Senator john mccain chairs the Senate Armed Services committee. This is two hours, 20 minutes. Well, good morning. Committee meets today to receive testimony on the Government Strategy and organization to protect our nation in cyber space. To begin id liking to thank senators rounds and nelson for their leadership on these issues in our Cyber Security subcommittee tackthal critical challenge of cyber. Its a challenge growing more dire and more complex. Not a week passes that we dont read about some disturbing new incident. Cyber attacks against our government system and infrastructure, data breaches that attempts to manipulate Public Opinion and attacks the fundamentals of our democratic system and process. And those are just the ones that we know about. This is a totally new kind of threat as we all know. Our adversaries both state and nonstate actors view the entire information domain as a space and across it theyre waging a new kind of war against us, a war invaucholving but extending baurpd our military to include orbusinesses, infrastructure and business. They have a critical new role to play but it cant succeed alone and to be clear were not succeeding. For years we have lacked policies and strategies to counter our adversaries in the cyber domain and we still do. This is in part because were trying to defeat a 21st century threat with the organizations and processes of the last century. This is true in the executive branch and frankly its also true in the congress. And we are failing. Thats why this committees holding todays hearing and why we have taken the unorthodox step of inviting witnesses to appear today. Our witnesses are the senior officials responsible for cyber within their respective agencies and i want to thank them for joining us and welcome them now. Assistant secretary of defense for Homeland Defense and Global Security. Asestant director for Cyber Division, fbi rr and National Programs director at the department of Homeland Security. Id also like to note the empty chair at the witness table. The committee invited the principal u. S. Cyber official, white house Cyber Security rob joyce. Many of us know mr. Joyce and respect him deeply for his significant experience and expertise on cyber and his many years of service that National Security agency. The white house declined to have its cyber kourt nard testify. Before congress. While this is consistent with past practice on a bipartisan basis, i believe the issue of cyber requires us to completely rethink our old ways of doing business. To me the empty chair before us represents a fundamental misalignment between authority and accountability in our government when it comes to cyber. All of our witnesses answer to the congress for their part of the Cyber Mission but none of them is accountable for addressing cyber in its entirety. In theory that is the white house cyber coordinators job but that nonconfirmable position lacks the full authority to lack cyber policy and strategy and direct our governments efforts and that official is literally prohibited by legal precedent from appearing before the congress. So when we, the elective representatives of the American People ask who has sufficient authority to protect and defend our nation from Cyber Threats and who is countable to us for accomplishing that missions, the answer is quite literally no one. The previous administrations struggled to address this challenge between dod, and the fbi. Well intentioned though it was, led to a result that is as complex and convuluted as it appears in this chart. Given that no Single Agency has all of the authorities required to detect, prevent and respond to incidents, the model has created significant confusion about who is actually accountable for defending the United States from Cyber Attacks. Meanwhile, our increasingly capable adversaries continue to seek to exploit our vulnerabilities in cyber space. Facing similar challenges a number of our allies have pursued innovative models to emphasize consolidation. In doing so, they have significantly enhanced their ability to react and are espond to incidents and to share information across government with the public. For example. The United Kingdom recently established its national Cyber Security center. Numerous cyber functions under one roof sitting side by side with industry. Todays hearing is an opportunity to have an honest and open conversation. Our concerns are not meant to be critical of our witnesss leadership or of your organizations. As each of you are limited by the policy and legal frameworks established by congress and the administration. Our intent is to better understand the coordination and deconfliction underway between agencies and to identify where and how we can improve. The last thing any of us wants is to waste precious time during a major cyber incident because everyone who rushed to the scene thought they were in charge but none had the authority or even worse, realizing after a cyber incident that your organizations were not prepared and resourced respondbased on a flawed assumption that someone else was responsib responsible. I thank the witnesses for their services to the our country and their willingness to appear beor the this committee. Senator reed. Thank you very much, mr. Chairman, for holding this hearing and i welcome our witness today. Let me also commend senator round and nelson for their great leadership on the subcommittee. The cyber threat does not respect org insational or jurisdictional boundaries in the government, Defense Department, Intelligence Community, fbi, Homeland Security are all critical in countering the cyber threat but each silos under specialized laws and authority. We must develop an integrated government approach to strategic planning, and execution of operations. I think im echoing the chairmans points. This problem is not unique the Cyber Security mission. Narcotics and human traffic, proliferation of weapons of mass destruction and other challenges require a hole of government response that cut across departments and agencies. These cross cutting problems are becoming more numerous and serious over time. There have been various approaches to this problem but with littleal demonstrated success. White house czars usually have few tools at their disposal while a lead agency mush remain focussed on the mission of its own organization. Last year president obama signed the cyber incident coordination policy. It established a Cyber Response group to pull together a whole government response. But these are ad hawk organizations with little continuity and only in response to events. I believe what is needed is a framework with an integrated org insational structure authorized to plan and operate in peace time against the constant aggression of cyber opponents. This has precedent. The coast guard is a Service Branch in the department of defense but also a vital part of the Homeland Security. The coast guard engs exercises these judiciously and responsibly and we have examples where we have solved this problem. Last years cross acizational act cut across the Defense Department. These teams are composed of experts in the functional organizations but rooid rise above the interest of the bureaucracies. The team would exercise executive authority deligated by the department of defense. Such an approach might be a model for a cross cutting problem like Cyber Security. And theres urgency to our task. The Nato Alliance and the european union. Intelligence community assures russia will attack our midterm elections. So far weve seen no indication that the administration is taking action to prepare for the next inevtblt. As former Cyber Command and nsa director testified, while the primary responsibility of government, they also create partnerships necessary to make the defense possible. They can capably protect without extensive and close cooperation. In many ways the private sector is on the front lines of a cyber threat and the government must work with them if were to effectively counter that threat. We need a Government Strategy but it must be in cooperation with the private sector. I thank senator mccain and co sponsoring my legislation passed by 36, which through disclosure and our federal security laws tries to focus on avoiding Cyber Security risk before they turn into costly bridges. Welcome witnesses. Please proceed. Department of defense in defending the nation Cyber Attacks have significant consequence. Im here today in my roles as the assistant secretary of defense for Homeland Defense and Global Security as well as the principal cyber advisor to the secretary of defense in which i over see cyber policy in the department, lead the coordination of Cyber Efforts across the department and with our enter Agency Partners and integrate the departments Cyber Capabilities with its mission and defense to activities. I appreciate the opportunity to testify before my inneragency colleagues because these challenges do require a whole of government approach. Dod is discovering cyber approaches and capabilities to establish several missions in cyber space. Today i will focus on our missions to defend the United States and its interests against high consequence Cyber Attacks and how we execute that mission in coordination with our inn innerAgency Partners. The departments efforts to build defensive capabilities through the Cyber Mission force or cmf play an especially key role in carrying out this mission. From both the deterrent and response standpoint the 133 cmf teams that will attain full Operational Capability in september of 2018 are central to the departments approach to supporting u. S. Government efforts to defend the nation against sniignificant Cyber Attacks. These incidents conduct operations to deny adversaries the ability to achieve their objectives and conduct military actions in and through cyber space to impose costs in response to an imminent, ongoing or recent attack. In particular the cmfs 68 Cyber Protection teams represent a significant capability to support a broader response. These forces are focussed on defending Dod Information Networks but select teams could provide additional capacity or capability to our federal partners if and when necessary. Dods role goes beyond adversary focussed operations and includes identifying and mitigating our own vulnerabilities. Consistent with statutory provisions related to these efforts were working with our u. S. Domestic partners and foreign partners and allies to identify and mitigate vulnerabilities in our computers and dod infrastructure. Dod has made significant progress. There is others to do in the whole of government effort to protect u. S. National interests in and through cyber space. The outward focus of dod Cyber Capabilities to mitigate foreign threats at their point of origin compliments the strength of our innerAgency Partners should a significant cyber attack occur. During Cyber Incidents, dod can be called to support the dhs in the lead for protecting, mitigating and recovering domestic Cyber Incidents or the drksz oj in the lead for disrespecting and prosecuting cyber crimes. The significant work of our departments has results in increased common understanding as well as our authorities. Can d spite this however, as a government we continue to face challenges when it comes to cyber Incident Response large scale and it is clear we have more to work to insure we are ready for a significant cyber incident. Specifically we must resolve semen gap issues among departments, clarify thresh holds and identify how to best partner with the private sector to insure a whole of nation response if and when needed. Dod has a number of efforts underway to address these challenges and to approve both our readiness and that of our innerAgency Partners. For instance we are refining policies and authorities to improve speed and flexibility to provide support and we are conducting exercises with a range of inner agency and state and local partners to improve our planning and preparations to respond to Cyber Attacks. Additionally the cyber executive order 13800 signed in may will go a long way in identifying and addressing the shortfalls in our current structure. Although the department has several unique and robust capabilities, i would caution reassigning more responsibility for Incident Response to dod. The reasons include the need for the department to maintain focus on its key mission, the long standing tradition of not using the military for civilian functions and the importance of maintaining consistency with our other domestic response frameworks. Its also important to recognize risks deluding dod focus on its core military mission to fight and win wars. Finally putting dod in a lead froel domestic Cyber Incidents would be a departure in other domains in which civilian agencies have the lead responsibility for response efforts. The federal government shouldnt maintain should maintain the same basic structure for responding to all other National Emergencies whether they are natural disasters or Cyber Attacks. Theres still work to be done both within the department and with our federal partners to improve dod and u. S. Government efforts overall in cyber space. Towards this end im in the process of reinvigoratinging the role of the principal cyber advisor, clarifying the departments internal lines of accountability and authority in cyber. And better integrating and communicating dod cyber space strategy, plans and train and equip functions. We will also be updating our dod Cyber Strategy and policies on key cyber issues. Such as deterrent and translating this into capabilities, forces and operations that will maintain our superiority in this domain. The department is also working to insure several Strategic Initiatives it is undertaking come to fruitioning indelucludi initiating the cyber protectinged Service Program and rationaleizing the department budgets. Our relationship with congress is critical to everything we are doing to defend the nation from high consequence Cyber Attacks. Im grateful for congresss strong support and particularly this subcommittees interest in these issues and i look forward to your questions and working with you and your staffs Going Forward. Thank you. I thank you, mr. Chairman, and offers me opportunity to provide remarks on the fbis Cyber Capabilities. As the committees aware the frequency of Cyber Attacks on our nation have increased dramatically in the past deck aitd and look to be growing. Cyber domain is unique, constantly shifting, changing and evolving. But progress has been made in improving structures and collaboration in innovation. But more can be done. Staying ahead of todays threats require as different mindset than in the past. The scale, scope and complexity of todays threats in the Digital Domain is like anything our humanity or nation has ever experienced. Traditional approaches and mindsets are no longer suited to coping with the speed and few tilt and complexity of the new Digital Domain. We have to include the Digital Domain as part of the threat ecosystem instead of separating it as a mechanical machine. This new era often called the Fourth Industrial Revolution requires the fbi to rapidly assign, align and engage empowered networked teams who are purpose driven and have fierce and unrelenting resolve to win. What does this all mean . What are we doing to stay ahead of the Digital Domain . Impose consequences. Thats where the fbi Cyber Mission is going. The Fbi Cyber Division and program is structured to address a lot of these unique set of challenges. The fbi is made up. Of over 50 field offices, each with a cyber squad and each developing Multiagency Task forces which brings together suf