tv Public Affairs Events CSPAN October 21, 2017 6:09am-8:01am EDT
3:09 am
We have prioritized staffing all open cyber positions at DHS, cross-training our workforce on incident response, and creating a cyber incident response surge capacity force, modeled after FEMA for natural disasters, that can rise to meet any demand. Before I close out, I'd like to add one last point: ultimately, the cyber defense mission is much broader than just response. It encompasses preparedness and resilience, and we must continually assess and improve our cybersecurity posture against the latest threats and deny our adversaries opportunities to wreak havoc. Finally, I'd like to reinforce one more time: we've made significant progress, yet there's no question there is more to do. We must do it with a never-before-seen sense of urgency. By bringing together all stakeholders, we are taking action to manage cybersecurity risk, improve our whole-of-government incident response, and become more resilient. I thank you for the opportunity to testify today and look forward to any questions you may have. >> Thank you, Mr. Krebs, and thanks to the witnesses.
3:10 am
I'm sure you can see that chart over there. Charts are always interesting, but this one, we're going to need someone to translate for us, because it's an example, and I think a good one, of the differences in authorities and responsibilities, none of which seem to have an overall coordinating office or individual. Of course, Mr. Joyce's absence here, whose job it is to do all this, is an example, frankly, of the disarray in which this whole issue rests. And Mr. Rapuano, to start with,
3:11 am
you said that is not the Department of Defense's responsibility. Suppose that the Russians had been able to affect the outcome of the last election. Wouldn't that fall under the responsibility and authority, to some degree, of the Department of Defense, if they're able to destroy the fundamental of democracy, which would be to change the outcome of an election? >> Mr. Chairman, specifically, the issues associated with protecting elections from cyber incursion -- >> So you're saying cyber incursion is not something that requires the Department of Defense to be engaged in, is that correct? >> No. I'm simply saying, based on the state authorities and the state control of the election process in each state, there are issues associated with federal authority to engage -- >> So those issues could be corrected by legislation. They are not engraved in
3:12 am
tablets, okay? So for you to sit there and say, well, but it's not the Department of Defense's responsibility. It is. To defend the nation, the very fundamental, the reason why we're here, is because of free and fair elections. If you can change the outcome of an election, that has consequences far more serious than a physical attack. So I am in fundamental disagreement with you about the requirements of the Department of Defense to defend the fundamental of this nation, which is a free and fair election, which we all know the Russians tried to affect the outcome of. Whether they did or not is a matter of opinion. I don't think so, but for you to shuffle this off, well, it's not an attack, it is an attack of enormous proportions. If you can change the outcome of an election, then what's the Constitution and our way of life all about?
3:13 am
I think Senator Rounds will be much more articulate on the issue. So, one, I disagree with your assessment, and one of the reasons why we have felt frustrated is exactly what you just said. It's exactly what you just said: well, it's not the Department of Defense's job. It's the Department of Defense's job to defend this nation; that's why it's called the Department of Defense. Mr. Krebs, numerous experts over the past few years have highlighted the need for dramatic change. According to the Presidential Commission on Enhancing National Cybersecurity, and I quote, the current leadership and organizational construct for cybersecurity within the federal government is not commensurate with the challenges of securing the digital economy and supporting the national and economic security of the United States. General Keith Alexander, one of the most respected men in the world, said before this full committee in March, quote, when
3:14 am
we talked to the different agencies, they don't understand the roles and responsibilities. When you ask each of them who is defending what, you get a different answer. Admiral Jim Stavridis, quote, there needs to be a voice in the Cabinet that focuses on cyber. Obviously there is supposedly one there, but he is not appearing before this committee, and that diminishes our ability to carry out our responsibilities. The list goes on and on. The January 2017 Center for Strategic and International Studies task force simply concluded, quote, we must consider how to organize the United States to defend cyberspace, and that if DHS is unable to step up its game, we should consider the creation of a new cybersecurity agency. The list goes on and on. I'd like to have your responses to these assessments, ranging from a presidential commission to
3:15 am
General Keith Alexander to the Atlantic Council to the Center for Strategic and International Studies task force. All of them are saying the same thing, gentlemen. All of them are saying exactly the same thing. I look forward to getting a translator who can show us what this chart means. I'll be glad to hear your responses. Mr. Rapuano. >> Mr. Chairman, I would say, just on the issue of the election process, the department is clearly there to support the response or the mitigation of potential threats to the electoral process, but it is something that, when you look at the separation of authority between state and local governments, the lead for the coordination and support in our current system is DHS, and we provide defense authorities, as requested, to support those needs and requirements.
3:16 am
>> That obviously assumes that the Department of Homeland Security has the capabilities and the authority in order to carry out that requirement, whereas this cyber is warfare. Cyber is warfare. Cyber is an attempt to destroy a democracy. That's what Mr. Putin is all about. So to somehow shuffle it off onto the Department of Homeland Security, of course, this goes back to this problem with this organizational chart. So I steadfastly reject your shuffling off the responsibilities of cyber over to the Department of Homeland Security, and we have included in the NDAA a requirement for you to do so. Mr. Smith, you want to respond, or Mr. Krebs? >> I'm happy to.
3:17 am
Fundamentally, it's a complex and challenging operational environment. Every one of the agencies represented at the table today, as you see in the bubble chart, as it's called, has a unique contribution across the ecosystem. >> Without coordination? >> I would suggest that we are getting there; we are working on the coordination. PPD-41, the Cyber Response Group and the Cyber Unified Coordination Group provide a foundation under which we can coordinate. We do work closely with Mr. Joyce and the National Security Council. However, from an operational perspective, I think the Department of Homeland Security, and I, as undersecretary, have the direction and authorities I need to move out. The question is whether I have -- >> Are we winning or losing? >> This is a battle that's going to be going on for many years. We still can't get our arms around it. >> That does not answer my question. I repeat my question: are we winning or losing? >> It's hard to assess whether we are winning or losing. I would say
3:18 am
we're fighting this battle every day, working with the private sector. It is a complex environment, and I look forward to working with Congress -- >> Do you know that for eight years we've been trying to get a policy, for eight years we've been trying to get a strategy, for eight years we've been trying to get something besides this convoluted chart? Did you know that? >> Yes, sir. I've been in my role for eight weeks. I understand your frustration. I share your frustration. I think we have a lot of work to do, and I think this is going to require both the executive branch and the Congress working together to continue understanding exactly how we need to address the threat. >> When the coordinator doesn't show up for the hearing, that's not an encouraging sign. Senator Reed. >> I wish you would consider a subpoena to get the main witness. >> I think that has to be discussed in the committee. >> Well, thank you, Mr. Chairman. Thank you, gentlemen, for your
3:19 am
testimony. The chairman has raised the issue of Russian involvement in the last election, but our intelligence community has essentially assured us that they're going to come back, and with more brio, whatever the right term is. Have you been told to prepare for that, Mr. Rapuano? Has the Defense Department been given direction to take all steps to advise the administration on what you can do to prevent, preempt or respond to Russian intrusions in 2018? >> Senator, I am not aware of a specific direction in terms of a specific task associated with the election process. We are engaging on a routine basis with DHS and the rest of the interagency community to develop priorities and consider responses as well as mitigation measures. As I tried to note earlier, the
3:20 am
competing authorities associated with the electoral process really do call for a thoughtful orchestration of how we would direct and task and engage with the state and local authorities. It really does need to be coordinated, because each agency brings something different. There's a private sector component, because most states get very significant support in terms of their electoral systems from five entities. We are certainly engaged in the process and we're certainly available to support, but -- >> But you have been directed to start actively planning and coordinating with respect to the election specifically? >> Not to my knowledge. >> Mr. Smith, have you and your agency, the FBI, been told to be actively coordinating with respect to the 2018 election in terms of interrupting, preempting, responding to Russian intrusions, which again the intelligence community practically assures us will
3:21 am
happen? >> Yes. >> You have been? >> Yes. >> Would you describe what you have been doing, in general terms? >> In general terms, we have not stopped since the last election, coordinating and keeping together an election fusion cell, which is jointly located at the Hoover Building, and working with our interagency partners, not only on what had transpired and getting deeper on that, but also working forward as to what may come towards us in the upcoming midterms and 2018 election cycles. So we are actively engaged, both with outreach in the communities and with DHS and the election task force, along with every field office having a designated election crimes coordinator who is on the ground out there in the event of information coming towards us or any evidence that
3:22 am
we would need to be aware of and react to. >> Mr. Krebs, same question. >> Absolutely. But I'll tell you this: I didn't need anybody to tell me to stand up a task force or anything like that. The first thing I did when I came in eight weeks ago was assess the state of the election infrastructure activities and establish an election security task force, which brings together all the components within NPPD but also works closely with the intelligence and analysis component within DHS, as well as the FBI and other partners. I think there's a lot more to do. As Director Smith mentioned, we're not just thinking about '18. We're thinking about the gubernatorial elections coming up in a matter of weeks. Last week we worked with 27 states and the Election Assistance Commission and established a Government Coordinating Council, the body under which all the state election officials can come together, and which provides a foundation under which to coordinate
3:23 am
security practices and share information. We are issuing security clearances to a number of election officials, and in a matter of weeks will establish a Sector Coordinating Council, which will bring in the private sector elements that provide systems and technologies and support. There's still a lot to be done. We certainly have work ahead of us, and there's no question they will come back and we will be fighting them every day. >> You mentioned several times that you need to engage the private sector, and that's a challenge. In fact, it might be more important in this context than in any other, since they lead, whereas in other areas, like missiles, bombers and vehicles, it's the government more than the private sector. But just quickly, some of the things we have to consider are sort of not the responsibility of this
3:24 am
committee, but legislation Senator McCain and I are sponsoring would have companies designate whether they have a cyber expert on the board, or why not, as a way to disclose this to shareholders but also to provide an incentive for them to be more keyed into cyber. There have been some discussions, talking to Mr. Rapuano, about using the terrorism reinsurance program as a way to incentivize. Without that, I don't think we'll get the kind of buy-in. My time is about to expire, but where are we in terms of private engagement? Is there a threshold of engagement, or is it still -- >> I actually came out of the private sector. I spent the last several years at a major technology company, where I managed many of the cybersecurity policy issues. I have a unique understanding of what it takes on the private sector side as well. We do have a number of private
3:25 am
sector representatives within the NCCIC, and we have the unique statutory authorities for coordinating with the infrastructure community. We need to better refine our value proposition to get more companies to come in and share information with us, but we do have the unique liability protection capability. One thing I think will enable our advancement is, as I mentioned, I need a name change. I need to be able to tell my stakeholders, my customers, what we do. "National Protection and Programs Directorate" doesn't say anything. I need something that describes what we do, so I can go out and clearly communicate what it is we do on a daily basis. I think that's a big step forward. >> You tell us the title you want; besides President. [laughing] >> We will get you a T-shirt, too. [laughing] >> Thank you, Mr. Chairman. The three of you can relax, because what I'm going to address is to the empty chair.
3:26 am
And I know that this message will get through. It has to do with sections 881 and 886. There are some provisions in the Senate version of the NDAA, specifically those sections, that have raised concerns among the software developers critical to our national defense. The purpose of these provisions is to make available to the public the source code and proprietary data that is used by the Department of Defense. I'd like to submit for the record numerous letters, which I will do in a moment, and documents from industry stakeholders that share my concerns with this language. While I understand the goals and intentions of the legislation, there are unintended consequences and impacts, such as limiting the software choices available to DOD to serve the warfighter, increasing costs to
3:27 am
the Department of Defense by compromising the proprietary nature of software or limiting contractor options, and potentially aiding U.S. adversaries and threatening DOD cybersecurity by sharing DOD source code by placing it in a public repository. It also reduces the competitiveness of American software technology companies by opening the software contractors' intellectual property and code to the public repository. And as we progress into the conference report, I look forward to working with the Senate Armed Services Committee on the way forward on this topic, and recommend that we study this issue prior to instituting new legislation. This is a provision that is in the Senate bill, not in the House bill. And I would ask unanimous
3:28 am
consent to include in the record at this point, Mr. Chairman, these documents from stakeholders. >> Without objection. >> Thank you. >> Well, I wouldn't exactly say that the three of you should relax, but I will address more directly not only the empty chair, but General McMaster, General Kelly, the Vice President and the President. Did you realize that you handed out a chart that is five years old? The date on this chart is January of 2013. I mean, why in the world? That -- by the way, Senator Rounds is saying, acknowledging
3:29 am
this, and I want to say what a pleasure it has been to deal with Senator Rounds as the two leaders of the cyber subcommittee. And I can tell you we are alarmed. You heard the alarm in the voice of the chairman. Can we stipulate here that state election apparatuses, state election databases, can we stipulate that that is critical infrastructure? >> We have made that, the Department of Homeland Security has made that determination, and it is a subsector. >> Good. Therefore, a tampering or a changing or interfering with state election databases, being critical infrastructure, would in fact be an attack upon our country. Can we stipulate that that would be the case?
3:30 am
Why is there silence? >> Let the record show there was silence. [laughing] >> Wow. So do you realize that you can change -- >> Could I just -- >> Please. >> Could I defend the witnesses? They're not the ones to -- >> I understand, and that's why I'm referring my comments not only to the empty chair, but to the people behind that empty chair, which is the National Security Council advisor, General McMaster, the fellow who runs the White House staff, General Kelly, both of whom I have the highest respect and esteem for, and ultimately the Vice President and the President. I would go back and listen.
3:31 am
I would defer to the intensity of the chairman's remarks, both in his opening remarks and his questions. You mess around with our election apparatus, and it is an attack on our country. So let me give you an example. It doesn't even have to be the Russians, or the Chinese, or some third party that's not a nation-state. We already know that they are in 20 of our states. We know that from the reports that have been in the newspaper from the intelligence community. All you have to do is go into certain precincts; you don't even have to change the outcome of the actual vote count. You could just eliminate every tenth registrant, every tenth registered voter. So when Mr. Jones shows up on
3:32 am
Election Day to vote: I'm sorry, Mr. Jones, you are not a registered voter. You multiply that by every tenth voter, you've got absolute chaos in the election. And on top of it, you have the long lines that result, and as a result of that, people are discouraged from voting because they can't wait in the long line, and so forth and so on. This is the ultimate threat. I've said so many times in this committee, Vladimir Putin can't beat us on the land, in the air, on the sea, under the sea or in space, but he can beat us in cyber. And to hand out a five-year-old dated chart as to how we're going to fix the situation is just totally, totally insufficient.
3:33 am
I rest my case, Mr. Chairman, and I wish you would consider a subpoena. >> Would the witnesses desire to respond to the diatribe? >> That eloquent -- >> That eloquent diatribe. One of the most historic statements in the history of this committee. [laughing] Go ahead, please. >> Mr. Chairman, I would say, just in terms of the Department of Defense's role, it is important to note that the National Guard in a number of states, on the authority of the governors, trains cyber-capable forces that are assisting those states in addressing, identifying vulnerabilities and mitigating those vulnerabilities. Part of them are part of the Cyber Mission Force, and we certainly view as quite appropriate that tasking under state authority, versus the Department of Defense attempting
3:34 am
to insert itself into a process without directly being requested. >> Could I just say, sir, we are appreciative of what the Guard is doing. We are appreciative of what local authorities are doing. We are appreciative of what all these different agencies are doing, but we see no coordination and no policy and no strategy. When you're ready to give that to us, we would be eager to hear about it. Senator Fischer. >> Thank you, Mr. Chairman. Those are hard acts to follow, your diatribes. But I would like to focus on something else now, with regard to response. Gentlemen, one of the things that Admiral Rogers has emphasized is the need to move quicker across the board: faster threat detection, faster decision-making and faster
3:35 am
responses. So, Mr. Krebs, can you walk us through the process by which an organization, an operator of a piece of critical infrastructure, for example, would reach out to you for help? I know the first step is to detect the threat, and that can take some time, but what does the process look like once they contact you? How long does it take to begin working with them, and are there legal agreements that must be in place before a response team could operate on their network? >> Thank you for the question. There are, of course, a number of ways a victim can discover they have been breached, that they have had some sort of intrusion: working with the intelligence community or the FBI, who notify them, or the Department of Homeland Security notifying them, or, of course, one of the private sector vendors could discover an actor on their networks. As for how to reach out, there are a number of ways as well they can reach us. They can e-mail or call us. We have local
3:36 am
cybersecurity advisors throughout the regions, and we have protective security advisors. They can also contact the FBI. Once we are aware of an incident, we will then go through an intake process. Every incident is going to be different; that's kind of a truism. Every incident can be different. In terms of time, it all depends on what the situation is, what kind of information they want to provide. We have to work through a legal agreement just to get on their networks and install government equipment and take a look. That can take time. It can depend on the legal back-and-forth: hours or even days. But I would view this as kind of an elastic spectrum. It could take, we're talking hours, a couple of days, to a week. It all depends on the nature of the breach. >> If you determine that DOD has to be involved in the response as part of that team, I assume that is going to take more time then?
3:37 am
And does that decision currently rest with the President? Is that correct? >> We do a fair amount of coordination with the Department of Defense. In fact, we do cross-training on incident response matters. We do have blended teams that go out to the field for investigations that could be FBI or DOD assets. In terms of the decision-making process, we do have agreements in place, memoranda of understanding in place, so that we don't necessarily have to go to the President. We don't have to go to the secretary level. There are sub-level understandings that we are able to use to use each other's resources. >> Those agreements would also cover what types of military systems will be needed? >> It's a support function, but we are typically talking personnel. >> Mr. Rapuano, did I say your name really -- I messed it up, didn't I?
3:38 am
>> Rapuano. >> Are there concepts of operations that define the specific requirements that DOD forces would be asked to fulfill, and prioritize assets or sectors that should be defended from cyber attack if we're going to have a high-end conflict? >> The focus of the domestic response capabilities, the support to civil authorities when it comes to cyber, are those defense and those protection teams out of the Cyber Mission Force. Those are skilled practitioners who understand the forensic issues, the identification of the challenges of types of malware, and different approaches to removing the malware from the systems. As Mr. Krebs noted, the defense support to civil authorities process is a request for assistance from DHS to the department. We have authorities all the way down to commanders, specifically
3:39 am
Cyber Command. Admiral Rogers has the authority in a number of areas to direct and attach those assets. Then it comes up to me, and for certain areas the Secretary requires his approval. But most of these things can be done at lower levels, and we have provided that assistance previously to DHS. >> Do you have the policy guidance in place if there is a high-end conflict? Is it first-come, first-served? Do you have a way that you can prioritize how you're going to respond? >> Absolutely. A high-end conflict in which we are receiving cyber attacks and threats against our capabilities to project power, for example, would be the utmost priority for the department, as well as attacks against DOD information systems; if we can't communicate internally, we can't defend the nation. Those are the equivalent of heart, brain, lung functions, equities
3:40 am
and capabilities we prioritize. We have resources that are available unless tapped by those uppermost priorities, and then it becomes hard-decision time: do we apply assets for domestic and critical infrastructure protection, for example, or to the protection of other DOD capabilities? >> Thank you. >> On behalf of Chairman McCain, let me recognize Senator Shaheen. >> Thank you, Senator Reed. Thank you to all of our witnesses for being here this morning. I share the frustration you're hearing from everyone on this committee about decisions that have not been made with respect to cyber threats affecting our nation. One example is the use of Kaspersky Labs antivirus software on U.S. government systems. Kaspersky Labs has reported links to
3:41 am
Russian intelligence, and it is based in Moscow, subject to the Kremlin's intrusive surveillance and interception laws. We just had a recent report of Kaspersky's role in a successful Russian cyber operation to steal classified information from an NSA employee's home computer. And yet they remained on the list of approved software for way too long. This committee put an amendment in the NDAA that would have prohibited the use of that software by the Department of Defense, and I'm pleased that finally we've seen the administration act on that. But I think it really raises the question of how we got to this point. So what standards were used in approving Kaspersky Labs as an appropriate choice to fill the government's antivirus protection needs? Does the government vet the
3:42 am
origins and foreign business dealings of cybersecurity firms and software companies before these products are used in our systems? And are companies looking to contract with the U.S. government required to disclose all their foreign subcontractors, as well as the work they do with foreign governments that may be a threat to the United States? So I will throw those questions out to whoever would like to answer them. >> Thank you for the question. As you know, the directive we issued several weeks ago, just over a month now, 30-some-odd days ago, required federal civilian agencies to identify Kaspersky products if they have them and to develop plans to remove them over 90 days. What that tells me is we have a lot of work to do in terms of the processes that are in place to assess technology products
3:43 am
that are on these systems -- >> I agree. That's why I'm asking those questions. I don't mean to interrupt, but I've limited time, and what I would like to know is what you can tell me about what standards we use, how we vet these kinds of products, and how we ensure that we don't have another case of Kaspersky being used in our sensitive government systems? >> If I may suggest, I'd like to come back with the General Services Administration to take a look at that with you and give a more detailed briefing on how we do that. >> Thank you. I would appreciate that. Also, Mr. Rapuano, I appreciate your taking some time this morning to spend a few minutes with me to talk about Hewlett-Packard Enterprise, which allowed a Russian defense agency to view the source code of software used to guard the Pentagon's classified information exchange network. Can you tell me, is the disclosure of our source code to other entities a usual way of
3:44 am
doing business? How did that happen? >> Senator, the details on that, as I shared with you this morning, we're working that. Our CIO is leading that effort. I can't give you additional details with regard to our procedure or regulatory approach, but we can follow up with those details for you. >> Thank you. I appreciate that. That was a rhetorical question to raise the point again that I have serious concerns about the attention we're paying to these kinds of issues. In April, the Defense Logistics Agency said, quote, HP software and hardware are so embedded that it could not consider other competitors, unquote, absent an overhaul of the current IT infrastructure. Do you believe that's what is
3:45 am
required, and how are we going to address any of these problems if we say we can't take action because it would create a problem in responding throughout other areas where we do business? Again, I appreciate that you're going to respond to the concerns that I laid out, including that one, at a later time. I'm almost out of time, but I just had one question for you, Mr. Krebs, and that is, on the notice of this hearing you were listed as performing the duties of the Under Secretary for the National Protection and Programs Directorate, and you said you have been on the job for eight weeks. What does that mean? >> Yes, ma'am. Thank you for the question. I have actually been with the department since March 2017. I was a counselor to General Kelly. He moved to the White House, of course, and soon after that I was appointed by the President to be
3:46 am
the Assistant Secretary for Infrastructure Protection. In the meantime, we have an open vacancy at the undersecretary position, so as the senior official within the National Protection and Programs Directorate, I am the senior official performing the duties of the undersecretary. >> My appreciation to you and the ranking member for elevating this particular discussion to
3:47 am
full committee status. Senator Nelson has been great to work with, and I appreciate the bipartisan way he has approached the issue. I wish we had the same type of cooperation this morning with Mr. Joyce coming to visit with us. I personally did not see this as an adversarial discussion today. I saw this as one in which we could begin a cooperative effort to discuss how to take care of the seams that we believe actually exist between the different agencies responsible for the protection of the cyber systems in our country. This particular chart, I believe Senator Alexander indicated over -- General Alexander indicated there were over 75 different revisions to this particular chart when it was created. Let me just, to clear the record, do any of you have a more updated chart than the one
3:48 am
provided today? >> No? No. Okay. For the record, that was done in 2013. Yet at the same time, I just -- for Mr. Krebs, let me just ask: as I understand it, DHS is responsible for the protection of some but not all of the critical infrastructure in the United States. When it comes to the energy sector, the Department of Energy is the lead agency. Is that correct? >> That is correct. >> Where does it fit in the chart, then? >> There is an updated piece of policy surrounding this. As I mentioned, there's a progressive policy arc. The fundamental elements hold and have been reflected in Presidential Policy Directive 41.
3:49 am
>> Do we have an updated chart someplace? >> I may have something better than a chart. I have a plan and a policy around it: PPD-41, which lays out the responsibilities of the respective organizations. >> All of you are working on the same level as Mr. Krebs has shared here with the information he has? A yes or no would be appropriate. >> Yes. >> Yes, Senator. >> Thank you. Then I appreciate that, because what really bothered me is if this was not updated, or nobody had been working on anything, since 2013, when the changes occurred. Let me ask you quickly, just curious: it would seem to me there's no doubt there are three types of barriers we need to overcome in order to strengthen the collective cyber defense of the organization: legal, organizational and cultural. Have any of you identified legislative hurdles that restrict or inhibit interagency cooperation or create seams for the
3:50 am
collective cyber defense? >> mr. rapuano? >> i would just note, when you look at the national response framework that we use for noncyber but kinetic, in-state actor or national events, what you have seen since katrina is a maturation of a similar process. many disparate roles and responsibilities and authorities and many different target stakeholders who may require assistance, from local, state, all the way up. and this system, the national cyber response framework, is based closely on the national response framework. we're obviously in a more nascent stage when it comes to cyber in all its aspects, but i would just say, if you look at the last several months in terms of very significant multiple hurricanes and what i think
3:51 am
overall, in light of the consequences, with a very effective federal response, has been a dramatic evolution in our ability to work as a whole of government team when it comes to complex problems with colliding authorities. >> i have one more question. get your gist. we can either have defense here within our country or we can have defense which is to try to stop something in terms of a cyber attack before it actually gets here. that involves not only a cyber system which is universal, it involves talking about systems that are sometimes in our allies' countries, sometimes countries not necessarily our friends but in areas where the bad guys who are creating the attacks themselves are actually located. what are your views on the sovereignty relating to cyber security? let me just -- before you answer this, in afghanistan, regardless of what you think about the
3:52 am
strategy, the long-standing undertone that justifies why we're still there is fighting the enemy abroad prevents another major attack at home. in this context it's a defensive strategy played out via offensive maneuvering. as we evolve the cyber intelligence field it's inevitable we'll start to think of cyber defense in this offensively minded way. i'd like to hear your thoughts on the sovereignty and where we ought to be fighting the battle to stop the attacks before they get here. >> senator, that's a very important question. as i think you're aware, the concepts of sovereignty are still molding to some extent in the sense there are differing views with regard to what constitutes sovereignty and what type of scenario -- >> it is -- mr. chairman -- here's the key part of this. these facts are going on now --
3:53 am
these attacks going on now, tallinn 1.0 and 2.0 are discussions of what our allies are working on in terms of sovereignty issues. in the meantime we have a gap in time period and have to decide where we actually defend our country against the possibility of existing attacks today, tomorrow, and next week. unless we have a current strategy with regard to how we regard sovereignty and where we will actually go to defend our critical infrastructure. could be we have that on the books today, and are you prepared to say whether we know where we would defend, get the attackers, and are we prepared to take them beyond our border? >> senator, yes, we can do, and the details of our current posture i think would need to be deferred to a closed hearing. >> very good. mr. smith? mr. krebs? >> it's a home and away game. we have to get them over there, at the same time we need to be protecting our infrastructure
3:54 am
here. i work very closely, for instance, with the electricity sector, and the electricity sector coordinating council. i'm on the -- during the hurricanes i was on the phone with the ceos of major utilities daily. every 5:00 p.m. with secretary perry we talk about the status of the electricity sector. we have to start here, network protection, close out the gaps, mitigate consequences, at the same time we have to take down the threat actor. it's a whole of government best athlete approach. >> thank you. thank you, mr. chairman. i apologize for going over but it's a critical issue we have to address. thank you. >> thank you, mr. chairman and thank you for holding this critically important hearing and to the excellent witnesses before us today. this week "the new york times" published an article -- and i'm
3:55 am
going to submit it for the record -- assuming there's no objection -- which details north korea's cyber attacks estimated to provide the north korean government with as much as $1 billion a year. that figure is staggering. it's equivalent to a third of that country's total exports. north korea's ransomware attacks and cyber attacks on banks around the world are producing a funding stream for that country which, in turn, fuels the nuclear program and a funding source that must be stopped at a time when the united states is leading efforts to sanction exports of coal, labor, textiles and other products in order to hinder north korea's nuclear ambitions. we also have to focus on additional funding sources and
3:56 am
this cash flow ought to be priority number one. tough rhetoric must be supported by action, and practical measures that make clear to north korea that this kind of conduct will be answered. so, the question is, what actions are being taken to combat their offensive cyber operations and address this cyber -- cyber revenue, and i know you may not be fully at liberty to discuss the steps in this forum but i'd like you to do so to the extent you can because north korea knows what it is doing. you're not going to reveal anything to north korea. the american people deserve to know what north korea is doing. and they don't.
3:57 am
so, this is a topic that i think ought to be front and center for the administration and for the congress and for the american people, and i look forward to your responses. >> i would simply say, yes, senator, we do have plans and capabilities that are focused and directed on the north korean threat in general, and on the specific activities that you have noted. i think it would be most appropriate to go into details in closed session. >> senator, i would just say that we continue to work with our foreign partners in information-sharing wherever possible, whenever we're able to assist them in identifying these types of criminal activities and provide them also technical assistance whenever asked or engaging with them in joint operations, and whenever possible we are always looking to link it back or coordinate some indictment or
3:58 am
investigative -- some joint operations that would bring to light the people or the nation states that are conducting those activities. >> i'll pile on here. i'm actually providing a little detail on a particular unclassified activity. working very closely with the fbi, we designated one effort called hidden cobra, and we have a hidden cobra page that speaks to a botnet infrastructure, command and control infrastructure, that has certain indicators that, look at this, track this down, with federal partners where the command and control infrastructure may be in another country and we share that information and are looking to take action against it. it's not just a whole of government approach. this is an international problem and with international work and
3:59 am
we have been partnering with unlikely partners. >> i agree it's an international problem with international solutions but we provide the main solution and we are in effect victims, substantially if not primarily, of the problem, and i understand, mr. rapuano, we have plans and capabilities. i'm not fully satisfied with the idea that those forward oriented measures of action are sufficient. i think we need action here and now. the lazarus group, a north korean-linked cyber crime ring, stole $81 million from the bangladesh central bank account at the new york federal reserve which would have been $1 billion but for a spelling error, fairly
4:00 am
rudimentary on the part of the north koreans. they've also been tied to the wannacry attack earlier this year and the sony attack in 2014. this week they are being linked to a $60 million theft from the taiwanese bank. you know, measured in millions -- given the way we measure amounts of money in this week with our budget is in the billions and trillions -- may seem small, but it is substantial given the north korean economy and its size. so i'm hoping that in another setting we can be more fully briefed on what is being done now to stem and stop this threat, and i appreciate all of your good work in this area. thank you. thanks, mr. chairman. >> thank you, gentlemen, for your willingness to tackle these
4:01 am
issues. i think it goes without saying that your level of success in these areas will really influence american democracy for many, many years as well as decades to come. so the conversation today so far has been focused very much on cyber defense coordination which we would all say is very important. however, coordination doesn't do any good without the proper understanding of our capabilities across the government. and that's why i worked with senators coons, fischer and gillibrand to introduce bipartisan legislation requiring the dod to track national guard cyber capabilities. and, mr. smith, you gave a shout out to the program within the national guard. for each of you, how do you assess organizations, but you do
4:02 am
have a number of organizations that you're responsible for, how do you go in and assess what that organization can actually do? and is it effective? so it's great to say, hey, we have a cyber team in doj, but how do you know they're effective? can you explain how you assess that? we'll start with you, mr. secretary. >> thank you, senator. that is an excellent question, and it does represent a significant challenge. we've got a lot of disparate organizations that, obviously, have cyber equities and are developing cyber capabilities. and within the department of defense we have really committed in earnest to start to better understand the cross-cut in terms of the services, the commands, the full range including the national guard. whatever capabilities, what specific skills are they developing, what professional
4:03 am
development program do we have to recruit, train and develop very attractive career paths for the best and the brightest. so we have a number of initiatives starting with the budget initiative. so when you start to see our budget formulations, it's apples to apples instead of what it has been historically, which is each organization's perspective as to what constitutes the different elements of their budget. the road to progress, so to speak, and we found we really have got to ensure there's consistent definitions so we're defining things the same way. the other area in terms of national guard, we track national guard cyber capability development, training, how they fit into the cyber mission force. one area we have a challenge with is under state status, we
4:04 am
don't have that same system of consistent definitions. that's something that we're working at, but we definitely recognize the critical importance of having that common ability across multiple fronts -- >> i appreciate that and that's good to understand that now and get those details and discrepancies worked out. mr. smith, how about you? >> on our technical side we're on the job with that routinely. they're currently actively engaged in incidents and following up on the threats and investigations. we have spent a significant amount of effort in enhancing those, particularly at a much higher level on the cyber technical side, but in addition to that we have taken steps to significantly elevate the entire work force in the digital domain. we have created on the job
4:05 am
training which allows noncyber personnel to be taken offline from investigating other matters to enhance the cyber capability so when they go back after a couple of months, they're capable of bringing both the normal traditional investigative methods along with the current modern digital investigative requirements. longer term, though, when we are talking about the work force of the future we have been collaborating on a much more local level with stem high school programs in developing and building a future work force as opposed to trying to compete with everybody here and with the private industry, which can offer things and more benefits at times than we're capable of, but by building in, in fbi cyber stem programs, bringing local university courses to high school students at an earlier age and supplementing that with
4:06 am
some leadership development in those high school ranks; looking long-term, building a work force that will augment and maintain the necessity we all require and we're talking about here in this digital arena, working with the noncyber elements; in turn, cyber people are at a very high level. >> i'm running out of time. mr. krebs, if you could submit that to us for the record i would be appreciative. one thing, as we look across the board, is really assessing the organizations that fall under your purview, making sure we're not duplicating services amongst our agencies as well, and operating as efficiently as possible. so thank you very much. thank you, mr. chairman. >> thank you, mr. chairman. i'm glad that we're having a discussion about the integrity of our elections and as being fundamental to our democracy. mr. krebs, as i look at this chart, even if it's dated, your responsibility at dhs is to
4:07 am
protect critical infrastructure and you did say you have -- you have an election security task force. do you consider dhs to be the lead agency on making sure our election systems are not hacked? >> ma'am, we do have unique statutory authorities to coordinate protection activities across the critical infrastructure, and as a designated critical infrastructure subsector, yes. i do not physically protect those networks. i enable state and locals and private sector to have better practices. >> but you would be the lead federal agency that would have the responsibility to work with the state and local entities to protect our election systems? >> from a critical infrastructure protection perspective, yes, ma'am, alongside the fbi and intelligence community. >> we're just wrestling with the idea of who is responsible for what. i'd like to get down -- with regard
4:08 am
to the election system we should look to dhs. that's all i want to know. >> i hope your task force is addressing purchases of political ads by foreign countries. hope that's one of the things that your task force will address and whether there's a need for legislation to prevent that kind of -- those kind of purchases. i want to get to a question, too, mr. rapuano, data protection is obviously an important issue where industrial espionage is being carried out and the dod requires contractors to provide adequate security for covered defense information that is processed, stored or transmitted on the contractor's internal information system or network. by december 31, 2017, contractors must at a minimum implement security requirements to meet national institute of standards and technology standards, nist.
4:09 am
so, my question, mr. rapuano, can you talk about the importance of having industry comply with this requirement and how you are working with industry to get the word out so that everyone is aware. i would say small businesses that y'all work with. they need to know they're supposed to be doing this. >> yes, senator. the primary focus is the defense industrial space where we have the highest frequency and most significant dod programs engaged with those private sector elements that work with the department of defense. i work closely with the chief information officer for the department. i can get you additional details on the processes for doing that and -- >> i'd like to make sure that, as i mentioned, particularly small businesses, who may not be aware of this requirement, that they are very aware and that they can -- have enough time to comply because december 2017 is
4:10 am
right around the corner. whatever you have, fliers, whatever you use to get the word out. for mr. krebs, you mentioned in your testimony how cyber actors have strategically targeted critical infrastructure, specifically you identified two malware attacks called blackenergy and havex that targeted industrial control systems and it doesn't take a wild imagination to think of how a sophisticated attack on power plant control systems could cause a massive disruption with grave consequences. what is being done by dhs to encourage the private sector to harden their defense of industrial control systems? >> yes, ma'am. thank you for your question and i share your concern, particularly with respect to
4:11 am
those two toolkits. i think i would -- i'd answer the question two ways. one is endpoint protection. we work closely with the electricity sector, with the sector coordinating council, and that particular -- again, from a grid perspective. then through our industrial control systems, the ics, we look at a more capable solution as i mentioned in my opening statement. not the whack-a-mole approach at the individual facilities but trying to understand what the actual individual control systems are, who makes them. it does tend to be a smaller set of companies rather than 100 or 100 endpoints. we go to the root of the problem, the systemic problem, address that at the manufacturer or coder level, and then from there kind of break out and hit those endpoints. we look at the endpoint and also work at the root problem. >> you perform outreach
4:12 am
activities through ics to make sure that, for example, the utilities sector is adequately -- >> among other mechanisms, yes, ma'am. >> thank you, mr. chairman. >> thank you, mr. chairman. >> thank you for being here. one quick question from the perspective of -- my privilege as the personnel subcommittee chair. what trends, either positive or negative, are we seeing? is it rapuano? is that the correct pronunciation? >> yes. >> you mentioned i think earlier when i was here about the national guard playing some role at the state level. can you give any idea of positive or concerning trends about the resources we're getting into the various agencies to really flesh out our expertise to attract and retain them and to grow them? >> i would simply say -- i think it's been a common experience for my colleagues at the table
4:13 am
here is getting the best talent is a significant challenge in the cyber realm for obvious reasons. >> there's a variety of reasons but what would you list as the top two or three? >> a very high demand signal throughout the entire economy. the compensation that individuals can get on the outside of government is significantly greater. we are trying to address that in terms of our work force management process, and we have some additional authorities that we're applying to that, as i believe other agencies have as well. but again, it's a demand versus supply question. >> we have had this discussion before and actually senator rounds and i talked about it, i'd be very interested in feedback you can give us on things we should look at, as possible subject matter for hearings for retention. i worked in the private sector
4:14 am
and had a cyber subpractice, ethical hack testing practice in the private sector, and what you're up against is not only a higher baseline for salaries but also up against what the industry would call hot skills. these are very, very important skills, and so just when you think you have caught up or got within the range on the baseline comp, firms -- like the firms i worked with, both price waterhouse and ibm -- say we have to have signing bonuses and retention measures that make it impossible for a governmental institution to stay up with it. i'll be brief because we have votes and i want to stick to the time. i want to associate myself with comments and questions made by senator inhofe and senator shaheen. i'll go back to the record to see how you responded. i want to get more of an idea of the scope and scale of nonclassified
4:15 am
software the department uses, as a percentage of the entire portfolio, what are we looking at, at nonconfident -- nonclassified software as the percentage of the base, is it safe to say it's in the thousands, in terms of software platforms, tools, the whole portfolio. >> that's a question i have to take into our system and the cio office, and i can get that information back to you as soon as i get it. >> i would have to get back with you with more specifics. >> i think it would be helpful. i'm sure we have application portfolios -- i hope, i should say -- we're following best practices and somebody out there in the ops world knows what our portfolio is and how they fit into the classified and nonclassified realm. that would be helpful.
4:16 am
i'll yield back the rest of my time so other members can get their questions in before the vote. thank you, mr. chair. >> mr. krebs, just want to make you feel better about your title. enjoyed that interplay with senator shaheen. 40 years ago i worked here as a staff member and was seeking a witness -- from office of management and budget from the administration. they said he's a deputy secretary under such and such. i said i don't know what that title means. the response was -- and you can take this home with you -- it's the highest level where they still know anything, and i realize i'm above that level. but i appreciate having you here. i think you fellas understated one important point and i don't understand why the representative from the white house isn't here because i think he has a reasonable story to tell. on may 11th, the president issued a pretty comprehensive executive order on this subject that is not the be all and end all on the subject but is an important beginning in terms
4:17 am
of -- here's my question. in that executive order there were a number of reportback requirements that triggered mostly in august. my question is, have those reportbacks been done? mr. rapuano? >> senator, they're starting to come in and as you note there are a number that are still due out. just -- >> some were 180 days and in 90 days. i wonder if the ones from august have come back. >> i don't have the full tracker with me here. i can get back. >> i would appreciate that. >> some have been submitted with the original timeline and others extended but absolutely those are the essential elements of information necessary to fully develop and update the strategy to the evolving threats and build that doctrine and requirement and plan. >> you use the key word of doctrine. i want to talk about that. by the same token, this committee passed -- the congress passed as part of the national defense authorization act last
4:18 am
december, a provision requiring a report from the secretary of defense to the president within 180 days, and from the president to the congress within 180 days. that report would have been due in june from the secretary of defense involving what are the military and nonmilitary options available for deterring and responding to imminent threats in cyberspace. do you know if that report has been completed? >> yes, senator. it was our original intent and desire to couple the two with the input in the president's eo and the input back to the senate. based on the delay of the president's eo we decoupled that because we recognize your impatience so we'll be submitting it to you shortly. >> shortly doesn't make me feel much better. is that geologic time or --
4:19 am
>> calendar time. >> please let us know. you mentioned the word doctrine, and i think that's one of the key issues here. if all we do is try to patch networks and defend ourselves, we'll ultimately lose. there has to be -- and mr. smith, you used the term "impose consequences." right now, we're not imposing much in the way of consequences. for the election hacking, one of the most egregious attacks on the united states in recent years, there were sanctions passed by the congress but it was six or eight months later and unclear how severe they -- we need a doctrine where our adversaries know if they do x, y will happen to them. just being on defense won't work. you're in the boxing match and can bob and weave, if you're not
4:20 am
allowed to ever punch you'll lose the boxing match. >> yes, senator. i certainly agree that both the demonstrated will and ability to respond to provocation in general, and cyber specific, is critical to effective deterrence. i think the challenge we have that is somewhat unique in cyber is defining a threshold that then does not invite adversaries to inch up close but not on to it. it's important to make them highly specific versus general, and the downside of the general is it's too ambiguous to be meaningful. >> part of the problem is we want to keep secret what we can do when in reality a secret deterrent is not a deterrent. the other side has to know what is liable to happen to them, and i hope you'll bear that in mind. i think this is a critically
4:21 am
important area because we have to have a deterrent capability. otherwise, we know this is coming. so far there hasn't been much in the way of price paid, whether it was sony, or anthem blue cross or the government personnel office or our elections. there have to be consequences. otherwise, everybody is going to come after us. not just russia but north korea, iran, terrorist organizations. this is warfare on the cheap and we have to be able to not only defend ourselves but to defend ourselves through a deterrent policy, and i hope in the councils of the administration that will be an emphasis on your -- no, your response. >> yes, i agree, senator. that is the point of the eo in terms of the deterrence option set, to understand them in the wider context of our capabilities, different authorities, and to start being more definitive about the deterrent options and he
4:22 am
them. >> thank you, mr. chairman. >> i want to return to that. i keep hearing the words but don't see something specific in place, and we have struggled with this for years on this committee now. imagine that tomorrow we had a foreign nation state cyber attack on our financial or banking sector or next month on our utility or our transmission infrastructure or next year on our elections, and i would suggest that any of those would cross the threshold. what is our doctrine for how, when, and with what level of proportionality we're going to respond to that kind of a cyber attack? mr. rapuano. >> first i'd note that obviously our deterrence options are expansive beyond cyber per se. so cyber is one of a large number of tools, including diplomatic, economic trade,
4:23 am
military options, kinetic, including, and then cyber. so looking at the broad space -- >> i agree wholeheartedly, shouldn't limit yourself to responding in kind with the same level of -- or with the same toolbox, but do we have a doctrine, because if we don't have a doctrine -- in the cold war we knew what the doctrine for the other side was and they knew what our doctrine was and that kept us from engaging in conflicts that neither side wanted to engage in. do we have an overall structure for how we're going to respond and if we don't, i would suggest we have no way to achieve deterrence. >> we do not have sufficient depth and breadth of doctrine as we have been discussing and that's one of the primary drivers of the executive order, 13800. to have the essential elements
4:24 am
to inform the doctrine. >> the chairman has been asking for an overall plan for i don't know how long, and i think that is what we're all going to be waiting for, and i wish i could ask the same question of mr. joyce, but maybe in a future hearing. for any of you, i spent a good part of yesterday looking at russian created, russian paid for facebook ads, that ran in my state and in places across the country, and were clearly designed to divide this country as well as to have an impact on our elections. what is the administration doing to make sure that in 2018, we're not going to see the same thing all over again? don't all speak at once. >> let me start with the
4:25 am
election infrastructure subset. from a pure cyber attack perspective we're working with state officials to update their defense. with regard to the ad buy, it's an emerging issue we're assessing and i can defer to the fbi on their efforts. >> it's not emerging. it emerged. we have been trying to get our hands around this for close to a year now, and we still don't seem to have a plan, and that worries me enormously. we have special elections in place. we have gubernatorial elections in place, and we are continuing to see this kind of activity and we need to get a handle on it. let me go back to your issue of election infrastructure. as a number of people have mentioned it has been widely reported that there was cyber intrusion into state level voting infrastructure, and it
4:26 am
was -- it's my understanding that dhs, before you got there, was aware of the threats well before last year's election, but only informed the states in recent months as to the nature of the intrusions in those specific states. why did it take so long to engage with the subject matter experts at the state level and is there a process now in place so that we can get those security clearances that you mentioned in a timely way so that the conversation can head off similar activity next year? >> sir, thank you for the question. i understand that over the course of the last year or so, officials in each state that was implicated were notified at some level. as we continue to study the issue and got a fuller understanding of how each state has perhaps a different arrangement for elections, in some cases it's state, local, chief election official, a cio
4:27 am
for the state, cio for networks, homeland security adviser. as we get our arms around the problem and the governance structure in 50 states and territories, we have a better sense of the fuller range of notifications we need to make. when you think about the notifications of september 22nd, that was a trueing up, perhaps, of each state saying, we let these officials know. i wouldn't characterize it as we just let them know then. it's we broadened the aperture and gave them context around what may have happened. >> i'm working on legislation and have been working with the people -- secretary of state from my state and then -- who is obviously involved in the national association of secretaries of state. it's not rocket science. it is basically building a
4:28 am
spreadsheet of who and at what level and when we see things happen in a given geographic area, pull out the book and figure out who you need to be talking to, and we need to make sure that is in place. >> yes, sir, we're actively working that right now. >> senator mccaskill. >> thank you. to reiterate some of the things said previously, but the empty chair is outrageous. we have a foreign government go at the heart of our democracy, a foreign government that wants to break the back of every democracy in the world, and it -- a very smart senator i heard say in this hearing room, who cares who they were going after this time -- it will be somebody else next time, and i am disgusted that there is not a representative here that can address this. i also am worried -- >> could i ask -- interrupt, senator, and just say that we
4:29 am
need to have a meeting of the committee and decide on this issue. i believe you could interpret this as a misinterpretation of the privileges of the president to have counsel. he is in charge of one of the major challenges, major issues of our time, and now he is not going to be able to show up because he is, quote, a counselor to the president. that's not what our role is. >> that's never -- i think in any other situation, let's take out the president, take out russia -- this circumstance would not be allowed to stand by the senate typically. >> i agree. >> you would know more about that than i would; you've been here longer. this is something that we need -- in these times when there's an issue every day that is roiling this country we have a tendency to look past things that are fundamental to the oversight role here in the
4:30 am
Senate, and I'm glad that the chairman is as engaged as he is on this issue, and I look forward to assisting.
>> I'm -- this should not count against the senator's time, but we'll have a full committee consultation on it, and I thank the senator.
>> I'm worried we have no nominee for your position, so if the White House reviews this testimony, I hope they will understand that your job is really important. I'm not taking sides as to whether or not you're doing a good job or a bad job, but the point is we don't need the word "acting" in front of your name for this kind of responsibility in our government. Unfortunately, the chairman of the committee I'm ranking on, Homeland Security, has chosen not to have a hearing, believe it or not, on the election interference, so this is my shot, and I'm hoping that the chairman will be a little gentle with me because I haven't had a chance to question on some things. Why in the world did it take so
4:31 am
long to notify the states where there had been an attempt to enter their systems, their voter files?
>> Again, ma'am, as I mentioned earlier, at some point over the course of the last year, not just September 22nd, an appropriate official, whether the owner of the infrastructure, a private sector owner, or a local official, state official, state secretary, someone was notified.
>> Shouldn't all of the secretaries of state have been notified? Isn't that just like a, duh.
>> I share your concern. Over the course of the last several months we had a truing up and have opened a sort of governance structure for each state, the folks that need to be notified.
>> What's the explanation for a state being told one day it had been and the next day it hadn't been? How did that happen?
>> I understand the confusion that may have surrounded the notification of September 22nd.
4:32 am
There was additional context that was provided to the individual states, so in one case perhaps the election system network may not have been scanned or targeted. It may have been another state system. I analogize that to the bad guy walking down the street and checking your neighbor's door to see if they had a key to get into your house. It's not always that they're knocking on the network. They may be looking for other ways in through other networks --
>> Doesn't change the fact that the secretaries of state should have been immediately notified in every state where there had been knocking on a neighbor's door or their own door. The bottom line is we -- the good news is we have a disparate system in our country, so it's hard to find one entry point. The bad news is if we don't have clear information going to the secretaries of state, then they have no shot of keeping up with the bad guys.
>> That's right.
4:33 am
Going forward, we have that plan in place. We have governance structures. We have notifications, as I mentioned earlier. Security clearance processes are ongoing for a number of officials, and we'll get them the information they need when they need it, and they can act.
>> They don't want to take advantage of your offering, which is terrific -- you'll check their systems, no mandate, no hook, no expense. I talked to the secretary of state of Missouri, and he was saying, listen, they're not even talking to us. This was before September, but I do think somebody has to take on the responsibility of one-on-one communication with 50 people in the country, plus I don't know who does voting in the territories, but -- as to what is happening, what you're doing, what they're doing, this -- I'm not exactly -- I'm not really enamored of the idea of moving off of this to DoD. What do we do with the workforce there? Would there be reluctance to participate fully if it was
4:34 am
directed to be in DoD? But the chairman's point: if you don't begin a more seamless operation with clear lines of accountability and control, we have no shot against this enemy. None. And it worries me that this has been mishandled so much in terms of the communication between the states that are responsible for the validity of our elections. Let me talk about Kaspersky. How are you going to make sure it's out of our systems?
>> A little over a month ago we did issue a binding operational directive for federal --
>> If they've got another 90 days to get stuff out, because you're giving them a long time.
>> Yes, that is a 90-day process to identify, develop plans to remove. There may be budgetary implications, and then 30 days to execute. We have seen a number of activities in the intervening 30-plus days of people taking it off.
4:35 am
>> Let me just ask you: do you think if this happened in Russia, if they found a system of ours that was looking at all of their stuff, do you think it would -- they'd tell their agencies of government you have 90 days to remove it?
>> Ma'am --
>> Seriously?
>> I learned not to predict what --
>> I mean, really. The point I'm trying to make is, why don't you say you have to do it immediately?
>> Ma'am, there are -- you can't just rip out a system. There are certain vulnerabilities that can be introduced by just turning a critical antivirus protection off. We need to have a process in place that you can replace it with something that is effective. In the meantime we're able to put capabilities around anything that we do identify to monitor for any sort of traffic.
>> Is the private sector fully aware, and are government contractors fully aware, of the dangers of the Kaspersky system?
>> We have shared the
4:36 am
binding operational directive with our partners, including state and local partners, and we are working with our interagency partners as well. We're sharing risk information.
>> Is that a little bit like sharing with the appropriate people at the time but not the secretaries of state? There needs to be a red siren here. What about the government contractors? Is this BOD binding on our government contractors?
>> It is not --
>> Shouldn't it be published?
>> Let me follow up on that to get the specifics.
>> Shouldn't it be? It makes sense. Since we have more contractors on the ground in Afghanistan than troops, it would be important to get Kaspersky out of there.
>> That would be a Department of Defense -- my authority only extends to federal civilian agencies.
>> Department of Defense, have you guys told the contractors?
>> We have instructed the removal from all of the DoD information systems. I'll follow up specifically on contractors.
>> I'd like an answer on the contractors. Thank you, Mr. Chairman, for your indulgence.
4:37 am
>> Why did it take over a year to notify states that their election systems were targeted?
>> Ma'am, as I've stated, we notified an official within each state that was targeted or scanned. In the meantime, we did -- we have offered a series of services and capabilities, including cyber hygiene scans, to every state in the union and every commonwealth. So not only did we notify the states -- granted, there was a broader notification that we subsequently made -- but we did make capabilities available to all 50 states and --
>> And are all 50 states using the capabilities that you offered?
>> I don't have the specific numbers of the states that are using ours, but we have seen a fairly healthy response.
>> I would like a report on
4:38 am
whether all states are using the recommended technology that you offer to them, because I don't think -- I think we need to have that kind of transparency, given what Senator McCain started this hearing with. I think it is a national security priority.
>> Yes, ma'am.
>> And if the states are not doing their jobs well, we need to provide the oversight that is necessary to make sure they do do their jobs well. Do you believe that making these election cybersecurity consultations optimal is sufficient?
>> I'm sorry, making them --
>> Optional, optional.
>> Excuse me, optional.
>> You know, fundamentally there are some constitutional questions in play here. What we do in the meantime is ensure that every resource that we have available and out there, the state and local governments and election systems have the ability to access.
>> I understand that there is a nine-month wait for a risk and vulnerability assessment. Is that accurate?
>> We offer a suite of services
4:39 am
from remote scanning capability, scans, all the way up to a full-blown vulnerability assessment that can sometimes -- just to execute that vulnerability assessment, because of the breadth and depth of the assessment, can take a number of weeks, if not months, to conduct that assessment itself. So we are in the process of looking into whether that nine-month backlog exists and how to ensure, again, that in the meantime we can provide every other tool needed out to the state and local officials.
>> I guess what I'm trying to get at is, are we ready for the next election, and do you believe we are cyber secure for the next election?
>> I think there's a lot of work that remains to be done. I think we need to, as a country, we need to continue ensuring that we're doing the basics right. And even at the state and local level, the private sector, there's still a lot of basic hygiene activities that need to be done.
>> I would like a full accounting of what's been done,
4:40 am
what is left to be done, and what are your recommendations to secure our electoral system by the next election, and I'd like it addressed to the entire committee, because we just need to know what's out there, what's left. Senator Graham and I have a bill to have a 9/11-style commission to do the deep dive you are doing, to make recommendations to the Congress on the ten things we must do before the next election, and then have the authority to come back to us so we can actually implement them. Because doing it on an ad hoc basis isn't sufficient, and I'm very worried that because there's no accountability and because of the constitutional limitations that you mentioned, that we are not going to hold these states accountable when they haven't done the required work. So we at least need to know what have you succeeded in doing, what is still left to be done, what are the impediments. Is it delays? Is it lack of enough expertise? Is it a lack of personnel? Is it a lack of resources? I need to know, because I need to fix this problem.
>> Yes, ma'am. I'll say that we are making significant progress.
4:41 am
We have a working relationship with state and local election officials, and we are moving forward with the next, towards the next election.
>> Okay. In your confirmation hearing you said that the Russian interference in our election is a credible and growing threat and Russians will continue to interfere as long as they view the consequences as less than the benefits they accrue. Given the likelihood of continued cyber influence in the American elections, what are the immediate steps that you are going to take and that the federal government should take to restore the integrity of our elections? And I know you answered one of the earlier questions with the work we're doing with the National Guard, but I know that you are not necessarily doing all the training necessary or spending the resources to do all the National Guard training consistently with other active personnel.
>> Senator, we, we stand at the ready in terms of the process that DHS has put into place to support all the states with
4:42 am
regard to the election system vulnerabilities. To date, we have not been tasked directly to support that effort, but we certainly have capabilities that we could apply to that.
>> Well, can I just have your commitment that in the next budget you will include the full amount needed for the training of these cyber specialists within the National Guard?
>> What I need to do, senator, is check on the status of our current funding for that effort, and I will get back to you --
>> Thank you.
>> -- in terms of any deltas.
>> Thank you, Mr. Chairman.
>> [inaudible]
>> Thank you, Mr. Chairman. So I want to follow up, if I can, on these questions about the attacks on our voting systems. We know that 21 states faced attacks by Russian actors. Seems like the Russians are pretty happy with those efforts, and I don't see any reason to believe they won't try again. In fact, Mr. Krebs, your predecessor at Homeland Security
4:43 am
recently urged Congress to, quote, have a strong sense of urgency about Russian tampering in the upcoming elections, and I know that Homeland Security designated our election system as critical infrastructure earlier this year. I'd just like to follow up on the question that Senator Gillibrand was asking and what I think I heard you say. Are you confident that our nation is prepared to fully prevent another round of cyber intrusions into our election systems in 2018 or 2020, Mr. Krebs?
>> So what I would say is that we have structures in place. This is not an overnight event. We are not going to flip the switch and suddenly be 100% secure --
>> So we're not there now.
>> We are working towards the goal --
>> We are not there now?
>> I believe there's work to be done, yes, ma'am.
>> Okay, so we're not there now. Can I just ask, have you done a
4:44 am
state by state threat assessment of the cyber environment leading up to the next election?
>> Are you speaking of specific to the election infrastructure or statewide?
>> Election infrastructure.
>> I would have to check on that. I don't have the --
>> You don't know whether or not there's been a state by state --
>> We have engaged every single state. We are working with their --
>> But my question is actually more specific. A threat assessment for each state on their election infrastructure.
>> I would have to get back to you on that.
>> Okay. Are there minimum cyber standards in place for election systems?
>> We do work with the National Institute of Standards and Technology and the Election Assistance Commission to look at security standards for voting --
>> I understand you work on it. My question is, are there minimum cyber standards --
>> There are recommended standards, yes, ma'am.
>> There are minimum --
>> There are recommendations, yes.
>> In place. Are there established best practices?
>> I believe there are best
4:45 am
practices.
>> Okay, and those are in place. And any plans for substantial support for states to upgrade their cyber defenses?
>> If you're talking about investments, I --
>> I am.
>> Okay. That is, that's a different question that I think we need to have a conversation between the executive branch and Congress about --
>> Was that a no?
>> At this point I, we -- I do not personally have the funds to assist --
>> So that's a no.
>> That is a resourcing to states that are grant programs we can put in place perhaps to --
>> So you not only don't have the money to do it, do you have any plans? I'll ask the question again: for substantial support for states to upgrade their cyber defenses, do you have plans in place?
>> We're exploring our options.
>> So the answer is, no, you do not have them in place.
>> We are working on plans, yes, ma'am. We're assessing what they need.
>> Yes, the answer is no? Okay. Look, I understand that states
4:46 am
have the responsibility for their own elections and also that states run our federal elections, but I don't think anybody in this room thinks that the Commonwealth of Massachusetts or the city of Omaha, Nebraska, should be left by themselves to defend against a sophisticated cyber adversary like Russia. If the Russians were poisoning water or setting off bombs in any state or town in America, we would put our full national power into protecting ourselves and fighting back. The Russians have attacked our democracy, and I think we need to step up our response, and I think we need to do it fast. Thank you, Mr. Chairman.
>> Thank you, Mr. Chairman. And thank you to our witnesses for your testimony today. I think I would concur with all of my colleagues up here that the number one national security threat we face as a country is the cyber threat. It's one we have to be laser focused on, and I will concur with the chairman and
4:47 am
others who are very frustrated and troubled by the fact it doesn't seem like we have a comprehensive strategy; we don't have a plan to deal with this in a comprehensive way integrating both state and local officials with federal officials as well as the business sector, which is under constant attack. We know the risk is not just military, it's not just the elections -- as significant as that is, because it goes to the core of our democracy. But significant attacks against our economic security, which also goes to the core of our civilization. And we have just been hit with an absolutely incredible hack with Equifax that has taken the most private information to open up accounts and to take somebody's identity, and you're talking about over 100 million people in this country. I can't think of a worse type of cyber attack. Mr. Smith, do you think we will be able to determine who was responsible for that hack?
>> Yes.
4:48 am
>> When will we be able to do that?
>> I wouldn't want to put a specific --
>> Generally. Yes, sir.
>> Generally, within maybe six or eight months. That's on the far side.
>> So hopefully within less than that time. Attribution's always difficult. You believe we'll be able to identify who was responsible. And then second, do we have the tools to effectively punish those individuals or whoever that entity may be?
>> Those are --
>> Two separate questions.
>> Correct. And two separate issues. First, on the attribution point, to get it to a certain destination is easier than the second question, which is, you know, imposing significant consequence on an individual or on a specific, if it becomes nation-state or associated like that. As you've seen recently, though, with the Yahoo! compromise where
4:49 am
we are seeing a blended threat targeting our businesses and our country where you have criminal hackers working at the direction of Russian intelligence officers. So that's where I become a little more vague as to my answer on specifically would we be able to impose consequences.
>> Which is a significant problem that you can't answer that, I would think. Not to you personally you can't answer it, but that we don't have a plan, we don't have a deterrence plan that says if you do this, these are the consequences for you, and they will be significant, particularly if there's a state actor associated with it. Now, I know you mentioned the line, we don't want to actually put a line somewhere because everybody will work up to that line. I think the problem we have now is we have zero lines right now, so it's like the Wild West out there. But would you concur that if a state actor, hypothetically a
4:50 am
state actor was behind an Equifax breach that compromised the most personal financial information of over 100 million Americans, would that be over any kind of line that you could see?
>> Sir, I think that the process that we have in play right now in terms of all the reports being submitted in response to the executive order, looking at how we protect critical infrastructure, modernizing IT, developing the workforce, developing deterrence options, looking across that suite of issues -- what are our capabilities, what are our vulnerabilities, what are the implications of adversaries that are exploiting those vulnerabilities -- that helps inform that doctrine, and that also helps inform an understanding of how to best establish what those thresholds are, those deterrence thresholds. What may be too specific to be useful, but what is too vague to be useful as well.
>> Well --
>> You're on the path to developing that.
>> Well, having said that, I think it's a straightforward question.
4:51 am
Somebody who hacks in and steals information from over 100 million Americans, and something that compromises their potential identity for the rest of their lives, I would hope the directive would say that's well over any kind of line.
>> It certainly warrants a consequence, absolutely. Is it an act of war? I think that's a different question. And I think there are a number of variables that go into that, and there would be more details that we'd be looking at in terms of understanding what the actual impact is, who the actor is, what's our quality and competence in attribution.
>> Mr. Krebs, you answered questions related to taking out the software from the machines of the United States government because of the risk that is inherent there. If the risk is there for the U.S. government, isn't it risky for the average citizen as well to have this software on their computers, when we have millions of Americans that have this software and essentially access
4:52 am
to their personal information on that computer? Isn't that a significant security risk that we should alert the public to?
>> So risk, risk, of course, is relative. The Department of Homeland Security made a risk assessment for the civilian agencies that we were not willing to have these products installed across our networks. I think that's a pretty strong signal of what our risk assessment was, and we have shared information across the critical infrastructure community and state and locals on that decision.
>> So you say that's an indication of the seriousness of the problem. So is the -- should the average citizen also take this software off their system?
>> I think the average citizen needs to make their own risk-informed decision. The federal government has made the decision this is an unacceptable position, and we're instructing agencies to remove it at present.
>> Right. Thank you so much.
>> Thank you very much, Mr. Chairman. Just quickly, following up on
4:53 am
Senator Peters' line of questioning, is Cyber Command prepared to engage and defeat an attack on critical infrastructure of the United States? I know there's an issue here of what's the trigger, but are they prepared to do that right now?
>> So --
>> Right now?
>> So Cyber Command is developing a suite of capabilities against a variety of targets that -- yes, it is inclusive of responding to an attack on U.S. critical infrastructure.
>> And so the question is, and Senator Peters raised it, is what is the, for want of a better term, the trigger. And you suggested act of war. We're still on sort of the definitional phase of trying to figure out what would prompt this. We have the capability, but the question is under what circumstance do we use it, is that fair?
>> That is fair, absolutely.
>> Thank you.
4:54 am
>> I want to thank you for the hard work you're doing and your candor in helping this committee understand many of the challenges. But I -- and I must say I appreciate your great work on behalf of the country. But I go back four years ago, I go back two years ago, I go back one year ago, I get the same answers. We put into the defense authorization bill a requirement that there be a strategy followed by a policy followed by action. We have now, four months late, a report that's due before the committee. We have our responsibilities, and we're going to carry them out. We have, we have authorities that I don't particularly want to use. But unless we are allowed to carry out our responsibilities to our voters who sent us here,
4:55 am
then we're going to have to demand a better cooperation and a better teamwork than we're getting now. And again, I appreciate very much the incredible service that you three have provided to the country, and I am certainly not blaming you for not being able to articulate to us a strategy, which is not your responsibility. The implementation of actions dictated by the strategy, obviously, is yours. So when we see the person in charge at an empty seat here today, then we are going to have to react. The committee is going to have to get together and decide whether we're going to sit by and watch the person in charge not appear before this committee. That, that's not constitutional.
4:56 am
We're co-equal branches of government. To make sure -- so I want to make sure that you understand that every member of this committee appreciates your hard, dedicated, patriotic work and what you're dealing with and doing the best that you can with the hand you're dealt. And this hearing has been very helpful to us in assembling that -- not assembling, but being informed as to one of the major threats to America's security. And I thank you for that. I thank you for your honest and patriotic work. But we are going to get to this because of the risk to our very fundamentals of democracy, among which are free and fair elections. So is there anything that the senator from Maine would like to editorialize? He usually likes to editorialize on my
4:57 am
5:00 am
[inaudible conversations]
>> You're watching BookTV on C-SPAN2, with top nonfiction books and authors every weekend. BookTV, television for serious readers.
>> And this weekend on BookTV's "After Words," former Fox News anchor Gretchen Carlson discusses sexual harassment in the workplace in conversation with Washington Post columnist Sally Quinn. You'll also hear from former Vice President Al Gore on the effects of climate change around the world, as well as a discussion about free speech on America's college campuses. Also airing this week, Stewart Patrick deb