Return to Transcripts main page
Armed Services Committee Holds Hearing on Cyber Threats. Aired 10-10:30p ET.
Aired January 05, 2017 - 10:00 ET
THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS FINAL FORM AND MAY BE UPDATED.
[10:00:04] ADMIRAL MICHAEL S. ROGERS, DIRECTOR NSA: For NSA's part, we focus on the foreign threat actor in foreign spaces, but we share our information as readily as possible with the rest of our partners in the Department of Defense, the intelligence community and federal law enforcement, as well as others within the U.S. government and the private sector.
As you know, Russian cyber groups have a history of aggressively hacking into other country's government, infrastructure and even election systems. As I've indicated, this will remain a top priority for NSA and U.S. Cyber Command.
In this changing threat environment, I'd like to take this opportunity to emphasize the importance of improving cyber security and working related issues across public and private sectors. We continue to engage with our partners around the world, on what is acceptable and unacceptable behavior in cyber space. And we clearly, are not where we want to be, nor where we need to be in this regard.
We continue to make investments and technologies and capabilities to improve detection of malicious cyber activities and make it more difficult for malicious cyber actors intending to do us harm. Combating cyber threats take more than technology. It takes talented, motivated people. And we are investing more than ever in the recruitment and retention of a skilled work force that is knowledgeable, passionate and dedicated to protecting a nation for the safety of our citizens and of our friends and allies around the world.
Innovation is one of the key tenants of NSA and Cyber Command and we need to invigorate the cyber work force that think creatively about challenges that do not ascribe to traditional understandings of borders and boundaries. This remains a key driver and a key challenge, as we look to the future.
Cyber command is well along in building our cyber mission force, deploying teams to defend the vital networks that support DOD operations, to support combatant commanders in their missions worldwide and to bolster DOD's capacities and capabilities to defend the nation against cyber attacks of significance consequence.
The organizations I lead, U.S. Cyber Command and the National Security Agency, have provided intelligence, expert advice and tailored options to the nation's decision makers in response to recent events. Much of their activities can only be discussed in classified channels, but I must say, I'm proud of what both organizations have accomplished and will accomplish, even as we acknowledge we have to do more.
I look forward to your questions and finally, on one personal note. I apologize to all of you, I have an ongoing back issue. And if I have to stand up in the course of this time period, please don't take that as a sign of disrespect in any way. I guess I'm just getting older.
That's all I have for you, sir.
SEN. JOHN MCCAIN, (R) ARIZONA: I know how you feel.
Director, I just have to -- General Clapper, I just have to mention, the name Mr. Assange has popped up. And I believe that he is the one who's responsible for publishing names of individuals that work for us that put their lives in direct danger, is that correct?
JAMES R. CLAPPER JR., DIRECTOR OF NATIONAL INTELLIGENCE : Yes, he has.
MCCAIN: And do you think that there's any credibility we should attach to this individual, given his record of -- of...
CLAPPER: Not in my view.
MCCAIN: Not in your view.
ROGERS: I second those comments.
MCCAIN: Thank you.
For the record, on October 7th, the Homeland Security and Office of Director of National Intelligence, their assessment was that U.S. intelligence community is confident that the Russian government directed their recent compromise of e-mails from U.S. persons and institutions, including from the U.S. political organizations.
It goes on to say, these thefts and disclosures are intended to interfere with the U.S. election process, quote, "Such activity is not new to Moscow, Russians have used similar tactics and techniques across Europe and Eurasia."
Quote, "Based on the scope and sensitivity of these efforts, that not -- that only Russia's senior most officials could have authorized these activities."
General Clapper, do you --- those are still operable and correct statements?
CLAPPER: Yes, Chairman McCain, they are. As I indicated in my statement, we stand actually more resolutely on the strength of that statement that we made on the 7th of October. MCCAIN: I thank you. And so really, what we're talking about, is if they succeeded in changing the results of an election of which none of us believe they were, that would have to constitute an attack on the United States of America because of the effects, if they had succeeded, would you agree with that?
[10:05:03] CLAPPER: First, we cannot say -- they did not change any vote tallies or -- or anything of that sort.
MCCAIN: Yeah, I'm just talking about...
CLAPPER: And we have no -- we have no way of gauging the impact that -- certainly the intelligence community can't gauge the -- the impact it had on the choices the electorate made. There's no way for us to gauge that.
Whether or not that constitutes an act of war I think is a very heavy policy call that I don't believe the intelligence community should make. But it's certainly -- would carry in my view great gravity.
MCCAIN: Thank you.
Admiral Rogers, have you seen this problem in your position getting worse or better? In other words, it's my information that their techniques have improved, their capability's improved, the degree of success has -- has improved.
Is that -- is your -- is that your assessment?
ROGERS: So, I -- I -- I have publicly said before that the Russians are -- are a feared competitor in cyber. If you look broadly beyond the Russians to cyber at large, the level of capability of nation states and actors around the world continues to increase. I can't think of a single significant actor out there who is either decreasing their level of investment, getting worse in their trade craft or capability, or in any way backing away from significant investments in cyber.
MCCAIN: And with all due respect, you Mr. Secretary, I have not seen a policy -- in other words, I don't think any of our intelligence people know what to do if there is an attack besides report it. I don't think that any of our people know if they see an attack coming what specific actions should be taken.
Maybe I'm missing something, but I've asked time after time, what do you do in the case of an attack? And there's not been an answer. There's not been an answer.
And I -- I -- I believe that unless we have specific instructions to these wonderful men and women who are doing all of this work, then we're going to be bystanders and observers. You know, I'm glad to hear you respond to that.
MARCEL LETTRE, UNDERSECRETARY OF DEFENSE FOR INTELLIGENCE,
DEPARTMENT OF DEFENSE: Mr. Chairman, you're right that we have a lot more work to do to put the right deterrence and response framework in place on cyber. This is somewhat of a new domain of operations and in some cases warfare.
And in -- in -- in my personal opinion, the next administration would -- would be well served to focus very early on -- on those questions of -- of continuing to develop our -- our overarching policy, a comprehensive approach, and a -- a increasingly robust and refined deterrence framework.
MCCAIN: Thank you.
Finally, Director and Admiral, would it make your job easier if you didn't have to report to seven different committees?
CLAPPER: Chairman McCain, my hands have been slapped before when I ventured into the delicate area of congressional jurisdictions. So for...
MCCAIN: Even in the last...
CLAPPER: ... the remaining 15 days that I'm in office, I don't think I'm going to speak to that. Afterwards, I might be different.
MCCAIN: Well, we look forward to calling you back.
ROGERS: Should I second the comments of the Director of National Intelligence?
MCCAIN: But it -- it -- it does make it difficult, doesn't it? With the -- it's not exactly stove piping, but overlapping jurisdictions I think makes your job a little harder, doesn't it? I mean in all candor, Admiral.
ROGERS: I mean, the way I would phrase it is I think clearly an integrated approach is a key -- is a key component of our ability to move ahead here. I -- I would say that in the government, in the private sector, there -- there's no particular one slice where that's not applicable.
MCCAIN: Thank you.
Senator Reed? SEN. JACK REED, (D) RHODE ISLAND: Well, thank you very much Mr. Chairman.
And General Clapper, you responded to the Chairman that in October you and the Director of Homeland Security concluded that the Russian government intervened in the election and Admiral Rogers also seconded that view. That is also today the view for the record of the FBI and the Central Intelligence Agency -- in fact, all the intelligence communities, is that correct?
ROGERS: Yes, the forthcoming report is done essentially by those three agencies, CIA, FBI, and NSA.
REED: And the same conclusion with respect to the involvement of high-level Russian authorities is -- is shared by the -- all of these agencies?
[10:10:00] REED: The -- the chairman just noticed the -- the legislative compartmentalization. Does that reflect also in terms of operations, in terms of -- for example, Admiral Rogers, if you, through NSA or through your sources detect a -- something that is obviously a -- a disruption, something that is patently wrong, you can communicate to the FBI or law enforcement, but there's no mechanism to make things happen administratively, is that fair?
ROGERS: There's certainly process and, in fact, there have been several instances that I can think of in the last 18 months were we have run through that same scenario. Intelligence as it does in many other areas -- other domains, will detect incoming activity of concern. We -- NSA, will partner with FBI, the Department of Homeland Security, U.S. Cyber Command, to ensure the broader government -- the Department of Defense and FBI and its relationship with the private sector.
The biggest frustration to me is speed, speed, speed. We have got to get faster, we've got to be more agile. And, so for me at least within my span of control, I'm constantly asking the team, what can we do to be faster and more agile? How do we organize ourselves, what's the construct that makes the most sense? We can't be bound by history and tradition here, so to speak. We have to be willing to look at alternatives.
REED: Thank you.
General Clapper, one of the aspects of this Russian hacking was not just disseminating information that they had exploited from computers, but also the allegations of fake news sites, fake news stories that were propagated. Is that accurate or is that one aspect of this problem?
CLAPPER: Yes, without getting too far in front of the headlights of our roll out next week to the Congress. That was -- this was a multifaceted campaign, so the hacking was only one part of it. And, it also entailed, you know, classical propaganda, disinformation, fake news.
REED: Does that continue?
REED: Do the Russians particularly are very astute at covering up their tracks. It appears that they weren't quite as a diligent or -- let me ask a question. Do you believe that they made little attempts to cover up as a way to make a point politically?
CLAPPER: Again, without preempting the report, that's classical trade craft that the Russians have long, long used to particularly -- propagating so called disinformation is they will often try to hide the source of that or mask it to -- to deliberately mask the source.
REED: I -- let me just ask one more time. In this situation though, was there attempts to mask their involvement very elaborate and very, very sophisticated, or was just enough to have plausible deniability?
CLAPPER: Sir, I'd rather not get into that. That kind of edges into the sources and methods I run (ph) and I'd rather not speak to that publicly.
REED: Fair enough. This -- these activities are ongoing now in Europe as Europe prepares for elections. Is that a fair assumption?
CLAPPER: It is.
REED: Thank you. Yesterday the Wall Street Journal indicated that the President-elect is considering changes to the intelligence community. Have you at all as the expert in this field, been engaged in any of these discussions, deliberations, advice?
CLAPPER: No, we have not.
REED: Thank you, Mr. Chairman.
SEN. JAMES M. INHOFE, (R) OKLAHOMA.: Thank you, Mr. Chairman.
The -- I heard this morning that a lot of the news media was characterized in this as a hearing on Russian hacking and actually it's on foreign cyber threats to the United States. I would like to cover a couple of the other ones.
First of all, I received something this morning, Director Clapper that I was very glad to read.
I've often said that the threats we're facing today are greater. I look wistfully back at the days of the Cold War. You're statement that I -- that was in print this morning said, sometimes all of this makes me long for the Cold War when world has essentially had two large mutually exclusive and so forth.
[10:15:02] You know I think it's important that we talk about this because the general public is not aware that the nature of the threats that are out there that have not been out there before.
Admiral, on -- no Director Clapper, we've had a lot of -- and most damaging cyber attacks perpetrated against American people when the Chairman gave his opening statement, he singled out three or four of them, one of them was the OPM incident, that was 2014 and '15, Office of Personnel Management, it was a breach and threat to personnel -- personal information, birth dates, home addresses, social security numbers of over 22 million individuals.
I'd like to ask you, what action was taken after that and what kind of effect that might have had on the behavior of the Chinese?
CLAPPER: Well, the major action that we took, of course, was remediation in terms of advising people of what the potential risks were and, of course, there was a lot of work done, NSA was deeply involved in this, in enhancing or improving the cybersecurity posture of OPM and Admiral Rogers might speak to that.
I would say that this was espionage. It was not an attack per say; and of course, I was a bit reticent about, you know, people that live in glass houses shouldn't throw publicly too many rocks. So there isn't I think a difference between, you know, an act of espionage, which we conduct, as well, and other nations do, versus an attack.
Mike, you want to comment?
ROGERS: Just as a broader point, I think the OPM issue highlights that massive data concentrations increasingly have value all of their own.
What do I mean by that? I can remember 10 years ago, earlier in my time in cyber thinking to myself, large data bases like OPM are so large, the ability of an intruder and external actor to actually access, fully extract and bore their way through millions upon millions of millions of records would be difficult.
But with the power of big data analytics, large data concentrations now become increasingly attractive targets because the ability to mine that data for insights, which is what we think drove this action in the first place, becomes more and more easily done.
INHOFE: OK, I appreciate that very much. In your joint statement -- and by the way I like the idea of joint statements; it makes our questioning a lot easier.
You talk about the -- you end up stating through one of your paragraphs, in short, cyber threat cannot be eliminated, rather cyber threat must be managed. And it's interesting that in the Edison Electric Institute, it's a publication I think that came in this morning, they say exactly the same thing.
It seems to be one of the rare cases where we have government and industry working together. Their statement was that electric power industry recognizes it cannot protect all assets from all threats and instead must manage risk. Now they go on to describe the working together with government and they say the industry security strategies constantly evolve and are closely coordinated with the federal government through a partnership called the Electricity Subsector Coordinating Council, the SCC.
Is that something you can comment? Is that -- are we looking at getting some success out of that?
CLAPPER: I think it's emblematic of a lot of work that the intelligence community has done, Department of Homeland Security, in engaging with each of the, I think 16 key infrastructure sectors in this country. And providing what we have embarked on as providing them tailored to each one of those sectors intelligence estimates of what the threats and vulnerabilities are in order to help them take measures to enhance our cybersecurity.
I think the major point there is if there is any connection whatsoever with the internet there is an inherent security vulnerability, and we have to manage that, the risk that is generated accordingly with full knowledge of that fact. If there's an internet connections, there's always going to be a vulnerability.
ROGERS: I would echo that.
[10:20:02] I think part of our challenge is, our defensive strategy must be two-pronged, we have to spend time making it difficult for people to gain access, but we must acknowledge that despite our best efforts, there is a probability that they are still going to get in. So what do you do?
As a guy who defends networks on the Cyber Command side, I would tell you is a whole different thought process, methodology, prioritization and risk approach in dealing with someone who's already in your network versus trying to keep them out in the first place and we have to be able to do both.
INHOFE: All right, I appreciate that, my time has expired. I have one last question, just for the record you can not answer at this time. But a year ago, it was a year and two months ago I think it was Admiral Rogers, you made a statement before this committee that we -- quote, "We have peer competitors in cyber space and some of them have already hinted that they hold the power to cripple our infrastructure and set back our standard of living if they choose."
I'd like for the record, if you could just kind of outline which of our peer competitors might be the closest to choosing...
ROGERS: ... as I have publicly said before, the Russians are the -- the peer competitors to us. But I look at other nations, you look at China for example and the level of capability and investment they're making on watching their abilities rise significantly.
Iran, North Korea, currently at a moderate level. But clearly, the level investment, the capability we're seeing and their willingness to employ cyber in some very aggressive ways that would be way beyond our normal risk...
SEN. BILL NELSON, (D) FLORIDA: I think it is the general assumption that you all have said that our systems can be invaded, that has the American people, we as policy makers concerned. But the average American concern that there is no privacy anymore.
General, do you think in the report next week that you all will ascribe a motivation to Putin for election attempt?
CLAPPER: Yes, we will ascribe a motivation. I'd rather not, again, preempt the report.
NELSON: Understood. Well, then, will you discuss after the report, what is sufficient in the future to impose enough cost to make them stop this kind of activity?
CLAPPER: No, we won't. We -- if we're going to speak to that that would be separate from the report. What the report will include, per the president's tasking, was a section contributed by the Department of Homeland Security and NIST, I believe, on best practices for defending.
But it does not speak to that which is really out of our lane. That's a -- that's a policy call.
NELSON: So we're now talking about deterrence. And as one of you said in your testimony, it's not like a nuclear standoff of mutually assured destruction, because we don't have a particular deterrence now. Would you discuss that?
CLAPPER: What I was -- the point I was trying to make is that in the case of a nuclear deterrence, there are instruments you can see, feel, touch, measure. Weaponry, we've had demonstration, long time ago, of the impact of nuclear weaponry.
And that is what creates both the physical substance of deterrence, as well as the psychology. And the problem with the cyber domain, it's not -- it is not -- it doesn't have those physical dimensions that you can measure, see, feel, and touch as we do with nuclear deterrence.
NELSON: So let me give you an example. Help us understand, had the supposed invasion into the Vermont utility been, in fact, an invasion by a foreign power. And ascribed to that was shutting it down, if that had been the case, what would be some of the options that we would do?
[10:25:03] CLAPPER: Well, then -- again, this would be -- as I understand it, by the way, it was not, but had it been from say malware planted by foreign power, I think that something would be a very situational dependent as what to do about it. As I indicated in my remarks, perhaps a cyber reaction to a cyber act, it may not be the best course of action.
Some other form of national power, sanctions is what we have traditionally used. And as I also indicated the problem, at least for me, is -- and I'll ask others to speak if they want to, is not knowing if -- you do retaliate in a cyber context, not knowing exactly what counter retaliation you'll get back.
Now we go through all kinds of exquisite thought processes on deciding how to react where we try to be very surgical, very precise, try to gauge what the second order or unintended consequences might be. I don't think others are similarly disposed to consider such precision and such exactness when they respond. So there's always that issue of counter retaliation, ergo, my brief mentioned that it's, in my view, best to consider all instruments of national power.
NELSON: And I think that's what's concerning us. Could we -- the United States, do we have the ability that we can make it so tough on North Korea, with a cyber attack, that it would deter them from some of their strange behavior?
CLAPPER: Not necessarily via a direct cyber reaction, given the difficulty of gaining access to their cyber networks.
SEN. ROGER WICKER, (R) MISSISSIPPI: Thanks you.
Director Clapper, you're pretty far along on the report that will be released next week, obviously. How far along are you, and what do you lack and -- and -- and how will this released? Will it be in a classified format, will you -- will you have a deep willing to testify in an open hearing like this? Or would we need to go down to SCIF to hear this?
CLAPPER: What's -- what's planned is a series of briefings. In the Congress, I think I have four more hearings to do. First with our oversight committees which will be closed hearings I believe. And then they'll be...
WICKER: And when will that be? CLAPPER: And all House, all Senate hearings, I believe next week as we roll out a version of the report early...
WICKER: So that will -- those will...
(CROSSTALK) CLAPPER: ... to be followed by an unclassified version.
WICKER: I see. So the -- the public will not hear sources and methods, but they'll -- you think it will be fairly convincing without going beyond what...
CLAPPER: I assure you we intend -- I intend to be -- to push the envelope as much as I can on -- particularly on the unclassified version, because I think the public should know as much about this as possible. This is why I felt very strongly about the statement we made in October. And so we'll be as forthcoming as we can, but there are some sensitive and fragile sources and methods here, which is one reason why we're reticent to talk about it in this setting.
WICKER: Right, and you've said that, and I expect you will be challenged with some very talented questioners up and down the dais here today on that.
I would have to support what Senator Nelson has said. As regrettable and reprehensible as the hacking of political parties is, I do think Senator Nelson has -- has touched on, really, the larger issue, which really is the subject matter of this hearing and that's what the -- what the real threats are.
WICKER: And it concerns me that -- that -- that we really don't know what the deterrents ought to be, and I wonder, at what -- at what level our conversations taking place within the administration or within the intelligence community, about what is appropriate in terms of a response? You mentioned cyber -- countering cyber with cyber is not necessarily the number one solution.