Has come for the creation of such a center to parallel the uh centers that we operate for o counterterrorism, counter nters proliferation and Counter Intelligence and security. Eratio with that, let me turn to deputy secretary work. Chairman mccain, Ranking Member reed, distinguished members of the committee, thank you very much for inviting us here this morning to talk about the threats of cyber. This committee has led the way in discussing the threats and the response to these threats t ded the department looks forward to working with the committee to get betterpa. In this regard. As dni clapper said, cyberintrusions and attacks by both state and nonstate actors i have increased dramatically in c recent years and increasely d troubling are the scale of state sponsored cyberactors breaching u. S. , government and business networks. These adversaries continually adapt, threatening our networks and systems of the department od defense, our nations Critical Infrastructure, and u. S. Companies and interests globally. The recent spate of cyberevents to include the intrusion into opm, the attacks on sony and thf joint Staff Networks by athlete separate statees actors is not y just espionage of convenience, but threat to our National Security. One as one of our responses to this growing threat we released in 2015 the dod cyberstrategy, he which will guide the developmend of our cyberforces and strengthen our cybersecurity and cyberdeterrent posture. That is its aim. The department is pushing hard to achieve the departments three Core Missions as defined in the strategy. The first and absolutely most Important Mission is to defend dod Network Systems and ategy. T information. Secretary carter has made this t the number one priority in the t department, and we are really getting after it now. Second, to defend the nation mad against cyberevents of subsequent consequence, and third, to provide cybersupport operational and contingency plans. The u. S. Cybercommand may be conducted to direct cyberoperations in coordination with other governmentta agencie as appropriate to deter to defeat strategic threats and other demands. Al my submitted statement to mr. Chairman contains additional detail on how were moving out to achieve these three strategic goals. But i would like to highlight ay particular focus on deterrents,h especially since i knower this n key in the minds of most of the members here. I want to acknowledge upfront that the secretary and i recognize that we are notde whe we need to be in our deterrent posture. We do believe that there are some things that the department is doing that are working, but we need to improve in this areat but out question. And thats why weve revised oud cyberstrategy. The deterrencecy is a function perception. It works by convincing any potential adversary that the ft costs of conducting the attack e far outweigh any potential y any benefits and therefore the thre main pillars of our current ms cyberstrategy in terms of ence, deterrents are denial,co resilience, and cost imposition. Denial means preventing the cyberadversary from achieving his objectives. Resilience is that our systems will continue to perform their o essential military taskings evey when they are contested and cost imposition is the ability to make our adversaries to pay a much higher price. I would like to briefly discuss these three elements, to deny the attacker the ability to mili adversely impact our military wn weweions, we have to better defend our own Information Networks and data. And we think the investments we have made in these capabilities are starting to bear fruit. But we recognize the technical y upgrades are only part of the fl solution. Networ nearly everyk single one of th Successful Network exploitations that we have had to deal with can be traced to one or more human errors, which allowed an entry into our network. So raising the level of individual cybersecurity t awareness and performance is absolutely paramount. Accordingly, were working to oi transform oungr cybersecurity culture, something that we humn ignored for a long time, either longterm by improving Human Performance and accountability in this regard. As part of this effort, we haver just recently published a cybersecurity discipline rought Implementation Plan and a scorecard that is brought befors the secretary and meec every month, and theyre critical to achieving this goal of mitigating risks to dod missions. This scorecard holds commandersa accountable forcc hardening and protecting their end points and critical systems, and also have them hold accountable their personnel. Thd direct, asng i said, the compliance reporting to the secretary and me on a monthly basis. E the first scorecard was published in august of this year, and it is being added to t and improved as we go. A denial also means defending the nation againster t cyberthreats significant consequence. The president has directed dod o working in partnership with our other agencies t to be preparedo blunt and stop the most dangerous cyberevents there may be times where the president and the secretary of defense directs dod and others to conduct a hey defensive cyberoperation to stop a cyberattack from impacting oum national interests. And that means building and just maintaining theha capabilities do just that. This is a Challenging Mission ci requiring highend capabilitiess and extremely high trained teams. De were building our cybermissiond force and deepening our partnership with Law Enforcement in the Intelligence Community to do that. Ci o the second principle is improving resiliency by reducing the ability of our adversaries to attack us through cyberspace and by protecting our ability to protect missions in a degraded a cyberenvironment. Ourpote adversaries view, dod s dependency as a potential wartime vulnerability. We view our ability to fight through Cyber Attacks as a Critical Mission function that n means normalizing cybersecurity ass, b part of our mission assue efforts, building redundancy when possible, training constantly to operate in a contested cyberenvironment. Adversaries have to see thattts adese cyberattacks will not provide them a significant operational advantage. Va and the third aspect of ing a deterrence isca having to demonstrate a capability to respond through cyber or noncybermeans to impose costs on a potential adversary. The administration has made clear that we will respond to Cyber Attacks in a time, mannerf and place of our choosing, and the department has developed cyberoptions to hold an succe migressor at risk in cyberspace if required. Successfully executing our missions requires a whole of government and whole of nation approach. And for that reason, dod continues to work with our partners and the other federal departments, agencies and the e private sector and our partnersr around the worlds, to address te sharedrs challenges we face. Secretary carter has placed particular emphasis on sis o partnering with the private t sector. The department doesnt have all w of the answers and is working with industry. We think it will be very, very critical. Finally, our relationship with congress is absolutely critical. The secretary and i very much appreciate the support provided to dod cyberactivities throughouty. An from the very beginning, and wea understand and we arere lookingt forward tohe the National Defen authorization act to see if there are other improvements on c we have we can do. I encourage continued efforts to pass legislation on cybersecurity information sharing. We think that is absolutely rele critical. Data breach notification and Law Enforcement provisions related t to cybersecurity, which were included in the president s legislative proposal submitted earlier this year. I i know you agree that the American People expects us to defend the country against threats of significant consequence. The secretary and i look forward to working with the committee and congress to make sure that we take every step possible to e confront the substantial risks k we face in the cyber realm. O thank you again for inviting us. Here today and giving the attention that you have always given to this urgent matter. Man. Id like to pass it on now to admiral rogers, if that is okay, mr. Chairman. Sir. Chairman mccain, Ranking Member reed and distinguished members of the committee, i am m honored to appearit before you today to discuss u. S. Cyberpolicy and the state ofpo cyberthreats worldwide. Id like to thank you for convening this forum and for your efforts in this important area. For im also honored to be sitting g alongside director clapper and deputy secretary of defense work. It gives me. Great pride to appear before you today to nd te highlight and commend the unifor accomplishments of the uniformee and civilian personnel of u. S. Cybercommand. Im both grateful for and humbled by the opportunity i have been given to lead our cyberteam in the important worki they do in defense of our nation and our department. Were being challenged as never before to defend our nations interest and values in cyberspace against state groupsd and individuals that are using s sophisticated capabilities to s conduct cyberaggression and rtao cyberexploitation. The targets of their efforts extend well beyond government and in privately owned businesses and personally identifiable information. Our military is in constant and contact with agile, learning ngv adversaries iner cyberspace, apt adversaries that have showny th capacity and the willingness to take action against soft targetn in the United States. And w there areer countries that are integrating cyberoperations into a total strategic concept for advancing their regional ates a ambitions. They use rocyberoperations to influence the perception and actions of states around them and to shape what we see as our options for supporting allies and friends in a crisis. Well need to deter these activities by showing that they are unacceptable, unprofitable, and risky for the instigators. U. S. Cybercommand is building sr capabilities that can contribute to cross domain deterrents. We are hardening our networks and showing it wont be easy. Or were creating the mission for us trained and ready like any other maneuver element that is defending dod networks, supporting joint force commanders and helping to defend Critical Infrastructure within our nation. We are partnering with federal, foreign, and Industry Partners and exercising together od regularly to rehearse concepts l and responses topi destructive Cyber Attacks against Critical Infrastructures. Naher we are generating options for rt commanders andac policymakers da across all phases of the conflict andisk particularly in phase zero to hold at risk what ouronti adversaries truly valued the demand outstrips supply, but we continue to rapidly mature and the hard work of the men and women of the u. S. Cybercommand and our cybercomponents as well as our broader partners. I would like to assure the committee that u. S. Cybercommand has made measurable progress. Were achieving significant operational outcomes and we have a clear path ahead. With that, thank you again, mr. Chairman, and members of the convening this forum, inviting all of us to speak. Our progress has been made possible in no small part because of support from this committee and other su stakeholders. Committ unity of effort within our St Department and across the u. S. T government within this mission set ismego essential, and i appreciate our continued. Partnership as we build our nations cyberdiagnosefenses an welcome your question. Thank you, admiral and thank you, witnesses. Edch director clapper, chief dempseys was asked about various threats to United States security. He said in a whole range of do y threats we have the significant advantage except in cyber. Do you agree with that assessment . It its probably true. We havent i guess exhibited what our potential capability bh there is. One of the thats implicit reasons i have highlighted cyberthreats in theu last three years of my worldwide threat assessments. I thank you. And you have done that i think at least to great effect before this committee. As a relative humidity of the leader the chinese leader in. Washington, there was some ll agreement announced between the United States and china. Chinese do you believe that that will result in an elimination of chinese cyberattacks . Well, hope springs eternal. O i think we will have to watch what their behavior is, and it , will be incumbent on the Intelligence Community i think to depict, portray to our policymakers what behavior changes if any result from this agreement. Are you optimistic . No. Thank you. Admiral rogers, you recently stated, quote, there is a perception, quote, there is little price to pay for engaging in some pretty aggressive le behaviors. And because ofic a lack of ub repercussions, you see actors, o nationns states, indeed willingo do more. And this was what you said. What is required . What action is required to deter these attacks since there is do little price to pay . Arti do h we have to do to maket a heavy price to pay . I think we have to clearly articulate in broad terms what. Is acceptable and unacceptable enormous. Clearly develo to c articulate that as a nation we i are developing a set of capabilities. We are prepared to use those o capability if there is requiredn theyre not necessarily our preference. We clearly want to engage in a o dialogue with those around us. Nt but on the other hand, we do have to acknowledge the Current Situation we find ourselves in. U i dont think there is anyone pt ino would agree thatab it is acceptable and it is in our best longterm interests as a nationt i say with respect. I understand its not acceptable. S and but in other words, what would enact a price . Would it be relations in other areas . Would it bed counterattacks . In other words, what actions would be in our range of arsenals to respond . Those so i think its potentially all of those things. The first comment i would make, i think sony is a very instructive example. One of the things i always remind people of, you need to mm think aboutor deterrents much mi broadly, not just focus in the cyberarena. I thought the response to sony where we talked about the economic options as a nation weu would exercise was a good way te remind the world around us that there is a broad set of than capabilities and levers nd. Available to us as a nation, and were prepared to do more than just respond in kind, if you will. Director clapper, one of the things that has been disappointing to the committee is that in the fizz cal year, iw required the president to w develop anhe integrated policy. The project is now a year late. Can you tell us where we are in that process and what you feel is what might bring the administration in compliance . Youre asking me about policr development . Yes. I think i would defer to secretary work on that. Well, mr. Chairman, as we oe have said over and over, we tany believe our cyberdeterrent strategy is constantly evolving and getting stronger. Im talking about a policy, not a strategy, mr. Secretary. Dequired a policy the fiscal dear 14 National Defense authorization act. The policy is still in development. Ve we believe we have a good cyberstrategy. The policy has been outlined in Broad Strokes by the not broad enough, i would think. Does it describe whether we deter or where we respond or whether we in other words as far as i know and the committee knows that there has been no specific policy articulated in compliance with the requirement to the Defense Authorization u act. If yoube believe that it has, i would be very interested in hearing how it has. I believe the Broad Strokes are im not asking Broad Strokeses. Suppose there isve a suber atta like the one on opm do. Ck, do we have a policy as to what we t do . Yes, we do. What is that . The first is first we deny and then first find out 00 and forensics. Im not asking the terattac methodology. Im asking the policy. Do you respond by counter attacking . Do you respond by enact other measures . What do we do in case of a cyberattack . We respond in a time, manner and place does . O thatwe mean we countn attack . That may be one of the the actions. Ons. Thats not a policy, secretary work that is an exercise in options. We have not got a policy. And for you to sit there and tell me that you do a broad strategy frankly is not ateg in compliance with the law. Senator reed . Thank you very much, mr. Chairman,. Director clapper, were constantly engaged euphemistically operations with many other nations and their involved in Information Operations, as you indicated in your testimony influence the tc. Opinion, disguise activities, disrupt, et cetera. What agencies are under your purview or outside your purview are actually engaged in Information Operations for the United States in the cyberworld . Actually, sir, from a perspecti intelligence perspective, we would feed that we dont at least what iivaoc can speak to publicly engage in that as part of our normal intelligence activities. So weel feedli other arms, supp other arms of the government not only the state department, and a those responsible for messaging. The National Counterterrorism mm center has an office that is devoted to in countering violenc extremism context helping to develop themes or recommending themes based on what we glean from intelligence for potential vulnerabilities and messag