Our friend Senator King from Maine and Representative Gallagher from Wisconsin. They are joined by fellow commissioner, retired Brigadier General John C. Inglis, professor of cybersecurity studies at the U.S. Naval Academy and former Deputy Director of the National Security Agency. Welcome. Thank you for coming to discuss this important topic. I would like to extend my congratulations as well to Mike Gallagher and his wife Anne on the recent birth of their baby girl Grace. Good luck on your greatest adventure yet. I would also like to recognize former policy director Mark Montgomery, who served as Deputy Director of the commission. Section 1652 of the fiscal year NDAA established the Cyberspace Solarium Commission to study alternative strategies for the defending of the United States against malicious cyber activity. Among the strategies were cyber deterrence, persistent engagement and compliance with international norms. The commission has produced an impressive report that advocates a combination of all three. Deterrence by denial, rapid attribution, deliberate shaping of international norms through aggressive diplomacy and of malicious cyber adversaries. The report also presents a number of reforms, many in legislative format for our deliberation. Of particular importance are the following recommendations. That the Department of Defense evaluate the size and capacity of the Cyber Mission Forces, that the Department of Defense takes an expanded role in exercises and planning relevant to protection against cyber attacks of significant consequence. The Department of Defense and cybersecurity companies hunt on industrial base networks and that the administration establish a National Cyber Director. These are valuable contributions to a debate on how policy, programs and organizational constructs will advance the nation's cybersecurity.
I am proud that we were able to incorporate 11 of these recommendations into the committee mark of the NDAA, with several additional recommendations which were unfortunately outside of our jurisdiction but were incorporated later on the floor discussion. While this hearing comes too late to inform the NDAA mark, three subjects of the commission's study remain relevant for this committee's oversight of operations and for the committee's conferencing of the NDAA. First and foremost, I want to discuss the motivations behind the commission recommendations and further actions detailing the establishment of a National Cyber Director. How is the interagency process broken today? What authorities, especially to cyber relevant action, should be available to the director? How would the National Cyber Director coordinate the Department of Defense action in response to a cybersecurity incident of significant consequence? Since its establishment, the subcommittee has focused on coordination among the relevant entities within the Department of Defense to assure synchronized efforts in implementing and executing their cyberspace missions. I believe the office within the Secretary of Defense has been particularly performing that particular oversight and coordination role. This has been accomplished without the establishment of a large bureaucracy and without creation of yet another cyber stovepipe within the DoD. NDAA, we included a provision that strengthened the Principal Cyber Advisor's oversight and coordination role. I also sponsored a presented a provision in the 2015 NDAA that added Principal Cyber Advisors for each Service Secretary to provide that with this critical coordination asset. The Principal Cyber Advisors have a department advisor role while a National Cyber adviser considers a national role. There may be similarities between the functions of the Principal Cyber Advisors and the National Cyber Director as envisioned by this commission.
I would appreciate this discussion on the similarities and differences, and the proposed National Cyber Director. To better understand the operations the commission provided regarding the Department of Defense's cyber targeting. Matching the commissioners' recommendations and cyber deterrence and persistent engagement. Did find the department's aspirations for persistent engagement of our adversaries to be realistic? Finally, I want to hear how the Department of Defense can better execute its mission to protect the nation against Chinese, Russian, Iranian and North Korean cyber attacks. What are the capability shortfalls? What should its role be in a were emergency response action? Thank you for your diligent efforts in producing this report and for agreeing to testify before this subcommittee. Senator Manchin, welcome. Senator Blumenthal sat in to make sure things were working. Welcome. Do you have opening comments? Thank you very much for your die appreciate that. Thank you Senator Rounds. I want to welcome Senator Angus King and Representative Mike Gallagher. OK. Who served as cochair of the this committee of establishing last year's NDAA, and General Chris who served as one of the commission members. Senator King is a distinguished member of this committee. Representative Gallagher, I thank him. I want to speak about the efforts of this commission, why it has been successful and what we can learn for the future. Commission of this size was intended not just to educate Congress, the intent is to forge a consensus on what needs to be done to fix problems the commission identifies. Too often those recommendations are too vague or difficult for Congress to legislate on. The commission spent a lot of time and effort turning recommendations into actual draft legislation text. This was an immensely important decision.
If you have to turn an idea into a bill, you have to think it through and the result has to be compatible with the main purpose of Congress. To be sure we have had these recommendations significantly, without those legislative drafts, much of the commission's work might already be collecting dust on someone's shelf. Instead, the vast majority of recommendations were included in one form or another in the NDAA bills passed by the House and Senate. Including significant number of this is no mean feat. Getting approval across committees for legislative amendments on the floor of the House and Senate is extremely hard. Something Senator King and Representative Gallagher know very well. Recommendations as to creation of a National Cyber Director. This recommendation is not popular with the administration. Senator dachshund I also included that the proposal needed more polishing in order to be better understood what this position's role should be. Senator King and Representative Gallagher took this on and in the last couple of months have produced a very good proposal which we will talk about. The commission cochairs firmly believe this position is crucial to integrating the response to all the departments and agencies who have to be involved in dealing with major cyber attacks. The recommendation would require reporting of all critical infrastructure. While it is important we do all we can to effectively respond to cyber threats in a timely manner, we must do so without interrupting established cyber threat reporting. As ranking member of the resource committee, the prime example our infrastructure entities. They should still report to their established chain, and that intelligence should be made available to the eventual cyber director. The commission's report specifically rejected a model declaring state declaring major cyber attacks by assuring adversaries with an in-kind response, retaliating against their critical infrastructure.
The commission's report suggests a retaliatory doctrine of doing to an adversary what an adversary does to us is immoral and inconsistent with international law. A strategy of deterrence based on retaliation in kind is the basis of our nuclear deterrence that has been in place since the end of World War II. Do not consider this strategy moral or effective. The idea an adversary would be deterred from hitting our critical infrastructure by the threat we would disable the computers of their cyber forces does not seem likely. Assuming we would be able to identify and incapacitate their cyber forces. Which I submit is an uncertainty solution. Before turning to witnesses, I will close by noting that our commission has proposed and this committee has endorsed in the NDAA, an extension of life of the commission. This was done for the 9/11 Commission and I think it is a good idea for Senator King and Congressman Gallagher to observe how work is being implemented and revisit issues that cannot be resolved in this year's budget. Thank you Mr. Chairman. Thank you Senator Manchin. I think the best way to approach this probably since you have done a combined opening statement which is in the record right now, Senator King, would you like to begin? And then we will have Representative Gallagher and finish up with General Inglis if that works in terms of how you would like to proceed? Thank you Mr. Chairman. There are so many aspects of this, an opening statement could go on all afternoon. I'm going to try hard not to make that happen. Let me make one point about the pandemic, among all the other things we have learned I think one of the most important things is that the unthinkable can happen. A year ago, we would not have contemplated where we are now with a disease we are having to deal with on a worldwide basis. So it is with a cyberattack. It seems unthinkable, the stuff of science fiction, but it can and has happened. In fact, it is happening at this very moment.
The purpose in the work we did on this commission, and I will outline how we proceeded, was to be the 9/11 Commission without 9/11. The whole purpose is to avoid not only a cyber fast catastrophe, but death by a thousand cyber cuts. That is what we want to talk about today. The commission, as you mentioned, was set up two years ago in the National Defense Authorization Act. Mission was to develop a comprehensive cyber security strategy for the country and recommend how it should be implemented. There were 14 members, they think part of the success of the mission depends on how it was structured. 14 members, four members of Congress, and four members from the executive agencies. Six members from the private sector. Over 30 meetings, 90 percent attendance at our meetings. We met in this building just downstairs over and over. Hundreds of witnesses, documents, and an immense amount of literature search and review of all of the ideas that could be brought before us on these subjects. I am proud to say the work of this commission was entirely nonpartisan. To this day, other than the four members of Congress who wear their party labels, I have no idea of the party affiliation of any of the other 10 members of the commission. I can honestly say there was not a single comment, discussion or question that suggested any partisan or any kind of partisan point of view in our commission's discussions. 400 interviews, we came up with 82 recommendations, 57 as Senator Manchin mentioned were turned into actual legislative language. One of the basic root principles of the report can be summarized in three words. Reorganization, resilience, and response. Reorganization I think we are going to talk a lot. Secondly, resilience. How do we build up our defenses so that cyber attacks are ineffective? The final is response. How do we develop a deterrence strategy that will actually work, particularly with attacks below the level of use of force?
We have not had a catastrophic cyber attack, probably because of the deterrence we already have in place. The problem is we are being attacked in a lower level, continuously, whether it is the theft of intellectual property, the theft of OPM records of millions of American citizens, whether it is the attack in 2016, that is the area where you remain vulnerable and we have not developed a deterrent policy. Where's the deterrence? It is to shape behavior. It is to deny benefits and to impose costs. Either we are going to spend a great deal of time talking about the cyber director but I want to address it briefly. The mission and the structure of the National Cyber Director is almost identical to the principal cyber adviser position we have created at the Department of Defense. The difference is a wider scope. Just as we were preparing for the hearing, he made a quick list of seven to nine federal agencies, all which have cyber responsibilities outside the Department of Defense. For the structure of the National Cyber Director is to provide a person in the administration with the status and the advisory relationship with the President to oversee this diverse and dispersed authority throughout the federal government. The same reason we create the advisor in the Department of Defense, we need to do it nationwide. That is the fundamental purpose we need to go into much more detail on this. The second is a testimony recently in the House by former Representative Mike Rogers, former chair of the Intelligence Committee, who confesses that he has 180 degrees changed his position on the idea of a National Cyber Director from steadfast opposition to strong support. I would like to introduce both of those documents for the record with the permission of the chair. Without objection. I will end my comments now and we will be able to discuss more of the details particularly in the National Cyber Director recommendation as the hearing progresses.
Representative Michael Gallagher, I believe you will be joining us. Are you ready? Can you hear me? Back off a little bit. Hang on a second. We are going to bring the volume down a little. Hopefully that is better. Much. Thank you Mr. Chairman. For your leadership and your kind words about my baby daughter. To Ranking Member Manchin, thank you sir and to all of you all on the committee for allowing us to. I have enormous respect for this committee and the Senate because before I was a member of the House I was a staffer in the Senate. There was a time when I actually used to wield the real power. Thank you for letting me return to my roots. As Senator King laid out, cyber operations continue to in been what we know, the state of our defenses and adversaries' intentions are a major cyberattack to critical infrastructure is almost something to be expected. I would say we have no choice but to hope for the best while planning for the worst. With this in mind, I would like to emphasize two of our critical proposals as we look ahead to the NDAA conference. I agree with Senator King on the importance of establishing a National Cyber Director. This is the right balance of authority, responsibility and necessary prominence. A Senate Confirmed within the ice of the president that across the federal government in focusnion would bring the that Cyber Security desperately needs at the highest level of the federal government. Second, I would like to highlight the necessity for continuity. We need resiliency and redundancy in our critical infrastructure. I would submit the pandemic has shown not only that our economy to destruction but the potential impact of economic destruction has on Americans. Wereas we thought unthinkable, so too do we need to think through the unthinkable as to how we would rapidly recover in the wake of a massive cyberattack so we have the ability to retaliate.
I'll want to say that to ensure Congress must address a number of issues that impact multiple agencies that currently work together to protect national security in cyberspace. Just a few of our recommendations on that front include the institutionalizing of DoD participation in public-private cybersecurity initiatives, establishing and funding a joint collaborative environment for sharing threat information, establishing and an integrated and integrate seven existing cyber centers. Creating a joint cyber planning office. Biennial senior leader cyber exercise to test our plans. Establishing authority to do threat hunting on all .gov networks. All of these provisions are included in the House version of the NDAA. Perhaps our most important thing are important conclusion is that failure to act is not an option. While we have made remarkable progress in a few years, the status quo is simply not getting the job done and the time to act is now. Thank you for the opportuni