CSPAN Former NSA Director Testifies On Russian Interference Capabilities March 30, 2017

Of these activities. I'd like to welcome our from the cybersecurity company Mandia. Mr. Mandia served in the United States Air Force as a computer security officer and later as special agent in the Air Force Office of Special Investigations where he worked as a cybercrime investigator. Thank you for being here today. And General Alexander served for 40 years in our armed forces, culminating with his tenure as the director of the National Security Agency from 2005 to 20 and concurrently served as director of U.S. Cyber Command from 2010 to 2014. Thank you for being here today. It is an expert on studies, he worked as the university in Jerusalem, Johns Hopkins school. Dr. Rid, thank you as well for your expertise and we look forward to your testimony.

Sen. Burr: The level of cybersecurity in front of us is truly remarkable. They'll be able to provide at an unclassified level some extremely useful texture and detail to the discussion we began this morning. I feel certain, and I say this to all three of you, that the committee in a closed setting might want to reach out to you as we begin to dig a little deeper so that we can get your thoughts and tap into your expertise. That we might be able to explore more than in this open setting. For this hearing, we will be recognized by order of seniority for five-minute rounds. We are targeted to have a vote somewhere between 4:00 and 4:30. It would be my hope we could wrap up prior to that vote and not hold our witnesses open, that way we would conclude Senate business for the week with that vote. Vice Chairman. Thank you, Mr. Chairman. I don't have a statement other than one to welcome all the witnesses and to point out that before Mr. Mandia's company was acquired by a California company he was based in Alexandria, Virginia where he did great work. We'd be happy to have you back, with all due deference to Senator Harris.

Sen. Harris: Stay in the sunshine.

Sen. Burr: I'm going to recognize you to start.

Mr. Mandia: Thank you for allowing me to speak.
What I'm going to speak about today is the cyber capabilities and techniques attributed to Russian hackers, specifically a group we refer to as APT28. I want to talk also about recommendations to prevent or mitigate the compromise. I want to give you a little of my background and the background of my company. As I sit here right now we have hundreds of employees responding to computer security breaches. We think it is critical to own that moment of responding to a breach, collecting the trace evidence, ablizing that evidence. So as I give you my narrative today, it's based on three things. On what we are learning as we respond to hundreds of breaches a year. We're cataloging that trace evidence and putting it into a linked database, and we have over 150 threat analysts who speak 32 languages, 19 countries, and they're trying to marry up what we're seeing in cyberspace to what we're seeing in a geopolitical world out there today. Then the third source of my dialogue, third source of evidence, is in fact we have 5,000 plus customers relying on our technology to protect them on a daily basis. Let me first speak to the methodologies being used by APT group 28. We attribute many intrusions to these folks. You might have heard about the worldwide anti-doping agency, the DNC breach, the DCC breach, the Ukrainian central election commission, and I can keep going on. I believe the doctor will mention some more of these victims. But all the breaches that we attribute to APT28 in the last two years involve the theft of internal data as well as the leaking of this data by some other party, potentially APT28, potentially some other arm of the organization, into the public. During the course of our APT28 investigations we've had a significant amount of evidence. We've looked at custom malware. We don't see this malware publicly available. It's not available to you to download and use tomorrow. It's being crafted in a building, shared by people in a closed loop, it's not widespread or available to anybody. We have identified over 500 domains or IP
addresses used by this group when they attack. Almost every modern nation that develops an operational capability in cyberspace, the first thing they need to do is get an infrastructure they use to then attack their the real site of their attacks. The real intent. The real target. So there's a huge infrastructure of compromised machines or false fronts or organizations that are used for these attacks. We found over 500 of those. We have analyzed over 70 documents written in many languages, these are the documents you receive during a spear phishing. They're armed documents if you open and peruse them. When you assess the documents, they're related to the subject and interest of the people receiving these documents. A lot of work is going into the backdrop or background of the people being spear phished. I can go on and on. I've got 40, 50 more pages of what they do but I'll focus on a couple of things that also help us attribute APT28's activities to the Russian government. In 2015 alone, we saw APT28 leverage five zero days, and a zero day is an attack that does not have a patch available for it, it will work if received and you execute the file. And the best way to liken the value of a zero day: the minute it's used and it's been weaponized, its value goes down incredibly fast. And so when you see these things, mostly in the, mostly in the toolbox of a nations data at this point. Over the last 10 years, the security industry has done a great job making the cost of zero days go up, and we're seeing APT28 deploy them as needed. They're hard to detect once they're in your network because they rely on the tools your system administrators rely on. Say they turn to ghosts almost the minute they're in, your likelihood of detecting them if you don't detect the initial breach goes down exponentially. They operate using your tools and operate very hard to detect. I want to share with you three observations I saw emerge in 2014 that I did not see prior to responding to these state actors. I had the privilege of responding to them when I was in the Air Force.
Probably a different group but a group we attribute to the Russian government. And every time I responded to them on the front lines, if they knew we were watching them, they would evaporate. We never got to observe the tools, tactics and procedures of Russian state-sponsored intrusions in the late 1990s and early 2000s. They didn't let us do it. For some reason in August of 2014, we were responding to a breach at a government organization and during our response, our frontline responder said, they know we're there. They know we're observing them. And they're still doing their activities. Actually flew in, sat on the front lines, first I've seen it. To me that was big news because I had a 20-year run from 1993 to about 2014 where they never changed the rules of engagement. They changed in August or September of 2014. Second thing they did is started operating at a scale and scope where you could easily detect them. We were observing and orienting on them. They were letting us do it. But their scale and scope became widely known to many security organizations and we started to work together to get better visibility and fidelity. Lastly, something I wouldn't have predicted but we also witnessed for the first time in 2014, a group we attribute to the Russian government compromising organizations and then suddenly the documents are being leaked out in a public forum through hacktivist personas we have not seen. For today and the foreseeable future, it's our view that the United States will continue to see these happen. While many organizations are actively trying to counter these attacks, there's such an asymmetry that it is hard for any organization to modernize and prevent these intrusions from occurring when you have a state-sponsored attacker. Therefore we're going to need to explore ways both within and outside of the cyber domain to help deter these attacks. Lastly I say, if I had five minutes to talk to the Senate, what would I say? Here it is. I think we have to first start with, got to get attribution right.
We got to know who is hacking us so we can establish a deterrent. This gives us a great opportunity to make sure we have the tools necessary and the international cooperation necessary to have attribution. When you have attribution right, then you can consider the proportional response and the other tools at your disposal as diplomats to make sure we have the deterrents we need. Thank you very much for this opportunity.

Sen. Burr: Thank you. General.

General Alexander: I want to pick up from where Kevin left off. I had the opportunity to see on news, you and the ranking member talk about approaching this in a bipartisan way. Approaching the solution in a bipartisan way. And when you look at the problem and what we're facing, it's not a Republican problem. It's not a Democratic problem. This is an American problem. And we all have to come together to solve it. I think that's very important. If we step back and look at this, I want to cover several key areas to give my perspective on what's going on. First with respect to technology. The communications is doubling every year. We're getting more devices attached to the network. This network is growing like crazy. And so are the vulnerabilities. Our wealth, our future, our country is stored in these devices. We've got to figure out how to secure them. With those vulnerabilities, we've seen since 2007 attacks on countries like Estonia, Georgia, Ukraine, Saudi Arabia. A whole series of attacks and thenria and others. And then attacks on the power grid in the Ukraine. And what's clear is these networks and these tools have gone from exploitation for governments and crime to elements of national power. And I think from my perspective when we consider that this is now an element of national power, we have to step back and say, what's their objective? It's been said, know yourself, know your enemy, and you'll be successful in a thousand campaigns.
What's Russia trying to do and why are they trying to do it? From my perspective as I look at it with my background, it is clear it's not just trying to go after the Democratic National Convention or others. This is widespread, a campaign they're looking at doing that will drive wedges between our own political parties and between our country and NATO and within NATO and within the European Union. Why? I believe when you look at Russia, and if you were to play out on a map what's happened over the last 25 or 30 years, they see the fall of the Soviet Union and the pacts on their near border and all these as impacts on them. I bring all this up because one of the questions that's out in the press is, do we engage the Russians? Or do we not? Every administration that I'm familiar with, including the Obama administration, started out with, we're going to engage them. It was tchailed reset button. That didn't go far. I believe this administration should do the same. When I look at what's going on here, there's another opportunity that we have. When you look at the characteristics of leaders in this administration, we have people with great business experience, the president and secretary of state, and great national security experience. In addressing the problem that we're now dealing with, this is a new area. We're seeing cyber, it's an element of national power, how do we now engage Russia and other countries and set the right framework? I believe we have to engage and confront. Engage them in those areas that we can, set up the right path, reach out, and cool this down. I really do. We've got to fix that. At the same time, we've got to let them know what things they can't do and why they cannot do those. Set those standards. And I think what this group can do and what you are doing, chairman and vice chairman, is make this a bipartisan approach. Solve this for the good of the nation.
When we look at cybersecurity and what Kevin gave you in terms of what industry sees, and what government sees, over the last decade we have jointly worked on coming up with cyber legislation, how industry and government works together. If we're going to address africks and other issues we also have to set up the way for our industry and sectors to work with the government so that that attribution and things that the government knows and those things that industry knows can be used for the common good. It's interesting that sitting on the presidential commission, one of the things that came out when we looked at what's going on was what's our strategy? And at times people looked at this as a government issue and it's an industry issue. It's not. This is something that we need to look at as a common issue. For the common defense. It's in the preamble of the Constitution. It's something we should all look at. Then we should see how do we extend that to our allies? I would step back and encourage, encourage you to step back and look at the strategy. What's Russia trying to do? Why are they trying to do it? And how do we engage them? At the same time, we need to address our cybersecurity issues and go fix those. And get on with that. Thank you very much, Mr. Chairman.

Sen. Burr: Thank you, General. Mr. Rid.

Thank you for giving me the opportunity to speak today about active measures. Understanding cyber operations in the 21st century is impossible without first understanding intelligence operations in the 20th century. Attributing and countering disinformation today is therefore also impossible without first understanding how the United States and its allies attributed and countered hundreds of active measures throughout the Cold War. Nobody summarized this dark art of disinformation better than the colonel who headed Department X. He said, quote, a powerful adversary can only be defeated through a sophisticated, methodical, careful, shrewd effort to exploit even the smallest cracks within our enemies and within their groups.
The tried and tested measure is to use an adversary's measures against himself, to drive wedges into preexisting cracks. The more polarized a society, the more vulnerable it is, and America in 2016, of course, was highly polarized. With lots of cracks to drive wedges into. But not old wedges. Improved, high-tech wedges that allowed the Kremlin's operatives to attack their targets faster, more reactively and on a far larger scale than ever before. But the Russian operatives also left behind more clues and more traces than ever before. And assessing these clues and operations requires context. First, in the past six years, we've talked about this already this morning, active measures became the norm. The Cold War saw more than 10,0 active measures across the world and this is a remarkable figure. The lull in the 1990s and 2000s I think was an exception. Second, in the past 20 years, aggressive Russian digital espionage became the norm. The first was called amber light ma and it started in 1996. In 2000 the shift in tactics became apparent, especially in Moscow's military intelligence agency. A once-careful, risk-averse and shrewd and stealthy activity became more careless, risk-taking and error prone. One particularly revealing slip-up resulted in a highly granular view of just one slice of GRU targeting between March 2015 and May 26 in the lead-up to the election that contained more than 19,000 malicious links, targeting nearly 7,000 individuals across the world. Third, in the past two years now, coming closer to the present, Russian intelligence operations began to combine those two things, hacking and leaking. By early 2015, military intelligence was targeting defense and diplomatic entities at high tempo. Among the targets were the private accounts, for example, of the current chairman of the Joint Chiefs of Staff, General Dunford, or current assistant secretary of the Air Force Daniel Ginsberg. Or the current U.S. ambassador to Russia, John Tefft, and his predecessor, Michael McFaul.
A large number of diplomatic and military officials in Ukraine, Georgia, Turkey, Saudi Arabia, Afghanistan, and many countries bordering Russia, especially the defense attaches, all, I add, are legitimate and predictable targets for a military intelligence agency. Russian intelligence curiously also targeted inside Russia critics inside Russia, for example, the hacker group. In early 2015, GRU breached successfully not just the German parliament but also the Italian military and Saudi foreign ministry. Between June 2015 and November 20, at least six different front organizations appeared. Very much Cold War style, to spread some of the stolen information to the public in a targeted way. Finally, in the past year, the timeline here in the U.S. election campaign began to align. Between March 10 and April 7, GRU targeted at least 109 full-time Clinton campaign staffers. Only full-time staffers, not volunteers, these are not counted here. Russian intelligence targeted Clinton's senior advisor Jay Sullivan in at least 14 different attempts beginning on 19 March. They targeted even Secretary Clinton's personal email account but the data showed she did not fall for the trick and didn't actually reveal her password. Military intelligence agency GRU also targeted DNC staffers between March 15 and April 11, the timing lines up nearly perfectly. About one week later, after the events I just mentioned, the DNC website was registered, getting ready to spread data publicly. The timing is nearly perfect. Out of 13 named leak victims, forensic evidence identified 12 targeted by GRU, with the exception of George Soros. But a narrow technical analysis would miss the main political and ethical challenge. Soviet bloc disinformation specialists preferred the art of exploiting what was then called unwitting agents. There is no contradiction in their reading between being an honest American patriot and at the same time furthering the cause of Russia.
In the peace movement in the 1980s, we saw that people would be genuinely protesting, say, the NATO double-track decision, but at the same time advancing Russian goals. There is no contradiction. Three types of unwitting agents, WikiLeaks, Twitter, the company itself, and I'm happy to expand later, and overeager journalists aggressively covering the political leaks while neglecting or ignoring their provenance. In 1965, the KGB's grand master of disinformation, General Ivan Agayants, inspected an active measures outpost in Prague, a particularly effective and aggressive one, and he said, quote, sometimes I am amazed how easy it is to play these games. If they did not have press freedom we would have to invent it for them. Later, the Czech operative he was speaking with at that very moment defected to the United States and testified in Congress. And I quote him to close. He said, the press should be more cautious with anonymous leaks. Anonymity is a signal indicating that the big Russian bear might be involved. Thank you.

Sen. Burr: I w