CSPAN2 Senate Armed Services Cmte. Cybersecurity Hearing October 24, 2017

The Senate Armed Services Committee held a hearing yesterday. [inaudible conversations], one. Of morning. The committee meets to receive testimony on the U.S. government policy, strategy and organization to protect our nation in cyberspace. To begin, I'd like to thank Senators Rounds and Nelson for their leadership on these issues and our cyber security subcommittee. This hearing builds upon the good work that they and their subcommittee have done to tackle the critical challenge of cyber. This is a challenge that is growing more dire and more complex. Not a week passes that we don't read about some disturbing new incident: cyber attacks against our government systems and critical infrastructure, data breaches that compromise sensitive information of our citizens and companies, attempts to manipulate public opinion through social media and, of course, attacks against the fundamentals of our democratic system and process. Those are just the ones that we know about. This is a totally new kind of threat, as we all know. Our adversaries, both state and nonstate actors, view the entire information domain as a battle space and across it, they are waging a new kind of war against us, a war involving and extending beyond our military to include our infrastructure, our businesses and our people. The Department of Defense has a critical role to play in this new kind of war but it can't succeed alone. To be clear, we are not succeeding. For years we have lacked policies and strategies to counter our adversaries and we still do. This is in part because we are trying to defeat a 21st century threat with the organizations and processes of the past century. This is true in the executive branch and frankly it's also true here in the Congress and we are feeling. That's why this committee is holding a hearing and why we have taken an unorthodox step of inviting witnesses from across our government to appear today.
They are the senior officials responsible for cyber within their respective agencies, and I want to thank them for joining me and welcome them now. We have the assistant secretary of defense for Homeland Defense and Global Security. Scott Smith, assistant director for Cyber Division, FBI, and Chris Krebs, undersecretary for the National Protection and Programs Directorate at the Department of Homeland Security. I'd also like to note at the outset the empty chair at the witness table. The committee invited the principal U.S. cyber official, White House cyber security coordinator Rob Joyce. Many of us know him and respect him deeply for his significant experience and expertise on cyber and his many years of government service at the National Security Agency. Unfortunately, but not surprisingly, the White House declined to have the cyber coordinator testify, citing executive privilege and precedent against having non-confirmed NSC staff testifying before Congress. While this is consistent with past practice on a bipartisan basis, I believe the issue of cyber requires us to rethink our old ways of doing business. To me, the empty chair before us represents a fundamental misalignment between authority and accountability in our government today when it comes to cyber. All of our witnesses answer to the Congress for their part of the cyber mission, but none of them is accountable for addressing cyber in its entirety. In theory, that is the White House cyber coordinator's job, but that non-confirmable position lacks the full authority to make cyber policy and strategy and direct our government's efforts. That official is literally prohibited by legal precedent from appearing before the Congress. So when we, the elected representatives of the American people, ask who has sufficient authority to protect and defend our nation from cyber threats, and who is accountable for us for accomplishing that mission, the answer is quite literally no one.
Previous administration struggled to address this challenge between DoD, DHS and the FBI, well-intentioned as it was, but the result was as complex and convoluted as it appears in this chart. Given that no single agency has all of the authorities required to detect and respond to incidents, it has created significant confusion about who is actually accountable for defending the United States from cyber attacks. Meanwhile, our increasingly capable adversaries seek to exploit our vulnerabilities in cyberspace. Facing similar challenges, a number of our allies have pursued innovative models to emphasize increased coordination and consolidation. In doing so, they have significantly enhanced their ability to share information with the public. The United Kingdom recently established its National Cyber Security Centre, an organization that orchestrates numerous cyber functions across the British government under one roof, sitting side by side with industry. Today's hearing is an opportunity to have an honest and open conversation. Our concerns are not meant to be critical or of your organizations. Each of you are limited by the policy and legal framework established by Congress and the administration. as the one who rushed to the scene that they were in charge with none having the authority or even worse, realizing after a cyber incident that your organizations were not prepared and resourced to respond based on a flawed assumption that someone else was responsible. I thank the witnesses for the service to our country and the willingness to appear before this committee as we continue to assess and address our cyber challenges. Senator Reed.
Thank you very much for holding this hearing at the welcome our witnesses today. Let me also commend Senators Rounds and Nelson for the great leadership on this subcommittee.
Cyber threats facing the nation do not respect organizational or jurisdictional boundaries. Defense Department, intelligence community, FBI, Department of Homeland Security, are all critical in countering cyber threats. Each agency functions in silos and specialist laws and authorities. In order must develop an integrated whole-of-government approach to strategic planning, resource allocation and execution of operations. I am echoing the chairman's points. This department is not unique to the cybersecurity mission. By the extremism, narcotics and human trafficking, transnational crime, weapons of mass destruction and other charges are effective whole-of-government response that cut across the missions and responsibilities of departments and agencies. As issues become more complex these problems are becoming more numerous and serious over time. The rubin various approaches to this problem. With little demonstrated success. White House generally have few tools at the disposal while the lead agency does need to address cross-cutting jobs that must remain focused on the mission of its own organization. Last year President Obama signed PPD-41, United States Cyber Incident Coordination policy. It established a Cyber Response Group to pull together a whole-of-government response, but these are ad hoc organizations with little continuity that come together all in response to events. I believe what is needed instead is a framework with an integrated organizational structure authorized to plan cooperating in peacetime while the constant progression of cyber opponents. This arrangement as president. The Coast Guard is a service branch and the Department of Defense but is a vital part of the Department of Homeland Security. It has intelligence authority, defense responsiveness, customs and border enforcement of law enforcement authority. The Coast Guard exercises these authorities judiciously and responsibly and enjoys the complement conference of the American people.
We can solve this problem. We have examples. Last year's National Defense Authorization Act really cross-functional teams to address problems. These teams are composed of experts in the functional organizations that rise above the interest of their bureaucracy. The team leads would exercise executive authority delegated by the Secretary of Defense. Such an approach might be a model for the interagency to address a cross-cutting problem like cybersecurity. There is indeed urgency to our task. Russia attacked our election last year. They attacked multiple European countries, the NATO alliance in the European Union. The intelligence community assures us Russia will attack our upcoming midterm elections. So far we've seen no indication that the administration is taking action to prepare for this next inevitability. Finally, the government cannot do this alone. As former Cyber Command and NSA director General Keith Alexander testified, while the primary responsibility of government is to defend the nation, the private sector shares responsibility in creating the partnerships necessary to make the defense of our nation possible. Neither the government nor private sector can protect their systems and networks without extensive and close cooperation. In many ways the private sector's on the frontline of the cyber threat and the government must work with them if we're to effectively counter that threat. We need to covet strategy but it must be in cooperation with the private sector. I thank Chairman McCain for holding this hearing effort cosponsored my legislation that is the Banking Committee jurisdiction, the disclosure act which are federal securities laws tries to encourage companies to focus on avoiding cybersecurity risk before they turn into costly breaches. Thank you, Mr. Chairman.
Welcome witnesses. Mr. Rapuano, please proceed.
Thank you, Chairman McCain, Ranking Member Reed and members of the committee.
It is an honor to appear before you to discuss the roles and responsibilities of the Department of Defense and its interagency partners in defending the nation from cyber attacks of significant consequence. I'm here today in my role as the assistant secretary of defense for Homeland Defense and Global Security as well as the principal cyber advisor to the Secretary of Defense, in which I oversee cyber policy in the department, lead the coordination of cyber efforts across the department and with our interagency partners, and integrate the department's cyber capabilities with its mission assurance and defense support to civil authorities activities. I appreciate the opportunity to testify alongside my interagency colleagues because these challenges to require a whole-of-government approach. DoD is developing cyber forces and capabilities to accomplish several missions in cyberspace. Today I will focus on our mission to defend the United States and its interests against high-consequence cyber attacks, and I would execute that mission in coordination with our interagency partners. The department's efforts to build defensive capabilities to the Cyber Mission Force, or CMF, play an especially key role in turning out this mission. For both the deterrent and response standpoint, the 133 CMF teams that will attain full operational capability in September of 2018 are central to the department's approach to supporting U.S. government efforts to defend the nation against significant cyber attacks. With the goal of ensuring U.S. military dominance in cyberspace, these teams conduct operations also to deny potential adversaries the ability to achieve their objective and to conduct military actions in and through cyberspace to impose costs in response to an imminent ongoing recent attack. In particular, the CMF's 68 Cyber Protection Teams represent a significant capability to support a broader domestic response.
These forces are focused on defending DoD information networks but select teams could provide additional capacity or capability to our federal partners if and when necessary. DoD's role in cyberspace goes beyond adversary focus in operations and includes identifying and mitigating our own vulnerabilities. Consistent with statutory provisions related to these efforts when working with our U.S. domestic partners and with foreign partners and allies to identify and mitigate cyber vulnerabilities in our networks, computers, critical to the infrastructure and weapons systems. While DoD has made significant progress, there is more to do alongside our interagency partners in the broader whole-of-government effort to protect U.S. national interests in and through cyberspace. The outward focus of DoD cyber capabilities to mitigate foreign threats at points of origin complements the strengths of our interagency partners as we strive to improve resilience should a significant cyber attack occur. In accordance with policy, during cyber incident, DoD can be called to directly support the DHS in its role as the lead for protecting, mitigating, and recovering from domestic cyber incidents or the DOJ in its role as a lead investigating, distributing, disrupting and prosecuting cyber crimes. The significant work of our departments has resulted in increased common understanding of our respective roles and responsibilities as well as our authorities. Despite this, however, as a government we continue to face the challenges when it comes to cyber incident response on a large scale and it is clear with more to work to ensure we are ready for a significant cyber incident. Specifically, we must resolve gap issues among various departments, clarify thresholds for DoD assistance, and identify how to best partner with the private sector to ensure a whole-of-nation response if and when needed.
DoD has a number of efforts underway to address these challenges and to improve both our readiness and that of our interagency partners. For instance, we're refining policies and authorities to improve the speed and flexibility to provide support, and we're conducting exercises such as Cyber Guard with a range of interagency and state and local partners to improve our planning and preparations to respond to cyber attacks. Additionally, the cyber executive order, 13800, signed in May, will go a long way in identifying and addressing the shortfalls in our current structure. Although the department has several unique and robust capabilities, I would caution against ending the current framework and reassigning more responsibility for incident response to DoD. The reasons for this include the need for the department to maintain focus on its key mission, the longstanding tradition of not using the military for civilian functions, and the importance of maintaining consistency with our other domestic response frameworks. It's also important to recognize that a significant realignment of cyber response roles and responsibilities risks diluting DoD focus on its core military mission to fight and win wars. Finally, putting DoD on lead role for domestic cyber incidents would be a departure from accepted response, practice and all other domains in which a civilian agency have the lead responsibility for domestic emergency response efforts. And it could be disruptive to establishing that critical union of effort that's necessary for success. The federal government should maintain the same basic structure for responding to all other national emergencies, whether they're natural disasters or cyber attacks. There's still work to be done both within the department and with our federal partners to improve DoD and U.S. government efforts overall in cyberspace.
Towards this end, I'm in the process of reinvigorating the role of the principal cyber advisor, clarifying the department's internal lines of accountability and authority in cyber, and better integrating and communicating DoD cyberspace strategy, plans, and train and equip functions. We will also be updating our DoD cyber strategy and policies on key cyber issues such as deterrence and tran