[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
[H.A.S.C. No. 116-43]
SECURING THE NATION'S INTERNET ARCHITECTURE
__________
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES
OF THE
COMMITTEE ON ARMED SERVICES
MEETING JOINTLY WITH THE
SUBCOMMITTEE ON NATIONAL SECURITY
OF THE
COMMITTEE ON OVERSIGHT AND REFORM
[Serial No. 116-57]
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
HEARING HELD
SEPTEMBER 10, 2019
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
__________
U.S. GOVERNMENT PUBLISHING OFFICE
40-505 PDF WASHINGTON : 2020
--------------------------------------------------------------------------------------
COMMITTEE ON ARMED SERVICES
SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES
JAMES R. LANGEVIN, Rhode Island, Chairman
RICK LARSEN, Washington ELISE M. STEFANIK, New York
JIM COOPER, Tennessee SAM GRAVES, Missouri
TULSI GABBARD, Hawaii RALPH LEE ABRAHAM, Louisiana
ANTHONY G. BROWN, Maryland K. MICHAEL CONAWAY, Texas
RO KHANNA, California AUSTIN SCOTT, Georgia
WILLIAM R. KEATING, Massachusetts SCOTT DesJARLAIS, Tennessee
ANDY KIM, New Jersey MIKE GALLAGHER, Wisconsin
CHRISSY HOULAHAN, Pennsylvania MICHAEL WALTZ, Florida
JASON CROW, Colorado, Vice Chair DON BACON, Nebraska
ELISSA SLOTKIN, Michigan JIM BANKS, Indiana
LORI TRAHAN, Massachusetts
Josh Stiefel, Professional Staff Member
Peter Villano, Professional Staff Member
Caroline Kehrli, Clerk
------
COMMITTEE ON OVERSIGHT AND REFORM
SUBCOMMITTEE ON NATIONAL SECURITY
STEPHEN F. LYNCH, Massachusetts, Chairman
JIM COOPER, Tennessee JODY B. HICE, Georgia, Ranking
PETER WELCH, Vermont Minority Member
HARLEY ROUDA, California PAUL A. GOSAR, Arizona
DEBBIE WASSERMAN SCHULTZ, Florida VIRGINIA FOXX, North Carolina
ROBIN L. KELLY, Illinois MARK MEADOWS, North Carolina
MARK DeSAULNIER, California MICHAEL CLOUD, Texas
STACEY E. PLASKETT, Virgin Islands MARK E. GREEN, Tennessee
BRENDA L. LAWRENCE, Michigan CLAY HIGGINS, Louisiana
Dave Rapallo, Staff Director, Committee on Oversight and Reform
Dan Rebnord, Staff Director, Subcommittee on National Security
Amy Stratton, Clerk
C O N T E N T S
----------
Page
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Hice, Hon. Jody B., a Representative from Georgia, Ranking
Member, Subcommittee on National Security, Committee on
Oversight and Reform........................................... 8
Langevin, Hon. James R., a Representative from Rhode Island,
Chairman, Subcommittee on Intelligence and Emerging Threats and
Capabilities, Committee on Armed Services...................... 1
Lynch, Hon. Stephen F., a Representative from Massachusetts,
Chairman, Subcommittee on National Security, Committee on
Oversight and Reform........................................... 6
Stefanik, Hon. Elise M., a Representative from New York, Ranking
Member, Subcommittee on Intelligence and Emerging Threats and
Capabilities, Committee on Armed Services...................... 4
WITNESSES
Manfra, Jeanette, Assistant Director for Cybersecurity,
Cybersecurity and Infrastructure Security Agency, U.S.
Department of Homeland Security................................ 9
Rinaldo, Diane, Acting Assistant Secretary for Communications and
Information, and Administrator, National Telecommunications and
Information Administration, U.S. Department of Commerce........ 11
Wilson, B. Edwin, Deputy Assistant Secretary of Defense for Cyber
Policy, Office of the Under Secretary of Defense for Policy,
U.S. Department of Defense..................................... 12
APPENDIX
Prepared Statements:
Langevin, Hon. James R....................................... 43
Manfra, Jeanette............................................. 46
Rinaldo, Diane............................................... 54
Wilson, B. Edwin............................................. 61
Documents Submitted for the Record:
[There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
Mr. Waltz.................................................... 73
Questions Submitted by Members Post Hearing:
Ms. Houlahan................................................. 82
Mr. Kim...................................................... 81
Ms. Stefanik................................................. 77
SECURING THE NATION'S INTERNET ARCHITECTURE
----------
House of Representatives, Committee on Armed
Services, Subcommittee on Intelligence and
Emerging Threats and Capabilities, Meeting
Jointly with the Committee on Oversight and
Reform, Subcommittee on National Security,
Washington, DC, Tuesday, September 10, 2019.
The subcommittees met, pursuant to call, at 2:01 p.m., in
room 2118, Rayburn House Office Building, Hon. James R.
Langevin (chairman of the Subcommittee on Intelligence and
Emerging Threats and Capabilities) presiding.
OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE
FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE AND
EMERGING THREATS AND CAPABILITIES, COMMITTEE ON ARMED SERVICES
Mr. Langevin. The subcommittee will come to order.
So, good afternoon, everyone. I am pleased to welcome
everyone here today to the joint hearing with the Committee on
Oversight and Reform Subcommittee on National Security about
the security of the Nation's internet architecture. I am
particularly thankful to my good friend Congressman Lynch from
Massachusetts, my neighbor in New England, and his staff for
working so diligently in making today possible, along with the
ranking members of both subcommittees.
Today we are here to conduct what I believe is much-needed
oversight regarding the security of the internet's underlying
architecture, namely, the components, physical sites, and the
assets that are necessary for the internet to operate.
Defending the United States assets in this global
telecommunications network requires a whole-of-government
approach, and I am concerned that the government is not
approaching the subject in a cohesive or comprehensive manner,
creating significant risk for the Nation.
Both the Oversight subcommittee and the Armed Services
subcommittee are seeking a better understanding of the
policies, regulations, and guidelines and interagency
agreements that govern the protection of this critical
infrastructure. To the extent that there are gaps, we are also
interested in learning whether legislative solutions may be
needed.
Most people think of the internet as the sites they visit,
the applications they use, and the emails they send. In other
words, the people's understanding of what the internet is, is
very much tied to how they engage with it. However, this leaves
out an entire architecture that enables the flow of information
around the world and into people's palms. This architecture
includes the high-capacity cables buried under the ground and
laid below the sea, the cable landing stations that connect the
cables from continent to continent, and the internet exchange
points, or IXPs, that serve as a clearinghouse for data between
internet service providers and content delivery networks. These
are all examples of physical sites and tangible items that are
required for the internet to operate effectively.
While these physical sites are critical components of the
cyber landscape, they are generally viewed as distinct from the
network's protocols and software that are more familiar to
people's understanding of the internet. However, they are just
as important to internet operations. After all, unplugging a
network cable is just as effective as a denial-of-service
attack, maybe even more so.
From the government's perspective, attacking the subject of
internet architecture security is difficult, due to the
departments' and agencies' overlapping jurisdictions,
responsibilities, and capabilities. And I am concerned that the
executive branch has fragmented internet architecture security
among multiple departments as opposed to conceptualizing the
internet as a single ecosystem with departments working
collaboratively.
For example, the Department of Homeland Security serves as
the government lead for all critical infrastructure, and as the
sector-specific agency for the telecommunications sector.
Meanwhile, the Department of Commerce's National
Telecommunications and Information Administration, or NTIA, is
principally responsible for advising the President on
telecommunications and information policy issues, and develops
national policies on internet use and cybersecurity.
Separately, the Department of Defense is broadly
responsible for defense of the Nation. Independent regulatory
agencies, like the Federal Communications Commission, also have
important responsibilities for ensuring security. To top it all
off, many of these exchange points are connected to
international providers.
So I have no doubt that these agencies work together
broadly. However, I am very worried that by carving out
discrete lanes in the road, there are seams left unaddressed in
the middle, and I am concerned that internet architecture
security is one of those seam issues.
Holistic internet architecture security has been generally
neglected, I believe, with organizations remaining firmly in
their lanes rather than approaching the problem collectively.
So, for example, the Department of Homeland Security serves as
the government lead for--so, in any event, separately, the
Department of Defense--and DOD [Department of Defense] is
broadly responsible for defense of the Nation.
Our Nation's newest cybersecurity organization, the
Cybersecurity and Infrastructure Security Agency, has
recognized the inherent challenges in using the critical sector
framework, particularly with respect to interdependencies
between sectors.
The National Risk Management Center's National Critical
Functions Set explicitly recognizes internet architecture
functions, such as ``Operate Core Network'' and ``Provide
Internet Routing, Access, and Connection Services.'' I am
hopeful that this new framing will help stimulate more cross-
agency and cross-sector discussion, interaction, and policy
development.
So the purpose of today's hearing is to better understand
how the interagency is approaching internet architecture
security, including with respect to engagement with the private
sector. In particular, I will be interested in hearing from the
witnesses how their agencies deal with the fact that internet
architecture security is not purely a cyber problem and it is
not a purely physical problem. In order to effectively reduce
our risks, DOD will have to engage actively and eagerly non-
security-centric agencies such as NTIA and regulatory bodies
such as the Federal Communications Commission, and vice versa.
Our country's cyber experts will have to sit down with
specialists in physical security and electrical distribution
professionals, because at the end of the day, it won't matter
if these sites and systems are taken offline by cyberattack,
sabotage, or natural disaster.
There is no greater sign of how cross-cutting this issue is
than the fact that the IETC [Intelligence and Emerging Threats
and Capabilities] Subcommittee is joined today by the Oversight
Committee's National Security Subcommittee. Even within the
House of Representatives, we are inclined to handle things
within caucuses or within committees; but in recognition of the
problem's scale, we are here today tackling this issue
together, because that is exactly what it will take at the end
of the day.
So, with that, and before turning to the Ranking Member
Stefanik and then to Chairman Lynch and Ranking Member Hice,
let me take a minute just to introduce today's witnesses.
Ms. Jeanette Manfra serves as the inaugural Assistant
Director for Cybersecurity with the Department of Homeland
Security's Cybersecurity and Infrastructure Security Agency
[CISA]. Ms. Manfra served as Assistant Secretary with the
Office of Cybersecurity Communications at CISA's predecessor
organization, the National Protection and Programs Directorate,
before assuming her current role. Ms. Manfra has held numerous
other roles within DHS [Department of Homeland Security], and
she has also served on the National Security Council staff.
Before joining DHS, Ms. Manfra served in the U.S. Army as a
communications specialist and as a military intelligence
officer. I have known Jeannette now for several years, and I
have great confidence in her and Director Krebs' leadership at
CISA.
Joining us also today we have Deputy Assistant Secretary of
Defense for Cyber Policy, Mr. Ed Wilson. In his capacity as the
director of--in his capacity, he supports the Secretary of
Defense and other senior leaders by formulating, recommending,
integrating, and implementing policies and strategies to
improve DOD's ability to operate in cyberspace. Prior to this
duty, General Wilson retired from the United States Air Force
after serving on Active Duty for over 32 years, to include the
triple-hatted role of Commander, 24th Air Force; Commander, Air
Forces Cyber; and Commander, Joint Force Headquarters-Cyber.
Welcome, and General, thanks for your service.
And finally, Ms. Diane Rinaldo is the Acting Assistant
Secretary for Communications and Information for the Department
of Commerce and the Administrator of the National
Telecommunications and Information Administration. Ms. Rinaldo
also serves as the Deputy Assistant Secretary for
Communications and Information. I have closely tracked several
of NTIA's cybersecurity initiatives, including on cybersecurity
vulnerabilities, disclosure and software component
transparency, and I appreciate her continued support in that
agency for multi-stakeholder processes to improve internet
security. I will also note that Ms. Rinaldo is a proud veteran
of the House Permanent Select Committee on Intelligence, where
she and I worked before, where she served as the lead committee
staffer on our information-sharing legislation, the
Cybersecurity Act of 2015.
So I welcome all of our witnesses today. And, with that, I
want to turn to Ranking Member Stefanik for any comments that
she may have.
[The prepared statement of Mr. Langevin can be found in the
Appendix on page 43.]
STATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE FROM NEW
YORK, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE AND EMERGING
THREATS AND CAPABILITIES, COMMITTEE ON ARMED SERVICES
Ms. Stefanik. Thank you, Jim. I want to start by thanking
both Chairman Langevin and Chairman Lynch for holding such an
important and cross-cutting hearing. I am also pleased to be
here with my fellow ranking member, Mr. Hice.
We are fortunate that we are joined by such an excellent
interagency panel of witnesses to guide us today. Ms. Manfra,
it is great to see you again before this committee. When last
we spoke, it was regarding election security, and I am pleased
that today's hearing will span many of the other important
missions of your organization, the CISA.
Ms. Rinaldo, given the important role that NTIA plays, we
are fortunate to have you here as well. And since, as the
chairman mentioned, you are a former professional staff member
from HPSCI [House Permanent Select Committee on Intelligence],
we can say welcome back to the House.
And, Mr. Wilson, it is always great to see you back before
the subcommittee. We look forward to hearing how the Department
of Defense supports these agencies and our broader national
security objectives.
As we look to further improve the security of our Nation's
internet architecture, we should remind ourselves of the
urgency of this task. First, the physical enormity of the topic
and related challenges are worth mentioning. The world's
internet architecture and, by extension, our domestic
infrastructure is highly integrated with varying levels of
resiliency and redundancy. In some cases, there are
international norms, although laws and policies often vary by
country and by sector. There are many points of failure in this
physical internet, and it remains so contested and complex that
even risk managers lack full awareness on how to identify and
mitigate threats or weaknesses.
Second, our own intelligence community provides sobering
assessments on adversarial use and exploitation of the
internet. The DNI [Director of National Intelligence], in the
most recent Worldwide Threat Assessment, has noted that, quote,
``Our adversaries and strategic competitors will increasingly
use cyber capabilities, including cyber espionage, attack, and
influence, to seek political, economic, and military advantage
over the United States and its allies and partners,'' end
quote.
And the physical internet architecture we will talk about
today is the highway upon which these adversaries travel. So
what is crystal clear, going into today's hearing, is that our
adversaries understand our vulnerabilities and will not
hesitate to exploit these weaknesses to further their strategic
and economic objectives.
We are no longer peerless and security is not assured. In
fact, we see these same adversaries, most notably China and
Russia, adapting to and learning from our own weaknesses by
building what amounts to their own state-controlled internet
architecture to monitor, control, and influence their own
populations. These very same controls will make it harder for
us to preserve and protect geopolitical, offensive, and
strategic options for our Nation and our economy.
As I have said many times before, cyber threats from state
and non-state adversaries are real, pervasive, and growing.
They leverage and integrate cyber information and
communications technologies for geopolitical and economic gain
in a seamless way. Yet while these adversaries continue to use
the internet as a means to achieve strategic objectives, I
remain concerned that we as a Nation do not yet have a holistic
strategy in place to mitigate, deter, or oppose their advances.
This is particularly true regarding the security of our
physical internet architecture, the topic for today's timely
hearing.
Although not the lead agency on this topic, I am pleased
that the Department of Defense is represented at the table
today, since they play such an important role in this area, not
the least of which may be providing expertise to other agencies
during sensitive national emergencies.
We all know that DOD research played a central role in the
development of today's internet through the creation of ARPANET
[Advanced Research Projects Agency Network]. And today, the
Defense Advanced Research Projects Agency, or DARPA, continues
to advance our national security through projects related to
the resiliency of our Nation's internet architecture, and
various other sectors, such as the electrical grid, through
their Information Innovation Office.
In the oversight we have conducted on the Armed Services
Committee, I feel confident saying that we have improved our
military cyberspace and information warfare capabilities, and
also improved our resilience in many areas. And while a great
deal of broader interagency cooperation and coordination has
taken place over the past few years, much work remains to
secure our Nation's internet architecture and related sectors,
to ensure we remain fast, agile, and resilient even during
times of crisis.
And although today's panel is comprised of government
experts, we should not forget about the important role that the
private sector and defense innovation and industrial bases
play, so that we develop a truly whole-of-nation strategy to
understand and mitigate these vulnerabilities. Only then will
our Nation be prepared for the 21st century challenges we face.
Our witnesses, again, are very well-qualified to help us
navigate these multidimensional problems, and I thank them for
being here today.
Thank you, again, to the chairman. And, with that, I yield
back.
Mr. Langevin. I thank the ranking member.
And now, I would like to recognize and turn to my partner,
my colleague, the chairman of the Government Oversight and
Reform's Subcommittee on National Security, Mr. Lynch.
STATEMENT OF HON. STEPHEN F. LYNCH, A REPRESENTATIVE FROM
MASSACHUSETTS, CHAIRMAN, SUBCOMMITTEE ON NATIONAL SECURITY,
COMMITTEE ON OVERSIGHT AND REFORM
Mr. Lynch. Thank you very much, Mr. Chairman.
Good afternoon to our distinguished panel of witnesses.
Thank you for your willingness to help the subcommittees with
our work.
Before I begin, I would like to first personally thank my
good friend Chairman Jim Langevin and his staff, as well as
Ranking Members Stefanik and Hice and their staff, for their
cooperation and willingness to collaborate with us on this very
important hearing.
Mr. Langevin, in particular, has been a strong and longtime
advocate for improving the infrastructure of our country in
this measure, and ensuring that necessary cybersecurity
safeguards are in place to protect the United States against
the multitude of threats that we face each and every day. He
has made this issue a priority and it is one that I share, as
chairman of the House Oversight Subcommittee on National
Security.
Today's hearing will examine how Federal departments and
agencies work together to protect the critical architecture
upon which U.S. internet and telecommunications systems depend.
By working together on the issue, we hope that our
subcommittees will better understand and be better positioned
to identify and fill gaps and vulnerabilities across the
various Federal agencies and private sector for the purpose of
protecting our Nation's internet infrastructure.
Uninterrupted and secure access to the internet is critical
to daily life in the 21st century. Our constituents rely on the
internet to search for jobs, access bank accounts, read the
news, and communicate with family. Companies in every industry,
from Midwest manufacturers to the financial sector in New York,
need the internet to participate in the national and
international economy. The U.S. military requires reliable and
secure access to the internet to conduct overseas operation,
and it is also tasked with protecting our networks from cyber
intrusions by foreign actors.
Improving secure and reliable access to the internet is
also vital to economic development and promoting livelihoods in
less-developed countries or areas. In fact, our committee, I
just came back from last weekend, in a congressional delegation
to Jakarta, where I met with young entrepreneurs from the
Indonesian financial technology sector, who all highlighted the
need and importance of expanding internet connectivity across
Indonesia, more than 7,000 islands, to bring additional
customers into the digital financial market, and to bank the
unbanked.
Given our growing dependence on the internet, even
temporary disruptions, regardless of whether they are
intentional or accidental, can have serious and cascading
effects across industries and among our Nation's critical
infrastructure sectors. Yet no single U.S. Government entity is
responsible for securing the internet and its underlying
architecture. Instead, we have multiple departments and
agencies, which have various jurisdictional roles, including
the Department of Homeland Security, the Department of Defense,
the Department of Commerce, from which we are fortunate to have
representatives before us today, in addition to the White
House, the Department of Energy, the Department of Justice, the
Federal Communications Commission, which all have a role to
play in securing this infrastructure.
Adding to the complexity of this task is the fact that the
physical components of our Nation's telecommunications
infrastructure, such as fiberoptic cables and data centers and
internet exchange points, are largely owned by the private
sector. This means that coordination and communication within
the Federal Government, and across the public and private
sectors, are all crucial to the internet security.
The challenge we therefore face is that when everyone is in
charge, then nobody is in charge. And while internet activity
appears to move seamlessly across digital pathways, this
movement is cemented in real physical architecture and
infrastructure. The security, which has often been taken for
granted, in physical fiber cables buried under our streets and
under international waters, carries this traffic from point A
to point B. Data centers and internet exchange points serve to
store and transfer this traffic from network to network.
All of these physical assets can be damaged by natural
disasters, human-caused accidents, or intentional attacks by
sophisticated malign actors. As Ranking Member Stefanik has
noted and as former Director of National Intelligence Dan Coats
highlighted in his 2019 Worldwide Threat Assessment, we know
that our adversaries are already probing U.S. electric utility
grids, election systems, pipelines, and financial networks for
any signs of weakness. China, Russia, Iran, and North Korea are
all increasingly using cyber operations to steal data,
disseminate misinformation, and I quote, ``to disrupt critical
infrastructure,'' close quote.
Russia, Director Coats said, and I quote, ``is mapping out
critical infrastructure with the long-term goal of being able
to cause substantial damage,'' close quote. Multiple open
source reports in recent years have also noted increased
foreign military activity around undersea data cables, raising
concerns that hostile actors could be looking for ways to
interfere with this critical infrastructure.
To our witnesses, I realize that some of today's questions
may drift into topics not suitable for an unclassified hearing.
With that in mind, I just ask that you do your best to answer
members' questions as candidly as possible, but you should not
disclose any classified or sensitive security information.
Instead, please let us know that you would prefer not to
respond for national security reasons in an unclassified
setting, and we can move on to the next question. We will,
however, reserve the right to request that that information be
disclosed in a more appropriate setting at a later date.
So, Mr. Chairman, I want to thank you, again, for your
courtesy in holding this important hearing with me, and with
that, I yield back.
Mr. Langevin. Thank you, Chairman Lynch. And I appreciate
your dedication to national security issues. It has been great
partnering with you on this topic and look forward to others as
well.
With that, I would like to recognize Ranking Member Hice
for comments.
STATEMENT OF HON. JODY B. HICE, A REPRESENTATIVE FROM GEORGIA,
RANKING MEMBER, SUBCOMMITTEE ON NATIONAL SECURITY, COMMITTEE ON
OVERSIGHT AND REFORM
Mr. Hice. Thank you very much, Mr. Chairman, and I would
like to thank you and Ranking Member Stefanik for hosting this.
And always an honor to work with Chairman Lynch. We appreciate
you having us here today, as members of the Subcommittee on
National Security as part of the Committee on Oversight and
Reform. We appreciate you having us here, and for having this
important hearing.
You know, I sometimes have been, with this hearing,
somewhat struck by the reactions of different people to this
topic. Some may look at this as not among the most flashy
topics, but it has got to be among the most important. And more
and more, whether we realize it or not, our lives are happening
on the internet. Whether it be in commerce or energy or health
care or national security, our lives are impacted greatly by
the topic and the discussion today. And that is why it is
imperative for us to be able to come together and to have a
heart-to-heart, honest, open discussion as to what is involved
in keeping our Nation's infrastructure safe and secure.
And so I want to sincerely say thank you to each of our
witnesses for your role and for you being a part of this
hearing today, and I look forward to hearing how you are
engaging the various stakeholders, whether they be in
government or in the private sector. I want to personally
better understand how we are taking a whole-of-government
approach to this issue, and if we are not, then I want us to
talk about how we get there.
I am also curious to know how each of your components are
working together. And there are a lot of seats, if you will, at
the internet architecture table, if we can put it that way. And
if there are too many seats, we need to know about that; if
there need to be fewer seats, we need to know about that.
The internet, for a lot of people, is an unknown territory,
but for those of us here in Congress, this is certainly an area
that we need to dig deeper into, and make sure that we are
secure. And, you know, this is not something that we can say
this is in the future. This is where we are currently living.
And so, we have got to address this straight up. And so, I
deeply thank you for being here. I look forward to our
discussion today.
And, again, many thanks to you, Mr. Chairman. And with
that, I yield back.
Mr. Langevin. Thank you, Ranking Member Hice.
With that, the chair now recognizes Ms. Manfra, Director
Manfra, for her opening statement for 5 minutes. Ms. Manfra,
the floor is yours.
STATEMENT OF JEANETTE MANFRA, ASSISTANT DIRECTOR FOR
CYBERSECURITY, CYBERSECURITY AND INFRASTRUCTURE SECURITY
AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Manfra. Thank you, sir. Chairman Langevin, Chairman
Lynch, Ranking Member Stefanik, Ranking Member Hice, and
members of the subcommittees, thank you for today's opportunity
to discuss this very important issue around securing our
Nation's internet architecture, and, specifically, our role,
the Cybersecurity and Infrastructure Security Agency, or CISA,
role in securing that.
Safeguarding and securing cyberspace has long been a core
Homeland Security mission. In today's globally interconnected
world, our critical infrastructure and American way of life
face a wide array of serious risks. Nation-state adversaries
and competitors seek to advance their objectives through
various hybrid tactics, including subtle actions that
significantly weaken the foundations of U.S. power, degrade
society's functions, and increase adversaries' ability to hold
our critical infrastructure at risk.
As network devices further weave into our lives and
businesses, their vulnerabilities provide additional attack
vectors. Global supply chains introduce risks of malicious
activity in software and hardware. Many of these risks are
complex and dispersed geographically and across stakeholders.
To meet this urgent national security need, Congress
established CISA last year. CISA is the Nation's risk adviser,
and we are uniquely positioned to serve this role. By statute,
and at the President's direction, we lead the Nation's risk
management efforts by bringing together diverse stakeholders to
collaboratively identify risks, prioritize them, develop
solutions, and drive those solutions, to ensure the stability
of our most crucial systems.
An important note is that we don't just think about threat
or vulnerability or consequence; we think about them all
together and how they interact in order to establish risk. And
so, we try to understand things, how could an adversary
actually accomplish something, can they have an actual
consequence. So when I talk about risk management, that is how
we frame it.
So, as the Nation's risk adviser, we must also unify two
strategic goals across all of our mission space. We must
simultaneously mobilize strong public-private partnerships to
defend against the most urgent threats and hazards, while not
losing sight of the need to build a more secure tomorrow. Our
foremost responsibility is to safeguard the American people,
and we prioritize our efforts at all levels to focus on the
greatest risks facing the homeland. In order to successfully
accomplish this, we must be able to understand and manage this
risk holistically. And, again, that means we must understand
both threat and vulnerability and the consequence, and we must
also understand how that manifests across the country.
This is why we established the National Risk Management
Center. CISA, while often referred to as a cyber agency, is
more than just cyber. In fact, we have a long history in
thinking about infrastructure security holistically, both
against natural and man-made hazards. By establishing the
National Risk Management Center within CISA, this brings
together all our different disciplines to better understand
what is the risk to the Nation as a whole.
Our first important step was to reframe the conversation.
Instead of thinking about industry-specific activities, but to
think about cross-cutting functions, because in the end,
adversaries are interested in causing consequences to the
functioning of our society, or holding those at risk.
Therefore, we worked across multiple sectors of the economy and
government partners to establish the first set of national
critical functions in early April of this year. These national
critical functions support the operations of nearly all
businesses, public safety organizations, and government, and
are so vital that their disruption, corruption, or dysfunction
would have a debilitating effect on our Nation.
The global internet architecture includes an array of
components that enable these national critical functions. Going
forward, we will prioritize our efforts and resources, both
within CISA and across the government, to ensure we are
reducing risk to these functions and bringing the full power of
the U.S. Government to bear to do so.
At CISA, our vision is to fully realize this national
effort that I just described. This means breaking down the old
organizational and institutional divides that impede our
ability to provide for our collective defense in cyberspace.
Our adversaries are targeting systems that are across sector,
and the growing interdependencies demand an integrated
approach. To achieve this integrated approach, we are working
and we will continue to work with numerous stakeholders,
including my colleagues joining me today.
Specifically, we have been working with the National
Telecommunications and Information Administration, or NTIA, for
many years on multiple internet governance issues from Domain
Name System, or DNS, issues to participating in our multi-
stakeholder process to publish a report on botnets.
We also have expanded our partnership with DOD. Almost a
year ago, DHS and DOD finalized an agreement which reflects the
commitment of both departments to this important issue. This
agreement clarifies roles and responsibilities to enhance U.S.
Government readiness to respond to cyber threats, and
establishes coordinated lines of efforts to secure, protect,
and defend the homeland.
Today's national security challenges require innovation in
government as well as in the economy and throughout the world,
and I am proud to be working with two partners who share that
desire for innovation and partnership.
The heart of CISA's purpose is to mobilize a collective
defense of our Nation's critical infrastructure, and we cannot
do this alone. My colleagues on this panel represent some of
those critical partnerships in order to achieve this goal.
Tomorrow is the anniversary of the September 11th attacks
on our country. As we learned from that event 18 years ago,
information and Federal operations must not be siloed. We see
these same lessons amplified and complicated by the global,
borderless, interconnected nature of cyberspace, where
strategic threats can manifest in the homeland without advance
warning.
I thank you again for starting this important conversation
and holding this hearing, and I look forward to further
discussing our efforts. Thank you, and I look forward to your
questions.
[The prepared statement of Ms. Manfra can be found in the
Appendix on page 46.]
Mr. Langevin. Thank you, Director Manfra.
Administrator Rinaldo, you are recognized next.
STATEMENT OF DIANE RINALDO, ACTING ASSISTANT SECRETARY FOR
COMMUNICATIONS AND INFORMATION, AND ADMINISTRATOR, NATIONAL
TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION, U.S.
DEPARTMENT OF COMMERCE
Ms. Rinaldo. Chairman Langevin, Chairman Lynch, Ranking
Member Stefanik, Ranking Member Hice, and members of the
committee, thank you for the opportunity to testify today on
the role of the U.S. Government in securing the Nation's
internet architecture.
The National Telecommunications and Information
Administration in the Department of Commerce is responsible for
advising the President on telecommunications and information.
NTIA collaborates with other Commerce bureaus and executive
branch agencies to advocate for domestic and international
policies that preserve the open internet and advance the key
U.S. interests.
NTIA is involved in a host of policy issues that affect the
security of critical elements of our Nation's
telecommunications infrastructure. Our support includes working
with our interagency partners to enhance the security of our
Nation's telecommunications supply chain. We are supporting the
Secretary of Commerce on the implementation of the Executive
order on securing the information and communications technology
and services supply chain.
NTIA is the lead executive branch expert agency on issues
relating to the Domain Name System, a critical component of the
internet architecture. The DNS functions similar to an address
book for the internet by allowing users to identify websites,
mail servers, and other internet destination using easy-to-
understand names.
NTIA supports a multi-stakeholder approach to the
coordination of the DNS to ensure long-term viability of the
internet. NTIA collaborates across the government on numerous
efforts related to the security of the Nation's internet
architecture.
We have been working closely with the National Security
Council and the interagency colleagues on implementing the
National Cyber Strategy. In that effort, we share our
activities across the interagency and look for synergies to
maximize the impact of the strategy. NTIA will continue to
participate in these efforts.
One significant example of NTIA's contribution to the
protection of the internet infrastructure is our work with NIST
[National Institute of Standards and Technology] and DHS on the
Botnet Report, delivered to the President in May of 2018.
Botnet attacks can have large and damaging effects, and they
put the broader network at risk.
Botnets now capitalize on the sheer number of Internet of
Things connections and devices. We have seen attacks that have
topped a terabyte per second. Dealing with an attack of this
magnitude can take time, which is a major concern when dealing
with critical infrastructure.
The Botnet Report outlines a positive vision for the
future, cemented by six principal themes and five complementary
goals that would improve the resilience of the internet
ecosystem. The Departments of Commerce and Homeland Security
developed the report through an open and transparent process
for the specific purpose of identifying stakeholder actions as
opposed to government regulation.
We are tracking progress through a document known as the
Botnet Road Map. More than half of the identified tasks are
already in progress or completed. At the end of this year, the
Departments of Commerce and Homeland will provide a status
update to the President that reviews progress, tracks the
impact of the road map, and sets further priorities.
NTIA's cybersecurity multi-stakeholder processes also
contribute to the security of the Nation's internet
architecture. Most recently, we have been working on a software
component bill of materials. Most modern software is not
written completely from scratch, but includes existing
components from the open source and commercial software world,
which can be challenging to track. Our ultimate objective is to
foster a more resilient ecosystem through industry-led, market-
based cybersecurity solutions.
Over the past three decades, the internet has been
transformational for the American economy. America's
established leadership in technology has resulted in millions
of jobs and remarkable prosperity. Because of this, we must
work harder than ever to ensure that the infrastructure
supporting the internet is secure. NTIA is committed to
coordinating across the Federal Government and engaging with
the private sector to ensure the United States can continue to
harness the economic benefits of this vital part of the economy
for American businesses and for American workers.
Thank you for this opportunity to testify, and I look
forward to your questions.
[The prepared statement of Ms. Rinaldo can be found in the
Appendix on page 54.]
Mr. Langevin. Thank you, Ms. Rinaldo.
Mr. Wilson, you are now recognized for 5 minutes.
STATEMENT OF B. EDWIN WILSON, DEPUTY ASSISTANT SECRETARY OF
DEFENSE FOR CYBER POLICY, OFFICE OF THE UNDER SECRETARY OF
DEFENSE FOR POLICY, U.S. DEPARTMENT OF DEFENSE
Mr. Wilson. Chairman Langevin, Chairwoman Stefanik, Ranking
Member Hice, and Ranking Member Stefanik, my apologies,
Chairman Lynch, and the members of the subcommittee, thank you
for the opportunity to testify before you today.
Mr. Langevin. Can you pull the mic a little closer to you,
General?
Mr. Wilson. Absolutely. Is that better, sir?
Mr. Lynch. You might want to turn it on.
Mr. Langevin. Is it on?
Mr. Wilson. I have got a green light. My apologies.
Chairman Langevin, Chairman Lynch, Ranking Member Stefanik,
Ranking Member Hice, it is really an honor to be here before
you and the subcommittee members. It is good to be back in this
Chamber, as well, testifying again. I look forward to
discussing the role of the U.S. Government in securing the
Nation's internet architecture alongside my counterparts from
the Department of Homeland Security and Department of Commerce.
It is a critically important topic. We understand the sense of
urgency behind this.
First, on behalf of Secretary Esper, thank you for the
tremendous support that Congress has given the Department of
Defense in our effort to improve our overall defense posture
related to cyber threats. We have made significant progress,
but with your support we continue to make significant progress
to deter, disrupt, and defeat strategic malicious cyber threats
directed at our national interests. Despite this progress, we
understand there is much more that needs to be done. And, with
that, we have been very, very focused on the progress ahead.
As the 2018 National Defense Strategy and the 2018 DOD
Cyber Strategy make clear, the U.S. homeland is no longer a
sanctuary from cyber threats. Our strategic competitors, such
as China and Russia, are conducting persistent cyber-enabled
campaigns to erode U.S. military advantage, threaten our
Nation's critical infrastructure, and reduce our economic
prosperity, which includes threats to our telecommunications
and information technology sectors.
These campaigns are being conducted below the threshold of
armed conflict, but collectively pose long-term strategic risk
to the Nation, our allies, and our partners. In response, the
Department adopted a proactive posture to compete with and
counter determined and rapidly maturing cyber adversaries. Our
objective is to prevent or mitigate significant threats before
they reach U.S. soil. We refer to this strategy as defending
forward. It is the core of our DOD Cyber Strategy.
This approach is focused on enabling our interagency,
industry, and international partners to strengthen their
resilience, close vulnerabilities, and defend critical networks
and systems, while simultaneously imposing costs on adversary
malicious cyber actors when called upon. Towards this end, the
Department is continually working with our partners, both
domestically and internationally, to strengthen the resilience
of networks and systems that contribute to current and future
military advantages.
The Department previously focused its defensive efforts
almost exclusively on military platforms, systems, and
networks. However, the evolving cyber threat [and] increasingly
proactive activities of key competitors have demonstrated
vulnerabilities that extend beyond our DOD systems and
networks. The vulnerability of critical infrastructure to
cyberattacks means that adversaries could disrupt military
command and control, banking and financial operations, the
transportation sector, the energy sector, various means of
communication, and a variety of other sectors. As a result,
supporting U.S. Government efforts in securing and defending
the Nation's critical infrastructure is a key priority under
our DOD Cyber Strategy.
Partnerships are an essential element of our National
Defense Strategy. We understand that our interagency,
international, and industry partners are vital to ensuring that
DOD can operate and project power in a contested cyber
environment. DOD's role in defending the homeland is outwardly
focused, like it is in any other domain of operations, focused
on strategic threats and supports our interagency partners,
including the Department of Homeland Security and the other
sector-specific agencies.
The U.S. Government has a limited and specific role to play
in defending against attacks on our Nation's internet
architecture, including through our trusted relationships with
industry. As we all recognize, security was not a primary
consideration when the internet was designed and fielded.
Although computers and network technologies underpin U.S.
military warfighting superiority by enabling the joint force to
gain the information advantage, strike at long distances, and
exercise global command and control, the private sector was and
operates now well over 90 percent of the interdependent
networks of information technology infrastructure across the
cyberspace domain. At the same time, the Nation's
telecommunications infrastructure is primarily owned by
commercial entities.
Our adversaries target our Nation's weakest links, and
vulnerabilities are consistently found across the full scope of
the internet ecosystem, be it government or industry.
The Department, which views the challenges it faces in
performance of its critical missions principally through a
national security lens, is nonetheless highly dependent on
privately owned infrastructure, decisions concerning which are
regularly guided by ordinary business or economic
considerations. Recognizing this inherent tension, defending
national critical infrastructure, including the Nation's
internet architecture, from significant foreign malicious cyber
activity has become an area of interest and emphasis for the
Department.
A large-scale disruption or degradation of national
critical infrastructure would constitute a national security
concern, as would threats to the DOD critical technology
information, other controlled unclassified information,
processes stored on non-DOD-owned systems and networks, which
demands a close cooperation alongside our partners.
This reinvigorated partnership alongside the FBI [Federal
Bureau of Investigation], intelligence community, was
instrumental to the whole-of-government efforts to protect and
defend the 2018 U.S. midterm elections from foreign
interference. We continue to leverage the lessons from this
experience and these activities to help shape and further
improve how we secure 2020 elections and other ongoing efforts
related to protecting and defending the Nation's critical
infrastructure.
Again, thank you for the opportunity to appear before you
today and for the continued support you and your staffs provide
as we address these challenges. I look forward to your
questions.
[The prepared statement of Mr. Wilson can be found in the
Appendix on page 61.]
Mr. Langevin. Thank you, Mr. Wilson.
We are going to go and do questions at this point. Members
are recognized for 5 minutes. Before we go to that, though, I
just want to mention that we are expecting votes in just a few
minutes, so we will get through as many of the questions as
possible. So if we can all stick to as close to 5 minutes in
questions and answers, that will move things along.
So, with that, I want to begin for all of our witnesses the
question: What role does the National Security Council and the
White House play in facilitating and coordinating amongst all
the Federal agencies, and can you describe efforts led by the
White House to address internet architecture security? Ms.
Manfra, if we could start with you.
Ms. Manfra. Thank you for the question, sir. Well, the
National Security Council, as a policy coordination body,
focuses on, from the cyber perspective, but also on the
resilience side, areas that we need to either identify or
implement policies as an interagency body.
They coordinated the National Cyber Strategy, which was
released some time ago. And in focusing specifically on, as an
example, things like the DNS ecosystem, supply chain for our
ICT [information and communication technologies] ecosystem, and
as well as other threats that may come up, coordinating both
the policy and any kind of response that we may need to do,
either urgently or in the long term.
Mr. Langevin. Ms. Rinaldo or Mr. Wilson, can you comment on
any aspects of interactions with the White House on
coordination?
Ms. Rinaldo. Yes. As Ms. Manfra said, the White House
routinely convenes meetings to bring us together to talk about
issues as the cyber strategy, supply chain, as well as other
issues that come up, as needed. It is an opportunity to bring
not only my two fellow witnesses to the table, as well as other
parts of the government that may have equities in these
processes as well.
So they are fairly routine, and with the cyber strategy we
have due out, so we regularly meet to see where we are on the
process of implementing that.
Mr. Langevin. Thank you.
Mr. Wilson.
Mr. Wilson. And I would just add, in the series of sessions
that we do do across the interagency led by the NSC [National
Security Council] team----
Mr. Langevin. Can you pull that microphone a little closer?
Mr. Wilson. Can do. I am going to put on my command voice
and project, if that is okay then. My apologies.
As we do, we look at a lot at the threat, we bring in
especially the intelligence community to understand the threat,
as well as a series of functional reviews that we do with
recommendations that follow. And that could be the report that
was referenced earlier about the botnet. It could be work that
is going on regarding ransomware across the interagency.
Sometimes it will start domestically, but then we will
bring in a larger team if we see some initial work at the
direction of the NSC team. And so, depending on the topic,
there is usually a series, but many times, we are organized to
be able to address specific threats and understand that threat
so that we have the right actions.
Mr. Langevin. Ms. Manfra, what is the role of law
enforcement agencies, such as the FBI and CISA's own Federal
Protective Service [FPS], in protective or defensive functions
such as hardening cable landing stations and IXPs that are
owned and operated by the private sector?
Ms. Manfra. Sir, we have a very close partnership with the
FBI in particular, specifically on some of these issues. The
FBI is able to kind of cross both on the intelligence side as
well as law enforcement authority, both to take actions, you
know, legal actions, if needed, through the justice process
against those who may not be following legal laws related to
how they are deploying their systems as well as conducting
investigations that we may be gathering from intelligence
sources, so working domestically to further investigation to
determine is there an issue.
Other law enforcement entities are not as involved on the
internet architecture issue itself, though they have the
ability to collect information, or if they have a related case,
to share that information.
FPS is primarily focused on physical protection of
government buildings, and we have worked with them on ensuring
that building owners are thinking holistically about cyber and
physical threats to their buildings, but not particularly
relevant, probably, to the internet architecture conversation.
Mr. Langevin. I think that is--again, the whole purpose of
this hearing is so we get a better understanding of what we
need to continue to focus on, in terms of hardening these
sites.
Let me just----
Mr. Wilson. Chairman Langevin, if I could maybe just add
on, the DOD has a very active role alongside DHS as well, both
domestically and internationally. And so we work with industry
partners, but domestically, especially with DHS, to understand
what information flows are moving through, so from a command
and control perspective or communications flow to our forces to
do assessments, and to understand that we have enough capacity
and diversity of undersea cable, you know, capability to be
able to execute our DOD missions.
To go into more detail, I probably need to go into a
classified session, but just to make you aware that we have a
very active relationship alongside our interagency partners,
very tied to our mission and execution of the DOD missions
around the world. So it is more of an international
perspective.
Mr. Langevin. Thank you.
I believe my time is expired, so I am going to stop there.
We are going to have some follow-up questions I would like to
submit for the record, and I ask you to respond to those. And,
with that, I believe votes have been called.
I am going to yield to Ranking Member Stefanik and,
hopefully, we can get through her questions.
Ms. Stefanik. Great.
Given the complexities of the ecosystem that we are talking
about today, I want to focus on supply chain security and
integrity, which many of you referenced in your opening
statement. I would like to understand in more detail, given how
complex the global telecommunications supply chain already is,
combined with emerging technologies like 5G, Internet of
Things, even cloud computing, how are you specifically
improving our supply chain security? Ms. Rinaldo, I will start
with you. That is question one.
The second one is, are there any specific technologies you
are more concerned about than others in securing our supply
chain; and specifically, what collaboration needs to happen
with industry and the private sector? So, Ms. Rinaldo, I will
start with you.
Ms. Rinaldo. Great, thank you. As you may know, on May 15th
of this year, the President issued Executive Order 13873,
securing the information and communications technology and
services supply chain, which gives the Secretary of Commerce
IEEPA [International Emergency Economic Powers Act] authority,
emergency powers to act on national security concerns with the
implementation of infrastructure into our telecommunications
networks.
This is something that NTIA is working with the Secretary's
office on. We are currently developing the interim-final rule
of the regulations on how this process will work out. We
believe that we are on track to have that delivered to the
President the middle of October.
But as well, through our multi-stakeholder processes, which
we are probably most known for, is an opportunity for us to
meet with technologists, policy makers, academia, civil society
to talk about these important issues. The thing that I really
love about NTIA is that we are able to pull back to the 50,000-
foot level and look, and then hone in on certain issues and go
down and tackle certain concerns or issues. And this is the
format that we use.
So we talk about vulnerabilities. We are currently working
on the software bill of materials specific to supply chain. We
definitely have concerns moving forward, especially as we move
to fifth-generation technologies. And I think it really gives
us an opportunity, as we talked about, is it, you know, baked
in or bolted on, that it gives us the opportunity to bake in
security as we move forward.
Ms. Stefanik. Ms. Manfra.
Ms. Manfra. Yes, ma'am. I will just touch high level, and
then we can--always happy to come back and go in more depth.
There is a lot to talk about on supply chain.
As Diane noted, around the Executive order, that is a key
component of the administration's approach, we at CISA have
also stood up an ICT Supply Chain Task Force, which is mostly
made up of private sector, but also colleagues across the
government, to focus on what are the most important things that
we can actually make progress on, what are the tangible things
we can do. And they have been working along a few of those
lines, particularly around procurement, government procurement,
which, to segue into what we are doing for government
procurement, following up on the law that was passed last
December around Federal acquisition security and supply chain
chaired by Grant [Schneider], but an interagency body to look
at how do we reform and modernize our Federal procurement
system to ensure that we are taking mission risk, I will call
it, into account when we are procuring and maintaining IT
[information technology] products and services.
So those are some of the things that we are doing. Specific
technology, I would say it is not necessarily a specific type
of technology that is concerning. What we have, really, from a
DHS perspective is we really think of it as a framework that
started with our experience in Kaspersky, but that you have to
really look at where is this product or data being held, what
are the laws of the country that mandate how that data or
products are treated, but you also have to look at what is the
level of access that that piece of software, or that piece of
hardware, that somebody would be able to gain access to. And at
various pieces of software, you have tremendous access into a
computer.
So that, combined with a country's laws that we have
concern about that would compel access, those things together
are what would cause us concern. So we are looking at a lot of
things and across the government is how do we understand things
like foreign ownership and controlling influence? How do we
understand what that means to risk? But looking at it through
that framework. And then, of course, what would always be the
consequence, that somebody who had that access and those laws,
is there any sort of significant consequence? So it is less
about the technology and more about the context that that
technology lives.
Ms. Stefanik. My time is expired. Mr. Wilson, I will take
yours for the record since we have expired.
I yield back.
[The information referred to was not available at the time
of printing.]
Mr. Langevin. I thank the ranking member. So votes have
been called. We are going to recess at this point. We will
return right after. There are three votes, so hopefully we will
get through those quickly and we will come right back, and then
Chairman Lynch will be up next for questions.
The committee stands in recess.
[Recess.]
Mr. Langevin. The subcommittee will come to order. I will
next recognize the chairman of the Oversight and Reform
Committee, National Security, Mr. Lynch.
Mr. Lynch. Thank you, Mr. Chairman. Again, I really
appreciate your willingness to come here and help us grapple
with these problems. Recently, I have had groups ask to meet
with me about the need for more funding from the government for
infrastructure security. And when you sort of look at the
landscape here, you know, you have Facebook and Apple and
Google and other private sector players that have a major role
here, and that have an intense investment, I think, in
maintaining security themselves.
Do you think there is a significant role here to play in
funding the necessary improvements to our infrastructure on the
part of, you know, internet companies, including mobile banking
and others, much the same way that, you know, we have a gas tax
for the users of our roads and highways that goes into the
transportation trust fund and helps with an enormous part of
the funding for that infrastructure?
Have you thought about this from a funding side in terms of
how we have to continually maintain the integrity of the
internet architecture, and in a way of doing that over the long
term? So I would offer it to the three of you, if you have
thought about this aspect of it. Ms. Manfra.
Ms. Manfra. Yes, sir, I can start. Yes, the funding
question is something we grapple with in a lot of areas. I will
say, when you are talking about those companies that provide
the internet architecture, the ecosystem that we are talking
about, as you noted, they have a lot of economic incentives to
have a secure and reliable infrastructure. So I don't know that
we have considered sort of funding those organizations. They
are also doing very well, as I understand it, and have a fair
amount of funding. There are other elements when you get into
State and local organizations and others that I think is a
separate conversation.
I will say when we think about how the government could
provide resources in this space in either complementing private
sector investment or driving change, it would be in the area of
standards and research and development. In how do we think
about--what sort of--there are some standards bodies, there
could potentially be new standards bodies, or existing ones
that evolve, to think about things like 5G, and as our, kind
of, overall internet architecture evolves, the government
thinking about how do we participate in that process either
through resourcing or participation.
And, importantly, I think in research and development, how
do we think of new ways to build more resilient infrastructure,
both resilient from a physical perspective and a cyber. So
those would be the areas that we have most thought about the
funding.
Mr. Lynch. Thank you. Ms. Rinaldo.
Ms. Rinaldo. When you look at the ecosystem as a whole,
most private companies underpin the internet architecture. So
what added benefit can government bring them to help move the
ball? At NTIA, we currently work with the private sector
through our webinars. We have a broadband group that actually
reaches out to rural areas to talk to local providers on how
can we help them improve their security and their resiliency.
We work through the American Broadband Initiative, which
the President initiated last year. We lead that on behalf of
the government, to, again, have these conversations on how can
we as a government help improve security and resiliency? And
one of the things that we hear back is information sharing,
something as--Chairman Langevin, we talked about just before
the hearing that I have been working on for a very long time.
What information can we pass as a government to local
providers, to vendor manufacturers, to ensure that they are
getting the quality of information to help them protect their
products that are being implemented throughout the supply
chain?
Mr. Lynch. Thank you. Mr. Wilson.
Mr. Wilson. I would just echo. I think when we look from a
DOD perspective, we look for the nexus when it revolves around
national security. And so, we are very active in standards
boards, not just domestically, but globally, associated with
the internet. In addition, we look at capability that could be
brought to bear from a DOD perspective.
We are very active in the research and development, it was
highlighted in the introductory comments, the defense--the
DARPA team. Also, our service laboratories, and I would also
have to tip my hat to the Department of Energy lab environment.
They do some great work in this arena. There is a lot of
partnering that goes on to bring innovation to the game--to
this table in terms of solutions. To be really a catalyst for
change. And there is several different----
Mr. Lynch. What about cost sharing, that is what I am
asking. From the private sector, you know, they are the major
beneficiaries, these private companies that are, you know,
hugely successful.
Mr. Wilson. Uh-huh. So in the Department of Defense, we use
a vehicle such as cooperative research and development
agreements with industry partners, really a sharing of either
personnel in intellectual property as well as resources. So we
may have a range in the Department of Defense where we can do,
you know, experimentation, et cetera. So we use several
different vehicles along those lines to be able to get after
high-priority requirements.
Again, we look for the national security nexus when it
comes to research and development standards, et cetera.
Mr. Lynch. Okay. Thank you very much, Mr. Chairman. I yield
back.
Mr. Langevin. Thank you very much. And Mr. Hice--
Representative Hice is now recognized.
Mr. Hice. Thank you very much, Mr. Chairman. Mr. Wilson,
while you were talking, we will just keep going here. About
this time last year, the Department of Defense released a cyber
strategy where it was highlighted the need to conduct
cyberspace operations. It is very intriguing to me, and
specifically to determine and to make sure that we are able to
maintain our U.S. military advantage, and at the same time, to
defend our national interest.
And in an interesting quote, and also, quote: To prepare
military and cyber capabilities to be used in the event of a
crisis or conflict. Those three areas are extremely important
to me, and I know in my own district, Fort Gordon, the Cyber
Center of Excellence resides there and they are very much
involved in all three of these areas.
Obviously, without going into classified information, but
would you be able to share some of the specific actions that
the Department has taken in light of that cyber strategy to--
just some insight on how things are going to protect our
infrastructure?
Mr. Wilson. Absolutely. So in August of last year, the
Secretary signed, Secretary Mattis at the time, signed out the
DOD Cyber Strategy. Some very core missions. Number one being
the ability to operate DOD joint force. So kinetic forces
alongside all the other forces in a cyber contested
environment, to be able to build resiliency into our joint
force. That was priority one from Secretary Mattis'
perspective.
In addition, we wanted to be able to bring cyber effects
operations, defensive and offensive, alongside our normal
kinetic operations. And so, we have been hard at work at doing
that. We have worked with Congress, with authorities, to be
able to execute in that arena. We usually are pretty--we do
some really good work in the area of hostilities in competition
with the revisionist powers we have seen, that they are
operating below our normal traditional response mechanisms. And
so, we have been very focused on that, so the strategy
addresses that.
Down at Fort Gordon, they are doing some great work,
Lieutenant General Fogarty and team, in terms of--that is the
ARCYBER, the Army Cyber team. They are focused right now in
CENTCOM [U.S. Central Command] theater, AFRICOM theater, the
Africa Command, doing some fantastic work.
When it comes to critical infrastructure, there was a
recognition that the Department of Defense had a role. And I
think if you had asked us maybe 2 or 3 years ago, it wasn't as
clear. We brought a strategy forward called the ``defend
forward.'' We focus in the Department, just like we do in any
other domain of operations, on external threats to the Nation,
and so in cyberspace we do the same things. We focus on those
external threats. We want to be able to see those threats,
understand those threats, see indications and warnings if there
is attack on critical infrastructure for the Nation, or DOD
forces or allies. And we want to be postured and prepared to be
able to respond to those attacks; preferably in a preemptive
fashion, if needed, versus waiting to take a strike and then
have to be----
Mr. Hice. Would you believe--how are we doing is kind of
what I want to know. Are we prepared offensively? Are we
prepared defensively? Are we prepared in the event of a crisis
here? I mean, where are we on these three areas? On a scale of
1 to 10, I mean, are we----
Mr. Wilson. So it depends on which category, and it is best
done in a classified setting, but maybe I can put a backdrop
behind it. We are making tremendous progress. Over the last
year, we have executed operations which we have briefed in the
Armed Services updates, and we are getting ready to do one here
shortly, across different--several different mission types. And
so, that is going very well on the offensive side.
On the defensive side, we are building tremendous
resiliency in the force; we have a long way to go. So, if you
are talking about the network, we have tremendous activity
going on end point security zero trust environment, and the
team is doing really good work. We also have activity going on
associated with weapons systems to make them more resilient.
And then we are beginning to look at defensive cyber effects
operations broadly to be able to mitigate risk to the best of
our ability.
Mr. Hice. Okay. Well, Mr. Chairman, I don't have time to
get into the next question, so I will go ahead and yield back.
Thank you.
Mr. Langevin. Thank you. Mr. Kim, I recognize you for 5
minutes.
Mr. Kim. Thank you, Mr. Chairman. I thank you so much for
being here and being able to have an interagency discussion
about this. I would like to just hone in on just some of my
understandings about some vulnerabilities and try to get a
better sense of how different agencies and departments are
honed in on this.
A concern that we have is certainly about the different
nodes in which the information is coming to us through internet
exchange points. We have one in New Jersey and we understand
some of the vulnerabilities that come with that. When
information is being transmitted through, let's say, the
undersea cables, through the internet exchange points, I, from
my understanding, is that the undersea cables is something
under the jurisdiction of DOD. The internet exchange points are
ones under the jurisdiction and oversight of DHS.
So I guess my understanding is how do we structure the
preparations or the coordination that is involved in that to
try to understand if we were to have any disruptions along
those points that we can understand what role different
agencies and departments play? Are there particular exercises
that are being done? Are there other ways that we can
understand who all is engaged, because from what I understand,
it's lots of different departments and agencies and offices
that are involved in that type of process.
So if you don't mind, I would love to just hear from across
the board what we can be doing on that front, and who are the
main actors that need to be at that table?
Ms. Manfra. Thank you for the question, sir. I don't know
that I would use the term ``jurisdiction.'' You know, we
don't--I wouldn't say we have jurisdiction over internet
exchange points, and I would defer to DOD, but I don't think
they have jurisdiction over undersea cables. What it is more
is, we have some interagency bodies, such as Team Telecom and
things like CFIUS [Committee on Foreign Investment in the
United States], other sort of bodies where we work together,
our three agencies plus others, to understand the risk and make
decisions, and are able to intervene, if necessary, in market
decisions in those particular cases.
In other areas where there is not a specific investment or
acquisition happening, we continue to work together. You know,
once you start getting further beyond the borders of U.S.
waters, obviously, there are others who start to have insight,
but we recognize the connectedness of that. So specifically on
undersea cables, we worked with the DNI, 2 years ago, issued a
report on threats to undersea cables, working very closely with
the DOD, DNI, and others to both better understand the threat,
but then on the DHS side, given sort of our authorities and the
public private partnerships, what can we do to counter that
threat, build more resilience, and, of course, DOD has
capabilities to use those tools as well as NTIA.
So it is not so much that here is clear jurisdiction and it
ends at this part of the internet architecture, and then the
next person picks it up. It is really largely private sector
led in all cases, and what we have are different tools to
analyze and make assessments and take action if we have some
concerns. Is there potential--more tools and better
cooperation? Absolutely, we can always continue to improve the
coordination, and that is why I think we have got those
national critical functions focused on, you know, how is the
stability of the internet overall? How are we focusing on that?
What are those different mechanisms and those tools and those
partners? That is how I would--I hope that is helpful.
Mr. Kim. No, that is helpful. Any of the other witnesses
want to jump in on this? Mr. Wilson.
Mr. Wilson. From a DOD perspective, what we really focus
and understand, try to understand the threat. So we work with
the intelligence community, and then our own insights. Also, we
do assessments so that we understand our reliance on cable
landing sites or any type of infrastructure. And then we
constantly are planning and coming up with contingencies. So
based on that reliance, we want to understand if that is lost,
in whatever fashion, however complex that looks like, our
ability to roll off and conduct operations maybe in a minimized
fashion with high-priority taskings. So that is a natural
rhythm that we move through in our war plan and OPLAN
[operations plan] activities. In addition, in our Tier 1
exercises, we do exercise in the loss of critical
infrastructure, which might include cable landing sites or
other undersea cables; that is a normal battle rhythm of
activity that we look at.
Just, I would point to maybe day-to-day. We do have--there
is just, you know, anchor drags and cable losses, and so just
naturally, we see in a day-to-day fashion the loss of
capability, whether it is natural disasters or man-made
calamities out there under the sea, we see that happen on
occasion on a very routine basis. And so we are constantly
having to already do this for a living, if you will, to
maintain mission.
Mr. Kim. Yeah.
Mr. Wilson. So we gain a lot of insight, and we do a lot of
after-actions and lessons learned, based on those experiences.
And so a pretty deep well of knowledge there and we share and
work hand in hand with DHS. We have natural rhythms. They see
our tasking orders, we share that from a cyber perspective.
Mr. Kim. Well, thank you for your insights. Mr. Chairman, I
yield back.
Mr. Langevin. Thank you, Mr. Kim. Mr. Banks is recognized.
Mr. Banks. Thank you, Mr. Chairman. I think we all agree as
the DOD moves toward an increasingly internet-integrated
warfighting posture, it is critically important to identify
vulnerabilities in software and hardware within the DOD
network.
Mr. Wilson, as identified in DOD's 2019 Digital
Modernization Strategy, DOD utilizes 10,000 operational IT
systems. I am concerned about the number of access points
within the DOD network. Does DOD have a complete inventory of
all items that can access the network?
Mr. Wilson. Today, the answer would be we do not. We are
driving very, very diligently to have insight and to be able to
see. We have several modernization efforts and several
initiatives underway, end point security and visibility being
the number one. So that we have visibility to all those end
points. Ten thousand end points, sir, would probably be a low
estimate.
So when you just look at end users out there, given we have
several million people inside the Department of Defense, that
number is much higher than that. And so, we need to be able to
have visibility to be able to mitigate risk. And so step one
has been insight, and end point security initiative that has
been underway. We are really driving hard. We are getting
tremendous traction alongside the services and our Fourth
Estate in the DOD enterprise.
In addition, we have an initiative underway called Zero
Trust where we are driving, so that we validate and limit the
movement so if something is exploited inside the network, that
we contain that to the best of our ability. So Admiral Norton
and the DISA [Defense Information Systems Agency] team are hard
at work on that alongside the service components. And so, it
has been a high-priority task. The deputy is taking reviews on
all of these initiatives plus more on a very routine basis, so
the sense of urgency is high on this one.
Mr. Banks. Good. Ms. Manfra, you testified that the CISA
works across government and industry to ensure the national
security and the emergency preparedness community has access to
priority telecommunications and restoration. Are government
agencies able to keep up with industry in issuing security
updates?
Ms. Manfra. I think much of what we use is industry
products. So it is more about ensuring the behavior that people
are actually, if you are referring to patching and those sorts
of things. We have had a lot of work that we have done around
this to focus behavior on those types of things. Are they
patching vulnerabilities that are identified? And we have
actually made a tremendous amount of progress.
I think we--I think we are able to keep up with them. In
some cases, we are actually leading industry. There is work
that we have done under one of our directives to improve web
and email security, and the government went from least secure
by an independent auditor to actually leading all industries in
the security of our websites.
So I think that there is--and I think that is what we need
to be doing. We should be not just talking about it, but
actually leading and putting these things in place. But it is a
mix of behavior and resource. Sometimes there is technical
challenges and we work with agencies in particular to assist
them on that.
But if that is getting at your question.
Mr. Banks. Yes. Mr. Wilson, back to you. How does the role
of the CIO [Chief Information Officer] coordinate with the DISA
regarding the responsibility of the DOD IT security?
Mr. Wilson. So the DOD CIO, by statute, has responsibility
for the standards and technology and the fielding of
capability. DISA is their operations arm. And so, DISA has
purview, and there is two roles, organizing, training, and
equipping alongside the services, all of our IT fielding.
In addition, the DISA commander, Admiral Norton, also wears
what we call the Joint Force Headquarters commander hat for the
DODIN, the DOD Information Network. So in that role, she is
able to direct activity in terms of orders out to the DOD at
large. And so that kind of is the arm that is able to execute
operationally day to day to mitigate risk. If there is an
incident, to be able to harness the power of the Department at
large and be able to mitigate that risk, to be able to drive
initiatives like the Zero Trust activity that I just
highlighted.
So DOD CIO is responsible statutorily for the Department in
terms of standards and compliance. And then the operation arm
is DISA that reports up through the DOD CIO.
Mr. Banks. Okay. Thank you very much. I yield back.
Mr. Langevin. Thank you. Mr. Higgins is now recognized.
Mr. Higgins. Thank you, Mr. Chairman. Ladies and gentlemen,
thank you for being here this afternoon. I have two questions.
One is very basic and the other is rather not. So let's handle
the basic question first. How do you ladies and gentlemen feel
about securing our undersea submarine cables that transmit most
of our signals? How do you feel about that? Where are we right
there?
Ms. Manfra. Well, sir, I would argue that----
Mr. Higgins. It has been identified as an area of potential
threat.
Ms. Manfra. Yes.
Mr. Higgins. And this could disrupt internet services
globally, and have serious economic impact, and perhaps
military implications, communications, et cetera. So without
getting into the weeds or revealing anything that shouldn't be
spoken of, what is your opinion? Is there more that should be
done and could be done?
Ms. Manfra. Yes, sir. This is a high priority for us, both
my agency and those here, as well as others that aren't
represented, and we are very focused on this. And, yes, there
is absolutely more that we will do and can do--is the short
answer.
Mr. Higgins. You concur, sir?
Mr. Wilson. Yes. For the Department of Defense, it is core
to what we do. And so I would just kind of maybe walk back
through. One, we want to understand the threat against undersea
cables in particular, because we are relying on them. Any time
that the DOD is relying on any kind of capability, we want to
understand the threat to it, where the vulnerabilities are, and
then----
Mr. Higgins. Those threats and vulnerabilities, in your
opinion, are being addressed?
Mr. Wilson. We understand the threat, and we understand the
vulnerabilities. So the next is, how do you mitigate those
risks? For us in the military, that would be an operations--the
execution of our operations day to day. So we have a very
robust effort that we continually look and assess undersea
cables, because it is the crux of and we rely on it for lot of
our communications----
Mr. Higgins. So in the interest of time, and thank you for
answering, please, just all of you, stay in very efficient
communications with both of these committees, whereby we can
give you anything you need because it would be a disaster for
the world if those things got hit.
So let's move to my question that is actually my concern. I
am concerned about national security issues regarding
protection from emerging technologies sponsored by nation-
states with global aspirations and strategies like China.
Specifically, I am talking about quantum computing. We have a
responsibility to protect the people's treasure, and, of
course, we have a responsibility to provide national security.
But are we talking about investing money on protecting ones
and zeros, long streams of ones and zeros, when China could be
on the verge of using entangled photons to communicate. They
recently had this public data and satellite transmission to two
separate land stations 1,200 miles apart, and achieved quantum
entanglement successfully.
A professor from LSU [Louisiana State University] in my
home State of Louisiana, a physics professor that spends a
large part of the year at the University in Shanghai, the
Science and Technology of China university, stated that he
believes China will go dark in 2 to 3 years, meaning we won't
be able to--we won't be able to understand and read their
communications. So if they reach a point through quantum
computing before we do, because we are spending money on VHS
tapes while the world moved to DVD, if they reach a point of
quantum entanglement and quantum computing efficiently and we
can't read them, then how would we know that they are reading
us? Remainder of my time, please, whoever feels qualified to
answer that question.
Ms. Manfra. Sir, first, I would offer that I think us and
potentially some other agencies would be happy to come in and
have a longer conversation about this, both quantum computing
and other emerging technologies are definitely top of mind, not
just our agencies, but many others. And I would argue that the
U.S. Government is investing a lot in ensuring that we continue
to maintain leadership in this space. And while, yes, we
absolutely have to----
Mr. Higgins. So we can look forward to a SCIF [Sensitive
Compartmented Information Facility] briefing on this?
Ms. Manfra. Yes, sir, we will----
Mr. Higgins. I would ask the chairman to consider that.
Mr. Langevin. Okay.
Mr. Wilson. And I would just add. I think quantum computing
is at the core. Digital modernization at large, 5G, quantum
computing, AI [artificial intelligence], large data or big data
analytics, et cetera, are all converging. And so, in the
Department of Defense, we see that as opportunity to field the
right kinds of capability, both for productivity, but for
effectiveness--mission effectiveness, but we also are looking
at it through the lens of risk. So how do we mitigate that risk
alongside our interagency partners?
We have the challenge of low-end and high-end conflict. And
so, we have a reliance and we are becoming more reliant on
those capabilities, so it is of utter importance. But we would
love to join----
Mr. Higgins. Thank you. So we look forward to a more
extensive briefing in a secure setting. Thank you, Mr.
Chairman.
Mr. Langevin. I thank the gentleman. Ms. Wasserman Schultz.
Ms. Wasserman Schultz. Thank you, Mr. Chairman. Ms. Manfra,
earlier this year CISA released a list of 56 national critical
functions. You defined these as functions, quote, ``so vital to
the United States that their disruption, corruption, or
dysfunction would have a debilitating effect on security,
national economic security, and national public health and
safety.'' Is that correct?
Ms. Manfra. Yes, ma'am.
Ms. Wasserman Schultz. As it pertains to internet
architecture, how does the identification of these 56 critical
functions alter CISA's approach to protecting our Nation's
internet infrastructure?
Ms. Manfra. Thank you for the question, ma'am. What it does
is more holistically defines what functions we are concerned
about. So, previously, while it is important to continue to
have these sector-specific approaches, but when we are talking
to the IT community and the communications community, we felt
it was important to narrow in a little bit more on what
specifically. So are we talking about routing and addressing.
Are we talking about the internet exchange point conversation
and physical infrastructure that supports the internet.
So we felt it was important to start to disentangle so it
is not just all, here is an IT and communications broad
structure. Industry already thought this way. It was really us
sort of catching up. And we will now shift how we prioritize
our resources and our engagements to ensure that we have the
right people in the room and we are taking the right actions
against those critical functions.
Ms. Wasserman Schultz. Thank you. And how does this change
CISA's outreach and coordination with the private sector and
with your partners at other agencies?
Ms. Manfra. What it really means is we were going to ensure
that the right players are in the room. We have great
partnerships with the IT and communications industries, but as
we started to think about a functional approach, which is,
frankly, the way the adversaries are thinking about it, we
recognize that not all of the correct players were in those
conversations.
So, we want to ensure that the owners and the operators,
the providers of services, are also a part of whether it is
just information sharing back and forth so they can give us
information about what may be going on, or we can provide them
information. But also, they are part of this broader policy
conversation when we are thinking about risks and what we want
to do about it.
Ms. Wasserman Schultz. Thank you. That list of national
critical functions includes providing internet-based content
information and communications services, and it also includes
conducting elections. Is that correct?
Ms. Manfra. Yes, ma'am.
Ms. Wasserman Schultz. Of course, our internet architecture
is connected to election security in many places across the
country. So let me start by asking you a question that I have
asked CISA Director Krebs multiple times since May of this
year.
Russia intentionally influenced our 2016 elections and is
expected to try again in 2020. Has the President received a
comprehensive briefing from CISA on potential Russian influence
in the 2020 elections?
Ms. Manfra. My understanding is the President has received
briefings and continues to receive briefings on threats.
Ms. Wasserman Schultz. No, no, I am asking you, has he
received a comprehensive briefing from CISA on potential
Russian influence in the 2020 elections?
Ms. Manfra. He has not directly received a briefing from
us, but he has received comprehensive briefings that we have
informed.
Ms. Wasserman Schultz. Okay. That is new information
because as that--since the last time I spoke with Director
Krebs where he said no, or he was not aware that--small
briefings here and there, that is different than a
comprehensive briefing, specifically given to the President of
the United States, on Russia's desire and intention to
influence the 2020 election. So since the last time I asked
him, that comprehensive briefing for the President of the
United States has taken place?
Ms. Manfra. Ma'am, to be honest, I am not in the meetings
where the President receives these, but I do understand that
the President has received multiple briefings on----
Ms. Wasserman Schultz. Okay. So essentially, you are giving
me the same answer that Director Krebs--he has not, to your
knowledge, had a comprehensive briefing from CISA on this risk?
Ms. Manfra. We have not directly provided him with
briefing.
Ms. Wasserman Schultz. Okay. Okay. Are there plans to brief
the President on this critical issue in a comprehensive way
from CISA?
Ms. Manfra. I have would have to defer to others on that.
Ms. Wasserman Schultz. And, lastly, are you familiar with
the Quadrennial Homeland Security Review?
Ms. Manfra. Yes, ma'am.
Ms. Wasserman Schultz. That is a critical document that is
used for assessing the Department's overall security strategy
and what it views as the most pressing threats to U.S.
security, including threats to critical infrastructure.
Congress mandates that DHS produce this review every 4 years.
Can you tell me the last time DHS submitted a Quadrennial
Homeland Security Review to Congress?
Ms. Manfra. Off the top of my head, I can't remember the
exact year.
Ms. Wasserman Schultz. It is 2013 or 2014.
Ms. Manfra. Okay.
Ms. Wasserman Schultz. And the most recent version of this
document was due to Congress in December 2017, but more than 20
months later, DHS has not submitted this critical document.
What is the status of the now long overdue 2018 Quadrennial
Homeland Security Review?
Ms. Manfra. Ma'am, I have to get back to you on that.
Ms. Wasserman Schultz. Okay. If you could. The bottom line,
Mr. Chairman, is not having an up-to-date Quadrennial Homeland
Security Review makes it more difficult for Congress to
evaluate DHS's strategy and coordinate with Federal agencies,
which you very effectively answered on homeland security
priorities, including our internet architecture.
So I would ask that you take it back to your bosses that it
is time to comply with the law. And if you actually take this
issue seriously, making sure that this report is issued in a
timely fashion is essential. Thank you, I yield back.
Mr. Langevin. I thank the gentlelady. And Mr. Waltz is
recognized for 5 minutes.
Mr. Waltz. Thank you, Mr. Chairman. Ms. Manfra, obviously,
DHS defends the homeland and defends our critical
infrastructure here, including our internet infrastructure. And
Mr. Wilson, DOD, in a number of briefings, has described its
posture now as defending forward in both classified and
unclassified briefings, and I have received a number of
briefings on what those activities have entailed, particularly
as it pertained to 2018 and our elections there.
Is there any discussion in the Department--in the Defense
Department, in particular amongst the interagency of moving to
a deterrent strategy, rather than a purely defensive strategy,
whether we are defending forward or defending the homeland.
What I mean by that is, you know, to use as an analogy,
terrorism.
We cannot bat 1,000, so to speak, using a baseball analogy.
At some point, we have to alter our adversary's decision
dynamic, and I think some members have described it as perhaps
blinking the lights in the Kremlin or holding their assets at
risk. What is the Department, from a policy standpoint, are
they moving that direction? Have you made a decision not to
move that direction, and we take a purely defensive posture? We
could talk across a number of domains, obviously, where we have
a deterrent strategy to stop and try and alter the behavior
rather than simply defend against it. Does that make sense? And
I would welcome your thoughts.
Mr. Wilson. Absolutely, sir. So last year, as part of our
cyber posture review, we delivered a report to Congress, really
hit two pieces. That was in early September. One was a holistic
assessment of our ability to execute the missions as
articulated in our DOD Cyber Strategy. So we did a gap
assessment that is a classified report that we can make
available.
In addition, we were asked to do some work on deterrence.
Specifically, deterrence in cyberspace. And so a couple of the
key takeaways: One, we believe that deterrence comes in a few
flavors, it is not just consequences. We think the first step
is deterrence by denial. So we want to deny adversaries the
benefit of what they are trying to achieve through a cyber
effects operation, or any other type of activity directed at
the U.S., our allies, or the Nation at large. And so, that is
where you see the partnership between DHS and the other
departments and agencies of the U.S. Government, where we have
stepped in and began to assist, enable, support the resiliency
of our critical infrastructure segments. Not just focused on
DOD systems, networks, weapon systems, et cetera. So our focus
is much broader because we do rely and we see the importance of
denying an adversary the benefit.
In addition, we look very hard at the ability, if called
upon, to deliver consequences, not just kinetically, or in all
the other domains of operation that the Department has, but
also in the domain of cyberspace. And so, a lot of assistance
from Congress with regards to some clarity on authorities. We
have also in the strategy tried to articulate our role uniquely
focused against external threats. And, in addition, the NSC
team in the White House has led us and the interagency through
a process with a new National Security Presidential Memorandum
13, which focuses on the decision process for either offensive
or defensive cyber effects operations. The details of that we
would have to go into a classified session, but that has been
in play and I think just----
Mr. Waltz. I would like to follow up and better understand
that. And then also, better understand how that has been
communicated to our adversaries, because obviously deterrence
is only effective if they understand the consequences.
Mr. Wilson. Absolutely. So strategy, a clarity of
authorities, and then the process for making decisions have
been very key in the consequences part. In addition, we look at
deterrence, really what I would describe as entanglement. So
how do we entangle ourselves, or use and leverage one of our
strengths as a Nation in the international arena?
So how do we bring alongside our close partners and operate
together, and make the complexity of a targeting problem for an
adversary more difficult. And then, lastly, how do we
strategically communicate any actions we are taking across as a
whole of government, not just the----
Mr. Waltz. Just in the interest of time, I will take that
for follow-up. Thank you and we will reach out to your staff.
Very quickly. Who has--I know there was a question earlier, and
I apologize if I am repeating it, on undersea cables. Who has
authority on--or who has responsibility for defending undersea
cables that directly affect the United States, its ability to
communicate in our economy and international waters? It is just
not clear to me, and if anyone wants to send that for the
record, in the interest of time, Mr. Chairman, I believe my
time is expired, I would appreciate it.
Ms. Manfra. I think it would probably be best if we
followed up with more details.
Mr. Waltz. Thank you.
[The information referred to can be found in the Appendix
on page 73.]
Mr. Langevin. Ms. Stefanik.
Ms. Stefanik. Thank you, Chairman Langevin. Mr. Wilson, my
question is for you. With respect to helping secure our
Nation's infrastructure and even responding to an incident or
an attack upon our critical infrastructure, can you clarify the
role that U.S. Cyber Command and U.S. Northern Command plays
and the relationship between the two? What role does DISA play
here? And are there clear chains of command so that these
organizations and commands understand their particular role?
Who is responsible for what? And then, how do they interface
with DHS?
Mr. Wilson. So if there is an attack on the Nation that
involves kind of a multi-domain attack, so kinetic strikes
against the Nation, NORTHCOM [U.S. Northern Command] has the
point. They have the lead for the defense of the Nation. So
from a supporting/supported relationship, NORTHCOM is point. If
there are activities that would require a cyber effects
operations, or any type of response, Cyber Command would be in
support of NORTHCOM in those instances.
If there is a unique, and it is a fairly contained, but
very focused on a cyber security threat or activity, then there
is a decision to be made, and in most cases, then we would look
to Cyber Command to be the lead, and they would be the
supported command, because it would be really contained within
their purview, in direct coordination with and lots of
communication and coordination so we are all on the same sheet
of music.
So that activity, we have exercised that on many occasions,
and that is maturing. I think if you had asked just a few years
ago, that was a bit cloudy. I think we are doing great work in
that front. Our Tier 1 exercises is beginning to really mature
those relationships and the command and control activity that
goes alongside those.
DHS is alongside in anything domestically along with FBI
representation, and so, when required, if it is a domestic
incident, there would be support either provided to DHS as part
of our normal defense support to civil authorities, or DSCA
roles, there is a mechanism to put that in play, and then we
would institute that.
Ms. Stefanik. Let me ask a more specific--let me use a more
specific example. As we are heading towards 2020, obviously one
of the focuses of every Member of Congress is making sure that
we have secure resilient elections. And we are well-positioned
to ensure that the lessons learned from 2016 in terms of our
vulnerabilities that we are being offensive in terms of
protecting our elections infrastructure.
So in that case, you know, let's say there are cyber
effects, how does that responsibility--can you go through that
decision-making process for that particular example. So online
election system as part of a critical infrastructure, who is
responsible for what?
Mr. Wilson. So we look at it through three really lines of
effort, or lines of operation. The first is associated with
election security infrastructure. So, in support of the DHS
team, because they have purview, and so whether that is
information, intelligence information sharing, activity
directed at helping to secure, share any threats, any
indicators of compromise, to make sure that the robust defenses
that are in place to secure elections infrastructure. So that
is kind of job one, if you will, for elections support.
The second line of effort we have within the DOD, and
General Nakasone is at the helm here, is associated with
disinformation, or malign influence. And so, FBI has point with
regards to disinformation associated with elections or any
other activity in the United States as a law enforcement
activity. And, so, likewise, the combined team of U.S. Cyber
Command and NSA [National Security Agency] would provide
support to the FBI in the form of information sharing, any
intelligence indicators we may have alongside the intelligence
community. So we are one of many that would be supporting.
FBI does the vast majority of outreach to, like, social
media to give them heads up that there is issues, that there is
a threat associated with, you know, a malign actor, Russia or
whoever, using social media to spread disinformation or try to
sway the public as part of the elections, or just day to day.
And then, the last would be if we are called upon as a
Department of Defense to deliver consequences in any form,
whether it be cyber effects operations or anything else, then
that is wholly within the Department of Defense, and we have
the procedures, ma'am, as you have been briefed on with regards
to the process for approval on those as part of the NSPM-13
[National Security Presidential Memorandum-13] process.
And so, we have executed some of those in the past, as you
have been briefed, I can't get into details in this forum. So
we are postured to be able to execute those types of operations
in the future from an offensive or defensive activity. At
times, we may partner with international partners, like we did
during the 2018 election, and close partners and providing
support in that arena, in what we would describe as hunt
forward as part of our defend forward construct.
Those are the structures we have used that was very
successful. We have gone in and looked at the after-actions and
are tuning that, but we are well underway with all three of
those lines of efforts for the 2020 elections.
Ms. Stefanik. Yeah, I think fine-tuning that is going to
continue to be important, because as you laid out, the
infrastructure, the disinformation, and the third bucket, you
have a lot of agencies who are in the mix, whether it is U.S.
Cyber Command, NSA, DHS, FBI, so making sure that there is--
DOD--there is a holistic approach and an understanding of who
is responsible, because oftentimes, the attacks, and we saw
this in 2016, it was multifaceted, it checked multiple boxes.
And thanks for the leniency. I yield back.
Mr. Langevin. Excellent points. And it is one thing when we
know the bad actor or what is coming; for example, we need to
be prepared for the upcoming 2020 elections. And just as in
2018, we had a whole-of-government, whole-of-nation approach,
we will do that again, I am confident, in 2020. The American
people should know that.
It is the things that we can't anticipate coming up that--
this is well-harmonized and the left hand knows what the right
hand is doing. So it is going to be well thought-out, and it
becomes muscle memory going forward.
Thank you, Ranking Member. Chairman Lynch is now recognized
for 5 minutes.
Mr. Lynch. Thank you very much. So we have about 2,600
internet companies, and I think there are no less than 90
undersea fiber cables that feed both the United States and its
territories. The trend has been that those cables are clustered
on a select number of landing stations. Is that clustering
effect, even though it creates redundancy, I guess, because you
got all these cables, which is good, the redundancy is good,
but the vulnerability that that prevents is--excuse me, that
that presents, is that a problem for us? Ms. Manfra.
Ms. Manfra. I would say----
Mr. Lynch. And by the way, the maps that show the cable are
all publicly available, so I am not giving up any----
Ms. Manfra. No, you are not, sir.
Mr. Lynch [continuing]. National secrets there.
Ms. Manfra. Most of what we actually see in the risks for
some of the co-location and consolidation comes from natural
hazards or accidents.
Mr. Lynch. Okay.
Ms. Manfra. And now that does also mean that other threats
could potentially take advantage of that, and we have done--
usually we are working jointly with the FBI, working to, you
know, understand, do physical security assessments of those
cable landing stations, helping the owners of those--of that
particular infrastructure, improve both their physical security
and the resilience, as well as----
Mr. Lynch. Okay.
Ms. Manfra [continuing]. Kind of how it gets passed from
the cable landing station into sort of the rest of the internet
ecosystem. So there is some--there is definitely concern around
some of that consolidation, but it usually manifests itself
when you have, say, a hurricane or something like that. So they
have already built a lot of resilience into that to combat some
of these natural disasters.
Mr. Lynch. Okay. Let me just rephrase the question a little
bit more generally. Do you repeatedly and continuously monitor
and do threat assessments on individual aspects of our internet
architecture?
Ms. Manfra. Yes, sir, we do.
Mr. Lynch. Once a year? Is that what we do it?
Ms. Manfra. It depends. We do probably--I don't know that
we would do any of them once a year. Many of these would be
assessments that, ideally, they could use for multiple years,
and would offer multiyear approaches to improving some of the
security. But in some of the areas where we have maybe
identified some weaknesses, or perhaps we have some threat
intelligence that they may be a target, we do prioritize
engagement, and we will continue to elevate the prioritization
of those. I think this is really in the last few years that we
have started to prioritize this.
Mr. Lynch. Speaking very generally, what keeps you up at
night? What do you worry about most when we look at the whole,
you know, the scheme of our internet architecture? What do you
think--and, again, being sensitive to the nature of the
question, what do you think we should be doing to, you know,
better protect ourselves?
Ms. Manfra. When it comes to internet architecture, I think
increased visibility, and working with those companies and
ensuring resilience. There is a lot of talk about security, but
I think resilience in this space, and it is already something
that the community understands.
So having a lack of resilience, and whether that is through
market pressures or others, would be a concern in that somebody
could take advantage of that, and you would have single points
of failure. I am not saying that we have that now, but that we
would get to a point where we did, and the adversary would be
able to have real, you know, catastrophic consequences as a
result.
Mr. Lynch. So the redundancy aspect of it, in many cases.
Ms. Manfra. Oftentimes, resiliency through redundancy.
There are other mechanisms for resiliency, but yes, redundancy,
I think, is important.
Mr. Lynch. Okay. Thank you very much.
I will yield back.
Mr. Langevin. Thank you.
And on that point on the redundancy and the resiliency,
obviously, things happen. There are physical failures. We
talked about the anchor drags, and so, it is not the first time
that a node has been damaged. And how quickly, give us a sense
of how that can be reconstituted, or you have that resiliency,
so you have another way of performing the same function through
some other mechanism. And with that, also, how many points of
failure then become on the scale of more catastrophic or
serious, where resiliency is harder, and it takes longer?
Ms. Manfra. I will take a stab at that, and then I can--so,
it is hard to provide sort of one answer to that, because I
think it depends on which part of it you are talking about.
When you are talking about submarine cables, cable landing
stations, internet exchange points, that part, you know, that
is a knowable universe of who owns that; and so, it means it is
also a little bit, I think, simpler, in terms of who we are
engaging with and how we improve the security and the
resilience.
You know, I think we have identified some really good best
practices. And, honestly, industry has really led largely
through telecommunications companies needing to build
resilience in hurricanes, or whatever. So they have created
mutual assistance agreements, essentially, in terms of when you
are thinking about roaming. And if one company can't handle a
customer set, because their infrastructure has gone down, they
have agreements in place. And they have been doing this for a
while. I think that is starting to evolve in broader than just
these TELCOs [telephone companies], and that is something that
we definitely welcome and want to encourage.
You also have to think about as the market is sort of--
there are new players now coming into the market that didn't
typically have cable landing stations or submarine cables. So
how do we kind of think about these different market players,
whether that is providing mutual assistance or the government
ensuring that we prioritize?
We learned about this, whether it was, you know, Puerto
Rico, Virgin Islands, some of these significant events in the
Caribbean that had impact to critical nodes of our
communications infrastructure. How do we ensure that working
with FEMA [Federal Emergency Management Agency], that we are
prioritizing the restoration of those services or we are
helping industry prioritize the restoration of those services?
Ms. Rinaldo. I think we often hear that the internet was
not built with security in mind, but it was built upon to be
resilient, and it is very resilient.
You know, a couple of things: With a routing cable, if
there is a glitch, it can reroute traffic. It does reroute
traffic. For the DNS system, DNS--NTIA represents the United
States at ICANN [Internet Corporation for Assigned Names and
Numbers] on these issues. We lead the DNS Interagency Working
Group. There are the authoritative route servers, but there are
also more than 1,000 route server instances, or anycasts, that
are distributed all throughout the world. And this is done for
security, for stability. It is done for the consumer.
So there are many instances that resiliency has been built
into the system, and even to this day, we keep building and
making sure that the system remains and is stable, because it
is such a driver of our economic lives in this country as well
as how we operate.
Mr. Langevin. Mr. Wilson, do you have anything to add on
that?
Mr. Wilson. Chairman Langevin, I would just add that, you
know, just based on experience, the answer is it depends, in
terms of a cable outage. If there is a cable outage at sea and
you are, you know, a 2-day steam out to, you know, fix that
cable, the diversity and the resiliency of the architecture can
work around that.
As cables converge and if there is an incident like in a
harbor or something, that may have more consequential outcomes.
However, it is closer, so the remedy is typically quicker. In a
lot of cases, it is just a physical restoration of services.
So the answer is, it depends. It can be very quick, a
matter of hours. It can be several days, if not more, depending
on the location and the type of fix action that is required.
But I would just echo that these systems are built with
resiliency.
Chairman Lynch, to your question, what is the threat? I
think it would be the miscalculation of an adversary that is
trying to seek or take--seek an outcome. It miscalculates with
regards to how they go about doing it, the WannaCry-like
incident that maybe has much more implications, worldwide or
globally, than what an actor would have anticipated. That is
what, I guess, keeps me up in the middle of the night.
Mr. Langevin. So I want to just go back to the role of
CYBERCOM and NORTHCOM in defending physical sites that are part
of the internet architecture ecosystem. Do you have that worked
out? And we have kind of touched upon that, but who has primary
responsibility in defending those sites?
Mr. Wilson. So for the Department of Defense, we have very
good knowledge about which systems we rely on. We have good
plans in terms of mitigation with regards to moving to
secondary or tertiary capability, whether that is cable systems
or whatever portion of the architecture.
When it comes to defending--most of these are owned and
operated by commercial vendors, in terms of these heavy-haul
systems that we are talking about. So defending is a bit of a
different question. It is the resiliency that is built in. But
we understand our reliance, and if we need to take action to,
if it is not happening naturally, is to be able to bring online
other systems.
Many times for the Department, that may be prioritization
of mission. In other words, we may have to go without that
broadband or that very large bandwidth support in terms of
comms. We may have to go to a much more minimized posture. We
understand how to do that, and we have moved to that
contingency action, set of actions. That is part of how we do
business day in and day out.
Mr. Langevin. Thank you.
I guess the last question that I will have is for Ms.
Rinaldo. Given NTIA's role in international standards bodies,
can you speak to how this issue is viewed by other countries
and your international counterparts?
Ms. Rinaldo. Thank you for the question. Yes. We represent
the United States at ICANN, as well as we are very active in
standards bodies 3GPP [Third Generation Partnership Project],
IETF [Internet Engineering Task Force], as well as others, ITU
[International Telecommunication Union], which is the
telecommunications arm for the U.N [United Nations]. We have
great allies around the world. We coordinate with them often.
We coordinate with them through different conferences as well
as bilats throughout the course of the year. We want to make
sure that as we face threats to our infrastructure, threats to
the networks, that we are speaking with one voice and making
sure that we are pushing back.
There are more of us than them, so we want to make sure
that we continue these conversations, so when foreign
adversaries do pose threats, that we keep having those lines of
communication open. And these four that do occur around the
world, it is an amazing opportunity to not only exchange notes,
but to further deepen those bonds.
Mr. Langevin. Thank you.
With that, Mr. Higgins is now recognized for 5 minutes.
Mr. Higgins. Thank you, Mr. Chairman.
Mr. Wilson, if a United States Navy ship is fired upon by
an identified approaching vessel, an aggressor, do we return
fire?
Mr. Wilson. There are standard rules of engagement
regarding----
Mr. Higgins. Yes, sir.
Mr. Wilson. Absolutely.
Mr. Higgins. If a soldier in a theater of engagement is
fired upon by an identified aggressor, do we return fire?
Mr. Wilson. Yes.
Mr. Higgins. Ms. Manfra, do you see the comparison? So
please explain to America what the difference of our policy is
when we come under cyberattack, our policy regarding preemptive
attack, or our policy regarding return fire. If the aggressor
can be identified, there is a growing consensus on the part of
that group that if we can identify these guys, why don't we
strike back?
Ms. Manfra. Well, sir, I think the Department of Defense is
doing a lot of work to be well-postured and to do just that. I
think it is important, though, to not conflate every cyber
incident as having the same consequences, shooting on one of
our sailors or soldiers.
Mr. Higgins. Why not? If we come under cyber fire, why
would we not return cyber fire?
Ms. Manfra. I would say two things: Cyber fire, it could
often just be a--it could be a data breach. I would argue that
that is not an act of war. That is why we focus so much on the
consequences.
Mr. Higgins. Well, let's talk about that with America for a
moment.
Ms. Manfra. Okay, sir.
Mr. Higgins. If a database--let's refer to it as that--
comes under missile attack, is that an act of war? If it is
destroyed by a missile that is an act of war, but if it is
destroyed by cyber, that is not? These are legitimate
questions.
Ms. Manfra. A very legitimate question, sir, and one that a
lot of people are thinking very hard about. I just--I would
say----
Mr. Higgins. Let me compare it to sniper fire.
Ms. Manfra. From my perspective, sir----
Mr. Higgins. Like returning sniper fire, very targeted
return fire.
Ms. Manfra. We have a long history of defining what it
means to escalate and to have an act of war. And the digital,
sort of, modernization of our economy has forced us to think
differently about that. I don't want to suggest that we are not
returning fire when we are attacked. I only mean to suggest
that it is important to understand what the consequences are
that they are achieving and that we use the right tools.
It is not always necessary to return a cyber fire, as you
said, sir, with a cyber gun. There are many other tools that
the government has and does use, but I think one of the things
that I am proudest of is the work that we are doing with DOD to
ensure that both of us are postured and positioned to not only
defend what we can domestically, but so that DOD is better
postured to take such actions.
Mr. Higgins. Very well. That was an intelligent answer. Let
me just close by saying that America is not accustomed to
hiding when we come under fire. And Americans watching right
now, they think we are returning fire, and we are largely not,
not to the standards that it is common knowledge that if a Navy
ship comes under fire, that other ship is about to get
something back.
Ms. Manfra. Yes, sir.
Mr. Higgins. If a soldier comes under fire, we are going to
return that with superior fire and training. But cyberattack is
legitimate, is dangerous. It threatens our commerce, our
industry, our grid, our internet infrastructure, our military,
our financial institutions. It is certainly a legitimate
threat. We are talking about it today. And America expects us
to return fire.
Ladies and gentlemen, sir, thank you for being here today.
Mr. Chairman, I yield.
Mr. Langevin. I thank the gentleman.
I want to thank all of our witnesses for your testimony
today. Members may have additional questions, and we would ask
that you be responsive in answering those questions and
submitting them to the committee.
Again, I want to thank you for the important topics we have
discussed today. The answers--obviously, this is going to be an
ongoing dialogue. It is something we have to pay continued
attention to. I also just want to thank Chairman Lynch and
Ranking Member Stefanik and Ranking Member Hice for their
participation and support of this hearing.
I yield to Mr. Lynch for any final comments that he would
like to make before we adjourn.
Mr. Lynch. I think these witnesses have suffered enough. I
think we should probably let them go.
Mr. Langevin. Very good. I thank you all for being here and
what you do on behalf of the country.
This meeting stands adjourned.
[Whereupon, at 4:42 p.m., the subcommittees were
adjourned.]
=======================================================================
A P P E N D I X
September 10, 2019
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
September 10, 2019
=======================================================================
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
=======================================================================
WITNESS RESPONSES TO QUESTIONS ASKED DURING
THE HEARING
September 10, 2019
=======================================================================
RESPONSE TO QUESTION SUBMITTED BY MR. WALTZ
Ms. Manfra. The majority of submarine cables are privately owned by
a mix of domestic and foreign entities. The protection of these cables
is a complex question, considering they travel through domestic and
international waters, some of which are contested areas. While the U.S.
and its allies have significant interest in ensuring the safety and
continued functionality of submarine cables, it will require a
``concerted effort'' from the United States and its allies to ensure
the confidentiality, integrity, and availability of the data that
traverses subsea systems, in addition to the physical security of the
cable and cable landing station. While DHS is the communications
sector-specific agency per PPD-21, the current responsibility for
defending undersea cables landing in the United States involves a
``whole of government'' approach, which includes the Navy in our
Exclusive Economic Zone (EEZ) and the Coast Guard within our 12 mile
nautical sovereignty zone. Team Telecom--primarily made up of executive
branch agencies DOD, DHS, and DOJ--acts as an advisory committee to the
FCC in matters related to foreign investment into US domestic
communications infrastructure. Letters of Assurance (LOAs) and Network
Security Agreements (NSAs) are memorandums of understanding between the
USG and the cable owners/operators that govern the location of assets,
types of principal equipment, physical access controls, and other
relevant factors surrounding the functionality and protection of
undersea cable systems. DOD, DHS, and DOJ enforce Team Telecom
agreements through periodic compliance and mitigation visits to cable
landing sites, network operations centers, and other relevant
infrastructure. The Department of Justice and Federal Bureau of
Investigation investigate and prosecute criminal acts and espionage-
related activities. These activities are informed by reporting from the
intelligence community and various other federal agencies. [See page
30.]
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
September 10, 2019
=======================================================================
QUESTIONS SUBMITTED BY MS. STEFANIK
Ms. Stefanik. As you think about our vulnerabilities, are insider
threats an area of concern with respect to our Nation's internet
architecture, from either within government or even industry and the
private sector? How do you monitor for insider threats? Are there
policies in place that allow you to have a dialogue and understand
insider threats from within industry and the private sector, or is this
difficult given privacy issues?
Ms. Manfra. Malicious insiders pose a serious threat to
organizations in the public and private sectors, including those that
own, operate and support our internet architecture. Insiders'
authorized access and detailed knowledge of critical assets offers them
opportunities to compromise information, sabotage infrastructure, or
inflict harm upon co-workers. While insider-threats will always remain
a concern, it is possible to significantly limit the amount of damage a
bad insider can do by properly implementing hardware, software, and
procedural controls to sensitive networks To help counter this threat,
the Cybersecurity and Infrastructure Security Agency (CISA) strongly
advocates for an engaged workforce, one that is trained to recognize
and report suspicious behavior or activity and can help defend against
insider threats. Personnel security, as well as technical and
procedural countermeasures, can also assist in detecting suspicious
behavior and minimizing the risk that insider threats present. In
addition to free educational materials, CISA's Protective Security
Advisors work with organizations throughout the U.S. to learn how they
are prepared to deal with insider threats, and to help organizations
develop capabilities to mitigate potential insider threats through in-
person training workshops. Voluntary information sharing and
collaboration with industry and private-sector organizations on the
value of insider threat programs and mitigation techniques has been a
valuable tool in CISA's infrastructure security and cybersecurity
missions.
Ms. Stefanik. Given the private sector and industry own the
overwhelming majority of communications infrastructure, how do you
engage on a recurring basis with the private sector, especially major
carriers and telecommunications companies? What are the recurring
themes in these conversations? Are there policy differences, or
specific problems you are currently working through?
Ms. Manfra. Information and Communication Technology (ICT) Supply
Chain Risk Management Task Force
The Communications Sector co-chairs the ICT Supply Chain
Risk Management Task Force (Task Force).
The Task Force was formed in 2018, with strategic
mandates to provide a forum for the collaboration of private sector
owners and operators of ICT critical infrastructure and to provide
advice and recommendations to the U.S. Department of Homeland Security
(DHS) on means for assessing and managing risks associated with the ICT
supply chain.
The working groups have developed policy recommendations
and guidance documents for the Federal Acquisition Security Council's
consideration. The Task Force has produced an Interim Report on its
activities for the first year and will begin its year-two activities in
the fall of 2019. National Critical Functions
DHS, through the CISA National Risk Management Center
(NRMC), released a set of National Critical Functions in April 2019.
The Communications Sector actively participated in this work effort and
will continue to be a key partner as CISA begins to build a risk
register that will add a more prioritized and strategic overlay to
CISA's critical infrastructure protection efforts.
Tri-Sector Executive Working Group
Actively participates as a member of this Critical
Infrastructure Partnership Advisory Council Working Group that was
established by the NRMC to collaborate, to understand, prioritize, and
manage systemic risk, and plan for and respond to cross sector
incidents. Specifically, the Communications Sector, along with the
Financial Services Sector and Electricity Sub-sector worked together to
(1) better understand systemic risk that might impact all three
sectors; (2) build cross-sector incident response playbooks; and (3)
direct the development of better intelligence collection requirements
to these sectors.
National Security Telecommunications Advisory Committee
The President's National Security Telecommunications
Advisory Committee (NSTAC) provides industry-based analysis and
recommendations to the President and the Executive Branch regarding a
wide range of policy and technical issues related to
telecommunications, information systems, information assurance,
infrastructure protection, and other national security and emergency
preparedness (NS/EP) concerns.
President Ronald Reagan created the NSTAC when he signed
Executive Order (EO) 12382, President's National Security
Telecommunications Advisory Committee. The NSTAC is composed of up to
30 Presidentially-appointed senior executives, who represent various
elements of the telecommunications and information technology
industries. The NSTAC meets quarterly to report its activities, while
providing recommendations to the President on policy and enhancements
to NS/EP telecommunications.
The NSTAC recently completed a study of the technology
capabilities critical to NS/EP functions in the evolving ICT ecosystem.
The goal was to determine what Government measures and policy actions
could be taken to manage near-term risks, support innovation, and
enhance vendor diversity in this industry. Specifically, the NSTAC
analyzed threats to supply chain security and resiliency that exist due
to the diminishing number of trusted manufacturers producing ICT
components.
In September 2019, the NSTAC submitted its
recommendations in the NSTAC Report to the President on Advancing
Resiliency and Fostering Innovation in the ICT Ecosystem. In the
report, the NSTAC recommended that the President create a new role
within the White House called the Senior Advisor to the President for
ICT Resiliency; and develop a national strategy on advancing resiliency
and fostering innovation in the ICT ecosystem, empowering whole-of-
nation resources to pursue a more fundamentally safe internet
environment for critical services.
On October 17, 2019, the NSTAC kicked off its next study,
examining the importance of software-defined networking (SDN). This
study will examine the importance of SDN; identify the challenges and
opportunities related to SDN; and assess the utilization of SDN and
corresponding mitigation issues. The goal of the study is for the NSTAC
to (1) develop a strategic plan and best practices for deploying SDN in
Federal networks and critical infrastructure; and (2) provide the
Government with a better understanding of how SDN can potentially
address security challenges including ICT supply chain risks.
Network Security Information Exchange
The Network Security Information Exchange (NSIE) is an
information sharing forum charged with devising strategies for
mitigating cyber threats to the Public Network (PN). The NSIE's primary
objective is to enhance the security of communications networks
required for NS/EP.
CISA participates in bi-monthly joint NSIE meetings,
which include membership across U.S. Government and industry. NSIE
membership also includes industry and Government participation from the
Five Eyes. Industry participation includes major carriers and
telecommunications companies (i.e., NSTAC NSIE members, including AT&T,
Verizon, etc.). CISA provides NSIE leadership in the form of the U.S.
Government NSIE chair and program manager.
Joint NSIE meetings include a closed session, where NSIE
members share information on emerging network security challenges,
vulnerabilities, and mitigation strategies.
The NSIE periodically assesses risks to the PN from
electronic intrusions. In December 2014, the NSIE completed An
Assessment of the Risk to the Cybersecurity of the Public Network,
which focused on how changes in technology have affected the PN and
recommended effective mitigation strategies. NSIE members plan to
update the risk assessment in 2020, and may examine new issues such as
DNS encryption, log management, workforce training, 5G, and insider
threat. CISA will support development of the document.
National Security and Emergency Preparedness (NS/EP) Communications
The Department maintains a unique contractual
relationship with the private sector, through major carriers and
telecommunications companies to fulfill responsibilities of EO 13618,
Assignment of National Security and Emergency Preparedness
Communications Functions.
CISA's Emergency Communications Division conducts a bi-
monthly Service Provider Council forum to address nonproprietary
telecommunications service matters dealing with NS/EP Communications
requirements for priority service capabilities within the carrier
networks as they upgrade switching technologies to all internet
protocol based.
Ms. Stefanik. With regard to emerging technologies, specifically 5G
technology, and the exponential increase in the number of connected
devices and services in the very near future, how exactly are you
factoring this technological evolution into your strategies and your
coordination with the private sector, to fully understand the impacts
and risks?
Are there any policy limitations or laws limiting your approach?
How about the challenges with spectrum, the limited availability, and
the potential for dynamic spectrum sharing technologies to help manage
the on-ramp of things such as 5G?
Ms. Rinaldo. The National Telecommunications and Information
Administration (NTIA) is taking a multifaceted approach to address the
challenges of the proliferation of 5G. This starts with assessing how
such technologies will alter the communications marketplace and the
impact they will have on numerous adjacent industries and applications.
Consistent with the Administration's view that the private sector must
lead in 5G development and deployment, NTIA works to support U.S.
technological leadership by making sufficient spectrum available,
facilitating broadband deployment, ensuring U.S. networks are secure,
supporting industry in global technology standards development, and
promoting needed research, development, testing and evaluation efforts.
Access to spectrum is critical to 5G. Although spectrum is a limited
resource, NTIA has been very successful in its continuing collaboration
with the Federal Communications Commission to make additional spectrum
bands available for commercial use while ensuring federal agencies have
the spectrum needed to perform their important missions. In some
instances, exclusive-use licenses are made available but, because of
the congested nature of the spectrum environment, increasingly most
spectrum bands are shared, including between federal government and
non-federal government users. Traditional, static methods of sharing,
principally by excluding new entrants from using specific frequencies
or from operating in specific geographic areas, are starting to be
replaced by more dynamic sharing models, such as the newly launched
Citizens Broadband Radio Service (CBRS) 3.5 GHz band. CBRS represents a
significant advance in dynamic spectrum sharing and may prove
applicable to future spectrum management frameworks.
Ms. Stefanik. As you think about our vulnerabilities, are insider
threats an area of concern with respect to our Nation's internet
architecture, from either within government or even industry and the
private sector? How do you monitor for insider threats? Are there
policies in place that allow you to have a dialogue and understand
insider threats from within industry and the private sector, or is this
difficult given privacy issues?
Ms. Rinaldo. Every organization faces internal threats, including
Internet infrastructure organizations. Identifying and responding to
these threats requires careful risk management practices, which can
include practices ranging from controlling use of administrative
privileges, to data loss and theft prevention, to physical security of
key assets. A number of resources exist to help organizations assess
insider risks and develop an insider threat program, including those
published by the Cybersecurity and Infrastructure Security Agency, the
National Institute for Standards and Technology, and the SANS
Institute. For its part, NTIA participates in interagency discussions
with our federal partners, and works through a range of industry fora
to help the private sector better address their cybersecurity risks,
including insider threats.
Ms. Stefanik. Given the private sector and industry own the
overwhelming majority of communications infrastructure, how do you
engage on a recurring basis with the private sector, especially major
carriers and telecommunications companies? What are the recurring
themes in these conversations? Are there policy differences, or
specific problems you are currently working through?
Ms. Rinaldo. NTIA engages with the private sector, including major
carriers and telecommunications companies, in multiple ways. For
example, NTIA is an active participant in the Government Coordinating
Councils (GCC) for the Communications (CGCC) and Information Technology
(ITGCC) sectors, and regularly attends both the ``joint'' and ``quad''
meetings with private sector participants. These Department of Homeland
Security and Sector-Specific Agency-led councils provide a useful forum
for bringing together government and private sector organizations. NTIA
has established its leading role in cybersecurity through use of the
multistakeholder process to convene stakeholders to address pressing
cybersecurity concerns. These efforts have broad participation from
industry, academia, research institutions, and federal departments and
agencies. Our multistakeholder process efforts have addressed a wide
range of topics, including software component transparency, Internet of
Things (IOT) component upgrades and software patching, and coordinated
vulnerability disclosure. NTIA's current multistakeholder process
brings stakeholders who draft documents that are approved by a
consensus of the stakeholders on how to develop a ``software bill of
materials'' that list the components that make up software--a concept
similar to a food ingredients list for products on grocery store
shelves. The goal of the multistakeholder process is to increase
transparency around the use of third-party software components so that
when vulnerabilities are detected, there is a way to quickly respond to
and recover from risks.
Ms. Stefanik. As you think about our vulnerabilities, are insider
threats an area of concern with respect to our Nation's internet
architecture, from either within government or even industry and the
private sector? How do you monitor for insider threats? Are there
policies in place that allow you to have a dialogue and understand
insider threats from within industry and the private sector, or is this
difficult given privacy issues?
Given DOD's connections to the Defense Industrial Base, what unique
responsibilities does the Department have as the lead for the DIB as a
critical sector?
Mr. Wilson. Insider threats to the Department, the Defense
Industrial Base (DIB), and Defense Critical Infrastructure are of great
concern to the Department. The Office of the Under Secretary of Defense
for Intelligence (USDI) is the overall lead for countering insider
threats in DOD. As the Sector Specific Agency (SSA) for the DIB, DOD
facilitates its DIB partners' efforts to improve the security and
resilience of DIB networks and systems, in close coordination with the
Department of Homeland Security (DHS), the Federal Bureau of
Investigation (FBI), and others. In addition, USDI and the Office of
the Chief Information Officer (CIO) have forged a partnership to secure
networks within the perimeter to monitor for potential insider threats.
The National Industrial Security Program (NISP) is administered by the
Defense Counterintelligence and Security Agency (DCSA) on behalf of the
Department of Defense and 33 other Federal departments and agencies.
Under the NISP, cleared industrial facilities are required to have an
insider threat program consistent with E.O. 13587 and the National
Insider Threat Policy and Minimum Standards for Executive Branch
Insider Threat Programs. The intent is to ensure that insider threat
programs at commercial facilities are organized and run like those
found at Executive Branch departments and agencies. Many of the major
defense contractors have established corporate insider threat programs.
The Department remains committed to enabling robust security practices
beyond cleared facilities in partnership with the private sector.
Recently, both the White House Office of Science and Technology Policy
(OSTP) and the Under Secretary of Defense for Research and Engineering
sent letters to the U.S. research community to increase awareness of
insider threats like foreign talent programs that seek to undermine,
exploit, and erode our world class research enterprise. DOD shares
insider threat related data with industry partners, as permitted by
law. Through a series of pathfinder initiatives, the Department is
focused on improving its collaboration with DHS, other SSAs, and
appropriate private sector entities--including select critical
infrastructure partners--by sharing threat information, conducting
collaborative analysis of vulnerabilities and threats, and, when
authorized, mitigating those risks. These pathfinders, in turn, enable
the Department and its Federal partners to leverage private sector
threat information to support DOD's mission.
Ms. Stefanik. Given the private sector and industry own the
overwhelming majority of communications infrastructure, how do you
engage on a recurring basis with the private sector, especially major
carriers and telecommunications companies? What are the recurring
themes in these conversations? Are there policy differences, or
specific problems you are currently working through?
Who specifically in the Department of Defense does this outreach
and maintains awareness?
Mr. Wilson. DHS serves as the SSA for the Communications and
Information Technology Sectors, and works closely with DOD, the
Department of Justice (DOJ), the Department of Commerce, the Federal
Communications Commission (FCC), the General Services Administration,
the Intelligence Community, and the private sector to address both
short-term and longer-term challenges regarding risks to
telecommunications networks. Within DOD, the Office of the Chief
Information Officer is the lead for the Department's participation on
Team Telecom, an interagency working group of representatives from
Federal government entities, including the DHS and DOJ co-chairs,
charged with ensuring the national security of our telecommunications
networks and infrastructure. Team Telecom is involved in reviewing
foreign acquisitions of U.S. communications infrastructure as well as
evaluating FCC Section 214 license applications to operate or provide
telecommunications networks in the United States for national security,
public safety, and law enforcement concerns.
______
QUESTIONS SUBMITTED BY MR. KIM
Mr. Kim. There was mention of individual agency exercises, but what
about real-world exercises between different agencies? Who do you think
should be invited to these exercises? And what are the roles for
private companies and State and local governments? And who should be in
charge of running these?
Ms. Manfra. CISA conducts exercises with agencies to help increase
cybersecurity preparedness and resilience. Some exercises are internal
to a single agency, while others include multiple agencies or even
private sector partners. One noteworthy effort is Cyber Storm, CISA's
biannual capstone cyber exercise. This includes multiple federal
agencies, as well as state and international governments, and the
private sector. The exercise engages players in the discovery of and
response to a widespread cyber incident. Agencies walk through their
plans and procedures to share information, coordinate with partners,
and simulate response actions. Currently, approximately 150
organizations are slated to participate in Cyber Storm 2020.
Participants vary, based on the specific goal and objectives of the
exercise. CISA usually recommends a cross-section of people who have a
role in cybersecurity. This can include senior leadership,
cybersecurity or information technology (IT) security staff, incident
response teams, analysts, legal, public affairs, human resources (HR),
or the data or system owners. Private companies and state and local
governments often participate in exercises as players. Cyber Storm is
one example of an exercise that engages all stakeholders in one
coordinated effort. CISA also conducts exercises for major events like
the Super Bowl, which bring together government and private sector to
talk about how they would share information or respond to a cyber
incident that would have impacts across their organizations. CISA is
well-positioned to run these types of exercises for various reasons.
First, we have responsibilities for federal cybersecurity and asset
response, so the exercises outputs inform potential plans and
procedures and help educate people on CISA's role. Second, CISA has
existing relationships across federal agencies, state and local
governments, and the private sector, which enables us to engage a wide
swath of stakeholders in exercises. Finally, CISA has analysts and
subject matter experts looking at cyber threats daily, who can feed
that information into exercises to ensure they address current and
realistic threats and vulnerabilities.
Mr. Kim. There was mention of individual agency exercises, but what
about real-world exercises between different agencies? Who do you think
should be invited to these exercises? And what are the roles for
private companies and State and local governments? And who should be in
charge of running these?
Ms. Rinaldo. The Department of Commerce is a member of the Federal
Emergency Management Agency's (FEMA) Exercise Implementation Committee
and the National Security Council's (NSC) Exercise and Evaluation Sub-
Policy Coordinating Committee. NTIA participates in national level
exercises, coordinated among Commerce agencies at the Department level.
NTIA's level of participation is determined by the specifics of the
exercise and its relevance to NTIA's statutory responsibilities. For
example, NTIA participates in the Eagle Horizon and CyberStorm
exercises. Eagle Horizon is the mandatory, annual, integrated
continuity exercise for all federal executive branch departments and
agencies, as required by National Continuity Policy. CyberStorm is the
Department of Homeland Security's biennial exercise series to
strengthen cyber preparedness in the public and private sectors. The
Department also coordinates participation in senior official exercises
directed by the NSC. These exercises are held at the Assistant
Secretary through Secretary level. In addition to NTIA's direct
participation in national-level exercises, members of the First
Responder Network Authority (FirstNet Authority) and FirstNet personnel
from AT&T have engaged with state, local, and tribal entities through
demonstrations and independent exercise activities. Typically, FirstNet
will collaborate with a state or local entity to conduct the exercise.
This summer, FirstNet participated in FEMA's Shaken Fury exercise near
Memphis, Tennessee, involving a series of tabletop, functional, and
full-scale exercises in partnership with the U.S. Department of Energy,
U.S. Northern Command, state and local governments, and the private
sector.
Mr. Kim. There was mention of individual agency exercises, but what
about real-world exercises between different agencies? Who do you think
should be invited to these exercises? And what are the roles for
private companies and State and local governments? And who should be in
charge of running these?
Mr. Wilson. The Federal Emergency Management Agency (FEMA) is the
lead for the National Exercise Program (NEP), which addresses National
response across Federal, State, and local levels, and includes non-
governmental organization, private sector, and private citizen
participation, depending on the scenario. NEP exercises are mandatory
for Executive Branch departments and agencies and are used to address
multi-agency coordination in the performance of National Essential
Functions. For example, in 2020, DOD will participate in the FEMA-led
National Level Exercise, which is focused on domestic cyber incidents
and is intended to link together a broad range of interagency exercises
around a common theme. Additionally, each Federal department and agency
hosts exercises to inform their respective missions, learn lessons, and
improve mission readiness. The goals and objectives of an exercise
drive the scope, scenarios, and participation. Although some exercises
are internally focused on an individual department or agency, others
include broad interagency and other participation. DOD hosts a range of
internal and interagency exercises, and supports and participates in
exercises hosted by DHS, the Department of Energy, the Intelligence
Community, and others. In August 2019, DOD hosted a table-top exercise
to improve DOD's ability to provide Defense Support of Civil
Authorities (DSCA) in response to a cyber incident. The exercise
included representatives from DOD, other Federal departments and
agencies, the energy sector, and State and local governments. U.S.
Northern Command (USNORTHCOM) hosted a table-top exercise in October
2019 focused on improving DOD's operational coordination structure for
DSCA responses to cyber incidents, with the goal of improving and
streamlining interagency integration in advance of a cyber incident.
U.S. Cyber Command (USCYBERCOM) hosts the annual CYBER GUARD exercise,
which focuses on refining DOD's readiness to respond to a domestic
cyber incident. CYBER GUARD includes a wide range of participants from
Federal departments and agencies and other entities.
______
QUESTIONS SUBMITTED BY MS. HOULAHAN
Ms. Houlahan. I also serve on the Foreign Affairs Committee. I am
curious what collaboration has looked like and will look like for each
of your respective agencies as the Department of State stands up the
Bureau of Cyberspace Security and Emerging Technologies and as other
agencies consider creating similar teams? Further, do you see a need
for the Presidential Policy Directive 21 (PPD-21), which divvies up
responsibilities within the Federal Government for cyber, to be updated
to reflect the emergence of these new departments?
Ms. Manfra. DHS collaborates and coordinates on international cyber
engagements with the U.S. Departments of State, Defense, Justice,
Commerce, and other federal agencies. At present, CISA and the U.S.
Department of State's Office of the Coordinator for Cyber Issues
collaborate on a range of issues from cyber capacity building and
critical infrastructure protection, to cybersecurity awareness. As
State stands up the Bureau of Cyberspace Security and Emerging
Technologies, DHS expects coordination to increase and for additional
partnership with international counterparts on cybersecurity. This new
office at State will help enhance the outreach to international
partners and be in direct support of what is already stated in
Presidential Policy Directive 21 (PPD-21), which currently provides
that ``the Department of State, in coordination with DHS, Sector
Specific Agencies, and other Federal departments and agencies, shall
engage foreign governments and international organizations to
strengthen the security and resilience of critical infrastructure
located outside of the United States and to facilitate the overall
exchange of best practices and lessons learned for promoting the
security and resilience of critical infrastructure on which the Nation
depends.'' As PPD-21 already provides for this role for the State
Department, CISA does not see the need to update PPD-21.
Ms. Houlahan. I often ask our witnesses to speak on two workforce
challenges facing our government, as well as our society. First, do you
feel your organization has the necessary expertise to execute your
mission? Is our workforce being adequately prepared to meet these
emerging threats? Do you have any concerns that this pipeline is
lacking? Finally, what sorts of challenges does your organization face
when recruiting technical experts when competing with the private
sector? What could we do to support these recruitment efforts?
Ms. Manfra. 1. The United States depends on the reliable
functioning of critical infrastructure. Cybersecurity threats exploit
the increased complexity and connectivity of critical infrastructure,
potentially placing the Nation's security, economy, and public safety
and health at risk. Paramount to equipping the Federal Government and
the nation's critical infrastructure entities with cybersecurity
information and assistance is a workforce with the right competencies,
knowledge, skills, and abilities to underpin CISA's mission
capabilities, in support of the National Cybersecurity Strategy and
Risk Management Framework. CISA recruits and builds these competencies
through buying, building, and borrowing talent. CISA focuses on hiring
the best and brightest talent and augments its capability through
contractors. Training is paramount to mission success and CISA
continues to cultivate and capitalize on opportunities to invest in its
employees and equip them with maturation of current skills, as well as
expand upon them. While CISA employs superior talent, expertise is not
a static endeavor; but rather, a continuous effort. Through training,
CISA strives to prepare a cybersecurity workforce with the skills to be
more resilient and excel at mission capability requirements.
2. The President's Management Agenda laid out a long-term vision
for modernizing the Federal Government's key areas that will improve
the ability deliver mission outcomes. To drive the management
priorities, the Administration created Cross-Agency Priority (CAP)
Goals, centered on ``Modernizing Government for the 21st century.'' One
of the three CAP Goals calls for investing in people and creating the
``Workforce for the 21st Century.'' This theme is carried throughout
the National Cybersecurity Strategy and the DHS Cybersecurity Strategy,
calling for the use of innovative solutions to ``keep pace with the
current pace of change.'' The systematic approach to meet CISA's
workforce needs incorporates the concepts of buying, building, and
borrowing talent. DHS has largely been focused on buying talent through
the existing hiring system and the future enhanced Cyber Talent
Management System. The DHS Office of the Chief Human Capital Officer
(OCHCO) is leading the effort to prepare for the launch of the CTMS and
create the DHS Cybersecurity Excepted Service. The effort will
modernize talent management to align to and keep pace with the
cybersecurity work of the Department by taking a comprehensive approach
to recruit and retain talent modeled after industry best practices.
Competition in the marketplace to recruit and retain cyber
professionals continues to grow, along with the demand for cyber
defense experts to protect our nation's networks and information
systems. To overcome these challenges, the Administration has focused
on efforts under the Federal CAP Goal, Developing a Workforce for the
21st Century, to improve service to America through enhanced alignment
and strategic management of the Federal workforce. To further build
upon the work already done and increase employee engagement, on May 2,
2019, the Administration published the Executive Order on America's
Cybersecurity Workforce, with the direction to strengthen the
cybersecurity capability of the Federal workforce through increased
integration and skills enhancement opportunities under a rotational
program. The Federal Cybersecurity Rotation Program is a career
broadening opportunity for cybersecurity practitioners to expand their
cybersecurity competencies, expand the depth of their Federal
cybersecurity knowledge and experiences, and strengthen their skills.
It will allow current Federal employees to gain exposure to a range of
cybersecurity functional areas to improve their cybersecurity
perspective and learning agility through stretch assignments. The
program will also expand upon the successful Federal Cybersecurity
Reskilling Academy, executed by OMB, OPM and the Department of
Education in FY 2019, DHS will develop non-cyber federal employees who
are interested in a cyber-career and have the necessary competencies by
assessing their capability and aligning training and career broadening
opportunities to develop them into cyber practitioners. Participants
will gain development and skill enhancement through required and
blended learning approaches such as work role-specific tours,
conferences, cohort networking and training events, leveraging web-
based virtual labs, and mentoring, in addition to the on-the-job
experience. CISA is working alongside the Department of Veterans
Affairs and Department of Defense to create career pathways using the
NIST NICE Cybersecurity Workforce Framework, which build upon the
workforce development programs suggested in the report's
recommendations. CISA looks to continue to build upon training and
education programs that transform, elevate, and sustain the learning
environment to grow a dynamic and diverse cybersecurity workforce.
Further, the CISA is working with the Department of Veterans Affairs,
Department of Defense, and Office of Personnel Management to identify
and leverage tools to assess aptitude and skills related to cyber
positions. Many of these efforts, including the cataloguing of
cybersecurity positions using the NIST framework, the rotational
program and the reskilling academy are highlighted in the
Administration's Solving the Federal Cyber Workforce Shortage paper
included in the June 2018 Delivering Government Solutions in the 21st
Century. In a field that experiences as much change as cybersecurity,
updating employee skills that will be critical as the threat landscape
evolves is important. However, employee development can have a
beneficial effect on retention. Providing a well-defined career path,
as well as associated trainings, that clearly map how a cybersecurity
employee can grow within the organization, may contribute to retention.
If provided a path to improve, acquire new skills, and progress along
an exciting career path, whether it be technical or leadership in
nature, employees will stay engaged and thus will be less likely to
separate. Support to publish these career pathways on the NIST NICE
website will benefit both the public and private sector. CISA believes
it has exercised all available opportunities to recruit and retain
talent to the extent allowable.Finally, investment in the resources
necessary for the HR IT to recruit and serve existing employees is
critical to success. The current DHS HR IT solutions are predominately
disjointed and some business processes are still paper-based; which
adversely impacts the ability of DHS HR professionals to deliver high
quality, effective services to the DHS workforce, including the
recruitment and hiring of highly skilled personnel to meet the DHS
mission. The Administration has recognized this and has included an
increase of $10.5M in the DHS Management Directorate's Fiscal Year 2021
Budget to continue enhancements of the HR IT Portfolio and provide
advanced automation capabilities across the DHS HR community, DHS
workforce, and in some cases, family members of the DHS workforce.
These improvements will provide DHS employees with self-service
capabilities and will have profound effects on the DHS workforce and
its readiness to support the DHS mission. This funding will support
recruitment requirements and allow for a top-notch customer service
organization capable of supporting a workforce to be on par and
consistent with its private sector competition. CISA will work through
the budget process to support this critical investment moving forward.
Ms. Houlahan. Google has announced that they are considering making
change to the DNS settings on their Chrome browser and Android
operating system that would, reportedly, have the effect of displacing
DNS services provided by ISPs and other third parties and making Google
the centralized encrypted DNS provider by default for most of the
Internet. Is DHS/CISA aware of Google's plans? What are some of the
implications of Google's plan to centralize DNS data? Specifically, how
will Google's plan affect malware detection tools used to protect this
nation's Critical Infrastructure?
Ms. Manfra. The characterization that Google will become ``the
centralized encrypted DNS provider by default for most of the
Internet'' is incorrect. Google's plan, as shared in a September 10
blog post, is that the DNS settings for Chrome will be upgraded to a
secure connection, only if the current DNS provider offers a secure
connection. As Kenji Baheux, Chrome Product Manager, says in the post,
``the DNS service will not change, only the protocol will. As a result,
existing content controls of your current DNS provider, including any
existing protections for children, will remain active.'' The post then
describes in greater detail how this will occur and provides steps for
users who prefer an insecure connection to opt-out. Microsoft has also
made an announcement to offer DNS over HTTPS at the operating system
level in a similar way Chrome does it within the browser. Mozilla
Firefox is planning a change that would move users by default to a
single, encrypted DNS provider, but Mozilla offered extensive
documentation to continue supporting enterprise IT use cases; network-
provided DNS can still be made mandatory. While only a single DNS
provider is currently offered, Mozilla has made clear they are
``working to build a larger ecosystem.'' CISA believes both approaches
are thoughtful and helpful in driving users to more secure services.
However, CISA also recognizes the side effects of increased DNS-over-
HTTPS (DOH) use can cause--those enterprises that do not manage their
assets effectively to lose visibility into DNS traffic leaving their
endpoints. This also may inhibit CISA's ability to prevent malicious
domains from resolving in civilian executive branch networks using
EINSTEIN 3 Accelerated intrusion prevention capabilities. Centralizing
DNS resolution to any service operator could provide that entity with
unique insights into the DNS behavior of users. It could also deprive
enterprise network security operations, cybersecurity service
providers, and internet service providers of that same insight.
However, as noted, enterprise policies can still be set on managed
devices to require the use of an enterprise's preferred DNS provider.
At the same time, CISA believes that Google and Mozilla's effort is
intended to have positive security and privacy impacts of individual
end users of their products, and to improve the performance of their
systems. Not all malware detection mechanisms rely on the analysis of
DNS activity. CISA has always recommended that critical infrastructure
organizations thoughtfully employ defense-in-depth strategies that
allow for the detection and prevention of unauthorized access by
multiple means. However, in cases where DNS monitoring is used to
detect unauthorized activity on Android devices and the Chrome web
browser in the business networks of critical infrastructure entities,
Google's plan could create a blind spot for network security analysts
where those devices are not configured to abide by enterprise policies.
Ms. Houlahan. The process of DNS resolution today is very
decentralized--it involves many DNS resolvers working in concert to
power the Internet for this country and globally. What impact would
centralization of DNS resolution would have in terms of our nation's
cyber preparedness, resiliency, and security?
Ms. Manfra. CISA seeks to champion technologies that help secure
DNS and does not intend to re-engineer the distributed architecture of
DNS infrastructure. Our intent is to re-route federal DNS traffic from
untrusted service providers (some of which may be owned and operated by
foreign entities), to trusted, U.S. owned recursive DNS service
provider. CISA provided service will still offer distributed and
resilient infrastructure in order to support our nation's preparedness,
resiliency, and security. The service will provide managed federal DNS
infrastructure that supports the latest DNS technologies (e.g. DNS over
HTTPS and DNS over TLS), applies consistent protections and state of
the art threat feeds, and provides CISA with visibility into the
federal DNS traffic for analysis and feature enhancements.
Ms. Houlahan. I also serve on the Foreign Affairs Committee. I am
curious what collaboration has looked like and will look like for each
of your respective agencies as the Department of State stands up the
Bureau of Cyberspace Security and Emerging Technologies and as other
agencies consider creating similar teams? Further, do you see a need
for the Presidential Policy Directive 21 (PPD-21), which divvies up
responsibilities within the Federal Government for cyber, to be updated
to reflect the emergence of these new departments?
Ms. Rinaldo. NTIA does not see a need to revise PPD-21 based on the
creation of new agencies. PPD-21 is flexible in that it assigns general
responsibilities primarily at the department level, and relevant new
agencies would be tasked at the direction of their departmental
leadership. NTIA collaborates regularly with departments and agencies
on cybersecurity issues. Newly established agencies' missions will be
incorporated into the interagency policy process and work flow.
Ms. Houlahan. The process of DNS resolution today is very
decentralized--it involves many DNS resolvers working in concert to
power the Internet for this country and globally. What impact would
centralization of DNS resolution would have in terms of our nation's
cyber preparedness, resiliency, and security?
Ms. Rinaldo. NTIA is actively monitoring recent protocol
developments and implementations to encrypt Domain Name System (DNS)
queries, such as DNS-over-Transport Layer Security and DNS-over-
Hypertext Transfer Protocol Secure. NTIA staff regularly consult with
DNS technologists and experts to understand the impact that new DNS
security implementations may have on the Internet ecosystem. The
Internet's decentralized architecture, including the DNS, Transmission
Control Protocol/Internet Protocol, and physical infrastructure, has
been one of its greatest strengths. It has contributed to innovations
in connectivity and network performance, allowing companies to pursue
economies of scale in telecommunications, content delivery, Web
services, and other sectors and to offer greater connection speed and
reliability for American consumers. The new protocol implementations
represent a shift from current DNS resolution practice, but NTIA is
closely monitoring these developments and working to ensure that such
implementations do not introduce cyber threats to the Internet
ecosystem or compromise its overall resiliency and security.
Ms. Houlahan. I also serve on the Foreign Affairs Committee. I am
curious what collaboration has looked like and will look like for each
of your respective agencies as the Department of State stands up the
Bureau of Cyberspace Security and Emerging Technologies and as other
agencies consider creating similar teams? Further, do you see a need
for the Presidential Policy Directive 21 (PPD-21), which divvies up
responsibilities within the Federal Government for cyber, to be updated
to reflect the emergence of these new departments?
Mr. Wilson. DOD has been apprised of Department of State plans to
reorganize internally. DOD does not anticipate a change in how DOD
interacts with the Department of State on cyberspace issues as a result
of the reorganization. At this time, because broad department
responsibilities will not change as the result of internal departmental
organizational changes, DOD does not anticipate a need to update PPD-
21. Further, DOD encourages the critical infrastructure Sector Specific
Agencies (SSAs) identified in PPD-21 to establish or bolster
cybersecurity and cyber resilience measures to assure the protection
and continued function of systems, capabilities, and assets for which
they are responsible. Through a series of pathfinder initiatives, DOD
is focused on improving its collaboration with DHS, other SSAs, and
appropriate private sector entities--including select critical
infrastructure partners--by sharing threat information, conducting
collaborative analysis of vulnerabilities and threats, and, when
authorized, mitigating those risks. These pathfinders, in turn, enable
DOD and its Federal partners to leverage private-sector threat
information to support DOD's mission.
Ms. Houlahan. In nuclear policy, the concept of deterrence is
founded in our understanding of our adversaries' nuclear capabilities
and our adversaries' understanding our own nuclear capabilities. It is
my understanding that we don't have as thorough an understanding of our
adversaries' capabilities when it comes to cyber. What work is being
done to establish global nuclear norms? What steps are being taken to
improve our partners' cybersecurity capabilities, especially those
countries at most risk of cyber attack from our adversaries? Which
department or agency is leading that effort?
Mr. Wilson. The Department of Defense works closely with the
Department of State to deter malicious cyber activity and foster
stability in cyberspace in part through the identification and
promotion of peacetime norms of responsible state behavior in
cyberspace. The 2015 report of the United Nations Group of Government
Experts (UN GGE) on Information and Communications Technologies in the
Context of International Security was instrumental in promoting certain
cyberspace norms, and the GGE process is scheduled to resume in
December 2019. As the lead foreign affairs agency, the Department of
State has the lead role in coordinating foreign assistance, including
cyberspace-related capacity-building assistance for international
partners. DOD works to build the cyber capacity of its international
partners, and the 2018 DOD Cyber Strategy lists expanding DOD cyber
cooperation with international partners as one of the Department's key
cyberspace objectives. DOD recently issued DOD International Cyberspace
Security Cooperation Guidance to DOD components to facilitate and
prioritize cyberspace capacity-building with allies and partners.
Ms. Houlahan. The process of DNS resolution today is very
decentralized--it involves many DNS resolvers working in concert to
power the Internet for this country and globally. What impact would
centralization of DNS resolution would have in terms of our nation's
cyber preparedness, resiliency, and security?
Mr. Wilson. Centralization of Domain Name System (DNS) resolution
offers the idea of improved efficiency of system administration and has
the potential to reduce the costs for resources. However, the impact of
centralization of DNS resolution comes at the expense of security.
Further, having a national or international centralized DNS name space
would not be scalable. The DNS hierarchy was designed to be
distributed; this distribution provides technical diversity,
resiliency, and stability.
DNS centralization would result in greater vulnerability of
specific targeted attacks and could increase the risk and threat
levels. Globally, any attempt by one country to centralize DNS of
independently managed country code domains and generic database Top
Level Domains would most likely not be approved by the multi-
stakeholder Internet Governance organizations and model that governs
today's Internet. To clarify, a centralized DNS created by the United
States would likely create opposition by foreign entities (e.g.,
countries, corporations). This would likely culminate in the generation
of a fragmented or splintered Internet.
[all]