the senate armed services committee held a hearing yesterday. [inaudible conversations] , one.

>> of morning. the committee meets to receive testimony on the u.s. government policy strategy and organization to protect our nation in cyberspace. to begin i'd like to thank senators rounds and nelson for their leadership on these issues and our cyber security subcommittee. this hearing builds upon the good work that they and their subcommittee have done to tackle the critical challenge of cyber. this is a challenge that is growing more dire and more complex. not a week passes that we don't read about some disturbing new incident, cyber

attacks against our government systems and critical infrastructure, data breaches back compromise sensitive information of our citizens and companies, attempts to manipulate public opinion through social media and of course attacks against the fundamentals of our democratic system and process. those are just the ones that we know about. this is a totally new kind of threat as we all know. our adversaries, both state and nonstate actors view the entire information domain as a battle space and across it, they are waging a new kind of war against us, a war involving and extending beyond our military to include our infrastructure, our businesses and our people. the department of defense has a critical role to play in this new kind of war but it can't succeed alone. to be clear, we are not succeeding. for years we have lacks policies and strategies to

counter our adversaries and we still do. this is in part because we are trying to defeat a 21st century threat with the organizations and processes of the past century. this is true in the executive branch and frankly it's also true here in the congress and we are feeling. that's why this committee is holding a hearing and why we have taken an unorthodox step of inviting witnesses from across our government to appear today. they are the senior officials responsible for cyber within their respective agencies, and i want to thank them for joining me and welcome them now. we have a consistent secretary of defense for homeland defense and global security. scott smith, assistant director for cyber division, fbi, and chris krebs, undersecretary for the national protection and programs director at the department of homeland scary. i'd also like to note at the outset, the empty chair at the

witness table. the committee invited the principal u.s. cyber official, white house cyber security coordinator rob joyce. many of us know him and respect him deeply for his significant experience and expertise on fiber and his many years of government service at the national security agency. unfortunately, but not surprisingly, the white house declined to have the cyber court nader testify, citing executive privilege and precedent against having non- confirmed aniseed staff testifying before congress. while this is consistent with past practice on a bipartisan basis, i believe the issue of cyber requires us to rethink our old ways of doing business or to me, the empty chair before us represents a fundamental misalignment between authority and accountability in our government today when it comes to cyber.

all of our witnesses answer to the congress for their part of the cyber mission, but none of them is accountable for addressing cyber in its entirety. in theory, that is the white house cyber coordinator job but that non- confirmable position lacks the full authority to make cyber policy and strategy and direct our governments efforts. that official is literally prohibited by legal precedent from appearing before the congress. so when we, the elected representatives of the american people asked who has sufficient authority to protect and defend our nation from cyber threats, and who is accountable for us for accomplishing that mission, the answer is quite literally no one. previous administration struggled to address this challenge between dod, dhs and the fbi, well-intentioned as it was, but the result was as

complex and convoluted as it appears in this chart. given that no single agency has all of the authorities required to detect and respond to incidents, it has created significant confusion about who is actually accountable for defending the united states from cyber attacks. meanwhile, our increasingly capable adversary seek to exploit our vulnerabilities in cyberspace. facing similar challenges, a number of our allies have pursued innovative models to emphasize increase coronation and consolidation. in doing so, they have significantly enhanced their ability to share information with the public. the united kingdom recently established its national cyber security center, an organization that orchestrates numerous cyber functions across the british government under one roof sitting

side-by-side with industry. today's hearing is an opportunity to have an honest and open conversation. our concerns are not meant to be critical or of your organizations. each of you are limited by the policy and legal framework established by congress and the administration. : >> as the one who rushed to the scene that they were in charge with none having the authority or even worse, realizing after a cyber incident that your organizations were not prepared and resourced to respond based on a flawed assumption that someone else was responsible. i think the witnesses for the

service to our country and the willingness to appear before this committee. as we continue to assess and address our cyber challenges. senator reed. >> thank you very much for holding the steering at the welcome our witnesses today. let me also commend senator brown's and nelson for the great leadership on this subcommittee. cyber threats facing the nation does not respect organizational or jurisdictional boundaries, defense department, intelligence community, fbi, department of homeland security, are all critical encountering cyber threat. each agency functions in silos and specialist laws and authorities. in order -- must develop an integrated whole of government approach to strategic planning,, resource allocation and execution of operations. i am echoing the chairman points. this department is not unique to the cybersecurity mission. by the extremism, , narcotics ad human trafficking, transnational crime, weapons of mass distraction and other charges are effective whole of government response that cut

across the missions and responsibly of departments and agencies. as issues become more complex these problems are becoming more numerous and serious overtime. the rubin various approaches to this problem. with little demonstrated success. white house generally have few tools at the disposal while the lead agency does need to address cross cutting jobs that must remain focused on the mission of its own organization. last year president obama signed ppd 41, united states cyber incident coordination policy. it established a cyber response to group to pull together a hold of government response, but these are ad hoc organizations with little continuity that come together all in response to events. i believe what is needed instead is a framework with an integrated organizational structure authorized to plan cooperating in peacetime while the constant progression of cyber opponents. this arrangement as president. the coast guard is a service

branch and the department of defense but is a vital part of the department of homeland security. it has intelligence authority, defense responsiveness, customs and border enforcement of law enforcement authority. the coast guard exercises these authorities judiciously and responsibly and enjoys the complement -- conference of the american people. we can solve this problem. we have examples. last years national defense authorization act really cross functional teams to address problems. these teams are composed experts in the functional organizations that rise above the interest of their bureaucracy. the team leads would exercise executive authority delegated by the secretary of defense pick such an approach might be a model for the interagency to address a crosscutting problem like cybersecurity. there is indeed urgency to our task. russian attack our election last year. they attacked multiple european countries, the nato alliance in the european union. the intelligence community assures us russian will attack

our upcoming midterm elections. so far we've seen no indication that the administration is taking action to prepare for this next inevitability. finally the government cannot do this alone. as former cyber commit an innocent director general keith alexander testified, while the primary responsible of government is to defend the nation the private sector shares responsibility in creating the partnerships necessary to make the defense of our nation possible. neither the government nor private sector can protect their systems and networks without extensive and close cooperation. in many ways the private sectors on the frontline of the cyber threat and the government must work with them if were to effectively counter that threat. we need to covet strategy but it must be in cooperation with the private sector. i think chairman mccain for holding the steering effort cosponsored my legislation that is the banking committee jurisdiction, the disclosure act which are federal securities laws tries to encourage companies to focus on avoiding cybersecurity risk before they

turn into costly breaches. thank you, mr. chairman. >> welcome witnesses. mr. rapuano, please proceed. >> thank you, chairman mccain, ranking member reed and members of the committee. it is an honor to appear before you to discuss the roles and responsibilities the department of defense and its interagency partners in defending the nation from cyber attacks of the significant consequence. i hear today in my role as the assistant secretary of defense for homeland defense and global security as well as the principal cyber advisor to the secretary of defense, in which i oversee cyber policy in the department, lead the coordination of cyber efforts across the department and whether interagency partners, and integrate the departments cyber capabilities with its mission assurance and defense support to civil authorities activities. i appreciate the opportunity to testify alongside my interagency colleagues because these

challenges to require a whole of government approach. dod is developing cyber forces and capabilities to accomplish several missions in cyberspace. today i will focus on our mission to defend the united states and its interests against high consequence cyber attacks, and i would execute that mission in coordination with our interagency partners. the departments efforts to build defensive capabilities to the cyber mission force, or cmf, play and especially key role in turning out this mission. for both the deterrent and response standpoint the 133 cmf teams that will attain full operational capability in september of 2018 are central to the departments approach to supporting u.s. government efforts to defend the nation against significant cyber attacks. with the goal of ensuring u.s. military dominance in cyberspace, these teams conduct

operations also to deny potential adversaries the ability to achieve their objective and to conduct military actions in and through cyberspace to impose costs in response to an imminent ongoing recent attack. in particular, the cmf 68 cyber protection teams represent a significant capability to support a broader domestic response. these forces are focused on defending dod information networks but select teams could provide additional capacity or capability to our federal partners if and when necessary. dod is role in cyberspace goes beyond adversary focus in operations and includes identifying and mitigating our own vulnerabilities. consistent with statutory provisions related to these efforts when working with our u.s. domestic partners and with foreign partners and allies to identify and mitigate cyber vulnerabilities in our networks,

computers, critical to the infrastructure and weapons systems. while dds dod is made significt progress there is more to do alongside with her as agency partners in the broader whole of government effort to protect u.s. national interests in and through cyberspace. the outward focus of dod cyber capabilities to mitigate foreign threats at points of origin complements the strengths of our interagency partners as we strive to improve resilience should a significant cyber attack occur. in accordance with policy, during cyber incident, dod can be called to directly support the dhs in its role as a lease for protecting, mitigating, and recovering from domestic cyber incidents or the doj in its role as a lead investigating, distributing, disrupting and prosecuting cyber crimes. the significant work of our departments has resulted in increased common understanding of our respective roles and

responsibilities as well as our authorities. despite this, however, as a government we continue to face the challenges when it comes to cyber incident response on a large scale and it is clear with more to work to ensure we are ready for a significant cyber incident. specifically, we must resolve gap issues among various departments, clarify thresholds for dod assistance, and identify how to best partner with the private sector to ensure a whole of nation response if and when needed. dod has number of effort underway to address these challenges and to improve both our readiness and that of our interagency partners. for instance, when refining policies and authorities to improve the speed and flexibility to provide support, and we're conducting exercises such as cyberguard with a range of interagency and state and local partners to improve our planning and preparations to respond to cyber attacks.

additionally, the cyber executive order, 13800 signed in may will go a long way in identifying and addressing the shortfalls in our current structure. although the department has several unique and robust capabilities, i would caution against ending the current framework and re-signing more responsibility for incident response to dod. the reasons for this include the need for the department to maintain focus on its key mission, the long-standing tradition of not using the military for civilian functions, and the importance of maintaining consistency with our other domestic response frameworks. it's also important to recognize that he significant realignment of cyber response roles and responsibilities risks diluting dod focus on its core military mission to fight and win wars. finally, putting dod on lead role for domestic cyber incidents would be a departure from accepted response, practice and all other domains in which a

civilian agency have the lead responsibility for domestic emergency response efforts. and it could be disruptive to establishing that critical union of effort that's necessary for success. the federal government shouldn't maintain -- should maintain the same basic structure for responding to all other national emergencies, whether they're natural disasters or cyber attacks. there's still work to be done both within the department and with our federal partners to improve dod and u.s. government efforts over all in cyberspace. towards this and i'm in the process of reinvigorating the role of the principal cyber advisor, clarifying the departments internal lines of accountability and authority in cyber, and better integrating and communicating dod cyberspace strategy, plans, and train and equip functions. we will also be updating our dod cyber strategy and policies on key cyber issues such as

deterrence and translate this guidance into capabilities, forces and operations that will maintain our superiority in this domain. the department is also working to ensure that several strategic initiatives it is undertaking come to fruition, , including te elevation of u.s. cyber command, the limitation of the cyber executive order, initiating the cyber excepted service program, and rationalizing the departments cyber budget and investment. our relationship with congress is critical to everything we are doing to defend the nation from high consequence cyber attacks. i am grateful for caucuses strong support and particularly the subcommittees interest in these issues and i look forward to your questions and working with you and your staffs going forward. thank you. >> thank you, mr. chairman, thanks, committee, for offer me

an opportunity to provide remarks on the cyber capabilities. as the committee is aware the frequency and sophistication of cyber attacks on our nation of increased dramatically in the past decade and only look to be growing. there are significant challenge challenges. the cyber domain to me is uniqe constantly shifting, changing and evolving. but progress has been made in improving structures and collaboration in innovation. but more can be done. staying ahead of today's threats requires a different mindset than in the past. the scale, scope and complexity of today's threats in the digital domain is like anything humanity of our nation has ever experienced. traditional approaches and mindsets are no longer suited to coping with the speed and complexity of the digital domain. we have to include the digital domain as part of the threat

ecosystem instead of separating it as a mechanical machine this new era often called before the industrial revolution requires the fbi to rapidly assign, align and engage, and powered network teams who are purpose driven and have fears and unrelenting resolve to win. what does this all mean? what are we doing to meet and stay ahead of the new digital domain? predict, impose consequences, that's what the fbi cyber mission is going. the fbi cyber division and program is structured to address a lot of these unique set of challenges. in the field the fbi is made up of 56 different field offices spent all 50 states and u.s. territories, each with the cyber squad, and each developing multi agency cyber task forces which brings technically, proficient investigators, and a list, sign

ellis, from state and local. in addition to those field resources, cyber division offers program management and coordination and more technically advanced responders in our cyber action teams. the cat teams are in the cyber rapid response force that is on call and prepared to deploy globally in response to significant cyber incidents. additionally at fbi headquarters we manage site watch, 24 hour watch center which provides continuous connectivity to interagency partners in an effort to facilitate information sharing and real-time incident management and tracking insuring all agencies are coordinating. in addition to the cyber specific resources come the fbi has other technical assets that can be utilized in the event of cyber incidents. these include our operational technology division, the regional computer forensic laboratory programs, and a

critical incident response group providing additional expertise and capabilities and resources that the fbi can leverage at a cyber incident. partnerships as absolute key focus area from the fbi. we rely on a robust international presence to supplement our domestic footprint. through cyber assistant legal attaches, the fbi and bedside agents with her inner -- counterparts with 18 to locations across the globe. the fbi also relies on private sector partnerships leveraging the national cyber forensic allies, domestic security alliance to name a few. billy deposit home through training, investigation and joint operations is where we are applying our efforts. incident response, if you has the capability to quickly respond to cyber incidents across the country and skip its

response to specific incident utilizing all its resources on the field, headquarters and abroad. we have the ability to galvanize and direct all available cyber resources instantaneously here utilizing dual authorities as domestic law enforcement organization and a member of u.s. intelligence community, the fbi works closely with interagency partners within a whole of government effort to countering cyber threats. the fbi conducts cyber missions with the goal of imposing costs and consequences on the adversary and the we would like to arrest every cyber criminal we recognize indictments are just one tool in the suite of options that are available to us government when deciding how best to approach this complex cyber threat. the fbi understands the importance of incoherently joined with and will continue to find ways to work with an agency

partners in responding to cyber incidents. we look forward to expanding our partnerships with cyber command given their new and unique capabilities and with the national guards new cyber program in complement our field offices and cyber taskforces. all within the confines of current laws authorities and expectations of the american people. we at the fbi appreciate this committees efforts in making cyber threat a focus and committed to improving how we can work together to better defend our nation. we also look forward to discussing these issues in greater detail and answering any questions that you may have. thank you, mr. chairman. >> thank you. mr. krebs. >> chairman mccain, ranking member reed, members of the committee, thanks for the opportunity to appear before you today. in my current role performs the duties of their dissector for the national protection and programs directorate i lead the department of homeland seekers efforts to secure and defend our

federal networks and facilities, and the systemic risk to critical for such an approved cyber and physical security practices across our nation. this is a time hearing as during december, october we recognize national cybersecurity awareness month, find a focus on how cybersecurity is a shared responsibility and ethics of the business, organization in america and is one of the most significant and strategic risks to the united states. to address this week as and if we work together to develop a much needed policies authorities and capabilities across the interagency with state international partners in coordination with the private sector. department of defense is eligible receiver exercise in 1997 laid bare our nation cybersecurity vulnerability and consequences initiating across government journey to respond to the growing cyber threat. over the ensuing 20 years through a series of, orders and other documents omitted most recently with executive order 13800 we established an increasingly defined policy foundation for the cyber mission

space. roles and responsibility seven further bolstered by a partisan legislation providing executive branch and in particular dhs much-needed others to protect federal and critical infrastructure networks. we can solidify the role by giving my organization and index reflects our operational mission and i look forward to working with you in that effort. building of those policies and authorities the department continues to develop the operational capabilities to protect our networks. a national cybersecurity and communications integration center or nccic is a center of gravity for dhs and cyber skewed operations. we monitor federal civilian enterprisewide risk picture that allows us to manage risk across the dot gov. it brings together partisanship of classified and unclassified threat information. partners include representatives from critical infrastructure committee, state, local, and tribal governments, such as pacific liaisons from the department of energy, health and

human services, treasury and defense, intelligence committee, law enforcement, fbi and liaisons of each of the cyber cities including u.s. cyber command. they all sit with one another at nccic. we know we can't stop your in need of efforts to develop scalable solutions to manage systemic cybersecurity risks across the infrastructure. last years presidential policy director -- directive further clarified rules and separates principles for the federal governments response to cyber incidents including formalizing the cyber response group and cyber unified coordination group. it required the department to update the national cyber response plan or insert irp which was completed last january. updating the ncr at pete and marshall insisted a local partners was a critical step in submitting our shared responsibility and accomplish three main goals. first it defines the role and responsibility of all stakeholders, second and

identifies the capabilities required to respond to a significant cyber incident and third it describes with our federal government will coordinate its activities with those affected by a cyber incident. however focus with forward is to build on the with multi-stakeholder multi-stakeholder operational plans and incident response playbooks and that we must train an exercise to the consumer to identify and address the gaps that makes us. we are building on our cyber mission workforce within the framework of the ncirp with her hand and incident response team exercise the tennis of the ncirp each day. we work across the stakeholders within the nccic to conflict this mission. dhs teams are augmented with fbi and dod personnel to fight a more robust and corrugated response. this model of collaboration across agency cooperation will continue taking advantage of the strengths of each agency. to ensure we're focus on the mission that you congress have

passed as with we are prioritized so that all open cyber positions at dhs, crosstraining our workforce on incident response and create a cyber incident response search capacity force modeled after fema for natural disasters that can rise to meet any demand. before i close out like to add one last article olympic the cyber defense mission is much broader than just response. it encompasses preparedness and resilience and we must continually assess and improve our cybersecurity posture against the latest threats. deny our adversaries opportunities to wreak havoc. finally i like to reinforce one more time, we've made significant progress yet there's a a question with more to do. we must do it with a never before seen since of urgency. by bringing together all stakeholders we are taking action to manage a cybersecurity risk and improve our whole of government incident response even bows and become more resilient. i thank you for the opportunity to test for adult afforded to any questions you may have. >> thank you, mr. krebs, and thanked