
tv   [untitled]    March 27, 2012 11:30am-12:00pm EDT

11:30 am
vulnerabilities. would you agree with that assessment? >> i think those are basic vulnerabilities. i would say -- i would add to that we see that in a number of cases in other areas as well. >> in addition to just critical infrastructure. the reason i'm focused on critical infrastructure is obviously if there's an attack on critical infrastructure, the consequences are so much greater than if there's an attack on one particular business, even though that, too, can have significant economic consequences and cause many problems. so third, my third question is to try to better define the roles. would you agree that the department of homeland security has the lead role in interacting
11:31 am
with the owners and operators of critical infrastructure to get them to strengthen their protections, harden their defenses up front as opposed to when an attack occurs? >> i do agree with that, senator. >> and the distinction that i'm trying to make is once there is an attack, that has significant consequences, d.o.d. would become the lead agency just as you would if we were attacked by missiles. is that an accurate assessment? >> that's correct. and there is the confusion lies. it is the role of the department of homeland security under the current practice of this
11:32 am
administration and under the legislation that senator lieberman and i have authored to try to strengthen the defenses of our critical infrastructure, and in our legislation, and in a collaborative effort with industry which is absolutely critical that it be collaborative, the department with industry would develop risk-based performance standards. is that your understanding? >> that's my understanding, senator. >> and the reason for that is to ensure that the owners of critical infrastructure implement these risk-based performance standards but i would point out to my colleagues, this isn't some new bureaucracy as we've heard today. it would be a collaborative
11:33 am
effort and the owners and operators of the critical infrastructure would decide how to meet those standards. it would not be dictated by the department. is that your understanding? >> that's my understanding. senator, if i could, i think that's a key point because i think the concern that i hear that we all hear is just that key point. how do you do this in such a way that helps industry without i'll use the term overregulating and this is outside of my area of expertise, but how do you get them the standards and help them build a more resilient network, a more defensible network, if you will, that's the key to this. i do think that's the key issue that you're wrestling with, and i think that's where we can provide technical expertise to dhs and others, and i think that's where we've got to partner with industry and just as you said, i agree with the way that you've stated it. i think that is extremely
11:34 am
important, that bringing the industry folks together to help decide is what i get because they want to be a player in this, because you know, from their perspective, this is important as well. >> and in fact, we need the expertise of industry, of nsa, of dhs, of everybody working together, the results of the investigations from the fbi, because this is a huge problem, and it has consequences for our national security and our economic prosperity, and it is so critical that we work together to solve this problem, and i know that is what you're committing to doing and that's what you are doing. that is the one final point that i want to make today. nsa is already working with dhs,
11:35 am
for example, at the what's called the nccic, the 24 hour, seven day a week entity that has been set up. there's an exchange of personnel between dhs and nsa, is there not? >> there is. >> and under the bill that senator lieberman and i have introduced to try to get that essential visibility that you've emphasized is so important. we would require mandatory reporting in the event of an attack because this can't be discretionary if, in fact, there is a significant attack on critical infrastructure and critical infrastructure is defined as infrastructure, an attack upon which would cause
11:36 am
mass casualties, a severe economic impact or a serious degradation of our national security. so do you support requiring that mandatory reporting in such cases? >> i do, senator, and i think i would add as we discussed earlier that in order for us to help prevent it, it has to be in realtime. i think that's absolutely vital to the defense. >> and the reporting and information sharing under our bill is bidirectional as has become the latest phrase to be used in this. in other words, it's in both directions. even nsa, the capabilities of which are unparalleled, can learn from the private sector. i think you learned that in the dib study where there were some signatures that the private
11:37 am
sector had that nsa may not have had. is that accurate? >> that's accurate, and logical when you think about it. adversaries will do different things for different sectors of the government, will use different tools for different sectors of the government. that's one of the great things that we learned on it and how we've got to go forward on the defense industrial based pilot. >> thank you very much. thank you, mr. chairman. >> thank you, senator collins. senator udall? >> thank you, mr. chairman. good morning, gentlemen. thank you for being here. general alexander, let me turn to you first. i've been concerned as we all have for some years about the potential of cyberattacks on our electricity grid here in the united states and the potential effects that such attacks would have on critical missions, especially during an emergency or during periods of prolonged power outages. given the uptick of tensions in the persian gulf and the presence of our military in the region, i'm interested to know
11:38 am
about our potential vulnerabilities of our own military to cyberattacks in the gulf on that electrical infrastructure that our military depends on, and i'm thinking about this from the perspective of the u.s. military's reliance on fuel in the region, fuel that can't be produced without the electricity that runs oil extraction wells and refineries and that powers pumps for offloading fuel for storage and use. do we have an assessment of how dependent u.s. military in the gulf is on electricity infrastructure? do we have a backup plan if there were to be a prolonged grid outage and do we understand the constitution and vulnerability of the electricity grid in the persian gulf well enough to measure the effect on the oil production transportation system, especially but not limited to the oil refineries there? thank you for letting me direct that trio of questions at you. >> senator, i thought you were going to ask me if i got the new
11:39 am
ipad. i thought that's how we were going to start this out. so i did. i got the new ipad. it's wonderful. >> we're envious. >> that's a really good and complex question so let me expand it, if i could, not to make it harder, but so the underlying grids that are in the gulf states and other parts of the region, the military normally will have backup power for military operations, generator power and other things to operate all critical capabilities. so both from our computer networks and our operations, we have backup power for critical infrastructure. that is not the same for the flow of oil and electricity per se throughout the region. and i think the concern that we have, the concern that i think everyone shares here, is what you were driving at. note that this is one network, one global network with a lot of little pieces but all interconnected so you can be anywhere on the network.
11:40 am
my concern is not only in the gulf but here in the united states. so as we go forward in a crisis, no matter where it erupts, is that increasingly, the probability that cyber will be part of that crisis grows. we've got to be prepared for it. it will cover all the things that you mentioned, because those are the easier things to attack, and have some significant advantage for the adversary. >> so you're saying we've got more work to do here to understand the potential threat and to prepare for it. >> we do. and senator, i think we're looking at it both from how do we defend the d.o.d. networks, great progress there, with senator collins, we just talked about defending the critical infrastructure and support to our allies. i think all of those have to come -- have to be laid out and discussed. and it's growing. >> also, what i was saying, i think you agreed with, was the flow of oil on which the world's economy depends could also be
11:41 am
affected by something in this realm of cyberattacks, and we need to be prepared for that in addition. >> it could be, yes. i would not put that highest on the list. i would think the electricity and other. but you can see where it all depends on flow and things opening up. >> so systems in that part of the world are vulnerable and we're also dependent on them, the far reach of the u.s. or europe or the asian oil markets as well. thank you for that. obviously more attention needs to be paid to that. let me move to a question dealing with the computer network exploitation versus computer network attack. how do you exactly draw the line between those two and how does the government change legal authorities funding personnel and infrastructure when moving from cne to cna? >> cne, computer network exploitation, is largely done under title 50.
11:42 am
i say largely, not solely, but largely done under title 50. so that would go to the intelligence community and fall under the executive order 12333. while title 10 is normally where we would conduct computer network attack, you could also do it under covert action, and in times of crisis and war, our forward operating elements would operate computer network attack and exploit under title 10, and it would be done in conjunction with title 50. so the deconfliction would have to do. the good part about training our forces together and operating together is to be sure we deconflict those type of things and it flows back to the defense. same thing on the defense. i think that's why the good part about putting the defense operate with the exploit and attack puts it as one team, not two different teams which is what we largely had up until
11:43 am
2008. >> so you sound as if we're well prepared to deal with those differences. >> no. i think we're well prepared to state how, senator, we would deal with those. i think there's a lot that we have to do. that begins with grow the force and training. that's the most important thing i think we can do right now. i think the partnership with industry is critical, on learning and protecting critical infrastructure. i think those are the right steps to make. i think all of these are in motion. i'd just like to go faster. >> have we taken -- have we conducted, i say we, the united states government, your command, exercises to get at this cna, cne handoff if you will in relation to what just outlined? >> we did have a great exercise out in las vegas, outside las vegas. we actually never got to las vegas. let the record state that. >> ipad would have been handy in las vegas, by the way. >> i think what we did learn is
11:44 am
just some of the things you say. i can't go into all of that here. it was a tremendous exercise and i'll give air force credit for helping to set it up there. they did a wonderful job and we brought in all of our capabilities and our components, and some tremendous lessons learned. i think at a classified level, we could go into those and when you see that, you would say okay, so you're headed in the right direction and i think, senator, we are. >> i assume i will see you in a classified setting at some point in the near future and we can discuss this further. >> i think this afternoon, senator. >> yes. my time's about to expire. long term, you may want to take part of this for the record, how do you see the relationship between the nsa and cybercom evolving and changing? >> i think, senator, they are inextricably linked. i would put it as a platform. you do not want any more than we want dhs to recreate an nsa, we don't want cybercommand to recreate an nsa so we need these two components of d.o.d. to work
11:45 am
closely together. nsa's got the technical talent, got the access, got the capability. cybercommand will have the forces to deploy and the capability to leverage that platform and work with the intelligence side of nsa to further support the combat and command. so i think that relationship is growing, is headed in the right direction. i think that's one of the things that we have talked about and we both strongly agree is something that we've got to maintain. >> thank you for that. general kehler, i know my time's up. if you want to reply further for the record, i would certainly appreciate it. thank you for your service as well. >> thank you, mr. chairman. >> thank you, senator udall. senator chambliss? >> thanks, mr. chairman. gentlemen, thank you for your service. general alexander, i thank you particularly for your recent trip down to fort gordon, where you gave a pat on the back and a morale boost to some of the smartest, hardest working, most
11:46 am
committed americans who are doing a great job of helping protect our great country and i thank you for doing that at nsa fort gordon. general alexander, cybercom, you said, had 13,000 employees. let me make sure i get this right in my mind. it's actually, you have 13,000 personnel under your direction. cybercom itself has, what, maybe 1,000 or so personnel? >> little under 1,000 authorized, about 900 some. that does not only cybercommand staff but also operates and directs the defense of the d.o.d. networks. but that's correct. what i counted in that other 12,000 is our cyber, army cybercommand, air force cybercommand. >> various forces. >> that's right. >> okay. i want to make sure i understood that.
11:47 am
nsa today does a pretty good job of intercepting and protecting the dot-gov, dot-mil networks. in fact, i heard you say you have the d.o.d. information systems are probed as many as a thousand times an hour, over six million times a day from criminals, terrorist organizations, including 100 foreign intelligence organizations, and even with that huge magnitude of hacks into the system, general, nsa has done a remarkable job of protecting that system. are you satisfied with where you are in that regard today? >> actually, i'm going to answer this twice and contradict myself. we're making progress and i think we're doing a good job on it but we're not where we need to be, senator. and there's two reasons i say that. i do think we have the best
11:48 am
defense right there, but it could be better and i think for the future for military command and control, it must be better. so i think the i.t. modernization that the defense department is looking at is a key part to even make it better. >> and the legislation that we are talking about whether sttio lieberman/collins, one and the same, or the alternative legislation, neither one of those really address that issue. this is work that you're doing protecting dot-gov and dot-mil, right? >> that is correct in part. if i could say the slight difference is the information sharing of those things that we do to protect our networks that go beyond what you would normally do for a civilian network are the things that we should be -- think should be included in the information sharing parts that both of those have. >> okay. i'll get to information sharing in just a minute. now, going one step further
11:49 am
there, nsa also monitors the defense industrial base and there have been numerous attempts and it may be within those numbers that i've heard you use before, hacks into the defense industrial base have happened and nsa does a good job of protecting those -- those scenarios where that has happened, you've been notified and you're able to respond to it. am i correct? >> not quite. there's a little -- an innuendo here that i think is extremely important. the internet service providers operate that. we provide them signatures, as do the other industry players and the internet service providers actually do the work. the reason that that's important is that i believe that's how we can scale in protecting other critical infrastructure in the mechanisms that homeland security and others are working with so the key part, what we
11:50 am
bring to the table and what fbi and others would bring is specific things that we see going on in the network that may be sensitive or classified. so we bring that, but they actually operate it. we -- the part that we're able to work with the dib is to understand that they will protect and safeguard classified information. that's a key element of this approach. >> okay. my point being that, your relationship with the internet providers today allows that, the defense industrial base to have that protection. >> that's correct, and now it's been taken over by dhs. so they actually lead. they're the lead interface for the -- the now they've been doing it six weeks. we're at the table and provide technical support but they're actually the lead on that as well. >> okay. looking at another, what i would assume you consider critical infrastructure, our electric grid. if the electric grid is hacked
11:51 am
into today there is a mechanism in place developed by industry where if they see something unusual, then they notify nerc and they immediately go to u.s. cert and notifies them about it. homeland security and they're able to provide protection to the grid under voluntary standards that industry put forth. am i correct? >> yes, but i think, senator, that's slightly different, if i could. because in those notifications you've gone out in realtime to now a, a part where actually we're in the forensics mode. they're telling you something occurred and by the time it gets to you, a cert. what u.s. cert could do not prevent it only help them understand it. >> okay. >> so i think the information sharing part of what you and others have proposed would take that to a more realtime capability or at least allow that where they could say, i see
11:52 am
x happening and the industry could tell the government that that is occurring so you could take it from the forensic side to the prevention side, which is, i believe, hugely important for the protection of the country. >> okay. and now coming back to what you just alluded to, and stated earlier that is on information sharing. this is really the key, as i understand it, from the standpoint of being able to provide blanket protection to virtually every segment of the economy and every industry that wants the protection out there that needs the protection. if they have the capability of sharing proprietary information with both the government as well as with other industries, like industries, then isn't that the crux of what it's going to take to be able to protect all of the industrial base from a cyber attack in the short run as well as in the long run? >> not -- not actually.
11:53 am
from my perspective, senator, the issue in this part really lies in two great capabilities. the one that we provide, i agree they want that -- they want to know what are the sensitive things that could attack them. industry brings together the symantecs and the mcafees, bring a wealth of knowledge to operate your network. it's our assumption they would operate to a standard. if not operated to a standard what happens is, you have other ways of getting into the internet we are probably not looking at. we assume that the doors are locked. if they were not, somebody would get in. or if the window was open. we would be looking for other types of nation states threats and assume what i'll call the
11:54 am
stuff the anti-virus community generally sees and is working on today is taken care of. what that means, as you put all that on the table we all have to work together and share the information. we have to have some set of standards. that's where working with the industries, just as you said, how do you get to that standard and how do you have the industry players work with the government and say, so what's the right way to approach it? as you may know, we had a meeting a few years ago with a number of the electric companies who asked just that question. how do we do this and who's going to tell us how to work it? that's the approach we have to take. help them get there in a way that's not burdensome but helpful. >> well, i think that part of both pieces of legislation is about the same with respect to getting voluntary participation versus mandatory. that's a little bit different, but the fact of getting the industry to set the standards is the key in getting the industry
11:55 am
to share the information, the other piece of that that both legislation, piece of legislation is a critical part of it. my time is up. i wanted to say i didn't vote for the s.t.a.r.t. treaty. one reason i didn't i was apprehensive about the administration not being able to do what they said they would do on modernization. i thank you for your specific comment on that, that, about the fact that you're concerned about it, and that is a critical aspect of this that we look forward to working with you as we go forward. it's got to be done. thank you. >> thanks, mr. chairman. >> senator. >> thank you, senator chambliss. senator sessions. >> thank you, senator, chambliss, for that comment, and general great to be with you yesterday and talk about some of the issues that you just mentioned, because the understanding that senator kyl
11:56 am
had, senator chambliss, about the start and what kind of funding would be laid out for the next decade to modernize our nuclear weapons has not been funded. and the numbers, senator kyl, is deeply disappointed about that, and -- mr. chairman, i am troubled today about this little overheard conversation between the president and mr. medvedev where president obama said, of all of these things overheard conversations but particular missile defense, this can be solved but it's important for him to give me space and medvedev said, i understand. i understand your message about space, space for you. this is my last election. after my election i'll have more flexibility.
11:57 am
understand i'll transmit this information to vladimir. this is not a little matter. i'll tell you why it's not a little matter. we had a long debate over the missile defense. the left has never favored missile defense. president bush was preparing to place a system in poland out of the blue it was cancelled. the poles were disappointed, so were the czechs, and told, don't worry about it. we'll have another system. i thought they were changing the course of things and we were going to have that, something that was not even on the drawing board then but we were about to implant in poland a system which we've proven. the dmg system that we'd already placed in the united states. so i guess what i say to me, the
11:58 am
president, makes his assurances. we're going to implant a new system, albeit an sm-3 system to protect america, sure we cancel that one, but we're going to build this new one. but the russians object to the new one. they've objected steadfastly for no good reason that i can see, other than maybe domestic russian politics, or used leverage against the united states. and so now it looks like the president's saying, we're going to take care of those concerns, too. we're not going to build the new system. not going to place it there, because -- and now you have, after the election i'll take care of it, vladimir. but that's not what he told us the american people. what he told congress. he told the congress we were going to build this system. so i'm worried about it. i can read -- i know what the significance of this little conversation, and it concerns me. now, i'm also concerned that the policy of the defense department
11:59 am
of the united states, when it comes to the nuclear weapons you control, general kehler is that we are moving to a world without nuclear weapons. a complete elimination of them. the defense posture nuclear review. the defense department's nuclear posture review has 30 references to a world without nuclear weapons in it. this was directly driven by the policy of the president. he's the commander in chief. that's what he wanted. that's what the defense department put in there, and so that's one reason congress insisted that we budget sufficient money to modernize the aging nuclear weapons. that we have. we insisted on that. it came up as a part of the new s.t.a.r.t. debate. the president submitted, sent a letter to us and promised it. but it's not occurring. the money's not there. so we're at a time of great
