[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
[H.A.S.C. No. 116-14]
HEARING
ON
NATIONAL DEFENSE AUTHORIZATION ACT
FOR FISCAL YEAR 2020
AND
OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS
BEFORE THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND
CAPABILITIES HEARING
ON
FISCAL YEAR 2020 BUDGET REQUEST
FOR U.S. CYBER COMMAND AND
OPERATIONS IN CYBERSPACE
__________
HEARING HELD
MARCH 13, 2019
___________
U.S. GOVERNMENT PUBLISHING OFFICE
36-300 WASHINGTON : 2019
SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES
JAMES R. LANGEVIN, Rhode Island, Chairman
RICK LARSEN, Washington              ELISE M. STEFANIK, New York
JIM COOPER, Tennessee                SAM GRAVES, Missouri
TULSI GABBARD, Hawaii                RALPH LEE ABRAHAM, Louisiana
ANTHONY G. BROWN, Maryland           K. MICHAEL CONAWAY, Texas
RO KHANNA, California                AUSTIN SCOTT, Georgia
WILLIAM R. KEATING, Massachusetts    SCOTT DesJARLAIS, Tennessee
ANDY KIM, New Jersey                 MIKE GALLAGHER, Wisconsin
CHRISSY HOULAHAN, Pennsylvania       MICHAEL WALTZ, Florida
JASON CROW, Colorado, Vice Chair     DON BACON, Nebraska
ELISSA SLOTKIN, Michigan             JIM BANKS, Indiana
LORI TRAHAN, Massachusetts
Josh Stiefel, Professional Staff Member
Peter Villano, Professional Staff Member
Caroline Kehrli, Clerk
C O N T E N T S
----------
Page
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Langevin, Hon. James R., a Representative from Rhode Island,
Chairman, Subcommittee on Intelligence and Emerging Threats and
Capabilities................................................... 1
Stefanik, Hon. Elise M., a Representative from New York, Ranking
Member, Subcommittee on Intelligence and Emerging Threats and
Capabilities................................................... 3
WITNESSES
Nakasone, GEN Paul M., USA, Commander, U.S. Cyber Command, and
Director, National Security Agency............................. 8
Rapuano, Kenneth P., Assistant Secretary of Defense for Homeland
Defense and Global Security, and Principal Cyber Advisor, U.S.
Department of Defense.......................................... 6
APPENDIX
Prepared Statements:
Langevin, Hon. James R....................................... 33
Nakasone, GEN Paul M......................................... 50
Rapuano, Kenneth P........................................... 36
Documents Submitted for the Record:
[There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
Ms. Stefanik................................................. 69
Questions Submitted by Members Post Hearing:
Mr. Larsen................................................... 73
FISCAL YEAR 2020 BUDGET REQUEST
FOR U.S. CYBER COMMAND AND
OPERATIONS IN CYBERSPACE
----------
House of Representatives,
Committee on Armed Services,
Subcommittee on Intelligence and Emerging Threats and
Capabilities,
Washington, DC, Wednesday, March 13, 2019.
The subcommittee met, pursuant to call, at 2:19 p.m., in
room 2118, Rayburn House Office Building, Hon. James R.
Langevin (chairman of the subcommittee) presiding.
OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE
FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE AND
EMERGING THREATS AND CAPABILITIES
Mr. Langevin. The subcommittee will come to order.
I want to welcome everyone to today's hearing on the fiscal
year 2020 budget request for the military operations in
cyberspace. I was unavoidably detained, so I apologize to
everyone for making you wait, but I am glad we could get this
underway.
Technology and the internet have fundamentally changed how
citizens, the Nation, the military, and our adversaries in the
world operate. We have more access to information and lower
barriers to conduct commerce. We collectively benefit from the
opportunities afforded by the technology that we incorporate
into our lives. However, the connections that we rely on also
create vulnerabilities and new potential avenues for our
adversaries to exploit at our Nation's expense.
Cyber, as we understand it in government, will always be
something that creates risk to go along with its great promise.
The issues that stem from our increasing dependence on
technology will never be purely military or solely for the
military to solve. Technology has increased the
interconnectedness of our society, and the problems that have
come with it will only be solved with interconnected,
interdisciplinary approaches.
The Department [of Defense] will have to work in new ways
with stakeholders from agencies as varied as the Department of
Commerce and the Department of Education and with
nongovernmental stakeholders such as private industry and
academia.
The executive branch will have to work diligently to
address and solve the cyber challenges facing the Nation. Yet
this administration has taken actions that call into question
the seriousness with which it views this emerging domain. Most
notably, the administration eliminated the cybersecurity
coordinator position at the National Security Council.
Relatedly, there are several documents pertaining to cyber
that Congress has repeatedly requested from the administration
and has yet to receive. This includes recent guidance
pertaining to operations in cyberspace. Such documents are
important to creating a congressional framework for oversight.
Withholding these critical documents from Congress impacts our
ability to appropriately support the command and may have
far-reaching consequences for the National Defense Authorization
Act.
At the Cabinet level, the Department of Defense, the U.S.
Cyber Command have no shortage of challenges in front of them,
issues that often develop and change as fast as the
technological landscape. Today we will hear about some of those
challenges, including personnel recruitment and retention as
well as efforts to protect critical infrastructure in tandem
with domestically oriented departments and agencies.
The Cyber Mission Force achieved full operational
capability [FOC] last year. This was a notable event, but it
would be a mistake to assume that FOC is synonymous with
readiness. We must begin to examine the differing standards by
which the services are training the teams and whether CYBERCOM
[U.S. Cyber Command] is adequately fulfilling its mandate to
set training standards and ensure compliance.
Readiness is especially important in the context of the
current strategic landscape, which has evolved significantly
over the last year. In the fall, the DOD [Department of
Defense] released a new cyber strategy that articulated the
intent to defend forward and operate across the full spectrum
of conflict through persistent engagement.
DOD also completed the inaugural Cyber Posture Review.
Under the auspices of new guidance from the administration and
the new DOD strategy, CYBERCOM played a crucial role in
defending the 2018 elections from interference.
The military's actions in cyberspace were also enabled by
multiple provisions in the fiscal year 2019 National Defense
Authorization Act [NDAA]. This includes the provision to
recognize the activities conducted in cyberspace as traditional
military activities.
The fiscal year 2019 NDAA also allowed the National Command
Authority to take direct and proportional action in cyberspace
against Russia, China, North Korea, and Iran upon determination
of a cyberattack against the homeland or U.S. citizens.
Congress and this subcommittee will continue to support
military operations and provide the legal authority to enable
CYBERCOM success against adversaries in cyberspace. However, we
will also remain judicious in our oversight responsibilities to
ensure that the Department operates in a manner that enhances
stability in cyberspace and that is consistent with both
congressional intent and American values.
So I commend CYBERCOM for its efforts during the 2018
elections. However, as a Nation, we can never rest on our
laurels. We need to examine the strategic impacts that CYBERCOM
operations and other whole-of-government efforts had on an
actor seeking to interfere in our elections. Much like the
traditional battlefield, we must measure the impact of our
operations to assess our warfighting effectiveness toward the
larger objectives and ensure that our strategic vision reflects
the realities of our engagement in cyberspace.
CYBERCOM's ability to execute its operations is closely
tied to and enabled by its partnership with the National
Security Agency [NSA]. These organizations will always have a
robust partnership given the dynamism of cyberspace and NSA's
deep expertise and enabling role in military cyberspace
operations.
At this time, there is still one individual that leads both
of these organizations. This arrangement is quite unique within
the national security establishment and the intelligence
community. However, this arrangement allows for the CMF [Cyber
Mission Force] to mature, enables better synchronization of
cyberspace operations, and permits proper consideration of the
intelligence and military objectives in the domain.
Before any significant changes are implemented in the
dual-hat arrangement, this subcommittee expects a robust
understanding of how and why it is necessary to split the
leadership function of NSA Director and CYBERCOM commander. I
believe it would be premature to split these organizations in
the immediate future.
CYBERCOM is a maturing organization, and I am proud of the
work that we have done on the subcommittee to support its
maturation. I have often said that we will never again see
modern warfare without a cyber component, so CYBERCOM's
continued development will remain an urgent priority.
But it is therefore important that we build for the long
term with this sustainable, scalable approach to integrating
CYBERCOM into DOD operations and into our whole-of-government
approach to protecting our Nation's cyberspace. This is no
small task, especially given the newness of this domain. But
working together with full transparency, I am confident that we
can head off any problems early and ensure that we reap the
benefits of a free, open, interoperable, and secure internet.
Before I close, I want to just introduce our two witnesses,
which I will do in just a minute. But before I do that, I am
going to turn it over to the ranking member for her comments.
[The prepared statement of Mr. Langevin can be found in the
Appendix on page 33.]
STATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE FROM NEW
YORK, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE AND EMERGING
THREATS AND CAPABILITIES
Ms. Stefanik. Thank you, Chairman Langevin. Welcome to our
witnesses. Secretary Rapuano, welcome back to the committee.
And General Nakasone, welcome to your first posture hearing
since assuming command in May of last year.
It is fitting that we begin our fiscal year 2020 posture
hearing series with cyber policy and U.S. Cyber Command, given
the importance of this topic to our overall national security
and, indeed, our society as a whole.
The Director of National Intelligence [DNI] in his most
recent Worldwide Threat Assessment stated, quote, "At present,
China and Russia pose the greatest espionage and cyber attack
threats, but we anticipate that all our adversaries and
strategic competitors will increasingly build and integrate
cyber espionage, attack, and influence campaigns into their
efforts to influence U.S. policies and advance their own
national security interests," end quote.
In our oversight role as a subcommittee, we have seen China
and Russia aggressively leverage and integrate cyber
information and communication technologies in a seamless way,
while also utilizing top-down, government-driven agendas and
strategies. As I have said before, dictators have that
advantage, and their use of technologies and information is as
much about exerting control over their own populations as it is
confronting free societies like ours.
Since our last Cyber Command posture hearing and over the
course of the last year, a lot has happened. Given this, I
consider us to be at a major inflection point. We have seen
Cyber Command fully elevated as a functional combatant command,
and the force has achieved full operational capability, or FOC.
Recent changes to Presidential cyber policies and
strategies, as well as authorities granted in the NDAA, have
focused the mission set, yielded impressive operational
results, and postured our Nation for strategic challenges
ahead. And while we have seen these successes, the DNI's recent
testimony reminds us that our adversaries are not giving us any
room to breathe.
Case in point: While many of our recent operational
successes have been related to securing our 2018 midterm
elections, I can assure you that the adversarial influence
campaign for the 2020 elections is already underway.
Further, while most of our cyber forces are fully capable
on paper, they are not fully ready in practice. Standards and
capabilities have yet to be defined and understood across each
of the services. Relationships and responsibilities are still
being worked out between Cyber Command, regional combatant
commanders, and each of the services.
In short, we continue to mature, and the road ahead to true
cyber readiness remains long. I am confident that our witnesses
before us today fully understand these challenges and I look
forward to our dialogue.
It is worth noting that our military cyber forces are only
as good as the technology they depend on, and if we don't
concurrently modernize our information and communication
technologies across the Department, we will continue along with
one hand tied behind our back.
And when I think about the promise of emerging and
revolutionary technologies such as artificial intelligence, 5G,
high-performing computing, and even quantum computing, my
enthusiasm is unfortunately dampened when I am reminded of our
Achilles' heel that is the Department's outdated and vulnerable
IT [information technology] infrastructure.
So in our conversation today and moving forward, as we
build the National Defense Authorization Act for fiscal year
2020, we must continually keep in mind that IT modernization,
cybersecurity, and information assurance are primary
prerequisites for the future of warfare, where information and
data are strategic resources to be fully protected, preserved,
and enabled.
The Department can and must do better in this area. As
before, I trust each of our witnesses here today understand
these challenges.
Lastly, I would be remiss if I didn't mention the
importance of congressional oversight of current operations,
including cyber operations. Now, more than ever, it is critical
that the DOD communicates with this committee early and often
on all aspects of cyber operations and related intelligence
activities.
This will ensure that we, as your principal oversight
committee, remain fully and currently informed so that we can
resource you properly and provide relevant authorities that
allow us to stay well ahead of our adversaries in cyberspace
and information warfare.
I look forward to talking about that in our closed
classified session. We have a lot to talk about. So again,
thank you, and I yield back to Chairman Langevin.
Mr. Langevin. I want to thank the ranking member.
I want to now welcome our witnesses here today, starting
with Mr. Kenneth Rapuano, who serves as both the Assistant
Secretary of Defense for Homeland Defense and Global Security
and as the Principal Cyber Advisor to the Secretary of Defense.
Prior to returning to government service, Mr. Rapuano
worked for the federally funded research and development
corporations, focusing on issues related to homeland security,
counterterrorism, and countering weapons of mass destruction.
Mr. Rapuano served as the Deputy Homeland Security Advisor
in the George W. Bush administration. He served 21 years in
Active Duty and the Reserves as a Marine Corps infantry and
intelligence officer, and we want to welcome Mr. Rapuano here
today.
Also, General Paul Nakasone serves in three capacities
currently: Commander of U.S. Cyber Command, Director of the
National Security Agency, and the Chief of the Central Security
Service.
Before his current role, he commanded U.S. Army Cyber
Command and has served as a career intelligence officer through
his 32 years in uniform. This is General Nakasone's first
appearance before the subcommittee since assuming command of
CYBERCOM.
General Nakasone, it is a pleasure to welcome you here
today.
And I thank both of you for your service to the country and
thank you again for being here today.
As a reminder, after this open session, we are going to
move into room 2216 for a closed, member-only session.
So with that, before opening statements, though, I do have
to note that Secretary Rapuano's statement was delivered only
this morning. That is more than 40 hours past the committee
rules deadline and only 6 hours before the start of this
hearing. Getting the testimony that late does the subcommittee
a disservice, and really it does the Department a disservice.
I know that there are many hoops that you have to go
through before the statement in the interagency is approved,
but that is way past the time that is acceptable, especially
given the importance of today's topic and the subcommittee's
continued interest in advancing our Nation's cyber
capabilities.
So although I am going to allow for the reading of the
statement today, in the future I expect full compliance with
the committee rules, as outlined by the staff and as outlined
in your official invitation letters.
So with that, we will now hear from our witnesses and then
we are going to move to the question-and-answer period.
Secretary Rapuano, we will start with you.
STATEMENT OF KENNETH P. RAPUANO, ASSISTANT SECRETARY OF DEFENSE
FOR HOMELAND DEFENSE AND GLOBAL SECURITY, AND PRINCIPAL CYBER
ADVISOR, DEPARTMENT OF DEFENSE
Secretary Rapuano. Thank you, Chairman Langevin, Ranking
Member Stefanik, and members of the committee. I am pleased to
be here with General Nakasone, Commander of U.S. Cyber Command,
to report on the significant progress the Department of Defense
has made over the last year in regard to cyber strategy and
operations.
Over the last year, the Department published a new, more
proactive strategy for cyberspace and is moving forward with
implementation of that strategy, using the first-ever Cyber
Posture Review and the elevation of U.S. Cyber Command.
Our new approach has been enabled by the issuance of new
Presidential guidance on cyberspace authorities and
legislation. We leveraged all of these tools last year as we
worked with our partners to ensure the security of the 2018
U.S. midterm elections.
The DOD Cyber Strategy makes clear that the ongoing
campaigns of malicious cyber activity conducted by states like
China and Russia are a strategic threat. Our competitors are
conducting long-term, strategically focused campaigns in and
through cyberspace that include stealing sensitive Department
of Defense information to undermine our military advantages and
place our critical infrastructure at risk.
For this reason, DOD Cyber Strategy embraces a proactive
and assertive approach during day-to-day competition to deter,
disrupt, and defeat these threats. Our systems must be
cyber-hardened, resilient, and secure. We must defend national
critical infrastructure from attacks, a new area of emphasis
for the Department of Defense, and secure Department of Defense
information wherever it resides.
This strategy prioritizes expanding cyber cooperation with
our interagency, industry, and international partners to
advance our mutual interests. The Defense Cyber Strategy
mandates that the Department of Defense cyberspace forces must
be defending forward, disrupting threats at the source before
they reach U.S. networks. The Department must routinely operate
in non-U.S. networks in order to observe threats as they are
forming and have the ability to disrupt them.
This is critical to increasing military readiness. We
cannot be fully prepared to take effective action in a
potential conflict unless we have already developed the tools,
accesses, and experience through our actions day to day.
We have worked in partnership with Congress to ensure that
the authorities and policies currently in place governing
cyberspace operations enable our strategic approach to
competing and prevailing in this domain.
Several changes during 2018 have been particularly
impactful. This includes the President's approval of an updated
policy on U.S. cyber operations.
The 2019 NDAA affirms the President's authority to counter
active, systemic, and ongoing campaigns in cyberspace by our
adversaries against the government and people of the United
States, as well as clarifies that certain cyber operations and
activities are traditional military activities. Thank you very
much for your support.
We have also focused on how our cyber forces operate in the
homeland. For example, we are currently reissuing a memorandum
detailing how National Guard personnel can use certain DOD
information, networks, software, and hardware for cyberspace op
[operation] activities in State status.
We have also devoted focused attention during the last year
to building and enhancing our relationships with other U.S.
Government departments and agencies, industry, and our allies
and partners. Last year, the Department signed a joint
memorandum of understanding with the Department of Homeland
Security detailing how our two departments can cooperate in
order to secure and defend the homeland from cyber threats.
The theft of sensitive DOD information from our defense
industrial base [DIB] is something that puts our future
military technological advantage at risk. DOD is intensifying
its efforts with industry and across the U.S. Government to
implement cybersecurity protections and to share cyber threat
information with our DIB partners.
The Department continues to work to strengthen the capacity
of our international allies and partners to increase DOD's
ability to leverage its partners' unique skills, resources,
capabilities, and perspectives to enhance our cybersecurity
posture.
We advocate for our allies and partners to secure their
telecom networks and supply chains. We are also pressing our
global partners to hold states that are acting irresponsibly in
cyberspace accountable for their actions.
The Cyber Posture Review [CPR] identified gaps between
where we are today and where we need to go to achieve our
strategic objectives and drove the development of actionable
lines of effort that are guiding the work of our Principal
Cyber Advisor [PCA] team.
For example, the CPR made it clear that when it comes to
cybersecurity we need to more effectively prioritize how we are
spending money, allocating resources, and how we recruit and
retain the most qualified people.
Our PCA team has also worked with the DOD Chief Information
Officer to identify the top 10 areas where we face the greatest
risk. We are currently working through pilot programs to
complete and implement solutions for these challenges.
Another new Department initiative is the Protecting
Critical Technology Task Force, established last year to
integrate and accelerate the disparate DOD technology
protection activities occurring across the Department and
develop new, innovative solutions for currently unaddressed
problems.
In conclusion, our new strategy has provided us with a
roadmap for achieving our objectives in cyberspace, which we
are rapidly implementing. We have expanded authorities that
enable our mission to defend forward, and we are doubling down
on collaborating with other departments and agencies, industry,
and international partners and allies.
I look forward to working with you and our critical
stakeholders to ensure that the United States military will
continue to compete, deter, and win in cyberspace.
Thank you.
[The prepared statement of Secretary Rapuano can be found
in the Appendix on page 36.]
Mr. Langevin. Thank you, Mr. Secretary.
General Nakasone, the floor is yours.
STATEMENT OF GEN PAUL M. NAKASONE, USA, COMMANDER, U.S. CYBER
COMMAND, AND DIRECTOR, NATIONAL SECURITY AGENCY
General Nakasone. Chairman Langevin, Ranking Member
Stefanik, and distinguished members of the committee, thank you
for your enduring support and the opportunity to testify today
about the hardworking men and women of the United States Cyber
Command. I am honored to lead them. I am also honored to sit
alongside Assistant Secretary of Defense Rapuano.
As the commander of U.S. Cyber Command, I am responsible
for conducting full-spectrum cyberspace operations supporting
three mission areas: defend the Nation against cyber threats,
defend the Department of Defense information networks, and
enable our joint force commanders in pursuit of their mission
objectives.
In the cyber domain, we are in constant contact with our
adversaries, who continue to increase in sophistication and
remain a threat to our national security interests and economic
wellbeing.
The National Security Strategy highlighted the return of
great power competition. Beyond the near-peer competitors of
China and Russia, rogue regimes like Iran and North Korea
continue to grow their capabilities. Using aggressive methods,
adversaries have until recently acted with little concern for
consequences.
The DOD Cyber Strategy identifies the need to defend
forward during day-to-day competition with our adversaries.
This strategy aims to maintain our superiority in cyberspace
through protection of our critical infrastructure and networks.
At U.S. Cyber Command, we implement the DOD strategy by
adopting an approach of persistent engagement, persistent
presence, and persistent innovation.
This past year witnessed the elevation of U.S. Cyber
Command to combatant command status, the opening of our
Integrated Cyber Center, and our shift from building the force
to the readiness of the force.
The defense of the 2018 midterm elections posed a
significant strategic challenge to our Nation. Ensuring a safe
and secure election was our number one priority and drove me to
establish a joint U.S. Cyber Command-National Security Agency
effort called the Russia Small Group.
The Russia Small Group tested our new operational approach.
With direction from the President and the Secretary of Defense,
the Russia Small Group enabled partnerships and action across
the government to counter a strategic threat.
Our response demonstrated the value of a tight-knit
relationship between U.S. Cyber Command and the National
Security Agency, bringing together intelligence, cyber
capabilities, interagency partnerships, and our willingness to
act.
Through persistent engagement, we enabled critical
interagency partners to act with unparalleled coordination and
cooperation. Through persistent presence, U.S. Cyber Command
and NSA contested adversarial actions, improving early warning
and threat identification in support of DHS [Department of
Homeland Security] and the Federal Bureau of Investigation.
Beyond the interagency, we partnered and engaged with
allies in public and private sectors to build resiliency. For
the first time, we sent our cyber warriors abroad to secure
networks outside of the DOD Information Network. Our operations
allowed us to identify and counter threats as they emerged to
secure our own elections and prevent similar threats
interfering in those of our partners and allies.
The Russia Small Group effort demonstrated that persistent
engagement, persistent presence, and persistent innovation
enables success. Effective cyber defense requires a
whole-of-nation effort. Our actions are impacting our adversaries. Our
shift in approach allows us to sustain key competitive
advantages while increasing our cyber capabilities.
As we review lessons learned from securing the 2018 midterm
elections, we are now focused on potential threats we could
face in 2020.
Looking forward, we need to continue to build a warrior
ethos, similar to other warfighting domains. Cyber warriors are
and will continue to be in constant contact with our
adversaries. There are no operational pauses or sanctuaries. We
must ensure sufficient capacity and capability, people,
technology, and infrastructure, which we are decisively focused
on now.
Through persistent presence, we are building a team of
partners that enable us and them to act more effectively. The
complex and rapid pace of change in this environment requires
us to leverage cyber expertise broadly across public and
private sectors, academia, and industry. Therefore, we aspire
to increase our effectiveness and capabilities through
persistent innovation across these partnerships.
Cyber defense is a team effort. Critical teammates such as
the National Guard and Reserve are integral parts of our cyber
force. They provide strategic depth and provide the Nation a
reserve capacity of capable cyber warriors.
Finally, improving readiness is my key focus area. I
continue to work with the services and the Department to
accurately measure and maintain readiness, manning, training,
equipping, and an ability to perform the mission.
After a year of change and progress, we see 2019 as the
year of opportunity. We have much work ahead of us as CYBERCOM
matures. I assure you that our people merit the trust you have
placed in them and that, with your support, they will
accomplish a task that our Nation expects.
Thank you again for inviting me here on behalf of U.S.
Cyber Command and for your continued support. I look forward to
your questions.
[The prepared statement of General Nakasone can be found in
the Appendix on page 50.]
Mr. Langevin. Thank you, General.
I want to thank both General Nakasone and Secretary Rapuano
for your testimony.
We are going to now go to questions, myself and then the
ranking member, and then we will go to members in the order of
their appearance according to seniority.
General, let me start with you. You assessed one year ago
to the Senate Armed Services Committee that the Cyber Mission
Force and all of its--133 of its teams would be fully
operationally capable by June of 2018. Yet, given the different
training regimes, the services, there are differences among the
teams themselves.
So I just wanted to say, how do you set performance metrics
for the 133 teams within the Cyber Mission Force, and how does
Cyber Command assess and measure the readiness of all of its
teams?
General Nakasone. Chairman, with regards to readiness, we
take a look at two factors: first of all, a measure of
quantity, and, secondly, a measure of quality.
The measure of quantity is very familiar to all of the
military services. It is the manning, the training, the
equipping of a force. It is very easy to calculate it. It is
one that our services excel at.
One of the things that we have done at U.S. Cyber Command
is establish a joint training standard. That is very important
to get at the point of your question with regards to leveling
the playing field. One joint standard is important for all our
teams to be able to operate under. So whether or not it is a
Marine team, an Army team, an Air Force team, that same
training standard has been established by U.S. Cyber Command.
I mentioned the quantity aspect. Let me now shift to the
quality aspect of how we measure readiness. We can have all the
teams that are fully manned, fully equipped, and fully trained,
but if you don't have the access, if you don't have the
authorities, if you don't have the intelligence, if you don't
have the platform, if you don't have the capabilities to
accomplish your mission, that is something in cyberspace that
puts you uniquely in a very, very difficult position.
So I see that measurement of both quality and quantity as
something we will continue to work towards at U.S. Cyber
Command.
Mr. Langevin. So let me ask this other follow-up question.
So how do you ensure that the teams also are continuously
trained and then certified and recertified and prepared for the
missions at the individual and the team levels? Since we can't,
you know, believe that, you know, it is one and done once it is
certified, but, again, the recertification process.
General Nakasone. Chairman, I think you are speaking of
collective training, as we take a look at how our teams are
able to perform together. We evaluate that through a number of
different mannerisms.
First of all, the ability to do a real-world mission, being
able to evaluate what they are doing on a daily basis. Also
within exercise. We have a series of exercises that are set up
where we are able to measure the training standard of that
team. And then finally, we set parameters in terms of ensuring
each team has annual evaluations by third parties. This is
something that we have instituted over the past several months.
I think it is very effective in terms of being able to take a
snapshot in time.
However, with that being said, let me make sure that I
reiterate, the teams that we have today are operating every
single day against our adversaries. They are very, very capable
people, and we will continue to measure their capability. But
one of the benefits of working at U.S. Cyber Command is there
is never a lack of training opportunities. It is real world
every single day.
Mr. Langevin. Thank you. And again to you, General, in your
prepared testimony, you noted the incalculable value of the
CYBERCOM-NSA relationship when discussing Joint Task Force
Ares.
Last Wednesday, Defense One ran a story that you
recommended to then-Secretary Mattis in August 2018 that NSA
and CYBERCOM be split in 2020. Can you comment on the veracity
of the story? And if the story is accurate, can you please
explain your recommendations?
General Nakasone. Chairman, a year ago, when I testified
for my confirmation hearings, one of the points that I made in
both the Senate Armed Services Committee and the Senate Select
Committee on Intelligence was that in my first 90 days as both
the commander and the director, I would conduct an assessment
of the dual hat and provide those recommendations to the
Secretary of Defense and the Chairman of the Joint Chiefs. I
completed that assessment in August. The assessment was
classified, and it was provided to the Secretary and the
Chairman.
I am familiar with the article. I will tell you that the
article is not accurate and that, you know, the topics and the
actual facts behind that are classified. And so if I could save
that, perhaps, for closed testimony.
Mr. Langevin. Fair enough. Thank you. We will follow up on
that then, sure, in the closed session.
To Mr. Rapuano, can you describe DOD and specifically
CYBERCOM's support to homeland defense, specifically as it
relates to the defending-forward concept in the strategy? How
is the Department supporting DHS efforts in coordinating with
FBI [Federal Bureau of Investigation]?
And how does the Department coordinate with the
Cybersecurity and Infrastructure Security Agency at DHS, which
has the lead role in protecting civilian government and
critical infrastructure?
You know, I think it is important for people to understand,
we talk about defending forward and being more proactive, who
has responsibility for what though. You know, what is critical
infrastructure supposed to do on their own? What is DHS--what
is their responsibility? And then also what is DOD, CYBERCOM,
NSA's responsibility in all of this, and how does it fit
together seamlessly?
Secretary Rapuano. Thank you, Chairman Langevin.
I would start by saying, of course, that the one mission
that only DOD has the authority capabilities, including the
breadth and scope, to conduct is warfighting overseas,
addressing adversaries overseas and threats overseas.
That said, we have a renewed focus on supporting our fellow
agencies domestically. We really start that in a tri-approach.
First is sharing intelligence and warning, and we do that
with the Department of Homeland Security and the FBI. And they
provide that information, DHS, to State and local governments;
and the FBI, to commercial and other entities.
We defend forward in terms of identifying the source of
malevolent cyber activities that are threatening U.S. critical
infrastructure or other equities, including malign-influence-
type activities that were a significant concern during the
recent elections process.
We also have the defense support to civil authorities. As I
noted in my statement, we have a memorandum of understanding
with DHS to facilitate and expedite our defense support to
civil authorities, including DHS but other agencies as well,
when they have needs that go beyond what their capacity is to
respond to a particular circumstance or threat associated with
cyber.
So we are working closely with them. I met with their
leadership this week. We meet routinely now to discuss how we
move forward, to discuss priorities. We are adding details in
terms of how we can facilitate and expedite different levels of
support, how we can develop and maintain real-time, full-time
connectivity with the Department. We have detailees who perform
those kind of roles, and we are looking to instantiate it in
the longer-term context.
Mr. Langevin. Thank you, Secretary.
The Chair now recognizes the ranking member for questions.
Ms. Stefanik. Thank you.
Secretary Rapuano, you mentioned that the new cyber
strategy highlights defend forward and persistent presence as
major aspects of our new posture. And your statement also
outlined some of the steps we are taking to shift to this
footing.
But from a policy perspective and with respect to
escalation dynamics, have we thought about potentially when and
if this more forward and persistent posture could be
interpreted as escalatory in nature by our adversaries and
perhaps preemptively trigger escalation or retribution?
Secretary Rapuano. Absolutely. Escalation is a significant
concern with all military operations.
In what we call activities in the gray zone or below the
spectrum of armed conflict, cyber is an especially attractive
tool to our adversaries. And we have noted China and Russia as
significant concerns in that context, and we see them applying
asymmetric warfare below the spectrum of conflict against us.
We have come to the conclusion--and that is what informed
the strategy--that continuing to not respond to those behaviors
and those threats that will manifest in a cumulative context--
no one of these activities has clearly crossed that line in
which a kinetic or military strike would be a response. So if
we ignore them, they will continue them, and they will
undermine our security in a strategic way.
We have a process that is very risk-based in terms of
informing the risk-benefit assessment associated with how we
target malevolent activities, how we achieve access. It is a
process mentioned that was enshrined in the Presidential
memorandum providing policy guidance to the process that takes
place.
The first requirement is a Presidential determination for
certain types of operations. That then goes into a coordination
process in terms of engaging on the development of the concept
of operations, particularly with those agencies with the most
equities involved. And then, ultimately, there is a
deconfliction execution process in terms of, if there are
conflicts between key equities or elements or there are
concerns, for example, about the potential for unintended
escalation, those issues are addressed.
So we do have a very thoughtful process but also a process
designed to operate with the speed of relevance.
Ms. Stefanik. Thank you.
General Nakasone, what exactly does our cyber posture look
like when we defend forward with persistent engagement? Does
this simply mean that we are positioned to conduct more
offensive operations or positioned to conduct more collection
activities?
And when you answer that, can you also touch upon the
interagency aspects and how we work with our international
partners?
General Nakasone. Ranking Member Stefanik, if you think
about persistent engagement, I would offer two different
components that are very, very important, that are foundational
to persistent engagement.
First of all is the idea of enabling. How do we enable our
partners? That partner could be Department of Homeland
Security, the Federal Bureau of Investigation. It could be
another service. It could be another member of our interagency.
It could be an allied partner.
A big portion of what we do in persistent engagement, as
Assistant Secretary of Defense Rapuano said, is providing
information or intelligence. If I might give you an example.
During the security of the midterm elections, U.S. Cyber
Command, working in partnership with the National Security
Agency, provided indicators of compromise to the Federal Bureau
of Investigation and the Department of Homeland Security. That
is an example of enablement.
The other foundational concept of persistent engagement is
to act. Just as the Secretary mentioned, act is everything from
understanding what our adversaries are doing within their
networks; providing early warning; ensuring that we understand
the malware, the infrastructure, the other capabilities that an
adversary might be accumulating to perhaps conduct an action
against the United States.
But it is also the idea of sending teams forward. So we
sent defensive teams forward in November to three different
European countries. That is acting outside of our borders that
imposes cost against our adversaries.
Those are the two fundamental components of persistent
engagement: enabling and acting.
Ms. Stefanik. My final question is for you, General
Nakasone. You have been given flexible acquisition authorities
that, frankly, the command has yet to fully use or mature into.
So my question is to figure out if this unique acquisition
authority for your command is even still needed, certainly
since over the years we have worked to give the services more
flexible acquisition authorities.
Can you provide this committee with an update on why you
think you need this unique acquisition authority and what the
current state of implementation is? And then specifically, how
would you define cyber-peculiar acquisitions, as it is called
in the law?
General Nakasone. If I might start with the question of a
quick status update.
So this year, in fiscal year 2019, I believe the amount was
$75 million for acquisition. And we have executed right now
about $44 million of that. We would anticipate by the end of
the fiscal year to execute about $60 million to $65 million.
That is not $75 million, and I obviously accept the fact that
we are short of that.
But what did we invest it in? And I think it is important
that we outline this. One, we invested it in tools, significant
tools for how we operate with our teams. Secondly, big data
analysis. Thirdly, an opportunity for our developers to operate
off-site at a facility to look at new networks, new
capabilities, new infrastructures. It was done rapidly. It was
done, I think, obviously, very effectively and certainly within
the law.
We are not to the point yet where I am satisfied with
regards to operating at the amount that has been authorized for
us, but we will get there. And I think the important piece is,
when I think of why it is so important to us, our adversaries
are rapidly changing. And we see that every single day as we
operate against them. The authorities that you have granted our
command to be able to do this is a first start for us to be
able to operate at their speed.
The last thing I would say is, we have 10 openings that,
you know, are foundational for what we do for that acquisition
authority. We have filled six of them. We will fill the final
four by the end of the year, and I think this will be extremely
helpful for us to be able to execute the moneys.
Thank you.
Ms. Stefanik. And just to follow up, how do you define
cyber-peculiar? Because that is how it is written.
General Nakasone. So if I might take that for the record,
Ranking Member, just to make sure that I have that fully
accurate.
[The information referred to can be found in the Appendix
on page 69.]
Ms. Stefanik. Thank you. I yield back.
Mr. Langevin. I thank the ranking member.
Mr. Brown is now recognized for 5 minutes.
Mr. Brown. Thank you, Mr. Chairman.
In the most recently enacted Defense Authorization Act, we,
the Congress, directed the Department to study the feasibility
and advisability of the establishment of Reserve Component
cyber civil support teams to be assigned to each State due to
the lapse in appropriation associated with the 35-day recent
government shutdown. The Department did request an extension to
submitting that report to Congress.
Can you give us a status, and not just, you know, when you
anticipate to submit that to Congress, but give us a little
flavor on, you know, what kind of either conclusions, findings,
or recommendations might be in that report?
Secretary Rapuano. Certainly, Congressman.
The Department traditionally has not assigned unique
specialty areas to the National Guard, like cyber, but we have
been exploring whether and where--really where the National
Guard can best support DOD missions, specifically things like
defense critical infrastructure, infrastructure for which we
are dependent on for power projection as well as weapons
systems.
The defense industrial base is another area that is
critical to us, and we are at risk, as I noted in my statement,
of losing our asymmetric superiority to others who are stealing
our technology.
So those are areas that we are very focused on and believe
there is a potential role for the National Guard. And we
actually have a cyber mission assurance team that is looking at
the potential role there.
In response to your question about the 2019 NDAA 1653
tasker, we have a report that is in drafting process right now.
We will get it to you all by the end of April. I really can't
go into details on it, but it is really looking about the trade
space and the return on investment from a total force
perspective and how and where those roles would be most
consistent with the other priorities of the Department.
Mr. Brown. Thank you.
Question regarding the cyber workforce. Everyone is
competing for a limited pool of highly skilled and highly
talented, technically trained personnel. What thoughts do you
have about the role of AI [artificial intelligence] in reducing
the demand signal for a cyber workforce?
Secretary Rapuano. Well, we are looking at all the tools
available out there, you know, in terms of where do we need to
buy either tools or capabilities, where do we need to hire
people for that human potential component of it. It is well-
recognized that hiring in the cyber field is very challenging
just based on the very high demand signal, so we have a number
of programs; CES [Cyber Excepted Service] is prime amongst them
in terms of a new tool.
AI we are looking at very hard in terms of where we can
leverage AI and other advanced capabilities, analytic
capabilities to perform some of those activities.
I might turn it over to General Nakasone. I know his team
looks at this very closely too.
General Nakasone. So, Congressman, I think that AI and
machine learning certainly has a place as we take a look at
some of the activities that we do day in and day out within our
force.
But I would offer, the people that make AI go, the people
that ensure that our algorithms are right for machine learning,
they are the folks that I am most focused on. Because I would
call them--they are the 10X or the 20X folks that do their
mission 10 times or 20 times better than anyone else. That is
the competition that we are in today.
So I would just offer--I give great kudos to the services
for recruiting a great base of folks, and that is both military
and civilian. I think we do a good job of training them; it is
getting better. The hard part and the one that we work at every
single day is the retention part. That is the one that is most
impactful for us.
Mr. Brown. And you mentioned the CES, Cyber Excepted
Service. Can you tell us a little bit about your experience
with that? And is it working? Is it effective? Tell us about
that.
General Nakasone. Cyber Excepted Service, which just came
on board roughly over the past year, we at U.S. Cyber Command
were the first phase of that.
I can give you the metrics of now we are looking at a drop
of 60 percent with regards to the hiring capabilities and the
timeline to hire someone. So we have metrics that show us 111
days before CES. Now it is at about 44 days.
We have done over 21 different fairs. We have interviewed
over 2,700 people. We have, you know, provided over 90
acceptances for job applications.
My perspective, early phase, I am a supporter of it, and I
look forward to continuing to utilize it.
Mr. Brown. Great. And I hope the University of Maryland at
College Park is giving you a talent pool to work with.
I yield back, Mr. Chairman.
Mr. Langevin. Thank you, Mr. Brown.
You know, on the topic of the workforce and training, we
recently had testimony in reference to the Cyber Excepted
Service as a whole, and it is underresourced at this time. And
I think it is important for it to have full support and full
resourcing.
Can you comment on that, Secretary?
Secretary Rapuano. Yes, I can. I share your concern, Mr.
Chairman. I have engaged with Dana Deasy, our CIO [Chief
Information Officer], as well as the Under Secretary for
Personnel and Readiness. This is a priority. The challenge with
the Department is we have a lot of priorities, but everyone
acknowledges there is no higher priority than this.
So we are looking at additional resources that we can get.
We have already put essentially two more people onto it,
because we had a couple of them taken for another priority
group, and that has been addressed. But we need to supplement
them going forward, and we believe we have a path to resources
to do that in a relatively near term.
Mr. Langevin. Okay. Thank you. I think that has to be a
high priority, and certainly more support for the Cyber
Excepted Service is going to have the support of this
subcommittee and the committee as a whole.
Secretary Rapuano. Thank you. It very much is.
Mr. Langevin. Thank you.
Mr. Waltz is now recognized for 5 minutes.
Mr. Waltz. Thank you, Mr. Chairman.
I am also interested, very interested, with my colleague
Mr. Brown in the Guard and Reserve and the role that they can
play, and I would be very interested in seeing that report. I
have had the same conversations with General Kadavy, the head
of the Army Guard. I mean, it seemed, you know, that the
challenge is with recruiting, the challenge is with keeping up
with the civilian sector and the pace of technology and who
bridges those two worlds.
One of the questions I have asked him is, when you are
recruiting your cyber force into the Guard and Reserve, are you
taking, you know, the civilian occupation into account? Are we
recruiting people who are truck drivers during the day and then
into the cyber force, or people who are actually in the IT
sector in Silicon Valley, in that space, so that you can
leverage those two and build upon those two?
And it is not clear to me. I would be interested if the
report addresses that, if that is taken into account in the
recruiting on the front end, particularly for the Guard so that
you can build those going forward.
Do you have any additional comments on where that is going?
So, I mean, just to be candid, talking to the Guard about
counting tanks, counting aircraft, parity in fielding, that is
important. They need to be interoperable with the force. But
where they can uniquely, you know, take this leading role--and
leveraging those civilian sector skills, I think, is something
we should take a hard look at.
Secretary Rapuano. Yes. While I cannot speak to the details
of how the National Guard right now is conducting their
recruiting, I am familiar enough with their process to know
that they do look at what are those specialty areas that the
individual is being recruited for and what skills do they bring
in addition to the basic elements of education.
Mr. Waltz. Okay.
Secretary Rapuano. So that is something. And then, again,
it will be based on how the specialties develop and evolve and
potentially expand.
Mr. Waltz. Thank you. I am eager to see the report.
General Nakasone, can you just talk to me about plans or
what is in place or what is coming down the pipe to just kind
of share and collaborate cyber threats ostensibly at network
speed, ostensibly at cloud scale with the top U.S. companies,
with industry, I mean, so we can leverage the full resources of
the U.S. Government and respond to our critical infrastructure?
Have we thought about--or is there--and forgive my
ignorance, if there is a cybersecurity cooperative agreement
with industry to detect, respond, mitigate cyber threats? I
know DHS has theirs, but I keep hearing consistently, frankly,
that it is not being utilized to its full extent and, frankly,
not useful to industry. I didn't know the relationship with
your command and industry.
General Nakasone. Congressman, we have been working closely
within the Department on an initiative called the Pathfinder
program. The Pathfinder program--and this is an outgrowth from
the Secretary of Defense and the Secretary of Homeland
Security's memorandum of agreement to work together to look at
joint ways that we can address the critical infrastructure
sectors.
As you are aware, 17 different critical infrastructure
sectors. We have started with the first one to look at, working
very, very closely with the financial industry, working closely
with the Department of Treasury, and the Department of Homeland
Security, how do we share data, how do we share it rapidly. One
of the things that we have done over the past several months is
had four different means of sharing data.
But it is more than just sharing data, because we are not
going to get out of this issue with just sharing. It is also
our technical experts talking to their technical experts,
talking to the Department of Homeland Security.
It shows great promise. And as they move on from the
financial industry, I think that energy and other industries
right behind it will be the beneficiaries of this.
Mr. Waltz. Along those lines, how are the delays in moving
and DOD moving into the cloud architecture, how is that
affecting your warfighting mission?
General Nakasone. So it hasn't affected my warfighting
mission. I would offer that our ability to share right now is
at a level that certainly is able for me to accomplish what I
need to be able to do.
I think, to your point, though, how do we increase our
lethality in the future as a force, I think this is one of the
areas that we are working towards. As the Department moves to
its investment in the cloud experience, this is one of the
things we are working very, very closely with the Department,
NSA, and Cyber Command to ensure that we are well-postured for
it.
Mr. Waltz. Thank you. Then a final question, just in the
interest of time, and maybe we will take this for the closed
session, but I would be very interested.
Data is the new gold, new oil, whatever you want to call
it, the coin of the realm. And back to your issue of
collaborating, particularly with sensitive data, with an eye
towards AI and 5G, because we can't really get to one without
the other.
But I will yield my time and look forward to the closed
session. Thank you.
Mr. Langevin. Thank you, Mr. Waltz.
Mr. Kim is now recognized for 5 minutes.
Mr. Kim. Thank you, Chairman.
Thank you so much for coming and speaking with us today.
I actually just wanted to take a step back for a second
here and just get some of your thoughts and advice here.
The issue of cyber threats is pervasive in my district. It
is something that people worry about constantly, especially
given the news and given all the talks about Russia and China.
And I will tell you that these concerns are ones that I hear at
town halls, and they come up in a lot of different meetings. I
think there is a lot of confusion about what it is that we are
doing and what the capabilities are on the other side.
So I would start this by urging the two of you to think
about ways that we can invest in lifting up some of that veil,
making sure that--I understand the difficulties and the
sensitivities of the work you are doing. But as a new command,
I think it is important for the American people to understand
what it is that you are working towards, what it is that we are
trying to do, and what it is that we are trying to defend
against.
Because this is a different type of threat than the
American people in my district, in Burlington County and Ocean
County, to understand compared to conventional, traditional.
With that, I want you to just imagine yourself with me in
my district at a town hall when I get these questions. I would
like to hear from you what you would say in response to someone
who is saying, are we getting outgunned by China and Russia?
Where are our capabilities and our personnel and our resources
compared to these near-peers?
When we are talking and looking at our cyber budget, how
does that stack up with how our competitors are spending and
moving forward in this? How would you respond to someone in
that way without having to get into the classified material?
Secretary Rapuano. I will start, and then I can hand it
over to General Nakasone.
I think when you look at the United States and you look at
it, certainly, from a Department of Defense perspective, we
operate around the world. We have to have systems that can
communicate and engage around the world. So that presents a lot
of surface for adversaries in terms of who are looking to
target us.
We have an open system in terms of the internet. You may
have heard that China has the Great Firewall of China. So we
prize free communication of information. So an open internet is
something that is consistent with the way that we have operated
in the world from early on, and we would like to maintain that.
So it is not an apple-for-apple in terms of our
vulnerabilities and adversary vulnerabilities is something that
I would offer.
We have just increased, as you know from the budget, the
budget for cyber, $9.6 billion and 10 percent increase over
last year. So that is in recognition of the importance of this
area, the evolution of the threat, which we see. We believe
that we are developing the critical capabilities necessary to
address the threat, but, as you know, it is a very complex and
diverse threat. So walking through each of those areas can take
a little bit of effort.
But I would just say that I think that, with the advent of
this strategy and authorities from a national defense
perspective, we have made tremendous progress. We are making
the necessary investment to keep up with the threat and be able
to prevail, if necessary, in all warfighting domains, including
cyber.
General Nakasone.
General Nakasone. Congressman, I think I would begin, if I
had an opportunity to speak at your town hall, by saying the
National Security Strategy identifies our threats very well. We
talk about, you know, strategic and great power competition in
the realm of both China and Russia. They are near-peer
competitors. They have been able over the past 17 to 20 years
to shrink the gap.
And then there are rogue nation-states, such as Iran and
North Korea, that continue to conduct malfeasance in the
domain.
But with that being said, there is still a gap between
those actors and ourselves. And while I obviously hear a number
of the different challenges that we have, I would also offer to
your town hall that there are some strengths that are
endemically part of the United States.
First of all, partnerships. We have a series of
partnerships--partnerships with other allied countries,
partnerships with academia, partnerships with industry--that I
think are second to none.
Secondly, innovation. When we think about innovation, where
do we think about? We think about Silicon Valley. We think
about Austin. We think about Boston. We think about sectors
within the United States. That is very, very important because
we are in, obviously, a domain that is rapidly changing.
The other piece I would say is we are well-resourced. Thank
you very much for, obviously, the resourcing that you have done
for our efforts over this budget. I think that is tremendously
powerful for us.
And the last thing is that we are also a country--and I
would say, certainly within the Department of Defense, that we
learn our lessons. And so we have learned our lessons. And I
think that over the past several months we have been able to,
obviously, apply those lessons in a manner that has addressed
some of the actions of our adversaries.
Mr. Kim. Well, I look forward to working with all of you on
how it is we can better explain this to the American people.
Thank you.
I will yield back.
Mr. Langevin. Thank you, Mr. Kim.
Before we go to Mr. Bacon, Mr. Secretary, you mentioned the
$9.6 billion cyber budget request. And can you tell me what
does the $9.6 cyber budget encompass? Is it IT as well as
military cyber operations? And what is the totality of the
budget for CMF and operations?
Secretary Rapuano. So I will leave CMF to General Nakasone,
but just in terms of the broad brush of the budget, it really
starts with cybersecurity. So that is both hardware and
software. We have to reduce the risk to DOD information
systems.
Then it really gets to cyber operations. General Nakasone
mentioned the tools, the training, all of the elements
necessary for us to conduct cyber operations effectively.
And the third is the R&D [research and development] across
all of these areas that we must continue to support so we can
out-innovate our adversaries.
Mr. Langevin. So give me, the committee, just kind of an
understanding between those three categories, which--the
various--the percentages, if you will, what is going to----
Secretary Rapuano. Well, I mean, I think General Nakasone
has more details on the splits.
General Nakasone. Within that, Chairman, of the $9.6
billion, $532 million to the headquarters of U.S. Cyber
Command. That is roughly 6 percent of the budget. And then $1.9
billion for a build an infrastructure. That is infrastructure
across all of our four different locations that we have our
teams. That will be--roughly 87 percent of that will go to the
services, and the rest, about $200 million of that will stay
within U.S. Cyber Command.
Mr. Langevin. All right. That is helpful. Thank you.
Mr. Bacon, you are now recognized for 5 minutes.
Mr. Bacon. Thank you, Mr. Chairman.
And appreciate both of you being here and appreciate your
leadership on cyber.
A couple questions for General Nakasone.
I read that you were recommending the NSA and Cyber split
sometime in 2020. Is that indeed your position?
General Nakasone. Congressman, I had seen the article that
was written. That is not accurate.
And last year about this time, during my confirmation
testimony, I had indicated I would do a 90-day assessment. I
did that assessment, provided it to the Secretary of Defense
and the Chairman. The assessment is classified, so we can talk
about it later in closed session.
But, again, to your point, that was not accurate. And,
again, the final decision, obviously, rests with----
Mr. Bacon. Right.
General Nakasone [continuing]. Not with me, so----
Mr. Bacon. But maybe is it fair enough to say that you
now--you would say your position is to keep them together then,
the two commands, under one four-star?
General Nakasone. So again, I think on this topic,
Congressman, it is much more accurate for me to be able to talk
in closed session----
Mr. Bacon. Okay.
General Nakasone [continuing]. Just to bring out the facts.
Mr. Bacon. Just my view on it, without probing for your
position, I just don't see how you can have them separate. I
have worked in this community a little bit, with my 30 years in
the Air Force, and our cyber teams are a good mix of
intelligence and cyber folks that will probe or defend.
And it seems to me, from a cyber perspective, it is a
symbiotic relationship with NSA. You can't do the two separate.
I would be a little afraid, if you had two four-star generals,
one in charge of the intelligence force and one in charge of
the cyber portion, you could be pulling that team apart in two
different directions.
And so I have always been a proponent that you need a
unified leadership under one four-star and have the two three-
stars guiding the two different ships.
But it just doesn't make sense to me from my experience in
there. So I hope, at least my view or at least my
recommendation would lean towards how we have it. I think we
have it right.
How many cyber teams do we have?
General Nakasone. We have 133, Congressman.
Mr. Bacon. And is there a requirement for more, or is it
about right?
General Nakasone. So right now what we are doing is,
through a series of both exercises and real world, looking at
our force in total. My anticipation is after we have taken a
thorough look at that we will make some recommendations. But
right now 133 is what we have, and we are able to do our
missions with them.
Mr. Bacon. And all 133 are FOC, or fully operational?
General Nakasone. Right. They are fully operational.
Mr. Bacon. I have done exercises in the past in the Air
Force, and we would do a full planning where you have your air
targeting order or air tasking order and you build this whole
plan, and then everybody leaves the room and cyber will come in
and say, here are some other options.
Are we doing a better job now integrating cyber into the
COCOM [combatant command] planning, where it is really baked in
from the start, not an add-on after the fact?
General Nakasone. While I hate to speak for my fellow COCOM
commanders, I would say yes.
Mr. Bacon. I hope so.
General Nakasone. A couple things that have enabled us:
first of all, the ability to put cyber operational integrated
planning elements--those are planning elements that are well-
versed in cyber--at each of the combatant commands. That has
helped.
Secondly, that we have had a lot of operational experience
in places like Afghanistan, Iraq, other places around the world
where we have been able to do this. And even with the midterm
elections, working with U.S. European Command, General
Scaparrotti and myself, learned a tremendous amount of lessons
in the way we need to do this.
Mr. Bacon. Well, I am glad to hear that. I am glad we are
evolving to where it is baked in from the beginning. Because I
have been there where you do all your combat planning or this
or that in space, and then everybody leaves, and it's like,
okay, now what do I do with cyber? It should be integrated in
from the beginning.
One last question. You know, there is a lot of convergence
between cyber and electronic warfare [EW]. How much do you
think cyber should be involved with electronic warfare? Is that
a totally separate science, from your perspective?
General Nakasone. So from my perspective, having worked
this both as the Army service commander and now as the
commander of U.S. Cyber Command, these are non-kinetic
capabilities. And being able to synchronize non-kinetic
capabilities, whether or not it is EW or cyber or information
operations, bringing that closer together provides tremendous
amount of capability for our commanders. And so that is why
that close working relationship, I think, is very important.
Mr. Bacon. So you would say the cyber role with EW would be
more of a planning--to use an EW weapon versus a cyber weapon,
but Cyber Command within itself would not have the EW weapons
system. Do I have that right?
General Nakasone. Yeah, so how we organize it, I think that
is still to be determined. But in terms of the planning
capability and synchronizing that, I definitely see that this
is one where we would provide a synchronized look and say, hey,
this is an opportunity for our combat commanders to leverage.
Mr. Bacon. And from my background, the NSA has a great team
working on the EW side, or at least on the ELINT [electronic
intelligence], and we couldn't do it without you.
Sir, with that, I will yield back, Mr. Chairman.
General Nakasone. So, Congressman, I would just offer that
I agree with that.
Mr. Bacon. Okay. Good. You get to take praise both ways.
General Nakasone. It goes both ways.
Mr. Langevin. On the EW issue, General, let me ask this. I
know that after--I think it was Secretary Ash Carter that stood
up the EW EXCOM [Electronic Warfare Executive Committee]. And
what interaction do you all have with that body as they avail
you with our EW capability? Do either one want to comment on
that?
General Nakasone. So I am not familiar with the EW EXCOM.
That may have been renamed. There is a working body right now
that discusses electronic warfare at the Vice Chairman level
with the Deputy Secretary that normally we have, but I think it
is the same purpose, and, again, the idea of how do we bring
this together in a more compactful manner.
Mr. Langevin. Okay. Thank you. Thank you.
And on Mr. Bacon's comment on the splitting of dual hats--
see, bipartisanship isn't dead--I think you and I are
definitely in sync on that one. So thanks for your comments on
that.
Ms. Houlahan is recognized for 5 minutes.
Ms. Houlahan. Thank you, Chairman.
And thank you very much for your testimony today,
gentlemen.
And, General, thank you for allowing us all to come as
freshmen and tour your amazingly powerful facility.
My questions, I have two, a fairly unrelated one. The first
one is to General Nakasone.
The President's budget does call for a pretty big
investment in developing what he is terming a Space Force.
Obviously, the space domain is very important for cyber
operations.
And I was hoping--and this relates, I think, to
Representative Bacon's comments and questioning--if you could
talk a little bit about the relationship between CYBERCOM and
the Air Force currently as it relates to the space domain and
satellites in particular.
And help me assess whether or not the creation of a Space
Force would either complicate CYBERCOM's work, help CYBERCOM's
work, be redundant to CYBERCOM's work. How do you see that
unfolding?
General Nakasone. So we have worked very closely with the
Air Force on the development of our cyber capabilities, to the
first part of your question. In fact, roughly 39 of our 133
teams are from the U.S. Air Force. So we have a very strong
working relationship with the Air Force and a very, very good
joint force headquarters in Lackland Air Force Base in Texas
that we have been reliant upon for many missions.
In terms of space, we at U.S. Cyber Command are in close
partnership with not only the Air Force but U.S. Space Command,
working with General Raymond, in terms of how do we ensure a
couple of things: first of all, the defense of his networks. So
working between U.S. Cyber Command, the National Security
Agency, USSPACECOM, how do we ensure the criticality of his
communications?
Secondly, what are the options for full-spectrum operations
that we might be able to conduct from space that impact cyber?
We are very, very excited about the possibility of the, you
know, instantiation of U.S. Space Command. Being the newest kid
on the block, I think that they would obviously provide, as the
Department and the administration have indicated, a great
capability.
We see the importance of space every single day, not only
for our intelligence gathering, but also for looking at
possible options as we look at adversaries for the future.
Ms. Houlahan. So do you have any reticence at all in terms
of the interaction of what would be a new force? Or are you
looking forward to that opportunity to integrate with something
like that?
General Nakasone. Really looking forward to integrating
with it. I think they are a great capability. We see the
importance of space, whether or not we are on the defensive
side or the offensive side. And this is one of the areas that
we think is going to create capability.
Ms. Houlahan. Thank you so much for the answer to that
question.
My second one, fairly unrelated, has to do with memory
chips and the fact that we only manufacture about 20 percent of
the world's memory chips.
And I am wondering if you could comment, either one of you,
on whether or not you feel as though we need to have organic
capability of doing that domestically, whether for defense or
civilian purposes, and how you think we as a Congress might be
helpful in helping that, if you, in fact, believe that we
should be more independent in that area.
Secretary Rapuano. I will just give a high level on that.
We are very concerned about supply-chain security,
particularly for sensitive systems or systems that may provide
access to adversaries. So we are looking at the entire supply
chain to understand where and what systems might be most
vulnerable and how we can improve the surety associated with
these chips and other elements.
Ms. Houlahan. Sir, do you have any other----
General Nakasone. Yeah. So I think that the Secretary has
characterized it well, in terms of, one of the areas that we have
to ensure--and this is the world in which we live, where they
are being made today--is we have to have verification.
And the way that we do that verification, whether or not it
is appropriately written into our contracts or whether or not
it is being conducted, you know, periodically to ensure the
veracity of these chips and their assurance that they will be,
obviously, effective in their doing is really important to us.
Ms. Houlahan. Can you comment--I have another 49 seconds or
so--on anything that we as a Congress can be doing to be
helpful to begin the process of allowing us to be a little bit
more independent in that area?
Secretary Rapuano. Well, I would just say that we are
working very closely with industry, as well as with the
crosscutting teams associated with the assessment, the
vulnerability assessment, to inform what the most effective
approach is going to be to ensuring the surety of, first,
national defense systems, but it expands more widely to that.
So there are locations in the United States where secure
chips are built, but it is not at the scale that would cover
all the needs, if there are concerns of a range of systems that
could be entry points. So I don't know that we are at the point
right now, but we may be coming to that point going forward.
Ms. Houlahan. Thank you very much, gentlemen.
I yield back.
Mr. Langevin. The Chair recognizes Mrs. Trahan.
Mrs. Trahan. Thank you, Mr. Chairman.
So recognizing that scaling is--I mean, that that is a
challenge no matter what industry you are in, in terms of the
Cyber Mission Force, the 4,400 people, 133 teams, can you just
give us a sense of how this team needs to grow in the next 2 to
3 years not just to meet the threat or catch up but, you know,
to lead on cybersecurity?
General Nakasone. Congresswoman, I think the piece I would
offer is--so we have 133 teams on the Active side. The piece
that we are focusing now is the growth on the Reserve and the
National Guard side.
So the Army is going to build 21 additional teams. They are
defensive teams. They will be built, all of the National Guard
teams done by 2022 and all of the Army Reserve teams done by
2024. Twenty-one more teams is a tremendous amount of capacity
that brings to us. I think it is the strategic depth that we as
a Nation need.
To your point, then, one of the areas that we are starting
to think through is, how do we effectively use that new
capacity that is going to come on board in the next couple
years? That is what we are starting to assess now, to the point
of, are there critical infrastructure partnerships that we
should start forming now with the teams that are coming on? Are
there other mission sets that make a lot of sense for this new
capacity?
So we are excited about that. The Army has moved out on
that, and they are ahead of schedule in building those teams.
Mrs. Trahan. Great.
So you had mentioned, General Nakasone, that the biggest
challenge is retention. Can you comment on the challenges or,
you know, the root cause of retaining our talent?
General Nakasone. I think that if you think about the
talent that I was describing, the people that really are, you
know, 10 or 20 times better than their peers, the first
challenge is that they are looking for great missions that they
can work. And that is one of the things that we think we offer,
many times. I mean, it is hard to imagine places that you could
go to do the things that we do in our mission force at the
National Security Agency.
But that is only so far. And I think that the other piece
of it is that we realize that there may be folks that want to
come into the Army, whether or not it is as a military or
civilian member, that only want to stay for 5 or 6 years. Not
everyone is like yourself, in terms of staying 20 or 25 or 30,
I guess now, years.
Mrs. Trahan. I just got here. I just got here.
General Nakasone. Myself, I should say.
But that is a little bit of change in our thinking. And so
we have to change, too, and say, if they are only going to be
here 5 or 6 years, how do we effectively use them? Because
those 5 or 6 years, they can be really, really impactful for
the Nation.
Mrs. Trahan. Sure. And, you know, optimizing around that,
once you know what your churn rate is, I think is important.
And so I guess my follow-on question--I came from business
operations, so you will have to forgive me. But if retention is
an issue and we know that folks are going to churn after 5
years, is the Guard enough to fill the pipeline, given, you
know, the cost of training and onboarding and, you know, the
current churn rate or even your projected churn rate? Is that
enough?
And I guess where I am going--you can answer that question,
but I will just give you my end question. Is there anything
that Congress can be doing to address cybersecurity education,
workforce development, those challenges with filling your
pipeline beyond, you know, what we are thinking about today?
General Nakasone. I think the last point that you made with
regards to building a supply base is really important.
So when we look to recruit, we are looking for, you know, a
population that is science, technology, engineering,
mathematics enabled. And so, as we think about this as a
Nation, we think about it, obviously, in the Department of
Defense as, how do we engender that type of support within our
young people?
I know at the National Security Agency we are working
through a series of different camps that we sponsor from K-12.
Last year, we touched 13,000 young people and 3,000 teachers,
for a fairly small investment. That is the kind of, I guess,
population that we are trying to develop so not only that the
Department can recruit from but, obviously, our Nation can as
well.
Mrs. Trahan. Thank you.
Did you have anything to comment, Mr. Secretary?
Secretary Rapuano. I was just going to note that--and this
is certainly embodied in Cyber Excepted Service, which we very
much appreciate from Congress--but it is a soup-to-nuts in
terms of, as General Nakasone mentioned, how and where do we
best recruit? How do we develop an understanding amongst this
talent pool about what we offer within the Department of
Defense? And then it is, how do we ensure that they are getting
professional development, horizontally and vertically?
And, ultimately, as all very capable people who are driven,
they want to understand and they want to have offered to them
ability to advance. So how are we ensuring that we are doing
that so we are able to keep the best and the brightest? We know
that a number of them will rotate out, but we want to build a
certain percentage that are going to stay over the longer term.
Mrs. Trahan. Yep. I couldn't agree more. I mean, look, this
is an enormous opportunity for our economy while also, you
know, securing our country. So thinking through and co-
producing programs beyond K-12 to get people the credentials
that they need to serve, I think, is a noble partnership on our
behalf.
Thank you. I yield back.
Mr. Langevin. Thank you, Mrs. Trahan.
I just wanted to mention, General Nakasone, you had
mentioned the collaboration and synchronization with the Space
Force. But now, obviously, that also could mean that you are
going to be competing with their people, talent, and dollars
for resources as well. So another challenge you are going to
have to deal with.
Ms. Slotkin is recognized for 5 minutes.
Ms. Slotkin. Thank you. I apologize for being late. We had
another subcommittee hearing right in the middle.
My question actually goes back to something that
Congressman Kim was talking about. I am a former Pentagon
Assistant Secretary, and I cannot explain to people in public
what we are doing to push back. And all of the people that come
to my--you know, on cyberattacks. I am sorry. Let me finish my
sentence.
People will ask me, from the small township officials to
the average person who has had their credit card data taken by
a corporation, ``It feels like we are being smacked in the face
every single day. You know, Elissa, you are from the Pentagon.
What are we doing to actually fight back?''
And it is concerning to me that I can't tell them--I don't
want to tell them anything classified, but I want to be able to
say, we are not just sitting down and taking it, and here are
some things I can say in an unclassified basis.
And then, secondly, just help me understand, you know, if
you grow up in the defense world, you grew up with a model of
deterrence, right? Conventionally, nuclear weapons. We need to
maintain a strong deterrent. And I would love your help in
understanding how we are doing that in the cyber realm. What
are we doing to deter what feels like constant attacks on us in
a way that, again, reassures me and others who are concerned
that there is some price to pay for the constant barrage that
we are receiving?
Secretary Rapuano. I will take your second question and
have General Nakasone take your first.
Deterrence is really about denying benefits and imposing
consequences on adversaries in a way that is predictable enough
for them that it dissuades or deters them from continuing them.
Historically, we have not done that in cyberspace. And that
really is the paradigm shift that is really laid out in our
strategy.
The third component of that is strategic messaging. How do
we ensure that we, in concert with allies and partners, the
rest of the international community that also abhors this kind
of malevolent cyber activities, how do we galvanize this, in
some sense or sometimes silent majority, to really focus on
those actors who are creating the most problems?
So that is really what defending forward is all about. That
is what persistent engagement at the combatant-command level is
all about. It is the engagement, and it is about addressing the
source of these threats.
General Nakasone. Congresswoman, to your first point, I
would turn back to, again, the recent elections, and what did
we as a government do to ensure safe and secure elections. I
think that, you know, the model of bringing together, whether
or not it was the Department of Defense, the Federal Bureau of
Investigation, Department of Justice, Department of Homeland
Security, throughout the summer, very, very public appearances
in terms of we are going to ensure a safe and secure election.
So we did work very, very closely with the Department of
Homeland Security to protect our election infrastructure. We
did work very, very closely with the Federal Bureau of
Investigation to stop influence operations from other non-
nation-states and nation-states from impacting our people. And
we did, you know, obviously, conduct actions to ensure that any
adversary that was attempting to interfere with our democratic
processes, that we would address.
That is different than what we had done in the past, as the
Secretary had mentioned. And I think that that is a very, very
good model of where we need to move forward. Because we have to
make sure that obviously our adversaries and certainly the
American people understand that this is something that is
obviously worth defending.
Ms. Slotkin. So just so I understand, you think that our
response to attempts to meddle in our elections, that response
provided some pain or put some pain on those who were trying to
meddle, and therefore they won't do it again?
General Nakasone. So I certainly can't assert they won't do
it again. But they should certainly know, after what has
occurred, that we are not going to stand back and be responsive
in our approach, that we are going to defend, obviously, one of
the most important things that we have in our Nation, which is
our democratic processes.
Ms. Slotkin. Thank you. I yield back.
Mr. Langevin. Thank you for the line of questioning.
And whether it is election operations or other things in
the gray zone conflict, I think it is important that we meet
them at every challenge. And I think we are going to see more
and more of this conflict in the gray zone below the threshold
of armed conflict. And I think we ignore those activities, I
think, at our detriment.
And so, you know, we have to run the board and confront
them everywhere. Anytime that our enemies or adversaries do
something that goes unanswered, I think it just emboldens them
further, in my opinion. So I think that is all part of the
whole concept that we have now undertaken of defending forward.
It is confronting them when and where we have to meet them.
Unless Mr. Cooper or Mr. Conaway have questions, we are
going to now go to the closed session. So the committee stands
in recess until the closed session begins.
Thank you.
[Whereupon, at 3:45 p.m., the subcommittee proceeded in
closed session.]
=======================================================================
A P P E N D I X
March 13, 2019
=======================================================================
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
March 13, 2019
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
=======================================================================
WITNESS RESPONSES TO QUESTIONS ASKED DURING
THE HEARING
March 13, 2019
=======================================================================
RESPONSE TO QUESTION SUBMITTED BY MS. STEFANIK
General Nakasone. Section 807 of the FY 2016 NDAA does not
specifically define cyber-peculiar. However, the 2016 DOD
implementation plan submitted pursuant to Section 807 of the FY 2016
NDAA provides ``cyber operations-peculiar (CO-peculiar)'' and ``cyber
capability-peculiar'' equipment, capabilities and services as
``Equipment, materiel, supplies, non-materiel solutions, and services
required for select joint CO-peculiar requirements or established DOD
Agency-provided service or product.'' In the Report on USCYBERCOM
Acquisition Authority submitted pursuant to the Joint Explanatory
Statement accompanying Section 1635 of the FY19 National Defense
Authorization Act, dated Oct 2018, USCYBERCOM defined cyber-peculiar
capabilities and services as: Any acquisition effort that supports or
facilitates any of the three Cyberspace Missions as defined in Joint
Pub 3-12; Offensive Cyber Operations, Defensive Cyber Operations, or
Department of Defense Information Network operation. These three
mission types comprehensively cover the activities of the cyberspace
forces. [See page 14.]
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
March 13, 2019
=======================================================================
QUESTIONS SUBMITTED BY MR. LARSEN
Mr. Larsen. Given adversary exfiltration of sensitive data from the
DIB: How can the Department of Defense work to promote cybersecurity
within the DIB? What tools exist to require robust cybersecurity as
part of the contracting process? How does the Department help the DIB
detect and report cyber incidents? What potential consequences exist
for a contractor that fails to practice robust cybersecurity?
Secretary Rapuano. The Department of Defense (DOD) promotes
cybersecurity within the defense industrial base (DIB) through two
primary means: a voluntary information sharing program with DIB
entities and through requirements directed by the Defense Federal
Acquisition Regulation Supplement (DFARS).
Voluntary Information Sharing: DOD's DIB Cybersecurity
(CS) Program enhances and supplements DIB participants' capabilities to
safeguard DOD information that resides on or transits DIB unclassified
networks or information systems. Under the DIB CS Program, DOD and DIB
participants share unclassified and classified cyber threat information
to bolster public and private cybersecurity postures and receive
technical assistance from the DOD Cyber Crime Center (DC3) including
analyst-to-analyst exchanges, mitigation and remediation strategies,
and best practices.
Mandatory Reporting Requirements: DFARS 252.204-7012
directs contractors to rapidly report cyber incidents to DOD when
incidents are discovered that affect a covered contractor information
system or the covered defense information residing therein, or that
affect the contractor's ability to perform the requirements of the
contract that are designated as operationally critical support. When
contractors discover malicious software in connection with a reported
cyber incident, that malicious software must be submitted to DC3.
Minimum Cybersecurity Standards: DFARS 252.204-7012
requires contractors to safeguard covered defense information that
resides on a contractor's internal unclassified information system by
implementing the security requirements in National Institute of
Standards and Technology (NIST) Special Publication 800-171
``Protecting Controlled Unclassified Information in Nonfederal
Information Systems and Organizations.'' Contractors that fail to
implement DFARS 252.204-7012 requirements when applicable to contract
performance may be subject to contractual, administrative, and civil
remedies by DOD.