[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                                 

                         [H.A.S.C. No. 117-32]

                                HEARING

                                   ON

                   NATIONAL DEFENSE AUTHORIZATION ACT

                          FOR FISCAL YEAR 2022

                                  AND

              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS

                               BEFORE THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                  SUBCOMMITTEE ON CYBER, INNOVATIVE 
                 TECHNOLOGIES, AND INFORMATION SYSTEMS

                                   ON

                        OPERATIONS IN CYBERSPACE

                    AND BUILDING CYBER CAPABILITIES 
                    ACROSS THE DEPARTMENT OF DEFENSE
                               __________

                              HEARING HELD
                              MAY 14, 2021

                                     
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

                              __________

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
45-604                      WASHINGTON : 2021                     
          
----------------------------------------------------------------------------------- 
   
SUBCOMMITTEE ON CYBER, INNOVATIVE TECHNOLOGIES, AND INFORMATION SYSTEMS

               JAMES R. LANGEVIN, Rhode Island, Chairman

RICK LARSEN, Washington              ELISE M. STEFANIK, New York
SETH MOULTON, Massachusetts          MO BROOKS, Alabama
RO KHANNA, California                MIKE GALLAGHER, Wisconsin
WILLIAM R. KEATING, Massachusetts    MATT GAETZ, Florida
ANDY KIM, New Jersey                 MIKE JOHNSON, Louisiana
CHRISSY HOULAHAN, Pennsylvania,      STEPHANIE I. BICE, Oklahoma
    Vice Chair                       C. SCOTT FRANKLIN, Florida
JASON CROW, Colorado                 BLAKE D. MOORE, Utah
ELISSA SLOTKIN, Michigan             PAT FALLON, Texas
VERONICA ESCOBAR, Texas
JOSEPH D. MORELLE, New York

                Josh Stiefel, Professional Staff Member
                Sarah Moxley, Professional Staff Member
                         Caroline Kehrli, Clerk
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Gallagher, Hon. Mike, a Representative from Wisconsin, 
  Subcommittee on Cyber, Innovative Technologies, and Information 
  Systems........................................................     3
Langevin, Hon. James R., a Representative from Rhode Island, 
  Chairman, Subcommittee on Cyber, Innovative Technologies, and 
  Information Systems............................................     1

                               WITNESSES

Eoyang, Mieke, Deputy Assistant Secretary of Defense for Cyber 
  Policy, Office of the Under Secretary of Defense for Policy....     4
Nakasone, GEN Paul M., USA, Commander, U.S. Cyber Command, and 
  Director, National Security Agency.............................     6

                                APPENDIX

Prepared Statements:

    Eoyang, Mieke................................................    36
    Langevin, Hon. James R.......................................    33
    Nakasone, GEN Paul M.........................................    54

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Mrs. Bice....................................................    65
    Ms. Escobar..................................................    65
    Mr. Larsen...................................................    65

Questions Submitted by Members Post Hearing:

    Mr. Kim......................................................    69
    Mr. Moore....................................................    69
  
  
  OPERATIONS IN CYBERSPACE AND BUILDING CYBER CAPABILITIES ACROSS THE 
                         DEPARTMENT OF DEFENSE

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
       Subcommittee on Cyber, Innovative Technologies, and 
                                       Information Systems,
                              Washington, DC, Friday, May 14, 2021.
    The subcommittee met, pursuant to call, at 11:03 a.m., in 
room 2118, Rayburn House Office Building, Hon. James R. 
Langevin (chairman of the subcommittee) presiding.

 OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE 
FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON CYBER, INNOVATIVE 
             TECHNOLOGIES, AND INFORMATION SYSTEMS

    Mr. Langevin. The subcommittee will come to order.
    Before I begin my opening statement, I want to welcome our 
witnesses. I am just going to read some technical information 
since this is a hybrid hearing and some members will be joining 
us remotely.
    Welcome to today's hearing, ``Operations in Cyberspace and 
Building Cyber Capabilities across the Department of Defense.'' 
We have convened.
    This is a hybrid hearing, and we are joined by members who 
are participating remotely. Members who are joining remotely 
must be visible on screen for the purposes of identity 
verification, establishing and maintaining a quorum, 
participating in the proceeding, and voting. Those members must 
continue to use the software platform's video function while in 
attendance unless they experience connectivity issues or other 
technical problems that render them unable to participate on 
camera. If a member experiences difficulties, they should 
contact the committee staff for assistance.
    Video of members' participation will be broadcast in the 
room and via the television internet feeds. Members 
participating remotely must seek recognition verbally, and they 
are asked to mute their microphones when they are not speaking. 
Members who are participating remotely are reminded to keep the 
software platform's video function on the entire time they 
attend the proceeding. Members may leave and rejoin the 
proceeding. If members depart for a short while for reasons 
other than joining a different proceeding, they should leave 
their video function on. If members will be absent for a 
significant period or depart to join a different proceeding, 
they should exit the software platform entirely and then rejoin 
it if they return.
    Members may use the software platform's chat feature to 
communicate with staff regarding technical or logistical 
support issues only. I have designated a committee staff member 
to, if necessary, mute unrecognized members' microphones to 
cancel any inadvertent background noise that may disrupt the 
proceeding.
    So I would like to welcome our witnesses, General Paul 
Nakasone, the Commander of U.S. Cyber Command and the Director 
of National Security Agency, and Mieke Eoyang, the Deputy 
Assistant Secretary of Defense for Cyber Policy. Welcome to you 
both.
    In past hearings, General Nakasone has been joined by the 
Assistant Secretary of Defense for Homeland Defense and Global 
Security. However, with the challenges faced in that role, we 
are thankful that Ms. Eoyang is able to step in, and the 
committee appreciates your cooperation and collaboration.
    So it is truly incredible how much has changed since our 
last cyber posture hearing on March 4, 2020. The world has been 
upended by a pandemic, changing the lives of literally every 
person on the planet. In the realm of cyber matters, the men 
and women of the Department of Defense, including our soldiers, 
sailors, airmen, Marines, and guardians, have had no respite, 
continuing to operate and defend Americans' interests in 
cyberspace.
    Despite the pandemic, our adversaries and competitors have 
not let up their cyber campaigns. In the last 6 months alone, 
the media has reported almost nonstop on arguably some of the 
most significant cyber incidents ever to affect our Nation, 
from SolarWinds to Hafnium to, just in the last week, the 
attack against Colonial Pipeline by the DarkSide criminal 
collective. So if there were any doubters that cyberspace is an 
active and contested warfighting domain, I would hope that the 
last year has changed those perspectives.
    Yet, incredibly, it still appears to this committee that 
cyber does not always have the focus for much of the 
Department's senior uniformed and civilian leadership that it 
requires, despite our forces engaging adversaries in this 
domain every single day. I point this out. Recently, the Air 
Force removed cyber from its mission statement, even though a 
report from the Office of Secretary of Defense concluded that 
the inclusion of cyber in the Air Force mission statement is 
the single reason why Air Force personnel have vastly outpaced 
other services in pursuing cyber-related certifications.
    Candidly, it is frustrating that the people in this room, 
both members and witnesses, seem to be fighting an uphill 
battle to put cyber front and center in the Department. Out of 
five officially recognized warfighting domains, the senior 
civilian official for air, sea, land, and space domains are 
military service secretaries. Yet, with all due respect to Ms. 
Eoyang and her spectacularly overworked team, the senior 
civilian for cyber is four rungs lower than her counterparts 
overseeing other domains.
    So we also have to account for the ways in which cyberspace 
operations occur within and affect the information environment. 
One of the most illustrative examples of how the Department's 
structure can hinder rather than enable operations is its own 
organization chart. The DOD's Joint Publication 313 notes that 
cyberspace is one of many information-related capabilities, 
designed to affect the information domain alongside 
psychological operations and electromagnetic spectrum 
operations. Yet each of the information-related capabilities is 
handled by a separate entity and siloed within the Department, 
ensuring that we cannot leverage our capabilities to the 
maximum extent possible. This needs to change.
    In our current age of great power competition, conflict in 
the ``gray zone'' below the level of armed conflict has never 
been more relevant to our strategic thought. For numerous 
reasons, challenges with attribution, easily altered payloads, 
and ease of proliferation, cyber is the ideal tool for the gray 
zone conflict. The information domain, including cyberspace, is 
where our forces are engaged against our adversaries daily.
    As the Nation comes to realize that this domain is as 
important as any other, we need the Defense Department to adapt 
to ensure that any conflict with adversaries remains in the 
information space as much as possible and never moves into the 
kinetic realm.
    As we push the Department to adapt toward the information 
environment, congressional oversight has never been more 
necessary. It is the mechanism by which we monitor the 
activities of the executive branch and ensure compliance with 
relevant statute. While I understand that transitions can 
result in disconnects or misunderstandings, I anticipate 
hearing from the committee staff that any issues that may have 
arisen will be quickly resolved to our satisfaction. So I am 
happy to add detail in private, but we will leave it at that 
for now.
    So, with that, I now want to thank our witnesses again for 
appearing before us today. As a reminder, after this open 
session, we will move to the CVC auditorium for a closed, 
member-only session.
    With that, I want to turn now to Ranking Member Gallagher 
for his remarks.
    [The prepared statement of Mr. Langevin can be found in the 
Appendix on page 33.]

    STATEMENT OF HON. MIKE GALLAGHER, A REPRESENTATIVE FROM 
WISCONSIN, SUBCOMMITTEE ON CYBER, INNOVATIVE TECHNOLOGIES, AND 
                      INFORMATION SYSTEMS

    Mr. Gallagher. Thank you, Mr. Chairman. And thank you to 
General Nakasone and Ms. Eoyang for being here today.
    Cyberspace is the ultimate gray zone in which operations 
often do not fit neatly into either traditional kinetic 
warfighting or nontraditional activities. Adversaries like 
China and Russia, as well as nonstate actors, are continuously 
exploiting the gray zone and probing our networks and 
exploiting our vulnerabilities in cyberspace. I mean, just in 
recent months, we have had SolarWinds. We have had Microsoft 
Exchange. We had Russian cyber actors last week shut down a 
major U.S. pipeline, highlighting the cyber threat posed to our 
critical infrastructure from actors anywhere in the world and 
how actors all over the world can reach out and touch all of 
our constituents, no matter where our districts are.
    I just would say, though our cyber adversaries are diffuse 
and evolving and they prove time and again that our cyber 
networks are only as strong as the weakest link, our operations 
and capabilities have also evolved, in large part due to the 
work of this subcommittee and the leadership of General 
Nakasone at U.S. Cyber Command and, in particular, General, the 
input that you provided to the Cyberspace Solarium Commission 
over the last 2 years, which took up a lot of Representative 
Langevin and my work over the last couple of years.
    But as we continue to harden our networks and improve our 
capabilities, the President's budget must focus on modernizing 
DOD's [Department of Defense's] platforms. We must consider 
cutting legacy platforms out of date for modern conflict and 
investing in emerging technologies in cyber. And I believe I 
speak for everyone here when I say I hope to see a budget that 
recognizes the importance of our Cyber Mission Force; invests 
in necessary cyber infrastructure, including technology and 
human capital; highlights necessary cyber authorities; and 
really pushes the Department out of its silos and into a 
streamlined structure that prioritizes cyber agility and 
responsiveness.
    Our Cyber Mission Force has also matured, but we must 
continue to identify cyber talent and train, equip, and support 
our cyber force to improve our capabilities across the cyber 
continuum and maintain superiority over hostile cyber actors. 
So we took a lot of pivotal steps in this direction in last 
year's NDAA [National Defense Authorization Act], and I know we 
will continue to make progress towards our cyber goals again 
this year, but the fundamental shift in thinking about cyber 
will take more than just directives in the NDAA. It will 
require leaders at DOD and throughout the government and in 
Congress to think strategically and acknowledge that cyber is 
now the critical domain to every facet of our national 
security.
    And with that, Mr. Chairman, I look forward to hearing from 
our witnesses today, and I yield back.
    Mr. Langevin. Thank you, Ranking Member Gallagher, for your 
remarks.
    With that, I will now turn it over to Ms. Eoyang and 
General Nakasone for 5 minutes of remarks each.
    Ms. Eoyang, you are recognized. You may proceed.

   STATEMENT OF MIEKE EOYANG, DEPUTY ASSISTANT SECRETARY OF 
  DEFENSE FOR CYBER POLICY, OFFICE OF THE UNDER SECRETARY OF 
                       DEFENSE FOR POLICY

    Ms. Eoyang. Thank you, Chairman Langevin, Representative 
Gallagher, and members of the committee. I am pleased to be 
here with General Nakasone, the Commander of U.S. Cyber 
Command, to report the progress that the Department of Defense 
has made in achieving the Department's objectives in 
cyberspace.
    This afternoon, I am testifying in my role as the Deputy 
Assistant Secretary of Defense for Cyber Policy. In that role, 
I am responsible for advising the Secretary and Deputy 
Secretary on cyberspace policy and the development of the 
Department's cyber strategy and other cyberspace policy.
    Congress has demonstrated that it views cyber defense as a 
priority through not only its legislative work, but through 
Member service on the Solarium Commission. And for that, we are 
grateful for your ongoing support for this crucial issue in a 
broad and bipartisan manner.
    To start, I would like to offer our perspective on the 
current global strategic context. As you note, 2020 was a year 
of turmoil, with a global pandemic drastically altering our 
day-to-day reality and increasing our dependence on the 
internet. Our adversaries took notice of our growing reliance 
on technology. Cyber criminals and nation-state actors alike 
took advantage of COVID-19 by unleashing ransomware on 
healthcare facilities, targeting vaccine production and supply 
chains, exploiting fears to spread disinformation, and even 
disrupting pipeline companies.
    As a result, the cyberspace domain is both more important 
and more contested than it has been in recent memory. Enhancing 
the security of cyberspace, both in the United States and 
around the world, is a top priority as the President's Interim 
National Security Strategic Guidance prioritizes cybersecurity 
and pledges to expand investments needed to defend the Nation 
against malicious cyber activity and cyberattack.
    Our competitors are using their cyber capabilities to seek 
political, economic, information, and military advantages, and 
to undermine our security by engaging in malicious cyber 
activity. The DNI [Director of National Intelligence] assesses 
that cyber threats from nation-states--particularly China, 
Russia, Iran, and North Korea--and their surrogates will remain 
acute, both in day-to-day competition and to seek advantage in 
armed conflict.
    As Secretary Austin said at his confirmation hearing in 
January, China is the pacing threat for the Department, 
including in cyber operations. China uses cyber operations to 
erode U.S. military overmatch and economic vitality, stealing 
U.S. intellectual property and research. Chinese malicious 
cyber activity continues to this day.
    Russia also continues to be a highly sophisticated and 
capable adversary, integrating malicious cyber activities, 
including espionage, influence operations, and mutually 
reinforcing ways to achieve its objectives. They engage in a 
wide range of malign cyber activities, including attempts to 
interfere with U.S. elections, spreading ransomware such as 
NotPetya, efforts to disrupt the postponed Tokyo Olympics, and 
the most recent SolarWinds attack.
    In addition to using cyberspace as an offensive tool, China 
and Russia view the internet as a mechanism to control and 
intimidate their own populations. While the United States 
advocates for an open, interoperable, secure, and reliable 
internet, China and Russia have created and employed a digital 
authoritarian model using their technological and cyberspace 
capabilities to manipulate narratives, repress free speech, 
surveil their citizens, and quash dissent domestically. China 
seeks to export digital authoritarianism to other repressive 
regimes, remaking the internet in its image.
    Beyond China and Russia, we remain concerned about the 
cyber threat posed by Iran and North Korea. And further, 
nation-state actors, such as criminals, terrorists, and violent 
extremists, continue to leverage the internet to advance their 
agendas. The line between nation-state and criminal actors is 
increasingly blurry as nation-states turn to criminal proxies 
as a tool of state power, then turn a blind eye to the cyber 
crime perpetrated by the same malicious actors. This is a 
common practice for Russia, whose security services leverage 
cyber criminals while shielding them from prosecution for 
crimes they commit for personal benefit.
    We have also seen some states allow their government 
hackers to moonlight as cyber criminals. This is not how 
responsible states behave in cyberspace, nor can responsible 
states condone shielding of this criminal behavior.
    The President has made clear also the need to strengthen 
our alliances. The Department is driving new approaches to do 
that, and we continue hunt forward operations with partners 
even during pandemic and cyber exercises, such as Cyber Flag, 
to help our allies prepare for adversary actions.
    President Biden is currently conducting a review of 
national strategy, which will culminate in the issuance of two 
key documents: the National Security Strategy and the National 
Cyber Strategy. The President's guidance will inform our own 
upcoming defense-level review of the National Defense Strategy 
and follow on the Department's second ever Cyber Posture 
Review, which will evaluate our ability to execute national and 
departmental-level strategies to achieve our goals in 
cyberspace. We look forward to delivering the strategy and 
posture review to Congress once they are completed.
    Thank you for the opportunity to appear before you today, 
and I look forward to the members' questions.
    [The prepared statement of Ms. Eoyang can be found in the 
Appendix on page 36.]
    Mr. Langevin. Thank you, Ms. Eoyang.
    And, General Nakasone, you are now recognized for 5 
minutes.

 STATEMENT OF GEN PAUL M. NAKASONE, USA, COMMANDER, U.S. CYBER 
        COMMAND, AND DIRECTOR, NATIONAL SECURITY AGENCY

    General Nakasone. Chairman Langevin, Ranking Member 
Gallagher, and distinguished members of the subcommittee, I am 
honored to be here and testify beside Secretary Eoyang and 
represent the men and women of U.S. Cyber Command.
    Three major incidents over the past 6 months demonstrate 
the importance of cyber security to our Nation. Well-resourced 
and sophisticated adversaries are exploiting gaps in the 
Nation's ability to monitor U.S. cyberspace infrastructure 
while conducting operations from within the boundaries of the 
United States.
    The SolarWinds incident occurred through the highly skilled 
means of an adversary against a U.S. company supply chain. At 
nearly the same time, the server hack associated with Microsoft 
Exchange showcased the ability of another adversary to exploit 
vulnerabilities and attack systems around the world. The 
Colonial Pipeline ransomware attack also demonstrate a growing 
trend of companies and even government agencies being held 
hostage by malicious cyber actors. These cases demonstrate the 
broadening scope, scale, and sophistication employed by some 
adversaries.
    The United States Government, in tandem with industry 
partners, must improve its defensive posture to prevent and/or 
minimize the impacts, while contesting and defeating those who 
would exploit such vulnerabilities and target American 
companies and citizens. Cybersecurity is national security.
    Over the past year, I emphasized the importance of 
defending the election against foreign interference. We did 
this through the Election Security Group, a combined team from 
U.S. Cyber Command and the National Security Agency. We built 
on lessons from earlier operations and honed partnerships with 
the Federal Bureau of Investigation and the Department of 
Homeland Security Cybersecurity and Infrastructure Security 
Agency, sharing information with those who needed it as fast as 
possible. We also worked with the National Guard Bureau to 
create a mechanism that enabled Guard units to share 
information about incidents quickly, easily, and uniformly.
    U.S. Cyber Command [CYBERCOM] conducted more than two dozen 
operations to get ahead of foreign threats before they 
interfered with or influenced our elections in 2020. I am proud 
of the work the command and the Election Security Group 
performed as part of a broader government effort to deliver a 
safe, secure 2020 election.
    CYBERCOM is building on recent guidance from the 
Department, seeking to promote readiness, improve training, and 
attract high-end talent. The cyberspace environment has changed 
significantly over the past years. To your point, Chairman, 
even over the past 14 months, we have seen a tremendous 
difference in the environment. Adversaries are demonstrating a 
changed risk calculus. They are undertaking malign activities 
in cyberspace at greater scope, scale, and sophistication. They 
desire to take on the U.S. in cyberspace below the level of 
armed conflict.
    To defend our security and our interests in this 
environment, U.S. Cyber Command must continue to adapt, 
innovate, partner, and succeed against such adversaries. The 
men and women at U.S. Cyber Command look forward to working 
with this committee and are truly grateful for the support 
Congress has given to our command.
    Again, thank you for your support, and I look forward to 
your questions.
    [The prepared statement of General Nakasone can be found in 
the Appendix on page 54.]
    Mr. Langevin. Thank you, General Nakasone, Ms. Eoyang, for 
your testimony here today. Before we begin procedure questions, 
I just want to thank you again for your commitment to the 
national security of the United States. And I wanted to just 
point out as a matter of personal privilege, we all recognize 
that our Nation is one giant melting pot, and I think diversity 
is something to be celebrated. And I think this may be an 
historic first for this committee in that we have two members 
of the AAPI [Asian Americans and Pacific Islanders] community 
testifying before us at the same time. So pretty cool to note. 
And thank you again.
    [Inaudible.]
    Mr. Langevin. Very good.
    I want to thank you both for being here, again, for your 
testimony, your commitment to the national security of the 
United States, and thank you for your remarks.
    We are going to now proceed with questions. Each member 
will be recognized for 5 minutes, beginning with myself.
    And, Ms. Eoyang, I want to start with you, if I could. So 
the Assistant Secretary of Defense for Special Operations and 
Low-Intensity Conflict is responsible for information 
operations, but the Assistant Secretary of Defense for Homeland 
Defense and Global Security is responsible for cyberspace 
operations. Can you explain the logic as to why two separate 
chains are established for operations within the same 
information environments?
    Ms. Eoyang. Mr. Chairman, I appreciate the question here. I 
think--I am not sure that I can give the full history on how 
that evolved from the Department's perspective in terms of why 
those two things are in separate silos. Agree that there is a 
fair amount of overlap there, but as you may know, the PSYOPS 
[psychological operations]/information ops had traditionally 
been held in the special operations community. And as 
cyberspace grew up, it went through a number of evolutions and 
has found itself within the Homeland Defense and Global 
Security arena in part because of the focus, I think, on the 
homeland security aspects of cybersecurity. But, certainly, 
there are some coordination challenges in the division between 
the two.
    Mr. Langevin. So, to that point, you know, how do you and 
the Deputy Assistant Secretary of Defense for Special 
Operations and Counterterrorism, a position that owns the 
information and operations portfolio for OSD [Office of the 
Secretary of Defense] Policy, coordinate and collaborate?
    Ms. Eoyang. I am in regular communication with my 
colleagues, and we are collaborating at all levels between our 
two offices, Mr. Chairman.
    Mr. Langevin. That is something that we are going to have 
to continue to work on, I think too, though.
    General Nakasone, one of the Cyberspace Solarium 
Commission's key outstanding questions was whether the Cyber 
Mission Force, designed now 9 years ago, was properly sized. 
You may remember that I asked you about this at last year's 
hearing. We spoke about this yesterday when you and I met also 
in my office, but last year, you had replied that you needed 
more relevant data.
    And without discussing the contents of the President's 
budget before its release, can you tell us about whether you 
acquired the information necessary to make a decision on the 
size of the force and what insights you gleaned from this 
information?
    General Nakasone. Chairman, thank you. We do have the data. 
And again, to your point, not to get ahead of the budget 
submission, but in general terms, I would anticipate that as we 
lay out the case, we have to look at some critical elements 
that will influence the future size of the Cyber Mission Force, 
now 133 teams. In the future, we have to account for the 
growing importance of space. I think we have to account for the 
importance of what we are seeing with malign cyber actors, 
whether or not it is Russian cyber actors, Chinese cyber 
actors, Iranian cyber actors, and their intent.
    And I think the last piece is that we are in a period of 
strategic competition, and I think the word is ``competition.'' 
So we have to have that balance of, not only what we are going 
to support our fellow combatant commands if conflict was to 
break out, but, also, if our adversaries are operating below 
the level of armed conflict every single day, what type of 
force do we need to be able to ensure that we can counteract 
that, much in the same way that we have done in our support to 
the national elections.
    Mr. Langevin. Thank you, General. And, recently, one of 
your subordinate commands, Army Cyber Command, established an 
Information Warfare Operations Center. At nearly the exact same 
time, U.S. Army Special Operations Command at Fort Bragg 
separately established an Information Warfare Center. So 
acknowledging that this is Army specific, it points to a wider 
issue about lack of clarity on mission sets and an absence of 
direction inside the Department. How do you distinguish what 
Cyber Command and its cyber focus subordinate commands do 
versus what Special Operations Command and its SOF [special 
operations forces]-centric subordinate elements do?
    General Nakasone. Chairman, I have a very, very close and 
enduring partnership with U.S. Special Operations Command under 
the leadership of General Rich Clark. We talk frequently on 
this.
    To provide a bit of perspective on this, I see it as only 
natural that Special Operations Command, as they operate across 
all the different domains, also has the capability within 
cyberspace. I think the delineation is, you know, what is the 
focus of U.S. Special Operations Command, what is the focus of 
U.S. Army Cyber Command, what is the overall focus of U.S. 
Cyber Command. I think we have worked through that.
    I think to your point, there is still work to do on our 
doctrine. We will continue to advocate for that work, but we 
all realize that it is more than, you know, just conducting one 
cyberspace operations. It is the entire information domain that 
we have to understand and be able to operate within.
    Mr. Langevin. Thank you, General.
    I will hold there and turn to the ranking member for his 
questions now.
    Mr. Gallagher. Thank you.
    General, you mentioned the challenge in the Colonial 
Pipeline context of ransomware and criminal groups, and I think 
it is safe to say that challenge is only going to grow in the 
short term. Part of the problem that strikes me is an 
authorities problem. I would be curious, to the extent you can 
answer in open session, what tools you believe you have in your 
kit to get at that challenge. Because I believe you also 
mentioned that as NSA [National Security Agency] Director, you 
are limited in obviously monitoring domestic U.S. IT 
[information technology] infrastructure.
    Do you think your CYBERCOM forces could be provided under 
DSCA [Defense Support to Civil Authorities] to DHS [Department 
of Homeland Security], for example, and used to conduct a sort 
of monitoring analysis under DHS authorities at least until DHS 
builds its own capabilities? How do we get at this in the short 
term while we sort of build out a longer term answer?
    General Nakasone. Ranking Member, I think to your initial 
point, it is really important to look at this as a broader 
element and how do we get after this criminal activity. I think 
this is a whole-of-government effort. In the United States, it 
is most appropriate that lead Federal agencies, obviously, 
Department of Homeland Security, Federal Bureau of 
Investigation. I don't think there is any problem with the 
authorities in terms of what it's stated out to do.
    But as we look at ransomware and as we continue to peel 
this back, as we see criminal actors that are operating outside 
the United States, I think what the administration obviously is 
moving towards is how do we have a whole-of-government approach 
that brings together our levers of power that includes 
diplomacy, and certainly our economic and, if necessary and if 
authorized, outside the United States, what the Department of 
Defense might do.
    To your last point, Ranking Member, with regards to support 
for anything like this, well-established processes, as you 
know, Defense Support to Civil Authorities, and I think that 
those would be executed if lead Federal agencies needed to have 
that support.
    Mr. Gallagher. Well, as we attempt to step back and look at 
it holistically, I think it is fair, at least with one lens, to 
look at it as not just as this attack isolated but as a Russia 
problem, right. And part of the problem is you have, at times, 
opaque relationships between the Russian Government and 
criminal groups.
    Do we have the sufficient analytical capacity to tease out 
those relationships, make those distinctions? Is there more 
regional expertise that we need to apply to this problem? I 
would be curious to the extent--again, the extent you can 
answer in this session, how you think about those opaque 
relationships and our ability to better understand them.
    General Nakasone. Quite simply, I think about it in terms 
of how do I provide the most intelligence I can as the Director 
of the National Security Agency or Commander of U.S. Cyber 
Command that provides both a viewpoint on intent and capability 
of our adversaries. I think, you know, as any director of a 
combat support agency would share with you is we need to do 
more. And we can talk a little bit more in closed session 
today, but, again, I think that overall, we have work to do 
across U.S. Cyber Command and the National Security Agency.
    Mr. Gallagher. And then finally, one of the Cyberspace 
Solarium Commission recommendations that we are working on 
right now is this concept of systemically important critical 
infrastructure, which this case obviously brings up. Do you 
support the idea of creating a codified relationship between 
the United States Government and critical functions?
    General Nakasone. Congressman, I would say I support 
anything that is going to ensure the security of our critical 
infrastructure and key resources. My experience has been with 
elections, but there are 16 other sectors. And I think that 
what the administration has laid out in the 100-day plan 
initially with regards to energy is a great start where we need 
to figure out how do we bring the whole parts of the government 
and, particularly important, how do we bring the private sector 
into a greater partnership to ensure that we have outcomes that 
will lead to greater resiliency and obviously security.
    Mr. Gallagher. Thank you. I guess the clock doesn't count 
down when you are up this high on the dais, which is 
interesting. But in the interest of time, I will still yield 
back.
    Mr. Langevin. Well, we follow the lead of the chair and the 
ranking member on the full committee that the chair and ranking 
member of the subcommittee are not on the clock. But with that, 
I want to now thank you for your line of questions, and I also 
want to commend the ranking member for his leadership as co-
chair of the Cyberspace Solarium Commission. I was proud to 
serve on the Commission with you, and really appreciate your 
commitment to our national security. That report went a long 
way, I think, toward getting us to a stronger place in 
cyberspace.
    With that, I want to recognize now Mr. Larsen for 5 
minutes.
    Mr. Larsen. Thank you, Mr. Chair. Ranking Member Gallagher 
will see the clock ticking now that we are on the others.
    General Nakasone----
    Mr. Langevin. I am watching it very closely.
    Mr. Larsen. General Nakasone, section 1729 of the NDAA 
required a conference and evaluation by the SECDEF [Secretary 
of Defense] basically on how to use the cyber capabilities of 
the National Guard. Do you have an update on the status of that 
evaluation?
    General Nakasone. Congressman, I would have to defer to the 
Secretary if she has one. I personally don't have one, but 
certainly we can take that for the record, if necessary, 
Congressman.
    [The information referred to can be found in the Appendix 
on page 65.]
    Mr. Larsen. That is good. Thanks. Perhaps, Secretary?
    Ms. Eoyang. Mr. Larsen, I just wanted to clarify. Since we 
have had a number of congressional interest provisions on 
National Guard, exactly which of the provisions are we 
referring to?
    Mr. Larsen. Cyber capabilities and interoperability of the 
National Guard. It requires a comprehensive evaluation by 
SECDEF on the mechanisms by which the Department is able to 
improve the utilization of cyber capabilities resident in the 
National Guard.
    Ms. Eoyang. Our understanding is that we should have an 
answer for you later this summer on that topic.
    Mr. Larsen. All right. I have a list of questions that are 
really more appropriate for a different setting, but I do want 
to ask--where did my question go here? Oh. Perhaps for General 
Nakasone. Can you highlight, perhaps, how you are leveraging 
commercial threat information providers, and then how do you 
share that information?
    General Nakasone. Congressman, we have a number of 
different relationships with the private sector. Sincerely, in 
terms of being able to understand better the vulnerabilities 
that exist in our private--in the same private companies is 
critical for us. This is obviously sometimes a means upon which 
we have early alerts to problems that might exist in the 
private sector.
    At the command, I assure you that any type of data is 
looked at, screened, and carefully evaluated for U.S. persons 
data. And if by rare occasion that we do have that, we will 
certainly minimize, and we have processes and procedures upon 
which to deal with that.
    Mr. Larsen. And then in last year's NDAA, we authorized 
some language that has CYBERCOM participating and contributing 
to the Joint Cyber Planning Office at CISA [Cybersecurity and 
Infrastructure Security Agency]. How will you plan to implement 
that provision?
    General Nakasone. Congressman, we have had some experience 
in working very closely with CISA, and it began with the 
election. One of the things that I directed were a series of 
planners to go over and to work closely with CISA as we put 
together our strategy for securing the 2020 election. What we 
found is that this truly is value added. The way that we do 
planning operations is something that I think is very helpful 
as we take a look at broad-based problems like election 
security. We are going to continue to support that. That has 
been an element that the Secretary has emphasized to us, and in 
very close partnership, obviously, with CISA. So this will be 
just the first of many steps as we go to work this closely.
    Mr. Larsen. All right. And one final question, and this is 
kind of related to the operations of NSA. But Congress has just 
been notified, General, that there was a decision made to close 
the NSA's onsite childcare center, creating a tough situation 
for employees or parents. Can you speak a little bit about that 
decision?
    General Nakasone. Congressman, we were alerted several 
weeks ago by the private company that runs the childcare center 
that they were intending to close at the end of June. We have 
spent the past several weeks doing a series of different 
activities. First of all, working closely with those families 
that are affected to ensure that they have information and 
leads to other childcare facilities within the area. Secondly, 
taking a look at mid- and long-term plans. As you know, we are 
in the midst of a fairly large construction work at Fort Meade, 
and so this was, I think, part of the impetus where the private 
company decided to close at the end of June. But, clearly, it 
begins with our engagement with the families that are affected, 
and it has my personal interest, sir.
    Mr. Larsen. Well, I am glad to hear that. Pre-pandemic, we 
had a childcare crisis in the country. The pandemic has 
exacerbated that. We have taken action through the American 
Rescue Plan to try to alleviate some of that, but we don't need 
to deliberately add to the problems of folks. So thanks for 
updating me.
    I yield back.
    Mr. Langevin. Right on time, Larsen. Very good. I thank the 
gentleman for his line of questions.
    Mr. Rogers is now recognized for 5 minutes.
    Mr. Rogers. Thank you, Mr. Chairman.
    General Nakasone, the threats that you have described that 
we face from adversaries in the cyber world, how imminent are 
they?
    General Nakasone. Well, I think--Congressman, to your 
point, I think that what we are seeing right now are 
adversaries that are increasing their scope, scale, and 
sophistication. What do I mean by that? I mean that it no 
longer is just a simple guessing of passwords or perhaps a 
phishing email that our adversaries are starting to use. They 
are using things like supply chain operations, as we saw in 
SolarWinds, or they are utilizing zero-day vulnerabilities, 
those vulnerabilities that the provider doesn't know about but 
that an adversary can utilize, as we saw with Microsoft.
    And so this is the world in which our adversaries are 
operating below the level of armed conflict trying to do three 
primary things: They are looking to steal our intellectual 
property; they are looking to, you know, steal our personal 
identification, whether or not that is, you know, passwords or 
that is Social Security numbers or that is email addresses; and 
they are looking to conduct interference and influence 
operations either against our electoral processes or within our 
economy.
    Mr. Rogers. Are they looking to do that in the future or 
are they looking to do that now?
    General Nakasone. Oh, they are doing that now, Congressman.
    Mr. Rogers. Yeah. So you would urge this committee to act 
with haste on whatever you are going to recommend for us to do 
in this year's NDAA?
    General Nakasone. Congressman, I would certainly focus 
internally, and I am going to be ensuring that whatever we are 
doing, we are doing at a pace that is accelerated.
    Mr. Rogers. Well, my point is, if you are going to need any 
additional statutory authority, you need to let us know, 
because we are ready to act.
    I talked to you yesterday about the committee's welcoming 
of the recommendation from the National Defense Strategy 
Commission, the suggestion of a Digital Service Academy to help 
train up personnel to take on this challenge, and you mentioned 
that you also had a retention issue. Can you talk more to the 
committee about the challenges you face with retention of 
quality personnel in this area?
    General Nakasone. So, Congressman, you asked me yesterday 
about how the services were doing in terms of providing us 
military and civilian members to outfit our 133 teams, and my 
response is they do a spectacular job of doing that. It is not 
the fact that our services don't do a great job in recruiting 
and the fact that they do a great job in training, and then we 
develop them at U.S. Cyber Command. At the end of the day, what 
I think the most about is how do I retain this superior force, 
particularly those individuals that are so much more capable 
than their peers. And so retention is something that means a 
lot to us.
    And, you know, one of the things that I continue to work 
closely with the services is how do we ensure that the best of 
the best decide to stay with us, or if they are going to leave 
us, how do they become part of our Reserve Component, our 
National Guard, our Reserve force, or how do they continue to 
contribute within the broader U.S. Government.
    Mr. Rogers. Do you think you are going to need some 
statutory leeway to be able to accommodate that challenge?
    General Nakasone. So this is a point where that we will 
work closely, obviously, with the Joint Staff and the Office of 
Secretary of Defense to come back with some recommendations, 
because I think that we have a growing amount of data that can 
be helpful here for the Department to make an overall request.
    Mr. Rogers. Great. Well, I look forward to receiving that, 
and thank you for your service.
    I yield back.
    Mr. Langevin. Thank you, Mr. Rogers.
    I will next go to Mr. Moulton. Welcome back from paternity 
leave, and congratulations, Seth. And you are now recognized 
for 5 minutes.
    You are on mute.
    Mr. Moulton. How is that?
    Mr. Langevin. Go right ahead. You are recognized.
    Mr. Moulton. Sorry. I was unmuted, but I was on the wrong 
microphone, apparently. My apologies.
    Mr. Chairman, thank you for your remarks. It is good to be 
back.
    And to build off some of your comments on the need for 
coordination between info operations and cyber operations, 
General Nakasone, a few weeks ago the DC police was attacked by 
the hacking group Babuk, which is reportedly a Russian-speaking 
group. They accessed and published hundreds of confidential 
documents, clearly damaging the public's confidence in the 
police in the process.
    In the past year, we have also seen influence operations by 
Russian entities to undermine confidence in the police and 
exacerbate societal tensions related to the police, so it is 
not a stretch to imagine that an adversary could use a 
combination of cyberattacks, like the one conducted by Babuk, 
and influence operations to undermine faith in public 
institutions further. In fact, Russia has clearly tried to do 
just that in our elections by hacking our electoral 
organizations while also running disinformation campaigns to 
undermine the public's faith in the process.
    How is your organization posturing itself to defend against 
that kind of layered attack?
    General Nakasone. Congressman, we are well-postured to 
ensure that we provide the appropriate support to the lead 
Federal agencies involved. Let me give you several examples.
    So, first of all, I will begin with the elections. Our 
focus at U.S. Cyber Command, at the National Security Agency, 
is outside the United States to provide the insights on our 
adversaries into what they are doing. We are well-practiced at 
this, and I think we have demonstrated our proficiency in both 
the 2018 and 2020 elections in doing this.
    In terms of the recent concerns about domestic violence, 
again, our focus is outside the United States for foreign 
actors that might be doing one of three things: First of all, 
generating content that might be utilized within the United 
States; secondly, any type of violent activities that are being 
called for by a foreign actor; and then thirdly, any type of 
information that is being passed internally with regards to 
gathering against the United States in any location. We work 
closely with the FBI [Federal Bureau of Investigation] on that. 
We work closely with the Department of Homeland Security. We 
will continue to do that now and well into the future.
    Mr. Moulton. General, how would you characterize the 
interagency process and how effectively you are able to work 
with these different agencies?
    It strikes me, as an observer, that the lines of authority 
are not particularly clear and it is hard to delineate who is 
responsible for which operations, especially when, even just 
given the example you just described, it is very easy to see 
how a foreign actor like Russia can easily have a single 
operation that goes into the territory of multiple U.S. 
organizations.
    General Nakasone. Congressman, I think the authorities, at 
least from my perspective as both the commander and the 
director, are clearly stated, and I know them very well. And I 
know that our focus is outside the United States. I know that 
our focus is enabling our partners within the United States.
    And I think--I come back to the elections. There could not 
have been a closer partnership between U.S. Cyber Command, the 
National Security Agency, the Federal Bureau of Investigation, 
and the Department of Homeland Security. To give you an 
example----
    Mr. Moulton. General, we are just short on time. Just to 
give you an example of the problem here is that if the rest of 
us don't see that partnership or understand how it works, then 
you can have a situation where, you know, you have briefed us 
that the last election was the most secure in American history, 
and yet half the people in Washington today, all of one party, 
are trying to make the case that it wasn't.
    So how do we improve that understanding, even if it is just 
a public understanding, of how these lines of authority work?
    General Nakasone. So, Congressman, in terms of the 
election, you know, I speak to attempts by foreign adversaries 
trying to interfere and influence our electoral process, and I 
am very proud of the work that has been done and in partnership 
with FBI and DHS on this.
    Mr. Moulton. Yes. But you are not answering my question, 
General, which is that if public perception does not understand 
how this interagency coordination works, then it is easy to 
think that these operations are not successful.
    Ms. Eoyang. Mr. Moulton, if I may. Mr. Moulton, if I may.
    Mr. Moulton. Yes, absolutely.
    Ms. Eoyang. It is something that the Department works with 
whole of government to protect our elections, and I think we 
are very clear with the public about the work that we do in 
this space. But we do not operate domestically, and so we have 
to engage with the rest of government to make sure that the 
American people are resilient to misinformation and 
disinformation, and we will continue to work with our 
interagency partners on that.
    Mr. Moulton. Yeah. I mean, that is my point. And I know my 
time has expired, Mr. Chairman, but I think we clearly need to 
do work on that. And, you know, if I had time, I was going to 
ask, you know, when I visit a Marine unit on the ground, are 
they going to say that they are integrated with Cyber Command. 
My questions all revolve around this coordination. It is very 
difficult to do. And I am not trying to suggest that I don't 
have confidence in your ability to follow your lines of 
authority, but let's make sure that they work well, not only 
internally, but that we can communicate them effectively to the 
American public.
    Thank you, Mr. Chairman.
    Mr. Langevin. Thank you, Mr. Moulton.
    Mr. Gaetz, you are now recognized for 5 minutes.
    Mr. Gaetz. Thank you, Mr. Chairman, and thank you for 
holding this very important and timely hearing.
    Millions of our fellow Americans are suffering right now in 
their quality of life, in their ability to interact with their 
jobs and their families as a consequence of a lack of 
resilience to these foreign cyber threats. And, General, I 
wanted to ask you, in circumstances where this opaqueness 
exists that Ranking Member Gallagher referenced regarding the 
connections between malicious cyber actors and state actors, 
how should we think about the concept of deterrence and our 
capability to deter against some of these more asymmetric 
threats?
    General Nakasone. Congressman, I think that in terms of 
thinking about deterrence, it really is thinking about how do 
we impose costs, and that is the way we have approached it at 
U.S. Cyber Command within the Department. In terms of operating 
outside the United States, when we see elements that are 
operating, how do we try to impose the largest cost possible, 
whether or not that is through being able to expose them, 
whether or not that is being able to share the information with 
a series of partners that we have, or whether or not when 
authorized to conduct operations against them.
    Mr. Gaetz. Can our fellow Americans who are dealing with 
the impact of this last cyberattack assume that the imposition 
of some cost is what is being contemplated by the Department of 
Defense now?
    General Nakasone. So while I won't get into, obviously, any 
of the operations that are being considered, what I would say 
is that, you know, my role as the Commander of U.S. Cyber 
Command is to provide a series of operational opportunities or 
courses of action for the Secretary and the President to 
consider.
    Mr. Gaetz. And I want to, again, delineate the types of 
options that we would like to task you to develop as they 
relate to state actors versus nonstate actors. I understand 
that with governments, exposure and embarrassment can be a high 
cost. Do you agree that with more asymmetric threats, the costs 
have to be more direct and economic and kinetic?
    General Nakasone. Congressman, what I would say is my 
experience is that the type of threats that you have described 
that are nonstate in nature, our response has to be persistent, 
that it can't be a one-time effort. It has to be persistently 
that we are going to enable our partners and to act when 
authorized.
    Mr. Gaetz. I also want to associate myself with the 
comments of the ranking member of the full committee regarding 
the workforce and recruitment. We all know why you have 
retention problems. It is because the private sector pays 
multiples what we would be able to pay people. And while pay 
certainly isn't the only thing that motivates folks, it 
certainly can contribute to a lack of retention of some of this 
high-end talent.
    It used to be the case, you know, not too long ago that the 
brightest minds in Silicon Valley were working on cyber and 
munitions and lasers, and the Department of Defense was the 
most important customer and often the most important investor. 
And now I am concerned that the brightest minds in America are 
working on likes and shares and memes and other activities that 
don't directly connect to the mission of the Department. And so 
I think it is essentially critical for us to follow the thread 
that Ranking Member Rogers laid out to actually develop more of 
that pipeline earlier, understanding that there will be some 
attrition. But a Digital Service Academy seems to be an 
inspirational, patriotic, nationalist thing for us to be able 
to do. I think it would inspire a great deal of confidence, 
both in the public and the private sector.
    Is there any advice you would give us going forward to 
perhaps flesh out that idea from Ranking Member Rogers?
    General Nakasone. So I think--I couldn't agree more in 
terms of just the spirit of what both you and Congressman 
Rogers has described with regards to opportunities future for 
talent. I would only add, what we have to do collectively as, 
obviously, the Department and the government, is to make it as 
easy as possible for people to go from the private sector into 
the public sector. And I think we still have work to do there.
    Mr. Gaetz. Yeah. I mean, I recall even from our first 
orientation, the challenges presented by some of the 
limitations and exclusions that the Department puts on people 
for decisions or recreation that they engaged in that then 
could disqualify them, and I would hope we would want to cast a 
wide net for high-quality talent that can make that 
contribution.
    And, again, the earlier you get started with--you know, we 
get to nominate these great patriots to service academies now, 
and we see how in the 9th and 10th grade, they are already 
making choices to try to earn those nominations and those 
appointments. And so I think that building that pipeline sooner 
would certainly be very helpful.
    I thank the chairman, and I yield back.
    Mr. Langevin. Thank you, Mr. Gaetz.
    Ms. Houlahan is now recognized for 5 minutes.
    Ms. Houlahan. Thank you, Chairman. I really appreciate the 
chance to ask questions.
    This one is for General Nakasone, and it is nice to see you 
again. I am really interested in digital citizenship and 
digital literacy. I think it is incredibly important, 
especially in this time when we are, frankly, as a nation and 
as a world, unclear on where the truth lies. I am wondering if 
you could tell us how you, frankly both of you, are ensuring 
that your cyber professionals are trained on how to identify 
and root out disinformation. And if there is any specific 
training that you are using for your own team, is there 
anything that we could leverage or take advantage of to expand 
to all of the DOD employees to be able to educate them in 
sussing out the truth as well?
    General Nakasone. So, Congresswoman, I will begin, and if 
the Secretary wants to jump in. So I begin in terms of our 
work, we have a very, very structured analytic development 
program at U.S. Cyber Command that walks our analysts through 
being able to understand the information that is presented.
    I think, to your point, this is a dynamic environment, and 
so our training continues to evolve. We continue to see our 
adversaries utilize new means upon which they are trying to 
influence, and that is one of the areas that we have focused on 
is being able to have that ability to meter our training fairly 
rapidly.
    Ms. Houlahan. And is there anything that you can think of 
that would be applicable to the broader DOD at large?
    Ms. Eoyang. If I may, Congresswoman. I know that this is a 
priority for the Secretary, increasing the resilience of the 
DOD workforce, and it is something that he has been working on 
as we have gone through and responded to the events of January 
6.
    And I think, to echo General Nakasone's comments about the 
analytic work force, not just at NSA, but at all of DOD's 
intelligence elements, we do teach a fair amount of critical 
thinking to large parts of our workforce.
    Ms. Houlahan. I would love to follow up with you both on 
whether there is any applicability to the larger workforce and 
not just the analytical aspects of our DOD workforce but the 
body as a whole.
    The next question. I would like to very much associate 
myself with the remarks of Mr. Gaetz, and I know Mr. Rogers as 
well, are interested in this concept of the Digital Service 
Academy. I as well am very keen on exploring that and advancing 
that as well. But in the meantime, highly skilled STEM 
[science, technology, engineering, and mathematics] 
professionals are definitely something that we are competing 
with with the civilian economy. And I was wondering if you 
could speak a little bit about the Cyber Excepted Service and 
how it has either positively or negatively impacted DOD's cyber 
missions, and what we can do in this space more to enhance our 
workforce capabilities. Maybe General Nakasone speaks first.
    General Nakasone. Thank you, Congresswoman. I am a huge 
supporter of Cyber Excepted Service. What are we seeing with 
it? We are seeing that it is an avenue for us to be able to go 
to recruiting fairs and offer final job opportunities and 
opportunities for young people to come and consider a career 
with U.S. Cyber Command.
    The other element is, is that I think it takes into account 
that we have to hire differently, and so we are seeing a 
dramatic drop in the number of processing days for those that 
are hired under Cyber Excepted Service. Let me give you an 
example. Traditionally, it has taken about 110 days to bring 
someone into our civilian workforce. Under Cyber Excepted 
Service, we are seeing that drop to somewhere in the 60-day 
range, so that is a tremendous drop for us. That means that we 
get people into our workforce much quicker. It is a much better 
sign for those that are coming into U.S. Cyber Command that we 
are serious about talent as our number one priority.
    Ms. Houlahan. Ms. Eoyang, do you have anything further to 
contribute to that?
    Ms. Eoyang. I think that General Nakasone is right, and 
building a strong and vibrant cyber workforce is certainly a 
priority, and we have been working with our colleagues in 
personnel and readiness to try and improve that.
    Thank you.
    Ms. Houlahan. And with the last couple minutes or couple 
seconds of my time, is there anything further that we could be 
doing in addition to things like the Digital Service Academy 
and programs such as these that we can make sure that we are 
including in this round of the NDAA? Ms. Eoyang.
    General Nakasone. So, Congresswoman, if I might, let me 
highlight DreamPort, which is an initiative that this committee 
has supported. I think you will recall that DreamPort in 2018 
was stood up. It is an unclassified facility just outside of 
Fort Meade that we utilize for a number of different 
initiatives, initiatives such as bringing young people in, a 
series of high school interns for the summer, an ability to 
bring together commercial industry with U.S. Cyber Command to 
talk about key topics like, you know, new architectures for our 
networks.
    But what I have seen when I have gone over to a place like 
DreamPort, a very small investment can have tremendous impact 
on young people in terms of exciting them about coming into and 
thinking about cyber as a career.
    Ms. Houlahan. Thank you. As a former high school----
    Ms. Eoyang. The only other thing that I would add that----
    Ms. Houlahan. Go ahead.
    Ms. Eoyang. I am sorry. The only other thing that I would 
add to what General Nakasone says is that many of the people in 
our workforce, they come to us because they are motivated by 
the mission, that money is not their primary motivator. And so 
the Congress' continued support for the ways in which we can 
bolster the training and education of our workforce to help 
them deepen their support to the mission, we appreciate the 
support that you have given us so far, and we hope that that 
would continue in the future.
    Thank you.
    Ms. Houlahan. Thank you, ma'am. And I yield back.
    Mr. Langevin. Thank you, Ms. Houlahan.
    Mr. Franklin is now recognized for 5 minutes.
    Mr. Franklin. Thank you, Mr. Chairman.
    And my first question would be for Ms. Eoyang and it is a 
follow-up, really, to what Mr. Gaetz was referring to before, 
asking about regarding the attacks we are seeing that are 
coming from both nation-states and nonstate actors. 
Specifically, with the nonstate actors that are being 
financially backed by these states, do our tactics differ on 
how we attack or how we deter those attacks, depending on 
whether they are coming from the nation-states or nonstate 
actors?
    Ms. Eoyang. Certainly, nonstate actors who are engaging in 
financially motivated crimes, the lead for responding to those 
actors are the FBI and DOJ [Department of Justice]. The 
challenge, I think, that we have is that when those attacks 
first come across the networks and impact us, when we see that 
malicious activity, it is always a challenge of attribution to 
be able to pull it apart and figure out who are the state 
actors and who are the nonstate actors. Which elements of 
government would then be tasked with the lead to disrupt that 
activity varies based on location and whether or not they are 
criminal or not. But certainly it is clear that for nation-
states who are playing in this hybrid space, we consider that 
irresponsible state behavior and would continue to call it out 
where we see it.
    Mr. Franklin. All right. Thank you.
    In both of your testimonies, you make clear that the U.S. 
can't go it alone here and we have this great need to work with 
our allies when it comes to cyber specifically. In what ways 
can you see that we can strengthen our current relationships? 
And then, how do we go about building out new ones? And with 
some of our tactics like, you know, hunt forward, has that 
position changed over time, depending on which partner country 
we are referring to?
    Ms. Eoyang. Congressman, I would just say that as the 
President has indicated, strengthening and reinforcing our 
relationships with our alliances and partners is a very high 
priority for him. We have demonstrated our commitment to 
working with allies and partners in the face of the threat. We 
have expanded our participation in Cyber Flag, and the 
President continues to maintain a high interest and support for 
hunt forward operations. I will let General Nakasone speak to 
the specifics of that, but we continue to build relationships 
with partners and allies.
    General Nakasone. Congressman, I would just add, hunt 
forward operations, where we are obviously coming at the 
request of a foreign government, worked through the Department 
of Defense and the Department of State, has been, I think, a 
tremendous ability for us to show our commitment to 
partnerships. And, you know, just during the defense of the 
2020 elections, 11 different missions in 9 different countries, 
you can see the importance that the Department places on this.
    Mr. Franklin. Great. Thank you. That is all I have, Mr. 
Chairman. I yield back.
    Mr. Langevin. Thank you, Mr. Franklin.
    Ms. Slotkin is now recognized for 5 minutes.
    Ms. Slotkin. Great. Thank you, Mr. Chairman. And thank you 
to our witnesses for showing up here. You guys have such an 
important mission.
    I want to associate myself with the comments that 
Representative Gallagher said at the top of the session here. I 
think it would be so important to really present a truly 
transformational budget on cyber, you know, whenever you guys 
submit it. I think that this committee is crying out for it. I 
think that the country is crying out for it.
    And we know that that will come at the expense of older 
systems, legacy systems, pork, and that Congress has a 
responsibility to help you with that, which we don't always 
live up to. But I just want to encourage you to be bold and 
provide something that really helps move us into the 21st 
century so we can maintain our military edge.
    I guess the question I have for both of you is, I am 
running this task force, along with Mr. Gallagher, on the 
Defense Department's supply chains and our vulnerabilities. And 
cyber has come up at every single session that we have had 8 
weeks in a row.
    So can you tell us, particularly in the wake of SolarWinds, 
kind of what CYBERCOM is doing to look at supply chain 
vulnerabilities, either access by foreigners or just, you know, 
whether it is intentional or benign? Can you talk to me about 
supply chain issues?
    General Nakasone. Congresswoman, what we have done in the 
wake of SolarWinds is, again, taken apart and better understand 
exactly what the adversary was able to do, and from that, 
working with the National Security Agency and the Department of 
Defense, have looked at the defense industrial base to be able 
to share that information.
    I would offer to you, however, that we are also getting a 
tremendous amount of support and information from defense 
industrial base companies that provide us kind of an indicator, 
and I would be more than happy to follow up with that in a 
future session.
    Ms. Slotkin. Okay. The other thing I guess I would ask is, 
you know, in Michigan, we host a multi-domain exercise that is 
Army, Air Force, and has now been integrating cyber into, you 
know, the giant exercise. Tell me about what you have done to 
try and encourage the cyber component of multi-domain exercises 
all over world.
    General Nakasone. Congresswoman, what we have done is 
twofold. One is to try to encourage and support the Guard, not 
only in exercises, but in real world. And so we created a 
capability called the Cyber 9-Line, which allows any element 
within the Guard, Air or Army, to be able to access our big 
data platform, to share information at an unclassified level 
with the simple use of a common access card, which is your ID 
card. Every single element within the United States, the 54 
elements of the Guard in our States and territories, has 
utilized that.
    The second piece is, is continuing to support, not only 
within our exercises, Cyber Flag, as the Secretary mentioned, 
but also within Guard exercises to have robust cyber play.
    Ms. Slotkin. Okay. And I guess, you know, this is more of a 
comment than it is a question. But along the lines of what 
Representative Moulton was saying, it is so hard to explain to 
the American public what we are doing to respond when they see 
these very visible attacks, whether they are from a foreign 
entity, ransomware, or whatnot.
    Our constituents, they are on the front lines of these 
attacks, and yet they can't feel--they don't know what their 
country is doing to respond. And I know that that is a 
difficult position for you all. What you do should be under the 
radar, but I would just note that there is a real sense that 
there is just no deterrence on a cyberattack, that a Russian 
group, a Chinese group can just attack us with impunity. They 
can steal a million records, you know, the SF-86 forms of a 
million Federal workers, and we put out a strongly worded press 
release.
    So we are going to need to figure out how to not just do it 
in the shadows but communicate to the American people that we 
are not leaving ourselves open as this becomes kind of the 
primary form of attack on the average American citizen. So I 
will leave it at that.
    Thanks very much, and I yield back.
    Mr. Langevin. Thank you, Ms. Slotkin.
    Mr. Fallon is now recognized for 5 minutes. Mr. Fallon, are 
you with us?
    Mr. Fallon. Yes. Sorry, Mr. Chairman. Can you hear me?
    Mr. Langevin. We can hear you now, yeah.
    Mr. Fallon. Oh, wonderful, thank you.
    Well, my colleagues have asked some very good questions, 
excellent questions. And I wanted to ask Secretary Eoyang, the 
Cyber Mission Force has only reached full operational capacity 
by 2018. And given that personal computers and the internet 
have been a part of our daily lives for 30-plus years, why do 
you think it took so long to gain this capability and capacity?
    Ms. Eoyang. Congressman, I think--while I wasn't here in 
the Department in 2018, I think that it is a growing 
recognition of the importance that cyber plays.
    Prior to this, many of the cyber response capabilities for 
the Department were resident in the services, but as we 
realized the need to integrate and think about those things 
more broadly, the Cyber National Mission Force was stood up. 
And I am happy to let General Nakasone speak to what the 
evolution of that has been and the capability that they have 
developed.
    I think we are at the beginning of being able to see the 
role of the Cyber Mission Force and its integration into the 
rest of DOD's responses, but I think that its role will 
continue to grow for us in the Department.
    General Nakasone. Congressman, I would say, we began 
building the force in 2014 based upon a decision at the 
Department. The command stood up in 2010. Twenty-eighteen was a 
pivotal year for us. It is not just the fact that we achieved 
full operational capability. With the help of this committee, 
with the help of Congress, we received the right authorities 
within the NDAA that identified cyber as a traditional military 
activity, and that was instrumental for the work that we did in 
the 2018 midterm elections.
    The force is mature, it is moving on, it is getting better, 
it is innovating, it is improving. You know, I can't speak to 
the length of time to why it took us until 2018 to finish it, 
but what I can speak to is, is that I am very proud of the work 
that it has done and where we are headed.
    Mr. Fallon. Well, General, I would say, thank you for your 
answer. But I would be little bit more concerned not so much 
that we finished the beginning really, or we had the end of the 
beginning in 2018, but we didn't start till 2014. I think this 
is something that probably should have been done back when you 
were a company grade officer in the 1990s, and it is 
unfortunate that it hasn't happened. It seems like we are 
playing a little catch-up.
    Since 2018, General, what do you see as the notable 
accomplishments that have been achieved by your command?
    General Nakasone. Congressman, I would begin with security 
of the elections in 2018 and 2020, a much different result that 
came about based upon, again, the authorities that came to us 
from both the legislative and the executive branch.
    There are other series of operations that have been 
conducted since then, that I would welcome to be able to 
comment this afternoon in a different forum. But I think I 
would close with just the ability for the services and the 
Department to evolve pretty quickly in terms of, not only the 
fact that we stood up a force, but the fact that the services 
now have established cyber services and cyber branches, and 
then being able to move quickly to react to how we need to 
outfit those forces.
    Mr. Fallon. General, what kind of collaboration exists 
between CYBERCOM and DHS's CISA?
    General Nakasone. Daily collaboration, Congressman. As I 
mentioned, we have a series of planners that are there. We have 
worked such initiatives as, you know, the protection of the 
vaccines within this country. We have also looked at a series 
of exercises to posture ourselves for support to DHS in the 
event of a crisis. So it is an ongoing, robust relationship 
with CISA.
    Mr. Fallon. Thank you, General, Secretary. And thank you, 
Mr. Chairman. I yield back.
    Mr. Langevin. Thank you, Mr. Fallon.
    Ms. Escobar is recognized for 5 minutes.
    Ms. Escobar. Thank you, Mr. Chairman. Really appreciate the 
opportunity. Many thanks also to our witnesses for their 
service to our country, as well as for bringing their expertise 
to this subcommittee.
    You know, as our daily lives and as more of our security 
and the utilities that we depend on migrate toward the web, and 
as we see recent attacks like what we saw with Colonial 
Pipeline, the urgency of this issue could not be more pressing 
for our committee.
    I am very interested in exploring innovation. And, General, 
you mentioned innovation and, Secretary Eoyang, you did as 
well. But, Secretary Eoyang, I would like to explore a little 
bit more the Department's initiatives to engage institutions of 
higher learning, not just for recruitment when it comes to 
cyberspace, but also as partners for this badly needed 
innovation.
    The University of Texas at El Paso in my home district is a 
National Center of Academic Excellence in cyber operations. And 
so I am curious about just how much the Department prioritizes 
collaboration with universities, you know, as you described 
DOD's key partners outside the U.S. Government. And I want to 
give you a chance to elaborate on this and, again, not just in 
terms of recruitment, but also as a key partner.
    Ms. Eoyang. Yes, absolutely, Congresswoman. Research 
universities like UTEP [University of Texas at El Paso] and 
others, who have a focus on cyber, do provide tremendous 
benefit to the Nation. Universities, as part of our research 
and engineering efforts in the Department, are a key source of 
ideas and innovation for us, and we have prioritized funding to 
those institutions.
    We will have to--we can reengage with you when the 
President's budget is submitted about specifics related to 
that.
    General Nakasone. Congresswoman, if I might just add to the 
Secretary's comments. As you well know, the National Security 
Agency sponsors over 300 Centers of Academic Excellence in the 
United States, of which I believe UTEP, as you indicated, is 
one of them.
    We will continue to do that as an agency. It is critical, 
not only in the sense, as you noted, with regards to the 
development of our young people, but also in the development of 
curriculum that changes and matters to what our universities 
are working on. So I think this is a rich partnership that we 
will certainly continue well into the future.
    Ms. Escobar. General, I really appreciate that. And, you 
know, one of the things that I would add, in addition to 
bringing that innovation that universities and institutions of 
higher learning can bring, an institution, as you know, like 
UTEP, which is a Hispanic-serving institution, brings badly 
needed diversity to the way that we operate as a country, as a 
government. And so I appreciate that, and I look forward to 
continuing to work with you all on ways to expand opportunities 
for institutions like UTEP, but also to really rely on that 
innovation that I think will help get us out from being behind 
the curve and to being more in front of it.
    Secretary Eoyang, one last thing. I want to explore the 
Pathfinder program. You said you partner with DHS on this, in 
which you assist private companies by enhancing their ability 
to protect their own networks. Can you describe the results of 
the Pathfinder initiatives?
    Ms. Eoyang. So I believe we owe Congress a more fulsome 
answer on our analysis of the Pathfinder program, but as we see 
today with the interruption of Colonial Pipeline, the 
Department's ability to partner with private sector in order to 
be able to help them identify threats on their networks is an 
important defensive step that we can take to help secure the 
whole of nation. And I think perhaps General Nakasone has some 
thoughts on additional public-private partnerships in that 
area.
    General Nakasone. So, Congresswoman, I think my experience 
has been, we have worked closely with both the financial and 
the energy sectors on that. If we might have--if I can take 
that for the record, though, to provide you a more fulsome 
answer.
    [The information referred to can be found in the Appendix 
on page 65.]
    Ms. Escobar. That would be great. I appreciate it. Thank 
you both. Mr. Chairman, I yield back.
    Mr. Langevin. Thank you, Ms. Escobar.
    Mrs. Bice is now recognized for 5 minutes.
    Mrs. Bice. Thank you, Mr. Chairman, for holding this very 
important hearing. And thank you to both the witnesses for 
joining us today to share your perspectives.
    I appreciated your comment, General, in the beginning that 
cybersecurity is national security, and I think that the things 
that we have seen over the last, you know, week or two 
especially, have highlighted the importance and the swiftness 
at which this issue needs to be addressed.
    As both of you know, the DOD currently relies on thousands 
of data centers that are often stovepiped, disconnected, and in 
many cases, have reached their limits of life service. They can 
no longer be upgraded to meet current cyber threats our Nation 
is facing.
    I understand there is a directive for DOD agencies to 
migrate to milCloud 2.0, but the adoption has been slow. For 
both of the witnesses, but specifically to Secretary Eoyang, 
could you provide me with your perspective on the migration to 
milCloud 2.0 and the degree to which the migration can help 
address DOD's current cyber vulnerabilities?
    Ms. Eoyang. So as you know, the Department takes a number 
of steps to defend its networks and its data, but as to the 
specifics of migration, I will have to take that for the 
record. I want to make sure that I have coordinated that with 
my CIO [Department of Defense Chief Information Officer] 
colleagues.
    Thank you.
    [The information referred to can be found in the Appendix 
on page 65.]
    General Nakasone. What I would add to that, Congresswoman, 
is, what we have learned over the past 6 to 12 months is that 
we have to think about defense differently. In terms of as we 
move to, you know, cloud-based capabilities to secure our data, 
many people think that we will just put it into the cloud. It 
doesn't work quite that way.
    And so ensuring we have the right contracts written, 
ensuring that we have our defensive forces trained to a higher 
degree in terms of their abilities, ensuring we have the big 
data capabilities that are necessary, that is what I would add 
to it.
    Mrs. Bice. Follow-up question specific to that topic, and 
that is, do you believe that we are investing enough in 
cybersecurity?
    And I will elaborate on that. I feel like we tend to focus 
when we are looking at budgets, on people and, you know, 
equipment, but we are not looking at that cyberspace as much as 
I believe maybe we should be, and maybe some of the things that 
we are seeing now are highlighting some of that.
    Ms. Eoyang. Certainly, we have tremendous risk in 
cyberspace, and we are facing persistent adversaries in this 
space. I think that the questions of the resourcing are things 
that we have to take into consideration in light of the other 
demands that are placed upon the Department and the Nation. 
While we certainly could make use of additional funds, whether 
or not--how that all works out, we are happy to engage the 
committee when the President's budget is released.
    General Nakasone. Congresswoman, I am at a bit of a 
disadvantage because you are asking the combatant commander in 
charge of cyber to comment on a question like that. Here is 
what I would say: We have to use every single dollar that is 
provided to us by Congress in probably a much more efficient 
way.
    And the way I would characterize that is that, working 
very, very closely with the DOD Chief Information Officer, 
where do we prioritize our last dollar of defense. He has done 
a tremendous job, John Sherman, in laying that out. We have 
clear guidance from the Secretary that accountability means 
something with regards to cybersecurity.
    So it is not just the fact that we need more money. We need 
to be able to use the money that we have to the most efficient 
benefit of our Department.
    Mrs. Bice. On that note, do you believe that flexibility in 
making those acquisitions in a timely fashion would be of 
benefit to you? Because one of the concerns I have is that we 
spend a lot of time planning, developing, and then procuring, 
but it could be 2 years by the time that actually takes place, 
and at that point, the technology that we are acquiring is no 
longer, you know, of use in many cases.
    How do we address the timeliness of making sure that we are 
keeping up with these cybersecurity challenges?
    Ms. Eoyang. I do think this is one of those areas where we 
have to think differently, given the speed of the threat. The 
traditional acquisition models that the Department has used for 
concrete weapons systems may not be applicable to cyber, given 
the speed of things, but that is something that we need to work 
out with our colleagues in Acquisition and Sustainment, and 
happy to come back to you guys with some additional thoughts on 
that.
    General Nakasone. I appreciate the committee's elimination 
of the $75 million cap on acquisition, in the last NDAA. That 
was incredibly important for us, because we are starting to now 
grow this ability to do acquisition at the command. We need to 
go faster on that, but that is an example of something that 
helped us tremendously.
    Mrs. Bice. Thank you for your time today. Mr. Chair, I 
yield back.
    Mr. Langevin. Thank you, Mrs. Bice.
    Mr. Morelle is now recognized for 5 minutes.
    Mr. Morelle. Thanks very much, Mr. Chair, for this 
important hearing. And I want to not only thank you but thank 
the witnesses for their considerable contributions to the 
country.
    And, General, it is nice to see you. I had an opportunity 
with the freshman class in 2019 to visit with you at Fort Meade 
and was very impressed with the operation, and I know how 
critical this is.
    I want to just--and these may have been questions, as I am 
thinking about it, may have been asked in one form, but maybe 
you could just drill down a little.
    I have some questions about how private industry, the 
private sector innovation can help CYBERCOM address increased 
cyberattacks, whether they can, whether, in your opinion, some 
of those [inaudible] I know the private sector is working on 
it.
    Secondly is whether or not the command is well-positioned 
to implement cutting-edge technology from the private sector. 
So is it available? Is there help out there that you think you 
could use? Are you positioned to be able to implement help and 
resources and innovation in the private sector?
    And finally, are there obstacles preventing you from 
acquiring and implementing technology that we need to address, 
that we need to help you, you know, through the NDAA or other 
means to help you with a greater collaboration?
    And I would ask of both witnesses.
    General Nakasone. Congressman, just to start out, I would 
say that, is there initiatives in the private sector that could 
certainly help us? Yes, most definitely. And we see that. We 
are working with the Defense Innovation Unit. We are working 
through a series of partnerships that have been established.
    And then we are bringing it to, you know, a common location 
like our DreamPort facility where it is unclassified. We can 
have a discussion. They can understand in the private sector 
what our priorities are. That is among the most important 
things that we have to do at the command, is list each of the 
challenges that we need assistance on. Private sector is seeing 
that. They understand that.
    The other piece is that I think that perhaps what we have 
to do even more prevalently is be able to have the culture that 
sometimes we don't have to develop it, that it has been 
developed in the private sector. So when we talk about new 
architectures for our network, there is a lot of networks in 
the United States, a lot of really well-run networks in the 
United States; we should be able to leverage that quite 
rapidly, and that is what we are doing.
    The last piece, in terms of obstacles, if I might, again, 
just working through our folks and then back to the Department, 
if I can provide some thoughts on that as well.
    Mr. Morelle. Thank you, General.
    Madam Secretary, do you have any additional thoughts?
    Ms. Eoyang. I think that obviously the private sector has 
been----
    Mr. Morelle. I am sorry. I can't hear the Secretary.
    Ms. Eoyang. Sorry. The private sector has a tremendous 
amount of capability and innovation. I think the Department is 
looking for innovative ways to be able to bring that innovation 
in to benefit our mission. The challenge, I think, is while the 
private sector may move fast and break things, we, in the 
Department, can't afford to have things break. We need to move 
fast and fix things. So we welcome private sector partnership 
to work on that.
    Thank you.
    Mr. Morelle. Very good.
    Mr. Chair, I think this is an important subject. I would 
love to continue to be a part of the conversation and be 
helpful to both the Secretary and the General as they meet what 
are emerging and obviously very serious threats. With that, I 
will yield back, Mr. Chair.
    Mr. Langevin. Thank you, Mr. Morelle.
    Mr. Moore is now recognized for 5 minutes.
    Mr. Moore. Thank you, Chairman. Obviously, a very pertinent 
and important conversation today, so I am glad and appreciate 
having the time and the witnesses for being here.
    I think the American public would be able to categorize 
this as these things--these issues keep happening. We have got 
Colonial, we have got SolarWinds.
    My two questions are for General Nakasone. They are about 
deterrence and talent. So let me jump into the first one.
    We have now set a precedent, we are naming Russia as the 
culprit in a couple of these situations, in these attacks. Is 
that a plan going forward? Is it meant to be a deterrent for 
future hacks? Will it be a deterrent? Could you provide some 
context on our approach to that and even more broadly with 
respect to deterrence?
    General Nakasone. If I might start, and then I am certain 
that the Secretary may have some comments on that as well.
    Mr. Moore. Please.
    General Nakasone. So with regards to what we are seeing by 
adversaries operating against us in cyberspace, this is going 
to continue. And so the Department's position in terms of 
defend forward, operating outside the United States, and U.S. 
Cyber Command's ability to do persistent engagement is what we 
are doing, and we need to do more of it. We need to be able to 
enable our partners better, and we need to act, when 
authorized, more effectively, and I think that this will be 
certainly where we are headed.
    In terms of specific options regarding any of the 
adversaries, I would defer that until this afternoon. But there 
are, from my vantage point, a series of options that we 
continue to develop and provide when necessary for a number and 
a range of opportunities for the Secretary and the President's 
determination.
    Mr. Moore. Excellent.
    Ms. Eoyang. Congressman, thank you for that very important 
question. I think deterrence is certainly the Department's goal 
when it comes to cyberspace, but I think we need to be specific 
about what kinds of deterrents and against which types of 
adversaries.
    Since some of the activity that you referenced is what we 
would consider cyber espionage, and while we would expect that 
there is nothing that an adversary could do to deter U.S. 
intelligence-gathering efforts, there is likewise, we may not 
be able to deter adversary activity in that space to zero. That 
is not to say we can't impose costs, both by calling it out and 
making their lives harder, and engaging through other means to 
try and limit the scope of that activity. And I think that 
there are other ways that we can think about deterrence by 
denial.
    I would just note that in terms of cyberattacks that would 
rise to the level of an armed attack, we have not seen that 
type of attack from the adversary on the U.S., from a nation-
state adversary on the U.S. And we would, I think, continue to 
maintain a strong deterrence posture against any type of attack 
of that nature.
    Mr. Moore. Excellent. Thank you. And I look forward to 
discussing more through our closed briefing.
    Quickly, just with respect to the pool of cyber talent in 
the DOD, how, ultimately, are we going to be competitive with 
the commercial industry? How can we better avoid the attrition 
that we oftentimes see within the DOD that is both an expense 
and, you know, a dearth of talent that exists?
    General Nakasone. So, Congressman, I would begin. Our 
number one competitive advantage in this space is our mission. 
There is nowhere you can do some of the things that you can do 
at U.S. Cyber Command, legally, in the United States. And so 
that is something that we continue to obviously reinforce with 
our members.
    The second is that we have world-class facilities. Whether 
or not you are in Fort Meade or Georgia, Texas, Hawaii, 
Colorado, anyplace that we are operating, one of the things 
that we have been the beneficiaries of is a very, very high 
standard of facility that we operate.
    And thirdly, one of the things that we continue to 
obviously leverage are a series of financial incentives that 
the service's Cyber Excepted Service has provided to us. But it 
will never be about money. It needs to be about what we are 
doing in the mission and the folks that they are working with.
    Mr. Moore. Excellent. Welcome any other thoughts, 
Secretary.
    Ms. Eoyang. Thank you, Congressman. We really appreciate 
the committee's focus on this. And while we seek to retain the 
best possible cyber talent for the Department, we do have the 
benefit of, as we train cyber personnel, General Nakasone's 
personnel complete their military service and return to the 
private sector, we are also helping to fill a shortage of cyber 
talent across the Nation.
    So while we need to make sure that we can meet our 
retention requirements and readiness requirements, it is not a 
complete loss for the Nation because we send more people out 
there to defend in the private sector space as well.
    Mr. Moore. Excellent. Looking forward to discussing more.
    I will yield back. Thank you.
    Mr. Langevin. Very good. Thank you, Mr. Moore.
    And with that, I want to thank our witnesses for their 
testimony, the members for their questions. To our witnesses, I 
know that members had some questions that required follow-up 
and members may have additional questions. I ask that you 
respond in writing at the earliest opportunity.
    And with that, we are going to close out the open session 
of this hearing, and we will move now to CVC-200 for the 
classified portion.
    With that, the hearing stands adjourned. Thank you.
    [Whereupon, at 12:32 p.m., the subcommittee proceeded in 
closed session.]
     
=======================================================================

                            A P P E N D I X

                              May 14, 2021
      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                              May 14, 2021

=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
      
=======================================================================


              WITNESS RESPONSES TO QUESTIONS ASKED DURING

                              THE HEARING

                              May 14, 2021

=======================================================================

      

              RESPONSE TO QUESTION SUBMITTED BY MR. LARSEN

    General Nakasone. USCYBERCOM defers to Office of Secretary of 
Defense.   [See page 11.]
                                 ______
                                 
             RESPONSE TO QUESTION SUBMITTED BY MS. ESCOBAR
    General Nakasone. Cyber Command participated in two Pathfinder 
initiatives with Department of Homeland Security (DHS).
    The first was with DHS, the Treasury, and the Financial Systemic 
Analysis & Resilience Center (recently renamed to simply the Analysis & 
Resilience Center) to look at vulnerabilities in one of the financial 
sector's most critical systems, the Wholesale Payment System. The 
results of this collaboration over a 15 month period were collaborative 
analysis, mitigation development, and information sharing to provide 
better threat identification and early warning to improve security of 
critical financial infrastructure.
    For the second, USCYBERCOM partnered with DHS, Energy, and a 
private energy sector reliability coordinator in order to evaluate ICS/
SCADA vulnerabilities highlighted by Energy's Cybersecurity Risk 
Information Sharing Program (CRISP) and DHS's Automated Indicator 
Sharing (AIS) System. This effort demonstrated the usefulness of CRISP 
and AIS to utility companies, reliability coordinators, Treasury and 
DHS, and underscored the requirements that remain for USCYBERCOM to 
derive impactful information from these sharing initiatives to drive 
military cyber operations.
    Perhaps the most important outcome from these Pathfinder efforts 
was the acknowledgement and increasing understanding of how USCYBERCOM 
must interoperate with DHS as the lead federal agency for CIKR 
cybersecurity. We have demonstrated this understanding successfully, on 
a small scale, through efforts enabled by legislation like Sec. 1650 of 
the 2019 NDAA. As a result of this legislation, USCYBERCOM continues to 
support DHS with personnel that provide a critical and sustained link 
between our Departments. Additionally, it is important to note, the 
Pathfinder efforts are not the only venues or conduits for 
collaboration but have been important in testing new processes and 
developing useful routines and habits, which CYBERCOM has found 
valuable.   [See page 24.]
                                 ______
                                 
              RESPONSE TO QUESTION SUBMITTED BY MRS. BICE
    Ms. Eoyang. DOD-authorized commercial cloud services, such as 
milCloud 2.0, provide a computing infrastructure that can be more 
secure than the legacy computing infrastructure. However, milCloud 2.0 
infrastructure alone may be insufficient to address potential 
vulnerabilities in the software components and IT operations that 
compose the complete system. This is because Cloud computing generally 
consists of three layers: Infrastructure as a Service (IaaS), Platform 
as a Service (PaaS), and Software as a Service (SaaS). MilCloud 2.0 
only targets the IaaS layer, and thus it is still necessary to redesign 
legacy applications to take full advantage of the Cloud, including 
updating any out-of-date software components. Fully addressing the 
range of potential application vulnerabilities often necessitates 
adopting strong access management tools and policies for access to 
cloud resources, implementing effective security automation, and 
improving the application's cybersecurity controls.   [See page 24.]

    
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                              May 14, 2021

=======================================================================

      

                     QUESTIONS SUBMITTED BY MR. KIM

    Mr. Kim. Section 1729 of the FY21 NDAA requires the Secretary of 
Defense to conduct an evaluation of the statutes, rules, regulations 
and standards that pertain to the use of the National Guard for the 
response to and recovery from significant cyber incidents. This 
evaluation is due to be submitted to Congress no later than June 29. 
Can you provide an update on this study, including when Congress should 
expect to see the results and any preliminary findings?
    Ms. Eoyang. DOD completed the evaluation and intends to deliver its 
results no later than June 29, 2021, as required by section 1729 of the 
National Defense Authorization Act for Fiscal Year 2021 (NDAA for FY 
2021).
    Mr. Kim. Recently, NSA purchased a cybersecurity curriculum for use 
in its educational programs to build talents within DOD to address 
future workforce needs in the critical cyberspace field. However, it is 
my understanding that DHS's Cybersecurity and Infrastructure Security 
Agency (CISA) already owns and operates a more comprehensive curriculum 
for cybersecurity through Cyber.org that achieves the same goals and is 
available to NSA for use. Can you explain why the purchase of this 
additional curriculum was necessary and assess the level of information 
sharing and cooperation between various agencies when it comes to 
workforce development programming in the cyberspace field?
    General Nakasone. NSA did not purchase the referenced cybersecurity 
curriculum to use in its educational programs; the National Cryptologic 
Foundation (formerly Museum), a private entity separate from NSA, 
procured this product for use in its Center for Cyber Education and 
Innovation.
    CISA's Cyber.org program focuses on K-12 curriculum, whereas NSA's 
cyber education programs focus on college-prep curriculum for the 
pipeline into Centers of Academic Excellence. That said, NSA is a 
partner with CISA, and all efforts are fully coordinated to achieve 
complementary programs for cyber education, with collaboration on 
informational materials to provide clarity to government partners and 
educators on the attributes and recommended usage of their programs, 
and how to access materials and resources. For instance, NSA's GenCyber 
Program uses the Cyber.org curriculum.
                                 ______
                                 
                    QUESTIONS SUBMITTED BY MR. MOORE
    Mr. Moore. The DOD currently relies on over 2,500 data centers that 
in many cases have reached the limits of their service life and can no 
longer be upgraded to meet current cyber threats. How will migration to 
the cloud address these shortcomings?
    Ms. Eoyang. Cloud environments enable data center consolidation by 
allowing organizations to focus less on servers and storage and more on 
software applications and the data environment. DOD has used its Data 
Center Optimization Initiative (DCOI), a Department-wide effort to 
optimize data centers for greater efficiency, performance, security, 
and affordability, as an opportunity to evaluate which applications 
should be retired, consolidated, or replaced, and to migrate needed 
applications to the Department's cloud services. By 2025, this will 
allow the Department to close a projected 2,100 data centers that have 
reached the end of their service lives.
    The reduced and re-ordered data center inventory has also enabled 
DOD to manage cyber vulnerabilities more effectively and to focus 
investments in cyber security in its enterprise data centers. The DOD's 
DCOI end-state is projected to have approximately 1,500 data centers 
Department wide.
    Mr. Moore. The DOD's Cloud Strategy identifies three clouds: 
milCloud 2.0, the Defense Enterprise Office Solution (DEOS), and the 
JEDI general purpose cloud. 4th estate agencies were directed to move 
to new systems, but adoption has been slow. Will the DOD enforce the 
2018 mandate directing cloud migration by the 4th estate?
    Ms. Eoyang. Yes. DOD is enforcing the 2018 mandate by directing the 
14 Fourth Estate agencies to migrate to cloud services through the 
Cloud and Data Center Optimization Initiative, a subset of the 
Department's DCOI.
    Mr. Moore. The DOD's Cloud Strategy identifies three clouds: 
milCloud 2.0, the Defense Enterprise Office Solution (DEOS), and the 
JEDI general purpose cloud. 4th estate agencies were directed to move 
to new systems, but adoption has been slow. Will the DOD enforce the 
2018 mandate directing cloud migration by the 4th estate?
    General Nakasone. USCYBERCOM defers to the office of the DOD CIO 
within OSD.

                                  [all]