[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                         [H.A.S.C. No. 117-78]

                      OPERATIONS IN CYBERSPACE AND

      BUILDING CYBER CAPABILITIES ACROSS THE DEPARTMENT OF DEFENSE
                               __________

                                HEARING

                               BEFORE THE

SUBCOMMITTEE ON CYBER, INNOVATIVE TECHNOLOGIES, AND INFORMATION SYSTEMS

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             SECOND SESSION
                               __________

                              HEARING HELD

                             APRIL 5, 2022

                                     
                  [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

                                     
                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
                    
48-633                    WASHINGTON : 2023     


SUBCOMMITTEE ON CYBER, INNOVATIVE TECHNOLOGIES, AND INFORMATION SYSTEMS

               JAMES R. LANGEVIN, Rhode Island, Chairman

RICK LARSEN, Washington              JIM BANKS, Indiana
SETH MOULTON, Massachusetts          ELISE M. STEFANIK, New York
RO KHANNA, California                MO BROOKS, Alabama
WILLIAM R. KEATING, Massachusetts    MATT GAETZ, Florida
ANDY KIM, New Jersey                 MIKE JOHNSON, Louisiana
CHRISSY HOULAHAN, Pennsylvania,      STEPHANIE I. BICE, Oklahoma
    Vice Chair                       C. SCOTT FRANKLIN, Florida
JASON CROW, Colorado                 BLAKE D. MOORE, Utah
ELISSA SLOTKIN, Michigan             PAT FALLON, Texas
VERONICA ESCOBAR, Texas
JOSEPH D. MORELLE, New York

                Josh Stiefel, Professional Staff Member
                Sarah Moxley, Professional Staff Member
                           Payson Ruhl, Clerk

                            C O N T E N T S

                              ----------                              
                                                                   Page

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, 
  Chairman, Subcommittee on Cyber, Innovative Technologies, and 
  Information Systems............................................     1

                               WITNESSES

Nakasone, GEN Paul M., USA, Commander, U.S. Cyber Command and 
  Director, National Security Agency.............................     5
Plumb, Hon. John F., Incoming Principal Cyber Advisor to the 
  Secretary of Defense, U.S. Department of Defense...............     4

                                APPENDIX

Prepared Statements:

    Banks, Hon. Jim, a Representative from Indiana, Ranking 
      Member, Subcommittee on Cyber, Innovative Technologies, and 
      Information Systems........................................    32
    Langevin, Hon. James R.......................................    29
    Nakasone, GEN Paul M.........................................    43
    Plumb, Hon. John F...........................................    34

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Mr. Moore....................................................    53
    Mr. Moulton..................................................    53

Questions Submitted by Members Post Hearing:

    [There were no Questions submitted post hearing.]

  OPERATIONS IN CYBERSPACE AND BUILDING CYBER CAPABILITIES ACROSS THE 
                         DEPARTMENT OF DEFENSE

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
       Subcommittee on Cyber, Innovative Technologies, and 
                                       Information Systems,
                            Washington, DC, Tuesday, April 5, 2022.
    The subcommittee met, pursuant to call, at 4:21 p.m., in 
room 2118, Rayburn House Office Building, Hon. James Langevin 
(chairman of the subcommittee) presiding.

 OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE 
FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON CYBER, INNOVATIVE 
             TECHNOLOGIES, AND INFORMATION SYSTEMS

    Mr. Langevin. The subcommittee will come to order. Well, 
I--we got started later than I had anticipated, than we all had 
anticipated, due to votes.
    But I want to begin by welcoming everyone to today's 
hearing, ``Operations in Cyberspace and Building Cyber 
Capabilities Across the Department of Defense,'' and I'd like 
to begin, of course, by welcoming our witnesses.
    Let me start welcoming, first, General Paul Nakasone, the 
Commander of U.S. Cyber Command and the Director of the 
National Security Agency, and Dr. John Plumb, who was recently 
confirmed as the Assistant Secretary of Defense for Space 
Policy and who serves concurrently as the Principal Cyber 
Advisor to the Secretary of Defense.
    Welcome to you both.
    Dr. Plumb appeared in front of the Intelligence and Special 
Operations Subcommittee on Friday. So this is only his second 
appearance as a witness for the House Armed Services Committee 
and the first on matters related to cyber issues.
    John, I understand that you're a proud Notre Dame alum. I 
know that our Ranking Member Banks is extremely happy to hear 
this and I promise not to hold it against you, and look forward 
to your testimony in just a few minutes.
    By the way, it would be appropriate for me now--right now, 
Ranking Member Banks is in the middle of markup on the--in the 
Labor Committee and so, therefore, I ask unanimous consent for 
Ranking Member Banks to deliver his opening statement later in 
the hearing when he arrives.
    Without objection.
    So, General Nakasone, it's always great to see you as well. 
I have valued our relationship over many years now. And I 
certainly admire your dedication to both your mission and your 
people.
    We warmly welcome both of you to today's proceedings and 
look forward to working together and I look forward to your 
testimony, of course.
    As I'm sure you've heard by now, and for the record, I do 
plan on not seeking reelection at the end of the 117th 
Congress. And after nearly 22 years in Congress, I'm ready to 
chart a new course, and I've cherished my time serving the 
people of Rhode Island's Second Congressional District and the 
men and women in uniform.
    And over the course of my tenure, I've seen cybersecurity 
and cyber issues move from the periphery to the center of 
national security, and I'd like to think and I hope that I've 
played some small role in focusing the Congress on these vital 
matters.
    So, out of curiosity, I looked back at prior years' 
National Defense Authorization Act. In 2001, my first year in 
Congress, the NDAA didn't even mention the word cyber or 
internet, not even once, as a matter of fact, and there 
certainly wasn't a combatant command dedicated to cyberspace 
operations at that time.
    Today, cyber is part of nearly every issue that we deal 
with in national security. For Congress, not only does the word 
cyber appear much more than once but last year was the second 
consecutive year where the NDAA contains an entire chapter or 
title devoted to cyberspace-related matters.
    For the Department, Cyber Command has not only been in 
existence as a unifying combatant command for nearly 4 years 
but is conducting operations day to day in and out--day in and 
day out in defense of our national security.
    In the 3 years that I've had--I've served as chairman of 
the subcommittee, we have had more than 220 separate pieces of 
legislation across 3 NDAAs enacted into law.
    This subcommittee, along with our colleagues from the 
Senate, have tackled, among many other things, cybersecurity of 
weapons systems; cyber warfare personnel pay parity; cyber 
targeting; support to the private sector and critical 
infrastructure; capabilities to defeat ransomware; budgetary 
authorities; cyber requirements for defense contractors; and of 
the most significance to me, the creation of the National Cyber 
Director role in the Executive Office of the President.
    We no longer have to debate whether we will fight wars in 
cyberspace, and to some it may seem crazy that we ever had to 
have that discussion in the first place.
    Cyberspace is recognized--is a recognized domain of warfare 
and for better or for worse our service members and civilians 
are engaged with our adversaries on a daily basis. The 
Department of Defense and military services have also undergone 
a similar transformation.
    We have a dedicated combatant command for cyberspace 
operations. We have soldiers, sailors, airmen, and Marines, 
guardians and coastguardsmen defending our Nation in 
cyberspace, and we have witnessed the incredible outcomes for 
our national defense that we can create through cyber means.
    And yet, for all the progress that we have made on this 
front, there can be a sense of deja vu in the issues that we 
have--we still have to address.
    On workforce matters, for instance, the points that we can 
and should make today are unnervingly similar to what was said 
at hearings 10, 15, and even 20 years ago, statements such as 
we struggle in competing with the private sector for talent, or 
there remains a critical shortfall in our cyber talent.
    Since 2010, this body has legislated on cyber and STEM 
[science, technology, engineering, and mathematics] workforce 
issues through 55 provisions and sometimes we seem no closer 
than we were before. We continue to struggle in elevating 
considerations for cyber domain to a level commensurate with 
how we treat our land, air, sea, and now space domains.
    And I've been in Congress long enough to know that progress 
with any important issue is always incremental. However, 
incremental does not have to be synonymous with glacial.
    So the responsibility of legislators is tremendous, and we 
wield the tools at our disposal as carefully as possible. When 
an issue requires attention, we are judicious in how we direct 
the Department to respond.
    Directive actions are powerful but resorting to these too 
frequently lessens their effect. That's why we often direct 
other actions such as reports, briefings, quarterly updates, 
implementation plans, designation of senior officials, and 
many, many others.
    We use these to make clear the view of Congress. Though we 
use these tools because they're often successful in 
accomplishing the desired end state, it is not an exaggeration 
to say that we have tried to use these alternatives hundreds of 
times in the cyber context.
    However, at a certain point, when we are discussing the 
same issues as our predecessors' predecessors, we have to ask 
ourselves can we continue trying--can we continue trying the 
same types of approaches that don't result in change.
    So if we are repeating the same frustration on an annual 
basis about cybersecurity and the defense industrial base or 
the readiness of our cyber forces or the way in which the 
Department manages cyber issues, then at some point we must 
acknowledge a lack of preparedness to address these critical 
challenges.
    Congress has great obligation to our national security. 
During my final year in these halls, I'm not interested in 
allowing my successor to inherit the same challenges that 
plague us today.
    I look forward to being bold, to pushing for overdue 
changes, and to working collaboratively with our members and 
our witnesses.
    So with that, I again want to thank our witnesses for 
appearing before us today. As a reminder, after this open 
session we will move to Rayburn 2212 for a closed member-only 
session.
    As mentioned, we'll have unanimous consent request for 
Ranking Member Banks at this time we'll wait to--for him to 
arrive or we'll have his records--remarks inserted into the 
record.
    So with that, I want to, again, thank our witnesses for 
appearing before us today and with that, as always, it's great 
to work with my colleagues on both sides of the aisle on these 
important issues and I will stop there.
    And with that, I'd like to turn now to Dr. Plumb and 
General Nakasone for 5 minutes each to--for your remarks.
    Dr. Plumb, please proceed.
    [The prepared statement of Mr. Langevin can be found in the 
Appendix on page 29.]

   STATEMENT OF HON. JOHN F. PLUMB, INCOMING PRINCIPAL CYBER 
ADVISOR TO THE SECRETARY OF DEFENSE, U.S. DEPARTMENT OF DEFENSE

    Dr. Plumb. Thank you very much, Chairman.
    Thanks, Chairman Langevin, thanks, Ranking Member Banks and 
members of the subcommittee. I'm pleased to join General 
Nakasone, Commander of U.S. Cyber Command, to report on the 
progress the Department of Defense is making in achieving our 
objectives in cyberspace.
    As Secretary Austin has made clear, China is the pacing 
challenge for the Department and that includes cyberspace. 
China believes that achieving information dominance in 
cyberspace will enable it to seize and maintain the strategic 
initiative in a crisis or conflict.
    China's malicious ongoing cyber campaigns include 
exfiltrating sensitive info from U.S. public and private sector 
institutions and stealing U.S. intellectual property and 
research from the defense industrial base.
    And while China may be the Department's pacing challenge, 
Russia is the near-term threat today. On March 21st, President 
Biden warned that Russia could conduct malicious cyber activity 
against the United States, including as a response to the 
unprecedented economic costs we have imposed on Russia 
alongside our allies and partners.
    The President stated this warning is based on evolving 
intelligence that the Russian government is exploring options 
for potential cyberattacks.
    And, of course, it's not just Russia and China. Iran and 
North Korea are threat actors of concern and ransomware 
criminals remain a persistent threat.
    The Department recognizes the need to prioritize missions 
to disrupt threats overseas at their source in and through 
cyberspace. In a domain subject to constant change, our success 
in this mission demands the ability to conduct timely offensive 
cyber operations when the threats meet the threshold for action 
as established in policy.
    The existing national policy framework, NSPM-13 [National 
Security Presidential Memorandum], enables the Department's 
offensive cyber operations and it has made important and 
positive contributions to the Department's ability to engage 
the threat.
    The Department will continue to advance and modernize how 
we operate in cyberspace to engage cyber threats effectively 
and in a well-coordinated manner. The Department's superiority 
in cyber domain also depends on maintaining an ability to move 
quickly in a cohesive manner with key partners.
    The close collaboration between the National Security 
Agency and U.S. Cyber Command, which is strengthened by the so-
called dual-hat arrangement, has been a significant enabler of 
that success. The DOD [Department of Defense] is currently 
conducting its 2022 Cyber Posture Review, which is an 
assessment of the Department's organizations, plans, programs, 
and policies germane to cyber operations.
    Once complete, the Cyber Posture Review will inform the 
Department's 2022 cyber strategy. That strategy will provide 
guidance to the Department as to how its cyber combat power 
should be used to implement the National Defense Strategy and 
how in particular cyber operations will advance integrated 
deterrence.
    The strategy will also identify potential solutions and 
paths forward for addressing any gaps identified in the posture 
review.
    In the past year, we have seen cyber actors conduct 
malicious cyber activities at an unprecedented scale. Prominent 
examples include the Russian-led exploitation of the SolarWinds 
software, the Microsoft Exchange Server vulnerability exploited 
by the Chinese group Hafnium, and the Colonial Pipeline 
ransomware operation.
    But the past year has also demonstrated that the 
Department, the U.S. Government, and our private sector 
partners can find creative ways to mitigate and combat these 
cyber threats. And today, today, the U.S. Government and the 
private sector are collaborating in unprecedented ways to 
prepare for potential Russian cyberattacks against the 
homeland.
    DOD will continue to work closely with this committee as we 
seek to strengthen both our defensive and offensive cyber 
capabilities and mature our cyber forces. Our ability to 
successfully operate in cyberspace is essential to U.S. 
national security.
    Thank you again for holding this timely hearing. I look 
forward to your questions.
    [The prepared statement of Dr. Plumb can be found in the 
Appendix on page 34.]
    Mr. Langevin. Thank you, Dr. Plumb.
    General Nakasone, you're recognized for 5 minutes.

 STATEMENT OF GEN PAUL M. NAKASONE, USA, COMMANDER, U.S. CYBER 
         COMMAND AND DIRECTOR, NATIONAL SECURITY AGENCY

    General Nakasone. Chairman Langevin, Ranking Member Banks, 
and distinguished members of the committee, I'm honored to 
testify beside Assistant Secretary Plumb.
    I'm joined today by Command Sergeant Major Sheryl Lyon, the 
U.S. Cyber Command and NSA [National Security Agency] senior 
enlisted leader. We are honored to represent the military and 
civilian members of U.S. Cyber Command.
    Command Sergeant Major Lyon and I want to recognize you, 
Chairman, for your 22 years of service to our Nation. Thank you 
for your advocacy, your passion, your commitment to not only 
U.S. Cyber Command and the National Security Agency, but most 
of all, our Nation.
    Defending the Nation is at the heart of U.S. Cyber 
Command's mission. The command has been integral to the 
Nation's response to the current Russia-Ukraine crisis.
    We have provided intelligence on the growing threat; helped 
to warn government and industry to tighten security within 
critical infrastructure sectors; enhanced resilience on the DOD 
Information Network; accelerated efforts against criminal cyber 
enterprises; and together with interagency and allied partners, 
planned for a range of contingencies.
    Coordinating with the Ukrainians in an effort to help them 
harden their networks, U.S. Cyber Command deployed a hunt 
forward team who sat side by side with our partners to gain 
critical insights that have increased homeland defense for both 
the United States and Ukraine.
    U.S. Cyber Command views 2022 as a year of significant 
opportunity for building our capabilities as we pursue five 
priorities: readiness; operations in defense of the Nation; 
integrated deterrence; recruitment, retention, and training of 
the force; and the joint cyber warfighting architecture and 
enhanced budget control.
    My goal is a command that remains world class, ready, and 
capable of providing options and conducting operations in 
defense of the Nation with wider partnerships and exceptional 
talent.
    These elements will be essential to national security, as 
our Nation faces an array of adversaries who are expanding in 
scope, scale, and sophistication. Cybersecurity is national 
security.
    Speed, agility, and unity of effort brought about by the 
connected relationship between U.S. Cyber Command and the 
National Security Agency is the ingredient that protects the 
United States against our enemies.
    The men and women of United States Cyber Command are 
grateful for the support this committee and Congress has given 
to our command. I look forward to your questions.
    [The prepared statement of General Nakasone can be found in 
the Appendix on page 43.]
    Mr. Langevin. Thank you, General Nakasone. I thank the 
witnesses for the testimony. We'll now move to questions.
    Let me start. This is for both of our witnesses, and just 
for the record and to clarify. So, a media report recently 
claimed that the interagency is considering changes to the 
National Security Presidential Memorandum 13, or NSPM-13.
    So this is an executive branch policy that governs a subset 
of cyberspace operations conducted by departments and agencies 
to include the Department of Defense. So NSPM-13 as a policy 
instrument, I believe, has improved the Nation's ability to 
conduct operations in cyberspace.
    However, it's always important that we do our due diligence 
regarding oversight.
    Dr. Plumb and General Nakasone, could you each speak to 
NSPM-13--how it's been employed to date, and if you're 
anticipating any changes? I'll start with that.
    Dr. Plumb. Thank you, Mr. Chairman. I'll take that first 
and then pass it to General Nakasone.
    But I guess--let me just answer the top piece of this 
question was, one, NSPM-13 has been valuable. It clearly has 
improved the ability to conduct cyber operations, and, you 
know, thank you to this committee and the general's good work 
and all those that have got us this far.
    I also would just say I don't think it's unreasonable or 
new for a new administration to review existing Presidential 
directives and so that is kind of a standard piece, and I think 
that that is a reasonable expectation and it is correct that 
these conversations are ongoing.
    And I think our goal, at least my goal and I know I share 
it with the general, is to make sure that we preserve our 
ability to move at speed.
    Mr. Langevin. Yeah. I agree with you that a review is 
appropriate always for a new administration. But to date, are 
you expecting any significant changes in NSPM-13 right now?
    Dr. Plumb. So I am--I don't want to box anybody in on that. 
I'm not expecting any changes that would make things anything 
except better. But maybe we could pass it to the general and he 
can give you his military insight on that if that's all right.
    Mr. Langevin. Okay. Thank you.
    General.
    General Nakasone. Chairman, in light of NSPM-13 in 2018, I 
think it was one of two major advances in terms of authorities 
and policies that provided us the impetus to take effective 
action in cyberspace.
    The other one, as you recall, was declaring cyber as a 
traditional military activity, which came in the fiscal year 
2019 NDAA. Both of those have been very helpful to us.
    In terms of changes, obviously that's a policy discussion 
that's ongoing now. I'm sure those discussions will continue. I 
know that my discussions with the Under Secretaries and also 
the Secretaries--I've made my military knowledge known in terms 
of what NSPM-13 has meant to us.
    Mr. Langevin. Okay. Thank you. Thank you, General.
    This is obviously something we'll want to continue to 
follow up and I get--you know, having read through the NSPM-13 
document when eventually it was forwarded to the Congress for 
review that, you know, I support its premise and the document 
as it's written and, hopefully, any changes made would make 
it--would make it better, but, hopefully, not a sharp deviation 
from it.
    General, let me just turn to you. In past appearances in 
front of the subcommittee, we have discussed the cyber mission 
force [CMF] and its size.
    With the benefit of time, can you speak to USCYBERCOM's 
[U.S. Cyber Command's] plan to--for planned growth in the CMF? 
Additionally, can you speak to the differences you've 
witnessed, say, from last year to this year and, you know, the 
work that still continues to evolve as the force grows and 
matures?
    General Nakasone. Chairman, as we originally built the 
force in the Department, 133 teams that were dedicated to our 
cyber mission force. The previous Secretary of Defense has 
approved a 14-team growth in the FYDP [Future Years Defense 
Program]. So we're going to grow five more teams this year.
    The question I often get asked is, is this enough? What's 
the number of teams that you need? And this is a study that's 
ongoing right now within the Department to really determine 
what is the final number of teams that we need for the future.
    My sense is we are learning a tremendous amount of our 
operations right now in support of crisis in the Ukraine that 
will likely inform this.
    We're a different force today than we were even 4 years ago 
when I took over, and so my sense is that while 14 teams is 
likely the start, I would not be surprised if the Department 
comes to a determination that more are necessary.
    Mr. Langevin. Thank you, General, and, you know, based on 
your time in command at Fort Meade, can you speak to the 
comparison of authorities between CYBERCOM and SOCOM [U.S. 
Special Operations Command]?
    And, more specifically, are there specific authorities that 
SOCOM has today which are applicable and would be useful for 
you in your operation?
    General Nakasone. Chairman, as you're aware, one of the 
things we did when we designed U.S. Cyber Command well over a 
decade ago was to look at Special Operations Command as perhaps 
an exemplar of where we needed to go.
    What you speak of is what we term service-like 
authorities--what are the service-like authorities that we 
should emulate that U.S. Special Operations Command has today?
    So right now, the authorities they have with regards to 
training; the authorities they have with regards to joint force 
provider and overseeing the provision of teams; and then the 
last piece is acquisition.
    All of those, Chairman, are areas that we think we need to 
be able to emulate more closely to have that service-like 
appearance for what we do.
    This is important for us because, as you are well aware, 
this comes down, at the end of the day, to the personnel, the 
personnel that train, the personnel that are trained on teams, 
and the effectiveness of these teams. All of those areas are 
areas that we're focusing on as we move forward.
    Mr. Langevin. Thank you. Okay. I'm going to stop there. If 
we go to second round or we have the opportunity to go to the 
classified session for more detailed answers, but with that, 
I'm going to yield right now to Mr. Franklin.
    Mr. Franklin. Thank you, Mr. Chairman. You asked some of my 
questions about the growth in the teams. That's encouraging, 
General, to hear that there are 14 more slated. CYBERCOM has 
shown a great deal of commitment to building both capability 
and capacity with the cyber mission force, reaching full 
operational capability ahead of schedule.
    We see further maturing. I do know in the State of Florida 
we have got training units at Corry Station and at Hurlburt 
Field, both successful operations.
    How are we learning from these institutions to help develop 
cyber-related curricula and building sustainable readiness 
across the force?
    General Nakasone. So one of the most important ways that 
we're learning is really twofold, Congressman. One is that our 
force is learning every single day in the operations that we're 
conducting in cyberspace. This is a force that's engaged 
against a variety of adversaries every single day of the year.
    And so the important piece is how do we take those lessons 
learned every day and bring them back to a place like Corry 
Station or Pensacola, and that's one of the things that we 
certainly have done.
    But the second piece is, I think, also important. That is, 
the people that have led our teams, the people that have 
operated on our teams, the people that have been in hunt 
forward missions in different countries, how do we get them 
back into the schoolhouse, that they are the principal trainers 
of our young people that come forward?
    Mr. Franklin. General, the fiscal year 2023 budget contains 
$11.2 billion for cyberspace activities and that's a 7.6 
percent increase year over year, which sounds very strong, and 
a few months ago, I would have thought that would be the case.
    But considering we're now at 7.8 percent inflation, it's 
actually a net decrease. I realize there's a lag time between 
when you all are putting budgets together and when they finally 
get out there. But is your determination that the cyber threat 
to the country is stagnant or decreasing?
    General Nakasone. That is not my determination in terms of 
my view of the future. I think it's increasing in terms of what 
our adversaries present to us as a nation.
    Mr. Franklin. So I know we had a long hearing earlier today 
about the fiscal year 2023 budget, but this is a budget that 
fails to keep pace with inflation.
    Are you are you confident that you will be able to make do 
and, like good soldiers, salute and carry out the plan of the 
day? But is this budget adequate or do you--are you--would you 
be asking us to plus that up?
    General Nakasone. So, Congressman, the amount that's been 
funded to us today is what we need to start with. But we have 
also identified unfunded priorities and we'll provide that to 
the committee as directed by the NDAA.
    Mr. Franklin. Okay. Thank you.
    Dr. Plumb, what is your assessment of our ability to deter 
cyberspace attacks on the U.S. Government and critical 
infrastructure, in general?
    Dr. Plumb. Thanks, Congressman.
    Defending the homeland, deterring cyberattacks of at least, 
I guess I would say, a strategic nature, absolutely essential.
    I think--I guess what I would offer is I don't think cyber 
deterrence is a piece unto itself. So I think deterrence 
comes--you know, we have been using this term integrated 
deterrence. I'm sure you've--you're well aware of it. I know 
everyone here is.
    But you don't deter cyber just with cyber alone. You deter 
with all instruments of national power. And I think, at the 
moment, the President has used the megaphone of the United 
States of America to warn the Russians not to attack critical 
infrastructure.
    At the same time, through Cyber Command and through our 
Department of Homeland Security partners, we have been working 
with private sector and the defense industrial [inaudible] to 
make sure that people's shields are up, that they're ready, 
that they're being alerted to threats.
    So I think part of that is the defense piece. Part of that 
is warning of retaliation. And I think--I actually think that 
is, at the moment, holding.
    Mr. Franklin. Okay. Are there additional tools or resources 
or authorities that would be helpful to help bolster our 
ability to deter these cyber--or cyberspace attacks against the 
country?
    Dr. Plumb. I think on the specific question of tools, I 
would ask the general to answer that. I don't know if that's 
answerable in this session. I don't have any--I believe the 
authorities are in place. I believe the authorities are in 
place at this time.
    Mr. Franklin. General, unclass [unclassified], would that--
anything you would want to offer in this setting?
    General Nakasone. So I have the authorities that I need 
right now, Congressman, to accomplish my mission. Obviously, we 
look at a series of partnerships, and no one department or 
agency can do it all in cyberspace.
    So what we are very focused on is how do we develop 
partnerships with CISA [Cybersecurity and Infrastructure 
Security Agency] and with FBI [Federal Bureau of Investigation] 
and with foreign partners and, most importantly, the private 
sector to ensure that we all have a common vision and a common 
vigilance.
    Mr. Franklin. Thank you, gentlemen.
    I yield back, Mr. Chairman.
    Mr. Langevin. Thank you, Mr. Franklin.
    Mr. Moulton is now recognized.
    Mr. Moulton. Great. Thank you, Mr. Chairman.
    And, gentlemen, thank you very much for being here, for 
your ongoing work.
    This morning, Chairman Milley listed four primary elements 
of national power, one of which is informational, and it sounds 
quite important in that context. And yet, information 
operations is buried in the organizational structure of DOD and 
many experts feel that our capabilities have been significantly 
degraded over the past decade, this as we watch the value of 
information warfare play out on the ground in Ukraine.
    Do you believe that information operations is a warfighting 
function that fundamentally should be in Cyber Command or 
should it be elsewhere in DOD?
    General Nakasone, if you could take a crack at that first, 
please.
    General Nakasone. All right.
    So, Congressman, it already is in Cyber Command. I think 
what I would say is that what have we learned about 
information. Information always has to be paired with our cyber 
operations to make them even more effective.
    Information is only as effective as it is accurate, timely, 
and relevant, and that ability for us to do that needs to pair 
with the type of work we're doing either defensively or 
offensively.
    We have come a long way since 2018 in working the 
information operations, but we still have a long ways to go.
    Mr. Moulton. Thank you, General. I mean, my frustration is 
that, to me, cyber is one of many, many delivery methods for 
information and it doesn't make sense to me that it's buried in 
a command that's just one of the delivery methods rather than 
on a more strategic level.
    But I understand the fact that you own it and you're going 
to defend it.
    Mr. Plumb, what's your view on this? Do we have the right 
organizational structure for information operations, or should 
we be looking at reorganizing within DOD?
    Dr. Plumb. So, Congressman, thanks for the question and, 
obviously, information warfare, if you wish, has been really 
essential, really, over the last month or two here with the 
Russia-Ukraine conflict.
    I guess I would say, on one level, we are conducting 
information operations to a strategic level with the President 
and the White House making announcements.
    Mr. Moulton. I understand that, Mr. Plumb. But I'm asking 
about the organizational structure within DOD.
    Dr. Plumb. So on the organizational structure, I'm going to 
ask you if I can take that for a lookup.
    [The information referred to can be found in the Appendix 
on page 53.]
    Mr. Moulton. Okay.
    Dr. Plumb. I'll say I don't have anything immediate, but I 
don't want to leave something----
    Mr. Moulton. That's fine. If you can take that for the 
record, that would be great.
    General, you mentioned to me earlier that the USMC--the 
Marine Corps--has done a great job of retaining its cyber 
workforce and the Marines are planning further changes and 
reforms to their personnel policies, including directly 
commissioning cyber operators and other specialties into higher 
ranks, as was commonly done with various specialties during 
World War II.
    Do you believe these additional changes are warranted and 
will help further retain the workforce?
    General Nakasone. I do, and I see it already. I've seen it 
in my own service in terms of, first of all, building a branch, 
then taking a look at different initiatives in terms of what 
they do.
    What the Marines have really done very efficiently that I 
applaud is the fact that they've lengthened their tours in 
terms of how long they stay with us.
    Most young men and women that come into the Marine Corps 
that want to be cyber warriors want to do cyber, and so being 
able to do that for 6-plus years at one location has been very, 
very attractive to them and we see that in the payoff with 
regard to the retention numbers.
    Mr. Moulton. General, you described the mission of CYBERCOM 
in your opening statement as defense--defense of the Nation. 
What role do you see for offense and deterrence?
    I know we talk about integrated deterrence but when we 
really talk about having an effective deterrent it means having 
an effective offense. So what--how do you characterize the role 
of offense to the American people?
    General Nakasone. So, Congressman, when I speak of defense 
of the Nation, that is a full spectrum defense to include 
offensive operations. You know, the best defense a lot of times 
is a good offense.
    The way that we have done this at U.S. Cyber Command is the 
idea of persistent engagement--how do we maintain both the 
ability to share information and act against our adversaries.
    We don't want those adversaries to continue to have free 
rein in terms of what they do in cyberspace. So how do we 
ensure that when they steal our intellectual property or when 
they steal our identities or when they try to interfere within 
our elections, we take them on, and that's what we have done 
since 2018.
    Mr. Moulton. But if I can press you a bit on this, I mean, 
it's common knowledge, without going into anything classified, 
that the Chinese are stealing our intellectual property every 
single day.
    They're sometimes effective at getting it from DOD but 
they're effective all the time at getting it from the private 
sector. Do you think we should have a more aggressive 
deterrence with China?
    General Nakasone. So I think in terms of the way that we 
look at our adversaries, such as China, is this needs to be not 
only persistent engagement but how do we look at the 
authorities in terms of what's being done in the United States 
and what is, you know, available for the Chinese to operate so 
freely within our Nation?
    So I think that that has to be a more--a greater 
perspective on how we're going to do this in the future.
    Mr. Moulton. Thank you, Mr. Chairman. I yield back.
    Mr. Moore. Thank you, Chair. Thank you both for being here. 
General Nakasone, it's good to see you again. Appreciate the 
opportunity to talk about these growing and ever important 
issues now.
    Thinking about our adversaries, one thing that's very 
concerning is the cybersecurity of the commercial and 
government entities of many of our adversaries, they're in 
lockstep, right.
    They're operating, you know, I would almost say not even 
necessarily in a commercial way. That may be even just a front, 
right. Like, they're really operating in lockstep where, you 
know, you contrast that with American cyber mentality kind of 
an every man for himself. It's a way to categorize it. I know 
there's nuance to that.
    But I am concerned that we're setting ourselves up to lose 
that competitive edge. Without stronger U.S. cyber public-
private partnerships with regulatory and acquisition authority, 
America's technological--may become an exploitable 
vulnerability.
    A question--I'm interested in this--I'm interested in 
improving our cutting-edge innovation efficiently and 
transitioning those programs of record.
    Few things disincentivize information--innovation more than 
technologies and products languishing in the proverbial sort 
of, let's say, valley of death in the acquisition process.
    I believe we can accelerate the adoption of emerging 
technology and strengthen our defense innovation base by 
empowering unit commanders who are responsible for mission 
outcomes impacted by rapidly changing technologies such as AI 
[artificial intelligence], SAS [statistical analysis software], 
quantum computing.
    Would you support an innovation fund available at the 
installation or the installation command level to provide the 
experts on the ground the flexibility to pursue, develop, and 
integrate new emerging technologies?
    General Nakasone. So, Congressman, I would offer that we 
have some of that today and I think, you know, working with, 
you know, DIU--you know, Defense Innovation Unit--being able to 
work at a facility like we have at USCYBERCOM called DreamPort 
where, you know, private companies are able to understand what 
our needs are and then rapidly adopt it.
    It isn't necessarily a means of not having enough money. 
It's the fact that what we are doing is trying to cut down the 
barriers to make sure that the private sector understands our 
needs and rapidly they're being able to meet those needs. We 
have had some success there.
    We need more. And I think that's, you know, more empowered 
by this idea of being able to have a number of different 
touchpoints such as Defense Innovation Unit and DreamPort 
available to our folks readily.
    Mr. Moore. So DIU's--we have interacted with them from our 
team, have had very positive interactions and I really 
appreciate the shift that we're really trying to make here, 
taking commercial products--taking what's commercially 
available and making it very relevant and useful in our DOD. So 
it's a good--please.
    General Nakasone. So, if I might follow up on it. So meet 
very frequently with Mike Brown, you know, who's the leader of 
DIU. What has been most effective for us is for them to 
understand these are the challenges that we would like to have 
you go and see what the private sector may have. And so they've 
done that readily and I think we're starting to see some of the 
benefits of that.
    Mr. Moore. With it not being as much, as you say, the 
funding issue, more of a regulatory and, you know, that kind of 
conversation, we're welcome to that. I think that you would get 
a lot of support from this committee on helping navigate that.
    Also, General, my bipartisan bill, the Better Cyber Crimes 
Metric Act, passed the House last week. It will improve the way 
Federal Government tracks, measures, and analyzes cyber crime.
    However, I'm concerned we still do not have enough to 
incentivize private businesses and industry to share with the 
government when cyberattacks occur.
    While you and I know--we know this not to be true, many 
business owners have been told that they have low confidence 
the government will do anything if hacks are reported. Do you 
have any recommendations on how to increase the willingness of 
private companies to share information when these attacks do 
take place?
    General Nakasone. Congressman, if I might take that for the 
record, just because I'd like to think about that a bit more. I 
know it's a very difficult question and I want to make sure I 
give a fulsome answer.
    [The information referred to can be found in the Appendix 
on page 53.]
    Mr. Moore. Okay. Excellent. That's--I've interacted with 
our Utah network quite a bit. We have a really awesome group of 
cyber professionals, startups, that's going on, that's being 
taught at our universities.
    It's a burgeoning area and we're really excited about it, 
and they're really engaged and they want to help. They want to 
be involved in the work they're doing for the mission and for 
the pride of their country. So I appreciate any response that 
you have with that.
    We have historically led the world in developing 
cybersecurity initiatives and standards, and as I've talked to 
those experts, they're waiting to implement new forms of 
security approved or recommended by key government entities to 
ensure that businesses are not using technologies that may not 
receive future approval for government use.
    This has undoubtedly slowed the adoption of new 
cybersecurity technologies. What is CYBERCOM doing to help 
inform and assist private partners with legacy security systems 
strained by the rapid proliferation of new computing form 
factors?
    General Nakasone. So, Congressman, our focus has been on 
the defense industrial base [DIB]. That's where the Secretary 
of Defense is a sector risk management authority. And so we 
have worked closely with both the National Security Agency and 
our private DIB partners to make sure that they have both an 
understanding of the threat and understanding of ways that they 
can rapidly get after that threat.
    Mr. Moore. Thank you. My time's up.
    Mr. Langevin. Thank you, Mr. Moore.
    Ms. Escobar is recognized for 5 minutes.
    Ms. Escobar. Thank you so much, Chairman, for holding this 
hearing. It's a great opportunity for the committee to examine 
the functions of CYBERCOM and inform the American public of the 
critical role it plays in our Nation's cyber strategy.
    As more and more of our daily lives move onto the web, it's 
essential that our country have top-of-the line cybersecurity 
defenses. This is especially critical for me because I 
represent El Paso, Texas, a border region with over 800,000 
people that is also home to one of the largest installations in 
the Department of Defense, Fort Bliss.
    General Nakasone and Secretary Plumb, I'm going to ask both 
of you the same question. One of the recurring topics on border 
security over the last years--the last few years has been 
technology.
    I'm a firm believer that appropriate technology can and 
should be used to perform certain security functions and that 
deploying more strategic technology at our land ports, in 
particular--our land ports of entry--can decrease wait times 
for both cars and pedestrians, moving trade and commuters more 
quickly and more securely.
    However, the use of this technology does raise certain 
questions, including how well fortified it is against potential 
adversarial cyberattacks.
    General and Secretary Plumb, you mentioned working in an 
interagency manner with the Department of Homeland Security. Is 
there any interagency collaboration between CYBERCOM, the 
Department of Defense, and the Department of Homeland Security 
on the cybersecurity being provided for the ever-expanding 
technology being used at our borders?
    General Nakasone. Congressman, thank you very much for your 
question and your emphasis on cybersecurity.
    While U.S. Cyber Command does not have that relationship, 
the National Security Agency, of which I head--does have that 
relationship with the Department of Homeland Security to 
provide that type of support with regards to cybersecurity. 
Now, that's something we do regularly with the Border Patrol 
based upon the request of the Department of Homeland Security.
    And so this is something that is an ongoing mission for us 
at NSA and it's something that the DHS [Department of Homeland 
Security] and NSA regularly talk about.
    Ms. Escobar. Great. And, actually, Secretary Plumb--thank 
you so much, General--does the Department view the expansion of 
technology at our borders as another avenue that a foreign 
adversary may seek to exploit if the proper cybersecurity 
precautions are not taken?
    Dr. Plumb. Thank you, Congresswoman. I would say every 
technology has an avenue for exploitation that an adversary 
could use.
    Ms. Escobar. Thank you.
    General, we had a discussion last year about CYBERCOM's 
efforts to recruit a diverse workforce. As I mentioned then, I 
represent the University of Texas at El Paso, which is a 
Hispanic-serving institution with a strong track record with 
the NSA as a National Center of Academic Excellence in cyber 
operations.
    In your written testimony, you mentioned CYBERCOM's 
academic engagement network. I'd like to give you an 
opportunity to expand on the work you've been doing with that 
initiative and others to not just engage with academia but to 
recruit talent that comes from every corner of the country, 
including traditionally underrepresented populations.
    General Nakasone. Congresswoman, I welcome your invitation 
to do that. As you well know, we stood up the Academic 
Engagement Network at U.S. Cyber Command just this year and 
part of that is to be able to recruit a much broader 
demographic of our Nation. We need a force that's reflective of 
our Nation and this is one of the ways that we're doing it.
    I must, in all transparency, tell you that our focus has 
been in San Antonio of late and so maybe we need to go a little 
bit further to the west in Texas to take a look at what El Paso 
has to offer there. But if you don't mind, let me take that up 
in the coming year.
    Ms. Escobar. I would invite you to do that and, in fact, 
would be happy to host you for a visit at the University of 
Texas at El Paso in El Paso, and then would love to follow up 
with you at some point in the near future about any lessons 
that you've learned since the start of the Academic Engagement 
Network, anything that you'd like to share with us so that we 
can continue to build on the work that you've begun.
    Mr. Chairman, my time has just about expired. I yield back.
    Mr. Langevin. Thank you, Ms. Escobar.
    Mr. Fallon is now recognized for 5 minutes.
    [No response.]
    Mr. Langevin. Do we have Mr. Fallon?
    Mr. Fallon. Yes. Yes, sir. Thank you. Thank you.
    Mr. Langevin. Very good. You're recognized for 5 minutes, 
Mr. Fallon.
    Mr. Fallon. I was promoting you.
    [Laughter.]
    Mr. Fallon. Thank you. Listen, I think one of the mistakes 
that the public makes when it comes to cyber defense policy is 
the idea that this is somehow a new realm. However, you know, 
the threats in cyberspace aren't new and they've long since--we 
have long since possessed both offensive and defensive 
capabilities, and competition in cyberspace, of course, is 
almost constant.
    Even though this problem has been an issue for a long time, 
I have a substantial concern that the Department of Defense is 
still not properly positioned to address it in today's rapidly 
evolving landscape.
    My concern is that there are too many--maybe too many chefs 
in the kitchen, if you will. I understand CYBERCOM is a joint 
force comprised of service cyber components from each of the 
branches.
    And on top of that, you have Cyber National Mission Force 
and Joint Force Headquarters and DOD Information Network. I 
mean, already that becomes seven separate commands. Mix in 
CYBERCOM's commander's dual role as Director of the NSA and 
Chief of Central Security Service and you get another one.
    Finally, throw in the rest of the intelligence community, 
the Department of Homeland Security, Department of Justice, et 
cetera, and I think you see where I'm going with this. So what 
do you get? A whole lot of bureaucracy and finger-pointing and 
not a highly adaptable organization ready and willing to fight 
and win.
    Everybody wants to be in charge and everybody wants to, you 
know, maybe get the credit or pass on the blame if that's the 
case.
    Dr. Plumb, can you honestly say that our cyber mission 
force is not hampered by this bureaucracy, and if you think 
there is a bureaucracy issue, what can we do to streamline it?
    Dr. Plumb. Thank you, Congressman. I agree with you that we 
need to make sure that bureaucracy doesn't get in the way of 
delivering military effects where needed.
    I actually think that we are in pretty good shape at the 
moment. There's always room for improvement and always have to 
be--anyone that works in the Pentagon or, really, the 
government knows that you always have to be careful to guard 
your ability to not have more bureaucratic growth slow you.
    I think the trend line, though, for cyber effects in 
particular has--is on--is going in the right direction. As we 
said at the beginning, sir, NSPM-13 has provided improvements 
in the ability to use cyber to advance the national interest 
and my goal in this role is to make sure that that trend line 
continues in a positive direction.
    Mr. Fallon. And do you think there's--what things 
specifically--and you don't need to say it right now if--or if 
you want to get back to us--but how can we maximize efficiency? 
I just want to--I just want us to be thinking along those 
lines.
    General, just for time's sake--General Nakasone, we have 
heard some complaints from within CYBERCOM that, you know, one 
day they work for one person and their priorities. Then the 
next day it changes. How do we create a unified vision and 
mission to set--to avoid subordinate commanders working on, you 
know, pet projects in silos, if you will?
    General Nakasone. So, Congressman, I'm not aware of that. I 
would tell you that there's one person in charge of U.S. Cyber 
Command and that person is me and we haven't--I have not seen 
that in terms of being able to develop options or being able to 
respond to crises for the Nation.
    One of the opportunities that we have here is the fact that 
we have a very flat organization. While we may have a number of 
different headquarters, the teams all fall under the 
operational control of the commander.
    And so while we have different missions that we support 
different commanders, there is no problem in terms of being 
able to develop the options and the requirements and, I would 
tell you, the effects for what our Nation needs.
    Mr. Fallon. General, we recently created a new service in 
the Space Force. You know, cyberspace is a realm, of course, 
that touches everyone everywhere.
    Do you believe there's any merit to creating another 
service designed to support all others, you know, like absent 
of territorial commands from subordinate commanders that can 
focus solely on cyberspace across DOD?
    General Nakasone. Congressman, I don't see this right now. 
One of the areas that I think has been very effective, as the 
chairman had indicated, we have service-like authorities to 
train the force, to be able to provision the force, to be able 
to do acquisition.
    I would be very concerned on a new service in terms of 
what--you know, what you would call the bureaucracy that we'd 
be set up there. We're looking for, you know, our services that 
do a very, very good job of recruiting and training and then 
for us to be able to employ them rapidly.
    Mr. Fallon. Okay. Thank you, Mr. Chairman. I yield back.
    Mr. Langevin. Thank you, Mr. Fallon.
    And now Mr. Larsen is now recognized for 5 minutes.
    Mr. Larsen. Thank you, Mr. Chair. I appreciate that, and 
thanks for coming this afternoon.
    General Nakasone, this is somewhat related to the question 
you just asked but I'm asking it in a different way to maybe 
sort of dig into a little bit about the construct of the 
CYBERCOM integrated planning elements and the joint cyber 
centers, if that's the most optimized mechanism for 
coordination between CYBERCOM and other COCOMs [combatant 
commands].
    General Nakasone. So I've seen it both ways, Congressman. 
I've lived long enough now to see both the joint cyber centers 
and now what we developed over the previous years, the 
integrated planning elements.
    Let me tell you why I think the integrated planning 
elements are really what has been very effective for us. We 
have taken and designed an integrated element that goes to each 
of the combatant commands, the other 10 combatant commands, and 
it varies in size from 39 to 50 folks.
    What that provides the commander are people that really 
understand cyberspace, that understand how we do our 
operations, how we do our planning, how we do our execution.
    They're resident today with General Wolters at U.S. 
European Command. In fact, they are resident today to really 
understand and be able to provide General Wolters' staff the 
options that are necessary, both defensively and offensively, 
that are effective.
    Why do I think this has been effective is because the 
feedback that I'm getting from the commanders is that they 
really value this type of integration.
    Mr. Larsen. So when they are with the COCOM, does COCOM 
then have an operational command of those folks, so they're 
setting the missions, whereas you've--perhaps you've done the 
training and equip part of the mission? Is that how to think 
about this?
    General Nakasone. They go embed themselves within different 
parts of the staff within the COCOM. That's designed by the 
combatant commander.
    Mr. Larsen. Uh-huh. Yeah. Well, maybe take a look at that.
    But a little bit more on that point, though--thanks for 
bringing up EUCOM [U.S. European Command]--and again, I 
apologize. I was out. But there was an article last month, 
``Cyber troops stretched thin in Ukraine,'' and I don't know 
how you can--if you can answer this or not, but how you see 
U.S. capabilities currently coordinating or integrating with 
allies and partners in any--in any current operations that are 
based in EUCOM.
    General Nakasone. So we can talk about this in more detail 
in the closed session. But what I would offer here is that one 
of the very big lessons that we have learned is the ability to 
deploy a number of different teams early on in a crisis to U.S. 
European Command, and then working with General Wolters and his 
staff, making sure that those experts, those teams, go to the 
places that are necessary.
    And I can provide a little bit of thought in terms of where 
those teams have gone when we meet a little later on today.
    Mr. Larsen. Are there broader lessons to learn about what 
would--what would trigger the decision to send those teams? It 
seemed kind of--it seemed somewhat obvious in the current case, 
let's say, but there may be other cases in the future where it 
may not be as obvious that, oh, it's time to send teams. So 
what are you learning about looking into the future?
    General Nakasone. So what we have learned over nine 
different hunt forward operations in 2021 is the fact that 
consistent engagement with a series of partner nations is 
really valuable. We understand the networks. We understand the 
leadership. We understand what they care about most.
    And so working with that, you know, in competition or 
crisis is much better than, you know, waiting until there's a 
conflict.
    Mr. Larsen. Right.
    General Nakasone. And so that's what we have learned.
    Mr. Larsen. Mm-hmm. And I'm sorry, Mr. Chair. Did folks ask 
questions about education requirements or anything else?
    So yeah. So how are we doing with the pipeline of people 
that CYBERCOM can utilize in the future?
    General Nakasone. Broadly, I would say, Congressman, is our 
supply is not large enough in our Nation. And so as you well 
know, within the State of Washington with a number of different 
centers of academic excellence, we follow this up now at U.S. 
Cyber Command with the Academic Engagement Network to be able 
to build a resource for our Nation and that doesn't necessarily 
mean that they will come in as military civilian members of the 
Department of Defense, but the ability for them to have 
exposure and interest in what I think is, obviously, you know, 
a key competitive advantage for our Nation in the future.
    Mr. Larsen. All right. That's fine. Thank you. And I yield 
back.
    Mr. Langevin. Thank you, Mr. Larsen.
    Mr. Johnson is recognized.
    Mr. Johnson. Thank you, Mr. Chairman, and thank you, 
General, for your time today. In your role, you are responsible 
for the cyber operations that protect the sprawling .mil 
digital enterprise that our warfighter really depends upon, and 
over the last several years, progress has been made to 
implement an internet operations management program that looks 
at DOD's cyber infrastructure through the eyes of the 
adversary.
    But despite some progress, this program has yet to be 
deployed across the entire DOD Information Network [DODIN], and 
recently enacted fiscal year 2022 DOD appropriations provide 
funds to do that.
    So are you committed to pushing this critical endeavor 
across the finish line this year? Should we expect that?
    General Nakasone. I am committed, Congressman, and I would 
say, first of all, thank you for discussion on the DOD 
Information Network, a sprawling network in terms of, you know, 
what provides us support for our warfighting functions, our 
communications, and our capabilities.
    What we have done with our joint force headquarters that's 
in charge of the DOD Information Network is look at all 45 
stakeholders within this information network and then make sure 
that we're checking in terms of how they're conducting their 
operations.
    This is part of the--you know, the foundational work that 
we need to have a much more secure and resilient DODIN.
    Mr. Johnson. Very good.
    And could you describe how CYBERCOM is integrating 
artificial intelligence and machine learning to automate 
defense of the DODIN and monitor it and identify cyber threats?
    General Nakasone. Congressman, we have worked a number of 
different experiments. I know of specifically an experiment 
that we worked at Army Cyber to look at artificial intelligence 
and machine learning to identify vulnerabilities within our 
network and then patch them automatically.
    This is a really good example of taking, you know, what we 
would consider, you know, a vulnerability and not having to 
have a human in the loop but rapidly being able to address the 
vulnerability with a patch before anyone knows it.
    This is the initial work that we have done. There's more 
work that needs to be done in AI. I'm a very, very strong 
supporter of the AI National Commission and where we can bring 
that to U.S. Cyber Command.
    Mr. Johnson. And I know that some of this is sensitive and 
may be better in a classified setting, but I'm just wondering 
about what the most promising applications of AI and ML 
[machine learning] may be for the CYBERCOM enterprise.
    General Nakasone. There are many, Congressman, and I think 
that I will defer that to a different venue to, perhaps, have 
that discussion with you.
    Mr. Johnson. Very good. Let me ask you about something 
else. I've got a couple minutes here. The late scholar Thomas 
Schelling described bargaining power is the power to hurt. 
Could you describe the utility of the defense forward concept 
compared to a more traditional deterrence by the punishment 
model?
    General Nakasone. So, as, you know, Secretary Plumb 
indicated, cyber deterrence is not nuclear deterrence and this 
is a much different, you know, means upon which we look at this 
domain.
    And so what we have learned, I think, over the past several 
years is that we have to have an ability to really drive the 
cost up for our adversaries and there are a number of different 
ways that we can drive the cost up for our adversaries.
    One is we can have much more resilient networks. Two, we 
can share information more broadly. Three, we can take on cyber 
adversaries that are attempting to attack our Nation. Those are 
all ways of doing it.
    But it's a comprehensive approach. And the other piece that 
I would add is what we have learned from elections is that 
partners matter and partners like the FBI, partners like CISA, 
partners like academic institutions that have, you know, 
knowledge that they're tracking on adversaries that we may not 
even see.
    And so I think, again, to the point of there's no one 
agency, no one department, that can do it all in cyberspace, 
but the most effective ones are the ones that partner and get 
it done together.
    Mr. Johnson. Very good. Thank you again, General.
    I yield back.
    Mr. Langevin. Thank you, Mr. Johnson.
    Mrs. Bice is now recognized for 5 minutes.
    Mrs. Bice. Thank you, Mr. Chairman, and General Nakasone, 
it's good to see you again.
    The emergence of new technologies like artificial 
intelligence and quantum computing and the proliferation of 
cyber intrusion capabilities pose significant threats to our 
national security and to our service members.
    One of my key concerns impacting the Nation's cyber posture 
is the workforce challenges that we face. As you are both well 
aware, it is critical that we get more trained cyber 
professionals into the door at U.S. Cyber Command.
    With the tremendous competition in the private sector for 
cyber talent this is a huge challenge.
    General Nakasone, can you briefly describe the U.S. Cyber 
Command's efforts to recruit and retain top talent in the face 
of stiff competition from the private sector?
    General Nakasone. Congresswoman, thank you very much, and 
it's good to see you again as well.
    Let me begin, first of all, with the recruit piece. This is 
an area that I think our services who have a responsibility--
Army, Navy, Air Force, Marines--to recruit talent have done 
exceptionally well.
    We continue to recruit a population of young men and women 
that want to serve our Nation and they want to work in 
cyberspace, which is incredibly attractive to them.
    The challenge is not necessarily the recruiting. The 
challenge isn't the training. The challenge, as you've 
indicated, is the retention and that's both for military and 
civilian.
    Let me give you two ideas in terms--or several ideas that 
we have approached it. One is, certainly, targeted supplements 
to very, very high-end capabilities. So this is targeted local 
supplements based upon people that are coders or people that 
have significant technical abilities, that pay them at 28 
percent more than the going rate.
    That's never going to, perhaps, compete with the private 
sector. But what it does do it does give us a leg up in being 
able to say what you do is valued and what you do is, 
obviously, renumerated.
    The other piece that I would say is a certain amount of 
dynamic of how we approach cyberspace and one of the things is, 
as the Congressman mentioned, you know, being able to do 
recruiting is, you know--from, you know, a population of 
civilians is, hey, come in and be a mid-grade officer. Or, as 
we take a look at our enlisted workforce and say, hey, why 
don't you go and spend 6 months in training with industry or 
going to get a graduate degree?
    These are all areas that, perhaps, we haven't traditionally 
done within our services. But this is the dynamic nature that I 
think we have got to approach the problem here in cyberspace.
    So as I've talked to the service chiefs, one of the areas 
that I've mentioned is this is a shared responsibility, shared 
in terms of what you have to do as leading your service but 
also shared in the idea we have a lot of different areas that 
we need to be able to make sure that we keep our best people.
    Mrs. Bice. I love your thinking outside of the box approach 
to this--the problem because I think we have to figure out how 
do we keep and retain this crucial talent.
    One other, maybe, thought here is how are you competing 
with DHS when it comes to pay for these individuals? It's my 
understanding that CISA folks are paying significantly or can 
pay significantly more than you're able to do. Is that 
something that Congress needs to look into?
    General Nakasone. So we're working with the Department 
right now in terms of, you know, how we have to look at that. 
That's not only as my role as Commander of U.S. Cyber Command. 
It's also my role as Director of NSA because we do see, you 
know, increased competition.
    But again, you know, I think this is something that work 
closely with the Department, working, obviously, through 
Secretary Plumb as well as the Principal Cyber Advisor to bring 
these ideas. This is something that we're very well aware of.
    Mrs. Bice. Good. And when it--when we're talking about 
cyber leverage, how does CYBERCOM leverage commercial threat 
information provider--threat at information providers and how 
does CYBERCOM share information currently?
    I've heard some concerns about not sharing information. You 
mentioned the FBI previously in a comment that you made.
    I think we have siloed a lot of information and there's not 
as much sharing as there could be. Can you talk a little bit 
about that?
    General Nakasone. There's a program called Under 
Advisement. That is a commercial program that we execute at 
U.S. Cyber Command. It's run by 12 people of my command that 
reaches out to a number of commercial providers and talks about 
what we're seeing in cyberspace, and what are you seeing? It's 
a two-way street, right. I mean, so we're very interested in, 
obviously, what they're seeing. But they're also interested to 
know what are you seeing about our threats.
    This is an incredibly and powerful program that has been 
able to allow us insights into ransomware and insights into 
adversaries that are seeking vulnerabilities within our 
networks. But it's all based upon this idea of give and take 
with the private sector. And so this is a program that I would 
commend in terms of really great success that we're seeing.
    Mrs. Bice. I would love to see more of that because I think 
that information share is going to be crucial for us to be able 
to prevent significant national security cyber threat that we 
face every day. But that sharing of information for the private 
sector is crucial.
    General Nakasone. If I might follow up. One other piece 
that I do want to highlight is that I did mention the Federal 
Bureau of Investigation and our Cyber National Mission Force--
it's commanded by Major General Hartman--our elite force that 
has done tremendous work in defense against malicious cyber 
actors in both elections and ransomware, is closely partnered 
with a number of different field offices throughout the United 
States to share this information.
    As you're well aware, the FBI, obviously, has a track on 
these cyber criminals within the United States. So this pairing 
of information is one of the areas that Director Wray and I 
talk about a lot as being a significant success story in 2021.
    Mrs. Bice. Thank you, Mr. Chairman. I yield back.
    Mr. Langevin. Thank you, Mrs. Bice.
    We're going to be wrapping up in just a minute to go into 
the closed session upstairs. But before we do that, General 
Nakasone, if I could, earlier today in your appearance in front 
of the Senate Armed Services Committee you spoke to the--to 
readiness matters and in those remarks you noted there are 
defined roles for Cyber Command and the military services, and 
that the services, generally, are able to present forces that 
have passed through a basic level of training.
    From there, it's the command's responsibility to manage the 
advanced training. I know that in discussions that you and I 
have had, that obviously training is important, having the--you 
know, the right skill level, especially as you're operating--
our operators operating in cyberspace.
    If we have got concerns around the readiness of our force 
and the commitment of the services to the cyber domain writ 
large, should we be pressing the services to reexamine and 
consider raising the bar on what that basic level of training 
consists of and is defined as? Or, you know, do you recommend a 
better way of doing this, should we be taking a fresh look at 
that?
    General Nakasone. Chairman, I mean, you've hit the nail on 
the head here. This is what we're doing right now, which is, 
the Secretary of Defense has signed out a memorandum directing 
that one service, the Army, has the responsibility for advanced 
cyber training.
    And so now we're going to build that with the Army being in 
charge to be able to ensure that we have standards at different 
locations for this training.
    My hope is that by the time an operator comes to me, 
there's very little training that they have to do. That's not 
the case today for a number of different reasons, and so, 
again, this is part of our maturity, our readiness. But I do 
see progress, as we move forward.
    Mr. Langevin. I hope you'll have advice for us and thoughts 
on how we kind of make that--the training kind of uniform level 
of readiness among all the services so when they get to you, 
you know, they're at peak level and then you can take them, 
obviously, even further. So----
    General Nakasone. And part of this, Chairman, is, you know, 
cyberspace is one of the few domains that is just now getting a 
simulation capability. For us it's called a Persistent Cyber 
Training Environment.
    It's where we're able to do missions in a simulated way, 
and you can imagine the power of this being able to do with 
training, repetition and repetition and more reps, being able 
to do that.
    So we're deploying that now throughout our service elements 
to be able to do that. That's a key enabler that we need to be 
able to do in 2022.
    Mr. Langevin. Excellent. Excellent. And I know that, you 
know, we have talked about the amount of time they're assigned 
to U.S. Cyber Command in a cyber role and, you know, before we 
wrap up is there anything that you want to talk about, you 
know, publicly in terms of how long you'd like to keep them, 
you know, doing cyber work as opposed to the current construct? 
Anything you want to add?
    General Nakasone. Forever.
    [Laughter.]
    Mr. Langevin. So I----
    General Nakasone. So, I mean, Chairman, I would say that 
I'm working this very closely with the service chiefs now. In 
fact, I'm in communication with them to look at this. This is 
something that Command Sergeant Major Lyon is also working with 
the senior enlisted leaders.
    We have to standardize tour lengths. We need to standardize 
Active Duty service obligations. We need to take a look at a 
means upon which we have, I think, more uniformity with regards 
to how long, you know, young men and women are going to be with 
our force.
    Mr. Langevin. Agreed. That's something that I and the 
committee is going to continue to follow. I look forward to 
working with you on that, going forward, as well.
    Okay. So with that, I'm going to ask unanimous consent that 
Ranking Member Banks' opening statement be entered into the 
record. He's still in his markup. And so without objection, so 
ordered.
    [The prepared statement of Mr. Banks can be found in the 
Appendix on page 32.]
    Mr. Langevin. With that, I want to thank members for their 
questions. I want to thank our witnesses for their testimony 
today and their answers to the questions.
    Members may have additional questions that they need to get 
answered that will be submitted for the record. We ask that you 
respond to those members in writing as expeditiously as 
possible.
    We will now adjourn and move to the closed session 
upstairs.
    With that, the subcommittee stands adjourned.
    [Whereupon, at 5:27 p.m., the committee proceeded in closed 
session.]


      
=======================================================================


                            A P P E N D I X

                             April 5, 2022

=======================================================================

      

      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                             April 5, 2022

=======================================================================

      
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

      
=======================================================================


              WITNESS RESPONSES TO QUESTIONS ASKED DURING

                              THE HEARING

                             April 5, 2022

=======================================================================

      

             RESPONSE TO QUESTION SUBMITTED BY MR. MOULTON

    Dr. Plumb. The DOD Principal Information Operations Advisor is 
currently overseeing the review of the DOD Strategy for Operations in 
the Information Environment and is conducting the first-ever 
information operations posture review. These and other ongoing efforts 
will enable DOD to evaluate the effectiveness of our current and 
planned actions and identify any additional steps that should be 
considered, including any further organizational adjustments to improve 
the Department's efficiency and effectiveness.   [See page 11.]
                                 ______
                                 
              RESPONSE TO QUESTION SUBMITTED BY MR. MOORE
    General Nakasone. U.S. Cyber Command missions and authorities 
dictate that operations will take place outside the United States. As 
you are aware, legal barriers are but one of the reasons the private 
sector is reticent to share information with government organizations. 
Within the United States, the Federal Bureau of Investigation (FBI) and 
Cybersecurity and Infrastructure Security Agency (CISA) have the 
responsibility to work with the private sector in regards to protecting 
their networks and information sharing. Information sharing and public-
private partnerships are where the power is--together they both play a 
vital role in everyone defending and protecting their networks.   [See 
page 13.]

                                  [all]