More information about the rules and requirements and also teacher tips and rubrics to help them incorporate into their classroom and more information about prizes and incorporating the video. Its one way to get ready for the president ial in moderation. Tomorrow, the senate is expected to vote on a temporary spending bill that funds the government until december 11. The house may not be able to vote until thursday after the current spending runs out. Mitch mcconnell blamed democrats for the situation and we will also hear from the editor and candidate rand paul who called for a smaller spending bill. This is 15 minutes. Vot last night from a 77 senators voted for advanced legislation that funded atfu the bipartisan level agreed to by both partiesi the bill represents my preferred method for funding the government, but its now the most vital way forward after extreme actions forced our country into the situation. Here. Moreber how we got they were unlikely to by theirnr desire fore more democracy, but they say that they might in a vern crisis. Me fun so they pursued adi deliberate e strategy of blocking government commtee, and some said that they would block government funding legislationvn in some of these bills came out. Of the committee overwhelmingly on a bipartisan basis. Egis democrats said they wanted th democr Appropriations Committee with largeat majorities. Ur and the democrats voted r repeatedly blocked a bill thattb funds our military and that funds medical care and pay mr. Re raises democrats are willing to a time of daunting International Threats in order to tear down the normal government funding process and force our country into this situation that we now face. Well, im not prepared to let the government im not prepared to let the democrats lead us over the cliff. The bill before us would keep the government open. It would allow time for cooler heads to prevail. Thats why i joined 76 other senators and voted to advance it yesterday. But, look. Obviously, the best way to fund the government is by, first, passing a budget; then passing Appropriations Bills. The Senate Already passed a budget. The senate is prepared to pass the senate is prepared to pass the senate is prepared to pass appropriation legislation and all that is needed is those that have the sea are behind us, we can turn back to trying to pass the appropriation bill. I am reminded of that name is wine from cool hand luke. What we have here is a failure to communicate. And what we have in congress is a failure to legislate. A failure to exert congressional authority. What we have is a failure to use our leverage and the failure to use the power of the purse. Conservatives across america are unhappy and rightly so. We were told that when we took over congress and were republicans were elected that things would be different. But those that put us in charge, we would right the ship and stop the deficit and here we are with another continuing resolution. What is a continuing resolution . It is a continuation of the past and a continuation of the waste and duplication. And it is a steaming pile of the same old, same old. Let me be clear that a continuing resolution is not a good thing. It is more of the status quo. It is a warmed over version of yesterdays failures. And it is an abdication of congressional authority. It is an abdication of congressional power. Let us at least be honest with a continuing resolution that no waste will be cut, no spending will be cut. No regulations will be stopped. And the debt will continue to mount. We are told that we cannot win, that we need 60 votes to the fund anything. But perhaps there is an alternate future where current big step up and save the day. All spending is set to expire automatically. This is the perfect time to turn the tables and to tell the other side that they are going to need 60 votes to permanently spend any money. You see, it doesnt have to be 60 votes to stop things. Only those programs for which we can get 60 votes should go forward. And what would that mean . That would mean an illumination of waste and duplication and a of bad things that we spend money on. If we have occurred we can use the super majority rule to stop wasteful spending. If we have the kurdish, we can force the other side to come up with 60 votes to fund things like planned parenthood. The budget is loaded with nonsense and also waste. Some are going to say that our job is to govern and to preside. But to preside over what . A mountain of new debt . To be the same as the other side and to continue to add that after debt . Our debt is going to consume us if we continue to preside over the status quo. It is as if we are on the titanic and that includes a continuing resolution that continues the spending of wasteful money. I could go on and on about what we are wasting money on. And we spend 300,000 last year studying whether or not japanese quail are more sexually promiscuous on cocaine. And i think these things should never have money spent on. But it will continue. We spend several hundred thousand dollars studying whether we can relieve stress and vietnamese villagers by having them watch American Television reruns. And i dont know about you, but i dont want 1 penny of taxpayer dollars going to this ridiculous stuff. If we pass a continuing resolution no reform will occur. We spend time developing a televised Cricket League for afghanistan. 800,000. You know how many people have a television in afghanistan . One in 10,000 people and i dont care if they all have tv. Its ridiculous that our money, which we dont even have, to send to afghanistan, you are agreeing to continue this nonsense. And we spent 150,000 last year on yoga classes for federal employees. Not only do we pay them nearly one and a half times as much as the private sector employees but we give them yoga classes as well. If you pass a continuing resolution, this goes on and on. And nothing is going to change. The status quo is going to continue and we will continue to spend ourselves into oblivion. We spent 250,000 last year and fighting 24 kids from pakistan to go to space camp in alabama. We borrow money from china to send it to pakistan. Its crazy. It is ridiculous. And it should stop. We have the power to stop it and congress has the power to spend money or not spend money and yet we lay down and we say that it must continue. We dont have the votes to stop it. Well, nonsense. The other side doesnt have the votes to continue the spending we would stand up and challenge them. We spend a halfmillion dollars last year or the year before developing a menu for colonizing mars. We sent a bunch of College Students too wide to study this. They got two weeks all expenses paid in hawaii and you know what a bunch of them came up with . Pizza. This is where your money is going and i could go on hundreds and hundreds of programs. If we do not exert the power of the purse this is going to continue and we should attach all 12 individual spending bills not ground together and we should attack hundreds of instructions. Thousands of instructions. And some of the media said that would be the power of the purse. If you object to the president writing regulations about our authority, congress should defund the regulations. What we object to. They should talk about how we dont want money spent on planned parenthood. Hundreds should be written and sent to them. Would we win all of these battles . Do we have the paddle and transparent to win every battle in defund everything . No, we do not. Do we start off with a negotiating position right now. Why dont we start off with a negotiating position and let defund at all. And if there has to be a negotiation lets start and see where we get. But it would take urge because he would have let spending expire. If youre not willing to let the spending expire and start anew, you have no leverage. The power of the purse is only there if you have the courage of conviction to say that enough is enough. Some will say that we want to shut down government, but no we dont, that means that spending must expire. But lets only renew the spending that makes sense. We have the power of the purse if we choose to exert it. And so look at the mountain of debt and the debt that continues to be added. We have not been doing our job. The way that we are supposed to spend money in congress is 12 individual Appropriations Bills and why dont they presented on the floor. But everyone in america know that its democrats who desire to shut down government. And its democrats that desire not to have any restrictions on where the money is spent and they are saying that we dont want and wasteful spending and we dont want to end any spending and we want to continue the status quo and we should not be complicit with them. We have allowed this to go on for too long and it threatens the very heart of the republic and are very foundation. It is time that we stood up and said enough is enough. One is the was the last time we did it in the appropriate fashion and Congress Passed each of the individual appropriations bill. 2005. A decade ago. It has been a decade. In the last decade we have added 10 trillion in new debt. It is time to take a stand. I have had enough. I am not going to vote for a continuing resolution that is simply a continuation of mounting debt. I wont do it. A continuing resolution is announcing defeat in advance. What we should do is take a stand and we should say in the senate requires a supermajority and that means 60 votes to pass spending. What would happen . Would have spending that is controversial like planned parenthood that would fall away. And you wouldnt find things being funded that are controversial. And what would happen if there would no longer be funding were to put their projects. We had 7 billion worth of just duplication. And even this president puts forward this to be eliminated. Congress is dysfunctional and we continue to pass this resolution which means we do nothing to exert the power of the purse. Congress is a shadow of what it once was. Madison said that we would have hit ambition against ambition and we no longer do that. But instead congress is a withering shadow of what it once was. They have no power and exerts no power and we walk and live in the shadow of a presidency that is growing larger and larger and larger. The president says that he has been writing and creating laws. One of our philosophers said when the executive begins to legislate a form of tyranny is going to ensue and thats what we have now. We have executive tierney. But this is been going on for a while, probably for a hundred years we have been allowing more and more power to accumulate in the hands of the presidency and what we need is a taking back of the power. We need congress to stand up on its on 2 feet and say enough is enough, we are reclaiming the power of the purse and will do whatever is necessary to get rid of the wasteful spending, the offensive spending. And we are going to do it with what the American People want to spend what is only coming in. I oppose this and i recommend that everybody in america says that we are tired of the mounting debt and we want you to stand up and say that enough is enough, let the funding a expire and make the other side come up with 60 votes to spend the money and its time we took a stand and i hope you will. Thank you, mr. President. The Senate Returns tomorrow at 9 30 p. M. To debate a contemporary spending bill that they will vote on at 10 00 a. M. Needing a simple majority to pass. It will fund it through December December 11. It ends wednesday night at midnight and we have live coverage of all the Senate Proceedings on cspan2. A signature feature of booktv is our allday coverage from across the country from top nonfiction authors. The southern festival of books in nashville. The weekend after that we are live for the texas book festival and then we will be covering to book festival is on the same weekend from our nations heartland the wisconsin book festival in madison. And then the boston book festival. Then we will be in portland followed by the National Book awards for new york city and at the end of november we are live for the 18th year in a row from florida for the Miami Book Fair international. That is a view of the fairs and festivals this fall on cspan2 booktv. The director of National Intelligence and Michael Rogers talked about cybersecurity at a hearing of the Senate Conservatives committee including recent hacking threats and encryption in preventing statesponsored cyberattacks. This is two hours and 15 minutes. [inaudible conversations] good morning, we meet today to talk to robert work and the commander of u. S. Cybercommand, director of the National Security agency and chief of the centrals dirty service, we thank the witnesses for their service and for appearing before the committee. We meet at a critical time in just the past year and we all know that the United States has been attacked by north korea, china, russia and the attacks have only increased, crippling our networks and compromising sensitive National Security information. Recent attacks against the joint chiefs of staff are just the latest examples of the growing boldness of pushing acceptable behavior in cyberspace. New hacks are occurring daily. Trends are getting worse, but it seems the administration has still not mounted an adequate response. They say that they will respond at the time and manner of our choosing but then they either take no action or pursue symbolic responses that have zero impact on our adversaries behavior. Not surprisingly the attacks continue and they gain a competitive economic edge in improving the military capabilities. To demonstrate their own need to attack are critical of the structure and they do all of this at a time and manner of their choosing and more and more they are leaving behind what the ad while recently referred to as cyberfingerprints, showing that they feel confident that they can attack us without mexican consequences. Just consider the recent case with china after chinas efforts to steal intellectual property and wage economic espionage against u. S. Companies. Instead last weeks state visit simply a amounted to cyberand enabled the rat. Whats worse is that the white house has rewarded china with diplomatic discussions about establishing norms of behavior that are favorable to china and russia and any internationally agreed upon with rules must recognize the right of selfdefense is contained in article 51 along with meaningful intellectual Property Rights protections. The administration should not concede this point to autocratic regimes who seek to distort or principles or detriment. We are not winning the fight in cyberspace. The adversaries put simply, the problem is a lack of deterrence. The administration is not demonstrated to our adversaries that the consequences of cyberattacks against us outweigh the benefits. Until this happens the attacks are going to continue and our interests are going to suffer. Establishing deterrence hires a strategy to defend and aggressively respond to the challenges to our National Security in cyberspace and that is exactly what the congress required in fiscal year 2014 National Defense authorization act. That strategy is now over a year late and counting and while the department of the defense is a big improvement over previous such efforts, it still does not integrate the ways and means to deter the attacks in cyberspace. Establishing deterrence also requires robust capabilities both ostensibly in defense of late that can pose a credible threat and a gold in which the committee remains actively engaged. The good news is that significant progress has been made in developing our cyberforce and that will include a mix of professionals trained to defend the nation to support the geographic combatant commands and to defend dod networks. This is good, but the vast majority of resources have gone towards showing up cyberdefenses and far more needs to be done to develop the necessary capabilities to deter attacks and fight and win in cyberspace. Policy and decision should not become an and capability development. We do not develop weapons because we want to use them. We develop them so as we do not have to. We are at a tipping point. He said that we have to broaden our capabilities to provide policymakers and operational commanders with a broader range of options. And we must invest more in the offense and capabilities that our teams need to win on the battlefield. We seek to address this challenge and a number of ways including our Pilot Program to provide us with limited authorities and finally we know the Defense Department is in the process of assessing whether the existing command structure can elevate cybercommand to a unified command. There are worthwhile arguments on both sides of the debate and i look forward to hearing views on this question in his assessment of how and elevation might enhance our overall cyberdefense posture. And i also look forward to hearing from eyewitnesses what if any progress has been made on addressing disagreements within the agency on the delegation to use cybercapabilities. And i think the witnesses appearing before the committee and i look forward to their information. It is important to talk about this and i want to thank the director and the cybercommander for their information. Let me start with china. I expect we will have a robust discussion about chinas can compliance chinas leaders must be aware that the reputation may continue to decline if this does not stop, which ultimately will have it immensely negative impact on our relationship with china. I would also emphasize how important it is to embrace these norms, which include refraining from the tax on the other nations Critical Infrastructure. And that includes whether we can go to a full unified command and whether the commander of cybercommand also serves as a director of the nsa. And i understand that the problem could elevate it to a unified command. We have questioned whether or not the arrangement should continue on an arrangement is made and put simply if they are so reliant that, leadership is necessary, is the command ready to stand on its own. This is an issue that the senator has drawn attention to and i think its something thats very critical for this committee. And directly related to the military cybermission unit that weve had over the last two years. The department is leading this with training for personnel and that includes equipment, tools, and capabilities that remain limited. And that includes a mandate that the secretary of defense designated this bill with a unified platform. And that includes commandandcontrol that is necessary for these forces to operate effectively. It will take a number of years to build these capabilities and we are behind in developing this military capability because the Defense Department was persuaded that the system is an capabilities that we are to have would be adequate to use inside the command. And this is an important commonality between intelligence operations and military operations and in some cases that turned out to be not accurate. And that includes articulating a strategy for implementing them. Some believe that retaliation is a necessary and effective component of an effective strategy and i look forward to hearing the views of her witnesses. As my colleagues and witnesses are aware, having reached an agreement i know that the chairman is in full agreement to pass that legislation this year. We must also recognize the Defense Department and Intelligence Community are protecting americas cyberof the structure, lying relying upon the Department Security protection of americas Critical Infrastructure and the use of Contingency Operations to avoid the budget control act helping the dhs or other nondefense partners avoid effective sequestration and this is another solution that we need. And finally i think its important that we Encrypt Communications and offer services for which even the companies themselves have no tactical capabilities. This fbi director has given multiple warnings that they will be going back. These and other questions are vitally important and i look forward to your testimony. I think the witnesses and the director, i have tried to impress. I do want to take note of and thank the members of the committee who are engaged on this issue and have spoken to a publicly, as the two of you just half. The Cyber Threats are increasing in frequency, scale, sophistication, and severity of impact. Although we must be prepared for a large armageddonlarge armageddon scale strikes that would debilitate the entire us infrastructure, that is not the most likely scenario. A primary concern is low to moderate level Cyber Attacks from a variety of sources which we will continue and probably expand. This imposes increasing cost of the business and us economic competitiveness and National Security. Because of our heavy dependence on the internet nearly all information Communication Technologies and it networks and systems will be perpetually at risk. These weaknesses provide an array of possibility for nefarious activity by cyber threat actors, including remoteactors, including remote hacking instructions, supply chain operations to insert compromised hardware software, malicious action by insiders, and simple human mistakes by system users. The Cyber Threats come from a range ofa range of actors including nationstates which falls in the two broad categories, those with highly sophisticated cyber programs, and those with lesser technical capabilities with more nefarious intent such as iran and north korea but who are also much more aggressive and unpredictable. Then there are non nationstate entities, criminals motivated by profit, hackers, extremists motivated by ideology. Profit motivated cyber criminals we will i hung loosely networked online cyber marketplaces referred to as the cyber underground or dark web that provided a forum for the merchandising and elicit Tool Services and infrastructure. So on personal information and financial data. The most significant financial cyber criminal threats come from a relatively small subset of actors, facilitators command criminal forms. Terrorist groups will continue to experiment with hacking which could serve as the foundation for developing Market Basket for these. Cyber. Cyber espionage, criminal and terrorist entities all undermine data confidentiality. Denialdenial of Service Operation and data deletion attacks undermine availability. In the future, i believe we will see more Cyber Operations that will change or manipulate electronic information to compromise its integrity. In other words counter intelligent risks are inherent when foreign intelligence agencies obtain access to an individuals identity information. Of the problem the department of defense has encountered. They could target the individual, family members,individual, family members, coworkers and neighbors using a variety of physical and electronic methods. Speaking of opm breaches, let me say a couple of words about attribution. It is not a simple process that involves three related but distinct determinations, the geographic . Of origin, the identity of the perpetrator, and the responsibility for directing the act. In the case of opm we have differing degrees of confidence in our assessment of the actual responsibility such malicious cyber activity will continue and probably accelerate until we establish and demonstrate the capability to determine malicious statesponsored cyber activity. Establishing a credible deterrent depends upon reaching norms of behavior by the cyber community. In summary the Cyber Threats have become increasingly diverse, sophisticated, and harmful. Other Law Enforcement intelligence and sector specific agencies. Every day each of these centers and entities get better at what they do individually. I believe we have reached a point where we think it is time to knit together the intelligences activities need to defend our networks because while they may be defending Different Networks they are often defending against the great sand threats. They integrate cyber threat intelligence, and i strongly believe the time has come for the creation of such a center toa center to parallel the centers we operate for counterterrorism, proliferation and security. Chairman mccain, ranking member,mccain, ranking member, distinguished members of the committee, thank you for inviting us. The committee has led the way. The response to the threats and the departmentin the department looks forward to working with the committee to get better in this regard cyber intrusion and attacks by state and nonstate actors have increased dramatically in recent years and particularly troubling are the increased frequency and scale of statesponsored cyber actors these adversaries continually adapt and result in response to our Counter Terror networks. The Critical Infrastructure and us companies and interest globally. The recent state of cyber events to include the intrusions into opm, the attacksopm, the attacks on sony and the joint Staff Networks by three separate state actors is not just espionage of convenience but a threat to National Security. As oneas one of our responses be released in 2015 the department of Defense Cyber strategy which will lead the development of our cyber forces and strengthen our Cyber Security and deterrent posture which is insane. The department is pushing hard to achieve the three Core Missions as defined in the strategy. The 1st and most important is to defend department of Defense Network systems and information. Sec. Sec. Information. Secretary carter has made this the number one priority in the Department Command we are getting after it now. To defend the nation against cyber offense of significant consequence and to provide sever support operational and contingency plans and in this regard the us Cyber Command may be conducted to have programs along with other nations. Now, my submitted statement contains additional detail on how were moving out to achieve these three strategic goals. Especially since i noi know this is key in the minds of most of the members here. I want to acknowledge upfront that the sec. And i recognize that we were not where we need to be in our deterrent posture. We do believe that there are some things the department is doing that are working, but we need to improve in this area without question which is why we have revised our cyber strategy. Deterrence is a function a perception that works by convincing a potential adversary the cost of conducting the attack file way any potential benefits and therefore are three main pillars of our Cyber Insurance strategy in terms of deterrence, denial, resilience, cost command position. They continued to perform their essential military task even when contested in the cyber environment, and cost and position is our ability to make her adversaries pay a high price i would like to briefly discussed these three elements, to deny the attacker the ability to adversely impact our military missions we have to better defend our own Information Networks and data. Wewe think the investments we have made are starting to bear fruit, but we recognize the technical upgrades are only part of the solution. Nearly everynearly every single one of the Successful Network exportations that we have had to deal with can be traced to one or more human errors. They allow entry into our network. So raising the level of individual Cyber Security awareness of performance is absolutely paramount. Accordingly, we are working to transform Cyber Security culture, something we ignored for a long time. Longterm by improving Human Performance and accountability in this regard. We have recently published the Cyber Security discipline Implementation Plan and a scorecard that has been brought before the secretary and i every month critical to achieving this goal of securing data and networks and mitigating risks. This scorecard holds commanders accountable for hardening and protecting their endpoints and political systems and also have them hold accountable the personnel and direct the compliance reporting on a monthly basis. The 1st scorecard was published in august of this year, and it is being added to an improved asend up as we go. Denial means defending the nation against Cyber Threats of significant consequence. The pres. Has directed dod working in partnership with other agencies to be prepared to stop the most dangerous cyber events. There may be times when they direct dod and others to conduct defensive Cyber Operations to stop a cyber attack from impacting National Interest which means building and maintaining the capabilities to do just that. This is a Challenging Mission requiring highend capabilities and i trained teams building our Cyber Mission force and deepening our partnership with Law Enforcement and intelligence communities to do that. The 2nd principle is improving resiliency by improving the ability of our adversaries to execute mission in a degraded cyber environment. Our adversaries view dod cyber dependency is a potential for time vulnerability. Therefore, we fight through Cyber Attacks is a Critical Mission function which means normalizing Cyber Security as part of our Mission Assurance efforts, building redundancy when systems are vulnerable, training constantly. Our adversaries have to see that these Cyber Attacks will not provide a significant operational advantage command a 3rd aspect of deterrence is demonstrating a capability to respond through cyber non cyber means. The administration has made clear we will respond in a time, manner, and place of our choosing, and the department has developed options. If successfullyif successfully executed, our mission requires a whole of government and nation approach, and for that nation we continue to work with our partners, agencies, and the private sector and partners around the world to address the challenges that we face. Secretary carter has placed particular emphasis on partnering with the private sector. They do not have all the answers. We think it will be critical our relationship is absolutely critical. The secretary and i appreciate the support provided to dod cyber activities throughout from the very beginning, and we understand and are looking forward to the National Defense authorization act to see if there are other improvements that we can do. I encouraged continued efforts to pass legislation on Cyber Security information sharing. Data breach notification and Law Enforcement provisions related to Cyber Security which were included in the presence legislative proposal submitted earlier this year. I know you agree the American People expect to defend the country against Cyber Threats. The secretary and i look forward to working with this committee and congress to ensure we take every step possible to confront the substantial risks we face. Thank you for inviting us here and giving the attention that you have always given to this urgent manner. I would like to pass it off now to have more rogers, if that is okay. Chairman, ranking member, distinguished rumors of the committee come i am honored to appear before you today to discuss us cyber policy. I would like to thank you for convening this forum and for your effort in this important area. I amarea. I am honored to be sitting aside director klapper and deputy secretary of defense. It gives me great pride to appear before you to highlighting command the accomplishments of the uniformed and civilian personnel. Im grateful for and humbled by the opportunity i havent given to lead our team in the important work that they do in the defense of our nation and department. We are being challenged as never before to defend our nations interest in values in cyberspace against states, groups, and individuals that are using sophisticated capabilities to connect cyber coercion, aggression, and exportation. The targets of their efforts extend well beyond government and into privately owned businesses and personally identifiable information. Our military is in Constant Contact with agile learning adversaries in cyberspace, adversaries dash on the capacity and willingness to take action against soft targets in the us. Our countries integrating Cyber Operations and were told strategic concept. They usethey use Cyber Operations to influence the perceptions and actions of states around the and to shape what we see as our options for supporting allies and friends in a crisis. We need to turn these activities by showing that they are on acceptable, unprofitable, and risky for the instigators. Building capabilities that can contribute to cross domain deterrence and make our commitment even more printable. We are hardening our networks ands showing our opponent cyber aggression wont be easy. We are training a Mission Force that is defending dod networks, supporting joint force commanders and helping to defend Critical Infrastructure within our nature. Partnering with federal, foreign, and Industry Partners in exercising together regularly to rehearse concepts and responses to the structure Cyber Attacks against Critical Infrastructure. Generating options for commanders and policymakers across all phases of conflict and particularly in phase to hold that risk what adversaries truly value the demand far outstrips supply, we continue to rapidly mature based upon real work to have realworld experiences and our Service Server components. Icyber components. I assure the committee us Cyber Command has made measurable progress and are achieving significant operational outcomes and have a clear path ahead. With that, thank you mr. Chairman and members of the committee for convening this forum and inviting all of us to speak. Our progress has been made possible in no small part because of the support from this committee and other stakeholders. The stakeholders. The effort within our department and across the government is essential command i appreciate and i welcome your questions. Thank you, avril, and think the witnesses. Director klapper recently, former chairman of the joint chiefs was askedchiefs was asked about various threats to the United States security and said that in aa range of threats we have a significant advantage accepted cyber. Do you agree with that assessment . It is probably true. We have not we have not exhibited are potential capability. I think that is one of the implicit reasons why i have highlighted Cyber Threats in the last three years. Thank you command you have done that with great effect before this committee as a result of the leader, the chinese leader in washington theyre was some agreement announced the us and china. Do you believe that will result in an elimination of chinese Cyber Attacks. Hope springs eternal. I think we will have to watch what there behavior is, and it will be incumbent upon the Intelligence Community to depict, portrayed to policymakers with behavioral changes, if any,changes, if any, result from this agreement. Are you optimistic . No. Thank you. Apple rogers, you recently stated, there is a perception there is little price to pay for engaging in some pretty aggressive behaviors. Because of a lack of repercussions you see actors, nation states willing to do more. What is required . What action is required to deter these attacks since there is little price to pay . What do we have to do to make it a heavy price to pay . We must clearly articulate in broad terms what is acceptable. We have to clearly articulate that as aa nation we are developing a set of capabilities that we are prepared to use if required. They arerequired. They are not our preference. We clearly wish to engage in a dialogue, but we do have to acknowledge the Current Situation we find ourselves in. I dont think anyone would agree that it is acceptable or in our longterm interests as a nation. I say that with respect. I understand it is not acceptable. What would be, relations and other areas, counter attacks . In other words, what actions would be an hour range of arsenal to respond . Potentially all of those things. The 1st comment, sony is an extract instructive example. When you think about deterrent much more broadly and not just focused within the cyber arena i thought the response we talked about the economic options as a nation, exercise as a good way to remind the world around us there is a broad set of capabilities and levers available and that we are prepared to do more than just respond in kind. One of the things that has been disappointing to the committee is that in the fiscal year Defense Authorization bill. Choir the president to develop an integrated policy the strategy is now one year late. Late. Can you tell us where we are in the process . What you feel is, what my bring the administration into compliance . You are asking me about policy development. Yes. Ii think i would defer to the secretary of work on that. Mr. Chairman, as we have said over and over, we believe our cyber deterrence strategy is constantly evolving and getting stronger. Im talking about a policy, not a strategy, mr. Secretary. He required a policy, the fiscal year 14 National Defense authorization act. A policy is still in development. We believe we have a good cyber strategy. The policy has been outlined in Broad Strokes by not broad enough. Does it describe whether we deter or respond or whether we in other words, as far as i know in the committees nose there has been no specific policy articulated and compliance with the requirement and the Defense Authorization act. If you believe that it has i would be interested in hearing how. I believe that Broad Strokes im not asking Broad Strokes. Suppose there is a cyber attack, do we have a policy is to what we do . Yes. First we deny and then 1st we find out cant do the forensics. Am not asking the methodology. Masking the policy. Do you respond by counterattacking, trying to enact other measures . What do we do in case of a cyber attack . Or respond in a time, manner, and place. That may be one of the options. That is not a policy, secretary. That is an exercise in options. We have not got a policy. For you to sit theyre and tell me that you do aa broad stroke strategy is not in compliance with law. Thank you very much, mr. Chairman. Director klapper, we are constantly engaged in Information Operation with many other nations and they are involved with Information Operations trying to influence the opinion, disguise activities, disrupt, etc. What agencies are under your purview or outside your purview were actively engaged in Information Operations in the United States and the cyber world . Actually, sir, from an intelligence perspective we would see see that in that we dont, at least what i can speak to publicly, engage in that as part of our normal intelligence activity. Theyactivity. They feed other arms, support other arms of the government, normally the state department,department, and is responsible for messaging. The National Counterterrorism center has an office that is devoted to countering violent extremism context, helping to develop themes or recommending themes based upon what we glean from intelligence as potential vulnerabilities and messages that would appear to the various groups to obfuscate the message, disrupted, or compete with it. But generally speaking, intelligence a large does not actively engage. Are these other agencies that you provide information to adequately resourced and staff so that they can use it effectively . Are they getting a lot of good insight and sitting around wondering what they can do . I think i would have a much more robust capability from the standpoint of resource commitment to counter messaging. And that would fall outside the purview of intelligence for the state department . Correct. The voice of america when it was a pretty dominant sort of source of information. Personal opinion only, i would i think perhaps, you know, the usia on steroids that would address these messages more broadly and more robustly, but that is strictly personal opinion. In terms of what you are observing, particularly some of our competitors have been extraordinarily robust Information Operation. They dont like the resources or personnel and are constantly engaged in these type of Information Operations. Enhancing there image, discrediting them to come opponents, actively engaging local groups and other countries of interest, and we are on the sidelines. That is quite right. In contrast to us Russian Intelligence Services are very active and aggressively engaged in messaging. Thank you. Admiral, this issue of encryption that was pointed to, your thoughts would be helpful. The issue that we find ourselves this is less for me on the us Cyber Command side and much more in the nsa side, communications in the world around us increasingly going to endtoend encryption where every aspect is encrypted in the data in the communication is protected at a level that with the current state of technology is difficult to overcome. Clearly that is in the best interest of the nation, and strong encryption is important to strong and chinainternet defense and a well defended internet is in our best interest as a nation. Within that broad framework the challenge where trying to figure out is realizing that that communication path is used by lawabiding citizens, nationstates command Companies Engaged in lawful activity. In the end i think this is about how to we get whats best, when i look at our capabilities of a nation there is nothing we cant overcome if we work together. I think that is the way ahead in broad terms. Thank you very much, mr. Chairman. Thank you mr. Chairman. Youve given us a good summary on the threats that we face and the threats that are occurring today and i appreciate that. Senator mccain asked you about reporting on the policy that congress has passed asked you to report on and that has not been done. The house and senate agreed on requirement that the services need to report on the threats. That is something that came out of our strategic subcommittee and eventually expanded to include all Weapon Systems not just satellites and National Missile defense. We dont have that final report. This budget, i believe, has 200 million in it to help fund this effort. What can you tell us about that . First it may take some time. If it does, i understand. I dont we have had any report from the dod to state what progress youve made and how much longer it will take. Again, on both points, on the policy we expect it is in the final the liberations. It is an interagency effort. We are trying to establish norms and deterrence which is essential to the policy. Im the first to admit that we are the farthest ahead on the denial and the resilience part. Those are the areas where we are moving faster. We have elected to attain the retaliatory mechanism just like Nuclear Weapons because of the risk of escalation. What about the other vulnerability to our Weapon System . It is a big, big problem. Many of the Weapon Systems we have now were not built to withstand a cyber threat. Going through every one of the Weapon Systems, he has prioritized prioritize the Weapon Systems and is working through very carefully, and i expect this work to be done very soon. We now have new requirements in our Key Performance requirements. So youve indicated an individual to be responsible for this . Yes. This individual is working with our cio and the Cyber Command and all of our cyber experts. He is responsible for taking a look at the weapons system and also requiring Key Performance parameters to make sure they have security built in from the beginning. Do they maintain and build the systems and have highly Sensitive Information are we satisfied their insufficiently protected . We certainly recognize a vulnerability there. Weve made changes to the contractual relationships between us and those companies where they have to meet security requirements and inform us of penetration. We are clearly not where we need to be but we continue to make progress. I think its a bipartisan commitment on congress to help you with that. If it takes more money, let us know. We will have have to evaluate it and i also understand that some of the protection can be done without much cost and some might require considerable cost. We hope that you will complete that. Mr. Rogers, i believe last week you reported in the Los Angeles Times about the threat from china. You know one thing they are involved in obtaining u. S. Commercial and trade data. They are a foreign nation, nation, advanced ally of ours and i was told one of their companys bid on a contract and the chinese got all of the bid data from the web. His comment was, its hard to win a bid when your competitor knows what your bidding. Is that kind of thing happening . It has been an weve been very public with that. I think thats reflected in the agreement that you raised during the president of chinas visit last week when we were very concerned about that. My time is up but i would just ask, if you saw an American Business being damaged through improper action, youre not allowed to advise them or share any information with them while our adversaries do their business. Is that the way it works . The way this works is i would provide information and insight. If under that authority i became aware of activity, i would share the insight with dhs and the fbi to interface with the private sector much more than i do. Thank you mr. Chairman, and pink all three of you for your service and being here today. Which country is the most committed successful hacker of the u. S. . China has been the one that we have been the most vocal about but they are not the only one. Last time you were here you had more concerns over russia having the ability or expertise to do less damage. I thought your question was focused on valium. If your question is on capability, if you will, then we then we have been very public saying i would put the russians higher than china. But it feels like china is more committed and determined to do it. They do it at the volume level. I understand. I know you just said no, you dont believe this agreement that the president and our president has made will work. Are there any penalties in this agreement if someone violates it . In terms of what i have seen, i dont think it treats, certainly there are implied penalty. The threat of economic sanctions is what would meet something to the chinese if they violate this agreement. I think as they were discussing earlier in terms of sanctions, there is a whole lot of options here. It doesnt have to be and i to an i can be some form of retaliation. Im not aware of the specific penalties if the agreement is violated. Thats why i think youre pretty quick to say no i dont think it will work. The reason i said no, of course, is the extent of which the chinese have been pervasive in terms of adding our data. Whether or not the government orchestrates all of it is still in question. We are inherently skeptics. I have a question for you secretary. The recent news article that examines similarities between chinas strike finder and our strike fighter. What they have been able to do in such a rapid time without any r d, do you believe that gives them a competitive advantage . I understand there might be some differences in the software and weapon tree, but they are making leaps which are uncommon and we know this. We are not taking any actions against them. I would like to work this in and follow up with your first question. At the highest levels, we have made it clear that we believe the chinese actions are totally in acceptable in cyberspace. I would characterize the agreement that we have as something where we are asking them to prove to us that they are serious about what they say and what they will do to control these efforts. There were really for things that we agreed to do. First we would give timely responses to information when we say hey, we believe there is a problem here and we have agreed to Exchange Information on cyber crimes, weve agreed to collect electronic evidence and mitigate malicious cyber activity that is occurring on our soil. We both agreed that we would not knowingly conduct cyber theft of intellectual property. We told them there was a problem and it was unacceptable. They have said that they will work to curb that. Then we have agreed to have common effort to promote International Norms in the final thing is we will have a highlevel joint mechanism where we can meet at least twice a year and say, look, this is just not working. You are not are not coming through with what you said. This isnt a treaty or anything like that. They have to prove to us, and we know they have stolen information from our defense contractors and it has helped them develop systems. We have hardened our systems through the initiative. We know the j20 is pretty much nearing our weapon. When we know this, why wouldnt we take hard action against them . I just dont understand why we wouldnt retaliate. From a financial standpoint. There are a wide variety of options that we have. They are developed through the inner agency. Again its not necessarily tit for tat. It is proportional response and we are working through all of those. My time is up. If we could just meet up later and discuss those. Certainly. If i may, just add a word about terminology what this represents, of course, is Cyber Espionage. Of course we to practice Cyber Espionage in a public forum to say how successful we are, but were not bad at it. When we talk about what were going to do to counter espionage or retaliate for espionage, i think its a good idea to at least think about the saying that people live in glass houses shouldnt throw rocks. So its okay for them to steal our secrets that are most important . I didnt say that. That we live in a glass house , that is astounding. I did not say it is a good thing. Im just saying that both nations engage in this. I want to thank all of you for being here. With regard to the chinese, i want to follow up, we talked about the stealing of the highest secrets in terms of our Weapon Systems, but what about the 21 Million People whose background check and personal information has been associated publicly with the chinese, and the fact that 5 million sets of fingerprints as well, leading to potential vulnerability for our citizens. If you put that in a context of these other issues that weve raised, it seems to me i looked very carefully at some of the language youve been using. You gave a speech in london and said to turn deterrence must be promoted. You said Cyber Attacks have created a a permissive environment. Im trying to figure out, based on what you said, how we are not in a permissive environment in light of what they have stolen with our Weapon System and the huge infringement on 21 Million People in this country. Also, could you you comment on the vulnerability of that data and where we are in terms of how it will be used against us . First, that is an assessment of what was taken. We dont know in terms of specifics, but that frames the magnitude of this theft, and it is potentially very serious, has very serious implications. First from the standpoint of the Intelligence Committee and identifying people who are under covered status, one small example, it poses all kind of potential and unfortunately it is the gift that will keep on giving for years. Its a very serious situation. What we tried to do is educate people with what to look for and how to protect themselves. Again, this is a huge threat of theft and has potentially damaging implications for people in the Intelligence Agency and other agencies. I think what youre hearing is what are we going to do about it as the issue as opposed to shared agreement on generic principles with chinese. This is a pretty significant issue that will impact millions of americans. Im not hearing what were going to do about it but that may be a higherlevel decision going up to the pres. , but it seems to me, if a point to talk talk about deterrence, if we dont follow up with action, and if you look at that combined with the testimony we heard last week about the Artificial Island being built by the chinese and the fact that we wont go within 12 nautical miles of those islands, if you put that all to the chinese perspective i think one might think we can do whatever we want because we havent seen a response yet. Im not asking for all of you to answer that because it probably needs to be answered by the president and his security team, but it seems to me they arent seeing a response from us and therefore we will continue to see that behavior from the chinese. Before i go, i have an important question on another topic. That is, yesterday, we heard public reports about the potential violation of the inf treaty by the russians and that essentially russia tested the new ground launch mission that violates the 1987 inf treaty. Of course this is going back also to the reports as early as 2008 of russia conducting tests of another ground launch Cruise Missile in potential violation of the inf treaty that we raise with them. When sec. Carter came before his committee on his confirmation, he listed three potential responses to these violations. Now we have the russians violating the inf treaty yet again and my question is, sec. Carter rightly identified that we should respond through missile defense, counterforce or countermeasures. What are we doing about it . Senator this is a longstanding issue that we have been discussing with the russians. The system is in development and has not been fielded yet. We have had different discussions with them on our perception of the violation of the inf and they have come back. This is still in discussion and we have not decided on any particular action at this point. So are you saying you dont think they violated the inf treaty . We believe very strongly that they did. We believe that. Thats what i thought. Now we have another situation going back to 1987. We. We are still in the mist of negotiating. We are giving our position but if they do feel the system that violates the treaty, i would expect us to take one of the three options outlined before the committee. I see a lot of talk and no action unfortunately and people take their cues from that and that worries me. Thank you all. Think you mr. Chairman. Mr. Clapper you testified recently that while the United States makes distinction between Cyber Attacks conducted for economic purposes to gain foreign intelligence, that is the espionage arena that you are referring to, or to cause damage , would you consider the opm breach to the extent that we believe it is a state after who did that that that would be in the category of espionage . Yes. That was the tender of the discussion at the hearing. That that has to do, as a mentioned earlier, the importance of definition nomenclature and the definition of these terms. The theft of the opm data, as egregious as it was, we wouldnt consider that an attack but rather a form of theft or espionage. You say other countries, including our own engage in such activities. My understanding of the recent agreement between the u. S. And china has to do with commercial cyber theft. I think that is a very different category that has to do with obtaining information about corporations, et cetera. Therefore that is in the category of economic attacks. So dir. Clapper, would you consider that kind of agreement to be helpful . I realize that you are skeptical, but to the extent that we are defining a particular kind of cyber attack and that we are contemplating through this agreement and ability of these countries to engage in high level dialogue regarding these kinds of attacks is that a helpful situation . It would be very helpful if, of course, the chinese actually live up to what they agree to. What the agreement pertain to was theft of data for economic purposes, to give the chinese an advantage or their Defense Industries and advantage. As opposed to, i dont believe we have agreed with the chinese to stop spying on each other. So there is a distinction. Mr. Sec. , you can weigh in on this as well. They say we created a potential for dialogue or an environment where there is a process to be followed. In cases where we suspect a cyber attack, at least we have a way we can talk to the chinese. You also mentioned, director clapper, clapper, attribution is not the easiest thing although we are Getting Better at determining who were the actors conducting the cyber attack. One hopes that even with a great deal of skepticism going forward, this may create the space for us to have more than a conversation, but one that would lead to some kind of change in behavior on the part of these state actors. Mr. Sec. , fill free to give us your opinion. I think thats exactly right. As director clapper said, first you have to find out the geographical location of where the attack came from and then you have to identify the actor and whether the government of that space was controlling it. Thats not the easiest to do. We have determined china and in some cases they said this was a a hacker inside our country but we had no control over them. This allows us to say what are you going to do about that . Are you going to provide us the information we need to prosecute this person or are you trying to take care of it on your own . I believe this confidence Building Measure in this way to discuss these things, the proof will be in the pudding. How the chinese react to this. Secretary, i think you mentioned that this agreement allows contemplated meetings at least twice a year. Is there anything that allows for more frequent dialogue between our countries . Senator i believe there was a significant cyber event that we suspected the chinese of doing or they suspected us, that we would be able to meet. This will be a highlevel joint dialogue. Our u. S. Sec. Of Homeland Security and u. S. Attorney general will lead on our part. We will have the first meeting of this group by the end of this calendar year. I believe we all have some healthy skepticism about this but i believe its a good confidence Building Measure and a good first step, and we will see if it leads to better behavior on the part of the chinese. Thank you. I cant help but comment that we have identified the building please dont see this committee as if we dont see who is responsible for it. Thats just very disingenuous. There have been public reports that we have identified the pla building in which these attacks come from. Thank you mr. Chair, thank you for joining us today. Mr. Rogers, ill start with you today. Two of the president s nine lines of effort in defeating isil our first exposing isiss true nature and disrupting the foreign fighter flow. Over the weekend, the new New York Times reported that 30,000 recruits joined isis over the past year and that is double the previous recruitment year. Earlier this month, the ambassador at large said that isyss recruiting trend is still upward and the information was no surprise to her. She also said the upward trend was primarily due to internet and social media. So, do you believe their effort has succeeded on these two lines of effort in cyberspace and social media . Just please a simple yes or no. No. Okay, and why is that . With the record recruiting numbers for isis, how would you then assess the effectiveness of the u. S. Governments counter effort in cyberspace . What specifically is your assessment of the state Department Think again, turn away program and supportive efforts to counter isis recruiting efforts. I am not knowledgeable enough to comment on this. I will say, i have always believed that we must contest isil on the data as much as we do on the battlefield. We have got to be willing to attempt to fight them in that domain just like we are on the battlefield and we clearly are not there yet. I agree. I think we are failing in this effort and some of the programs that we have seen obviously are not working. So, are there areas where you could recommend how the u. S. Better partner with various ngos or private entities to more effectively counter the isis propaganda . Again,. I will say from a technical perspective we are looking at, within our authority in capability, whats in the realm of possibilities, in other words what can we do in this domain. We have a larger problem coming forward in regards to isis and isil in the middle east. We seem to see the emergence of a a trifecta between syria, iran and russia. Now it seems that iraq has begun information sharing. Can you speak to that and the broader implications of russia emerging as a leader in the middle east while we seem to be losing our opportunity with isil questioning. I think they have several objectives here. One is that they want to protect their base, their presence in syria. Their buildup in the northwest part of syria is clearly one and they want to prop up ashad. I think a belated motivation is fighting isil. As far as the joint intelligence arrangement is concerned, i cant go into detail in this forum but i will say, each of the parties entering into this are a little bit suspicious of what is entailed here what we are trying to do is the conflict, and that is the primary purpose of the discussion. If youre going to act on this battlefield, we have to de conflict. They would like to do a military 1st followed by a political transition. We believe those two things have to go in parallel. This is early days. We are still in the midst of discussing what exactly this means. I dont have a definitive answer. I am concerned we advocated our role in the middle east and in so many other areas, as has been pointed out earlier. Grave concern to all of us. Thank you, mr. Chairman. Thank you, mr. Chairman. Gentlemen, thank you for your public service. Admiral, i am concerned about all of these private telecoms that are going to encrypt. If you have encryption of everything, how, in your opinion, does that affect section 702 and 215 collection programs . It certainly makes it more difficult. Says the administration have a policy position on this . No, we are the 1st to analyze an incredibly complicated issue. We still are trying to collectively work our way through what is the right way ahead recognizing there is a lot of valid perspective, but from the perspective that i look at the issue, there is a huge challenge challenge that we must deal with. A huge challenge, and i have a policy position. And that is that the telecom better cooperate with the United States government, or else it just magnifies the ability for the bad guys to utilize the internet to achieve their purposes. Speaking of that, we have a fantastic us military. We are able to protect ourselves. It is the best military in the world, but we have a vulnerability now. And it is a cyber attack. Do you want to see if you can make me feel any better. I would tell you that correct to say the capability of the Department Department if i were to say where we were 18 months to two years ago is significantly improved. We currently defeat 99 points some odd percent of attempts to penetrate dod systems on a daily basis. The capability in terms of the amount of teams and there capability continues to improve. Speed, agility. The challenge is trying to overcome decades of a thought process in which we see defensibility and reliability that were never core design characteristics where we assume that external interfaces, if you will call with the outside world were not something to be overly concerned with. Remotely generating data as to how paragraphs were doing in different states around the world. All positive if youre trying to are trying to develop the next generation of Cruiser Destroyer for the navy, but a world in which those public interfaces, if you are coming increasingly represent potential points of vulnerability. You get this clash of strategies which is where we find ourselves now. One of the things i try to remind people is, it took us decades to get here. We will not fix this in a few years. The six dedicated prioritization, resources command we must do it in a smart way, prioritize and figure out the greatest vulnerability and concern. Can i jump in for a 2nd i want to add to that end for us to let our potential enemies understand that we have the capability of doing to them what they did do to us. However, that gets more complicated when you are dealing with a rogue group of a dozen people stuck in a room somewhere that are not being part of the nation state. Yes sir, mr. Sec. I i was just going to echo what was said. He said, look, we are absolutely not where we need to the inmate job number one defense of the networks. Going from 1500 on place less than 500. Going from 1,000 defendable firewalls to less than 200, somewhere between 50 and 200 you are absolutely right. We recognize this is a terrible vulnerability, working to defend our networks, looking our systems, and trying to change the culture. Culture. Right now if you discharge of what you are held accountable for that. Negligent discharges one of the worst things you can do. Do. We need to inculcate culture whereas cyber discharges considered just as bad and make sure it is inculcated throughout the force. I agree, but the abnormal is assaulted by the telecoms who want to tie his hands behind his back by doing all of the encryption. Thank you, mr. Chairman. In our state Naval Warfare center has taken the lead on much of our efforts to protect against the threat of counterfeit electronics. And so secretary working director clapper, the Global Supply chain for microelectronics prevents presents a growing challenge for Cyber Security. One of the things we saw recently ibm sold its chipmaking facilities when dod trusted foundry that us to a foreignowned competitor. I was wondering, your Top Priorities in managing the risk posed by globalization of our microelectronics Manufacturing Capabilities and our abilities to protect her systems in that area. That is a big question and will be one of the key things that we look at in this fall review because of, as you said, the recent sale of ibm chips. There are two schools of thought on this. Some say you do not need a trusted foundry and another group says you absolutely have to have it. Having confidence inhaving confidence in the chips that we put in our Weapon Systems is important, and i would expect that come february we will be able to report out the final decisions through the fall review on how to tackle this problem. Who was in the department of defense leadership has primary responsibility for overseeing the supply chain Risk Management . Frank kendall and dla. Dla has the supply chain, and Frank Kendall is focused on the trusted chip, that the fabrication of trusted chips. One of the areas that we look at in regards to cyber, and in some ways, you know, technology in particular parts is in the nuclear area. And so are there any specific groups that are focus just on protecting our nuclear efforts against cyber . There is the national the end in sa and and Nuclear Weapons council which is cochaired by Frank Kendall, undersecretary of defense, and vice chairman of the joint chiefs, the ones that work with doe to make sure our Weapon System components are reliable and trusted him to make sure that we have ahave a safe, reliable, and Effective Nuclear deterrent. Admiral, when we look at building a force of cyber warriors, how can we use the National Guard and reserves to help do that . Because it strikes me that that can help us and retaining highly qualified individuals who want to devote part of their life to help oura country command it would seem to almost be a perfect fit for us. We have taken a total force approach which includes both guard and reserve, every service slightly different, not the least of which have Different Services have different release in regard structures. One of the challenges we are trying to work our way through is under the title three to piece, how we coordinate, how we generate capacity and bring it to bear with maximum efficiency. The two things in partnering , because we are taking a total force approach we need one standard. We dodo not want a place with regard and reserve are trained on one standard and the active side is trained to a different. That gives us maximum flexibility. And secondly,secondly, we need one comment unit structure. We dont want to build unique oneofakind structures in the guard and reserve that do not match the title ten side. Treat this as one integrated force and give the guard and reserve great kudos with common vision and a great exercise series cyberguard we are using every year will bring together the guard, privateguard, private sector, active component in government and work our way through the specifics. Director clapper, and i apologize if you already answered this, what is the one cyber challenge you are most concerned about . Well, obviously the one that i think about would be a massive again like scale attack against our infrastructure. That is not we dont consider that the most likely probability right now. The greater threat are the low to moderate threats. What i have seen in the five years i have been in this job is a progression where these get more aggressive and damaging. As i indicated in my oral statement of the outset, what, what i will see i think what we can expect next our data manipulation which are then calls to question the integrity of the data which in many ways is more insidious than the kind of attacks that we have suffered this far. So the specter is this massive attack, although attack, although it is not likely. Thank you. Thank you, mr. Chairman. Thank you,you, mr. Chairman. Annex three of the recently signed a ran Nuclear Agreement calls for the participating countries to work with iran to strengthen ayn rands ability to protect against and response to Nuclear Security threats, including sabotage as well as to enable effective and sustainable Nuclear Security had physical protection systems. Secretary, do you think this portion of the iran Nuclear Agreement, the annex to include cyber threat, meaning that the p5 plus one countries who are part of this agreement will be expected, will be deemed to have an obligation under the agreement to assist he ran in developing systems to prevent other countries using cyber is to acquire information about or to disrupt the operations of progress Nuclear Capabilities . Well, i will say that i trust that this is not going to prevent us from gleaning intelligence from our traditional sources. In the interest of verifying the agreement,agreement, which will be principally monitored by international organization, iaea. So i am not aware of any ability to collect on their behavior and compliance. But why would we want to give a ran the ability to defend against Cyber Weapons that we or perhaps our allies might one day want to use it against . Well, in this open environment there are aspects of that i cannot discuss. Happy to talk with you privately or in a classified environment about that. Okay. But you are not disputing the fact that the agreement says that we would have to no. Okay. Now can you tell me, and this environment what specific Technical Assistance will be offering herein in this portion of the agreement . I honestly dont know the answer to that question. I dont know exactly what is in mind there. Now, would any of these capabilities once acquired by iran prevent or inhibit the United States or any of our allies, any other enemy iran from using any cyber measure against Iranian Nuclear facilities . Again, i am reluctant to discuss that in this setting. Were you consulted during the Nuclear Negotiations thing connection with this portion of the agreement . Deeply involved throughout the negotiations. Can you describe the nature of any consultation that you had with them master this portion of annex three . With the iranians . Yes. No, i did not engage. That is not what im asking. If you could describe your discussions with us negotiators as they came to you and consulted with you on the implications of this annex a three. My lead for this was the known to many of you in this committee, and he was the direct participant. I do not want to speak for him to the extent to which she was involved or consulted on that provision. I would have to ask him. But you would have been aware of this consultation going on. I am sure that he came to you and said, this is going to impact our ability to do but we need to do with respect to a ran. Again, i would rather discuss with the potential response of ours could be in a closed setting. Okay. Secretary, how is the Department Working to ensure that the hardware and software on some of these major programs we are developing the future contingencies and technological advances so that they can continue to draft address emerging Cyber Threats well into the future without major overhauls of the entire system. As i said, we are putting into kp piece or Key Performance parameters on any knew system specific cyber hardening requirements much like during the cold war where we had emp requirements for systems. The problem is that wehe faces many of the old systems are still in service were not built to respond to the Cyber Threats that we see today. We are having to go back through older systems, determine which ones are vulnerable, prioritize them, and make fixes. It alsoit also goes back to senator donald is question of trusted foundry. Trying to determine the best way we have reliable and trusted microelectronics. My time has expired. Thank you, mr. Chairman. Thank you. If there is an attack on the physical infrastructure of this country i do not want to go on cable news and say the administration told us the policy is still in development. We have got to get on this. We have been talking about it for years. This was not an essential part of our National Defense authorization act. The idea that we can continue to simply defend and never have an offensive capability i just think is ignoring this enormous threat which we all agree. Let me ask a oneword answer questions each of you. Doing needed and offense of capability in the cyber realm in order to act as a deterrent . Winning a broad range of Response Options do we need an offense of cyber capability . I wouldi would say yes, sir. Secretary, director clapper. Absolutely. Yes. Thank you. The 2nd part of that is that it cannot be secret. Our instinct is to make everything secret, and the whole point is that it not be. We need to establish what we have. I suspect we do have significant offense of capability, but it must be made public. I think another question that needs to be addressed that i do not necessarily think in terms of the policy, we need to define what an active war is cyber area. Whether hitting Sony Pictures is an act of war or the opm command how you draw those lines, and i suggest that that has got to be part of this policy definition. It is urgent. We simply cannot defend ourselves by saying it was complicated. Changing the subject slightly, do you believe that the dispersion of responsibility in the federal government as a potential problem . It strikes me that we have got agencies and departments and bureaus, i suspect you could name 15 if you tried, that all have some responsibility. Doing need to strengthen Cyber Command . I would not make Cyber Command such a repository. We have got to simplify the structure. Who do you want me to go to . Talk to the fbi, dhs comeau why cant i deal with you . If i am a Financial Company should i be talking to the sector construct we have created . We have got to try to simplify this. I had to that, one of the reasons why i had a very brief commercial just within the Intelligence Community of integrating the cyber picture, but Common Operating Picture from within intelligence let alone what we do to react to protect. Which is one important thing. I have come to believe that we need along the lines of the many and ctc are in cpc. I would hope that that would and the leadership and decisionmaking has to start with the white house, the administration for an all of the government approach to dealing with this dispersion of responsibility problem. A lot of talk about china and our ability to interact and to respond and told china responsible. It is not the subject of this hearing, but the fact that we have china trillions of dollars compromises our ability to interact with china and a firm way. It is a complicated relationship which is one of the things that makes it difficult. Now, do you have any idea what brought that change to the table for this recent agreement with president . It appears that the threat of the potential economic sanctions, particularly imposing them right before the visit of president g got their attention which is why they dispatched minister mom to try to come to some sort of agreement, which is what ensued subsequently. And i agree that it is not a definitive agreement or treaty but i do agree that it is a step in the right direction and at least these issues are being discussed. Colton countries ultimately only act in there own selfinterest. We have to convince them that it is in their interest to cut out this activity that is detrimental to our country. One quick comment. Just because we have not published a policy it is so broad and encompassing going over things like encryption, the types of authorities we need. If we had an attack tonight we do not have the structure in place right now with the National Security team to get together to try to understand who caused the attack to understand the implications of the attack and what response we should take. Those are in place right now but the whole point of being able to responded to turned so that the attack will not occur. If you have a doomsday doomsday machine and no one knows, it is useless. Having a secret plan as to how we respond is not the point i am trying to get at. They have to know how people respond and therefore not attack in the 1st place. Thank you for your testimony. On the recognize sen. Fisher. Thank you, sen. Reid. Following up a little bit where little bit were senator king was going, many of you talked about establishing norms in cyberspace. Cyberspace. Do you think it is possible to establish or maintain that without enforcement behaviors . When we look at publicly identifying those who are responsible for inactivity were imposing costs on them, can we do that . Well, trying to establish these norms are helpful. In the cold war there was agreement that we would not attack each of our Early WarningMissile Launch warning satellites. So establishing these norms are important, but they will be extremely difficult because the Enforcement Mechanisms are far more difficult because it is much more easy to attribute missile attacks. I believe that this agreement with china is a good 1st step, that we should strive to establish norms between nationstates and establish norms which we believe are beyond the bounds had to try to establish mechanisms by which we can work these through, but this will be very difficult because of the it is much more difficult. And we have the added problem, of course, the norms are applicable to nationstates and you have a whole range of non nation state actors who would not necessarily subscribe to these norms and would be a challenge to deal with even if there were nationstate each will agreement. I would echo the comments of my teammates. I am struck by being a captive of my early experience. At the height of the cold war we knew exactly how far between the soviets and thus, ee could push each other. Very aggressive behavior. We developed a section of norms, we actually developed a set ofa set of signals over time so that we could communicate with each other. I am comfortable that we will achieve this over time in the nationstate arena, but it is the state actors that complicate this to me and will make it difficult. What we are attached. How do we impose cost . Do we respond . Can we look at other ways to respond in an appropriate manner with sanctions. What would you look at . What we talked about previously is we want to make sure we dont look at this more broadly and think across the breadth of capabilities and the advantages and bring it all to bear as were looking at options as to what we do and that it is a casebycase basis. There is no single onesizefitsall answer, but more broadly than just cyber. Correct. Would you agree . Do you see a variety of options out theyre . And wouldnt it be more beneficial as a country to be able to have a policy that is a Public Policy on what those options could be and the consequences that would be felt when we are attacked . Absolutely. And andabsolutely. And that is what i say about a broad policy we will respond in a time,a time, place, and manner of our own choosing. There is an asymmetry. They are all authoritarian states