[09:30:00] SEN. JOHN MCCAIN (R), CHAIRMAN, ARMED SERVICES COMMITTEE: Senator Warren and Senator Peters. It's a special privilege to serve on this committee, most of all because it affords us the opportunity to spend so much time in the company of heroes, the men and women who serve and sacrifice on our behalf every day. I hope you will come to cherish your service on this committee as much as I have over the years and I look forward to working with each of you.
The committee meets this morning for the first in a series of hearings on cyber security to receive the testimony on foreign cyber threats to the United States. I'd like to welcome our witnesses this morning; James Clapper, director of National Intelligence. Marcel Lettre, undersecretary of defense for intelligence, and Admiral Mike Rogers, commander of U.S. cyber command, director of the National Security Agency and chief of the Central Security Service.
This hearing is about the range of cyber security challenges confronting our nation. Threats from countries like Russia, China, and North Korea and Iran as well as non-state actors from terrorist groups to transnational criminal organizations. In recent years, we've seen a growing series of cyber attacks by multiple actors, attacks that have targeted our citizens, businesses, military, and government.
But there's no escaping the fact that this committee meets today for the first time in this new Congress in the aftermath of an unprecedented attack on our democracy. At the president's direction, Director Clapper is leading a comprehensive review of Russian interference in our recent election with a goal of informing the American people as much as possible about what happened.
I am confident that Director Clapper will conduct this review with the same integrity and professionalism that has characterized his nearly half a century of government and military service. I'm equally confident in the dedicated members of our intelligence committee -- community. The goal of this review, as I understand it, is not to question the outcome of the presidential election, nor should it be.
As both President Obama and President-elect Trump have said, our nation must move forward. But we must do so with full knowledge of the fact. I trust Director Clapper will brief the Congress on his review when it is completed. This is not the time or place to preview its findings.
That said, we know a lot already. In October, our intelligence agencies concluded unanimously that, quote, "The government -- the Russian government directed compromises of e-mails from U.S. persons and institutions including from U.S. political organizations."
They also assessed that, quote, "Disclosures of alleged hacked e- mails were consistent with the methods and motivations of Russian- directed efforts and that these thefts and disclosures were intended to interfere with the U.S. election process." Since then, our intelligence community has released additional information concerning these Russian activities including a joint analysis report that provided technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence services to attack the United States.
Every American should be alarmed by Russia's attacks on our nation. There is no national security interest more vital to the United States of America than the ability to hold free and fair elections without foreign interference. That's why Congress must set partisanship aside, follow the facts, and work together to devise comprehensive solutions to deter, defend against and when necessary, respond to foreign cyber attacks.
As we do, we must recognize that the recent Russian attacks are one part of a much bigger cyber -- cyber problem. Russian cyber attacks have targeted the White House, the joint staff, the State Department, our critical infrastructure. Chinese cyber attacks have reportedly targeted NSA, the Department of State and Commerce, congressional offices, military labs, the Naval War College, and U.S. businesses including major defense contractors.
Most recently, China compromised over 20 million background investigations at the Office of Personnel Management. Iran has used cyber tools in recent years to attack the U.S. Navy. U.S. partners in the Middle East, major financial institutions, and a dam just 25 miles north of New York City, and of course, North Korea was responsible for the massive cyber attack on Sony Pictures in 2014.
What seems clear is that our adversaries have reached a common conclusion that the reward for attacking America in cyberspace outweighs the risk. For years, cyber attacks on our nation have been met with indecision and inaction. Our nation has no policy and thus no strategy for cyber deterrence. This appearance of weakness has been provocative to our adversaries who have attacked us again and again with growing severity.
Unless we demonstrate that the cost of... MCCAIN: Unless we demonstrate that the cost of attacking the United States outweigh the perceived benefits, these cyber attacks will only grow.
This is also true beyond the cyber domain. It should not surprise us that Vladimir Putin would think he could launch increasingly severe cyber attacks against our nation when he had paid little price for invading Ukraine, annexing Crimea, subverting democratic values and institutions across Europe and of course, helping Bashar Assad slaughter civilians in Syria for more than a year with impunity.
The same is true for China, Iran, North Korea and any other adversary that has recently felt embolden to challenge the world order. Put simply, we cannot achieve cyber deterrence without restoring the credibility of the U.S. deterrence more broadly.
To do so, we must first have a policy which means finally resolving the long list of basic cyber questions that we as a nation have yet to answer. What constitutes an act of war or aggression in cyber space that would merit a military response?
Be it by cyber, or other means? What is our theory of cyber deterrence and what is our strategy to implement it? Is our government organized appropriately to handle this threat? Or are we so stove piped that we cannot deal with it effectively?
Who is accountable for this problem? And do they have sufficient authorities to deliver results? Are we in the Congress, just as stove piped on cyber as the executive branch, such that our oversight actually reinforces problems rather than helping to resolve them?
Do we need to change how we are organized? This committee intends to hold a series of hearings in the months ahead, to explore these and other questions. And we look forward to hearing the candid views of our distinguished witnesses today, who have thought about and worked on these questions as much as anyone in our nation.
REED: Well, thank you very much, Mr. Chairman. I want to commend you for your leadership in promptly scheduling this meeting on foreign cyber threats.
I'd also like to welcome our witnesses; Director Clapper, Undersecretary Lettre and Admiral Rogers, thank you gentlemen for your service and your dedication.
While I understand that our witnesses will be discussing the cyber threats that many countries, including China and India, pose to our nation I would like to focus for a few minutes on the widely reported instances of Russian hacking and disinformation that raised concerns regarding the election of 2016.
In addition to stealing information from the Democratic National Committee and the Clinton campaign and cherry-picking what information it leaked to the media, the Russian government also created and spread fake news and conspiracies across the vast social media landscape.
At the very least, the effect of Russia's actions was to erode the faith of the American people and our democratic institutions. These and other cyber tools remain highly active and engaged in misinforming our political dialog, even today.
There is still much we do not know, but Russia's involvement in these intrusions does not appear to be in any doubt. Russia's best cyber operators are judged to be as allusive and hard to identify as any in the world.
In this case, however, detection and attribution were not so difficult, the implication being that Putin may have wanted us to know what he had done, seeking only a level of plausible deniability of support and official rejection of culpability.
These Russian cyber attacks should be judged within the larger context of Russia's rejection of the post-Cold War international order and aggressive actions against its neighbors.
Russian's current leaders and President Putin in particular, precede the democratic movements in the form of Soviet States, the west general support for human rights, press against the rule of law and democracy, as well as NATO and E.U. enlargement, as a threat to what they believe is Russia's sphere of influence.
Putin's Russia makes no secret to the fact that it determined -- it is determined to aggressively halt and counter what is characterizes as western encroachment on its vital interest. Invasion of Georgia, the annexation of Crimea, the aggression against Ukraine featuring sophisticated hybrid warfare techniques, a continuing of those military build-up despite a declining economic, saber-rattling in the Baltic's and Baltic Sea, the authoritarian on float against the press, NGOs and what remains of the Russia democratic opposition, the unwavering campaign for national sovereignty over the internet and the creation of an iron information curtain.
Like China's great firewall and its aggressive interference in western political processes all are one piece. Russia's efforts to undermine democracy at home and abroad and destabilize a country is on its border, it cannot be ignored or traded away in exchange for the appearance of comity.
REED: Furthermore, what Russia did the to the United States in 2016, it is already does -- has done rather, and continues to do in Europe. This challenge, the progress of democratic values since the end of the Cold War must not be tolerated.
Despite the indifference of some to this matter, our nation needs to know in detail what the intelligence community has concluded was an assault by senior officials on a foreign government on our electoral process. Our electoral process is the bedrock of our system of government, an effort to manipulate it, especially by a regime with values and interests so antithetical to our own, is a challenge to the nation's security which must be met with bipartisan and universal condemnation, consequences and correction.
I believe the most appropriate means in conducting inquiry is the creation of a special select committee in the Senate. Since this issue and the solutions to the problems has been exposed, spill across the judicial divides of the standing committees on armed services, intelligence, foreign relations, homeland security, and judiciary. Failing that, our committee must take on as much as of this task as we can. I again, commend the chairman for his commitment to do so.
Therefore I am pleased and grateful that his efforts will be expended, the energy will be invested on the matters that are so critical to the American people.
I also want to applaud president Obama's initial steps, publicized last week to respond to Russia's hostile actions. General Clapper, Undersecretary Lettre, Admiral Rogers, we appreciate your urgent efforts to discover what happened and why and to make these facts known to the president, the president-elect, Congress and the American people. Although your investigation to report to President Obama is not yet public, we hope you'll be able to convey and explain what's been accomplished so far, including the steps already announced by the president.
In addition I am sure we'll have many questions about how we are organized in the cyber domain and what changes you have recommended going forward. Subjects that President Obama referenced in his signing statement of the national defense authorization act for fiscal year 2017. These are difficult issues, but they are vital importance to our nation, our security and our democracy.
Mr. Chairman, I look forward to working with you in a bipartisan manner to conduct a thorough and thoughtful inquiry, and to do more to address the cyber threats our nation's basis, more broadly by state and non-state actions. Thank you very much.
MCCAIN: Welcome the witnesses and Mr. Secretary we'll begin with you for any opening statements or comments you might have.
LETTRE: Thank you Chairman, Ranking Member Reed, members of the committee. I appreciate the opportunity to be here today.
I will shortly turn the microphone over to Director Clapper for some comments followed by Admiral Rodgers. As this is my last appearance before this committee before stepping down from eight years of Pentagon service in a few weeks. I want to thank...
MCCAIN: I'm sure that that is -- I'm sure you'll regret not having that opportunity again.
LETTRE: It will be nice to be skiing a little bit in February, that's for sure.
But having said that, since I am just a few weeks from stepping down, I do want to thank this committee for its partnership and I want to thank Director Clapper and Admiral Rodgers for the privilege of being able to serve together with them and the leadership of the U.S. intelligence community.
And to the men and women of the U.S. intelligence community, civilian and military, thousands of whom are deployed today around the world advancing U.S. interest and protecting America. I do admire your integrity, I admire your service. It has been an honor to serve with you over the last many years.
In the interest of time, I'll briefly note the Department of Defense's views on cyber in three core themes. First, the threats we must address, second, what we are doing to address them now and third, the difficult, but urgent work we know still lies ahead.
First, the threats.
As you know, the Department of Defense's leadership believes we confront no fewer than five immediate, but also distinct and evolving challenges across all operating domains. We are countering the prospect of Russian aggression and coercion, especially in Europe, something we unfortunately have had to energetically renew our focus on in the last several years. We are also managing historic change in perhaps the most consequential region for America's future, the Asia- Pacific and watching the risks of China's destabilizing actions in the region.
We are checking Iranian aggression and malign influence across the Middle East. We are strengthening our deterrent and defense forces in the face of North Korea's continued nuclear and missile provocations. And we are countering terrorism with the aim of accelerating the lasting defeat of ISIL and Al Qaida. These are what many in the Department of Defense have termed the four-plus-one; Four state-based challenges and an ongoing condition of battling terrorism.
As our joint statement for the record has detailed, each of these security challenges; China, Russia, Iran, North Korea, and global terrorist groups such as ISIL, presents a significant cyber threat dimension to the U.S. military. Cyber is an operating domain that is real, complex, dynamic, contested, and must be addressed.
Second, what we are doing about it. The Department of Defense has, for several years, pursued a comprehensive strategy for maintaining the necessary strategic dominance in this domain. Secretary of Defense Ash Carter has pressed for DOD to change, to adapt, and to innovate not only to meet today's challenges, but also to ensure that we effectively defend against cyber threats well into an uncertain future.
We have built and continue to build the means and methods that will strengthen our relative position against each of these dimensions of the cyber threat. The government's cyber policies reflected in presidential policy directives and executive orders provide guidance on the absolute necessity of a whole of government approach critical to protecting our nation.
The department has developed, refined, and published its cyber strategy which clearly lays out three key DOD cyber missions; defending DOD networks, providing cyber options for our military commanders and when called upon by our nation's leaders, defending the nation against cyber attacks of significant consequence. As the director and Admiral Rogers will note, since 2009, the department has matured Cyber Command to ensure clear command responsibility and authority and growing capabilities essential to our unity of effort for cyber operations.
We also continue to mature our cyber mission forces which this fall achieved initial operating capability or IOC status. This force is providing military capability to execute our three missions in cyberspace. We're building new capabilities and new tools for the cyber mission force to use.
Third, what remains to be done. As much as we have done, we recognize there is much more to do. Let me mention just a couple of those most important tasks here. First, we need to continue to develop and refine our national cyber policy framework which includes the evolution of all dimensions of our deterrence posture, the ability to deny the adversary its objectives, to impose costs and to ensure we have a resilient infrastructure to execute a multi-domain mission.
This refinement and evolution in our deterrent thinking and capability will further empower decision-making at net speed. Second, within the department, Cyber Command has matured and is doing more to protect the nation and support global operations than ever before and we need to continue, in fact accelerate, this maturation.
Accordingly, the secretary of Defense supports the elevation of Cyber Command to a unified combatant command and supports ending the dual- hat arrangement for the leadership of NSA and Cyber Command, in doing so through a deliberate conditions-based approach while continuing to leverage the shared capabilities and synergies.
And finally, we must redouble our efforts to deepen partnerships between government and the private sector and between the U.S. government and our allies. We must continue to seek help from American industry, the source of much of the world's greatest technology talent and innovating to find cyber defense solutions, build resiliency into our critical infrastructure systems, and strengthen our deterrence.
With our international allies and partners we must work together to promote stability in cyber space, universal recognition that existing international law applies in cyberspace, and the adoption of voluntary peacetime norms of responsible state behavior.
Mr. Chairman, thanks. I look forward to your questions. I'll now pass the baton to Director Clapper. Thank you.
MCCAIN: General Clapper?
CLAPPER: Chairman McCain, Ranking Member Reed, and distinguished members of the committee, first, thanks very much for your -- your opening statements.
Obviously we're here today to talk about cyber threats that face our nation and I will offer some brief valedictory recommendations and a few parting observations.
I certainly want to take note of and thank the members of the committee who are engaged on this issue and have spoken to it publicly. I know there is great interest in the issue of Russian interference in our electoral process based on the many classified briefings the intelligence community has already provided on this topic to the Congress.
Secretary of Homeland Security Jeh Johnson and I have issued statements about it. The Joint Analysis Report that you alluded to, publicly issued by the Department of Homeland Security and the Federal Bureau of Investigation, provided details on the tools and infrastructure used by the Russian intelligence services to compromise infrastructure associated with the election, as well as a range of U.S. government, political and private sector entities, as you described.
As you also noted, the president tasked the intelligence community to prepare a comprehensive report on Russian interference in our election. We plan to brief the Congress and release an unclassified version of this report to the public early next week, with due deference to the protection of highly sensitive and fragile sources and methods. But until then, we're really not prepared to discuss this beyond standing by our earlier statements. We are prepared to talk about other aspects of the Russian cyber threat.
We also see cyber threats challenging public trust and confidence in information, services, and institutions. Russia has clearly assumed an even more aggressive cyber posture by increasing cyber espionage operations, leaking data stolen from these operations, and targeting critical infrastructure systems. China continues to succeed in conducting cyber espionage against the U.S. government, our allies, and U.S. companies.
The intelligence community and security experts, however, have observed some reduction in cyber activity from China against U.S. companies since the bilateral September 2015 commitment to refrain from espionage for commercial gain. Iran and North Korea continue to improve their capabilities to launch disruptive or destructive cyber attacks to support their political objectives.
Non-state actors, notably terrorist groups, most especially including ISIL, also continue to use the internet to organize, recruit, spread propaganda, raise funds, collect intelligence, inspire action by disciples, and coordinate operations.
So in this regard, I want to foot-stomp a few points that I've made here before. Rapidly advancing commercial encryption capabilities have profound effects on our ability to detect terrorists and their activities. We need to strengthen the partnership between government and industry, and find the right balance to enable the intelligence community and law enforcement both to operate, as well as to continue to respect the rights to privacy.
Cyber operations can also be a means to change, manipulate or falsify electronic data or information to compromise its integrity. Cyberspace can be an echo chamber in which information, ideas or beliefs, true or false, get amplified or reinforced through constant repetition. All these types of cyber operations have the power to chip away at public trust and confidence in our information services and institutions.
By way of some observations or recommendations, both the government and the private sector have done a lot to improve cybersecurity, and our collective security is better, but it's still not good enough. Our federal partners are stepping up their efforts with the private sector, but sharing of what they have remains uneven. I think the private sector needs to up its game on cybersecurity and not just wait for the government to provide perfect warning or a magic solution.
We need to influence international behavior in cyberspace. This means pursuing more global diplomatic efforts to promulgate norms of behavior in peacetime and to explore setting limits on cyber operations against certain targets. When something major happens in cyberspace, our automatic default policy position should not be exclusive to counter cyber with cyber. We should consider all instruments of national power.
In most cases to date, non-cyber tools have been more effective at changing our adversary's cyber behavior. When we do choose to act, we need to model the rules we want others to follow since our actions set precedents. We also need to be prepared for adversary retaliation which may not be as surgical, either due to the adversary's skill or their inherent difficulty in calibrating effect and impact of cyber tools. That's why using cyber to counter cyber attacks risks unintended consequences.
We currently cannot put a lot of stock, at least in my mind, in cyber deterrence. Unlike nuclear weapons, cyber capabilities are difficult to see and evaluate and are ephemeral. It is accordingly very hard to create the substance and psychology of deterrence, in my view. We also have to take some steps now to invest in the future. We need to rebuild trusted working relationships with industry and the private sector on specific issues like encryption and the roles and responsibilities for government, users, and industry. I believe we need to separate NSA and Cyber Com. We should discontinue the temporary dual-hat arrangement which I helped design when I was undersecretary of defense for intelligence seven years ago. This isn't purely a military issue. I don't believe it is in NSA's or the I.C.'s long-term best interest to continue the dual-hat setup.
Third, we must hire, train and retain enough cyber talent and appropriately fuse cyber as a whole-of-I.C. workforce. Clearly, cyber will be a challenge for the U.S., the intelligence community and our national security for the foreseeable future, and we need to be prepared for that. Adversaries are pushing the envelope, since this is a tool that doesn't cost much, and sometimes is hard to attribute.
I certainly appreciate, as we all do, the committee's interest in this difficult and important challenge. I'll wrap up by saying, after 53 years in the intelligence business in one capacity or another, happily I've just got 15 days left. I'll miss being involved in the intelligence mission, and I will most certainly miss the talented and dedicated patriots who are in the United States intelligence community.
I'm very proud of the community professionals I've represented here for the last six-and-a-half years who don't get much public recognition and who like it that way. They've always supported me, and I'm confident they will do no less for my successor whoever that turns out to be.
So let me -- with that, let me stop and pass to Admiral Rogers.
MCCAIN: Thank you, General.
ROGERS: Chairman McCain, Ranking Member Reed, members of the committee, good morning and thank you for the opportunity to appear before the committee today on behalf of United States Cyber Command and the National Security Agency.
I'm honored to appear beside Director Clapper and Undersecretary Lettre, and I applaud them both for their many years of public service. It's been a true honor, gentlemen.
When we last met in September, I discussed the changing cyber threat environment. And today, I look forward to further discussing this complex issue. Of course, some aspects of what we do must remain classified to protect our nation's security. So today, I will limit my discussion to those in the public domain.
We have seen over the course of the last year how this cyber threat environment is constantly evolving. We have all come to take for granted the interconnectivity that is being built into every facet of our lives. It creates opportunities and vulnerabilities. Those who would seek to harm our fellow Americans and our nation utilize the same internet, the same communications devices, and the same social media platforms that we, our families, and our friends here and around the world use.
We must keep pace with such changes in order to provide policy- makers and our operational commanders the intelligence and cyber capabilities they need to keep us safe. That means understanding our adversaries to the best of our ability, and understanding what they mean to do and why.
We're watching sophisticated adversaries involved in criminal behavior, terrorism planning, malicious cyber activities, and even outright cyber attacks. While this is a global problem, we have also recently witnessed the use of these tactics here at home.