're trying to develop the next generation, for example, cruiser/destroyer for the navy. but a world in which those public interfaces, if you were, increasingly represent also potential points of vulnerability. you get this class of strategies, if you will. and that's where we find ourselves now. so one of the things i try to remind people is it took us decades to get here. we are not going to fix the set of problems in a few years. this takes dedicated prioritization, dedicated commitment, resources, and we've got to do it in a smart way. we've got to prioritize, figure out what's the greatest vulnerability and where is the greatest concern for us. >> senator, is it okay if i jump in for a second? >> yes. i just want to add to that. and for us to let our potential enemies understand that we have the capability of doing to them what they do to us, however that
gets more complicated when you're dealing with a rogue group of a dozen people stuck in a room somewhere that are not part of a nation state. >> yes, sir, mr. secretary. >> well, i was going to echo what admiral rogers said. when secretary carter came in, he said, look, we are absolutely not where we need to be, and made job number one defense of the networks. so we're going from 15,000 enclaves to less than 500. we're going from 1,000 defendable firewalls to less than 200. somewhere between 50 and 200. you are absolutely right. we have recognized this is a terrible vulnerability. we are working first to defend our, as we talked about earlier, we're looking at our systems, and we're also trying to change the culture. right now, if you discharge a weapon, you are held accountable for that. that's a negligent discharge, one of the worst things you can do. what we need to do is have a