Be a member of congress. We welcome suzanne spaulding. Also thomas fanning, two of the commissioners of the commission. First of all, i want to thank the cochairs and the two commissioners for their important work on the Cyberspace Solarium Commission. I think the end product is excellent. I think it has some solid recommendations that a number of these are within our committees jurisdiction and will be working hard to vault those and the ones evaluate those and the ones that we can get them passed into law. They can be done through executive action. I would like to spend my time, enter my formal written statement into the record. I just want to talk about two of the commissions of recommendations. When i got here in the congress in 2011, cybersecurity was a hot issue. It still is. It is not going away. But i remember the buzz word back then is we have to do something about this. We have made a number of attempts and quite honestly, we have made a fair amount of progress. My own sense is the bad guys, the people on offense always have an advantage but i think were catching up and closing that gap between offense and defense. There has been some very common themes. First is we have to do a better job of information sharing. I think we have accomplished that with the establishment of the Cybersecurity InfrastructureSecurity Agency headed up by chris krebbs now. We had a Conference Call with director krebbs last weekend. He said cyberactors were trying to steal medical information on the development of a vaccine. This is a persistent threat that is not going away. Which makes the commissions work so incredibly important. The first thing i want to talk about and were working to get included into the Defense Authorization act so it can become law is the need to put someone in charge. National cyberdirector. We held a hearing a counterterrorism years ago of the blue ribbon study panel. That was established on biodefense. It is interesting their number one recommendation is we need somebody in charge. Not too long ago we held a hearing on 5 g. Once again, the number one recommendation out of that Committee Hearing was we need somebody in charge of the implementation and development of 5 g if were going to compete in the world. Lo and behold, i think the number one recommendation out of this commission is we need somebody in charge. Now there is some controversy behind that. Contactly how to set it up is complex. I signed on the letter with sandra who is leading the charge on the Senate Armed Services committee has asked the commission to continue to study and make recommendations exactly how that National Cyberdirector would be established. What part of the administration that individual should be placed into that they can have the maximum positive impact and so hopefully the commission will Stay Together and make that recommendation and we can get that included into the national Defense Authorization act. The other recommendation i want to talk about is something that we did cover if a hearing with the director krebbs in a public hearing is the need for and this is actual we have a bill on this. It is called cybersecurity vulnerability disclosure act. There is a need for a system to be able to contact individuals where they have noticed that there is a threat and right now the only way they can contact those people is if they can literally subpoena the records to find out who those individuals are. Identify them so they can contact them. This shouldnt scare anybody. It shouldnt be a issue of civil liberties. Im going to ask everybody on our committee to do everything we can to by book or by crook hopefully get that into the Defense Authorization act as well. Those are the things i want to concentrate on. I dont want to steal the commissioners thunder. Now i turn it to senator peters. Very good, senator. Thank you for bringing us together. Thank you to our witnesses for joining us today and for your cyberspace the solarium commission. I would like to thank our colleague senator king and for appearing before us today and subjecting himself to our questions so thank you senator king for doing that. Cyberattacks are one of the greatest threats to our National Security and it is a Commission Found in the report, the United States is not thoroughly prepared to defend ourselves. Ed a versares like china, russia, iran have repeatedly attempted to hack into our Critical Infrastructure, interfere in our dreament process and engage in large scale in intellectual property theft. Hey launched a cyberattack against our hospitals to steal information on the virus for the Coronavirus Vaccine that threatened the health and safety. Americans without sufficient cybersecurity tools, resources and skilled personnel, these attacks could have a devastating impact on our daily lives. Your report makes some critical information that with must consider so we can prevent and recover from malicious style attacks. Your recommendations are wise ranging. I think they boil down to three main goals. One, we must work with our althrice promote responsible behavior in cyberspace. We must deny advantages to oured a versares and impose greater costs on those who engage in malicious sibe attacks. I have worked on a bipartisan basis with many of my colleagues on this committee to advance legislation to meet some of these goals. I look forward to discussing some of these today and find ways to come together and make sure were dealing with cybersecurity issues. Thank you again for all of our witnesses joining us today and i look forward to your testimony. Thank you, senator peters. I know this is a web event and not an in person hearing. Ill just ask you to swear that the testimony you give before the committee will be the truth, the whole truth and nothing but the truth so help you god. Thank you. Our first witness is senator angus king. The cochair over the cyberspace commission. Since 2002 he has served as a senator from the state of maine. He was governor of maine for two terms. He graduated from the university of virginia law school. I really appreciate the opportunity to testify before you. What i would like to do is give you a background on the commission and what our fundamental findings were and talk about our strategy of layerd cyberdeterrence. First the commission was set up by the 2019 National Defense act. The mission of the commission was to establish an overall Strategic Direction for american policy in cyberspace, number one and number two, make recommendations for implementing that strategy. The commission had 14 members, four from the congress, four from the executive and six from the private sector. It was entirely nonpartisan. There were really no partisan discussions whatsoever apart from the four members of congress, i have no idea of the policy affiliations for any of the other members over the commission. We have 29 in person meetings. We interviewed over 400 people and went through thousands of pages of documents and ended up with 81 recommendations, 57 of which require legislative action which have been submitted to the various committees and the staffs in the senate and the house. So what are the fundamental findings . It rests upon three issues. Run is reorganization. Get the structure right. The chair talked about this at the beginning. The second is resilience. How do we build cyberdefenses to keep ourselves save safe from attack and the third is response. How do we respond to attacks in such a way as to defend our country. Now the fundamental strategy if you will is called layerd cyberdefense. Layerd cyberdeterrence. Here are the layers. Number one shape behaviors. That is establish norms and standards in the International Community so that this is not a unilateral onecountry kind of effort. The second is to deny benefits. That is to strengthen our cyberdefense and that is part of this is reorganization and part of this is strengthening other agencies that well talk about later this morning. But to basically be more resilient and that includes plans for the recovery of the economy in the case of a sibe attack. The third is the strategy of deterrence. We have been attacked over and over over the last 1015 years. Our adversaries have paid very little price. We need to establish a clear declaratory policy that if you attack the United States in cyberspace, you will have to pay a cost and that is really the fundamental idea of deterrence and we have got to be clear about it and we have got to have oured a versares make the calculation that attacking us is going to cost them. I want to change their calculus when making that decision. Thank you very much for holding this hearing. Look forward to answering your questions. Thank you senator king. Our next witness is congressman mike gallagher, the cochair of he Cyberspace Solarium Commission. You received a bachelors degree from Princeton University and pitched a from georgetown ph. D. From georgetown, university. Congressman gallagher . Thank you, chairman johnson, Ranking Member peters abs and distinguished members of the committee. It is an honor to be here. Thank you to you and your staffs for engaging super actively with the work of the commission as we try and turn our recommendations into actual legislation. We start really from sobering recognition similar to the one hich animated the original project solarium some 67 years ago. It was not getting the job done. I would wholeheartedly agree with chairman johnson. For a variety of reasons we have yet to achieve the speed and agility that is necessary for survival in cyberspace. How do we get there . As angus king reminds me, structure is policy. I would like to talk a bit about our recommendations related to structure. First, we believe that we must create a House Permanent Select Committee on cybersecurity in order to streamline congressional oversight and authority. Second we believe we must establish a Senate ConfirmedNational Cyberdirector that chairman johnson talked about, to lead National Level coordination for cyberstrategy. A public voice for cybersecurity and technology issues. We need to strengthen it to ensure infrastructure conduct Risk Management and cybercampaign planning and lead public and private collaboration allowing it to compete with talent not only with n. S. A. But with google and other companies. And we need to recruit, develop and retain a stronger federal cyberworkforce and there by close our workforce gap and finally we believe we need to strengthen our cybersupply chain. The commission has taken an approach that the power is in free competition. Our strategy amounts to little more than occasionally limiting the access to firms we dont trust into our markets. I believe this is not working. Consider the conference tation for 5 g where the Chinese Communist party is able to subsidize their champions like huawei without having to respond to Market Forces. To counter this, the commission calls for investing information D Communications technology, industrial capacity and reinvigorating our research and development. Of course this will cost some money. Whether in this terms of responding to a pandemic or a massive cyberattacking we believe america can no longer afford to depend on Chinese Technology for Critical Technology with that, i would like to once again thank chairman johnson and angus king and commissioners tom fanning and suzanne spaulding. What made this a unique experience was the quality of participation we got from our outside experts, the executive branch and the sitting members of congress. With that i look forward to your questions. Thank you, congressman gallagher. Our next witness is suzanne spaulding. She is a commissioner of the solar cyberspace commission. She was the undersecurity for the department of Homeland Securitys National Protection d programs director from 20112017. She priestley served six years at the central tension agency d as an advisor to the nonproliferation center. Miss spaulding . Chairman johnson, Ranking Members of the committee, thank you for this opportunity to testify here today. I want to touch on three areas that i think can and should be acted upon quickly. Particularly given the vulnerabilities exposed the pandemic. The first is strengthening the cyberSecurity Agency as the organization that i as the undersecretary is now called. Congress recognized their central role in our countrys efforts to reduce cyberrisk and the commission strongly endorsed this view. Malicious cyberactors targeting hospitals and Health Research research. Home this work has never been more important which is why we urge congress to provide the agency promptly with the resources and authority it needs including Mission Support functions to be able to be the National Risk manager. Continuity of the economy planning. Identify systematically important Critical Infrastructure and coordinate planning and Research Across the federal government and with the private sector. Second, with regard to improving the cyberecosystem and reducing vulnerabilities, the commission understood that markets are usually more efficient than government and can drive better cybersecurity. We looked at why the market is not performing that function today. A key reason is that markets need information in order to be effective. To provide this information, we ask that congress establish a National Cybersecurity certification and labeling authority to help consumers make informed decision when buying connective device, guidelines for Cloud Services. Promote a more effective and market. T cyberinsurance finally i believe one of the most important pillars in the report is resilience. We need to reduce the benefits side in the adversarys costbenefit analysis. Sometimes the most Cost Effective way to reduce cyberrisk will be reducing our dependence on those network systems. Developing redundancies, perhaps analog backup for ways of interrupting cybereffects. Paper ballots are a way of building resilience into infrastructure for example. We have a number of urgent recommendations but i would like to conclude with our recommendations to pilled public resilience against disinformation. Beating ill literacy can help but we need to weaken democracy by pouring gasoline on the flames of division that already occupy online discourse. Pushing americans to give up on our institutions, not just elections, but the justice system, the rule of law and democracy. They seek to destroy the informed and engaged citizenry upon which democracy depends. The commission calls for reinvigorating civic education. Help americans rediscover our shared values, understand why democracy is so valuable, that it is under attack and that every american must stay engaged to hold our institutions accountable and continue to move toward a more perfect union. Thank you for the opportunity to testify and look forward to your questions. Thank you, miss spaulding. Our final witness is mr. Thomas fanning. He is also a member over the Cyberspace Solarium Commission and president and c. E. O. Of southern company, one of the nations leading energy companies. He has work there more than 38 years and currently serves as a cochair and the liaison between the federal government on the power sector on matters of National Security and terrorism and cybersecurity and disaster recovery. He previously served on the Federal Reserve bank in atlanta. Mr. Fanning . Good morning. Thank you chairman johnson, Ranking Member peters and members over the committee for the opportunity to testify today. The United States is at war. Virtually unchecked for years, oured a versares have been stealing our intellectual property and disrupting american commerce and our democratic way of life. This war is being waged primarily on our nations Critical Infrastructure, mainly the energy sector, Communications Network and our financial system. Only 87 to have Critical Infrastructure in the United States is owned and operated by the private sector making collaboration between the private sector and the government imperative. The Cyberspace Solarium Commission was created for this new digital reality. Later, the the outline serves as a practical road map to protect, prepare, hold to ntable and respond existential cyberthreats. We have a three pronged strategy for success. Reshape behavior on the battlefield, impose cost on oured a versares and deny benefits to our enemy. There is no international accepted principle with escalation and deescalation in cyberspace. The first step in shaping behavior on this battlefield is to define state accepted