
Of these activities. I'd like to welcome our from the cybersecurity company Mandia. Mr. Mandia served in the United States Air Force as a computer security officer and later as a special agent in the Air Force Office of Special Investigations, where he worked as a cybercrime investigator. Thank you for being here today. And General Alexander served for 40 years in our armed forces, culminating with his tenure as the director of the National Security Agency from 2005 to 20 and concurrent service as director of U.S. Cyber Command from 2010 to 2014. Thank you for being here today. It is an expert on studies, he worked as the university in Jerusalem, Johns Hopkins School. Dr. Rid, thank you as well for your expertise and we look forward to your testimony.

Sen. Burr: The level of cybersecurity in front of us is truly remarkable. They'll be able to provide at an unclassified level some extremely useful texture and detail to the discussion we began this morning. I feel certain, and I say this to all three of you, that the committee in a closed setting might want to reach out to you as we begin to dig a little deeper so that we can get your thoughts and tap into your expertise. That we might be able to explore more than in this open setting. For this hearing, we will be recognized by order of seniority for five-minute rounds. We are targeted to have a vote somewhere between 4:00 and 4:30. It would be my hope we could wrap up prior to that vote and not hold our witnesses open; that way we would conclude Senate business for the week with that vote. Vice Chairman.

Thank you, Mr. Chairman. I don't have a statement other than one to welcome all the witnesses and to point out that before Mr. Mandia's company was acquired by a California company he was based in Alexandria, Virginia, where he did great work. We'd be happy to have you back, with all due deference to Senator Harris.

Sen. Harris: Stay in the sunshine.

Sen. Burr: I'm going to recognize you to start.

Mr. Mandia: Thank you for allowing me to speak.
What I'm going to speak about today is the cyber capabilities and techniques attributed to Russian hackers, specifically a group we refer to as APT28. I want to talk also about recommendations to prevent or mitigate the compromise. I want to give you a little of my background and the background of my company. As I sit here right now we have hundreds of employees responding to computer security breaches. We think it is critical to own that moment of responding to a breach, collecting the trace evidence, ablizing that evidence, so as I give you my narrative today it's based on three things. On what we are learning as we respond to hundreds of breaches a year. We're cataloging that trace evidence and putting it into a linked database, and we have over 150 threat analysts who speak 32 languages, 19 countries, and they're trying to marry up what we're seeing in cyberspace to what we're seeing in a geopolitical world out there today. Then the third source of my dialogue, third source of evidence, is in fact we have 5,000-plus customers relying on our technology to protect them on a daily basis. Let me first speak to the methodologies being used by APT group 28. We attribute many intrusions to these folks. You might have heard about the worldwide anti-doping agency, the DNC breach, the DCCC breach, the Ukrainian central election commission, and I can keep going on. I believe the doctor will mention some more of these victims. But all the breaches that we attribute to APT28 in the last two years involve the theft of internal data as well as the leaking of this data by some other party, potentially APT28, potentially some other arm of the organization, into the public. During the course of our APT28 investigations we've had a significant amount of evidence. We've looked at custom malware. We don't see this malware publicly available. It's not available to you to download and use tomorrow. It's being crafted in a building, shared by people in a closed loop; it's not widespread or available to anybody. We have identified over 500 domains or IP
addresses used by this group when they attack. Almost every modern nation that develops an operational capability in cyberspace, the first thing they need to do is get an infrastructure they use to then attack their, the real site of their attacks. The real intent. The real target. So there's a huge infrastructure of compromised machines or false fronts or organizations that are used for these attacks. We found over 500 of those. We have analyzed over 70 documents written in many languages; these are the documents you receive during a spear phishing. They're armed documents if you open and peruse them. When you assess the documents, they're related to the subject and interest of the people receiving these documents. A lot of work is going into the backdrop or background of the people being spear-phished. I can go on and on. I've got 40, 50 more pages of what they do, but I'll focus on a couple of things that also help us attribute APT28's activities to the Russian government. In 2015 alone, we saw APT28 leverage five zero days, and a zero day is an attack that does not have a patch available for it; it will work if received and you execute the file. And the best way to liken the value of a zero day: the minute it's used and it's been weaponized, its value goes down incredibly fast. And so when you see these things, mostly in the, they're mostly in the toolbox of a nation state at this point. Over the last 10 years, the security industry has done a great job making the cost of zero days go up, and we're seeing APT28 deploy them as needed. They're hard to detect once they're in your network because they rely on the tools your system administrators rely on. Say they turno osts almost the minute they're in; your likelihood of detecting them, if you don't detect the initial breach, goes down exponentially. They operate using your tools and operate very hard to detect. I want to share with you three observations I saw emerge in 2014 that I did not see prior to responding to these state actors. I had the privilege of responding to them when I was in the Air Force.
Probably a different group, but a group we attribute to the Russian government. And every time I responded to them on the front lines, if they knew we were watching them, they would evaporate. We never got to observe the tools, tactics and procedures of Russian state-sponsored intrusions in the late 1990s and early 2000s. They didn't let us do it. For some reason in August of 2014, we were responding to a breach at a government organization and during our response, our frontline responder said, they know we're there. They know we're observing them. And they're still doing their activities. Actually flew in, sat on the front lines, first I've seen it. To me that was big news because I had a 20-year run from 1993 to about 2014 where they never changed the rules of engagement. They changed in August or September of 2014. Second thing they did is started operating at a scale and scope where you could easily detect them. We were observing and orienting on them. They were letting us do it. But their scale and scope became widely known to many security organizations and we started to work together to get better visibility and fidelity. Lastly, something I wouldn't have predicted but we also witnessed for the first time in 2014: a group we attribute to the Russian government compromising organizations and then suddenly the documents are being leaked out in a public forum through hacktivist personas we have not seen. For today and the foreseeable future, it's our view that the United States will continue to see these happen. While many organizations are actively trying to counter these attacks, there's such an asymmetry that is hard for any organization to modernize and prevent these intrusions from occurring when you have a state-sponsored attacker. Therefore we're going to need to explore ways both within and outside of the cyber domain to help deter these attacks. Lastly, I say, if I had five minutes to talk to the Senate, what would I say? Here it is: I think we have to first start with, got to get attribution right.
We got to know who is hacking us so we can establish a deterrent. This gives us a great opportunity to make sure we have the tools necessary and the international cooperation necessary to have attribution. When you have attribution right, then you can consider the proportional response and the other tools at your disposal as diplomats to make sure we have the deterrents we need. Thank you very much for this opportunity.

Sen. Burr: Thank you. General.

General Alexander: I want to pick up from where Kevin left off. I had the opportunity to see on news, you and the ranking member talk about approaching this in a bipartisan way. Approaching the solution in a bipartisan way. And when you look at the problem and what we're facing, it's not a Republican problem. It's not a Democratic problem. This is an American problem. And we all have to come together to solve it. I think that's very important. If we step back and look at this, I want to cover several key areas to give my perspective on what's going on. First, with respect to technology. The communications is doubling every year. We're get manager devices attached to the network. This network is growing like crazy. And so are the vulnerabilities. Our wealth, our future, our country is stored in these devices. We've got to figure out how to secure them. With those vulnerabilities, we've seen since 2007 attacks on countries like Estonia, Georgia, Ukraine, Saudi Arabia. A whole series of attacks and thenria and others. And then attacks on the power grid in the Ukraine. And what's clear is these networks and these tools have gone from exploitation for governments and crime to elements of national power. And I think from my perspective, when we consider that this is now an element of national power, we have to step back and say, what's their objective? It's been said, know yourself, know your enemy, and you'll be successful in a thousand campaigns.
What's Russia trying to do and why are they trying to do it? From my perspective as I look at it with my background, it is clear it's not just trying to go after the Democratic National Convention or others. This is widespread, a campaign they're looking at doing that will drive wedges between our own political parties and between our country and NATO and within NATO and within the European Union. Why? I believe when you look at Russia, and if you were to play out on a map what's happened over the last 25 or 30 years, they see the fall of the Soviet Union and the impacts on their near border and all these as impacts on them. I bring all this up because one of the questions that's out in the press is, do we engage the Russians? Or do we not? Every administration that I'm familiar with, including the Obama administration, started out with, we're going to engage them. It was tchailed reset button. That didn't go far. I believe this administration should do the same. When I look at what's going on here, there's another opportunity that we have. When you look at the characteristics of leaders in this administration, we have people with great business experience, the president and secretary of state, and great national security experience. In addressing the problem that we're now dealing with, this is a new area. We're seeing cyber, it's an element of national power; how do we now engage Russia and other countries and set the right framework? I believe we have to engage and confront. Engage them in those areas that we can, set up the right path, reach out, and cool this down. I really do. We've got to fix that. At the same time, we've got to let them know what things they can't do and why they cannot do those. Set those standards. And I think what this group can do and what you are doing, chairman and vice chairman, is make this a bipartisan approach. Solve this for the good of the nation.
When we look at cybersecurity and what Kevin gave you in terms of what industry sees, and what government sees, over the last decade we have jointly worked on coming up with cyber legislation, how industry and government works together. If we're going to address africks and other issues, we also have to set up the way for our industry a sectors to work with the government so that that attribution and things that the government knows and those things that industry knows can be used for the common good. It's interesting that sitting on the presidential commission, one of the things that came out when we looked at what's going on was, what's our strategy? And at times people looked at this as a government issue and it's an industry issue. It's not. This is something that we need to look at as a common issue. For the common defense. It's in the preamble of the Constitution. It's something we should all look at. Then we should see how do we extend that to our allies? I would step back and encourage, encourage you to step back and look at the strategy. What's Russia trying to do? Why are they trying to do it? And how do we engage them? At the same time, we need to address our cybersecurity issues and go fix those. And get on with that. Thank you very much, Mr. Chairman.

Sen. Burr: Thank you, General. Mr. Rid.

Thank you for giving me the opportunity to speak today about active measures. Understanding cyber operations in the 21st century is impossible without first understanding intelligence operations in the 20th century. Attributing and countering this information today is therefore also impossible without first understanding how the United States and its allies attributed and countered hundreds of active measures throughout the Cold War. Nobody summarized this dark art of disinformation better than the colonel who headed Department X. He said, quote, a powerful adversary can only be defeated through a sophisticated, methodical, careful, shrewd effort to exploit even the smallest cracks within our enemies and within their groups.
The tried and tested measure is to use an adversary's measures against himself, to drive wedges into preexisting cracks. The more polarized a society, the more vulnerable it is, and America in 2016, of course, was highly polarized. With lots of cracks to drive wedges into. But not old wedges. Improved, high-tech wedges that allowed the Kremlin's operatives to attack their targets faster, more reactively and on a far larger scale than ever before. But the Russian operatives also left behind more clues and more traces than ever before. And assessing these clues and operations requires context. First, in the past six years, we've talked about this already this morning, active measures became the norm. The Cold War saw more than 10,0 active measures across the world and this is a remarkable figure. The lull in the 1990s and 2000s I think was an exception. Second, in the past 20 years, aggressive Russian digital espionage became the norm. The first was called amber light ma and it started in 1996. In 2000 the shift in tactics became apparent, especially in Moscow's military intelligence agency. A once-careful, risk-averse and shrewd and stealthy activity became more careless, risk-taking and error prone. One particularly revealing slip-up resulted in a highly granular view of just one slice of GRU targeting between March 2015 and May 26 in the lead-up to the election that contained more than 19,000 malicious links, targeting nearly 7,000 individuals across the world. Third, in the past two years now, coming closer to the present, Russian intelligence operations began to combine those two things, hacking and leaking. By early 2015, military intelligence was targeting defense and diplomatic entities at high tempo. Among the targets were the private accounts, for example, of the current chairman of the Joint Chiefs of Staff, General Dunford, or current assistant secretary of the Air Force Daniel Ginsberg. Or the current U.S. ambassador to Russia, John Tefft, and his predecessor, Michael McFaul.
A large number of diplomatic and military officials in Ukraine, Georgia, Turkey, Saudi Arabia, Afghanistan, and many countries bordering Russia, especially the defense attachés, all, I add, are legitimate and predictable targets for a military intelligence agency. Russian intelligence curiously also targeted inside Russia, critics inside Russia, for example, theacr group. In early 2015, GRU breached successfully not just the German polics parliament but also the Italian military and Saudi foreign ministry. Between June 2015 and November 20, at least six different front organizations appeared, very much Cold War style, to spread some of the stolen information to the public in a targeted way. Finally, in the past year, the timeline here in the U.S. election campaign began to align. Between March 10 and April 7, GRU targeted at least 109 full-time Clinton campaign staffers. Only full-time staffers, not volunteers; these are not counted here. Russian intelligence targeted Clinton's senior advisor Jake Sullivan in at least 14 different attempts beginning on 19 March. They targeted even Secretary Clinton's personal email account, but the data showed she did not fall for the trick and didn't actually reveal her password. Military intelligence agency GRU also targeted DNC staffers between March 15 and April 11; the timing lines up nearly perfectly. About one week later, after the events I just mentioned, the DNC website was registered, getting ready to spread data publicly. The timing is nearly perfect. Out of 13 named leak victims, forensic evidence identified 12 targeted by GRU, with the exception of George Soros. But a narrow technical analysis would miss the main political and ethical challenge. Soviet bloc disinformation specialists preferred the art of exploiting what was then called unwitting agents. There is no contradiction in their reading between being an honest American patriot and at the same time furthering the cause of Russia.
In the peace movement in the 1980s, we saw that people would be genuinely protesting, say, the NATO double-track decision, but at the same time advancing Russian goals. There is no contradiction. Three types of unwitting agents: WikiLeaks, Twitter, the company itself, and I'm happy to expand later, and overeager journalists aggressively covering the political leaks while neglecting or ignoring their provenance. In 1965, the KGB's grand master of disinformation, General Ivan Agayants, inspected an active measures outpost in Prague, a particularly effective and aggressive one, and he said, quote, sometimes I am amazed how easy it is to play these games. If they did not have press freedom we would have to invent it for them. Later, the Czech operative he was speaking with at that very moment defected to the United States and testified in Congress. And I quote him to close. He said, the press should be more cautious with anonymous leaks. Anonymity is a signal indicating that the big Russian bear might be involved. Thank you.

Sen. Burr: I want to thank all three of you for your testimony, and I think it's safe to say that this is probably a foundational hearing for our investigation, to have three people with the knowledge that you do, and I hope when you do get that second call or third call that you'll sit down with us as we have peeled back the onion a little bit and we have technical questions. We've got some expertise on the committee; you can look at a lot of gray hair and realize that my technology capabilities are very shallow and that many of us struggle to understand not just what they can do but even the lingo that's used, and the dark side of the web and the open side of the web, these things are amazing and would be shocking to most people. I'll turn to the vice chairman for his questions.

Thank you, Mr. Chairman. Let me echo what you said. I think we've got an incredible panel of experts here.
I've got three questions I'd like to try to get through. The first one hopefully fairly quickly.

Sen. Warner: Based on your expertise and knowledge, do any of you have any doubt that it was Russia and Russian agents that perpetrated during the 2016 presidential campaign the hacks of the DNC and the emails and the misinformation and disinformation campaign that took place during the election? A short answer will do. Do any of you have any doubt that it was Russia?

Mr. Mandia: We can't show you a picture of a building or give you a list of names of people who did it; we have to look at a lot of other factors, some of which is incredible amounts of detail. But we've got 0 years of observation, we've seen similar behaviors in the past; my best answer is it absolutely stretches credulity to think they were not involved.

General Alexander: I believe they were involved.

Dr. Rid: I believe they were involved as well.

Sen. Warner: It's been reported that some of the techniques, I say with my good friend Richard Burr, I used to be technologically savvy up until 2000, 2001, which still puts me a decade ahead of some of my colleagues, but it's been reported in the press and elsewhere that by using the botnets and that exponential ability to flood the zone, that in the misinformation and disinformation campaign, they were, the Russians were able to flood the zone, actually not in a broad base across the whole country but targeted down to precinct levels in certain states. Is that capable to do? If you could have a botnet network that would in effect put out misinformation or disinformation and all the other sites that would then gang up on that and target that down to geographic locations?

Mr. Mandia: I think it's technically possible. I don't think I have enough information to say that was done at each location. I think it's technically possible; if you put enough people on it, yes, you could do it.

Dr. Rid: It's technically possible.
Let me make a distinction between a botnet, which is usually controlling somebody's machines, and bots, which is a Twitter account that's automated.

Sen. Warner: But they have the effect, whether it's botnets or bots, they have the ability to push something high on the news feed.

Dr. Rid: That's mostly done by bots. Botnets are a different purpose.

Mr. Mandia: I think you can get perceptions to go different ways based on Google searches and automate ways to uplevel people's attention to things with all the social media. The good news is during the election a lot of states had the foresight, let's do shields up, watch all the cybertraffic we can, and we didn't see any evidence, at least in the DDoS side, or distributed denial of service, we didn't see anything that harmed the actual election.

Sen. Warner: But the question of targeting, here's the last question, and it just, I've heard and it's been reported that part of the misinformation, disinformation campaign that was launched was launched in three key states, Wisconsin, Michigan, and Pennsylvania, and it was launched interestingly enough not to reinforce Trump voters to go out but actually targeted at potential Clinton voters, with misinformation in the last week where they were not suddenly reading, if they got their news from Facebook and Twitter, but stories about Clinton being sick and other things. My final point here, this may be beyond anybody's expertise: my understanding is the Russians, they're very good at some of this technology, they might not have been so good at being able to target to a precinct level American political turnout. That would mean they might be actually receiving some, you know, information or alliance from some American political expertise to be able to figure out where to focus these efforts.

Dr.
Rid: I haven't seen a detailed analysis of precinct-level targeting that would be good enough to substantiate this assumption, but this relates to a more fundamental problem. One separate, an entire group of actors in some and some completely legitimate within the campaign were taking advantage of social media. It's difficult to distinguish for researchers after the fact what actually is a fake account and what is a real account. Ultimately we need the cooperation of some of the media, social media companies, to give us heuristics and visibility into the data that only they have.

General Alexander: I would take it a step higher, Senator. I think what they were trying to do is drive a wedge within the Democratic Party between the Clinton group and the Sanders group and then within our nation between Republicans and Democrats. And I think what that does is it drives us further apart. It's in their best interest. We see that elsewhere. I'm not sure I can zone it down to a specific precinct, but we expect them to create divisions within a framework and destroy our unity. You can see we're actually, if you look back over the last year, we didn't need a lot of help in some of those areas. So now the question is, and where I think you have the opportunity, is how do we build that back?

Sen. Burr: I want to clarify what I said about Sen. Warner's business, my reference about Senator Warner's business; my reference meant it was about 14 years ago, 15 years ago. Someone said, in the future people won't file technological patents because technology will change so quickly that you won't have a year and a half to go through the patent approval process before your patent is obsolete. I think we have reached that point of technological explosion that what we're talking about today, we could have a hearing six months from now and probably talk about something different.

Sen. Warner: The cell phones I was involved with in the early 1980s have now become ubiquitous.

Sen. Burr: Senator Rubio?

Sen.
Rubio: One of the people who appeared before us earlier mentioned the 2016 presidential primary. I'm not prepared to comment on that; hopefully information on that will be reflected in our report, if any. I do think it's important to divulge to the committee because this has taken a partisan tone, not in the committee. But in July of 2016, shortly after I announced I would seek reelection to the United States Senate, former members of my presidential campaign team who had access to the internal information of my presidential campaign were targeted by IP addresses with an unknown location within Russia. That effort was unsuccessful. I'd also inform the committee that within the last 24 hours, at 10:45 a.m. yesterday, a second attempt was made again against former members of my presidential campaign team who had access to our internal information, again targeted from an IP address from an unknown location in Russia. And that effort was also unsuccessful. My question to all the panelists: I have heard a lot on the radio and on television and advertisement for a firm in the United States actively marketed in Best Buy and other places, Kaspersky Labs. There have been open source reports that say that it has a long history connecting them to the KGB's successor. I have a Bloomberg article here and others. I would ask the panelists in your capacity as experts in information technology, would any of you ever put Kaspersky Labs on any device you use, and do you think any of us here in this room should ever put Kaspersky Labs products on any of our devices or computers or IT material?

Mr. Mandia: The way I'd address that is generally people's products are better based on where they're most located and what attacks they defend against. McAfee and my company or other companies, we are prominently used in the U.S. We get to see the best attacks from China, cyberespionage campaigns in Russia. I think what we're starting to see, there's an alignment where Japan won't let a U.S.,
will let a U.S. company secure Japan. The Middle East will let a U.S. company defend it, but you almost see lines being drawn. There's no doubt the efficacy of Kaspersky's product, that I probably see different things than we see being this relevant.

Sen. Rubio: My question isn't whether it's effective, but whether you'd put it on your computer.

Mr. Mandia: There's better software for you here.

General Alexander: I wouldn't, you shouldn't either; there are other U.S. firms that answer and solve problems that will face you for the issues you described earlier, that I think would be better at blocking them.

Dr. Rid: I would, I would also use a competing program at the same time. A bit of redundancy never harms. Kaspersky is not an arm of the Russian government. Kaspersky has published information about Russian cyberattack campaigns, digital espionage, about several different Russian campaigns. Name any American company that publishes information about American digital espionage?

Sen. Rubio: My second question to the panel is, my concern in our debate here is we're so focused on the hacking and the emails that we've lost, and I think others have used the terminology, we're focused on the trees and lost sight of the forest. This, the hacking, is a tactic to gather information for the broader goal of introducing information into the political environment, into the public discourse, to achieve an aim and a goal. And it is the combination of information leaked to the media, which of course is always very interested in salacious things, as is their right in a free society. The public wants to read about that too sometimes. But it's also part of the effort of misinformation, fake news and the like. Would you not advise the panel to look beyond the emails to the broader effort of which the emails and the strategic placement of information into the press is one aspect of a much broader campaign?
General Alexander: That was part of my point about bringing this up to a broader level, to say what's Russia trying to accomplish and driving a wedge between those and creating tensions between those countries and ours. If you were to go back and look at what's happened to Russia over the last 30 years and play that forward and see what they're now doing, you can see a logic to their strategy. I think that's something that we now need to address. I do think we ought to address this with the Russians and get the administration to do that. It's not something that we want to go to war on. It's something that we want to address by engagement and confrontation.

Dr. Rid: How active measures today differ from the Cold War, this is an answer to your question. In the Cold War, active measures were artisanal. Required a lot of work. They add value to these active measures and this is important because if we look at the operations in hindsight they appear a lot more sophisticated than they actually were. We run the risk of overestimating Russian capabilities here.

Sen. Burr: Sen. Feinstein.

Sen. Feinstein: I want you to know how much your China report was appreciated. I think everybody very much appreciated it. I think it had some good results. So thank you very much. General Alexander, this is the first time I've seen you out of uniform. Civilian clothing is becoming. And I'd like to personally welcome you, I don't know, our, I don't know our third gentleman, but I want to address this to General Alexander. You were Cyber Command for a number of years. You spoke about the fact that the time has come for us to get tough. And we had talked about that before. We have WikiLeaks and stream after stream after stream of release of classified information. Which has done substantial harm to this nation. And yet we do nothing. And everybody says, well, we'd like to do something but we don't quite know what it is.
I never thought we would be in a situation where a country like Russia would use this kind of active measure in a presidential campaign. The size of this, the enormity of it, is just eclipsing everything else in my mind. And yet there is no response. As you have left now and you've put the Cyber Command on your desk, what would you do? What would you recommend to this government?

General Alexander: I think there are two broad on thives we ought to do. We ought to fix the defense. Between the public and private sector. Between government and industry.

Sen. Feinstein: You said that.

General Alexander: We have to fix that because much of what we're seeing is impacting the commercial or private sector. Yet the government can't really see that. So the government is not going to be able to help out, and the ability to take action is to actively mitigate it, therefore the ability to take actions to mitigate it are therefore nonexistent or after the fact. If you think about Sony as an example, imagine that as the attack coming in, the government couldn't see that network's feed and so the government came in and did incident response. Everything happened to Sony. What you want the government to do is stop a nation state like North Korea or Russia from attacking us. But the government can't do that if it can't see it. We have to put this together. We have to come up with a way of sharing threat network intelligence at speed and practice what our government and industry do together and work that with our allies. I believe we can do this and protect civil liberties and privacy. I think we often combine those two but we can separate and show you can do both.

Sen. Feinstein: How?

General Alexander: First, the information we're talking about doesn't involve personally identifying information. Think about it like radars looking at airplanes. They're not reading eastbound in the airplane. They're seeing an airplane and passing it on to another controller who sees a comprehensive picture.
What we see is what a radar sees today. And so we don't actually, we're not talking about reading threat information. We want to know what's that packet of information doing? Why is it coming here? Can I or should I share the fact that a threat is coming to us?

Sen. Feinstein: I understand what you're saying but what I'm asking you for is different. It is your expertise based on this, based on the fact that the Russian government, including two intelligence services, made a major cyberattack on a presidential election in this country. With a view of influencing the tce. Would you recommend?

General Alexander: The first step is fix your defense. If you take offense and don't have a defense then the second step of going after the power or other sectors puts us at greater risk. So from a National Security Council perspective, what I would expect any administration to do is look at the consequences of the actions they take. So when I said engage and confront, in this regard what I would do, what I would recommend is first and foremost a quiet engagement with the Russian government about what we know and why we know it, without giving away our secrets. And say that's got to stop. We need an engagement here. If we're going to confront them, it would be we know you're doing this right now. Stop that. And we had a channel in the Cold War for doing it. We need a channel to do that and build up the ability to put a stop to things, from my perspective. I would be against using cyber only as a tool against Russia when we have these vulnerabilities we haven't addressed in our own country. I think it would be a mistake until we fix that. So that's why I say we have to do both. And I actually, it's interesting. We were talking beforehand and Thomas can add to this. One of the things that as you look at this, I don't believe Russia understood the impact their decisions would have in this area.
It's far, with all the discussions going on in our country today, I'm sure people in Russia are saying, oops, we overdid this. Now is the time for us to say, not only did you overdo it, we need to set a framework for how we're going to work in the future and we need to set that now. That can only be done by engaging them. Face-to-face. And I think that's what has to be done.

Sen. Feinstein: Thank you, very helpful.

Sen. Burr: Senator Blunt.

Sen. Blunt: Let's start with General Alexander. I asked a question this morning which was, after all the discussion of the long history of Russian involvement in European elections, of things that have happened for a long time andly the last 15 years, why do you think that we were not better prepared for this? General Alexander, you just said we need to have a defense. Why wouldn't we have had a defense? What was this about this particular thing that should have been so anticipated that the intelligence community, the U.S. Government, even the media appears not to have had the defense you just mentioned we should have now?

General Alexander: Senator, this has been a great discussion that you and the other house of Congress have talked about and that's how do we put together our country's cyber legislation. Right now, we do not have a way for industry and government to work together. So if you think about the D.N.C. or the R.N.C. or the electricity sector and others. When they're being attacked, the ability for the government to see and do something on that doesn't exist. Everybody recognizes that we need to do it. We talk about it. In fact, we had at the Armed Services Committee a discussion on it. But we haven't taken the steps to bind that together. We allow it but haven't created it. I believe that's the most important thing that we can do on that one vector that Senator Feinstein brought up. Fix the defense. The reason is the government's not tracking the R.N.C. and the D.N.C.
Now, industry sees it and Kevin brought out some key points of what was going on, what they were seeing from an industry perspective. But the reality is, we hadn't brought these two great capabilities together. And the other part, it's my personal experience the government can help on attribution several times greater than what we see in industry. If you put those two together we could act a lot better.

Sen. Blunt: So Mr. Rid, was there nothing we could have done here? Were we not paying the level of attention we should have paid? Or we just aren't ready because our structure doesn't allow us to anticipate what we know was happening in elections all over the world before 2015 and 2016 here? Particularly in Europe. Maybe all over the world might be a stretch, but all over Europe, not a stretch.

Dr. Rid: There's a lot we can do in order to increase defenses here as well as minimize measures taking place. Let me name an example. Let's make this concrete. You as members of the legislature are, and the same is true in Europe, the belly of the government, of the wider administration and government. Because this is true for all parliaments. The I.T. security is notoriously bad. I mean the chip card that many of your staff members carry cox card,ir neck, the here in Congress, doesn't actually have a proper chip. It has a picture of a chip. Try to feel the chip with your fingernail, it's not a real chip. It's only to prevent chip envy. That tells you there's a serious I.T. security problem. It should be mandatory and potentially this is something to think about as we move forward. It should be mandatory for all campaigns, just like you have to disclose financial records, should be mandatory by default to have two-factor authentication. Not just a password but actually a second thing. A number that is generated by an app or a specific

Sen. Blunt: We had somebody to say it should be mandatory to have a State Department say what's true and what wasn't true.
There's certain levels beyond what you can require people to do that really don't make that kind of sense. Mr. Mandia, and I don't mean your comment didn't, but there are levels now. I also say that soft underbelly is one of the nicer things the legislative branch would be called these days. But your thoughts on why we didn't see this coming? The earlier panel had a more robust sense of where we should have been understanding what was going on than this one.

Mr. Mandia: When we say fix the problem, we've known about cancer for 4,000 years and haven't cured it yet. When we fix the problem here, we'll still have incidents. People get serious about cybersecurity when they have two things, either a, a compliance driver and take it seriously, or b, they have the oh, crap, moment, and they've been breached. We published reports, my company did, in 2014 that had a lot of allusions to what just happened. But sometimes you have to have it happen before you recognize, wow, that was really on the table. I doubt it will happen again. But now we're having the dialogue to make sure that it doesn't.

Sen. Blunt: Thank you, chairman. I think you've been a good panel. I want to talk about one of our most significant vulnerabilities as it relates to cybersecurity. I have been working with Congressman Ted Lieu of California, a real expert in this field, and one of the things that I'm particularly troubled by is our vulnerabilities in what's called SS7. Signaling System Seven. This allows networks to be able to talk to one another.

Sen. Wyden: We seem to have things that would allow those who are hostile to our country to hack, tap, or track an American's mobile phone. And the hackers could be just about anybody but certainly a foreign government and the victim could be just about any American. I think Dr. Rid, I'd welcome anyone who would like to talk about it, but I think, Dr.
Rid, you've done serious analysis of these vulnerabilities in SS7 and I would be interested in hearing, a, how serious you think this is, and b, what do you think our government ought to do about it, particularly in connection to the topic at hand, which is dealing with these Russian hacks?

Dr. Rid: Thank you for this very specific question, although I have to say I'm not an SS7 expert and don't want to pretend to be one here. But the technology you're referring to is a weak point and can be exploited, ultimately because it is a trust-based system, a trust-based protocol. If you have a landscape with a lot of mobile phone providers, it's relatively easy to undermine, one entity undermined, can exploit the trust here. There are ways to remedy the problem but I will just add one observation, that if, and I think many people in Congress would be doing this, if you use an encrypted app for your communications you will most likely defeat some of those vulnerabilities there.

Sen. Wyden: I hope that's the case, we have been concerned that may not be enough. Largely what has happened thus far is there have been self-regulatory approaches and that and other approaches weren't pursued. We're going to continue this discussion in depth. As I understood it you had talked to some of our folks. You may not consider yourself an expert but our folks thought you were knowledgeable.

Dr. Rid: If I may respond? We're looking at market failures here. Two-factor authentication, we're looking at a market failure there. It's still an opt-in. If you have an opt-in situation, most people will not opt in and hence remain vulnerable. There are other the market, when we this is the most ethical. The market favors disinformation today and I have to go into specifics and how we can remedy this if you like.

Senator Wyden: Well, the congressman and I feel like we need to get the F.C.C.
, the Federal Communications Commission, off the dime too because it's clear that they have been slow-walking the various kinds of approaches to provide an added measure of security. Let me ask this question and any of you three can get into this. The Intelligence Community assessment said Russian intelligence accessed elements of multiple state or local electoral boards. I asked the F.B.I. director then what exactly had been compromised and what was the nature and the extent of the compromise. Director Comey responded that the Russians had attacked state voter registration databases and taken data from those databases. Can you all add anything else to that, any of you three are welcome to do it, because it sounds to me like pretty alarming stuff? The F.B.I. director in January, and I wish I had more time to get into it with him, essentially said this is the problem and I would be curious whether you knew anything more about this topic. We can just go right down.

Dr. Mandia: You brought up the polling data. The data registration data is something that's at risk and something the states are looking at so I do think that's important.

Senator Wyden: Great. Thank you, Mr. Chairman.

Senator Burr: Senator Cornyn.

Senator Cornyn: Thank you for coming here testifying. I think people know more what we are talking about than they actually do so I'd like to get basic, maybe for my benefit, and maybe some other things will learn as well, but I think we referred to something that's called spearphishing and so I'd like to have one of you explain what that is. Let me just tell you, by the way, occasionally my junk email box on my personal email, I'll get emails that purport to be from the F.B.I. director or the Army chief of staff, mt now the Army chief of staff, or maybe from Apple telling me I need to reset my password or from Google saying I need to execute some sort of maneuver. And then there's a link for me to click on.
Is that what is commonly known as spearphishing and once you click on that link then they basically can take over your machine?

Yeah, you basically got that right. We did nearly 1,000 investigations into computer intrusions and we have a skewed vantage point because no one hires us to respond to intrusion when they are five minutes behind the hack.

Mr. Mandia: 91% of those breaches, victim zero was in fact spearphishing, meaning that's how the Russian groups, the Chinese espionage campaigns and threat actors are breaking in. It's in fact a link, it's a link or an attached document that comes to you. It looks like it's coming from someone that knows you and has something relevant attached or the link is something you consider relevant to what you do for a living and that's what we were talking about earlier, that's how we kind of know what the Russians were targeting is they're doing very specific spearphishes to very specific people but that's a number one way. Human trust is being exploited and that's how folks are breaking in.

Senator Cornyn: Would you be surprised if a senator is

General Alexander: I was going to add to what Kevin said. They'll do research on you, know who your friends are. You know Mark Milley from Texas, key things about you. Perhaps you golf and you have a friend that golfs and they'll send something, how about this golfing thing, click here and do this and that's how they do. Spearphishing is done on an individual and do more things to go after you as a person.

Senator Cornyn: Dr. Rid, you talked about poor I.T. and hygiene in the government space. I think some of this can be as simple as updating your antivirus software, scanning your machine periodically and the like. Let me mention the specific act of O.P.M., Office of Personnel Management. 21 million Americans had their personal information stolen in government custody.
So even though they may have considered it private information they were forced to give it to the government for security clearance or some other purpose. And now some foreign state actor through a cyberhack has access to 21 million private records, including more than five million sets of fingerprints. Is that the kind of information that cyberactors, either criminals or espionage agents, foreign governments would use to further collect espionage or put it in a machine or business and shake them down for money?

Dr. Rid: Yes, absolutely. The more information, the more confidential information you have, the easier it is to have a spearphishing targeted email, forged email, so to speak. In my written testimony I included a number of samples, a number of exhibits, including John Podesta.

Senator Cornyn: Thank you for doing that. We don't have control over everybody's private computer or what kind of software they use but we do have something to say, I think, about what the United States government does and I think one of the things we need to be attentive to is to make sure the United States government networks are adequately protected. I know General Alexander, you had something to do about that at the N.S.A. but you didn't have the ability to protect all of this other information. Let me just ask, I just have a couple of seconds, and since you're here, General Alexander, we have to take up the reauthorization of the Foreign Intelligence Surveillance Act, particularly Section 702. And I just would like to ask you since we have you here, a little bit about its importance to detecting and countering foreign cyberactivity and if you could also include in your answer the privacy protections that are a very, very important part of that and oversight that you got to see firsthand in your capacity as head of N.S.A. and Cyber Command.

General Alexander: I think that's the most important program out there, especially in counterterrorism.
And I can give you a real quick example. One in Denver was detected by that specific authorization. N.S.A. saw that, provided it to the F.B.I. and Naja was the individual in 2009 who was driving across the country to New York City when they arrested the individual in New York City based off of the other program. And they found several backpacks in various states of readiness to attack the New York City subway, done by that program. I think that's the most effective counterterrorism program we have and I think it will be also effective in some areas for cybersecurity although I don't have any examples off the top of my head here.

Senator Cornyn: And could you talk about minimization and other privacy protections, because I think that's important to the American people to know we're very vigilant and diligent in that area as well?

General Alexander: We did a series of presidential review group on N.S.A. after the Snowden leaks about these programs. And at the time one of the board members of the ACLU, Geoffrey Stone, was on that panel. I was kind of skeptical about this individual being on there, and I'm sure he looked at me somewhat askance. After five weeks of sitting down with our people and going through every one of those he came up to me and said your people had the greatest integrity of any agencies I've ever seen. I said, don't tell me, tell the American people, tell Congress, tell the people of N.S.A. and tell the White House, and he did. And so there are some key statements by Geoffrey Stone that show that we can protect civil liberties and privacy and I think it's important to see some of his statements there because what it did, he also asked me to write an op-ed. So imagine an Army officer and a board member of the ACLU writing an op-ed on reauthorizing the metadata program with some changes, and we did. And the reason I asked him, why are you doing that?
And he said the reason I'm doing this is if we don't have programs like this and we're attacked, we won't have civil liberties and privacy. And the mechanisms and the capabilities you have here to protect it are overseen by Congress, overseen by the courts and overseen by the administration. Everything has 100% review on it, and I think that's the best way to do it. And, you know, he is right. If we do get another attack, they are going to ask Congress, they are going to ask the administration why we didn't stop those. I think this is exactly why we have to move down. I do think we have to be more transparent. I think as we bring cybersecurity in here, having a discussion like this, open hearing about how we can protect these is absolutely critical for our country. And I have some statements but I think your folks can pull those off the web from Geoffrey Stone with a G.

Let me start by saying that I guess I can take some comfort now knowing Senator Rubio and Senator Cornyn and quite a few of us had these sort of sophisticated targeting examples where you end up having to make sure that everything's in place, that your devices were not penetrated.

Senator Heinrich: I had family members had these sophisticated spearphishing and other kinds of approaches. Sometimes you know where the I.P. address is coming from because your provider tells you, oh, by the way, if you didn't try to reset your account from Russia yesterday at 3:22 p.m., let us know. So, you know, in having been through that a few times, one of the things I certainly shared with my colleagues and you mentioned this, Dr. Rid, is the importance of two-step authentication and I don't think it can be oversold to the public. Do you want to just a couple more words about that and why that's so important?

Dr. Rid: Had John Podesta had two-factor authentication, the last month of the campaign would have looked very different. I think that says it all.

Senator Heinrich: That says it all.
I could not agree more. If given what we saw in 2016 and how easy it is to sometimes drive these wedges within our own society, what should we be expecting in 2018 and how should we be preparing for that? And that's open for any of the three of you if you want to share your thoughts.

Mr. Mandia: It took about 18 years for me to figure out as I responded to breaches that reflected geopolitical conditions but they actually do. What I think we're going to serve in 2017, 2018, the exploits will, we've seen Russia use and the Chinese government use. I think it's what's fair game to espionage and I think governments will define what industries are fair game, what activities are fair game and what aren't because every nation can get sucker punched in cyberspace.

Senator Heinrich: And how do you send the signals what is over the line and the consequences of what crossing that line is?

Mr. Mandia: We have to have doctrine. We have to let people think what are the right activities and wrong activities. The private sector will participate. We will get alignment with some nations and misalignment and we'll add to that.

General Alexander: Can I add to that? I think what you can do and encourage is with the states setting up an exercise program between the state governments and the federal government about how you're actually going to improve the security of that and what they need to do, set the standards. So I'd go beyond the National Institute of Standards and Technology, how do we know we're protecting voter registration databases and what are the standards that we're holding them to and who is watching that and setting the controls in place? I think the states would greatly appreciate, so what are you going to do while we're being pummeled by a persistent threat? Now the government, the federal government needs to step in. And that's part of Senator Feinstein's question. So how do you, well, we haven't practiced that. We should practice that.

Dr.
Rid: With a very concrete suggestion I think would actually make a difference. How many of the social media interactions, especially Twitter interactions, during the campaign of the most important Twitter accounts were created by bots, were created by automated scripts and not humans? The answer to that question, we don't know the answer to that question, because Twitter and other social media networks have not provided the data. You could write a letter to these companies and ask them to provide the data. How much of a problem is bots and

Senator Heinrich: That's very much in line with the next question which I was going to direct to you. In addition to looking at the data, are there things that we should be doing, working in concert with those social media companies to dampen the effectiveness of this feedback loop in the media cycle that's being exploited?

Dr. Rid: Absolutely. So you could, for instance, ask social media companies to provide detailed data, including a methodology how they arrived at those data. It's very difficult for us to get to the answer to these questions. How much of a problem are bots? And I think it's a very significant problem. When you sign up for a new Twitter account today, you can say, you know the new accounts all have an egg, you can say, I don't want any eggs, people won't change their account picture. No egg is a good thing. You can say bots are more of a problem than eggs, I believe. We should be in position by default move into an environment where we switch out abuse and bots out of our vision, if you like.

Senator Heinrich: Very helpful. Thank you all very much.

Senator Collins: Thank you, Mr. Chairman. General Alexander, first of all, it's nice to see you once again.
Section 501 of the fiscal year 2017 intelligence authorization bills, which regrettably has not yet become law, requires the president to establish an interagency committee to counter active measures by Russia, including efforts to influence people in government through covert and overt broadcasting. The purpose of this committee would be to expose falsehoods, agents of influence, corruption, human rights abuses carried out by the Russian Federation or its proxy. Like the U.S. Information Agency, there once was an active measures working group that worked to counter covert disinformation from the Soviet Union, and that was disbanded. Is this a recommendation as we search for ways to counter the Russian attempts to spread propaganda, outright lies, influence our people? Is this the recommendation that you believe should be implemented?

General Alexander: I do. I think I would look at giving the administration a sweep of capabilities from diplomatic through cyber, what you said through active measures, what we can do to expose that. I think we need to give them the freedom to determine what's shared and what's not shared in terms of protecting the nation in that regard. Sharing it all with Congress, of course, but how you publicize that if you know something is going on and you got two other means. I think those things you would want the administration at least be reasonable about. I do think those are the things that should be put on the table. You know, I would have to go back and look at all the tools that you're giving them and say, does that meet the objectives of engaging Russia and confronting them when they cross the line on something? And I think in this case, this is something that would give them a tool if they crossed that line to say, stop, here's what we know, and here's the consequences.
Senator Collins: Because one of the aspects of this investigation that I found troubling that we already learned is how weak our response is when we have a disinformation campaign and it seems to me that this working group could be useful. I realize it's a delicate issue in some ways because you don't want to sweep up legitimate, you don't want to be trying to set the rules for journalists, for example. But that brings me to another issue for Professor Rid and that is, in your testimony you talked about how Russian disinformation specialists perfected the act of exploiting the unwitting agent. And I assume by that you mean that individuals or entities who don't know or realize that they are being used by the Russians but nevertheless are. And in your testimony you use examples of Twitter and journalists who cover political leaks without describing the origins of those leaks as examples of unwitting agents that were involved in the Russian influence campaign in 2016. You also list WikiLeaks. I would put WikiLeaks in a different category, personally. But what can we do about the unwitting agent? And I mean the truly unwitting agent.

Dr. Rid: Yes, I agree in the case of WikiLeaks it's unclear if they are unwitting indeed or just witting, so to speak.

Senator Collins: Right.

Dr. Rid: I think we are, the Western mind is trained in contradictions. It's either this or there. But here I think we are looking at a situation, and this has been a pattern throughout the Cold War, where active agents, this could be journalists and politicians even, members of parliament in the past that has been the case, just because they are genuinely so passionate and engaged and activist in their outlook further the Russian cause. I think we have to recognize this will continue to be a problem. We cannot simply get rid of that problem.
It is something, so, for instance, we have documents from the Cold War time where disinformation active measures operators say they actually want conflict between the unwitting agent and the actual adversary. Say, WikiLeaks and the U.S. Government. Conflict is good so that's how far you can take. If the goal is driving wedges, then the unwitting agent is the trump card in your sleeve.

Senator Collins: Thank you, Mr. Chairman.

Senator King: Following up on that, it seems the unwitting agent is a key part of this entire process, particularly where you're talking about disinformation and I think you make the point in your prepared statement that anonymity, anonymous leaks, there should be more on where that comes from, is that correct?

Dr. Rid: Yes, absolutely. So the anonymity, WikiLeaks was purposely built to hide the source. That was the goal of the platform. And I do take it seriously when initially at least historically it was just an activist. He was a clearinghouse but now he's a selective leaker.

Dr. Rid: That seems to be the case, yeah.

Senator Alexander, we have been talking about this for at least four years, one of the problems, and you talked about this with Senator Collins, this country has no strategy or doctrine around cyberattacks.

Senator King: Isn't that correct and isn't that part of the problem? We need to have a doctrine and our adversaries need to know what it is.

General Alexander: We would add rules of engagement. The consequence is, if there were a massive attack, we'd have to go back and get authority to act where if it were missiles coming in, we already have rules of engagement. I think we need to step that up as well.

Senator King: And ironically it's transparency because if we have a capability that acts as a deterrent and if our adversaries don't know it is not a deterrent?

General Alexander: That's correct.
If I could add something because Thomas brought up another issue and I think it would be good, also, for the American people to know the vulnerabilities our government has pushed out to industry that's been identified by government because often that's opaque. So what you wouldn't see is how much of that is actually being pushed to industry and how that's cleared. But you could get a collective summary from the departments and agents that have pushed those out and see what's being shared. I think that's a good thing and it's a good way to start that dialogue.

Senator King: That's a positive development but I still believe we need to develop a deterrence 2.0 to deal with the nature of the threat. It doesn't have to be cyber for cyber. It can be sanctions. But there needs to be a certain response, a defined response and a timely response. Otherwise it's not going to have the effect.

General Alexander: That's right. We have to get the rules and responsibilities of the different agencies. Who's actually going to conduct that response? And I think that has to be set straight and cleared. We discussed that in the other hearing. That's something that also means if we had to react we wouldn't have the right people set up to react.

Senator King: Mr. Mandia, one of the things that's been touched on in the hearing is the state election systems and we know that the Russians were poking around, if you will, in our state election systems. I learned recently that more than 30 states now allow internet voting and five have gone completely paperless. Doesn't this create a significant vulnerability?

Mr. Mandia: It also creates an opportunity to do things even better. At the end of the day, when we look at, I go right to Estonia and what they do in their election process, I am not totally intimate with it but they have an identity management that's far better than our nation.
When you have anonymity it's hard to secure the internet and obviously we will have attacks on these areas but what we are seeing is every election year, and I responded to breaches every election year since 2004. Both sides get targeted. Things happened. We are still going up and to the right and I am confident in modernization and probably others could speak better to that, would reserve the tool of tweaking electoral votes or ballots to the last resort. And I've never seen evidence of that and I think we will always have a natural risk profile to show great diligence in how we secure the election process and to go forward.

Senator King: My understanding of the intelligence is, it doesn't appear they changed votes or vote tallies in this election but they weren't going in those state election systems just for recreation. There was some purpose.

Mr. Mandia: Right.

Senator King: I think one question which I think any of you could answer but you can answer, 2016 wasn't a one-off. This is a continuing, ongoing and certainly future threat, is it not?

Mr. Mandia: I think so. I think right now when you think of intelligence, it's been totally redefined by the internet. People are searching YouTube every day to see what operations are going on by ISIS. The intelligence we have today has not existed in the past. We saw Russia break rules of engagement they have traditionally followed in that they added collections with computer intrusions, stealing documents and leaking them. Yeah, I think this is a tool that everybody will use.

Senator King: Dr. Rid, do you want to respond?

Dr. Rid: It will be studied in intelligence schools for decades to come. Not just in Russia, of course, but in other countries as well.

Senator King: Not only will it be studied, there will be attempts made to replicate it?

Dr. Rid: That we can only assume but it will certainly be studied.

Senator King: Thank you. Thank you, Mr. Chairman.

Sen. Burr: Senator Lankford.

You have gone through background and looked at the D.
M. C. Hack and the exfiltration of their data. I want to repeat what you said orally and in your statement and any details you can give us. You felt this was russian intelligence. You have answered that yes but much what you have put in your written statements seems to be a circumstantial look at it, that you are basically eliminating other things. Let me ask you a question. Is this a process of elimination much like a doctor doing a diagnosis, saying its not this, this, this and it must be this or do you think something that zeros in and says, no, this is really it and this is what links it . General alexander i think its different for atrishation attribution than it is in the government. We will not mr. Mandia we have to do it by process of elimination. We have to do it by deduction but at the same time frame we hope this level of he want tude needed will come from the intelligence communities. We have done this with china. China with just got lucky. Their security broke down so we could get an exact building and people. Russias Operational Security on the internet is better than that. Senator lankford there has gossifer 2 that was linked . Mr. Mandia heres what we do know. I would attribute the russian government to the breaches. We cannot all the dots from the breach. At least with the observables available to our company and our investigators. We cant go from breach and leaked data to suddenly goosifer 2. 0. Senator lankford do you think its consistent . Mr. Mandia yeah. Its a. P. P. 28 being stolen by anonymous poll and a bunch of other what we call fake personas or false personas. Senator lankford how confident are you there are no false flag operations involved in this . Mr. Mandia we observed this since 2007. Im confident that a. P. P. 28, the hacking group, is in fact responserd by the government or the russian government. Senator lankford ok. Fair enough. The ongoing dialogue we have here all the time. 
How do you find any difference, what's thrown around commonly is we had a cyberattack or, has been used in this conversation, they crossed the line? We continue to talk about cyber doctrines, giving clear boundaries. We don't have any of those things, and this has been an ongoing conversation who would set them, how they would be set, but at some point we have to have a clear statement of what is crossing the line. So earlier you made a statement it would depend on the state. It would depend on the situation and such. Can you give me an example, obviously, this is an example, so other than this one, but give me an example of what it means to have a cyberattack that we can communicate to the American people, this is not just a nuisance hacker stealing information, this is an attack from a foreign government on our sovereignty.

Mr. Mandia: Somebody made a comment, pornography, we know it when we see it. It's hard to delineate the cyberattack. I'll give you an example though. I received a phone call once from one of our intrusion responders, we think China hacked Sony Pictures. We did the work. We were shocked as anyone we even attributed via our means to most likely North Korea. And then you start wondering what levers do we have on North Korea to change their behaviors? And that's why I think, A, attribution is critical. Got to know who did it, but I think the response will probably depend on the relations with those nations.

Senator Lankford: Talk about the difficulty identifying who did it and be able to hide it in different ways, is it more difficult or easier based on the tools we have or the tools they have to be able to hide their location?

Mr. Mandia: It's the private sector, we respond to hundreds of intrusions a year, but 2010, six years of doing this, we only had 40 buckets of evidence. Every time we responded to a breach to figure out what happened and what to do about it, the trace evidence of what happened, claim in the 40 buckets. Now we are in the thousands.
The malware is changing. The infrastructure is changing. I would say actors are getting smarter about remaining anonymous in their attack.

Senator Lankford: Mr. Rid, a matter of an attack is not going into deleting files and chaos. It's manipulating an existing file where you lose trust for it or adding a file that was never there. And to suddenly there's something that appears on your computer somebody added. So the threat of the attack out there, what could it look like?

Dr. Rid: We have concrete examples. A recent one is a critic of President Putin in London was hacked allegedly and I think the evidence is quite good. Illegal child abuse imagery was uploaded to his computer as an active measure to undermine his, to make him into a criminal in the U.K.

Senator Lankford: So they added child pornography?

Dr. Rid: They didn't download it in case of the D.N.C. hack but they uploaded something.

Senator Lankford: Thank you.

Senator Burr: Senator Manchin.

Senator Manchin: Thank you for your testimony today and helping us as much as you can. Let me ask this question. Could Russia have made a difference in the outcome if they wanted to? Could they, did they get to the level where they stopped and we fell in the trap? Mr. Mandia?

Mr. Mandia: In regards to

Senator Manchin: I understand they got more aggressive than they ever have been. Could they have done more, then they stopped and we fell in the trap?

Mr. Mandia: I don't know if we fell in the trap.

Senator Manchin: The trap is what we are doing right now.

Mr. Mandia: I think 90% of the cyber capability, maybe 80%, they reserved their upper echelon to

Senator Manchin: Could they have changed the outcome of the election? Do you think they're capable of doing that?

Mr. Mandia: I'm an engineer. I think in ones and zeros. Could they have altered the votes, I think we would have seen that. I think we will see the shot across the bow on so much of the most severe attacks. Things where we have lots of observation.
See the shot, the shot across the bow.

Senator Manchin: What about countries in the past, is it to the level they've gotten to with the United States this past 2016 election? Are they that involved in France, Belgium, Germany? Dr. Rid?

Dr. Rid: Depends on how far you want to go back in history. We know it affected the outcome in one vote of no confidence in the Bundestag which kept chancellor in power.

Senator Manchin: What about in France?

Dr. Rid: We don't have a single example in Europe to my knowledge where hack and leak were combined in the way it happened in the United States.

Senator Manchin: But their involvement in the election has shown they desired to get people that are more friendly towards the Russians?

Dr. Rid: I am not saying nothing is going on. There are active measures but different kinds at this stage than what we saw in 2016 here. More old school. More forgeries like the case that Senator Rubio mentioned earlier.

Senator Manchin: From the technology end of it, cyber end of it, do we have the ability to stop, and you're saying what can we use, and will it be cyber warfare back to them, is something we can do to Russia that would stop this behavior they would be concerned about how we could intervene or interfere with their system?

Mr. Mandia: I think General Alexander should comment on that. I think in the private sector, a hockey analogy. It's like going up against Gretzky on the penalty shot when the Russian organization, government, gets in your organization, they have a better chance of putting the puck in the net.

General Alexander: There are a couple things, Senator, we need to do. We talked about fix the defense. I think what we're doing right now with this committee and others, we have highlighted that we know they did this. They know that we know, and now the issue is they, they've been put on notice and now it's the path forward and we have an opportunity to engage and confront them on different issues.
I think that in and of itself was something that perhaps they miscalculated. Now what we need to do is fix the defense and see what other actions we should take to defend our infrastructure, including the electoral infrastructure.

Senator Manchin: General, Putin, the statement he put out today claiming no responsibility, no knowledge whatsoever, and we know and the whole world should know. We made it, we made it official. How do you, I mean, he seems to have a very high rating in Russia so I don't think they're going to believe us. Do we have the ability to show from a technical aspect what was done?

General Alexander: So I think one of the benefits of his actual active campaign is it's had a great impact on his popularity in Russia. He's taken us on in these areas. I think saying it wasn't us is something he would say ad infinitum. Oney light, Russia was involved.

Senator Manchin: Do you know what the greatest retaliation, for, what would you recommend? How would we retaliate and make sure we harm them or hurt them to the point they won't continue this type of behavior?

Dr. Rid: That's a tough question.

Senator Manchin: Militarily?

Dr. Rid: I don't think militarily. I think it's entirely inappropriate.

Senator Manchin: Economically.

Dr. Rid: I believe it was the D.H.S. publication at the end of 2009, then Obama government pointed out the, the administration pointed out R.T. major outlet of Russian, at this stage R.T. has a license in the United States.

General Alexander: So I think we need to step back, Senator, and say, what is our objective with Russia? This was a single event. This is where the administration, secretary of state, secretary of defense and others should get together and we should give them the opportunity and time to do this. And say, what's our strategy going to be with Russia? Which includes what you're asking. Because I don't think we want to do it tit for tat on these things.
What we want to do is, how do we get an engagement with Russia that puts us and the world in a better place? And I think it's part engagement saying, here's what we want to do. We know this and we have to figure out how to stop and here's what will happen if we don't, and put those on the table. But I think that needs to be done more in private than in public if we're going to have a chance of success. You know, it's in our interest to address these problems. Now, when you look what's going on in the Middle East, what's going on in Eastern Europe and all the other problems we have, we got to solve some of these by allowing the administration to engage in that area. I would push it over to the administration. They have good people in this area.

Mr. Mandia: A lot of comments here. I got a very simple, there's money or the 82nd Airborne. Not time for that. I would caution the response if it's just in cyberspace. The asymmetry, if our tools win against them and their tools win against us, Russia wins. Based on our economy, relying on it, our communications relying on it, our free press, they can do an invasion on the privacy of everybody in this room. We can't really reciprocate that. Hack Putin's emails and post it and get the same results. I would advise cyber on cyber, it feels like we are in a glass house throwing rocks at a mud hut. We will not pan out there.

Senator Harris: Mr. Mandia, so one main reason that we're doing this public hearing is so the American public can actually understand what happened. And so if we could just take a step back, because this is a fairly complex issue and particularly when we talk about bots and some of these other things, some people want to know if it's a short form for a robot. I want to think Americans may feel they have been played if they made their decision in this election based on fake news. How can they know that they are receiving fake news?
How can they detect it so they can ultimately make decisions like who will be their president based on accurate information?

Mr. Mandia: That goes beyond my expertise as a cybersecurity individual. They have to vet it against multiple sources. But I simply don't have the right tools to be an expert on how do you determine fake from nonfake news.

Senator Harris: Do any of you feel experienced enough to answer that question?

Dr. Rid: It's a simple answer. If it's in the New York Times or the Washington Post it's not fake news. I mean, we have to believe in the center, so to speak. If we can't trust the mainstream media any more we lost.

General Alexander: I think part of it we sensationalize, inflamed and not informed. How do we get a more informed set of reports out to the American people on some of these issues? And that's something I don't have an answer to but that's part of the problem. And we've got to figure out how to address that as we go into this next age of having all the information available at an instant. You saw the attack on the White House, the theoretical attack about a year ago. It turned out to be fake news. I think we got to take another few steps on that and that's where the news agencies, social media and governments have to work together to help get the facts out there. Just the facts, ma'am.

Senator Harris: Tell me, I'll start with Mr. Mandia, but whoever can answer this question if you feel you have an answer. How can we tell if bots manipulated a Google search to elevate the placement of fake news in the 2016 elections, and what partnerships might we take with Google or any other search engine to avoid that happening in the future?

Mr. Mandia: I think that's a great question. I think Google probably has the answer. Here's the reality, even it's going to be difficult for them. There's a lot of ways. What you're describing is astroturfing. It's a way to manipulate public opinion. It depends on the platform. It's a complex challenge for us to pierce anonymity behind.
Is that a bot or a human, because bots keep getting smarter replicating that.

General Alexander: I think Google has great folks in this area and I think that's something you get folks at Google, Facebook, Twitter together, along with the other social media and ask that question, how can we jointly solve some of these issues? I think it's a great question and one that they would take on.

Dr. Rid: Social media companies are the market basis on the active user base. Now, if a certain amount of your active users are simply bots, then there's a commercial interest in not revealing the fact that, you know, a 10th, a third of your user base is actually machines.

Senator Harris: Thank you. General Alexander, as a former general, I asked the question of the earlier panel, the investment in our military and soldiers as part of our defense system and rightly, but Russia seems to be investing a great amount in its cybersecurity as a tool of warfare. What would you recommend we do in terms of the United States government to meet those challenges in terms of how we're investing in infrastructure to be able to combat both on the point of deterrence but also resilience after we do detect, when and if we do detect we've been hacked, how we can step back up and pick back up as quickly as possible and what we need to do in terms of any sort of retaliation?

General Alexander: So I think there are several key points we have to do. One, we have to fix the relationship between industry and the government for sharing information so they can be protected. We have to set up the rules of engagement and the rules of each of the departments are going to do, and they have to understand and agree to those. We have to rehearse that between the government and between government and industry.

Senator Harris: I only have a few seconds left. I'd like you to direct your response, and I appreciate your points earlier, on this point. We have a budget coming up.
What would you advocate in terms of the budget that is going to be before us to vote on? It's called the skinny budget. There's a whole lot of discussion where the limited resources and dollars are going to go on this point. What would you advise us in terms of how we distribute those limited resources to meet these challenges, the challenges in terms of the Russian government and the finding by the F.B.I. and N.S.A. and C.I.A. that they hacked our systems?

General Alexander: Well, I think we definitely need to continue and increase the investment of what we have in our cyber capabilities. The forces and the infrastructure and the tools that we create. That's needed. I think we also have to look at, and one of the members over here brought up government. Our I.T. in government's broke. We need to fix it. We need to look at how we secure it. O.P.M. was a great example that they used. I think that's something this administration is already looking at but we need to help them get there and figure out the best way to do that. And when you think about it, they don't have the I.T. resources or the cybersecurity professionals actually to defend them. The solution has got to look at what we do at the commercial sector and how we add that to government. I think those are the key things.

Senator Harris: I appreciate that. Thank you.

Senator Burr: Do any other members seek additional questions?

Senator Warner: I would just like to add one quick one. I think this line of questioning we heard about how we can interact. Very briefly because the chairman hasn't asked his questions yet. I do wonder, we saw the example that somebody did hack into former Prime Minister Medved's files, was showed luxury properties around the world. That resulted in a series of protests across Russia over, unfortunately protesters were arrested. But comment on that very briefly since the chairman hasn't had his questions.

Dr. Rid: I am not sure I understand the question properly.
Are you implying that

Senator Warner: The challenge, and I agree with Kevin that the notion that a simply tit for tat, real actions in cyber because we're so more technologically dependent, but there are activities kind of around active measures where Prime Minister, former president and now president Medved in Russia, I may be mispronouncing his name. But suddenly his extensive property holdings became public which caused a series of protests.

Dr. Rid: Now, we know from publicly available information that the president Vladimir Putin believes the Panama Papers leaked which broke on the third of April in 2016, so right in the middle of the ramped up targeting. Targeting on their side ramped up before Panama Papers broke as a story but we have to assume they knew about Panama Papers, that it was coming. Putin seems to believe Panama Papers was an American active measure against him. I mean, I don't think that was the case but that puts the entire investigation into a slightly different light and it's important to consider that.

Senator Burr: Thank you, vice chairman. Listen, we really are grateful for the three of you for making yourself available. And Keith, you're a guy that the committee has looked up to, not just because of the stars on your shoulder but it's the knowledge in your head and how you have had a way for years to convey to the committee in a way that we can understand what the threat was, what our capabilities needed to, the actions we needed to take, why we needed to take them and the objective of the effort. I think what concerns me is that this thing's speeding so fast. Now it's like you pulled the string on the top when we were kids and over time the top slowed down, and it looks like now the top starts spinning faster and faster and faster once you pulled the string. So I want you to understand that we're probably going to invite you back in an informal setting. Probably not a public setting where some of the things we got into today we couldn't dig much deeper.
And thank you for showing the constraint of doing that. And for that reason I am not going to include you in my other two questions because it might put you on the spot. I'm going to turn first to Dr. Rid. Do we have any idea how Russia transmitted emails to WikiLeaks, and if that's the process that everybody assumes happened, then how could WikiLeaks be, as you referred to, unwitting?

Dr. Rid: Guccifer 2, the front that was created, tweeted that they gave it to WikiLeaks. WikiLeaks tweeted they received from Guccifer 2 before it was attributed to Russia. That's the only evidence we have publicly and I think it's quite strong. It was notable. Is WikiLeaks an unwitting agent? In truth we can't answer the question because they haven't spoken on it. We can't assume they are an unwitting agent. It doesn't matter because they are very effective unwitting agent.

Senator Burr: Kevin, do the forensics that you are able to have done suggest that WikiLeaks continues to have information that they have not released?

Mr. Mandia: What we have seen publicly released is what we attribute to the Russian government's dealings.

Senator Burr: We're trying as a committee to come up to speed on not just terminology but what that terminology means. So I'd like to give you an opportunity to walk us through how you identify an actor like APT28.

Mr. Mandia: Yeah. We started getting better software in place beforehand so it's, you can see keystroke by keystroke what they're doing. Most senators don't do command line execution but there are different commands you can type. There's different letters you type in different orders. You start getting to know the attackers when you get that command level access to them. And it's the malware they created, the I.P. addresses they used, the infrastructure they used, the people they actually target, the encryption algorithms, the password uses and the list goes on and on.
We created a scheme in about 2006 on how you categorize the intelligence or the evidence or the forensics from an intrusion investigation and we had over 650 different categories. I can't go into all of them today. But trust me, you observe a group for 10 years or more, after a while we got the bucket right. APT28 to us is a bucket. Every time we respond to them there's enough, you know, criteria to gather that APT28 is APT28, APT29 is APT29. APT1 was P.L. 698. We couldn't see G.R.U. or F.S.B. It isn't available to us in trace evidence. I will give you one last example because it's understandable. When you look at the malware that's been used in these attacks and their compile times, 98% or higher is compiled during business hours in Moscow or St. Petersburg. That's a pretty good clue. And whoever's doing it speaks Russian.

Senator Burr: If you'd rather not answer this or don't know the answer, punt it and I'll forget it. Had the D.N.C. decided to provide their system for F.B.I. to do forensics on, would we have gotten more information?

Mr. Mandia: I don't know. I can't speak specifically to this one but over the first to six years we respond to breaches where the F.B.I. is there. And they are not the ones traditionally doing the forensics. They are relying on the private sector forensicators, that's a made up word. Our clients are using to share that with the F.B.I. I think the group that responded to the D.N.C. is highly technical, highly capable, they got it right.

Senator Burr: It was a diplomatic way of asking, do we have different capabilities than the private sector and you said

Mr. Mandia: We have tremendous help. Maybe they're cleansing intel from another agency or not, but there's been numerous cases where we're showing up and we know maybe three things to look for. And the F.B.I. says, here's another 80. Go look for those as well. So we are, and I have been doing this 20 years. It's more likely than not when the intrusion is there that F.B.I. is there responding with us.

Senator Burr: So I leave this hearing not having heard a word that I think we will hear going on and that's dox. It's the 21st century term for steal and leak. Am I going to hear dox in the future?

Mr. Mandia: It's an irritating word. That's the technique, it looks like a state actor is using it. I can tell you the first time we saw North Korea delete things in the United States, that felt like it crossed the red line. Doxing is the thing that crosses the line with the Russian activities.

Dr. Rid: One thing on what Kevin just said about the F.B.I. there. Usually in an investigation of the kind he was describing, you would make a so-called image of the computer. Hard disk. And if the F.B.I. has these images, which I understand they may have, then you don't have to physically be there. It's as good as being there physically. But under doxing observation, yes, just to make another observation that may be personal for many of you here in this room. But the ethics rules in Congress may actually and members of Congress, the Senate, more vulnerable because it forces you to use different devices. Sometimes as many as three devices, I understand, to make different calls and different communications. So even if the main work device is actually secured properly, then it would push you down into a more vulnerable area. That's a problem that possibly cannot be fixed.

Senator Burr: One last general statement, and I heed the advice you gave, General, you backed up, Thomas, and I think, Kevin, you supported as well. Our response has to be well thought through and it's not just what we do in reaction to. It's what we do as we set the course for some better defensive mechanism in the future. But you can't neglect the fact that Russia over a period of time has done things outside of Ukraine, invasion of Moldova, presence in Syria, presence in Egypt. It continues on. That we might look at this today in the rearview mirror and say, boy, they miscalculated.
The only way they miscalculated neglect of taken our reaction to what they did as an opportunity to push a little harder on the accelerator. So not being critical but we've done nothing to Russia when they've made aggressive moves. And now all of a sudden this happened at home. It happened with elections. When you look at it from a standpoint of impact, I think the Ukrainian people would tell me what happened to them is much worse. And if it happened in the United States, we would think that's much worse. But the fact is that this is going to require a global response because the globe is just as exposed as the United States. It was our election system in 2016. It is the French, the Germans. I won't get into the long list of them, but we're within 30 days, we're within 30 days of what is a primary election in France. It could be the Russians have now done enough to make sure that a candidate that went to Russia recently and a socialist make the runoff and they end up with a pro-government, a pro-Russian government in France. They've won. That was their intent, I feel certain. We're not sure what the effects are going to be in Germany, but we've actually seen them build a party in Germany. Not tear down but build up a party and exploit things when you look back on them, fake news. Not that we didn't create but Germany that thin never was news but they used it, they exploited it and look at what it's turned into. We may have been the first victim but we may not have been victimized as much as others are going to be in the short term and we certainly should heed the warning and not be an additional victim in 2018 or 2020. Let me move to Senator King real quick.

Senator King: Tell me more about Guccifer 2, is it a human being, is it an officer and is there any question that Guccifer is an agent or somehow working for the Russian government?

Dr. Rid: We know from the evidence that's available, not all of it public but in private sector sources and academic sources, Guccifer is not just one individual, because in private interactions with journalists, we can see different types of human play that some use specifically at a specific time, lots of smileys, and all communicating through the same channel. The links Guccifer APT28, what evidence, in the written testimony, hacked 12 of the targets that were on leaks. They provided a password that was not publicly known, provided password to the smoking gun to the outlet. That is a strong forensic link there that the dots can be connected.

Senator King: Is Guccifer 2 an agent of Russia?

Dr. Rid: An organization, could be a subcontractor or a team

Senator King: Affiliated with the Russian government?

Dr. Rid: Yes.

Senator Burr: I thank all the members and I thank our panel today. You have provided us some incredible insight and knowledge. We are grateful to you. This hearing's adjourned.

[Captions copyright National Cable Satellite Corp. 2017] Captioning performed by the National Captioning Institute, which is responsible for its caption content and accuracy. Visit ncicap.org

Ranking Member spoke to reporters at the Capitol just a moment ago. Democrat Adam Schiff. Here are his remarks.

Mr. Schiff: Good afternoon everyone. This afternoon, I received a letter from White House Counsel inviting me to review materials at the White House that pertain
