Transcripts For CSPAN3 Key Capitol Hill Hearings 20151005 :

CSPAN3 Key Capitol Hill Hearings October 5, 2015

Is considered just as bad and make sure that that culture is inculcated throughout the force. I agree, but now the admiral is assaulted by the telecoms who want to tie his hands behind his back by doing all of the encryption. Thank you, Mr. Chairman. Thank you, Mr. Chairman. In our state, naval surfers warfare, Senator Crane has taken the lead on much of our efforts to protect against the threat of counterfeit electronics. And so Secretary Work and Director Clapper, the global supply chain for microelectronics presents a growing challenge for cybersecurity. One of the things we saw recently, IBM sold its chipmaking facilities with DoD foundry status to a foreign-owned competitor. So I was wondering your top priorities in managing the risk posed by the globalization of microelectronics manufacturing capabilities and our abilities to protect our systems in that area. It's a big question, Senator. In fact, it's going to be one of the key things we look at in this fall review because of the recent, as you said, the recent sale of the IBM chips. Now, there are two schools of thought on this. Secretary Carter personally has jumped into this. Some say you do not need a trusted foundry. Another group says you absolutely have of to it. Having confidence in the chips that we put in our weapons systems is important. I would expect come February we're able to report on final review how we're going to tackle this problem. Who within DoD's leadership has primary responsibility for overseeing the supply chain risk management? That would be Frank Kendall and also DLA. DLA has the supply chain, and Frank Kendall was really focused on the trusted chip, the trusted chips. One of the areas that we look at in regards to cyber, and in some ways, you know, technology in particular parts not advancing has been a good thing in this respect, is in the nuclear area.
Are there any specific groups that are focused just on protecting our nuclear effort against cyber? There's the international NNSA, and we have a Nuclear Weapons Council co-chaired by, again, Frank Kendall, our Under Secretary of Defense for AT&L, and the Vice Chairman of the Joint Chiefs. They're the ones who work with DOE to make sure our weapons system components are reliable and trusted and to make sure that we have a safe, reliable, and effective nuclear deterrent. Admiral, when we look at building a force of cyberwarriors, a cyberteam, how can we use it to help do that? Because it strikes me that that can help us in retaking highly qualified individuals who want to devote part of their life to helping their country, and it would seem to almost be a perfect fit for us. So we have taken a total force approach to the force that we're building out that includes both guard and reserve. Every service slightly different. Not the least of which because different services have very different reserve and guard structures. That is a part of it. I say one of the challenges that we're still trying to work our way through is under the Title 32 piece, how we coordinate what guard and reserve are doing, how we generate capacity and bring it to bear with maximum efficiency. The one thing, the two things in partnering with my guard teammates and my reserve teammates, because we're taking a total force approach to this, we need one standard for this. We don't want a place where the guard and reserve are trained in one standard and the active side is trained to a different. That gives us maximum flexibility in how we apply the capability across the force, and the guard and reserve has done great in that regard. Secondly, we need one common unit structure. We don't want to build unique capability, unique, one-of-a-kind structures in the guard and reserve that don't match the Title 10 side. We want to treat this as one integrated force.
Again, I would give the guard and reserve great kudos in that regard. We've got a common vision, wa we need to go, and we've got a great exercise, Cyber Guard, that we're using every year where we bring together the guard, the private sector, the active component, government, and work our way through the specifics of how we're going to make it work. Director Clapper, and I apologize if you already answered this. What is the one cyberchallenge are you most concerned about? Well, obviously the one that I think about is, would be a massive Armageddon-like scale attack against our infrastructure. That is not, we don't consider that the most likely probability right now. The greater threat or low to moderate sort of threats that we're seeing and what I have seen in the five years I've been in this job is a sort of progression where these get more aggressive and more damaging. And as indicated in my oral statement at the outset, what I will see, I think what we can expect next are data manipulation which then calls to question the integrity of the data, which in many ways is more insidious than the kinds of attacks that we've suffered thus far. Ise specter is this massive attack, although it's not likely. Thank you. Thank you, Mr. Chairman. Thank you, Mr. Chairman. Annex three of the recently signed Iran nuclear agreement calls for the participating countries to work with Iran to strengthen Iran's ability to protect against and respond to nuclear security threats including sabotage as well as to enable effective and sustainable nuclear security and physical protection systems, closed quote.
Secretary Clapper, do you read this portion of the Iran nuclear agreement, the annex, to include cyberthreats, meaning that the P5 plus 1 countries who are part of this agreement will be expected, will be deemed to have an obligation under the agreement to assist Iran in developing systems to prevent other countries from using cybercapabilities to acquire information about or to disrupt the operations of Iran's nuclear capabilities, Iran's nuclear programs? Well, in this environment, I will say that I trust that this is not going to prevent us from gleaning intelligence from our traditional sources in the interests of verifying the agreement, which will be principally monitored by an international organization, IAEA. I'm not aware of any structures on our ability to collect on their behavior and their components. Why would we want to give Iran the ability to defend against cyberweapons that we or perhaps some of our allies might one day want to use against Iran? Sir, in this environment, open environment, there are some aspects here that I can't discuss. Discy to talk with you privately, classified about you that. Okay. Okay. Disputing the fact that the agreement says that, that we would have to. No. Okay. Now, can you tell me in this environment what specific technical assistance we'll be offering Iran in this portion of the agreement? I honestly don't know the answer to that question. Th ier thought research, I don't know exactly what, what's in mind there. Now, would any of these capabilities, once acquired by Iran, prevent or inhibit any allies, any enemy of Iran from using cybermeasure against Iranian nuclear facilities? Again, I'm reluctant to discuss that in this were consulted by U.S. negotiators during the nuclear negotiations in connection with this portion of the agreement? Well, the intelligence community was deeply involved in, throughout the negotiations.
Can you describe the nature of any consultation you had with them as to this portion of annex three? With the Iranians? Yes. No, I did not engage with any Iranians. No, that's not what I'm asking. I'm asking if you could describe your discussions with U.S. negotiators as they came to you and consulted with you on the implications of this portion of annex three. I didn't actually, my lead for this was Norm Roule, was known to many of you on this committee, National Intelligence Manager for Iran, and he was the direct participant. And I don't want to speak for him as to the extent to which he was involved or consulted on that provision. You'll have to ask him. Okay. But you would have been aware of the consultation going on. I'm sure he came to you and said, look, this is going to impact our ability, the ability of the United States to do what we need to do with respect to Iran. Again, sir, that I would rather discuss what the potential response of ours could be in a closed setting. Okay. Secretary Work, how is the department working to ensure that the hardware and software on some of these major programs that we're developing to future contingencies and technological advances so they can continue to address emerging cyberthreats well into the future without major overhauls of the entire system? Senator, as I said, we are now putting into our KPPs, or Key Performance Parameters, on any new systems, specific cyberhardening requirements, much like during the Cold War when we had EMP requirements for many of our systems. The problem that we face is that many of the old systems that are still in service were not built to respond to the cyberthreats that we see today. We're having to go back through all of those older systems, determine which ones are most vulnerable, prioritize them and make fixes. So it also goes back to Senator Donnelly's question on the trusted foundry.
We're trying to determine what is the best way to ensure we have reliable and trusted microelectronics. Thank you. I see my time's expired. Thank you, Mr. Chairman. Thank you, Mr. Chairman. Secretary Work, if there's a catastrophic attack tonight on the fiscal infrastructure or financial infrastructure of this country, I do not want to go on cable news in the morning, if there is cable news in the morning, and say the administration told us that the policy is still in development. We've got to get on this. We've been talking about it for years. As the chairman pointed out, this was an essential part of our National Defense Authorization Act a year ago. The idea that we can continue to simply defend and never have an offensive capability I just think is ignoring this enormous threat which we all agree. Let me ask a one-word question to each of you. Do we need an offensive capability in the cyberrealm in order to act as a deterrent? Secretary Work? We need a broad range of response options to include. Do we need an offensive cybercapability to act as a deterrent? I would say yes, sir. Secretary, Director Clapper? Absolutely. Admiral? Yes. Thank you. The second part of that is that it can't be secret. Our instinct is to make everything secret. The whole point of deterrent capability is to make it not secret. I suspect we do have a capability, but part of a deterrent is it has to be made public. I think another question that needs to be addressed, and don't necessarily think it in this hearing this morning but in terms of the policy, we need to define what an act of war is in the cyberarea. Whether hitting Sony Pictures is an act of war or the OPM, and how do you draw those lines. I would suggest that's got to be part of the policy definition. I don't mean to imply, Secretary Work, that this is easy, but it's urgent.
End that's the, we simply can't defend ourselves by saying, well, it was complicated, we didn't get to it. Changing the subject slightly, Admiral Rogers, do you believe that the dispersion of responsibility in the federal government for cyber is a potential problem? It strikes me we've got agencies and departments and bureaus. I suspect you could name 15 of them if you tried that all have some responsibility here. Do we need to strengthen Cyber Command and make that the central repository? I would not make Cyber Command the central repository. This is much broader than just the DoD perspective. I've been very public in saying we've got to simplify the structure for the outside world. If you're on the outside looking in, and I hear this from the private sector fairly regularly, who do you want me to go to? Should I talk to the FBI? To DHS? Why can't I deal with you? Do I need, if I'm a financial company, should I be talking to the sector constantly? We have got to try to simplify this for the private sector. If I might add to that, Senator King, it's one of the reasons why I had a very brief commercial for just within the intelligence community of integrating the cyberpicture and common operating picture simply from within intelligence, let alone what we do to react or protect. And that to me is one important thing. I have come to believe we need along the lines of a mini NCTC or NCPC. I would hope that, and the leadership and decisionmaking that has to start with the White House. Has to start with the administration for an all of government approach to dealing with this dispersion of responsibility problem. I would point out parenthetically that it's not the subject of this hearing, but the fact that we owe China trillions of dollars compromised our ability to interact with China in a firm way. It's a complicated relationship, and that's one of the things that makes it difficult.
Director Clapper, do you have any idea what brought the Chinese to the table for this recent agreement with the president? Well, it appears that the threat of the potential economic sanctions, particularly imposing them right before the visit of President Xi, got the attention. That's why they dispatched the minister to try to come to some sort of agreement, which is what ensued subsequently. I agree that it's not a definitive agreement or treaty, but I do agree, Secretary Work, that it's a step in the right direction. At least these issues are being discussed. But countries ultimately only act in their own self-interest. We have to convince the Chinese that it's in their interest to cut out this activity that's so detrimental to our country. Thank you, gentlemen. Sir? Yes, sir? One quick comment. Just because we have not published our policy, it is so broad and encompassing, going over things like encryption. What are the types of authorities we need? It does not mean that if we did have an attack tonight we would not, we do not have the structure in place right now with the national security team to get together to try to understand who caused the attack, to understand what the implications of the attack were and what response we should take. Those are in place right now. But the whole point of being able to respond as deterrent so the act won't occur. Dr. Strangelove taught us we have a secret machine and no one uses it doesn't work. The deal is they have to know how we will respond, and therefore, not attack in the first place. Thank you, thank you all, gentlemen, for your testimony. On behalf of the chairman, human rights let me recognize Chairman Fisher. Thank you, Senator Reed. Te kingfi g up where senator was going on this, many of you talked about establishing norms in cyberspace. Do you think it's possible to establish or maintain that norm without enforcement behaviors?
When we look at publicly identifying those who are responsible for an activity or imposing costs on them, can we, can we do that? I'll begin with you, Mr. Secretary. Well, I believe that trying to establish these norms are very, very helpful. In the Cold War, for example, there was a tacit agreement that we would not attack each of our early warning missile launches, the warning satellites. And so establishing these norms are very important. They will be extremely difficult because the enforcement in cyber are far more difficult because it's much more easy to attribute missile attacks, et cetera. I believe that this agreement with China is a good first step, that we should strive to establish norms especially between nation states. Establish norms which we believe are beyond the bounds and to try to establish mechanisms by which we can work these through. This will be very, very difficult, Senator, because it's much more difficult. We have the added problem, of course, the norms are, as Secretary Work said, really applicable to nation states. And of course, you have a whole range of non-nation state actors out there who wouldn't necessarily subscribe to these norms and would be a challenge to deal with even if there were nation state, mutual agreement. I would echo the comments of my two teammates. I'm struck by were allcaes. In my early days as a sailor, well before I got into this business, at the height of the Cold War out there, between the Soviets and us, we knew exactly how far we could push each other. And we pushed each other at times right up to the edge. We developed a set of norms, we had a series of deconfliction maritimes in the environment. We developed a set of signals over time so we could communicate with each other. So I'm comfortable that we'll achieve this over time in the but on state arena. As my teammates said, it's the nonstate actor that really complicates this to me. Going to make this difficult.
When we're attacked in cyberspace, how do we impose costs on those who are attacking us? Do we respond in cyberspace, or can we look at other ways to, I think, respond in an appropriate manner, say, with sanctions? What would you look at, Admiral? What we have talked about is we want to make sure we don't look at this just from one narrow perspective. That we look more broadly and look across the breadth of capabilities as a nation and bring all of that to bear as we look at options as to what to do, and it's a case-by-case basis. There's no one single one-size-fits-all answer to this. Fundamentally think more broadly, not that cyber isn't part of this. I don't mean to imply that. Correct. Mr. Secretary, would you agree with the admiral? Do you see a variety of options, and wouldn't it be more beneficial as a country to have a policy that is a public policy on what those options could be and the consequences that would be felt when we are attacked? Absolutely. And that is what
