Permanent residents, many errors involved. You can watch this conversation on immigration and sanctuary cities any time on line, cspan. Org, go to our video library. We take to you a hearing underway, the House Armed Services committee on the fiscal 2018 budget request and emerging threats. Hearing now from admiral mike rogers, commander of u. S. Cyber command. I think back to the dialogue in the 1980 whz when i first joined first commissioned in the military in the aftermath of the failure of desert one and the effort to rescue those u. S. Hostages being held in the embassy in terrain. We had a lot of dialogue about is soft so specialized, so poorly understood by theth broad conventional part of the military, so needing of specific attention that we should create a separate sof service. We ultimately decided that the right answer was to create a joint war fighting construct. Thus in 198 was born special operations command. In addition we said that that operational entity needed to be a little uniquely structured. It not only should be a war firtd but it should be given budget it should be given Budget Resources that enable it to not only employ capability but to determine the operational capabilities and drive the investments that actually generate the capability. I think that that is a very effective model for us to think about for sidebarer and Cyber Command vice just automatically transitioning to the idea of a separate service. Thank you. My time is about to expire. I now recognize mr. Languageman. Thank you. Sir admiral, congress has provided cyber come with limited cyber peculiar Acquisition Authority. I wanted to first of all commend the thoughtfulness by which the provision was implemented. But can you please provide general overview of how that authority will be executed and overseen in the command . As you are aware we sat down with osd from a overseeing and technical perspective and asked which was the best way to implement the Acquisition Authority grant to us by the congress. Cyber command approached our teammates at so come and said look you have a skill set, personnel who are more proficient in this area. So come identified the two individuals who we have hired who are going to provide our acquisition oversight and certification, if you will. Those individuals were put in place just a couple months ago. The authorities are now almost finished which are going to see us starting this summer as weve identified it an initial set of priorities where we want to apply this authority in terms of acquisition. You will see that play out over the course of the next couple of things. We have a couple of things to finish ironing out. But you are going the see us implementing this in the next few months in the summer. The authority hasnt been used yet . Not yet because there are some specific technical and oversight and control things i have to make sure are in place before we start spending the money and using this. That will all be finished within the next monltsds or so i think. Can you speculate, provide an example of what you think the authority may be used for . What i have asked is we have already identified for example, a series of capabilities through Cyber Commandss point of partnership. We call it out in sol cone valley. So ive Silicon Valley. I already have an structure thats interacting with the private seconder. Now i want the overlay this Acquisition Authority where i actually purchase, and acquire some of that capability from the private sector that we have been talking to them about for the last few months. Ive trigd to work the requirement piece in anticipation of gaining the Acquisition Authority. Now that weve got that pretty much gone and i overlay the Acquisition Authority you are going to see us enter contracts, focused on mission sets, defense and capability for Cyber Protection teams is the first area we are going to focus on. Okay. Very good. So i mentioned in my Opening Statement that i am going to be attending the annual cyber conference at nato the cooperative Cyber Defense center next week. What is Cyber Commands relationship with cyber and nato. In your opinion, how can we cooperate more closely with our nato allies, how can that cooperation be strengthened. I was just out there last june, spoke at the same conference you will be going to next month. Every time i am in estonia i spend time at the center and actually talk to them. The points i try to make to my nato teammates are a couplefold. First, under the nato framework, the center represents the positions of the members of the alliance closest to the center. Not the alliance as a whole. For example, not oel all 29 nations participate in the center. I would like to see if we can somehow more formally tie the center to nato. That could help i think so this. Also im trying capacity is certainly a challenge. Im trying to meet our own priorities as well as help key allies in the nato alliance. One of the things im interested is i have created a partnership with european command, we are talking about potentially placing an individual maybe in the center in the course of the next year or so to more directly link with ourselves. I would like to see what we can potentially do within the exercise framework that the alliance is starting to create in cyber now. I have extended invitations for them to observe witness our framework. I would like to do the same thing in the nato framework. You know that Congress Passed the sharing information, domestically. We have robust cyber threat information sharing faerks with the israelis. How are we doing with robust cyber threat sharing information with our nato partner . Right now, most cyber sharing tends to be focused in many ways on a nation to nase basis. Thats another one of the challenges, why im interested in with Cyber Command, how with we work that more formally, military organization to military organization so we are doing this once and not 29 different times as it were. Very good. My time is expired. I do have additional questions. If we dont get to a second rond ill submit them for the record. I would appreciate you getting back to me on them. Thank you admiral for the work that you do, thank for your service to the country. Yield mack. Dr. Abraham. Thank you admiral for being here. The Armed Services certainly have their own Cyber Commands. What is cyber come doing as far as the manning and the concept of operations as far as having duplicative issues within those services . Remember the way yeah, to prevent the duplication. The way we are structured, each of those Service Primary operational Cyber Commands is a subcomponent of u. S. Cyber command. Whether its army cyber, coast guard sidebar e air force cyber, fleet sidebar, mar force cyber, they have an operational relationship to me. Thats how we try to work the joint and the service piece in a very integrated way. On the first. I try to be the connecting loop partnering with them and also partnering with the Service Leadership to make sure that from a service and a joint perfepe perspective in the department we are aligned and focused on priorities and outcomes. All right. Lets parlay that into our other federal agencies at it seems all of them certainly have a cyberspace department, so to speak. Cyber com, as far as coordinating mechanisms between other federal agencies could you explain that a little bit, please. We coordinate directly primarily in the rest of the government with the department of Homeland Security. Thats particularly driven by the fact that one of Cyber Commands three mission is if directed by the president or the secretary of defense to defend Critical Infrastructure against acts of significant cyber consequence. We would do that in partnership with dhs. Because of that, we are closely relying with them. In fact i just was talking with the team yesterday. Between the private sector in the private sector the u. S. Government has designated 16 different areas, think about finance, transportation, aviation. There are 16 different segments that the federal government has designated as critical to the nations security. That infrastructure. We have picked one of those 16 segments to do a test case, if you will, between dhs, Cyber Command, that private sector as well as nsa from an information and intelligence sharing, that would be the nsa rule to get down to an execution detail about how we would do this day the day. My experience as an military individual has taught me i dont like to do discovery when im trying to contact with a cloointd. Im interested in how can i create those relationships now before we get into a Major Incident related to one of those 16 segments. I think i have time for one more question. What is cyber coms supporting role in north com, pay com, and has the d. O. D. Codified that relationship so that if there is an incident or accident that that can be really instituted very seamlessly if such an event should happen . So, our role on the defensive side is to support and own sure the continued operation, for example, of those networks, weapons systems, and platforms that those operational commanders and others count on to execute their missions. In addition, we generate offensive capability, particularly for pay comand other geographic commands outside the United States because we dont really see i dont think right now in my mind how would we apply cyber offensive capable in the United States . Not that thats not the role of the d. O. D. Our focus inside the United States would be largely defensive. One of the things its focus area i have set out a series of goals for 2017. One of those goals is increased Cyber Reserve and guard integration, to get to the question that you are really driving at, how do we make sure to for a domestic incident that all elements at d. O. D. Are aligned and we all know how we are going to do this, and all the forces know what their role is going to be, the command control is all outlined. North comknows what they are going to do. I know what im going to do. Pay com, they have a domestic responsibility. They know what they are going to do. I would like to use the defense support to Civil Affairs which has been an ongoing process we have used for decades. I would kinds of like the use that as a test model. I am a big fan of lets use what is working elsewhere, to the extent that i can. Okay. Thank you. Mr. Larson. Admiral, thanks for coming. I would like to go back to the question of unified Cyber Command. Your answer wasnt concerned about the portion of the answer we are still working it out. I was concerned because i thought i heard you Say Something that runs counter to what we told you all to do. Thats the decisions made to do this and that the secretary and the president dont need to make a decision to actually do a unified command. The law as i understand but they will drive the timing, thats separate separate. Thats my only point is the timing. If thats your only point, thats fine. I just thought i heard something else. I apologize if i miscommunicated. You have clearly provided a Legal Framework. Thats what you are doing. Absent of changing the law, thats what we have to execute. Thank you. Can i go back to something the chair was exploring with you and it has to do with having a Cyber Service or not. I actually agree with you in not having one. But it does beg the question, though, to have to have that capability. What flexibility do you need in personnel, what flexibility do youn need in contracting just kind of what flexibility do you need to ifly utilize and even develop a formal framework so you can using active component reserve guard as well as the Contractor Community . Among the ways that we try to ask ourselves if we are going to go with a service base approach, which is what we are executing, how would you do it, we came up with baselines. First is it doesnt matter what your service is, guard or reserve, we build to one standard. We created within a join framework for every position within the Cyber Mission force we can tell what you the pay grade is and we can tell what you the qualification standards are and we can tell what you the duties are that are assigned the position. I said look we have got to create one integrated force. If we do you a that you different variants i cant optimize that. The second thing we said was the structure of the teams needs to be the same regardless of whether it is a particular service, guard or reserve. The analogy i used was it doesnt matter if we have an f16 squadron in the guard or in the active force, theres one squadron nomenclature for an f16 that we can then employ anywhere globally because we know everybody is built to the same standard. We acknowledge there are some variances but everybody is built to the same standard. That was another principle, the only way we can make a service base work is active or reserve, guard or reserve, it doesnt matter. We are building to one standard f. We stick to that framework, im very comfortable that we can make a Service Approach work for us. If we insist on variance, if we insist on everybody doing their own thing im the first to admit this is not a model thats going to generate the outcomes we need. First to acknowledge that. The role of the private sector . So, the private sector, when i look at them a couple things come to mind. Number one, they are providing the they are the ones who are going to provide the Human Capital. Whether that Human Capital ends up wearing a uniform, whether its part of our civilian government work force or its contractor force. They all start in the private sector. So its one of the reasons why i spent a fair amount of time as cyber kmond and as director of the nsa to the same extent in some ways with the academic world with private industry telling me, how do you create a work force . What works for you . What incentives are you using . What has failed that in hindsight you say to yourself, dont go down this road because it really failed speccally for us even as i acknowledge there is a difference between government and the private sector. But i think there are some things that we can learn from each other. In addition i think two other areas come to mind for me with the private seconder testimony first is technology. The days when d. O. D. Is going to be the engine for technological innovation and change i think are long behind us. Its not the d. O. D. Model. Thats why we created the point of partnership in Silicon Valley and in boston. Its why i thought the acquisition piece was so important for us. We have got to be able to tap into the private seconder in terms of acquisition and technology and capabilities. And then the last area, which is a little bit counterintuitive in some ways, when it comes to the generation of policy, concepts, thought, the private sector can play a huge role here. I think back to the beginnings of Nuclear Deterrence and Nuclear Policy for example. If you go back in the 1950s and you read much of the thought process, much of that was falling from the academic world. Hardly anybody remembers now that henry kissing injury remembers in the 1950s and 1960s was a professor at harvard writing about nuclear deteernts and Nuclear Deployment that he and others ended up shaping the Strategic Vision we have. Id like to see the same thing in cyber. All right. Thank you. Ms. Complainy. Thank you madam chair would william and thank you admiral rogers for your service and being here today. Secretary mattis, before he became secretary, in talking about the budget control act and sequestration said no foe in the field could do our military as much harm as sequestration and budge control act. As we begin looking at the 2018 budge im interested to know what to what extent you are able to factor in strategy and threats and sort of Strategic Thinking about what needs to be done as you put together the budget for Cyber Command and to what extent you have still been hamstrung by the bca custom by those cap numbers. So like any entity its about prioritize ooigsation. I spent a lot of time figuring out with finite resources even with growth with finite resources how are we going to prioritize we rolled it out as a government as a department this afternoon and during the mid day today. I have not seen the specifics. I know the broad number for us but i havent seen the subelements. Ill talk broadly. I apologize but ill talk broadly. For the 18 input we tried to identify those priorities. In a macro sense in no particular order i have been arguing manpower, investment in core capabilities, and then number three, how can i accelerate number one and number two. How could i do both of those faster . Because in some ways, even though as the wanna crypt ransom wear that we have been going through shows there is motivation in the department. Men and women doing good work. We were not impacted by a wanna crip. That wasnt by a lack of effort. We sent significant Time Starting in march asking hour selves how might this play out, how will we position ourselves in the case of microsoft didnt put out the patch for the vulnerable. We as microsoft users saw that and started to ask ourselves did a patch of the its one of the reasons why we use a defense in depth strategy. There is no one single solution, no one single way to fix this problem. Its layers built on top of each other. That really has been the key to our success. So we are asking ourselves how can we do this faster. Every day, one of my biggest concerns is i have never really had this same view point in almost 36 years of commissioned service. Every day i literally think to myself we are in a race to generate more capacity and more capabilities at the same time that im watching a host of global actors doing the exact same thing. We are trying to sustain both staying up with them but quite frankly my objective is to get ahead of the problem set. I dont like reacting to things. Its not an efficient way to do business. I dont think its what the nation wants from us. Until im able to bor into the specifics of the budget that gchs you a broad sense of what i thought we needed to focus on. Would you say, admiral, that the budget as its been proposed provides the resources necessary to regain superiority in areas where we have lost it . It certainly moves us along that road but no one should think for one moment that this mission set not unlike some others is going to require increased and sustained investment over time. This is not going to be a one or two years we have increased you by some reasonable number which has been the case for the last few years and thats all you are going to need. If you look at scope and the challenges associated with this mission set and from where we are starting we have a lot of hard work ahead of us 123450 would you talk a lib about how you are going to measure success and how you are going to measure progress along that path of regaining superiority. There is a couple components to it. First we are in the process of developing a set of metrics. How do we truly assess readiness for this force that we have created . We focused for the first few years on assessing niche operating capability and final operating capability. Thats when you hear us talking about foc and ioc. You heard me say in my remarks we achieved ioc essentially on time, october 2016, we are on track for that. One of the things i tell the team is that doesnt get to war fighting. In the end its about our ability to operate in a sustained heavy environment. Just like when we are building a brandnew carrier or a new fighter wing for example, its not enough just to say we have got the filts and the parts. Its about training, assessing readiness. We are working our way through how are we going to do that. Then its other things. Like we ask ourselves are we driving down defensive penetrations . Are we driving down malwear infections . There is some, you know, specific metrics that we think that we can use to give us a sense particularly on the defensive side. Are we being more effective or not. Thank you very much. My times expired. Mr. Oroark . Thank you. Help me understand a little bit how we make clear to other countries around the world the consequences of Cyber Attacks, with conventional weapons in conventional wars, there may be an understanding of what the consequences will be should one country attack another with a certain kind of weapon. What is our level of dialogue with other countries, including those countries we view as threats, including those countries who i think we now who have attacked us about what the consequences are Going Forward . If i could in an unclassified session, im not going to go to get into specifics associated with particular nation states. It hasnt ban one size fits all approach, which is true broadly for strategy for us i would argue as a nation. Its not a one size fits all approach. We try to optimize the way we are looking at this particular challenge set based on the particular actor we are dealing w. What works for one wont necessarily have the same impact as what works for another. There are let me talk about a couple basic things. We have been very public and acknowledged the fact that we are using cyber offensively against isis no. Just because we want isis to know we are contesting them but because quite frankly we also think its in our best interest for others to have a knowledge we are investing in capability and employing it with a legal law of armed conflict. We have also employed strategy documents for department of cyberspace strategy is developing offensive capability that we believe that deterrence is an important concept. We are trying to communicate to the world around us that we are aware of the kinds of activity we are seeing out there. Some of it we view with concern. As a result we think its in our own nations best interest to have a set of capabilities that both generate greater options for our policy makers and our operational commanders but at the same time help communicate to others around us you dont want to go down this road with us. I think the reaction or the way wanna crypt played out in the United States for example, is a very good example of that hey, look, in a major mall wear evident that took down many systems in lots of other parts of the world, did not have the same level of effect on us here in the United States. Let me ask you a question about that. Not my chance. To what degree are we treatybound to assist an ally who attacked through cyber not kinetically . And are we already assisting allies who are maybe to use that most recent example that you just gave . Thats a bit of a legal question. And thats not my lane but ill give you my thoughts from my perspective as an operational commander. We for example, nato has been very direct in saying that they view cyber as a natural continuation of thend staing article five framework where an attack against one is an attack against all even as nato acknowledges the application of article five is through a decision of framework in the North Atlantic Council and its done on a case by case basis. Thats broadly the intent and its been communicated in multiple fell forms in multiple ways. For other nations you would have to ask somebody who is smart better the particulars of the standing mutual defense treatiesy. Let me ask you another question. Because we know the russians attacked the integrity of our elections here. Uhhuh. Because we know that they have done that in other countries because past behavior is a good predigitor of future behavior, whose responsibility is it in this country and then kind of to maybe for the record on for our allies when our al ayes elections are attacked. But is it Cyber Command . Is it dhs . Is it both . Should the rnc or the dnc be attacked Going Forward for example, whose responsibility is that . Under the current framework the department of Homeland Security has overall responsibility for the provision of capability and capacity within the federal government in support of the private sector. Broadly. Cyber command, in its defined mission of if directed, as i said, to support the defense of Critical Infrastructure we would partner with dhs to do that. We would do that, Cyber Command, by attempting to interdakota that opportunity before it ever reached that network. Frankly we wouldnt focus on blue or friendly space, we would be out in gray space. Its years before it gets here. Simple policically, once it gets here dhs created a framework. Cyber command has capabilities in the form of cyber connection teams that we would also deploy in partnership with dhs to support within those 16 Critical Infrastructure areas. Again its one of things that i mentioned earlier that i want to test. We are going to start using one particular sector thats more mature than some of the other 15. Thank you. Mr. Franks. Well, thank you, madam chair. And thank you admiral rogers. Thank for your service to the country and your job is so very important to us all. You stated that your First Mission priority is defense of d. O. D. Information networks. Would you suggest that that means that defensive operations will take precedence over offensive operations . No, i remind the team we have three missions and we have to be capable of executing all of them. I cant go to my boss and say i chose to focus on number one. Dont get me ng would, like any commander i have to prioritize. As i am looking at the challenges i have told the team we will prioritize number one even as we acknowledge we have to execute those other two missions. Like any other Operational Organization at times that have to priorityize resources and focus. It isnt just one and not the others. We have got to do all of them. Yeah, well, as you know, the d. O. D. Relies upon the civilian power grid for 99 of its power requirement, without which im told that its it becomes impossible in cone us to affect the d. O. D. Mission. Do your priorities include protecting the u. S. Power grid and other Critical Infrastructure against Cyber Attacks . Again, i would own responsible for the defense of that in the United States. I will say one of the things im interested to see if we can maybe look at doing differently, im having this conversation in particular with transcomat the moment. Right now when it comes for example, to Critical Infrastructure that the d. O. D. Counts on to do its mission, when it comes to clear defense contractors who either are generating the capabilities that we use, advanced fighters oh, and other platforms, as well as private industry for example, for transcomthat provides services, lift, movement of cargo under the current structure, the Defense Security service has overall responsibility to the interface with these private companies, not the not transcomfor example, even though they work for transcomor they provide a Service Based on a contractual relationship with transcomand not necessarily for us. I would like to see is there a way to bring those operational commands, Cyber Command, dss and that private sector together in a much more integrated way. Because what we are finding right now is i will become aware of activity, i will pass that to dss, dss passes that to the private sector. That doesnt come across to me always as the fastest, most efficient most agile way to do business and i would like to see if we can maybe change that. Admiral, you know that thats been one of the challenges in the past that sometimes you know the whole notion of protecting the grid from Cyber Security challenges kind of walks the 13th floor of humanity. Right. Because we in the department, your department, they consider that a civilian responsibility. Of course the civilian response is that that is a National Security issue and should not be our responsibility. And my fear of course is this neither, with the sufficient focus on it as necessary. And given your stated yes, sir. Yeah. So its worth always Touching Base on. How will Cyber Commands posture improve once its elevated . Do you believe you will have all the resources and authorities you will have to accomplish your assigned missions and what do you expect your number one challenge will be, in terms of russia, china, iran, someone else . Let me unpackage this. If i forget one, let me know, sir. First whats the benefit of elevation. Why have i and others recommended that thats a smart course of action. I acknowledged the decision is not mine. Its outlined in legislation. Now its timing issue absent a change in the leg. In the departments processes when it comes to how we develop budgets, how we articulate prioritization, how we develop broad policy, it is generally built around the idea that the Combatant Commanders are the primary voice force operational end of those processes. Not subunified commands. Gottant commanders. One of my concerns have been, we talk about the importance of cyber. I acknowledge there are other priorities in the department. And yet for some, not all but for some of our processes the cyber expertise is not embedded in the current structure because you would put it one level below. I believe that elevation plugs us in more directly into the primary decisionmaking processes in the department custom is optimal for kbat ant commanders. Now there is one less layer to work through. The commanders i have worked with, general heighten, and boy, how quickly we forget. I can picture he was a good flag officer friend. They were great to team with because i would tell them look if we are going to insist i think i do flows through, i cant get the timeliness and i cant got the speed. And this helps address that. Time is expired. Thank you. I now recognize mr. Comer. Thank you madam chair. Apparently two of our colleagues have introduced a bill that would allow private seconder u. S. Companies to hack back active defense. I hadnt realized before this is apparently illegal today absent a law change . So could you reflect on this proposal and whether its a good idea or not. So, broadly i only speak for mike rogers because im not in the policy lane but i have an opinion. As an operational commander, my concern is while there is certainly historic precedence for this, naishl nation states have often gone to the private seconder when elacked capacity. We did that in the revolution y war. My concern is be leery of putting more gun fighters out in the street in the wild west. As an individual tasked with protectsing our networks i am thinking to myself we have got enough cyber actors out there already. Just putting more out there im not sure is in everybodys best interests. I would also be concerned about the legal leeblt you might im not a lawyer but the legal liability i would think that you would have some liability issues associated with taking actions with second and Third Order Effects that you dont truly understand when you actually execute it. Thats just my concern. Are other countries doing this . Are you familiar with any other countries that have enabled their private sector there may be equivalent legal frame works out there. Certainly not that have come to my attention and not that i have had a discussion about. I was curious, you used a gun fighter analogy. Some people have thought that the nra might set up a whole new wing of activity for this. Its to the extent that private business in this country feels disconnected from government [ loss of audio ] security interests even when its protecting the grid i think you are probably going to see greater pressure. Richltd i would agree. In some ways it goes back to, again, showing you my war college education. I dont want you to think as a taxpayer i didnt listen when i was sent to service colleges. In the west failing and construct the application of force has generally for the last several centuries been viewed as a mission or a right of a sovereign state, not something that the private sector does. We dont use for example, for us we dont use contracts to actually drop and fire weapons. We dont use mercenaries to do that. We use uniform military. I would just be concerned that going that route again argues against the broad principles we have used about the role of the state and applying force kinetically and nonkinetically. We dont use those tools but in our degraded west failian system we dont know who we are being attacked by. It might be state actors, quasi state actors, possibly private actors. Who knows. Well, it depends on the situation. But im the first to acknowledge 100 attribution is probably a standard we are going to be driving for for a long time and not necessarily achieve immediately. What percentage of accuracy in attribution would you give us today . Oh, it depends on the actor. If you take for example speaking now as on the nsa side, if you take look at the efforts we did in the Intelligence Community assessment with respect to russian efforts to influence the 2016 election process, really high confidence. Very fine grain attribution. If you take a look at wanna crypt, for example, were ten days into this, and collectively in both the private sector and the government we are still working our way through who are the actors or actor associated with this . It tends to vary. There is no single concrete with the elections, we are close to 90 , 95 , on this we are 60 but raising it . I dont know, i havent really thought about it from a number. Okay. Thank you madam chair. Mr. Scott. Thank you madam chair. Admiral, it is a long way from auburn university. We are eagles sir. I hope you never lose a war or win a ball game. I am a university of georgia graduate. I have a brother and a sisterinlaw who went to the university of georgia. I love them. Was he the one holding the dog when he bit the player . All kidding aside thank you for your service. We talk a lot about how Fast Technology changes. In the acquisition process being a problem throughout the department. I would lining to hear your comments on the personnel like to hear your comments on the personnel again. You speak to this in your comments. You know, when you get the young man, the young woman out there thats the best and the brightest, their opportunities in the private sector versus their opportunities in the Public Sector under your command, the challenges there, and the issue of you know, what percentage of your personnel are civilian versus uniform . Roughly we are about 80 military. About 20 civilian. Thats kind of what we are building to. It varies in some areas, but its about 80 20. I know we have a tremendous number of wonderful people in uniform. Some of the people that we see that seem to be the best and the bright nest the Technology Field arent exactly the people that you imagine going to boot camp. Right. How do we recruit in case do we have a system in place to allow those people to serve . It is a one of the reasons why we have tried to come up with a total force send sent for us. Active, guard, reserve, civilian contractor. That within that pool of five subpopulations, if you will, we can match almost any individual. Hey, i really want to get into this. I want to serve the nation, but i have no desire to deploy or be put through the physical Fitness Standards of the uniformed world. I will like to work for you as a civilian. I like mobility so i want to try the contractor route, move around a lib. We tried to build a structure that attracts a broad swath. The Positive Side to me is boy when you get people in the team i was just talking to one of the Service Review panels. One of the services out there is created has asked a party of gray beards to take look at how they manage the Cyber Mission force within their service. And to answer the question, are they really on the myselfed for the future. I coincidentally this morning was just sitting down with this retired former chief of their service. And i said, well you have talked to the teams because they did that as part of their process. I said tell me what you are hearing from them. I have a sense but tell me what you are hearing. He said to me the most amazing thing is every team we talk to these men and women are so motivated and love what they are doing. That is a real plus for you. They really are into this mission. Their self image is they are the digital warriors of the 21st century. The challenge, i think we have got to work with the services who provide this manpower capabilities. How do we manage it effectively over time, and how do we also build into this the fact we have got to acknowledge there are some areas we have got to do differently . We cant put a person in this once, spend all that Time Training them and then they dont do it for another ten years. Thats ridiculous to me. On the other hand i realize there is more than just the sidebarer mission force. The services are asking themselves how are we building a broader work force to address cyber. Im working with the services about what percentage of the eligible training population makes sense, what kind of policies we should have with respect to retouring them so we sustain some level of capabilities over time and we are not starting over again every three years. Thats one of the cham challenges at the moment one service is dealing with. Their model. Im argue we have got to make changes. We cant afford to retrain everybody every three years. I dont think its costeffective and demoralizing to the men and women. I think this is going to be one of the greatest challenges Going Forward in how we handle the cyber war, if you will. Right. And not just with your issue. We hear the same thing about the drone pilots, and how dedicated they are, and how determined they are, and you know the need for flexibility. Yes, sir. With where they work and the time that they work. And i i recognize it from a pay scale. Were nowhere close to what they would get right, but on other hand. So i their commitment to the country and your commitment to the country as well. Thank you. Thank you. Mr. Wilson. Thank you chair woman for your extraordinary leadership on organizing this hearing. Sir. Its honor admiral to be back with you and we appreciate your Innovative Service to address the issues of Cyber Defense. As the former chairman of the subcommittee on emerging threats and capability im keenly aware of the huge challenges that lie before us and the extraordinary men and women that you put together to serve in your command. Cyber security is a 24 hour 365 day a year responsibility that requires instantaneous analysis, response, and deterrence. After each cyber attack, we had the circumstance where the government officials are grappling with whether or not it constitutes a mere nuisance or an act of war. It is for this reason i introduce the cyber attack standards measurement study act 1030 which would require that a direct of national intelligence, the Homeland Security security department, fbi, and secretary of defense to conduct a study to determine appropriate standards that could be used to quantify the damage of Cyber Incidents for the purpose of determining appropriate response. And two questions. Do you believe that there exists an interagency definition for cyber act of war . And secondly, do you believe that we have a common metric to measure Cyber Incidents which could benefit the interagency response . I think there is a broad certainly in the kinetic world there is a broad definition out there of an act ever war. But even in the kinetic world its still somewhat situational. So i fully expect that our experience in cyber is going to be something similar. It goes to one of the previous questions in some ways, articulating those concepts in a way that actors understand that you may be tripping a threshold that will trigger response. I think thats in our best long term interest. That helps i think, helps the nation states, actors, groups out there understand there are potential prices to pay here. And at some point you will trip a threshold, again, depending on the scenario. And thats not a good place for you to be. We are clearly still working our way through there. I am not a policy guy. Im the operational guy. I try to figure out what do we do once the policy maker makes that determination. And thank you for recognizing too it can be nation states, it could be other actors. What a challenge. And so were so grateful for your service. One of the first challenges that you have are updating antiquated infrastructure. Yes, sir. Im grateful that the district i represent is adjacent to fort gordon, home of the harmys Cyber Command. Can you please describe the amount of Infrastructure Modernization that needs to occur and how demand differs across the army, navy, air force, coast guard and marines. Ill use one example. As we are working our way through the services because i have overall operational responsibility. The services physically own much. In the Current Network structure the services own the structure. I partner with them in attempting to address that infrastructure Cyber Security. One of the things we continue to find is we are still carrying a lot of very old infrastructure that offers potential increased vulnerable. And the defense in depth approach we use is designed to help mitigate that. But i literally just sent a note to a service chief earlier this week, and Senior Leaders in that service and said, look, at some point, these vulnerabilities down at the tactical level in our acquisition will become potential points of exploitation biers to that have the chance to negate some of that defense indepth. So weve got to address this. I find we have talked a lot about manpower. In some ways to me the acquisition piece, thats even harder. Because its long term. Its huge costs. And it is competing against priorities like so do you want me to buy more f35s, official, you know, carriers . Do you want more brigade combat teams . In a world of finite resources you have got to make those resource tradeoffs. In general the acquisition world hasnt historically always been incentivizes for Cyber Security outcomes as its primary metric. Thank you very much and we look to working with the chairwoman to back you up in every way. Thank you. With my time running out i do want to thank you for the participation by the national guard, and your efforts. What has been the level and what more can we do to help new this regard . If you just look at Cyber Command we have over 100 guardsmen and reserves every day supporting us. Every day we have we currently have guard components activated on the defensive side. On the offensive side. Some of our specialized capabilities. The guard is a day to day player for us. If you also look at what the guard is doing in so, maam. Thank you very much. Time is expired. They are calling votes soon so i want to get through everybody. Dr. Winthrop. Thank you madam chair. Admiral thank you for being here today. Sure. You were talking about various structure where we set up our command and where we are headed. Im curious what our adversaries are doing, what do we know about how they are structured and what they are doing can maybe guide us in some way. Not going to get into a classified information but broadly Cyber Command is viewed as wow this is an interesting concept, what can doe do to emlaid it. Im not saying everybody in the world wants to. But in general i spend a lot of time talking to allies and they will often say to me,ing bhoo while we may not opt to go with the same structure you have created, the process you went through, the capabilities you have developed, the way you have created an organizational operational construct thats focused on jean rating outcomes, hey we are really interested in doing that. Is there a way we can potentially partner. Part of the Cyber Command mission root now is we spend a lot of time with foreign partners around the world. I cant i am the first to acknowledge. I have to acknowledge. There are areas in the world we are focused on helping them develop cyber capabilities. Those are our allies. What about i would be happy to in the closed session. I have some interesting thoughts there. Thats fine. You wanted people to know some of the things we were doing to counter isis. Maybe thats kinds of hitting them but a shot across the bow for others. Have you felt that its had an effect . I certainly hope so. Because quite frankly again one of the reasons we opted to publicly acknowledge this was we wanted other actors to be aware that we are developing and employing, again within a Legal Framework but we are developing and employing those capabilities. There certainly is an increased awareness by actors around the world as they look at us, study us about capabilities and the kinds of things we are doing. Not going to get into specifics but we are certainly aware of that. In another seth i would like to hear more. Id be glad to. We will have that opportunity, im sure. Thank you very much, i yield back. Thank you, thank you very much admiral rogers for your testimony. At this time, they are likely to call votes in the next couple of minutes or so. After votes are finished, we will reconvene in rayburn 2337 upstairs for the closed portion of this. If there are additional questions from the members, please feel free to submit them for the record and then we can anticipate a response from you. Yes, maam. This committee is adjourned. And we will reconvene. Thank you, maam. Heres a look at our primetime schedule on the cspan networks. Starting at 8 00 p. M. Eastern on cspan w testimony from former cia director john brennan. On the investigation into possible russian influence in the 2016 elections. On cspan2, the director of the omb, Mick Mulvaney briefs reporters on president trumps proposed budge for 2018. And on cspan3 a house hearing on the border adjustment tax and u. S. Economic growth. Never let anyone define you. And that is the first lesson i want to leave you with. Only you define who you are. Only you. Our hearts should be open, not just to falling in love, but to the world. We need to look. We need to care. And we need to contribute. Dont ever let anyone tell you that your dreams are silly. And if you have to look back on your life, regret the things that you did, and not what you didnt do. Nothing stays still. Things will change. The question for you is whether and how you will participate in the process of creative change. Just a few past commencement speeches from the cspan video library. And watch more this years commencement speeches on saturday may 27 helicopter, monday, may 29th. Memorial day, and june 3rd on cspan and cspan. Org. Sunday night on after words, msnbc host chris hayes examines how the criminal Justice System is dividing the country in his book a colony in a nation. Mr. Hayes is interviewed by author elizabeth hinton. It seems like ferguson is really kinds of an anchor in many ways in the, boochl im wondering how your experience reporting there kind of illuminated what you are talking about growing up in the bronx in the 80s. The thing about ferguson that blue my mind was, i think if you grow up in a city, and you grow up in the bronx, you have this conception of cities as these stink these n. Cities, there are racial frictions, in cities you have bad neighborhoods and good neighborhoods, all kinds of like loaded ways in which pliskova communities differently, all kinds of loaded ways in custom the borders of different neighborhoods sit atop each other, interlock, overlap and create that sort of sant sandpaper friction. All of that to me was died to the bronx new york or cities. I moved to chicago and i loved in chicago and i lived in d. C. , all these things pertained to these places. The thing that blew my mind its just a municipality of 20,000 people. Its anywhere u. S. A. Its between the Northern Edge of st. Louis and like the tonier subur suburbs. You just drive through it. It looks like anywhere. Right. Its just strip malls and parking lots and houses and and the idea that what i experienced there was like the level of exploitation, and the level of racial oppression and friction, the level of