[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]



                                     

                         [H.A.S.C. No. 115-121]
 ________________________________________________________________                        
 
                     INTERAGENCY CYBER COOPERATION:

                      ROLES, RESPONSIBILITIES AND

                     AUTHORITIES OF THE DEPARTMENT

                     OF DEFENSE AND THE DEPARTMENT

                          OF HOMELAND SECURITY

                               __________

                             JOINT HEARING

                               before the

           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                                 of the

                      COMMITTEE ON ARMED SERVICES

                          meeting jointly with

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                                 of the

                     COMMITTEE ON HOMELAND SECURITY

                          [Serial No. 115-78]

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              HEARING HELD

                           NOVEMBER 14, 2018
                           
                           
                                     
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]






                              ______

             U.S. GOVERNMENT PUBLISHING OFFICE 
 33-477                  WASHINGTON : 2019


                                     
  

                      COMMITTEE ON ARMED SERVICES
           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                ELISE M. STEFANIK, New York, Chairwoman

BILL SHUSTER, Pennsylvania           JAMES R. LANGEVIN, Rhode Island
RALPH LEE ABRAHAM, Louisiana         RICK LARSEN, Washington
LIZ CHENEY, Wyoming, Vice Chair      JIM COOPER, Tennessee
JOE WILSON, South Carolina           JACKIE SPEIER, California
FRANK A. LoBIONDO, New Jersey        MARC A. VEASEY, Texas
DOUG LAMBORN, Colorado               TULSI GABBARD, Hawaii
AUSTIN SCOTT, Georgia                BETO O'ROURKE, Texas
JODY B. HICE, Georgia                STEPHANIE N. MURPHY, Florida
(Vacancy)
                Katie Sutton, Professional Staff Member
              Lindsay Kavanaugh, Professional Staff Member
                          Neve Schadler, Clerk
                                 ------                                

                     COMMITTEE ON HOMELAND SECURITY

                   MICHAEL T. McCAUL, Texas, Chairman
LAMAR SMITH, Texas                   BENNIE G. THOMPSON, Mississippi
PETER T. KING, New York              SHEILA JACKSON LEE, Texas
MIKE ROGERS, Alabama                 JAMES R. LANGEVIN, Rhode Island
LOU BARLETTA, Pennsylvania           CEDRIC L. RICHMOND, Louisiana
SCOTT PERRY, Pennsylvania            WILLIAM R. KEATING, Massachusetts
JOHN KATKO, New York                 DONALD M. PAYNE, Jr., New Jersey
WILL HURD, Texas                     FILEMON VELA, Texas
MARTHA McSALLY, Arizona              BONNIE WATSON COLEMAN, New Jersey
JOHN RATCLIFFE, Texas                KATHLEEN M. RICE, New York
DANIEL M. DONOVAN, Jr., New York     J. LUIS CORREA, California
MIKE GALLAGHER, Wisconsin            VAL BUTLER DEMINGS, Florida
CLAY HIGGINS, Louisiana              NANETTE DIAZ BARRAGAN, California
THOMAS A. GARRETT, Jr., Virginia
BRIAN K. FITZPATRICK, Pennsylvania
RON ESTES, Kansas
DON BACON, Nebraska
DEBBIE LESKO, Arizona
                   Brendan P. Shields, Staff Director
                   Steven S. Giaier,  General Counsel
                    Michael S. Twinchek, Chief Clerk
                  Hope Goins, Minority Staff Director
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                    JOHN RATCLIFFE, Texas, Chairman
JOHN KATKO, New York                 CEDRIC L. RICHMOND, Louisiana
DANIEL M. DONOVAN, Jr., New York     SHEILA JACKSON LEE, Texas
MIKE GALLAGHER, Wisconsin            JAMES R. LANGEVIN, Rhode Island
BRIAN K. FITZPATRICK, Pennsylvania   VAL BUTLER DEMINGS, Florida
DON BACON, Nebraska                  BENNIE G. THOMPSON, Mississippi 
MICHAEL T. McCAUL, Texas (ex             (ex officio)
    officio)
             Kristen M. Duncan, Subcommittee Staff Director
           Moira Bergin, Minority Subcommittee Staff Director
           
                            C O N T E N T S

                              ----------                              
                                                                   Page

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, 
  Ranking Member, Subcommittee on Emerging Threats and 
  Capabilities, Committee on Armed Services......................     3
Ratcliffe, Hon. John, a Representative from Texas, Chairman, 
  Subcommittee on Cybersecurity and Infrastructure Protection, 
  Committee on Homeland Security.................................     5
Richmond, Hon. Cedric L., a Representative from Louisiana, 
  Ranking Member, Subcommittee on Cybersecurity and 
  Infrastructure Protection, Committee on Homeland Security......     6
Stefanik, Hon. Elise M., a Representative from New York, 
  Chairwoman, Subcommittee on Emerging Threats and Capabilities, 
  Committee on Armed Services....................................     1

                               WITNESSES

Manfra, Jeanette, Assistant Secretary, Office of Cybersecurity 
  and Communications, National Protection and Programs 
  Directorate, U.S. Department of Homeland Security..............     8
Rapuano, Hon. Kenneth, Assistant Secretary of Defense for 
  Homeland Defense and Global Security, and Principal Cyber 
  Advisor, U.S. Department of Defense............................    10
Shwedo, Lt Gen Bradford J., USAF, Director for Command, Control, 
  Communications and Computers/Cyber, Chief Information Officer, 
  Joint Chiefs of Staff..........................................    12

                                APPENDIX

Prepared Statements:

    Jackson Lee, Hon. Sheila, a Representative from Texas, 
      Subcommittee on Cybersecurity and Infrastructure 
      Protection, Committee on Homeland Security.................    38
    Manfra, Jeanette.............................................    46
    Rapuano, Hon. Kenneth........................................    55
    Stefanik, Hon. Elise M.......................................    35

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Ms. Jackson Lee..............................................    69
    Mr. Langevin.................................................    69
    Mr. Larsen...................................................    69

Questions Submitted by Members Post Hearing:

    Mr. Brooks...................................................    77
    Ms. Stefanik.................................................    73
    Mr. Suozzi...................................................    78
    
    
                     INTERAGENCY CYBER COOPERATION:

                ROLES, RESPONSIBILITIES AND AUTHORITIES

  OF THE DEPARTMENT OF DEFENSE AND THE DEPARTMENT OF HOMELAND SECURITY

                              ----------                              

        House of Representatives, Committee on Armed 
            Services, Subcommittee on Strategic Forces, 
            Meeting Jointly with the Committee on Homeland 
            Security, Subcommittee on Cybersecurity and 
            Infrastructure Protection, Washington, DC, 
            Wednesday, November 14, 2018.

    The subcommittees met, pursuant to call, at 3:04 p.m., in 
room 2118, Rayburn House Office Building, Hon. Elise M. 
Stefanik (chairwoman of the Subcommittee on Emerging Threats 
and Capabilities) presiding.

 OPENING STATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE 
FROM NEW YORK, CHAIRWOMAN, SUBCOMMITTEE ON EMERGING THREATS AND 
           CAPABILITIES, COMMITTEE ON ARMED SERVICES

    Ms. Stefanik. The subcommittee will come to order.
    Welcome to this joint hearing of the Armed Services 
Subcommittee on Emerging Threats and Capabilities [ETC] with 
the Homeland Security Subcommittee on Cybersecurity and 
Infrastructure Protection [CIP].
    Today, we will examine interagency cyber cooperation and 
the roles, responsibilities, and authorities of the Department 
of Homeland Security [DHS] and the Department of Defense [DOD]. 
Holding this joint hearing has been a priority for this 
subcommittee for the past few months, and we are pleased that 
it has come together today.
    This is a timely opportunity to hear about recent 
interagency coordination efforts, and the status of related FY 
[fiscal year] 2019 NDAA [National Defense Authorization Act] 
provisions. This is a critically important topic that will 
shape our oversight going forward as we consider the long-term 
policy frameworks needed for the United States cyber 
enterprise.
    Our committee, and ETC in particular, has performed 
significant oversight of the cyber organization, operations, 
and mission force development within DOD. With this joint 
hearing, we can now take a broader focus on the cyber 
organization and capabilities within the entire United States 
Government.
    Cyber threats posed by both state and nonstate adversaries 
continue to grow and evolve at a rapid pace. These threats are 
not just to our military weapons and systems, but also to our 
Nation's critical infrastructures. Attacks against the electric 
grid, the financial sector, or our healthcare system, could 
have profound impacts on our daily way of life and economic 
security.
    As we have seen in recent years, cyberattacks, such as 
WannaCry ransomware, can have significant adverse economic 
impacts, and bring the private sector and government services 
to a standstill. And since the average response time to detect 
a cyberattack is measured in months, not minutes or hours, we 
must improve our abilities to detect and respond to malicious 
cyber activity.
    This year, three important cyber strategies were released 
by the White House, the Department of Defense, and the 
Department of Homeland Security. These strategies all recognize 
the importance of a whole-of-government approach to addressing 
the challenges posed by securing our Nation in cyberspace. They 
will be an important step in building a cohesive U.S. cyber 
enterprise.
    And while this hearing today isn't solely about election 
security, it affords us the timely opportunity to hear about 
the significant interagency efforts recently aimed at ensuring 
the security of our 2018 midterm elections. Protecting the 
elections required a broad approach led by the Department of 
Homeland Security that included contributions from the 
Department of Defense and many other partners.
    Our subcommittee, in collaboration with the Homeland 
Security Committee, have been active in addressing the issue of 
improving cooperation between the two departments. In this 
year's fiscal year 2019 National Defense Authorization Act, we 
established a pilot program that allows the DOD to provide 
technical cybersecurity personnel to the Department of Homeland 
Security in order to enhance security and resiliency of 
critical infrastructure. I look forward to hearing the status 
of this pilot program at this hearing.
    Also in this year's NDAA, we created a National Security 
Artificial Intelligence [AI] Commission that will be important 
in identifying the impact AI will have in the cyber domain. As 
our adversaries continue to improve at increasing speeds, we 
must similarly grow our abilities to defend against these 
threats.
    I believe that we will only be successful if the U.S. can 
leverage the capabilities and authorities of all its 
departments and agencies in a united approach. We must reduce 
wasted resources on overlapping and duplicative efforts in 
government to make sure that we are using our cyber defense 
resources sensibly.
    Both agencies here today have made great strides in 
building their cyber capabilities over the last few years. To 
build upon that progress, I firmly believe we need to continue 
to work to build interagency partnerships to ensure that whole-
of-government approach to countering this growing cyber threat.
    Let me welcome our witnesses here today: Ms. Jeanette 
Manfra, Assistant Secretary for the Office of Cybersecurity and 
Communications at the Department of Homeland Security; Mr. Ken 
Rapuano, Assistant Secretary of Defense for Homeland Defense 
and Global Security, and Principal Cyber Advisor at the DOD; 
and Lieutenant General Bradford Shwedo, Director of Command, 
Control, Communications and Computers, Cyber, and Chief 
Information Officer [CIO] at the Joint Chiefs of Staff. We look 
forward to your testimony.
    And before I turn to my friend and ranking member, Jim 
Langevin of Rhode Island, for his opening remarks, I want to 
take a moment to thank him for his hard work and dedication 
over the past 2 years of the 115th Congress. It really has been 
a highlight of my time in Congress working with you, Jim, and I 
look forward to partnering with you in the future in a 
collaborative and bipartisan approach.
    I now want to recognize my friend, Jim Langevin.
    [The prepared statement of Ms. Stefanik can be found in the 
Appendix on page 35.]

  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM 
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS 
         AND CAPABILITIES, COMMITTEE ON ARMED SERVICES

    Mr. Langevin. Thank you, Chairwoman Stefanik. And I want to 
begin by thanking you and Chairman Ratcliffe for convening the 
joint hearing on such an important topic. And likewise, I want 
to say what a pleasure it has been working with you over this--
for the last 2 years as you chaired the subcommittee, and it 
has been collaborative and bipartisan, and I, too, look forward 
to continuing our working relationship as well. So thank you 
for that also.
    So the challenges in cyberspace affect all aspects of our 
national and homeland security, and I am glad that these two 
subcommittees, both of which--on which I sit, are collaborating 
to better understand the cooperation between the agencies that 
we oversee.
    I want to thank our witnesses for being here today as well, 
and I look forward to hearing your testimony.
    But before I do go any further, I also must congratulate 
Chairman McCaul and Ranking Member Thompson of the Homeland 
Security Committee for their work shepherding the NPPD 
[National Protection and Programs Directorate] reorganization 
bill through the House last night. It has been a bit of a slog, 
as it often is with our friends on the other side of the 
Capitol, but after 3 years, I am proud they will soon be 
officially opening the Cybersecurity and Infrastructure 
Security Agency [CISA] at Department of Homeland Security.
    The legislation headed by--the legislation headed to 
President Trump for his signature reaffirms Congress' intent 
that the Department of Homeland Security take the lead role in 
protecting civilian government and critical infrastructure, 
something I look forward to hearing more about from our 
witnesses today.
    In particular, I would like to congratulate you, Assistant 
Secretary Manfra, and I hope that you will pass along my 
congratulations to Under Secretary Krebs as well. The new 
agency will be well served, I know, by your leadership as well 
as the inaugural executive team. So--and also, let me say what 
a pleasure it was to have you up in Rhode Island recently, and 
I appreciate your contributions there that you made to our 
Cyber Advisory Committee that I put together.
    But beyond the implications of this is this existing new 
development. We are here this afternoon to discuss 
collaboration between two agencies with important but distinct 
cybersecurity roles. Now, again, I was privileged enough to 
have--to host Assistant Secretary Manfra back in my district 
late last month to hear about some of this collaboration with 
respect to election security.
    Our elections are obviously the cornerstone of our 
democracy and it is essential that they be protected from any 
interference, foreign or domestic. As we saw in 2016, the 
threat is real and it demands a whole-of-government response. 
Recognizing this, DHS and DOD worked together in the weeks 
leading up to the election to remove any legal or operational 
obstacles that would prevent timely defense support of civil 
authorities in the case of a cyber incident targeting our 
elections that exceeded DHS's asset response capabilities.
    I was also pleased that DOD was able to work with National 
Guard personnel activated under State Active Duty status, 
including some of our excellent network defenders right in 
Rhode Island in order to share sensitive intelligence on 
Election Day.
    The efforts of both those departments paid off. And due to 
their work and the diligence of local election officials, last 
week's voting went off without any major cybersecurity 
incident, but we cannot let the success blind us to the 
tremendous challenges that remain ahead.
    As highlighted in the recent cyber strategies that have 
come out of DHS, DOD, and the White House, our adversaries 
continue to look for ways to gain an advantage by exploiting 
our vulnerabilities in cyberspace. And while Congress has been 
abundantly clear about DHS's primacy in defending civilian 
networks in the United States, coordination, collaboration, and 
information sharing with the DOD will be critical to the 
defense of the homeland.
    So I hope to hear from our witnesses today how these 
collaborations are succeeding, and, frankly, where more work 
needs to be done. I want to better understand how, in a time of 
crisis, DOD will be able to prioritize the requests coming from 
DHS while achieving its mission to protect the DODIN 
[Department of Defense Information Network], the DIB [Defense 
Industrial Base], and other defense critical infrastructure, 
and maintain capability and capacity for conducting title 10 
cyber operations.
    So understanding that DHS can and must have the capability 
to take on more of the domestic mission without relying 
exclusively on DOD for support, I hope that witnesses will 
address that--what capability building is and should be going 
on to better empower the new CISA. I also hope the witnesses 
will talk about how they are ensuring collaboration works its 
way down to the operational level, so that Homeland Security 
equities are fully considered throughout the entire decision-
making chain.
    Recent policy developments from the administration, from 
national security policy memorandum 13, to the recently signed 
joint memorandum, will help frame the U.S. Government's 
collective response to cyber threats, and I trust the 
administration will be fully transparent with our committees in 
providing these documents and candid assessments of their 
implementation.
    Finally, I look forward to hearing a status update on the 
report required in section 1653 of the FY 2019 NDAA about cyber 
civil support teams and the feasibility of using their unique 
authorities to better defend the Nation. So cybersecurity is a 
team sport; only by working together can we reduce our risk and 
ensure a bright future where the internet remains open, 
reliable, interoperable, and secure.
    So with that, again, I want to thank our witnesses for 
being here today, and I yield back to the Chair. Thank you.
    Ms. Stefanik. Thank you, Jim.
    I want to welcome Chairman John Ratcliffe of Texas from the 
Cybersecurity and Infrastructure Protection Subcommittee of the 
Homeland Security Committee to today's hearing, and now I yield 
to him for his opening remarks.

STATEMENT OF HON. JOHN RATCLIFFE, A REPRESENTATIVE FROM TEXAS, 
  CHAIRMAN, SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE 
           PROTECTION, COMMITTEE ON HOMELAND SECURITY

    Mr. Ratcliffe. Thank you, Chairwoman Stefanik. I am excited 
to have the opportunity to hold this hearing with you. These 
joint events always provide some unique insights and 
perspectives that would be hard to explore under a single 
committee purview.
    We are here today to discuss something that is vital to our 
national security. Cybersecurity affects every single American, 
every single day. That is because cybersecurity is national 
security. So it is imperative that the Department of Homeland 
Security and the Department of Defense work hand in glove to 
protect our Nation's systems and to provide assistance to our 
critical infrastructure partners.
    That assistance comes in many forms, and that is part of 
the reason why we are here today: to explore the roles and 
responsibilities of the two departments, and to better 
understand how they can effectively and efficiently work 
together to keep our Nation safe from malicious cyber actors.
    Whether we are talking about the Chinese stealing sensitive 
information on our Navy submarines or the Iranians attempting 
to target defense contracting systems, nation-state actors 
remain poised to use any cyber vulnerabilities or gaps in our 
defense to get a competitive advantage to use against us later.
    That is why I am grateful to have representatives from the 
Department of Defense here today. I look forward to hearing how 
they, as the sector-specific agency, are partnering with the 
Defense Industrial Base to ensure that our Nation's capacity to 
wage war remains unmatched.
    I am also pleased to have a representative from the 
Department of Homeland Security here to lay out the multitude 
of roles that DHS has in this space, and I am confident that 
Assistant Secretary Manfra will do her usual superb job of 
illustrating the Department's broad array of responsibilities 
and authorities. Those include overseeing all 16 critical 
infrastructure sectors, and partnering with industry to share 
information and build capacity, and protecting Federal networks 
from the daily inundation of cyberattacks.
    The Department has statutory authority to carry out all of 
these responsibilities, and it is imperative that DHS continues 
to take the lead in this regard. A civilian-led system embodies 
the foundation that this democracy was built on.
    Despite the respective individual roles, the most effective 
way to keep our country's cyber ecosystem safe is through DOD 
and DHS cooperation. We can't have a stovepiping of efforts; we 
can't have a fractured set of agendas; and we cannot have a 
disjointed front line in defending against our cyber 
adversaries and threats.
    We need to ensure cooperative approaches to cybersecurity, 
approaches like section 1650 of the NDAA which allows for DOD 
personnel to assist Homeland Security with cybersecurity-
related efforts. This was an effective tool that was used to 
help bolster DHS's preparedness in the lead-up to the elections 
just last week.
    There are other approaches, like project pathfinder, which 
seeks to keep our financial sector safe by streamlining 
information sharing, and using it to defend forward. I have 
faith that both departments can and will work through any 
growing pains that may be encountered. And I look forward to 
hearing from our witnesses today on both the past successes 
that we have had at keeping this Nation safe, but more 
importantly, on how we can continue that success going into the 
future.
    Finally, in what is my last hearing as the chairman of this 
subcommittee, I want to thank all of the CIP members, both 
Republican and Democratic, for their excellent work this 
Congress. The 115th Congress has been defined by bipartisan 
success when it comes to legislation and oversight on the issue 
of cybersecurity, and our committee has paved that path.
    I hope that we can continue to carry this momentum and 
energy forward into the 116th Congress, and work in a 
bipartisan manner to ensure the integrity of our national 
security because cybersecurity is national security.
    Again, I thank our witnesses and I yield back.
    Ms. Stefanik. Thank you.
    The gentleman from Louisiana, the Ranking Member, Cedric 
Richmond--actually, he is here. I was just going to put your 
opening statement in for the record. When you get up here, I 
will recognize you for any opening remarks.

  STATEMENT OF HON. CEDRIC L. RICHMOND, A REPRESENTATIVE FROM 
 LOUISIANA, RANKING MEMBER, SUBCOMMITTEE ON CYBERSECURITY AND 
   INFRASTRUCTURE PROTECTION, COMMITTEE ON HOMELAND SECURITY

    Mr. Richmond. Good afternoon. I want to thank Chairwoman 
Stefanik and Chairman Ratcliffe for holding today's joint 
hearing to assess interagency coordination of cybersecurity 
activities at the Department of Homeland Security and at the 
Department of Defense.
    Last night, after years of debate and negotiation, Congress 
sent H.R. 3359, the Cybersecurity and Infrastructure Security 
Agency Act, to the President's desk. This bipartisan 
legislation confirms, once again, that Congress intends for DHS 
to be the primary Federal civilian interface with the private 
sector on cybersecurity.
    I look forward to working with DHS to help the 
Cybersecurity and Infrastructure Security Agency mature into an 
operational component and develop the capabilities needed to 
meet the challenges ahead, from securing election 
infrastructure to protecting the grid. The Department of 
Defense will be an integral partner as DHS carries out its 
mission to help secure civilian networks.
    I understand that DOD and DHS recently signed an agreement 
clarifying how they will coordinate certain cyber activities. 
Although I have not seen that agreement, I am hopeful that it 
will provide clarity for the Department's roles and 
responsibilities. I look forward to reviewing the agreement and 
ask that it be submitted to our committee as soon as possible.
    Moving forward, the success of DOD and DHS's collaboration 
rests on whether the following three things happen: One, DOD 
and DHS must implement the agreement of understanding at both 
the policy and operational levels; two, DOD and DHS must 
communicate and adhere to their respective roles and 
responsibilities as they engage with agencies across the 
Federal Government and with the private sector; and three, the 
administration must request and Congress must provide the 
funding and the resources necessary for DOD and DHS to carry 
out their missions.
    To my first point, too often I hear testimony from 
principals about how well their agencies are coordinating, only 
to learn from folks in the field that it isn't the case. To me, 
the problem seems to be that as Federal agencies work to 
delineate roles and responsibilities on cybersecurity they 
reach an agreement on a policy level without involving the 
operational folks. That invites frustration, confusion, and, at 
times, mission creep.
    Accordingly, I will be interested in learning how DOD and 
DHS plan to socialize their new agreement on cyber roles and 
responsibilities throughout their organizations, from policy 
operations and solicit buy-in.
    On the second point, it is important that the respective 
cyber missions of DOD and DHS are communicated and clearly 
understood throughout the Federal Government and among critical 
infrastructure owners and operators. Toward that end, I will, 
once again, note my strong concern that the White House has 
eliminated the Cybersecurity Coordinator.
    A White House Cybersecurity Coordinator would be in the 
best position to ensure the full capabilities from across the 
Federal Government are brought to bear to protect against cyber 
threats without sowing confusion about who should be doing 
what.
    Finally, we have to provide DOD and DHS with the resources 
it takes to do their jobs. As everyone here will acknowledge, 
the cyber threats we are facing are evolving, and we have 
called on DHS to help secure the Federal Government, State and 
local governments, and critical infrastructure from breaches by 
state and nonstate actors. But DOD's cyber funding outpaces 
DHS's cyber funding by about 8 to 1. If we expect DHS to be 
DOD's civilian equivalent for cybersecurity, we need to fund it 
that way.
    I thank the witnesses for being here, and I look forward to 
hearing their testimony.
    With that, Madam Chairman, I yield back the balance of my 
time.
    Ms. Stefanik. Thank you, Ranking Member Richmond. Your time 
was perfect for your opening statement.
    Immediately following the conclusion of this open hearing, 
the Members will transition to Rayburn 2212 for a closed, 
classified briefing from our witnesses.
    Without objection, the witnesses' prepared statements will 
be made a part of the record. I ask that the witnesses please 
try to keep your remarks to no more than 5 minutes.
    And, Ms. Manfra, we will begin with you. You are recognized 
for 5 minutes.

 STATEMENT OF JEANETTE MANFRA, ASSISTANT SECRETARY, OFFICE OF 
   CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND 
   PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Manfra. Thank you, ma'am.
    Chairman Ratcliffe, Chairwoman Stefanik, Ranking Member 
Richmond, Ranking Member Langevin, and members of the 
committee, thank you for today's opportunity to testify 
regarding the Department of Homeland Security's ongoing and 
collaborative efforts to strengthen the cybersecurity of our 
Nation's critical infrastructure. This is a core Homeland 
Security mission.
    But first, I would like to thank you for your leadership on 
establishing the Cybersecurity and Infrastructure Security 
Agency at the Department. The National Protection and Programs 
Directorate will now have a name which accurately reflects the 
reality of what we do: We secure cyberspace, the institution, 
systems, and services that help businesses thrive, and 
government, of all levels, operate.
    Last night the House passed the legislation by unanimous 
consent, and the bill is now headed to the President's desk. 
This accomplishment could not have been achieved without the 
strong leadership of our partners here in the House of 
Representatives, and we know this demonstrates your own 
commitment to ensuring our national security.
    For the last 10 years, I have worked to advance the 
Department's cybersecurity and critical infrastructure mission. 
Prior to joining DHS, I was an Army officer, so I believe I 
have a unique perspective on how we can better strengthen the 
DOD and DHS partnership, and I am personally invested in making 
this happen.
    I am proud of the progress that we have made to date, and 
looking forward to talking more about our progress ahead. 
Cybersecurity threats remain one of the most significant 
strategic risks for the United States, threatening our national 
security, economic prosperity, and public health and safety.
    Rarely is a cyber event sector-specific. Our adversaries 
target systems that are cross-sector, and the growing 
interdependencies of cross-sectors demand an integrated 
approach. Establishing CISA highlights the central role we play 
across the Federal Government and our responsibility to all 
critical infrastructure in making manifest this integrated 
approach.
    As we have learned, the information in Federal operations 
must not be siloed. This is one of the key lessons learned from 
9/11. To combat a threat that is transnational and operates in 
the seams between agencies and the public and private divide, a 
whole-of-nation approach is required. We see these same lessons 
applied, amplified by the speed of technological change to 
cyberspace.
    At NPPD, and soon at CISA, our vision is to fully realize 
this national effort, challenging old organizational 
institutional divides across the Federal Government and between 
the public and private sectors that impede our ability to 
provide for a collective defense in cyberspace.
    Collective defense, the idea that the risks we face in a 
dense, interconnected, technological environment are shared, is 
the only model and way forward. Threats and risks do not 
conform to our divisions; neither should we. We believe it is 
our responsibility to make this a reality. We will forge a 
national understanding of threat and risk and coordinate across 
the Federal Government and private sector to detect and respond 
to cyber threats wherever they occur.
    We serve as an information and operations integrator 
focused on delivering organization-specific and cross-sector 
risk management support to enhance the resiliency of our 
Nation's critical infrastructure. Our National Cybersecurity 
and Communications Integration Center, or the NCCIC, provides a 
broad range of capabilities to assist private sector entities 
across all sectors of critical infrastructure, including 
energy, finance, communications, emergency services, and health 
care.
    It is best to think of the NCCIC as the point of fusion for 
cybersecurity threat detection, response, and coordination for 
both the public and the private sectors. We bring together the 
intelligence community, law enforcement, sector-specific 
agencies, international partners, the private sector, and the 
Department of Defense to carry out this mission.
    The challenge of effectively coordinating homeland security 
and homeland defense missions is not new, but it is amplified 
and complicated by the global, borderless, interconnected 
nature of cyberspace where strategic threats can manifest in 
the homeland without advanced warning.
    DHS and DOD recently finalized agreement, which reflects 
the commitment of both departments in collaborating to improve 
the protection and defense of the homeland from strategic cyber 
threats. This agreement clarifies roles and responsibilities 
between our organizations to enhance our government's readiness 
to respond to cyber threats and establish coordinated lines of 
efforts to secure, protect, and defend the homeland.
    In order to achieve these objectives, our departments are 
adopting a threat-informed, risk-based approach that ensures 
the resilient delivery of national critical functions and 
services. We will jointly prioritize a set of high-priority 
national critical functions and non-DOD-owned mission critical 
infrastructure that is most critical to the military's ability 
to fight and win wars, and project power.
    Based on this prioritization, we will forge a common 
understanding of strategic cyber threats that can enable 
private sector network defenders, critical infrastructure 
owners and operators, and government actors to proactively 
secure their networks and operations.
    And finally, our departments are coordinating to inform and 
mutually support our respective planning and operational 
activities. With our knowledge of the domestic risk landscape 
and our work with the private sector we will inform DOD's 
``defend forward'' efforts to preempt, defeat, and deter 
malicious cyber activity outside the U.S. that is targeting our 
critical infrastructure.
    And DOD's ``defend forward'' operation will inform and 
guide our efforts at DHS to anticipate adversary action, 
understand potential risk to critical infrastructure, and 
empower our private sector stakeholders with the information 
they need to secure their enterprise.
    Our vision is to continue to be the central axle for 
cybersecurity across the Federal Government, ensuring both 
Federal and private sector partners have a full and complete 
understanding of the threats we face and are prepared to defend 
against them.
    I look forward to further outlining our efforts to 
safeguard and secure cyberspace. Thank you. I look forward to 
your questions.
    [The prepared statement of Ms. Manfra can be found in the 
Appendix on page 46.]
    Ms. Stefanik. Thank you.
    Mr. Rapuano.

   STATEMENT OF HON. KENNETH RAPUANO, ASSISTANT SECRETARY OF 
DEFENSE FOR HOMELAND DEFENSE AND GLOBAL SECURITY, AND PRINCIPAL 
           CYBER ADVISOR, U.S. DEPARTMENT OF DEFENSE

    Secretary Rapuano. Chairwoman Stefanik, Chairman Ratcliffe, 
Ranking Members Langevin and Richmond, and members of the 
committees, thank you for your opportunity to testify on 
interagency cyber cooperation between the Department of Defense 
and the Department of Homeland Security.
    Last week's midterm elections serve as a timely inflection 
point to review the close collaboration between our two 
departments. I appreciate the opportunity to discuss the sea 
change in our partnership, and thank you for your broad and 
continued support for the Department's cyber missions.
    Before reviewing the Department's strategic posture for 
cyberspace, I would like to offer a few observations on the 
threat environment. As the National Defense Strategy and the 
2018 DOD Cyber Strategy make clear, the homeland is no longer a 
sanctuary from cyber threats.
    The United States strategic competitors are conducting 
cyber-enabled campaigns to erode U.S. military advantages, 
threaten our infrastructure, and reduce our economic 
prosperity. In particular, we are engaged in a long-term 
competition with China and Russia. These states have expanded 
the competition to include persistent campaigns in and through 
cyberspace with activities that individually fall below the 
threshold of armed conflict but collectively pose a long-term 
strategic risk to the Nation as well as to our allies and 
partners.
    Nested within the National Security and National Defense 
Strategies, the 2018 DOD Cyber Strategy prioritizes the 
challenge of great power competition, and recognizes that the 
Department must adapt a proactive posture to compete with and 
counter determined and rapidly maturing adversaries.
    It makes clear that DOD's focus on cyberspace, like in 
other domains, is to defend forward. That is, to prevent or 
mitigate threats before they reach American soil. This focus 
complements the DHS cybersecurity strategy's emphasis on 
domestic preparedness and risk management.
    Together, the DOD and DHS strategies form a natural, 
mutually supporting approach to defense in depth. With these 
new strategies in place, DOD and DHS have worked together to 
establish a framework to drive domestic preparedness and 
critical infrastructure protection efforts.
    Secretary Mattis and Secretary Nielsen recently signed a 
joint memorandum that frames how DHS and DOD will secure and 
defend the homeland from cyber threats. This is a major step 
forward in fostering closer cooperation, and marks a sea change 
in the level of collaboration between our departments.
    Implementation of the joint memo is already underway. 
Yesterday, I joined my DHS and Joint Staff colleagues to sign 
the joint DOD-DHS Cyber Protection and Defense Steering Group 
Charter. Established at the direction of Secretaries Mattis and 
Nielsen, this steering group will apply senior leadership 
energy to enhance the U.S. Government's readiness against cyber 
threats.
    This fall, Department of Defense and DHS cooperated closely 
to ensure that all appropriate Federal Government tools and 
resources were available to protect and defend the 2018 midterm 
elections from foreign interference. DOD provided standing 
approval for DOD personnel to support DHS cyber incident 
response activities in the event a significant cyber incident 
impacted elections infrastructure.
    The National Guard also played an important role in 
election support. Governors from several States used National 
Guard personnel in State status to support election 
cybersecurity in accordance with State law and policy.
    Beyond elections, DOD is focused on how to improve 
collaboration with DHS and the critical infrastructure sectors. 
Through a series of pathfinder initiatives, we are enabling 
private sector entities to defend their networks by sharing 
relevant threat information. In turn, these pathfinders will 
enable the Department of Defense to leverage private sector 
threat information to inform DOD cyberspace operations.
    We are also strengthening the Defense Industrial Base 
sector partnership to improve the security and resilience of 
the Defense Industrial Base critical infrastructure. This 
approach aligns with the National Defense Strategy guidance to 
enhance joint force lethality and reform departmental 
procedures.
    DOD is coordinating with DHS's National Policy and Programs 
Division to establish a joint plan for future cyber incident 
response. By identifying roles, responsibilities, and 
coordination mechanisms, we are establishing a baseline for 
efficient and effective interagency operations.
    Lastly, I would be remiss if I didn't highlight the 
National Guard's contribution to DOD and the Nation. We fully 
recognize the National Guard's two complementary roles as an 
integral part of the total force and as a State capability.
    Section 1653 of the FY 2019 NDAA, which requires an 
assessment of the feasibility and advisability of establishing 
cyber civil support teams, provides an opportunity to review 
and refine the role of the National Guard. My team will lead 
this review.
    Thank you again for the opportunity to appear before you 
today. As you can see, the Department has undertaken extensive 
work with DHS to improve defense of the homeland and national 
critical infrastructure, but there is much left to do. I look 
forward to working with Congress as we address the challenges 
facing the homeland, and I welcome your questions today. Thank 
you.
    [The prepared statement of Secretary Rapuano can be found 
in the Appendix on page 55.]
    Ms. Stefanik. Thank you.
    Lieutenant General Shwedo.

  STATEMENT OF LT GEN BRADFORD J. SHWEDO, USAF, DIRECTOR FOR 
  COMMAND, CONTROL, COMMUNICATIONS AND COMPUTERS/CYBER, CHIEF 
           INFORMATION OFFICER, JOINT CHIEFS OF STAFF

    General Shwedo. Chairwoman Stefanik, Chairman Ratcliffe, 
Ranking Members Langevin and Richmond, and members of the 
committees, good afternoon and thank you for the opportunity to 
testify today on the Department of Defense and Department of 
Homeland Security cyber collaboration and information sharing.
    I would like to take this opportunity to thank Congress for 
its quick action in improving the National Defense 
Authorization Act for fiscal year 2019, providing new 
authorities that allow the joint force to conduct cyberspace 
operations to disrupt, defeat, and deter malicious cyber 
activities. Thank you for your broad and continued support.
    Since the elevation of United States Cyber Command 
[CYBERCOM] from a sub-unified command to a combatant command, 
cooperation on cyber issues between DOD and DHS have been 
streamlined through Cyber Command, and it has prospered. Close 
cooperation between the departments has exponentially added 
value in areas such as intelligence sharing, cyberspace 
operations, and cyber policy development.
    As Mr. Rapuano indicated, midterm elections provided a 
real-world platform to showcase interdepartmental collaboration 
in cyberspace. The cyberspace capabilities of the Department of 
Defense and DHS has increased through partnership and working 
together to secure the Nation's election systems.
    The 2018 National Defense Strategy, 2018 DOD Cyber 
Strategy, and the draft 2018 National Military Strategy all 
reflect what DOD senior leaders refer to as a changing nature 
and character of war. Russian and Chinese military thinkers 
have closely studied the United States and devised strategies 
to achieve their objectives short of armed conflict. They are 
doing this with actions below the threshold of armed conflict, 
leveraging propaganda, diplomacy, economic pressures, and 
threats to coerce nations.
    Our joint forces need the best intelligence, information 
technology [IT], and training, and they need it quickly. The 
joint force is committed to act in concert with our interagency 
partners to share threat intelligence to enhance the whole-of-
government defenses and our collective ability to respond to 
malicious cyberspace activities.
    Sharing intelligence, indications, and warning are one of 
six lines of effort specified in the joint memorandum between 
DOD and DHS referenced by ASD [Assistant Secretary of Defense] 
Rapuano earlier. Together, the joint memorandum and charter 
provide guidelines to vector the departments in sharing 
information, reducing the timeline on actionable intelligence, 
and paving the way for proactive collaboration in the defense 
of our Nation.
    This requirement to share intelligence and information is 
bidirectional, and it is not confined to the sectors owned and 
operated by DOD and DHS. To that end, we are engaged to set 
pathfinder efforts with DHS and with sector-specific agencies 
charged with the security of critical infrastructure.
    The National Defense Strategy establishes the Chairman of 
the Joint Chiefs of Staff, General Dunford, as the global 
integrator with the understanding that the evolved nature and 
character of war make it unlikely that the impacts of a 
conflict will be confined to a single geographic area of 
operation.
    The U.S. homeland can now be impacted directly by events 
that 20 years ago would only generate indirect or collateral 
effects. In the cyber domain, this shift requires the joint 
force to take on at least two additional roles: one is the 
global integration in cyber and the other is coordination of 
cyberspace activities.
    The Joint Staff is taking on the global integration role to 
synchronize collaborative efforts to ensure impacts from one 
theater of operations does not affect the other, and are 
intentional and supportive rather than collateral.
    During the closed-door session, I will provide operational 
details regarding ongoing efforts that illustrate the close 
cooperation among the departments with regard to election 
security and critical infrastructure pathfinders.
    Thank you again for the opportunity to appear before you 
today. Our relationships with Federal, State, local industry 
and international partners is critical to everything the 
Department is doing in the cyber domain. We appreciate your 
continued strong support in providing the authorities that 
allow us to strengthen these partnerships and build strong 
programs to protect and defend our Nation.
    I look forward to your questions. Thank you.
    Ms. Stefanik. Thank you to each of the witnesses for your 
testimony.
    My first question has to do with many of the themes we have 
heard already, is this whole-of-government approach. Obviously, 
we need to ensure that we are not siloing information, but at 
the same time, we also need to ensure that we are not seeing 
mission creep, because when it comes to our oversight and our 
jurisdiction, we want to make sure that each agency has the 
resources available for each department.
    But I would like to know what efforts are being taken to 
ensure that each department focuses specifically their efforts 
on their lanes of responsibility to prevent mission creep. Ms. 
Manfra, we will start with you.
    Ms. Manfra. Thank you, ma'am, for the question.
    I think what we have decided to do is take real-world 
scenarios. And so we talked a little bit about the pathfinder 
initiatives, also with the elections, but working through 
specific real-world areas where we do need to share 
information, and having both the lawyers and the operators 
working side by side, working with the operators in terms of 
what information would be useful for you to have access in 
order to do your job, and then working with the lawyers to 
ensure that we are not going outside the bounds of what is 
appropriate from an authority perspective.
    And I defer to my DOD colleagues. We feel very comfortable 
that this is the right approach. And as we learn from each one 
of these sort of initiatives, whether it is with the financial 
sector or the energy sector or elections, we are learning 
lessons that can be applied more broadly.
    Ms. Stefanik. Mr. Rapuano.
    Secretary Rapuano. So we are extremely conscious of what 
our focus and priority is in terms of defending the Nation 
against exigent threats. The transformation in terms of the way 
the Department of Defense looks at the homeland with regard to 
vulnerability to cyber, particularly with regard to critical 
infrastructure, is that significant threat to national critical 
infrastructure is a national security concern.
    It remains a DHS mission, and the role that we play and 
that we very clearly defined in all of our engagements as well 
as the memorandum of understanding with DHS is that we provide 
civil support to civil authorities in those cases, in those 
areas where the needs exceed DHS capability and their unique 
skills and capabilities that the Department offers.
    Ms. Stefanik. Lieutenant General Shwedo, did you want to 
add?
    General Shwedo. Sure. You know, just one point that Ranking 
Member Richmond brought up. Often, there is a frustration 
because we go through exercises to try and figure out some of 
the details of these relationships. These elections gave us a 
real-world platform where we started working out a lot of these 
things.
    And we actually had a meeting yesterday where we sat down, 
and there isn't always concurrence on a point of view. The good 
news is, we are taking these opportunities in a real-world 
scenario as opposed to some theoretical wargame, and I feel we 
are gaining a lot of ground.
    And actually, there was a discussion about letting our 
staffs come together and make out the equivalent of a three-
ring binder and figure out so we can move very fast with, ``We 
think it is scenario B,'' bang, so we can get them faster, in 
their lane, the support they need, and the mission set 
associated with it. So once again, we are taking advantage of 
the opportunity right now.
    Ms. Stefanik. And my last question in the minute I have 
left, we have heard in previous hearings and briefings that 
there is no common cyber operating picture that is shared 
between DOD, DHS, and FBI [Federal Bureau of Investigation]. 
What efforts are being taken to address this shortfall?
    Ms. Manfra. I can start, ma'am. You know, I think whether 
we--there are tools that are available to have a common 
operational picture in terms of incidents that we are working 
to share, but it does get back to the earlier point, is we have 
to be very precise in terms of what information agencies have 
the authority to view.
    And so we are working very closely--kind of going back to 
that--what do the operators need to do their mission and then, 
how do we create the environment where we can share the 
information appropriately, so ensuring names are anonymized and 
those types of things. And so I think we have made more 
progress in this area than we have in the previous decade in 
just the last few months, very much focused on the elections.
    But that is how we are approaching it in terms of we have 
great technology that is available to us and that allows us to 
share information, that allows us to look for patterns, those 
types of things. We want to leverage that, but we have to do it 
in the appropriate legal frameworks. And so we are getting all 
those lawyers and operators together to work through specific 
instances to make sure we can get to that common view.
    Ms. Stefanik. Thank you. My time is about to expire.
    Mr. Langevin, you are recognized.
    Mr. Langevin. Thank you, Madam Chair.
    Ms. Manfra, one of the key challenges we face with 
interagency cooperation is prioritization given limited 
resources and agencies with different mission sets. So how is 
the standup of the new National Risk Management Center helping 
to inform efforts to understand the vulnerabilities of critical 
functions, and how are you ensuring that these lessons are 
diffused throughout the interagency, particularly through the 
Department of Defense?
    Ms. Manfra. So the work of the National Risk Management 
Center is filling a key gap that we identified, which was 
looking at the systems and the functions across the country. So 
it is taking a more functional approach instead of thinking 
about specific assets or organizations, but it is looking at 
defining what we are calling national critical functions as one 
of its key efforts.
    And that effort working with industry will then be able to 
inform how our department, how other departments and other 
sector-specific agencies, such as DOD, are participating in 
this. And so we are defining it from a mission and industry 
from a business perspective, and then once we have these 
national critical functions identified, which we will have by 
the end of the year, then we are going to assess the risk to 
those. And DHS and DOD will be working this together, and as 
well as other agencies that have a role in there.
    And then that starts to be able to trickle down, and so 
that we can focus on are we prioritizing all of our resources 
towards protecting and preparing ourselves for responding to 
the, you know, disruption or the denial of some of those key 
functions and services. So that is really the--kind of the core 
of the National Risk Management Center, and it is how it is 
going to help inform myself, but also the other agencies.
    Mr. Langevin. Okay. And to both you and to Mr. Rapuano, I 
am pleased obviously that Secretaries Mattis and Nielsen have 
recently signed a joint memorandum. We have discussed that, 
touched on that a bit today, and I certainly look forward to 
reviewing it. How are your departments working to ensure that 
collaboration goes beyond just the principal level and happens 
operationally as well?
    Ms. Manfra. From my perspective at DHS, the core of the 
collaboration is actually happening at the operational level. 
Our Deputy Director for Operations within the NCCIC has been 
our lead for collaborating with her counterparts across DOD. 
And then we are identifying other collaboration points, so 
whether that is on the operation side or the planning elements, 
and then the steering group will be that mechanism by which we 
oversee that collaboration and ensure that we are actually 
making tangible progress on these outcomes. But much--the bulk 
of what we are doing is actually happening at the operational 
level.
    Mr. Langevin. Okay.
    Secretary Rapuano. I would echo that. Our staffs work very 
closely in terms of in my organization, as well as the Joint 
Staff. The real working level work is at U.S. Cyber Command 
working with Secretary Manfra's folks on the operational piece 
of the equation.
    We also have direct interests at the Department of Defense 
as the sector lead for the Defense Industrial Base, and we are 
collaborating more and more on that, based on the threats that 
are manifesting associated with, again, particularly Russia and 
China, as well as defense-critical assets for which we have 
dependencies on commercial-critical infrastructure. So that is 
another area of focus and area of collaboration with DHS.
    Mr. Langevin. So I may come back to a couple questions, but 
I wanted to get this clarified, too. Mr. Rapuano, what is the 
status of the report required in the FY 2019 NDAA on cyber 
civil support teams?
    Secretary Rapuano. So we are currently working that--the 
response to that. I can get you the details in terms of when 
specifically we will be getting that to you.
    [The information referred to can be found in the Appendix 
on page 69.]
    Mr. Langevin. Okay. That is something that we would need to 
follow up on, and I just want to get a status report, and we 
look forward to seeing the final version.
    But let me go back. Mr. Rapuano, can you describe your 
approach to bringing DHS in on pathfinder conversations with 
the financial sector and DOE [Department of Energy]?
    And, Ms. Manfra, if we have time, can you--can we better--
how can we better ensure DHS's unique perspective as the 
Federal lead for cyber defense is represented in interagency 
policy decision making, especially when the Department's--our 
relative newness with--the Department's relative newness means 
that it has not traditionally been included? Mr. Rapuano.
    Secretary Rapuano. I would just start by saying, with 
regard to the pathfinder and financial sector, it wasn't a 
question of bringing DHS in. We were engaged from the very 
beginning with DHS on that, as well as the Department of the 
Treasury.
    One of the interesting facets of the financial sector is 
they have a very sophisticated--significant investments in 
cyber protections. And the outlook and approach there was 
looking at what best practices may they have developed because 
of the time and attention they played that we could be applying 
to other critical infrastructure sectors.
    And the energy focus for both of us is a high priority, 
because energy is considered to be really one of the 
fundamental foundational elements of critical infrastructure 
for which many of the others depend on. So, again, that has 
been something we have been engaging with DHS on from the 
beginning.
    Mr. Langevin. Thank you.
    Ms. Manfra. I can answer very briefly. We are absolutely 
included in all the relevant conversations related to cyber 
operations, whether those are at the NSC [National Security 
Council] or with DOD or other agencies. While we are new, we--
you know, we have a Secretary who is very knowledgeable in 
cyber and myself and my boss, Under Secretary Krebs. We are in 
every one of those conversations where we need to be.
    Mr. Langevin. Thank you.
    Ms. Stefanik. Mr. Ratcliffe.
    Mr. Ratcliffe. Thank you, Chairwoman.
    Ms. Manfra, I want to start with you. It has been publicly 
reported that 50 DOD personnel were reassigned to the NCCIC in 
the lead-up to last week's midterm elections. Can you go into a 
little more detail into the nature of their mission within DHS 
during that time? I am curious what operational role DOD 
personnel played, if any, that wasn't just situational 
awareness.
    Ms. Manfra. We had 11 personnel that came over, integrated. 
We do have liaison officers that have been long established 
with DOD that come from CYBERCOM. They have been integrated.
    Part of the conversation that we had in pre--in setting up 
pre-negotiating, if you will, the requests for assistance, 
should we need it, if we needed search support on Election Day 
or after, was that it would be helpful to have some DOD 
personnel that would be fulfilling that request to have some 
familiarity with our organization. So they came over for a 
couple of days just to become a little bit more familiar. They 
are still serving in that liaison role, but it was about 11 
people that did come over.
    Mr. Ratcliffe. Okay. I want to follow up a little bit on 
the discussion about pathfinder as it relates to the financial 
sector. As you know, Cybersecurity Act of 2015 offered 
liability protections to private organizations for sharing 
cyber threat information with DHS.
    And that protection, of course, was intended to incentivize 
the private sector companies to share information with the 
Federal Government. But I am not sure--I am a little concerned 
that the financial sector organizations are sharing information 
directly with DOD, and I am wondering, if that is the case, are 
those organizations still offered liability protections?
    Ms. Manfra. To be clear, sir, they are sharing it with DHS. 
We are partnering with DOD in, as I mentioned, working through 
the legal constructs to ensure that DOD can have access to the 
information as well. So it is sort of the through the DHS 
framework and the construct that we are bringing DOD into being 
a part of.
    I would defer to DOD on the liability protections.
    Mr. Ratcliffe. Do you want to expand on that?
    Secretary Rapuano. I am not tracking the liability 
protections, but as Secretary Manfra notes, we really work with 
and through DHS in terms of the interface with the private 
sector. We bring the expertise and unique capabilities that the 
Department has, but we are very conscious of not crossing over 
the lines in terms of sensitive or proprietary information. So 
we really use DHS as a gatekeeper or filter, so to speak.
    Mr. Ratcliffe. Okay. So let me follow up on that with you, 
Mr. Rapuano, and you, General Shwedo, in terms of, you know, 
what we are hearing from DHS stakeholders is that there is a 
general agreement about rules of the road at the high level, 
but maybe not at the command level. So I am thinking of 
responses to domestic cyber activity like the ransomware attack 
on the city of Atlanta or NSA's [National Security Agency's] 
knowledge about hackers that attacked Sony Pictures.
    I guess I want to be real clear: are DOD elements looping 
in DHS to ensure civilian cybersecurity equities are considered 
before or after the fact?
    General Shwedo. So I will tell you, sir, you know, as we 
are going through pathfinders, et cetera, we are very cognizant 
of all the laws, and that is why you will hear Mr. Rapuano say 
we go through DHS. As it stands right now, we follow to the 
letter of the law, and that is much of the discussion that you 
hear between the two elements as we go forward.
    We get requests for support from DHS, and then we turn it 
to over to lawyers on both sides of the street to make sure 
that we are following the piece. But any belief that somebody 
is going VFR direct \1\ [visual flight rules, direct] to the 
Department of Defense is not what is happening. We work through 
DHS on all of our support.
---------------------------------------------------------------------------
    \1\ Air Force slang term concerning a pilot's ability to go 
straight to his destination; from aviation term meaning a simple flight 
plan.
---------------------------------------------------------------------------
    Secretary Rapuano. Just to add to that, DHS has the 
domestic protection mission. DOD is supporting DHS in the form 
of defense support to civil authorities through DHS's 
authorities. So, again, we are working very closely with DHS. 
DHS comes to us if they have got needs that are beyond what 
they can within their own capability sets employ, but if we 
were to employ them, it would be through DHS authorities.
    Mr. Ratcliffe. Okay. I very much appreciate that 
clarification. Thank you. I yield back.
    Ms. Stefanik. Mr. Richmond.
    Mr. Richmond. Thank you.
    Lieutenant General Shwedo, you answered pretty much my 
first question about collaboration between organizations, so 
let me focus for a moment on the funding aspect. With respect 
to securing civilian cyberspace, the role of civilian agencies 
in the military is well-defined. Congress has decided that 
outside of national emergencies, DHS, and not the armed 
services or the intelligence community, should lead these 
efforts.
    So the question is about funding. Right now, DOD has an $8 
billion budget for cyber, given DHS has basically $1 billion 
for critical infrastructure. Considering that 85 percent of 
critical infrastructure is privately owned, how do we balance 
that, and at what level would you say that a mission like that 
should be funded? And that is for the entire panel.
    General Shwedo. So, sir, the first piece is, you know, 
comparing the two budgets, first of all, Cyber Command is 
responsible for not only defensing--defensive actions here, but 
they also have a combatant command responsibility to ensure 
cyber warfare going on and the other piece. So that is one 
difference.
    The other piece is, I think if you look at the 
responsibility, and we are still talking about how to fund some 
of these things, Mr. Rapuano will talk about it, but we have 
talked everything from--and this is part of the pathfinder, 
which has been a wonderful experience, is talking about the 
equivalent of a cyber Stafford Act and other things, because we 
are very cognizant of how funding in a bunch of different 
directions could get pretty bad.
    The last part is, there is going to be a responsibility for 
a lot of these companies and other people that we have been 
talking about earlier to have their portion of cyber defense. 
For them to just put their hands up in the air and say we are 
not going to fund it anymore, I think, would also be a bill 
that we could not afford, but I will turn this over to Mr. 
Rapuano.
    Secretary Rapuano. I would just add that when you look at 
the DOD's budget, and the figure $8 billion is often used, the 
great majority of that funding does not go to U.S. Cyber 
Command. The great majority of that funding goes to development 
of weapon systems with cyber resilience and cybersecurity 
capabilities to the services.
    Cyber Command, I believe, is under $500 million a year in 
terms of its funding, closer to $300 million, I believe. We can 
check that fact. But it is a very small percentage of the 
overall $8 billion, which is going into weapon systems and the 
Defense Information System and the CIO [Chief Information 
Officer].
    Ms. Manfra. From a DHS perspective, sir, we are a, you 
know--well, fairly new agency and we have been growing 
steadily. I would say that, you know, absolutely support the 
President's budget, appreciate the assistance through the 
omnibus and additional resources to assist us with the 
elections and helping with additional capabilities to civilian 
agencies.
    But to help understand the scope, there are 99 civilian 
agencies that I am responsible for assisting with 
cybersecurity. There are--just in, you know, one sector alone, 
there are hundreds of thousands of companies that operate our 
water and wastewater treatment plants. So there is a massive 
scope and scale in what we are trying to secure.
    We are very grateful to Congress for the authorities that 
we have been given, and we look forward to working with you to 
ensure that we have the capability and the capacity to deliver.
    Mr. Richmond. Well, this is one of those golden moments. 
And, Lieutenant General, you kind of mentioned the Stafford 
Act. I am, you know, a survivor of Katrina and Rita. We don't 
hold the Stafford Act out to be the great example of anything, 
and I really wish this committee had--at least Homeland had 
jurisdiction over the Stafford Act so we could improve it.
    But, Assistant Secretary Manfra, here is your opportunity 
to say, I think we have enough resources to protect the 
privately owned critical infrastructure; I think we don't. And 
what we don't want to happen--especially since my district is 
the first largest petrochemical district in the United States--
what we don't want is Monday morning quarterback to say we 
didn't have the resources, we didn't have the support, we 
didn't get X, Y, and Z done.
    So I guess my question is, as we head into budgeting and 
all the other stuff, do you think you have the resources to 
accomplish the mission that is so critical to everyone up here? 
So that is basically the question.
    Ms. Manfra. Sir, what I would say is that, as is 
demonstrated with the additional resources that you gave us for 
elections, we can do more with more.
    Mr. Richmond. Thank you. And I yield back.
    Ms. Stefanik. Mr. Bacon.
    Mr. Bacon. Thank you all, all three for being here. I am 
grateful for your expertise and your hard work.
    My first question is to General Shwedo, who I have worked 
with for quite a while. He has got a lot of experience in cyber 
warfare. And I would just like you to explain to our country 
and our citizens why this topic is so important that we don't 
have seams or overlapping, and if you could put it in the 
context of what would you anticipate on day one of a major 
cyberattack, say, from Russia or China.
    This obviously would be a military directed attack at us, 
but will those targets be only towards military, or would you 
anticipate it being a wide array of targets in our country? If 
you could just elaborate what you would anticipate.
    General Shwedo. So I will just give an overview. We can 
definitely talk in detail in a closed session. But what we are 
seeing is, from both Russia and China, they prefer to stay 
below the level of the threshold of armed conflict. And you 
will find that we are seeing more and more when we see Ukraine 
and other countries, when you see power and other things start 
going out.
    My concern is sometimes the citizenry is the soft 
underbelly, and I think that is kind of where you are going 
with the question, is we--and that is why this is so important, 
is we need to ensure that we shore up that, and that is part of 
the discussion we are having today as opposed to just throwing 
up our hands and saying we fight foreign wars.
    We are not going to launch in and start taking over things 
in the United States. We are very cognizant to what DHS has to 
do, and that is why it is so important to make sure that we get 
it right when we go through these pathfinders, to make sure we 
get it right, that we get them the information and the support 
they need as it goes forward.
    But I do believe your--the portion of your question is spot 
on. I do believe that it is going to be wide ranging. And I 
think if they get their way, just like the sons and daughters 
of Sun Tzu, they would prefer to not fight force on force. They 
would prefer to get their way below the level of the threshold 
of armed conflict, because the world has seen what happens when 
they go toe to toe with us, and that is not the preferred COA 
[course of action] they would like to go with.
    Mr. Bacon. So just to resummarize, it would be a military 
attack from their own cyber capabilities, but very likely the 
focus will be on areas covered by DHS. And this is why it is so 
important that we don't have these seams or overlapping things. 
It is very important that we have it right, because we know day 
one will not be a December 7 type attack. They will be going 
after our energy grid, our financial sector, all those things 
that would create havoc. And so it requires significant 
cooperation between DOD and DHS to get this right.
    And my next question will be to Ms. Manfra. We passed a 
bill earlier this year that gave DHS responsibility over 
industrial control systems. It is sitting in the Senate right 
now. How important is it to you and DHS that we get this out of 
the Senate and signed by the President?
    Ms. Manfra. Well, first of all, sir, I want to thank you 
all for recognizing the uniqueness of industrial control 
systems. These are the systems that really underpin most of our 
critical infrastructure. And DHS has had a unique role to play 
in industrial control systems, having some of the most 
recognized globally experts in our ICS-CERT [Industrial Control 
Systems Cyber Emergency Response Team]. So very much appreciate 
the acknowledgment that we need to have this leadership role 
and looking forward to continuing to work with the Senate and 
others to codify that.
    Mr. Bacon. We need to give a nudge over there, I think, get 
that signed--or voted on and sent over to the President.
    My final question is this, and it gets back to really the 
focus of your-all's time here today. Do any of you see where we 
have overlapping responsibilities where it is creating 
problems? Do you need more delineation through legislation? Do 
you have any recommendations for us in that area? So do we have 
areas of overlap or do we have areas of seams that we need to 
do better on? Thank you.
    Ms. Manfra. Sir, I don't see any areas of overlap. We have 
definitely identified that there is a potential for seams and 
so we are working to address those, going back to starting at 
these national critical functions. And I know DOD is thinking 
about what is critical to their capability as well.
    And so working together to ensure that we are bringing the 
full force of both of our authorities. I do believe that they 
are very complementary. I don't believe that they are 
duplicative or overlapping in any way. And so we are just going 
to continue to ensure that we can operationalize those 
authorities so that we can both do our missions.
    Mr. Bacon. Mr. Rapuano, anything to add?
    Secretary Rapuano. So as Secretary Manfra notes, we are in 
the process right now of looking at what our critical national 
functions are. And typically, because we looked at the homeland 
as a sanctuary traditionally over time and with the threat of 
cyber in particular, the homeland is no longer that sanctuary. 
We are looking at all of our dependencies as the Department of 
Defense and our ability to project power, where they are in 
critical infrastructure and how we can better ensure their 
resilience, so in the event of a conflict----
    Ms. Stefanik. Time is expired.
    Secretary Rapuano [continuing]. We will be able to leverage 
them. Thank you.
    Mr. Bacon. Thank you. I yield.
    Ms. Stefanik. Mrs. Demings, you are recognized for 5 
minutes. Mrs. Demings, you are recognized for 5 minutes.
    Mrs. Demings. Thank you so much, Madam Chair. And thank you 
to our witnesses for being with us today.
    This question is really for the entire panel, and I do 
appreciate the information that you shared with us thus far in 
this very critical area. And my question goes back to 
collaboration, cooperation. A question was asked earlier about 
resources, and I think we do better when we have the ability to 
share information and better work together.
    So my question is, how are DHS and DOD working together on 
supply chain risk, especially in light of the growing overlap 
between the Defense Industrial Base and traditionally civilian 
sectors of U.S. critical infrastructure?
    Ms. Manfra. I can start, ma'am. This is actually one of our 
key areas of focus, given the exact point that you just made, 
that the many civilian agencies use many of the same companies 
that are in the Defense Industrial Base and that DOD uses. 
There is a series of actions, some of which we can talk about 
in the closed hearing as well, that we are ensuring that we are 
coordinating. So that we are using our authorities to drive 
better risk practices, both with the agencies that I have the 
directive authority under with civilian FISMA [Federal 
Information Security Management Act] agencies, as well as on 
the DOD side, but that we are also sharing information, and 
that we are coordinating and ensuring that if we are aware of a 
compromise of a vendor for one agency, that both of our 
agencies are aware of that and we can take coordinated action.
    Mrs. Demings. Thank you.
    Secretary Rapuano.
    Secretary Rapuano. I thank you for the question. It is a 
very significant focus and concern, in terms of the supply 
chain and the dependency that we have on it for our weapon 
systems and communications capabilities.
    We are focused in the interagency with DHS, but other key 
agencies, Commerce and others, in terms of identifying where 
the vulnerabilities are and how do we identify how we can 
restructure and better protect critical supply elements 
necessary for the economy and the military.
    Mrs. Demings. And General Shwedo.
    General Shwedo. Yes, ma'am. So this clearly falls under the 
information sharing piece, and we are aggressively looking for 
these back doors, et cetera. And as soon as we find one, we go 
back to the relationship with DHS, or dependent on who is the 
recipient of this back door, to ensure that we start sharing 
the information, because we understand that there's multiple 
actors in this realm and we are trying to get after it.
    Mrs. Demings. How would you say the White House is 
coordinating these efforts, and how are roles and 
responsibilities currently aligned?
    Ms. Manfra. The National Security Council is working 
through much of this. As Mr. Rapuano noted, there is OMB, the 
Office of Management and Budget. When you are thinking about 
Federal procurement policy, legal teams need to get together 
from Department of Justice, et cetera.
    So this is a whole-of-government effort that is being 
managed by the White House. Then there are specific things that 
DHS and DOD are committing to do with each other because of our 
unique authorities and oversight over the networks that we have 
the oversight on.
    Mrs. Demings. Secretary Rapuano, would you like to add 
anything to your original answer?
    Secretary Rapuano. I would just concur with Secretary 
Manfra that this is a whole-of-government focus, because there 
are a number of different agencies with authorities and 
responsibilities and expertise, and it has been working very 
closely, at least from my observation.
    General Shwedo. I would just end with it has to be a whole-
of-government approach. We have got to make sure that we track 
it down in all aspects. So absolutely, that is where it has to 
come from, and it has to go down to the lowest levels.
    Mrs. Demings. And you feel like you are on target with 
reaching your mission and your goals in that area?
    General Shwedo. So, ma'am, you know, the supply chain 
challenge is incredibly hard. And this is one of those ones we 
cannot fall off the target. We have got to stay focused on this 
the entire time.
    And I unfortunately hate to tell you we will never, quote, 
``get there.'' We are going to have to continually, because 
there are always going to be bad guys that are going to be 
shaking windows and shaking back doors, trying to get into our 
systems, weapon systems, any supply chain piece, commercial 
off-the-shelf. They are going to do anything that they can. 
Sons and daughters of Sun Tzu, they will go like water to the 
least defended place and try to place their back door there.
    Mrs. Demings. Thank you all.
    And, Madam Chair, I yield back.
    Ms. Stefanik. Thank you, Mrs. Demings.
    Mr. Scott.
    Mr. Scott. Thank you, Madam Chair.
    And, ma'am, when you mention the word ``procurement'' in 
this particular field, I imagine you could spend weeks in 
committee meetings on that, and we will be looking forward to 
your input on how we best handle procurement.
    I want to mention one other thing before I get to my 
specific question. We have got people effectively doing the 
same job from different agencies. And my question gets back to 
compensation and employee benefits and managing a workforce 
that comes through different agencies. If you have got 
tremendous discrepancies in pay, that can lead to problems in 
the management of your team.
    Is that an issue that you have been able to address or is 
that something that you are going to need legislative help 
with?
    Ms. Manfra. Sir, we actually have received legislative help 
on this in a bill passed a few years ago.
    Mr. Scott. Okay.
    Ms. Manfra. We are working to create what we call the Cyber 
Talent Management System. We have been able to leverage some 
existing authorities, direct-hire authority, retention 
incentives, to reward those who have achieved certain 
certifications in difficult-to-retain positions, those types of 
things, that have really reduced our attrition rate.
    The Cyber Talent Management System, I really believe once 
we get this in place, it will really just be a complete 
revolution in how you think about public service and civil 
service, and we are really excited to get that on board. And I 
am working with Suzette Kent, the Federal CIO, to think about 
how do we ensure that all civilian agencies have the ability to 
recruit and retain quality talent. And so that is also a big 
initiative. You will see some of that in the National Cyber 
Strategy as well, thinking about that workforce of the future.
    Mr. Scott. It is certainly an area where in the private 
sector, they can make significantly more money, and they are 
truly public servants in doing the work that they are.
    My question gets specifically to the National Guard. I know 
the Army Guard and the Air Guard have established cyber units 
to support U.S. Cyber Command. In what cases can these units 
support their home States under State authority or other States 
on a State-to-State basis?
    And, General, that may be best for you. How do you expect--
--
    General Shwedo. Actually, I will defer to Mr. Rapuano. He 
is working on this issue right now.
    Mr. Scott. Okay. That is fine. Perfect. Thank you.
    Secretary Rapuano. So as recently as the elections, we had 
a number of circumstances where State National Guard were 
supporting the State elections process with their cyber 
expertise and skills. As I noted in my statement, we are 
looking at the orientation and structuring of National Guard 
support to the civil side of the equation, and that would be 
with Federal assistance, in terms of a mission force 
capability.
    But I think as you know, the National Guard, we go with the 
total force construct in the Department of Defense, which means 
that you want to have maximum flexibility to utilize all of 
your force structure to hit your priorities. And if you are 
segmenting significant chunks of it for particular missions for 
particular supported elements, you might lose that.
    So we are balancing in the assessment what the gain/loss is 
associated with dedicating certain elements of the Guard to 
cyber domestic missions versus having them in reserve for 
military missions. So that is a work in progress.
    General Shwedo. All I would say just on the end is this is 
really where the come together with DHS, because we have to 
have that whole-of-government approach before we throw too many 
National Guard members. DHS may be having support teams in 
there, so that is going to be part of the calculus in covering 
down on all of our bets to a cyber incident. So those are some 
of the conversations.
    The last part, we are learning a lot as it goes forward 
with--just in one scenario, Mr. Rapuano had to sign a waiver to 
a policy to allow National Guardsmen to get TS/SCI [Top Secret/
Sensitive Compartmented Information] information when, because 
they were in Guard status, they were limited to Secret. So, 
once again, we are learning a lot as we go through.
    Mr. Scott. It is certainly a different type of mission, but 
I think that as time goes on, we are going to need to pull on 
the Guard just for the manpower that it is going to take to 
handle this mission. But thank you for what you do.
    And, ma'am, I yield the 15 seconds.
    Ms. Stefanik. Mr. Larsen.
    Mr. Larsen. Thank you. Thanks for coming out.
    I want to build on what Mr. Scott said, Mr. Rapuano. So in 
your testimony you say that you are responsible for leading 
this with the DHS, but are you the leader on this, looking at 
[section] 1653? Are we calling you when there is a question?
    Secretary Rapuano. Well, we work with the Joint Staff, and 
we work with----
    Mr. Larsen. Yeah, but you are doing the evaluation?
    Secretary Rapuano. Yes, yes.
    Mr. Larsen. Your name will be on----
    Secretary Rapuano. OSD [Office of the Secretary of Defense] 
policy is----
    Mr. Larsen. OSD policy. Then do you have a timeline for the 
evaluation?
    Secretary Rapuano. I don't. I can come back to you with a 
timeline.
    Mr. Larsen. You don't yet have an estimate of when you are 
going to get back to us?
    Secretary Rapuano. February.
    Mr. Larsen. February?
    Secretary Rapuano. Hot off the presses.
    Mr. Larsen. As part of the budget or separately?
    Secretary Rapuano. Separately.
    Mr. Larsen. Separately. Thank you.
    And you mentioned a few criteria. Have you outlined the top 
criteria that you will use to evaluate the pilot program?
    Secretary Rapuano. Well, it is really a trade space 
analysis, looking at the various missions and capabilities, 
looking at the contingency planning, looking at the global 
synchronization/prioritization process that the Joint Staff 
runs, to best understand what the best return on investment is 
in terms of military capability invested against a certain 
range of problems and contingencies.
    Mr. Larsen. It sounds like a pretty broad--a fairly broad 
answer then still.
    Secretary Rapuano. Well, the study has--I have not plugged 
into the study in the last several weeks, so it has advanced 
beyond the last element of information I have from it.
    Mr. Larsen. Okay. So I think there are three States, 
including my State, that are in the pilot. If I am not 
mistaken, Washington--I am sorry, I am not mistaken that my 
State is Washington. Washington, Ohio, and Hawaii I think are 
the States.
    Are you looking at different models for the CSTs [civil 
support teams] or are they all using the same model?
    Secretary Rapuano. I don't have that level of detail.
    Mr. Larsen. Thanks. And you are looking at cost, obviously, 
Federal portion versus State portion?
    Secretary Rapuano. Costing is part of the assessment.
    Mr. Larsen. Cost is part of the assessment.
    And then as part of this, are you embedded with the CSTs, 
with the pilot projects in each State, or are you providing 
them an evaluation tool, they are getting back to you on that?
    Secretary Rapuano. I don't have that level of detail. I can 
come back to you with more of the framing in terms of how the 
study is being worked.
    Mr. Larsen. Could you do that, please?
    Secretary Rapuano. Yes.
    [The information referred to can be found in the Appendix 
on page 69.]
    Mr. Larsen. It is essentially the gist of my questions. And 
if either General or Ms. Manfra have any comments with regards 
to the questions I have, that is fine. Great.
    Thank you very much. I yield back.
    Ms. Stefanik. Mr. Hice.
    Mr. Hice. Thank you, Madam Chair.
    Secretary Manfra, let me begin with you. The cybersecurity 
strategy places some emphasis on the issue of supply chain 
risks, and that, of course, is a big concern to many of us, 
particularly in recent weeks, as there have been some reports 
of at least possible compromise in some microelectronics.
    So I am curious what you all are doing, what you plan to do 
in this regard, specifically with Federal networks, but also 
with other stakeholders, national as well as global.
    Ms. Manfra. Thank you for the question, sir. We are 
addressing both the civilian network challenge as well as the 
national and, frankly, global issue.
    On the Federal side, what I mentioned is both working, 
started with things like requiring the removal of Kaspersky 
last year when we directed that all agencies had to remove 
Kaspersky-branded products.
    And what we have been doing since then is working with the 
intelligence community, the Department of Defense, GSA [General 
Services Administration], OMB, and working through what are the 
barriers to civilian agencies being able to best manage third-
party risk.
    It is a fairly monumental problem and it does require 
thinking about things like procurement and, which, you know, is 
challenging, but we are taking it on, and we are doing it with 
all agencies at the table.
    On sort of in the complementary effort, one of the other 
National Risk Management Center initiatives is actually about 
supply chain specifically. So we have an entire initiative. We 
stood up a supply chain task force with our partners in the IT 
and the communications industry. Every major player that has a 
role in delivering technology both to the government and to the 
broader citizenry in our country and, frankly, globally.
    And we are working through both to get their perspective on 
what the Federal government could be doing better, but also how 
can we make the ecosystem more secure so we are not so 
dependent on technology that is developed and delivered from 
countries that we are not okay with the laws that they have in 
place. It is a very challenging problem, but I think we have 
the right mechanisms in place.
    Mr. Hice. So you are pleased with the direction things are 
going?
    Ms. Manfra. I am absolutely pleased. I always wish that you 
could revise procurement policy a little bit faster, but it is 
a process that we have to go through.
    Mr. Hice. Mr. Rapuano, would you like to respond to that as 
well?
    Secretary Rapuano. Just very quickly. We are very focused 
on the vulnerabilities with regard to supply chain. We have 
concerns about the DODIN, the DOD information system; defense 
critical assets, in terms of looking very closely at potential 
vulnerabilities in the supply chain; and the Defense Industrial 
Base, in terms of the contract relationships. What are the 
requirements? How do we reduce the risk associated with 
contaminated supply, essentially.
    Mr. Hice. Are you likewise satisfied with the direction we 
are going to have an appropriate defense?
    Secretary Rapuano. We have a lot of time and effort focused 
on it right now. It is a big challenge.
    Mr. Hice. It is.
    Okay. Madam Chair, I see the clock says I am expired. I 
don't know if that is accurate.
    Ms. Stefanik. You have 1 minute, 30 seconds.
    Mr. Hice. Okay.
    Ms. Stefanik. Actually, it reset, so I will give you 30 
more seconds, Jody.
    Mr. Hice. Okay. Well, 30 more seconds isn't going to give 
me time to go into another question. But General, let me just 
ask you your perspective on the supply chain issue.
    General Shwedo. Sir, as said, this is a huge problem, and 
the bottom line is this is where the info sharing is so 
powerful. And we need to make sure that we get it rapidly to 
all the affected players. And that is one of the strengths of 
this exercise we are going through right now, because in the 
past, on our side we weren't always able to share it as well as 
we are right now. So yes, it is a much better future, but we 
have got a lot of work to do, sir.
    Mr. Hice. Well, I am pleased to hear that. And, again, 
thank you for the work that each of you are doing. Obviously, 
this is an issue that impacts every agency and every department 
across the board, and at the heart of it is the defense and 
national security issues. So thank you for what you are doing 
in that regard.
    And thank you, Madam Chair. I yield back.
    Ms. Stefanik. Thank you, Mr. Hice. Sorry about the time, 
but glad you got your questions in.
    Ms. Jackson Lee, you are recognized for 5 minutes.
    Ms. Jackson Lee. Thank you to the Chair and multiple Chairs 
and multiple Ranking Members. Thank you to the panel that has 
made this presentation for us.
    I am not eager to engage in hyperbole, but I do think that 
a potential cyberattack is something that we all should be 
concerned about as much as it would be pervasive enough to 
cross all of the elements of which we would be concerned, 
whether it deals with the question of war and peace, whether it 
is a domestic internal action, or whether or not it happens to 
impact the Nation's electric grid, water and sewage, the normal 
functions, transportation. It is an amazing reach that we have 
that I think this hearing is extremely important.
    And I do think it is important to raise the question 
regarding the creation of the cyber defense, and to start off 
with my first question, which I think has been asked, but I 
would like to hear how effective the collaboration is with the 
cyber responsibilities of DHS and those of DOD. So we have DHS, 
we have DOD, and if you could just take a quick moment. Do you 
think it is fully integrated, it is parallel, that the 
distinctive duties are clear, the commands are clear, the 
working relationships could be better, or they are growing? I 
would be interested in that, Secretaries, and then to our 
Lieutenant General.
    Ms. Manfra. Ma'am, thank you for the question. From my 
perspective, I think we have come a very, very long way. And 
while there is absolutely room to continue to grow, I am very 
confident that we are on the right path.
    As I briefly mentioned before, our approach is really about 
bringing the policy personnel, the legal teams, and the 
operators in the room together and thinking about what is it we 
need to accomplish our missions and how can we use our 
complementary authorities and capabilities to best do that. And 
I think that is the right approach.
    We have already realized a great deal, whether that is on 
elections or in other spaces. There is definitely room to 
continue to integrate our teams and we are setting the stage to 
make that happen, but I think we have demonstrated that this 
can work in real-world scenarios, and I am very satisfied with 
the track that we are on.
    Ms. Jackson Lee. Thank you.
    Secretary Rapuano. I would agree with every point that 
Secretary Manfra made. We are looking at and moving out on 
integrating the policies, plans, and the implementation at the 
operational level.
    As noted throughout this testimony, there are a lot of 
challenges in this space. There are a lot of cross-cutting 
equities within the government and between the government and 
the private sector. That is what we are focusing on and 
prioritizing amongst them and then really focusing our efforts 
at the highest priorities.
    Ms. Jackson Lee. General.
    General Shwedo. Yes, ma'am. I would just follow up with the 
good thing about what we are going through right now is it is 
not theoretical. We are actually going through real-world 
scenarios and we are seeing results, not just at the 
operational, but at the tactical level.
    Whenever you see a Kaspersky or election manipulation, et 
cetera--and we will talk more about this when we go to the 
closed door--we are seeing at the lowest levels this 
information is getting where it needs to be and we are seeing 
results of what happens when the information gets there.
    So we have got more work to do on where we get the 
relationship so we can be faster, because in the world of cyber 
it is all about speed, but I would say we are on a good path 
right now.
    Ms. Jackson Lee. In your next answer, you might mention--
when you said ``speed,'' I spent a day with Aspen Institute 
dealing with cybersecurity, and quantum was a very major aspect 
of it and how fast it is.
    So let me ask this question very quickly, if the Chair 
would indulge me. First of all, I introduced H.R. 3202, the 
Cyber Vulnerability Disclosure Reporting Act, and it passed the 
House. And it is to create a safe place for the private sector 
to feel safe enough or secure enough to submit to the 
government its vulnerabilities, since we know they have 85 
percent or more of our cyber in the hands of the private 
sector.
    So I appreciate as I ask this question if you would 
incorporate the concept of zero day possibilities, but working 
with the private sector, but specifically I want to ask about 
the WannaCry and NotPetya attacks as examples of disruptive 
cyber events that may have--or that had far-reaching 
implications. The impact of these type attacks were felt most 
acutely abroad, with much of the U.S. cyber infrastructure not 
seeing the full effect of these attacks.
    But can you give examples of some of the far-reaching 
consequences for WannaCry and NotPetya to the United States, 
and what are some of the more pressing issues regarding Russia 
interference in the recent Federal election? If you could do 
that, incorporated with the potential of fast quantum 
technology and how we should be looking at that in terms of our 
defense. Secretary.
    Ms. Stefanik. We will have to take those answers for the 
record. The time is expired.
    [The information referred to can be found in the Appendix 
on page 69.]
    Ms. Stefanik. We will now move to the closed session in 
Rayburn 2212 immediately and get through as much of that as 
possible before they call votes.
    Thank you very much to the witnesses.
    [Whereupon, at 4:30 p.m., the subcommittee proceeded in 
closed session.]



      
=======================================================================




                            A P P E N D I X

                           November 14, 2018

=======================================================================

      



      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                           November 14, 2018

=======================================================================

      

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
      
    

      
=======================================================================


              WITNESS RESPONSES TO QUESTIONS ASKED DURING

                              THE HEARING

                           November 14, 2018

=======================================================================

      

             RESPONSE TO QUESTION SUBMITTED BY MR. LANGEVIN

    Secretary Rapuano. Section 1653 of the National Defense 
Authorization Act for Fiscal Year 2019 requires an assessment of the 
feasibility and advisability of establishing State Cyber Civil Support 
Teams. My team, in collaboration with the Department of Homeland 
Security, is as of November 14, 2018, in the final stages of drafting 
that report and our intent is to deliver the final version to Congress 
in 2019. [Note: the final report was submitted to Congress in May 
2019].   [See page 16.]
                                 ______
                                 
             RESPONSE TO QUESTIONS SUBMITTED BY MR. LARSEN
    Secretary Rapuano. Washington, Ohio, and Hawaii National Guard 
personnel are participating in a pilot program to evaluate the utility 
of using National Guard (NG) cyber elements to support DOD missions. 
The NG pilot program employs select Army National Guard (ARNG) and Air 
National Guard (ANG) personnel to conduct DOD cyber training 
activities, both on and off the DOD Information Network (DODIN), with 
the incidental benefit of helping to protect defense critical 
infrastructure. DOD is cooperating with DHS on this program.
    The pilot program currently underway differs significantly from the 
cyber civil support team (CST) concept as described in Section 1653 of 
the National Defense Authorization Act for Fiscal Year 2019. Most 
importantly, Section 1653 directs the Department to assess the 
feasibility and advisability of CSTs ``organized . . . for the purpose 
of assisting State authorities,'' which would ``[operate] principally 
under the command and control of the Chief Executive of the State.'' 
The cyber elements are participating in the NG pilot program for the 
purpose of accomplishing DOD training while providing incidental 
benefit to DOD mission assurance.
    As of November 14, 2018, my team, in collaboration with the 
Department of Homeland Security, is in the final stages of drafting the 
report required by Section 1653, and our intent is to deliver the final 
version to Congress in 2019. The report will include cost assessments 
for several different models considered in the assessment, including 
the NG pilot program currently underway. [Note: the final report was 
submitted to Congress in May 2019].   [See page 26.]
                                 ______
                                 
          RESPONSES TO QUESTIONS SUBMITTED BY MS. JACKSON LEE
    Ms. Manfra. [The information was not available at the time of 
printing.]   [See page 29.]
    Secretary Rapuano. In May 2017, WannaCry infected hundreds of 
thousands of computers around the world, causing extensive damage. In 
June 2017, NotPetya encrypted and essentially ruined hard drives on 
thousands of Ukrainian computers, and then quickly spread well beyond 
Ukraine, causing billions of dollars in damages to businesses across 
Europe and as far away as the United States. Both WannaCry and NotPetya 
exploited a vulnerability in Windows that the Microsoft Corporation had 
patched weeks earlier.
    We currently have no indication that any foreign adversary intended 
to manipulate votes or attack elections infrastructure in the 2018 U.S. 
midterm elections. However, we continue to see a pervasive messaging 
campaign by Russia to try to weaken and divide the United States.
    Quantum computing has the potential to increase information 
processing speed exponentially. The addition of quantum computing 
affects both exploit and counter-exploit activities. The increased 
speed for an adversary to identify vulnerabilities and develop exploits 
could be matched by the speed in which security researchers identify 
exploitable products and notify the vendor, who would produce a 
software update or service patch.   [See page 29.]
    General Shwedo. [The information is retained in the subcommittee 
files.]   [See page 29.]



      
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                           November 14, 2018

=======================================================================

      

                  QUESTIONS SUBMITTED BY MS. STEFANIK

    Ms. Stefanik. Ms. Manfra, you are likely aware of the DOD's 
SharkSeer cybersecurity program, which orchestrates 23 commercial 
technologies to provide automated cyber defense for the DOD information 
network. It is my understanding that since becoming fully operational, 
SharkSeer has increased DOD detection rates by 886 percent and has 
discovered over 2 billion unique cyber events. I also understand that 
SharkSeer's automated means for detecting, analyzing and responding to 
nation-state cyber events has replaced the need for nearly 90 personnel 
to generate mitigations; now, only a few personnel are needed to 
approve automated work flows and interactive mitigations are executed 
in minutes rather than days--this means that DOD's security 
architecture is not only more secure, it's also more cost effective. In 
short, by any measurement, this a very successful program that could be 
replicated to protect a broader range of Federal networks.
    Ms. Manfra, based on what I have described and what you know 
independently about the SharkSeer program, do you think there's an 
opportunity to leverage a similar architecture consisting of 
commercial-off-the-shelf technologies to protect civilian networks? Are 
you planning to collaborate with DOD on such an architecture?
    Ms. Manfra. [The information was not available at the time of 
printing.]
    Ms. Stefanik. What are DOD and DHS doing individually and 
collectively to manage risk associated with Internet of Things (IOT) 
and Operational Technology (OT) devices that are already deployed on 
government networks but lack sufficient security capability?
    Ms. Manfra. [The information was not available at the time of 
printing.]
    Ms. Stefanik. DHS has worked hard over the past few years, via the 
CDM program, to ensure that all internet-enabled devices that connect 
to a Federal civilian network can be identified and that such devices 
comply with network policies. I understand that DOD has developed a 
similar program referred to as Comply to Connect that is used by 
several of the service branches and DOD agencies, but is not fully 
rolled out enterprise-wide.
    Please give me a sense as to how important it is that civilian 
networks be able to identify all of the devices, including IOT devices 
and Operational Technology devices, that seek to connect and that all 
such devices comply with network policies?
    Ms. Manfra. [The information was not available at the time of 
printing.]
    Ms. Stefanik. In September, the President signed an election 
security executive order that requires the Director of National 
Intelligence, in consultation with the heads of any other appropriate 
executive departments and agencies, to conduct an assessment on any 
election interference by a foreign government. This assessment is due 
45 days after the election.
    As an action from this hearing, we would like to request a copy of 
that assessment, when complete. If appropriate, the results of the 
assessment may also be included in the next quarterly cyber operations 
briefing.
    Ms. Manfra. [The information was not available at the time of 
printing.]
    Ms. Stefanik. In September, we had a briefing that discussed the 
DOD efforts to protect the 2018 midterm elections. In this closed 
setting, can you provide an update on the DOD and DHS efforts?
    Ms. Manfra. [The information was not available at the time of 
printing.]
    Ms. Stefanik. We have heard anecdotally that many of the current 
interagency cyber relationships have been ad hoc and are based on 
personal connections. Can you describe any frameworks that could be 
used to formalize these relationships and interactions? What level 
would these frameworks best be applied at?
    Ms. Manfra. [The information was not available at the time of 
printing.]
    Ms. Stefanik. The FY19 NDAA authorized a pilot program to provide 
Department of Defense technical personnel to the Department of Homeland 
Security to improve critical infrastructure cybersecurity. Can you give 
a status of this pilot program? What lessons have we already learned?
    Ms. Manfra. [The information was not available at the time of 
printing.]
    Ms. Stefanik. Where do you see the most value in expanding our 
current partnerships? Are there lessons learned from our interagency 
interactions that could be applied to strengthening our international 
partnerships?
    Ms. Manfra. [The information was not available at the time of 
printing.]
    Ms. Stefanik. Mr. Rapuano, you are likely aware of the DOD's 
SharkSeer cybersecurity program, which orchestrates 23 commercial 
technologies to provide automated cyber defense for the DOD information 
network. It is my understanding that since becoming fully operational, 
SharkSeer has increased DOD detection rates by 886 percent and has 
discovered over 2 billion unique cyber events. I also understand that 
SharkSeer's automated means for detecting, analyzing and responding to 
nation-state cyber events has replaced the need for nearly 90 personnel 
to generate mitigations; now, only a few personnel are needed to 
approve automated work flows and interactive mitigations are executed 
in minutes rather than days--this means that DOD's security 
architecture is not only more secure, it's also more cost effective. In 
short, by any measurement, this a very successful program that could be 
replicated to protect a broader range of Federal networks.
    Mr. Rapuano, can you please share your general views on both the 
efficacy and the cost-effectiveness of the SharkSeer program? Has the 
DOD shared its learnings from the SharkSeer program with DHS as you 
coordinate on cybersecurity best practices?
    Secretary Rapuano. The National Security Agency (NSA) Sharkseer 
cybersecurity program integrates commercial-off-the-shelf technologies 
and threat intelligence to provide real-time detection, alerting, 
analysis, and mitigation of malware activity on national security 
systems and other government organization end point operations. In 
October 2016, NSA, in partnership with Defense Information Systems 
Agency (DISA), completed the worldwide deployment of Sharkseer 
perimeter defense capabilities at the ten DOD NIPRNet Internet Access 
Points. Section 1641 of the National Defense Authorization Act for 
Fiscal Year 2019 directs the transfer of the Sharkseer program from the 
NSA to DISA no later than March 1, 2019, for continued enterprise-wide 
operations. Sharkseer has been successful and cost effective to date.
    Yes, DOD shares lessons learned from Sharkseer with DHS. Also, 
there are more than 800 registered users of the Sharkseer program, 
including DHS.
    Ms. Stefanik. Mr. Rapuano, in the 5 years since Edward Snowden's 
theft of classified information from the National Security Agency (NSA) 
became public, insider attacks--both malicious or accidental--have 
continued to embarrass and damage U.S. national security. One of the 
most recent insider attacks on a Federal agency involved a former NSA 
developer, Nghia Hoang Pho, who was found guilty of illegally 
exfiltrating a high volume of classified material, including 
sophisticated collection tools, between 2010 and 2015. According to 
former NSA Director Admiral Mike Rogers, Mr. Pho's actions ``left the 
NSA with no choice but to abandon certain important initiatives, at 
great economic and operational cost.'' The human element in 
cybersecurity is a critical weakness and our efforts to date have not 
been sufficiently effective.
    As we modernize our networks and move to a cloud environment with 
shared services, what are the Department of Defense and the Department 
of Homeland Security doing individually and together from a people, 
process, and technology perspective, to better manage risk from 
insiders in near real time while avoiding undue infringement upon the 
civil liberties of employees and contractors that support the 
government?
    Secretary Rapuano. In accordance with Executive Order 13587, 
Structural Reforms to Improve the Security of Classified Networks and 
the Responsible Sharing and Safeguarding of Classified Information, 
dated October 7, 2011, DOD is implementing a strategic and layered 
approach to strengthen the mitigation of insider threats as it relates 
to technology, people, and processes, including the governance and 
management of efforts to counter insider threats.
    First, with respect to technology, the Department is actively 
improving both user and network monitoring to mitigate insider threats 
more effectively. DOD organizations are employing user activity 
monitoring tools to monitor individual user activities on computers 
accessing and storing information and analyzing that activity. In 
addition, we are developing new tactics, techniques, and procedures 
that increase our ability to detect and report cyber insider threat 
events on information networks.
    Second, with respect to people and processes, the insider threat 
must be addressed through understanding individuals and their 
interaction points with the Department. Thus, the Department is 
investing in the area of insider threat social and behavioral sciences 
(SBS) and considers this one of its strategic pillars. DOD researchers 
and social scientists have partnered with industrial and academic 
entities to conduct a number of SBS projects that will help understand 
the human behaviors of DOD personnel and contractors. Building on the 
outcome of these projects, we are modernizing and strengthening the 
hiring process and changing organizational processes and culture to 
encourage reporting (including identification for self-help). We must 
be able to detect and manage at-risk employees to mitigate potential 
threats as early as possible.
    Lastly, the Department takes a proactive approach to ensure 
appropriate protections of the privacy and civil liberties of DOD 
personnel and contractors. Accordingly, all insider threat and cyber 
security-related policy and procedures are reviewed and cleared by the 
DOD Privacy, Civil Liberties, and Transparency Division prior to 
release or implementation
    Ms. Stefanik. Mr. Rapuano, network traffic traversing both civilian 
and military IT systems is increasing exponentially in volume. As the 
overall volume increases, Gartner predicts that by 2019, 80% of that 
traffic will be encrypted. What are the DOD and DHS doing to ensure 
that appropriate network traffic, whether inbound, outbound, or moving 
laterally, can be de-crypted, inspected by the appropriate 
cybersecurity tools, and re-crypted?
    Secretary Rapuano. The Department of Defense is testing a number of 
ways that we might improve cybersecurity. The Defense Information 
Systems Agency is conducting a pilot program for inbound and outbound 
traffic designed to inspect encrypted traffic exiting and entering DOD 
enclaves at Internet Access Points (IAPs). We are learning a great deal 
from this pilot program and are making adjustments to enhance both 
performance and security based on what we are learning.
    For lateral traffic, the Joint Regional Security Stack (JRSS) 
team--a network enclave security capability that monitors and inspects 
network traffic--is testing capabilities and working on solving 
significant performance challenges from the greater traffic volumes. 
Decisions on undertaking a pilot program and specific deployments are 
not yet finalized.
    Ms. Stefanik. What are DOD and DHS doing individually and 
collectively to manage risk associated with Internet of Things (IOT) 
and Operational Technology (OT) devices that are already deployed on 
government networks but lack sufficient security capability?
    Secretary Rapuano. DOD established cybersecurity policy in 2014, 
articulating security expectations for all DOD information technology 
(IT), including IOT and OT devices, as described in DOD Instruction 
8500.01, Cybersecurity, and DOD Instruction 8510.01, the Risk 
Management Framework (RMF) for DOD Information Technology (IT). Through 
implementation of these policies, DOD is actively managing risk on 
systems already deployed on government networks, based on the 
criticality of the system. DOD will continue to update these policies 
to strengthen cybersecurity requirements for all end points, reducing 
the ``weak links'' in DOD networks and rewarding makers of OT and IOT 
devices for prioritizing security as much as cost and convenience.
    The National Institute of Standards and Technology (NIST) is 
leading the development of commercial cybersecurity standards and 
national cybersecurity standards, and DOD is engaged in the development 
of both standards to ensure that DOD security requirements are 
integrated into future generations of products.
    Ms. Stefanik. DHS has worked hard over the past few years, via the 
CDM program, to ensure that all internet-enabled devices that connect 
to a Federal civilian network can be identified and that such devices 
comply with network policies. I understand that DOD has developed a 
similar program referred to as Comply to Connect that is used by 
several of the service branches and DOD agencies, but is not fully 
rolled out enterprise-wide.
    What further resources does DOD need to ensure that Comply to 
Connect is utilized throughout the DOD network and what other 
impediments may exist?
    Secretary Rapuano. Comply-To-Connect (C2C) is a unified 
cybersecurity framework designed to reduce the Department's network 
attack surface through identification of all connected devices and 
enforcement of proper device configuration. C2C maintains continuous 
situational awareness of all device types connecting to the network and 
regulates access for devices with the greatest network exposure in 
accordance with DOD cybersecurity policies. DOD employs many of the 
cybersecurity toolsets used by the Continuous Diagnostics and 
Mitigation program.
    The Department has programed funding to support the deployment of 
key elements of a C2C model starting in fiscal year (FY) 2020. Efforts 
in FY 2019 will lead to decisions about final product solutions, the 
number of cybersecurity frameworks the Department will support, and 
whether the Department will embrace a managed service construct to 
accelerate C2C deployment across all DOD networks. The Department's 
priorities for C2C were reflected in the President's FY20 Budget.
    Ms. Stefanik. In September, the President signed an election 
security executive order that requires the Director of National 
Intelligence, in consultation with the heads of any other appropriate 
executive departments and agencies, to conduct an assessment on any 
election interference by a foreign government. This assessment is due 
45 days after the election.
    As an action from this hearing, we would like to request a copy of 
that assessment, when complete. If appropriate, the results of the 
assessment may also be included in the next quarterly cyber operations 
briefing.
    Secretary Rapuano. On December 21, 2018, Director of National 
Intelligence Coats submitted the Intelligence Community's report on 
foreign interference in the 2018 U.S. midterm elections to the 
President and appropriate Executive departments and agencies, as 
directed by Section 1(a) of Executive Order 13848, dated September 12, 
2018, Imposing Certain Sanctions in the Event of Foreign Interference 
in a United States Election.
    According to that report, ``the Intelligence Community does not 
have intelligence reporting that indicates any compromise of our 
Nation's election infrastructure that would have prevented voting, 
changed vote counts, or disrupted the ability to tally votes. Russia 
and other foreign countries, including China and Iran, conducted 
influence activities and messaging campaigns targeted at the United 
States to promote their strategic interests.''
    I defer the request for a copy of this report to the Office of the 
Director of National Intelligence.
    Ms. Stefanik. In September, we had a briefing that discussed the 
DOD efforts to protect the 2018 midterm elections. In this closed 
setting, can you provide an update on the DOD and DHS efforts?
    Secretary Rapuano. [The information is retained in the subcommittee 
files.]
    Ms. Stefanik. We have heard anecdotally that many of the current 
interagency cyber relationships have been ad hoc and are based on 
personal connections. Can you describe any frameworks that could be 
used to formalize these relationships and interactions? What level 
would these frameworks best be applied at?
    Secretary Rapuano. There are a number of means, both formal and 
informal, through which DOD interacts with other departments and 
agencies on matters related to cyberspace. In accordance with the 
Cybersecurity Information Sharing Act of 2015 and PPD-41 (United States 
Cyber Incident Coordination), DOD actively characterizes and assesses 
foreign cybersecurity threats and informs DHS of current and potential 
malicious cyberspace activity. DOD intelligence components may provide 
technical assistance to U.S. Government departments and agencies upon 
request through established relationships. In addition, the Secretary 
of Defense may approve providing DOD support to civil authorities in 
accordance with applicable law and policy. Further, the President has 
issued national policy that provides a framework for interagency 
consultation on certain types of cyber operations.
    The Secretaries of Defense and Homeland Security signed a joint 
memorandum on defending the homeland from strategic cyber threats in 
October 2018. This memorandum frames how DHS and DOD will secure and 
defend the homeland. Specifically, it created a Cyber Protection and 
Defense (CPD) Steering Group (SG) to guide DOD-DHS cyber collaborative 
efforts. The CPD Steering Group recently approved its charter to 
formalize DOD-DHS collaborative efforts and prescribed next steps with 
the Department of the Treasury on engaging with the Financial Sector.
    Section 1650 of the National Defense Authorization Act for Fiscal 
Year 2019 authorizes the Secretary of Defense to provide, assign, or 
detail up to 50 technical cybersecurity personnel to DHS on a non-
reimbursable basis to enhance cybersecurity cooperation, collaboration, 
and unity of Government efforts. DOD is currently in the process of 
drafting and coordinating Section 1650 implementation requirements and 
identifying priority areas for collaboration between DOD and DHS 
personnel.
    In addition, it is worth noting that, in 2008, National Security 
Presidential Directive-54/Homeland Security Presidential Directive-23 
established the National Cyber Investigative Joint Task Force (NCI-JTF) 
as the focal point for all government agencies to coordinate, 
integrate, and share information related to all domestic cyber threat 
investigation. NCI-JTF is composed of more than 20 partnering agencies 
across law enforcement, the Intelligence Community, and DOD.
    Ms. Stefanik. The FY19 NDAA authorized a pilot program to provide 
Department of Defense technical personnel to the Department of Homeland 
Security to improve critical infrastructure cyber security. Can you 
give a status of this pilot program? What lessons have we already 
learned?
    Secretary Rapuano. Section 1650 of the National Defense 
Authorization Act for Fiscal Year 2019 authorizes the Secretary of 
Defense to provide, assign, or detail up to 50 technical cybersecurity 
personnel to the Department of Homeland Security (DHS) on a non-
reimbursable basis to enhance cybersecurity cooperation, collaboration, 
and unity of Government efforts. Use of this authority requires the 
establishment of procedures relating to U.S. persons information.
    DOD is currently in the process of coordinating Section 1650 
implementation requirements, including procedures for the protection of 
U.S. person information, and identifying priority areas for 
collaboration between DOD and DHS personnel. We are leveraging lessons 
learned from the placement of DOD personnel at DHS during the 2018 U.S. 
midterm elections as we develop the implementation procedures for 
Section 1650. For example, the protocols and processes employed by DOD 
personnel at the National Cybersecurity and Communications Integration 
Center (NCCIC) during the elections can be used by DOD personnel 
provided, assigned, or detailed to DHS pursuant to Section 1650. 
Similarly, our experience during the elections validated the utility of 
placing a DOD coordination element at the NCCIC when national-level 
crises arise.
    Ms. Stefanik. Where do you see the most value in expanding our 
current partnerships? Are there lessons learned from our interagency 
interactions that could be applied to strengthening our international 
partnerships?
    Secretary Rapuano. DOD strives to improve cooperative efforts with 
its partners but also sees value in expanding the ways in which those 
partners can inform and enable DOD missions. For example, DOD leverages 
its intelligence and operational capabilities to provide indications 
and warning of malicious cyber activity to other Federal partners and, 
as appropriate, the private sector. However, for these partnerships to 
be effective, DOD's partners also must provide information and threat 
intelligence to DOD to inform DOD's conduct of cyber operations.
    The importance of mutual information sharing applies in the 
international context as well. Many of the United States' allies and 
partners possess advanced cyber capabilities that complement our own. 
The Department will seek to strengthen the capacity of these allies and 
partners, and, at the same time, increase DOD's ability to leverage its 
partners' unique skills, resources, capabilities, and perspectives. 
Information-sharing relationships with allies and partners will 
increase the effectiveness of combined cyber operations and enhance our 
collective cybersecurity posture.
    Ms. Stefanik. What are DOD and DHS doing individually and 
collectively to manage risk associated with Internet of Things (IOT) 
and Operational Technology (OT) devices that are already deployed on 
government networks but lack sufficient security capability?
    General Shwedo. [The information is retained in the subcommittee 
files.]
    Ms. Stefanik. In September, the President signed an election 
security executive order that requires the Director of National 
Intelligence, in consultation with the heads of any other appropriate 
executive departments and agencies, to conduct an assessment on any 
election interference by a foreign government. This assessment is due 
45 days after the election.
    As an action from this hearing, we would like to request a copy of 
that assessment, when complete. If appropriate, the results of the 
assessment may also be included in the next quarterly cyber operations 
briefing.
    General Shwedo. [The information is retained in the subcommittee 
files.]
    Ms. Stefanik. In September, we had a briefing that discussed the 
DOD efforts to protect the 2018 midterm elections. In this closed 
setting, can you provide an update on the DOD and DHS efforts?
    General Shwedo. [The information is retained in the subcommittee 
files.]
    Ms. Stefanik. We have heard anecdotally that many of the current 
interagency cyber relationships have been ad hoc and are based on 
personal connections. Can you describe any frameworks that could be 
used to formalize these relationships and interactions? What level 
would these frameworks best be applied at?
    General Shwedo. [The information is retained in the subcommittee 
files.]
    Ms. Stefanik. The FY19 NDAA authorized a pilot program to provide 
Department of Defense technical personnel to the Department of Homeland 
Security to improve critical infrastructure cyber security. Can you 
give a status of this pilot program? What lessons have we already 
learned?
    General Shwedo. [The information is retained in the subcommittee 
files.]
    Ms. Stefanik. Where do you see the most value in expanding our 
current partnerships? Are there lessons learned from our interagency 
interactions that could be applied to strengthening our international 
partnerships?
    General Shwedo. [The information is retained in the subcommittee 
files.]
                                 ______
                                 
                   QUESTIONS SUBMITTED BY MR. BROOKS
    Mr. Brooks. In 2017, Congress realized that there was a pressing 
need for someone to take the reigns and develop a capability that would 
allow for real time active cyber defense methods to be operationally 
fielded to protect small and medium sized businesses and organizations 
within the critical defense and industry infrastructure arena. SAC-D 
appropriated, and Congress funded, both in FY18 and FY19, the creation 
of a Cyber Security Operations Center (CSOC) to utilize DOD 
capabilities and experience to provide this capability to industry as 
an active defense measure, incorporating and leveraging off of a number 
of previously funded government and private initiatives. In light of 
the recently published National Cyber Strategy, and more pointedly the 
recently signed joint DOD/DHS MOA mandating the cooperation of these 
two Agencies in the cyber domain, what are the current plans for DHS to 
jointly utilize the Congressionally funded DOD CSOC being developed 
under the oversight of the Threat Systems Management Office (TSMO) 
within the PEO STRI to provide active defense cyber security measures 
to industries and organizations within the DOD/DHS realm of critical 
infrastructure?
    Ms. Manfra. [The information was not available at the time of 
printing.]
    Mr. Brooks. In 2017, Congress realized that there was a pressing 
need for someone to take the reigns and develop a capability that would 
allow for real time active cyber defense methods to be operationally 
fielded to protect small and medium sized businesses and organizations 
within the critical defense and industry infrastructure arena. SAC-D 
appropriated, and Congress funded, both in FY18 and FY19, the creation 
of a Cyber Security Operations Center (CSOC) to utilize DOD 
capabilities and experience to provide this capability to industry as 
an active defense measure, incorporating and leveraging off of a number 
of previously funded government and private initiatives. In light of 
the recently published National Cyber Strategy, and more pointedly the 
recently signed joint DOD/DHS MOA mandating the cooperation of these 
two Agencies in the cyber domain, what are the current plans for DHS to 
jointly utilize the Congressionally funded DOD CSOC being developed 
under the oversight of the Threat Systems Management Office (TSMO) 
within the PEO STRI to provide active defense cyber security measures 
to industries and organizations within the DOD/DHS realm of critical 
infrastructure?
    Secretary Rapuano. [The information is retained in the subcommittee 
files.]
    Mr. Brooks. In 2017, Congress realized that there was a pressing 
need for someone to take the reigns and develop a capability that would 
allow for real time active cyber defense methods to be operationally 
fielded to protect small and medium sized businesses and organizations 
within the critical defense and industry infrastructure arena. SAC-D 
appropriated, and Congress funded, both in FY18 and FY19, the creation 
of a Cyber Security Operations Center (CSOC) to utilize DOD 
capabilities and experience to provide this capability to industry as 
an active defense measure, incorporating and leveraging off of a number 
of previously funded government and private initiatives. In light of 
the recently published National Cyber Strategy, and more pointedly the 
recently signed joint DOD/DHS MOA mandating the cooperation of these 
two Agencies in the cyber domain, what are the current plans for DHS to 
jointly utilize the Congressionally funded DOD CSOC being developed 
under the oversight of the Threat Systems Management Office (TSMO) 
within the PEO STRI to provide active defense cyber security measures 
to industries and organizations within the DOD/DHS realm of critical 
infrastructure?
    General Shwedo. [The information is retained in the subcommittee 
files.]
                                 ______
                                 
                   QUESTIONS SUBMITTED BY MR. SUOZZI
    Mr. Suozzi. Please describe the current process for sharing cyber 
threat intelligence information between DOD and DHS, including 
classified indications and warnings. How is this done with other U.S. 
departments and agencies?
    In your open testimony, you stressed the importance of receiving 
threat intelligence back from these partners. What is the process for 
receiving that information?
    Ms. Manfra. [The information was not available at the time of 
printing.]
    Mr. Suozzi. Please describe the current process for sharing cyber 
threat intelligence information between DOD and DHS, including 
classified indications and warnings. How is this done with other U.S. 
departments and agencies?
    In your open testimony, you stressed the importance of receiving 
threat intelligence back from these partners. What is the process for 
receiving that information?
    Secretary Rapuano. In accordance with the Cybersecurity Information 
Sharing Act of 2015 and Presidential Policy Directive 41, United States 
Cyber Incident Coordination, DOD actively characterizes and assesses 
foreign cybersecurity threats and informs DHS of current and potential 
malicious cyberspace activity. DOD intelligence components, such as the 
National Security Agency (NSA), may provide technical assistance to 
U.S. Government departments and agencies when requested. In addition, 
the Secretary of Defense may approve providing DOD support to civil 
authorities in accordance with applicable law and policy. Specifically, 
three DOD centers are part of the established Federal Cybersecurity 
Centers designed to enhance information sharing, maintain situational 
awareness of cyber threats and incidents, and serve as conduits to DHS 
through its National Cybersecurity and Communications Integration 
Center (NCCIC) and Office of Intelligence and Analysis. These centers 
include NSA's Cybersecurity Threat Operations Center (NCTOC), the DOD 
Cyber Crime Center (DC3), and U.S. Cyber Command's (USCYBERCOM's) Joint 
Operations Center (JOC).
      The NCTOC is the 24/7/365 NSA element that characterizes 
and assesses foreign cybersecurity threats, and informs partners, such 
as DHS, of current and potential malicious cyberspace activity through 
its analysis of foreign intelligence with a focus on adversary computer 
network attacks, capabilities, and exploitations.
      DC3 supports DOD's law enforcement, counterintelligence, 
information assurance, network defense, and critical infrastructure 
protection communities through digital forensics, focused threat 
analysis, and training. The Secretary of Defense may elect to use DC3 
to provide analytical and technical capabilities to DHS mission 
partners conducting national cyber incident response.
      The USCYBERCOM JOC directs the U.S. military's cyber 
operations and defense of the Department of Defense Information Network 
(DODIN). USCYBERCOM manages both the threat and asset response for the 
DODIN during incidents affecting the DODIN and shares cyber threat 
intelligence information as needed.
    DOD shares cyber threat intelligence information with other Federal 
departments and agencies using a similar process in close collaboration 
with the Intelligence Community and the remaining Federal Cybersecurity 
Centers. Operated by the Office of the Director of National 
Intelligence, the Cyber Threat Intelligence Integration Center (CTIIC) 
is central to intelligence integration, analysis, and supporting 
activities for the Federal Government. The CTIIC has DOD participation, 
including by the Defense Intelligence Agency and NSA, and provides 
integrated all-source analysis of intelligence related to foreign cyber 
threats or related cyber incidents affecting U.S. national interests. 
CTIIC coordinates development of Federal intelligence information for 
the other Federal cybersecurity centers and Federal stakeholders. In 
coordination with the Defense Intelligence Enterprise, this could 
include pursuing declassification of intelligence and/or ``tear-line'' 
reports at different classification levels, as appropriate to the 
circumstances of the incident and to overall U.S. equities. DOD is also 
a member of the Cyber Unified Coordination Group that leverages DOD 
centers for their enhanced coordination procedures, above steady-state 
capacity, and/or operational or support personnel used to share cyber 
threat intelligence information.
    The requirement to share intelligence and information is bi-
directional, and it is not confined to DOD and DHS. Although the 
National Cyber Incident Response Plan outlines the when, what, and how 
to report cyber incidents to the Federal Government, most industry and 
private sector entities are reluctant to share related cyber threat 
information or submit a request for technical assistance. Private 
sector entities experiencing cyber incidents are encouraged to report a 
cyber incident to DHS's NCCIC, the local field offices or national 
centers of Federal law enforcement agencies, or their sector specific 
agency. DOD is prepared to work with other Federal departments and 
agencies, when authorized to do so, to help affected entities 
understand the incident, link related incidents, and share information 
to resolve the situation rapidly and in a manner that protects privacy 
and civil liberties.
    Mr. Suozzi. Please describe the current process for sharing cyber 
threat intelligence information between DOD and DHS, including 
classified indications and warnings. How is this done with other U.S. 
departments and agencies?
    In your open testimony, you stressed the importance of receiving 
threat intelligence back from these partners. What is the process for 
receiving that information?
    General Shwedo. [The information is retained in the subcommittee 
files.].