the exploiters took many of those certifications and underlying software, which makes it almost impossible to ensure that what you're certifying or what someone else is certifying is in fact correct. now rsa acted quickly, and is replacing all of the certificates and has done that in priority order for the defense department and others. but when you think about it, the ability to do it against a company like rsa is such a high order capability, rsa being one of best, that if they can do it against rsa, that makes most of the other companies vulnerable. >> well, we took some action on the counterfeiting area in our defense authorization bill to try to stop that type of theft, particularly, again, by the chinese when it came to the supply of parts for our weapons systems. we -- i think it would be

important for you to talk to vice president biden or his office so that you can see what steps were taken to inform the chinese of our position on this. and we've now got to find ways -- and i think you're the perfect person to be a spokesman for this -- to stop their theft of other kinds of intellectual property through the use of cyber. and i wonder if you could give us some examples of -- give us some options. i think senator mccain also made reference to this. what are the options for us in terms of action for them or anyone else who is stealing our information, our intellectual property to pay a price for this? >> well, i suppose using the rest of stratcom would be out, chairman. i think the first -- the first

thing that strikes my mind, and i want to be clear on this because the most important thing that we can do right now is make it more difficult for the chinese to do what they're doing. analogy i put on the table is, we have all of our money in our banks but the banks have the money out on tables in new york city at the park. and we're losing the money and we're wondering why, nobody's protecting or it's not well-protected. our intellectual property's not well-protected and we could do better protecting it. step one is take those steps to do that. i do think what the department is doing, you asked for authorities that would need legislation, i think those are in the legislation, and what the department is doing with the authorities we already have is maturing the standing rules of engagement that would allow us to stop some of these exploits as they're going on. i think those are some of the things we can do, stop them in

progress. as an example, we saw an adversary trying to take about lee three gigabytes from our contractors. the issue is now we had to work in human space to reach out to them to say they're trying to steal something from youyou' yo. you've got to stop it. there's got to be a better way to do that because that's like going at network speed, trying to send a regular mail letter to them that you're being attacked. so we've got to bring this up into the network age to get these responses out. so i would advocate, and i think the way we're going is, to, one, build our defense and, two, have options that would stop it. beyond that, i think the president and secretary need options that would take it to the next step. these are not options that we would take but these are options that we would propose the administration.

if they exceed certain limits, i think it is our responsibility jointly and with the co-coms to say, here are the actions you can now take to stop these acts and depending on the severity of the ax, here's what we propose be done. our job would be defend and protect and it some of the attacks analogous to the missiles coming in and give the administration options of what they could do to take it to the next step if they choose. those include cyber and other options that are available. i think the white house has put that forward in their cybersecurity thoughts. >> thank you. senator mccain? >> i want to thank the witnesses. i would ask general alexander, do you agree that secretary panetta and the fbi have said that cyberattacks may soon be the number one threats to the united states?

>> absolutely, senator. >> and would you agree that a major threat to our national security come from outside the united states? specifically, obviously, from unclassified information from china? >> absolutely. >> absolutely. so then what's the logic in providing the overall authority to the department of homeland security? anyone who has been through an airport, as i do regularly, as most of us do, have no confidence in the technological capabilities of the department of homeland security. in fact, as an example, nothing has changed as far as airport security is concerned since probably september 12th, 2011. so the major threat comes from overseas. what would be the logic, then in making the lead organization the department of homeland security? >> senator, i think the issue,

if i could, i want to break this out into three areas to make sure my responses -- >> make it brief. i have additional questions. >> yes, sir. i see three major things. we want dhs to take the lead on resilience and working with civilian agencies in critical infrastructure. we want d.o.d. to take the lead on defending the nation under cyberattack, fbi under law enforcement, and intelligence. and i think all three of us are need to work together as a joint team to move this forward. if we don't work as a team, then the nation suffers. so inside the united states, that's where i think dhs has the lead. they don't in terms of the foreign and the things coming in, that's where you'd want us to have the lead. >> how many people are under your command? >> in cybercommand, counting our service components, a little under 13,000. >> so we now have 13,000 in cybercommand recently formed up, so now we need other agencies. why shouldn't the responsibility

lay with -- lie with cybercommand? >> senator, i do think the responsibility for defending the nation against attack lies within cybercommand out. i think the lead for working with critical infrastructure and helping them defend and prepare their networks should lie with dhs. >> that's a curious logic, general. in fact, most curious. so really, all we formed up cybercommand for was to worry about external threats? is that what you're saying? >> i -- >> so if department of homeland security should take the lead of anything that happens in the united states from outside, but you are still there with your 13,000 people? >> not quite that way. senator, probably i'm not clear enough on this. in terms of dhs' role and responsibility it's working with critical infrastructure and other government agencies on

developing the standards in the protocols of how they build their networks and to be the public interface. i think that's the role that we want them to do, and their people go out and reach out with critical infrastructure and make sure those government system, adequately developed. if they're attacked, no matter where that comes from, now i think the president has options of what he can do. we are one of those sets of options and if chosen, we are prepared to do that. more importantly, where those people really come in is in our offensive capabilities. you asked that earlier. so the offensive capabilities would be to support the other combatant commands in their plans and capabilities. the bulk of our people -- >> so your job is to support other commands with their offensive capability? you know something, general, one of the conclusions of the 9/11 commission is there's too much stove piping in our intelligence community. you're describing stove piping

to me at its ultimate. >> well, that's not the intent. if i could go one point further, the bulk of our forces are folks that operate and defend the d.o.d. networks. that's where we are today. the bulk of them are operating and defending our networks. so you if -- so if you think about what the army, navy and air force do in operating and defending the networks, that's the first mission that u.s. cybercommand was given. we are developing the second parts of that. but i would point out when you say stove pipe, senator i do not agree with that because this is an integrated network. it is one network trying to work everything together. so it is just the opposite of a stove pipe. >> it's interesting that michael mcconnell, at george washington university, former director of national intelligence said current u.s. cyberdefenses are weak and the bills on capitol hill of insufficient. so obviously, the former director of national intelligence has a significant disagreement with your assessment.

so the -- according to a recent article in the wp "washington post," the white house blocked draft legislation that would have given nsa or any government entity the authority to monitor private sector networks for computer viruses are operate active defenses to block them. the nsa supported the authority but the white house did not according to administration official blocking of the draft caused some consternation because nsa wanted to get that authority. there are some who propose that nsa should be able to detect but not read the cyber attack information. do you agree or disagree with that? >> i disagree. i think the approach that we have put on the table is the appropriate one, which is we give that to industry, they can look at that and when they see that, tell us.

i think that's the first right step, senator. i think if we go too far it sends the wrong message. i think we can take this journey and learn as we go on it. >> so you believe that d.o.d., general cartwright said that -- stated the former vice president of the joint chiefs of staff said d.o.d. is spending 90% of its time playing defense against cyberattacks and 10% playing offense, and that department should invert the defense/offense ratio to signify that a cyberattack on the united states will have negative consequences. and your answer, as i understand it is, well, we'll act in some -- in some way or fashion. perhaps you can be a little more specific how we can regain, how can we can gain the offense here. >> i actually agree with this statements, and i'd like to characterize it in my words, if i could, senator,

in that more than 90% of our force was developed -- all of our force in cyber as we started was on the defense and operate. we didn't have an offensive capability. and so what we're looking at now is how to we grow that capability? if you think about what we have within our fleets, air wings and brigades is the operate and defend capabilities. the offensive capabilities primarily lies in the exploitation xpablts of s capaba and others. we're developing those. i agree we need to develop those more and faster, and we're working on that with the services and that's part of our growth plan. i think in terms of this, senator, i don't want to give you the impression that i don't believe we should defend the united states. i do. but i do think we can do that in a way that works with industry without having us in the middle of the network read. they share the information with us and i think that's the right, first step to take. >> according to industry does not need additional regulations. they need ability to share

information, which is our proposal, rather than additional new government regulation implemented by probably the most inefficient bureaucracy that i have ever encountered in my number of years here as a member of congress, the department of homeland security. wasted $887 million on a virtual fence on the arizona/mexico border, has made not a single technological advance as far as airport security is concerned to ease passengers' transit from one place to another, and has shown an incredible ability to illustrate inefficiency at its best. i thank you, mr. chairman. >> thank you, senator mccain. senator lieberman? >> thanks, mr. chairman. thanks to both of you. my friend from arizona. i have a disagreement. i want to come to the defense of the department of homeland security.

the fact is that we haven't had a major terrorist attack on the u.s. since 9/11 and you have to give the leadership, bipartisan, over two administrations, and the thousands of people who work at dhs, some credit for that. secondly, in terms of the stove piping, i think a better analogy here, and it's not a perfect one, it's to compare the relationship between the cia and the fbi to the relationship between cyber command, nsa and dhs. cia has authority outside of the united states of america. the fbi has authority -- this is -- speaking about terrorism, for instance or threats to the nation -- fbi has authority within the country. the problem before 9/11 is there weren't stove piped. they weren't cooperating enough. in the same way nsa cybercommand, as you said, has the responsibility to protect america. it's a jewel. it's a national treasurer from attack along with many other, cyberattack, along with many

other responsibilities that you have. dhs has a domestic responsibility, a preventive responsibility. and in that sense it's different unless expansive and fbi and the other case. the interesting thing that you've testified to, and i think senator mccain was, in hearing, is that you are building exactly the kind of cooperative relationship between nsa cybercommand, dhs, and the fbi that didn't exist before 9/11 and the fact is, senator mccain and i introduced an amendment to the national defense authorization act last december that codifies in law the working agreement between nsa and dhs. so i know -- incidentally, i would say this for the record -- i've talked to admiral mcconnell, a former dni, i've heard him speak in a public setting, he thinks both bills are not strong enough. but if you ask him, do you

prefer the cyber security act of 2012 which senator collins and i, or the security i.t., which my colleagues have put in, he couldn't be clearer. secure i.t. doesn't do it because it doesn't provide for defensive preparation by the private sector. look, i know private sector's lobbying against this. i think there's a terrible trap here. this is not just a question of regulation of business. this is a protection of our homeland. you've told us in response to senator mccain's question, general dempsey, secretary panetta, director muller, cyberattack is the main area of vulnerability we have today. shame on us if we look at this as business regulation. this is homeland security. and we have got to get together before too long and make this happen. i want to come to the particular difference between the two

bills. there are two critical things that have to be done here, in my opinion. there are many important things. one is an information sharing authorization section. the other is protection of most critical cyberinfrastructure, which is owned by the private sector, 90% of it financed, transportation, electricity, water, all of which is vulnerable to attack by the enemy. both bills have information sharing. the bill that senator colins and i have introduced as this provision for the department of homeland security to work with the private sector to require the most critical covered infrastructure, not every business, to take certain actions, to defend their network to defend our country.

general alexander, i believe i heard you say, i just want to have you confirm it that you believe we need both of those authorities in government, that is, information sharing and a system for protecting and better defending privately owned critical infrastructure, that is right? is that right? >> senator, that's correct. as you stated, that's the hard part, determining. how do you do that in a way not to burden industry? we have to set up some standards. i'm not sure that we -- we use the gold standard. >> right. >> the gold standard is one that we thought provided our networks the best defensive posture. we give that out free. we put it on the nsa.gov, here's a set of standards. i think, as we work with industry, the issue is how do you make sure they are as defensible as possible without being overburdened? overare burdensome? >> correct. >> i think we have to set that up. it's like roads, like cars. >> exactly. this is not regulation actually. these are standards for what we're going to ask them to do to

defend our country. and they're going to then figure out how to do it. incidentally, business is understandably worried about the bottom line. we've got to be worried about the security of the american people. incidentally, i take it that from what you said earlier, that the fear of a cyber attack against the united states, i mean, a major cyber attack, is not theoretical but real in your mind, general alexander? >> that's correct, senator. >> and it literally could happen any day. i'm not predicting that it will, but right now, our privately owned cyber space infrastructure as compared and distinguished from d.o.d.'s is vulnerable to attack. is that correct? >> that's correct, senator. in fact, if i could add, it is my opinion that every day the probability of an attack increases as more tools and capabilities are out on the network, on the internet.

>> right. it's very important for people to hear that. i want to relate the requirement on the most critical covered infrastructure to take some defensive action to your description, which i thought was excellent about what you mean when you say you want to see an enemy cyber attack coming. you've made very clear that you don't want nsa into our private cyber systems. but you need to have the private cyber systems be able to tell you when an enemy attack is coming, right? >> that's correct. >> so you can act. to me, that's probably the most significant gain that we will have from the department of homeland security and formed by you, setting these standards for defense for the privately owned cyberspace, which is, look, i hear so many stories about critical infrastructure operating systems, using

defensive systems that are 15 years old without even basic detection capabilities. i think one of most important things that's going to happen, as a result of the system we're talking about, is that the most critical infrastructure, not every business at home but the most critical infrastructure, will have to develop within itself or hire some of the private companies that do this, the defensive systems that will let them know, which a lot don't now, when they're being attacked immediately get to you so you can spring into action to essentially counterattack. is that correct? >> that's correct, and under what conditions is what the administration and the department is looking at on the rules of engagement. so when we actually do that, those will become rules of engagement that we're working on. >> let me just ask, finally, is your relationship under the memorandum that we codified into law with the department of homeland security working well, as far as you're concerned? >> it is.

it's growing. and i think the key thing, secretary napolitano is wonderful to work with. she came out to nsa and cyber command and had a chance to sit down with all of us. absolutely her heart is in right direction. she understands what we bring to the table. she leverages that, not only in the cyber mission but across the board, and i think we're making the correct strides. when you add fbi's tremendous technical capabilities in there, that's the team that the government wants and needs in place. you know, the reality is we can put all of our manpower internal, and it won't solve the problem. we have to work together as a team. i do believe that's the best way to approach it. >> sorry. >> i was going to say, to answer your question, dhs has been good to work with. they are growing their capabilities. it will take time. we provide a lot of assistance to that, and we think it's a good relationship. >> that's exactly what they tell me, good relationship and they're benefiting enormously

from your extraordinary expertise. thanks, general. thanks, mr. chairman? >> senator lieberman? >> could i add a comment? >> if you make it brief. >> it will be very brief. this is really about balanced responsibilities. when you look at balancing responsibilities between the military, the intelligence community, law enforcement, and the department of homeland security, if we weren't talking about cyber, we know how to do that, we understand what that balance looks like. we understand that when dhs needs military support, we have what we call defense support of civil authorities. we have ways we can provide support to them. the question is, what happens when you add cyberspace to this mixture, and that's the balance that we're trying to make sure that we are striking. i think that's an important point for us, as we go forward. the bottom line here is, all of us working to improve the protection of our nation and national security. the second point that i would make, quickly, is that there are three things we have to do here.

one is protect ourselves better, related to cyberspace, for the very reason that you mentioned. the second is we've got to become more resilient, recognizing we're not going to be perfect at protection or defense. we've got to be more resilient, particularly on the military side. lastly, we've got to do better at an offensive capability and balance that in a better fashion as we go forward. >> thank you senator lieberman. senator inhofe. >> thank you, mr. chairman. the first question i'm going to ask, i already know the answer, but i'm going to have to ask it just to get it in the record. in yesterday's "wall street journal," they talked about the president obama's meeting with russian president medvedev yesterday, monday, when president obama said, and i assume he said this without knowing that the mike was on, that this needs to be on the record, and i ask the record reflect this accurately, quote, on all these issues but particularly missile defense,

this -- this can be solved, but it's important for him, incoming russian president vladamir putin, to give me space. this is my last election. after my election, i have more flexibility, unquote. so the question is, do either one of you want to comment? i didn't think so. second thing that i'd like to mention is that general alexander, first of all, thank you for making the trip that you made out. just real briefly, kind of tell me what you found out during your visit to tulsa university. >> thank you, senator. first, there's two things. i am really impressed with the way the american people, especially in tulsa, have come together to help fund that university and the young folks that go there. and from my perspective, one of the key things, and i should have thought about this earlier, that tulsa information issing to is in the information assurance area, coming up with better ways to defend networks.

when you think that, that's what we're talking about on resilient side. what the young people do they find problems in networks. they showed us some in the system and others that if we now made some slight changes, i think those changes and upgrades in the security of those networks would make them more secure. so what i found was tremendous young people doing great things, some of whom we've hired, and we continue to hire from tulsa and other universities throughout the country that are doing programs like that in the information assurance area. so thank you, senator. >> thank you for going out. one of the things that we do have, that you probably witnessed, was the community support behind that program, behind the university. so anyway, it's a good program. general kehler, the -- just a

minute here -- back during the time that we're considering the bill a year ago, we were talking about the fact that president obama's weighing options for sharp new cuts in our nuclear arsenal unilaterally, and that was an agreement with russia to bring it down to the 1,550. i guess it was a month ago, it was reported, that president obama is weighing the options of sharp new cuts to our nuclear arsenal unilaterally, potentially up to, and these are the figures they used, 80% proposing three plans that could limit the number as low as 300. now, it was in '08, i always remember, and i carry this with me, secretary gates stated as long as others have nuclear weapons we must maintain some level of these weapons ourselves to deter potential adversaries and to reassure over two

dozen -- that's about 30, as i understand it -- allies and partners who rely on our nuclear umbrella for their security making it unnecessary for them to develop their own. now i would like to ask if you what kind of implications this would come up with in terms of our outlies, those 30 other countries that are defending our umbrella if we were to voluntarily bring it down 80%? >> sir, i make a couple of points. first thing i would say is, as i said earlier, we don't start with numbers. we have been starting with strategy, objectives, national security objectives, et cetera. the study that you referred to is still ongoing. there are no conclusions have been reached yet, and so it isn't appropriate for me to comment on the study. stratcom has been a full participant in the study, and i

believe that, as i said earlier, there are opportunities here for additional reductions. but that's -- >> unilateral reductions? >> well, sir, all along here, going all the way back to the nuclear posture review, i think the viewpoint has been that it's best to do this with russia. the russian and the u.s. arsenal still really drive this conversation. so doing this with russia is certainly the preferred way forward. i think that the need to continue to deter and assure allies remains. >> well. okay, the point i'm getting at is the key word is unilateral, and that's what concerns me. >> yes, sir. >> let me just real quickly cover a couple of other things here. this, general kehler, this was the triad that we -- i think it's about 2004, 2005 showing the cliff. you're somewhat familiar with that. now, i'm wondering if -- if we