and let us know what your thoughts are and where you feel the weaknesses or strengths lie so we can expand or detract from that, and i am deeply concerned. i think you're right, i know you're right in the fact that we're always reacting instead of being proactive and when the attack happens we find out about it after, after our technology and intellectual property and military secrets and plans are stolen. and that's deeply concerning to me. i'm wondering, as the technology continues to advance with potential cyberattacks are capable, as you know, and i think have referenced, executed at increasing speeds, do you have enough leg room from the authorization standpoint to act at the earliest possible opportunity to defeat a cyberattack before it's launched? do you have enough flexibility, do you think? >> those are some of the issues that are being considered in the rules of engagement. so i won't know until we're complete with that. we are pushing for what we think

we need and i think what the chairman and joint staff and osd will do is say okay, what makes sense. being extremely candid on this, it really comes down to so what are those actions that make the sense that we can do defensivdey analogous to the missile shoot-down. if you were to go after a computer in foreign space or some other thing, that might be a response option that would now take i think the president and the secretary to step in and start making decisions versus taking that on. i think that's probably where we'll end up and that makes a lot of sense from my perspective. >> first, thank you very much both of you. this is an issue that deeply concerns me and many other members of the committee. i will be submitting some questions for the record just -- or maybe we can speak offline. i don't want to have you reinvent the wheel, just some areas i think i need a better

understanding of. thank you very much. >> thank you, senator brown. senator hagan? >> thank you, mr. chairman. thank you both for your testimony today and certainly for your service to our country. thank you. general alexander, the administration believes that it's crucial for critical infrastructure companies to carefully diagnose their cyber-vulnerabilities and the risks posed to the american people should these vulnerabilities be exploited and to take steps to eliminate these vulnerabilities. the administration has proposed legislation to ensure that industry stands up to these responsibilities as a matter of national security. the administration's also seeking to extend the signature based defense that the nsa and u.s. cybercommand have developed for d.o.d. critical infrastructure. since the administration seeking to implement both approaches, the implication is that neither one alone is seen as sufficient to meet the threat. others, however, take the

position that information sharing in conjunction with the national security agencies defensive solution would be enough, that it's not necessary to require critical infrastructure companies to build up their own defenses. do you believe that nsa's signature-based defense deployed recently in the defense industrial base pilot program can defend our nation's critical infrastructure against nation state cyberthreats or do you believe that the critical infrastructure companies also need to close their vulnerabilities? >> senator, first, i think it's the latter. we need both. but i'd like to take it one step further because i don't think what we're talking about is having nsa deploy capabilities out there. rather, what we're talking about is nsa providing technical capability to others to run so we don't want, nor do we want to run stuff within -- i want to make that part clear. it's not us putting stuff out

there for us to operate. what we're really saying is industry has a bunch of signatures that can detect foreign actors that are coming against them. government has some of those. nsa, dhs, fbi. all of us need to work together to provide the best set of signatures to protect that critical infrastructure. industry can actually operate that and tell us when that occurs. i also think that you need to set a set of standards for how those systems are operated to give you the best and i'll call that, the general mentioned it, it's in there, resilience. we need resilience in those networks to ensure they can operate and be defensible while we're trying to defend the country outside. does that make sense? >> um-hum. you know, just last friday, i read about it yesterday, microsoft was accompanied by u.s. marshals and they raided office buildings in pennsylvania and in illinois to disrupt a group of computers, a botnet that was harvesting bank accounts, passwords and other personal information from

millions of computers, and microsoft's actions show what's possible and some say is certainly necessary now to stop cybercrimes. what are your thoughts on these actions, just taken recently, and should they serve as a model for other private industries and is there a take-away for the department of defense on this recent raid? >> senator, i think it shows how we can work together, industry and government, to do what's right here and by bringing both of those together, we're better off for it. i think what we've got to do is we've got to come up with that solution in this area, too, and i know both bills are looking at that. i think that information sharing is critical. >> thank you. general alexander, it's often argued that terrorist groups and rogue nations such as north korea, for example, do not yet possess the sophisticated and extensive cybercapabilities to effectively cripple our nation's

critical infrastructure. for example, general cartwright, former chairman of the joint chiefs, has publicly expressed doubt that this class of actors could carry out such attacks today, however, we are aware of what's described as a thriving international black market, where it's possible to buy or to rent cyberattack tools in large scale supporting infrastructure such as thousands or even millions of compromised computers that are deemed to be effective against almost any type of network or information system. this black market has developed to support the vast cybercriminal activities that have been estimated by some to now yield more revenue than the global legal narcotics trade. this criminal money then obviously fuels research and development of modern and up-to-date cyberattack tools. could this black market or rogue nations -- sorry, could this black market and cyberattack tools and infrastructure now or in the future enable terrorists

or rogue nations to acquire ready-made capabilities to inflict significant damage on the u.s. economy and our critical infrastructure? are you worried about that? >> senator, that's my greatest worry. i would go beyond that group. i think the proliferation of cyberweapons, if you will, grows, that we cannot discount the actions that one smart person can do. from my perspective, when we see what our folks are capable of doing, we need to look back and say there are other smart people out there that can do things to this country. we need to look at that and say how are we going to defend. from my opinion, that could go from as you described accurately, and i agree with that, could be non-nation state actors all the way up to nation state actors like north korea. i wouldn't discount any of them. we have to be prepared for all of them. only one of them could do tremendous damage to this

country. >> thank you. last july, general cartwright also speaking as the vice-chairman noted the challenges of recapitalizing all three legs of the triad with constrained resources. general keller, you have raised a similar point, that we are not going to be able to go forward with weapons systems that cost what weapons system currently are costing today. in the search for a solution to these challenges, options seem to take the form of delaying the current programs or reducing the size of the planned programs. what are your thoughts on the pluses and minuses of each of these options? >> senator, first of all, i continue to support the need for a balanced triad of strategic deterrent forces. i think the triad has served us well. i think it continues to serve us well. i think that as we look to the future, there are attributes that are spread across the triad that continue to make sense for our national security.

having said that, i am concerned about the costs and so i think there are a couple of things that we need to keep in mind. we need to phase these programs appropriately. we need to make sure that we have matched the investment with the needs. we need to control costs. i think there are a number of programatic steps to take as we go forward. when i look at the ohio replacement program, i know that we are making decisions here today that will be with us for decades to come. the ohio replacement program as far as we can see into the future, we believe that we see the strategic need for and the strategic value of a submarine based part of our deterrent so moving forward with that, even though we've had to delay the program some, is going to be important. that's also important with our allies, the brits. it's important we have a dual capable long-range bomber. it needs to be nuclear capable but it won't just be used for nuclear purposes and if we do

our deterence job right it will never be used for that purpose. it may very likely be used to employ conventional weapons which is what b-52s and b-2s and b-1s have done. the final -- and that program is under way. i think controlling cost is going to be a big issue in both of those programs. the next question then becomes the future icbm. we have begun an analysis of alternatives to look at what shape, form that might take. and then as we go to the future, i think we will get to a number of decision points on all of these systems that will allow the future environment to shape what the ultimate force outcome becomes. >> my time is up. thank you, both of you. thank you. >> thank you, senator. senator ayott? >> thank you, mr. chairman. thank you, general alexander and thank you, general kehler for being here today and for your service. general kehler, the senate

support for the new s.t.a.r.t. treaty was tied to modernization of the united states nuclear complex and strategic delivery system, and specifically during the senate confirmation, the president committed to modernization in what became known as the 1251 plan that was incorporated in the 2010 ndaa, isn't that right? >> senator, yes. >> okay. and if you look at that commitment in the 1251 plan, there was an initial plan submitted in may of 2010, and then a month before the ratification of the senate treaty, there was $4.1 billion added over five years to the plan. isn't that right? >> yes. you're talking about the d.o.d. -- >> yes. but that was specifically reflected a month before the ratification of the s.t.a.r.t. treaty put into the 1251 plan as

incorporated in the 2010 ndaa. >> senator, i think that's right. that's a little before my time but i think that's right. >> the reason that was done is because modernization was such an important issue to getting that treaty through the united states senate, because modernization is very, very important for our nuclear program, isn't that correct? >> yes, it is. >> okay. well, the 2013 budget request underfunds the commitment made that was expressly made in conjunction with the ratification of the s.t.a.r.t. treaty by over $4 billion over the next five years. isn't that the case? >> it is not -- it is lower than the level of the 1251 report. yes, it is. >> it's $4 billion lower. roughly. >> i think that's right. yes. >> okay.

which the president a month before ratification, to get the senate to sign on to the reductions in the s.t.a.r.t. treaty added $4 billion because we were so worried, i wasn't here at the time, but i know many of my colleagues were very worried about modernization of the program if we were going to make the reductions required by the s.t.a.r.t. treaty, and if the president is not following through, why didn't we include the $4 billion in the slipped to the right five to

seven years, i believe was the number. >> would that not be a broken promise from what was required by the 2010 ndaa and what was specifically contained within the 1251 plan? >> it's certainly different than the 1251 plan, yes. clearly. >> well, if my colleagues signed on to the s.t.a.r.t. treaty concerned about modernization with a commitment from the administration of a certain level of resources, particularly this facility that we've talked about, the cmrr facility is critical, is it not, to modernization? >> yes, it is. >> so no doubt that we need it to modernize. >> in the long run, there is no doubt we need it. >> okay. and so when you were being questioned by senator nelson, you said you owe us questions -- i mean, you owe us answers to this. is that true? >> yes. >> i guess i would reframe it, i think what we need is a commitment from the administration to follow through

on what they promised in conjunction with the ratification of the s.t.a.r.t. treaty because without modernization of our nuclear deterrent, what are the concerns that you have if we don't modernize? >> well, i have a lot of concerns if we don't modernize. i think you have to look at this in terms of there are four pieces to this from my vantage point. piece number one is the delivery systems and i just mentioned that there are modernization plans in place for the delivery systems or there's a study under way to take a look at the icbm leg and what we might need as we go to the future. there's command and control, and the commitment to both of those. the real issue for me is the weapons end of this. and the weapons complex that supports those. in an era that we are in today without nuclear explosive package testing, where we don't do any yield testing, that puts

a strain on the industrial base in a way that i believe hasn't been strained in the past. it strains the science and engineering skills that we have to make sure that as we do life extensions, that we have the appropriate science basis and understanding to be able to do those extensions without nuclear testing. we have issues with aging. most of the problems with the weapons that we have today is that they're reaching the end of their lifetimes in various stages, and so being able to have life extension for those weapons is also very important. at the end of the day, if you have a more modern complex, we think that we probably can have a smaller stockpile, because the way we would hedge against failure would be different as we go to the future. >> but if we just reduce our stockpile and we don't modernize, aren't we taking on additional risk? >> i think that there are scenarios there where that can

be additional risk, yes. >> okay. i certainly would like to know why as reflected in the d.o.d. '13 budget the administration has not followed through on its commitment to modernization, because i think that was critical, as i understand it, toward many individuals around here, they were concerned about that in the debate over the s.t.a.r.t. treaty so it was a very important issue. that's why it was specifically incorporated and tied to the s.t.a.r.t. treaty in the 2010 ndaa. i would hope you would take that for the record and get back to us on that. >> we'll certainly do that. fully understand the concern, recognizing that nothing was immune when we went through the budget reduction to include the nuclear force. i believe that we balanced the investments in much of the portfolio. it doesn't look like the 1251 report but i think we balanced much of it. what concerns me the most i think is the industrial complex. >> okay. thank you very much.

i also wanted to follow up with a question about understand it, historically, general kehler, why do the russians not want us to improve our missile defense system in europe and expand it? they have been very concerned about that. why is that? >> i could give you my understanding of where i think they are. they are very concerned at least in the informal context that i've had with some russian officials, they continue to sayr deployment of a missile defense system will tip the strategic balance in our favor, that it will render their offensive capabilities irrelevant. our contention is that's not at all true, and therein has been the conversation back and forth. >> so my time is up.

so when the president said that essentially, he had to be given space to the russians the other day, what he was really talking about is their concerns about us expanding or enhancing our missile defense system in europe, and and even on the continental u.s. it could be interpreted that way because the russians don't want us to do that. i'm really concerned about that statement that senator inhofe asked you about in the context of what it means in terms of what we would be conceding to the russians going forward in protecting the united states of america and our allies. so thank you very much for appearing today. appreciate it. >> thank you, senator. senator blumenthal? >> thank you, mr. chairman. thank you to you both for your service, your extraordinary service to our nation, in each of your commands and responsibilities and to the men and women who serve under you.

general kehler, if i could begin just briefly following up on a remark that you just made about the ohio class submarine which you have said is going to be of strategic vital importance as far as we can see into the future, i probably am paraphrasing you, not quoting you directly, but i agree completely, and i wonder if you could speak to the significance of the ohio class submarine replacement in terms of what its value is, how does it add value to our strategic force and why is it so important to continue building it without further delay, i should stress? >> senator, each of theme nucle brings something unique to the mixture and the strength of the overall deterrent has always been in the sum of its parts. so as we look at this today, and

as we go to the future, the inherent survivability of the submarine based deterrent has been of great value to us. it continues to be of great value as we go forward at many levels, strategic stability is really built on survivability. the understanding that neither side possesses an overwhelming advantage to strike first, that even in the event of that kind of highly unlikely, the world is different today, and we understand that, but stability particularly in an unforeseen crisis as we look to the future, something that would arise that would put us in crisis with any of the nuclear contenders, having a survivable element of our strategic deterrent is extraordinarily valuable and we believe that that remains

valuable as we look to the future. you can get survivability a lot of ways. an airborne aircraft, pretty survivable platform. if it stands off or can penetrate or has stealth, there are lots of attributes there that get to survivability. but we have looked at our submarine force as providing the bulk of our survivable deterrent, in particular the day-to-day survivable deterrent. submarines that are at sea are survivable. the issue will be with ohio replacement is making sure it stays that way and making sure we can deploy a platform that has those attributes that is perhaps lower in cost to operate when it's fielded and we can guarantee as we look to the future, that it can stay a step ahead of any develop technologies that might threaten it. >> so you would say that the commitment of our military, our strategic planners, is undiluted when it comes to the ohio class replacement?

>> within the modernization efforts that we are undertaking in our strategic deterrent, this one and the long range strike bomber are both at the top of my list. by the way, we don't talk much about the need, but the need for a replacement tanker is equally important to strategic command and that's of course under way with the air force today as well. >> thank you. general alexander, i was struck by your testimony and extraordinarily insightful and helpful testimony about the wide ranging breadth of potential cyberthreats relating to industrial espionage and intellectual property theft as well as the potential infiltration of social media, and it reminded me of a separate and perhaps unrelated but

perhaps not aspect of problematic conduct involving social media that i have highlighted recently, which is the demands that employers have made for passwords, log-in information from prospective job applicants or from employees which enables them to invade the private communications, e-mails, g-chats, private accounts, of their employees and potentially people with whom their employees communicate, including potentially service men and women or loved ones or family or service men and women who are applying for jobs. i wonder if you could comment on the potential security threats apart from the invasions of privacy that may occur from the

demands for information from employees about their security accounts and also, what the needs are in terms of background checks on the part of your agency. >> i think there's, senator, this is a great question. i think first of all, asking for potential emoy and other things odd, from my perspective, to say the minimum. i think the issue that i see in here is a couple things. is one, how do you secure those so that somebody else doesn't gain access to all of them. one of the senators had a great comment about the theft of bank records and what was going on. i think senator hagan about what she's seeing, what microsoft and the authorities are doing, if you make that easier, i am concerned about that. i'm not sure about the foreign threats to this as i am to what that means to the future. i think cyberspace, we have some

tremendous capabilities in cyberspace. we as a nation. the ipad, iphone, and i think our people should be -- feel free to use those and know that they're going to be protected in using them, both their civil liberties and privacy, and as a country. i think we can do both. i think we should push for both. this is a new area and you can see, you're hitting right on some of the key parts, when you look at how the companies are wrestling with this, too. how do you provide maximum benefit without intruding. i think that's going to be an issue that we're going to wrestle with for several years. >> and when it strikes you as odd, i assume that odd -- >> very well-chosen word. >> may be a euphemism for strange o invasive, unacceptable. >> senator, i'm not completely up to speed on all of it. i did read it so i don't know all the facts that go with it. my initial reaction was this

doesn't seem right. that's what i meant by odd. but i don't have all the facts. >> thank you. thank you, general. thank you for your great work on this issue. i hope you will give thought as well and i may ask you a question in writing about it, regarding the potential uses of the national guard cyberunits and how they can better assist you and the cost effectiveness of building those programs through our national guard. >> we are working with the national guard and there are a number of those. i'll start right with the maryland national guard, the delaware national guard, go out to washington. there are some great ones. i'm sure connecticut, too. i don't want to miss that. but i do think this is an opportunity where the national guard has some technical expertise as civilians working in this area, especially when you look at the high tech area. so this is something that we can leverage and we are working on that. >> thank you very much. >> thank you, mr. chairman. >> thank you, senator blumenthal. senator collins? >> thank you, mr. chairman.

general alexander, i very much appreciate the attempts you've made today to clarify the roles of the department of defense versus the department of homeland security versus the fbi when it comes to dealing with cybersecurity. as the discussion today has indicated, i believe there is a lot of confusion over who does what and who should do what, and as you correctly said, this has to be a team approach, and d.o.d., dhs and the fbi have different but complementary roles so what i would like to do, since based on some of the questioning i heard today, i think there's still a little bit

of confusion, is just take you through a series of questions in the hopes of clarifying who does what. first, let me say, do you agree that our critical infrastructure today is not as secure as it should be? >> senator, i do. >> and second, and related to that, several studies and experts have told us on the homeland security committee that critical infrastructure operators are not taking in some cases even the most basic measures such as regularly installing patches or software updates or changing passwords from default settings, and those are pretty basic a