i want to give all of you a broad question and give you plenty of time to answer it. being we're out here in the public for everyone to see, i think it's a great time to not only discuss, you know, what each of your agencies do but also talk about maybe the number one, two, and three, maybe not in any particular order, particular to your agency, what you see as the greatest threats, biggest concerns, and the issues that you all are working on in each of your individual agencies. we'll start with you, director clapper. >> well, sir, my standpoint, obviously i'm trying to overwatch the entire enterprise of u.s. intelligence. as i have said every year that i testified for five years in this job that in my 50-plus years in

the intelligence business, i don't recall a time when we've been beset by a greater variety of challenges and crises around the world, both regionally and functionally. and so the challenge for me is attending to, addressing this wide diversity of threats. in the face of -- and i have to bring this up -- a very uncertain budgeting environment, now approaching our fourth or fifth year of uncertainty about the size and shape of our budget, which poses challenges for us programmatically, certainly with respect to systems acquisition, and the uncertainty it creates in the work force. i'll stop there with that general overview and turn first

to john brennan. >> thank you. thank you, mr. chairman and members of the committee for the opportunity to talk to you today about this very important issue. three top priorities for me thinking about cyber. one is since cia has responsibility to make sure we have a good grasp of what the plans, intentions, and capabilities are of our adversaries around the world, making sure that we have the insights and intelligence that will give us better sense of what may be coming at us. so that's part of our mission, but given that this is a very dynamic environment in terms of what the various tools and capabilities that various actors have, we need to make sure that we're on the top of our game in order to make sure we inform our policymakers, legislators, and others. two, want to make sure our systems are going to be as secure as they can be so that we can fulfill our responsibilities to share information as we need to, make sure people who are going to be able to operate and act on the information that we're able to get, both inside of the cia and outside, that we

can do that securely and reliably. so we have initiated a number of actions within the agency to make sure that in light of some recent experiences. that we are in some respects doubling down on the security in that regard, and i rely very heavily on my colleagues here on that front. and third, since cia is supposed to be operating securely, clandestinely and covertly globally, we need to make sure that we have a full appreciation of what that digital domain, that cyber environment, has in terms of both challenges and opportunities, which is one of the reasons why we in cia have set up a new director on digital innovation to we're able to bring together the expertise and develop the capabilities that we need in order to carry out our missions so that we know what we are dealing with when we try to fulfill our responsibilities around the world in an increasingly digitized environment and the various

digital dust we all pick up every day in our lives. we need to be mindful of how that is going to impact our intelligence activities and operations. >> mike. >> from an nsa perspective, first in terms of what our mission and responsibilities are, we use our foreign intelligence mission to generate insights as to what cyber actors, nation states, groups, individuals are doing in the cyber arena with a view towards ensuring we have insights as to their efforts against the united states, our allies, and their interests. also, importantly from an nsa perspective in our information assurance role, we're responsible for developing cryptographic standards within the department of defense. we also partner with others within the dod to generate the technical standards to help ensure the security of all of our classified systems within the department. and then we apply our information assurance expertise more broadly partnering with the fbi and dhs, both to support more broadly within the federal government and also within the private sector.

those are our roles. in terms of what concerns me, priority number one clearly is ensuring the defense of our own networks to ensure execution of our operations in a secure manner. also, ensuring -- helping to partner with others to ensure the defense of the dod and more broadly the dot-gov domains. when i look at it from a threat perspective, i would argue three things, really, as i focus in on the future. efforts aimed against u.s. critical infrastructure. the second item to me is are we going to see a shift in a trend from not just outright theft of information but are we going to start to see a focus on manipulation or changing of data once someone is able to gain access to a system so we start to question the validity of what we all are particularly looking at. and then finally, in the counterterrorism arena, do we start to see groups start to

view the web as a weapon system and not just a way to dispense ideology, recruit, raise money to decide they want to take it to another level and we clearly already see very open and public conversations about that now. >> director comey. >> thank you, mr. chairman, for having me here today. the fbi's mission is in the united states to detect and respond to all the threats that come at us through the internet, through cyberspace, which is increasingly every threat we're responsible for, whether that's counterterrorism, counterintelligence, or all the many criminal threats we focus on. at the top of our threat stack when it comes to cyber is our nation-state actors. both their intelligence activities in the united states and their theft activities in the united states to steal our innovation, our ideas, our energy. in responding to that, my primary concerns are making sure we have the folks, we have the equipment they need, and we have the deployment that makes sense to respond to that threat. >> general stewart.

>> in dia, our primary responsibility is to understand the military capabilities of our adversary. so in this space, we're particularly interested in how the adversary uses the digital environment to command and control forces, conduct isr so that we can counter his capabilities in this space. so we're focused not just in the non-kinetic capabilities that we can bring against an adversary, isr capabilities, but also the kinetics. so we're looking at this from a broad spectrum. either how we drop bombs to destroy or defeat that capability, or how we can be disruptive in that capability. we provide that through all sorts of analysis based on products and support that we get from our partners here at this table. two concerns for us, how well we defend our networks. we're spending a good bit of time looking at the construct of our architecture so we can defend not just the network but the data within that network.

then the second area of concern is whether or not i have enough resources and expertise to do the first part of our charge in this space, understanding our adversaries c4 isr capabilities. we have to move some resources around. given the totality of things we have to look at, the threat landscape, this is an area where we need to do some additional investments. >> i thank you, all, for being here. at this time, i'll yield to the ranking member for the purpose of questioning. >> thank you, mr. chairman. thank you, gentlemen. i have two questions, one dealing with the encryption issue and the other dealing with our response to cyber attacks and intrusions. on the encryption issue, there are several issues. there's the technological question of can we or can silicon valley design a technological solution. there's a desirability question, even if they could, is it

desirable? do we gain more from having encrypted communications immune from cyber hacking than we lose in law enforcement and ic's ability to get the content an communications? so what's the desirability of a solution if we could achieve it technologically. then there's the economic argument. these companies have to compete overseas. there are others that are offering an encrypted platform that people migrate to. so what do we achieve apart from harming our economic interests by insisting on a key. so i wonder if you could address those arguments that we hear from industry about this. how do you evaluate it? and on the technological issue, 20 years ago the national academy of sciences did an analysis of a related encryption issue and the clipper chip and came up with a neutral and thoughtful analysis. would it be worthwhile to have

them take a look at this question? is there somewhere we can go for an objective answer to the technological question that is held distinct from the economic interests at stake? is it worthwhile pursuing that kind of neutral analysis? so i'd be interested in your comments on the technological feasibility, desirability, and economic implications of the encryption debate. and then on the cyber front, it seems to me that there are two very different kinds of cyber issues we're confronting. there are the cyber attacks -- well, actually, i guess three. there's cyber attacks like sony meant to do damage, cyber threats to our infrastructure would be in that category. there are cyber thefts, so economic espionage for the

purpose of benefitting foreign corporations. then there are foreign intelligence gathering efforts. it seems to me that for many of our adversaries in this realm, like the chinese, there's an advantage to blurring the distinctions between these. if they can blur the distinction between economic theft and foreign intelligence gathering, then they can justify anything they do. and seems to me it's in our interest to draw clear lines between foreign intelligence gathering and economic theft. and yet, when i hear the discussion, sometimes involving opm and sometimes involving other things, i hear us in the ic blurring those lines. so i wish you could address that. shouldn't we make clear what the rules of the road are, that we don't engage in economic espionage and we want to insist

that others also don't engage in that kind of theft? and think about whether there are any rules of the road in terms of foreign intelligence gathering, but keep though questions distinct. if you could comment on those two issues. >> i think i'll turn for those two questions to two of our panel, and i'll start with director comey, then admiral rogers. >> i'll offer reaction on the encryption question. thank you, mr. schiff. first of all, i very much appreciate the feedback from the companies we've been trying to engage in dialogue with companies because this is not a problem that's going to be solved by the government alone. it's going to require industry, academia, associations of all kinds, and the government. i hope we can start from a place we all agree is a problem and that we share the same values around that problem. when i hear people talk about the crypto wars, it throws me because wars are fought between people with different values. i think we all share the same values here. we all care about safety and security on the internet. i'm a big fan of strong encryption. we all care about public safety.

the problem we have here is those are in tension in a whole lot of our work increasingly in counterterrorism and counterintelligence work, and given that we care about the same things, i hope we can agree we ought to come together to solve that problem. i've heard from a lot of folks it's too hard, and my reaction to that is, really? have we really tried? have we really tried? when i look at industry today, i see companies -- i'm not going to name them here -- but major internet service provider who are able to comply with court orders because they strongly encrypt. they can read our e-mails and send us ads. i've never heard anyone say they're fatally flawed from a security perspective. i don't think we've really tried. i also don't think there's an it to the solution. i would imagine there might be many, many solutions depending upon whether you're an enormous company in this business or a tiny company in that business.

i think we haven't given it the shot it deserves, which is why i welcome the dialogue. we're having some very healthy discussions. >> and with respect to the second part of your question, sir, i mean, i think you've correctly characterized there is no one size fits all to describe the spectrum of activity we see out there. i think that's one reason why you see response to different events are not always the same. we try to look at each event in its own context. sony clearly, for example, in the first category as you've suggested an offensive act designed to create damage versus much activity we see, which is clearly designed nation states attempting to gain economic advantage, whether that's for competitive purposes or attempting to steal insights that they can in turn generate and use themselves to develop capabilities that are of interest to them. the theft of information -- i think it's one reason why to date we've tried to be somewhat nuanced, if you will, in how we,

as a government, have responded. it goes to some of your opening statements about the long-term end state we have to get to of this idea of acceptable norms and behaviors. and what is within reason and what is not within reason. we clearly understand nation states use the spectrum of capabilities they have to attempt to generate insights in the world around them. but that does not mean that the use of cyber for manipulative, destructive purposes is acceptable. that does not mean the use of cyber for the extraction of massive amounts of personally identifiable information is acceptable. we're going to have to work our way through how do we develop all that in a much more refined way than we have to date. >> i have to say, sir, that, of course, many of these issues that you raise are significant and also policy issues. not really the realm of the group of people sitting here. we can try to speak to them, but i do feel compelled to make that point.

on your concern about conflating or not distinguishing between cyber threats for economic purposes or for foreign intelligence, you're quite right. it's not that we don't make that distinction, but the adversaries, notably the chinese, do not. they don't see a difference at all in the ultimate purpose for which they extract data from us. so i just want to, you know, kind of make that distinction. i also -- and this is a personal view with respect to that which is conducted for espionage purposes, i just would caution we think in -- the old song about people who live in glass houses. we should think before we throw rocks. so these are very, as you correctly and appropriately

allude, very complex policy issues. >> if i could just drill down once more on both very narrowly. on the latter issue, are there any rules in the road when it comes to foreign intelligence gathering? or is it even futile to try to develop them? because if a nation decides it's in their national security interest, they're going to do what they're going to do. or should we try to establish some rules of the road for foreign intelligence gathering? and on the first point, if director comey, you could just give your thoughts on what you make of the economic arguments that other companies are going to do this. there's an advantage to having healthy american companies in this area, both from an economic and national security point of view. aren't we at risk of losing that? >> jim, go ahead. >> i think it's a reasonable concern.

i have two reactions to it. first, i think it's incumbent upon us as a country to decide how do we want to govern ourselves and our affairs. what's the right thing for america. there are lots of costs that come with being an american business. you're not allowed to employ children. you can't pollute the environment. we impose all kinds of rules on people that other countries don't, which is a disadvantage to our companies. we've decided we want to be a certain way. i think we ought to start there. but look, i'm not blind to the fact they have to compete in the international marketplace with other countries that share our values. so i got to imagine an important part of this is going to be an international set of norms where countries that care about those same things, safety on the internet and public safety, come together and establish this is how we will act. for example, i could imagine us saying, if there is a neutral and detached magistrate that's found a basis under the law for this information, then it can be obtained and the company must find a way to provide it. that's the way the rule of law

that governs our allies around the world is, and i think that would be an important part of any agreement that resolves this. and i hear from our allies all the time, the french want the same thing, the germans, the british. i think that's something that could be done. >> so i'll just comment that on the rules of the road issue that i think it's fair to say the united states has more rules governing the conduct of foreign intelligence than any other nation on the planet. exemplified by pbd-28, which of course governs particularly the conduct of signal intelligence in this country and to some extent extends civilian privacy productions to foreign citizens. i don't believe any other country does that. so we do have an elaborate set of governance tenants that influence the conduct of

intelligence in general and signal intelligence specifically. don't see too many other partners that would similarly align with with us. >> thank you, mr. chairman. >> if i may, admiral rogers. i think you wanted to add. >> the only other comment i would make is in many other areas, we have been able over time to develop a set of norms about a sense of what is acceptable and what is not acceptable. i think over time we'll do the same thing in this environment, but we clearly are not there yet. i would just reinforce the dni's comment about there are very specific things that i find foreign intelligence organizations doing in the cyber domain that quite frankly are illegal for us. we cannot do. it's a very different set of rules out there in many ways, between us and the activities i see others engage in. >> gentlemen yields back. yield five minutes to the gentleman from georgia. >> thank you, chairman.

we passed a good cyber bill, i think, out of the house that allowed businesses to share information without the liability question. as adam mentioned, you know, we hear about a tax and we hear about intrusions. when does playing defense become offense? in other words, if some of these companies have picked out a marker, we have determined where it is coming from. do we continually play defense with that or try to come up with a better defense, or is some action that we might take going to be considered offensive to whether it's a nation state or, you know, another company or whatever? where is that line at?

>> so for us particularly in the dod side, i'm pretty comfortable that we've got a fairly well understood characterization of what is defensive in nature in terms of actions and response. the bigger challenge in some ways is there is still uncertainty about how would you characterize what is offensive and what is authorized. again, that boils down ultimately to a policy decision. to date we have tended to do that on case-by-case basis. in terms of your fundamental premise, i think, importantly, and a comment i certainly make when i'm part of discussions, a purely reactive defensive strategy is not ultimately going to change the dynamic where we are now and the dynamic we find ourselves in now i don't think is acceptable to anyone. >> when you say it's a policy issue, are we talking about a policy issue that comes out of the white house?

>> so the application of cyber in offensive way is an application of force. the application of force under the law of armed conflict in the broader policy construct we use as nations, once you move beyond self-defense, is a decision that is made at a broad policy level. it's no something that i as the director of nsa or cyber command unilaterally decide. it's not the framework. not unique to the cyber world. it's the same fundamental construct we use for the application of force in the kinetic world within the department of defense and more broadly in other areas. >> so how is that sifted out? i mean, who makes that determination? >> so it depends on a case-by-case basis, but clearly the secretary of defense is granted some authorities. the president retains some authorities at his level, and that's all part of the process that we work through and we deal with each individual event on

the merits of its own. >> well, you understand that when the public hears the word "attack," it gives off a little different meaning than if we say intrusion. >> right. which is one reason i think you also raise an important point. terminology and lexicon is very important in this space. and many times i'll hear people throw out attack, act of war, and i go, that's not necessarily in every case how i would characterize the activity that i see. >> so it is a good distinction to make in just using the opm breach as a case in point, though it's been characterized by some loosely as an attack, it really wasn't since it was entirely passive, and it didn't result in destruction or any of those kinds of effects.

so that -- the distinction you point out, and thank you for doing that, is quite important. and as admiral rogers says, the lexicon, the terminology, is crucial. >> if a company or they discover that they're being attacked by a certain entity or whatever and they use a means to stop that attack, in other words, they can figure out how to stop that attack, do they do -- can they do that offensively, i guess? and what would differentiate between an offensive move and a defensive move? >> first of all, there's a clear line in the united states, it would be a crime for any private actor to engage in an offensive cyber operation, to penetrate without permission the computer system of another. that's a statute that this congress has passed. so that's a clear line. i think it also makes good sense to those of us in the intelligence community that we don't want self-help because of the nature of the cyberspace is that there are unforeseen

consequences that are -- could be dramatic and unforeseen. >> i think getting back to the definition -- i think that's what we're looking for is a definition of what is offensive and what's defensive. but thank you very much. and i yield back. >> the gentleman yields back. the gentle lady from alabama, ms. sewell. >> thank you, mr. chairman. i want to thank all of you gentlemen for your service to this nation, for all of the important work that you're doing in your various agencies. i wanted to drill a little bit deeper into the question that congressman westmoreland raised. director clapper, you suggested that the opm information that was stolen wasn't used for any nefarious activities to our knowledge right now. i wanted to know what your thoughts were about how the information that was stolen from opm or from anthem is being used by these cyber actors. >> well, what we've done is

speculate how it could be used. and again, the distinction i was just making with congressman westmoreland had to do with the terminology of saying that the opm breach was an attack. and i don't, again, getting back to the definition, we wouldn't characterize it that way. what's of great concern with respect to the opm breach which i spoke to briefly in my opening statement had to do with potential uses of that data. and, of course, we're looking. thus far we haven't seen any evidence of their usage of that data. certainly, we're going to be looking for it. but it's of great concern to the employees who are potentially affected as well as their families and coworkers in terms of how it could be used in a very damaging way. not only institutionally in terms of particularly for intelligence people, but in

general, how this could be used to inflict financial damage, for example. >> how does the various agencies work in a coordinated effort with respect to cyber attacks? can you talk a little bit about how the -- >> if you're talking about the intelligence agencies? >> yes. >> well, we are very, very mindful of that, obviously. i mean, this is a case where we probably need to set the highest standard and example. and so, i know in my own place, i have a very intensive effort on securing and ensuring that our networks, in my own headquarters, are secure. and i know my colleagues are doing the same. let me ask admiral rogers to comment, as well. >> and i think jim comey may have a perspective, as well. i think first question is which is the domain that is receiving this intrusion? is it within the dot mill, the dot gov, is it in the dot com,

dot edu, in the -- >> isn't it a coordinated effort? >> it is. >> i know it may start in one particular agency which has jurisdictions, but i would assume that it's coordinated across all of our system? >> it is, but my point is the coordination, who has lead, the primacy, it varies by the, if you will, the entity that is being penetrated where it is, in the government, outside the government. if we use the dot-gov domain as an example, the department of homeland security has overall responsibility of the dot-gov domain, dhs, overall responsibility in the dot-gov domain. so if you look in the opm scenario, for example, you saw opm as they began to realize what had happened as they realized this is beyond their own capacity. they turned to dhs. dhs, in turn, then turned to the fbi and nsa to provide technical support. we do that continually. we've done that particularly

between nsa and the fbi within the government domain, increasingly we find ourselves when requested attempting to support high-end intrusions in the private sector, sony, as an example, for example. >> is there anything that could be done to enhance that cooperation coordination? >> there's always more. i mean, from my perspective, as i talked to my teammates, speed is critical here. focus, leadership, buy-in, the ability to set up mechanisms to more rapidly flow information back and forth with each other, the more -- the ability to put expertise more quickly on the problem set. we continually get better, but for me, at least, and part of it is the -- >> obviously, one area that, of course, we could improve is in the government to private sector. >> right. >> relationship. that's why the legislation is so important. let me ask director comey as well if he has a comment. >> i agree with what admiral rogers said.

we've made dramatic strides in the last five years. i think of us -- this is probably a homely metaphor, but we're kind of like a fire station. when the bell rings, we send all the trucks. we don't ask, do they need a hook and ladder? do they need a rescue truck? do they need an ambulance truck? we send them all, and that means we send nsa, fbi, dhs. we talk to each other, then figure out what's needed at the scene to help these people who called 911. that has gotten dramatically better. our primary way of sharing information is through the nci/jtf. which i hope you have had a chance to visit. we all sit together and in human terms and electronically, we share that information about what do we need to respond to this particular fire? >> in my remaining time, i wanted to commend director brennan on your tackling the persistent problem of lack of diversity in the i.c. i know that you commissioned a report, and i just want to commend you on seeing the need and look forward to working with all of the agencies represented in making sure that we address

our lack of diversity in the intelligence community. i yield back. >> the gentle lady yields back. the gentleman from florida is recognized. mr. miller. >> thank you, mr. chairman. somebody said that iran did not have the technical capabilities that a russia or a china would have. is it safe to assume -- and i use that word assume in quotes -- that russia would give some of their capabilities to iran to use it in the cyber world? >> sir, that might be best left to a closed discussion. >> somebody talked about attribution, also. how do we distinguish between a state-sponsored hack or attack and an individual? >> jim? do you want to try that? >> the way we do in almost any other circumstance, we try and see what facts we have to

connect, the individual at the keyboard to a particular government. sometimes it's direct evidence. sometimes it's circumstantial. sometimes it's the tools used. we put together those facts and say what judgment can we make to attribute -- there's always a human being at the keyboard. that human being to a particular state actor. >> and the only other comment i would make is then we'll compare the activity that we've observed with that which we have observed historically over time, looking for similarities, other connections we've previously been able to determine. >> are most of the attacks designed to glean information or to disrupt? >> well, again, the terminology attack versus gleaning information, and to this point, it's either been, you know, disruption of a website, for example, but more commonly just proloining information. as i indicated in my opening

statement, though, i believe that the next push on the envelope here is going to be the manipulation or deletion of data which will, of course, compromise its integrity. >> going back to the russia/iran issue, and i know going back to russia and iran, and i know there are some issues that we can't talk about here, but russia's setting up a cyber command. how about china? >> to the best of my knowledge, the chinese have not yet gone to a configuration like the russians appeared to have with establishing a cyber com somewhat analogous to admiral rogers' command. but that's not to say that the chinese, as you know, have very capable structure and apparatus

in their current p.o.a. staff structure. >> i yield back, mr. chairman. >> the gentleman yields back. mr. quigley is recognized for five minutes. >> thank you, mr. chairman. gentlemen, thank you for being here, and thank you for your service. i guess we hear most often of the high-profile hacks, cyber attacks on the u.s. government and major corporations. but as you know, the majority of businesses in the united states are small businesses. and we have thousands of very small local governments. they still contain in their computers extraordinarily sensitive client information or public information. yet, as we can imagine, they often lack the sophistication, the capabilities, the expertise, the knowledge, the resources to meet this challenge. what, if anything, are we doing to reach out to those entities and try to help them meet this challenge?

>> it is absolutely a concern of every business in the united states from the traditional mom and pop up to medium size to large. and so, we have -- with the fbi is doing about it, is we recognize that that's a threat to everybody because our whole lives are connected to the internet. so in every community in this country, we have something called infraguard which is designed to offer a vehicle for those folks to learn from us best practices and warnings and indicators and for them to be able to share information that's useful to other small businesses and to the fbi. so i'd encourage small business folks, contact your local fbi office. we're in every community in this country. we have over 500 offices. join infraguard. it will make you smarter, and i hope in the process it will make your government smarter. >> i would just add, as well, the responsibility, and only because they're not represented here today, is the department of homeland security which does have a responsibility for engaging at the state and local

and tribal and private sector segment. >> and i appreciate that. but the lack of resources, you know, we hear so often that it's becoming cheaper and easier to hack and more expensive and difficult to defend. is there some other way besides this that we should begin to look at in terms of trying to balance the field between the resources a community bank has versus a major national bank? just as one example. >> one of the things that we need to continue to do better as a federal government is equip our state and local partners to investigate crimes that are digital in nature. and that's something that sheriffs and chiefs are hungry for. the fbi and the secret service are pushing out lots of training, pushing it out online so people from their desk in a police station have become a certified cyber investigator. the reason that matters so much is there's never going to be

enough federal agents to answer the call, answer the bell of tens of thousands of small businesses who need help. and so we've got to equip our local partners to be able to offer that assistance. >> thank you so much, and i yield back, mr. chairman. >> the gentleman yields back. i now yield to the chairman of the agriculture committee, mr. conaway. >> thanks, chairman. director clapper, you mentioned the dark web in your comments, and maybe mr. rogers may be able to better answer it, but could you give us a better description of what that means and how it's being used, and can you tell if information that's been purloined from somewhere else is actually being sold in that arena? >> jim, the dark web? >> the dark web is that portion of the internet that is not touched by any of your normal search engines. so you won't find it through google or yahoo! or bing or anything like that. you have to go looking for it. and so, it requires specialized knowledge and often to operate the required specialized software.

because it is not reachable and it is hidden, sort of a below-level, below the waterline, it's attractive to people who want to avoid any kind of scrutiny. so it's very attractive to criminals of all sorts. >> so have you seen it actually being used to sell information that's been stolen elsewhere? >> oh, certainly. we just took down a forum in the dark web that was being used to trade information -- personally identifiable information and skills. what the hackers have done is, hacking has become so sophisticated, it's become specialized now. so no one does all the different pieces that are necessary to steal your identity and then cash it out. and so, it is on those places in the dark web that they meet each other, and someone who specializes in cashing out can talk to someone who specializes in stealing, and someone else who has a specialty in hiding things on a particular server can sell their services there. so it is a world full of criminals, which is why investigators for the fbi and our partners spend a whole lot of time there. >> so do you have the right

tools, the right -- i mean, is any of that activity that should be criminal that's not criminal yet, are there areas where we need to improve what you can do in that arena? >> i think by and large, we have the tools, congressman. and what we're trying to do is with our international partners, that's the key, because just finding the bad guys from the united states doesn't help us if the bad guys are all around the world. so the operation i just mentioned involved 20 countries simultaneously locking these guys up. so we send a message that you think you're hiding from us, but you're not hiding from us. the dark web is not a safe place to conduct criminal activity. so i think we have the tools and the fbi to get in there and find them. and what we're getting better at is building those international relationships. >> do you have the requisite authoriies that you need? >> i believe so, yes. >> without getting into details, can you assure us that whether it's a breach or attack at opm, that at this stage you've reverse engineered well enough

to try to put in appropriate protections elsewhere in the dot gov world about. >> i don't think that's something i'm best to speak about. >> and for nsa, we provided opm with 19 specific recommendations on how we would suggest changes to the network structure would help forestall future such activity, dhs in addition is identified, recommended improvements. i know opm is working their way through that and has a plan for how they're going to implement the steps they believe are necessary to ensure that they don't see a repeat. >> it's not your lane, but they can't be the only ones who had the problem. is that information -- those recommendations being shared beyond just opm? >> yes. so part of what we try to do and it really goes to representative sewell's point, every time we find ourselves with a major incident, we try to ensure that the insights we generate from that are share more broadly, both across the government with our private sector partners, because we're the first to acknowledge it's likely that others will attempt to replicate the same kind of ttps, as we would say, the same techniques

they're using again so we try to make sure we share information broadly. >> general clapper, is there authority anywhere for someone to require all these government agencies, opm, others to actually implement the recommendations or to set standards and then hold agency executives, secretaries of the various, you know, cabinet folks? is there somebody who can say you have to do this by a certain period of time? >> i can't quote you a chapter and verse. maybe others here can. but i think it just -- from the simple standpoint of institutional responsibility for tending to their networks -- >> yeah, they all work for the president, but it's a little -- you know, you wouldn't expect him to call down and make sure it happens. is there someone in the hierarchy of folks who work close enough to the president that that can actually be required to happen?

>> mike, can you help me with that? >> in the aftermath of opm, more broadly across the federal government, the white house set up a task force that's specifically designated a series of concrete steps that were required to be executed. by memory as we had to finish it all within a 90-day time frame, every department across the government. as the dni indicated, i always try to remind people in the end, this is all about accountability and leadership. and how you prioritize in a tough environment where you're competing for limited resources. you've got 1,000 challenges you're trying to deal with as a leader, trying to ensure that you're sending a strong message to your organization and your subordinates about your expectations are and what's acceptable and what's not acceptable and fundamental lapses in your ability to protect information that our citizens have shared with us from the government -- >> i think you want to point to an institution in the government that has that responsibility

for the -- you know, government-wide is probably the office of management and budget. and, of course, appropriately, they have the power of the purse. >> thank you, gentleman. yield back. >> gentleman yields back. the gentleman from california, mr. swalwell. >> thank you, chair. i want to thank the panelists and the i.c. for your work this summer. we took down some planned isil attacks in america as cooperation in the community and the fbi made some very helpful arrests. you know, and that highlights, i think, you know, we have to be perfect. they pull off one attack, and it hurts people. it caused panic. so thank you for doing that. i want to follow up a little bit on what mr. conaway was saying. my question's for director comey. as a former prosecutor, i appreciate how hard it is to go after, you know, what we were kind of call a paper case or a computer case. it takes a lot of work and to

figure out whose fingertips are on the keyboard causing these attacks is very difficult, especially when they're drawn across the globe. but do you think we could do a better job of making sure we hold these people responsible, show them to the world and deter more attacks? because right now it seems like we are almost entirely on a defensive posture. and i think you hinted that a lot of this is because of international challenges. we just struck an agreement with iran that involved china and russia and countries we don't normally agree with and work with. do you foresee an opportunity for a compact with nations to go after some of the cyber criminals -- cyber espionage i think is different, but cyber criminals that would better assist you to do your job? >> i do. i think the bad guys through the use of the internet have shrunk the world. they've made places that are tens of -- hundreds and thousands of miles apart, next-door neighbors on the internet.

so our strategy, the fbi's strategy is shrink the world back in two ways. forward deploy fbi cyber agents around the world and also equip our partners around the world with technology and training and people so they can help us. because you're exactly right. the bad guys think it's a freebie that they're in their pajamas at their keyboard halfway around the world. they can steal anything in america. we're trying to do is make them look over their shoulders at if they're in america at an fbi agent. but if they're halfway around the world and an agent from that country, and it's getting a lot better. countries from around the world see this. it can always be better, though. >> thank you, director. and with respect to what ranking member schiff was talking about earlier on the end-to-end encryption and the challenges there, i certainly would hate if we didn't do everything we could to prevent the next attack and know where it's going to come from. and the challenge that you have laid out, i think, you know, quite articulately over the past

year about going dark, as you mentioned, it has tension with some of the security and privacy values that we also have. how do you see us reconciling that? and you mentioned making sure that we work with industry. it's not just policy, but, you know, back at home in the bay area, you know, it sometimes seems like we've forgotten about september 11th and privacy is, you know, paramount concern. how can we reconcile the two as lawmakers and also with industry so that we don't look back and see that we could have prevented an attack, but we were dark? >> i think from the government side, our responsibility is to talk to folks and explain to them we're not maniacs. the fbi is not an alien force imposed upon the american people. we work for the american people. we work with the tools that they give us through congress. and so, our job is to say hey, look. our tools are being eroded.

and we're not making it up. what has helped people, i think, in the isil threat is see that we're not making it up. there really is a conflict between two things we all care about deeply. and if we're going to protect people, we've got to figure out how to resolve that. but also, not be arrogant and think well, the answer is, from the government. you should not look to the government for innovation, right? we can do a lot of great things, but technological innovation is not our thing. i think we've got to start by saying we have a problem. we all love this great country of yours. we have to come together to try to solve it. everybody who says it's too hard, i really believe we have not given this the shot that it deserves, and we're going to continue talking about it to try and demystify it and blow away this nonsense that we're at war with each other. this shouldn't be venom. we should all care about the same things and figure out how to solve it. >> and director, finally, if we were in a posture where if american companies -- or if most of the end-to-end encryption that was being used by the bad guys ended up being overseas or

companies that were overseas, what is the plan to make sure we can still protect communications that would threaten america? >> how we would reach -- infrastructure completely overseas? >> yeah. >> we'd have to do it with our foreign partners. as i said, i think every civilized country, every country that cares about the rule of law thinks about this in the same way. all of us have to reconcile those two values. we have to do it as international community. i do think there's a reason, as i said earlier, that we should figure out how do we want to govern ourselves. but we also just don't want to chase the problem where we can't get to it. so we've got to figure out our piece and also work with our international partners as a community of nations to figure out how to address this. >> thank you, director. and again, thank you all for the work you did this summer and continue to do. and i yield back. >> gentleman yields back. miss ross lehtinen of florida. >> thank you so much, mr. chairman. this morning, the treasury department targeted four key

hamas leaders as financial facilitators for their terrorist acts and sanctioned them. one was saudi, one palestinian, one egyptian, one jordanian, as well as the front company that they used to transfer all of these dollars. and they were providing incredible financial support to individual terrorists as well as the groups they belonged to. and this highlights the international scope of fund-raising by these terrorist enterprise and the directing of military operations, the facilitating of transfer of funds all done within the cyber domain. were it not for that, they would not be able to move this money around and plan these attacks. we're talking tens of millions of dollars that were moved from iran to saudi arabia. a lot of money laundering. how confident are you in your individual agencies and working together that you have the

necessary resources to continue to track these terrorist activities that will be able to continue to sanction these individuals? they keep popping up as soon as we put these four guys down and put them out of business, four more will pop up. but we are able to track them thanks to the technology that we have. so how confident are you that we can continue this sort of like in the coast guard in my congressional district, we just have to get faster boats than the drug runners who are moving their drug shipment. >> i think we have -- thanks for the question, ma'am. i think we have a pretty good understanding of the financial mechanisms that are used. we could always do better, and we could always use more resources. but we certainly have put focus on the whole issue of threat finances. that's a whole new realm of intelligence that has evolved over the last decade or so. i have a national intelligence

manager for threat finance who is also the chief intelligence officer in the department of treasury. so we have very good linkage, i think, across the community using -- bringing to bear all the resources of the community, et cetera, to focus on this. but it is a constant challenge because as you've, i think, implied in bringing this up, this is the lifeblood of terrorist -- international terrorist activity. john, do you have a comment? >> i think we certainly have the tools. we are trying to make sure we utilize all of our various intelligence capabilities. but as jim mentioned before, we have ppd-28, and there are issues related to access to metadata, bulk collection, other types of things that i think it gets into this issue about what can we do for security purposes, but what also might, in fact, impact on privacy, civil liberties issues.

so the treasury department relies heavily on the intelligence community to make sure that they have a sufficient basis to designate these individuals, and as jim said, we're working very closely with them. >> is there something that we can do in terms of changing any laws that would allow you to do your job better in a way to bring down these terrorist organizations and the financial wherewithal? >> rather than respond off the tops of our head, why don't we take that for the record and give that some thought? >> thank you, sir. thank you, mr. chairman. >> gentle lady yields back. mr. turner is recognized for five minutes. >> thank you, mr. chairman. again, thank you all for being here and thank you for your diligence on an issue that is an incredibly important one, not only is it an issue as director clapper has said of us losing information, but of the prospects that ultimately we

could be looking at a change in the trend as admiral rogers was saying, the manipulation of data or actually damaging of data and effectiveness. i want to ask two questions that relate to coordination. general stewart, good to see you again. last time i saw you you were in my district at the air force base. thank you for being there. my concern on the first question on the issue of coordination is with respect to isil and following on mr. swalwell's question, we have the director of the fbi, of course, who is trying to ensure that where we have isil who is using social media to recruit individuals, that he find those individuals in the united states and thwart their opportunity or their planned attacks. of course, obviously, with d.o.d., their goal is to find these individuals and bring justice to them so we neutralize the threat as they continue to operate.

the isil's use of personnel -- trying to target military personnel and also facilities through social media is of concern, of course, across the country and in my own community at the air force base, even public events have been canceled. but when it goes to bringing justice to that individual that's not in the united states, the director of the fbi is not involved, the d.o.d. is, and coordination is an issue. and i'd like, general, if you could speak a moment about the issue of the concern of our ability to bring justice to them and what our progress might be there. and the second issue is with respect to the office of personnel management. again, back to the national air and space intelligence center, i have thousands of individuals in my community at the air force base that are very concerned about the data breach, specifically with the sf-86 submission and the information that's contained in there. director clapper, you mentioned that there are personal effects both on -- that could be damaging on financial

information, actions that could be taken to them individually. it also includes their families. but you go to the next layer of then what happens with our national effectiveness as that information is compromised. and i'd like, if you could speak a moment on the issue of coordination of that. you're all dependent on opm to protect the information of the people that allow your agencies to be effective and to function. general? >> congressman, the dia enterprise extends not just here in washington but down to the combat and commands, to the service intelligence centers and out to the forces that are on the ground in respective aor. we coordinate daily on activities that we see across that entire spectrum of the enterprise. so we're in contact with the services. we're in contact with the combat and commands. we're in contact with our analysts here at our regional intel centers to make sure that we get the best characterization of the threat, the best characterization of what they're capable of, and more

importantly, if we can target them, how do we get that targeting data down to those forces that can, in a kinetic way, in a combat way, bring justice to these forces? to our adversary. and so i feel very comfortable that we are talking. so not only are we talking to those units below us, but we're also talking laterally. none of what i can do at dia can be done without the efforts of nsa or the things that are being done at cia. so we bring all sources of information together, package that to all our consumers from the national level all the way down to our forces on the ground, and then we hopefully can bring that targetable information that will strike those actors in a very kinetic way. >> then, director clapper, on the issue of also personal risk, it also includes the professional risk, of the danger of this information being out. if you could speak to that for a moment, knowing that there are thousands of employees who are very concerned about that breach.

>> well, that's quite right, sir. there is potentially -- and i emphasize the word potentially -- great risk certainly in the case of intelligence people, particularly those assigned overseas, and in certain covered categories, that's a great concern of ours. what we have done through the auspices of the national counterintelligence security center is to do as much education as we possibly can on what the potential implications are, both, as i said, institutionally and individually. but at this point, we haven't seen, as we discussed before, actual evidence of the use of any of this data in a nefarious way. i wanted to ask director comey to comment, as well. >> i agree with director clapper's characterization.

i worry, with our workforce being a little confusing, that we -- i have talked to my workforce about this, that we got everybody credit monitoring. that's actually not my worry about this information. i feel like that's buying people flood insurance when their neighborhood just burned down. the fire is what i'm worried about. it's not people's credit cards and their credit rating given what we think the information was taken for. we see no indication of it being used to hit anybody's credit rating or credit accounts. i don't think that's the concern. at the same time, i don't want to put people completely at ease because as director clapper said, there's a significant counterintelligence threat that's associated with someone having this information, a nation state. >> gentleman's time has expired. the gentleman from ohio, dr. wenstrop.

>> thank you, mr. chairman. thank you all for being here with us today. you know, we talk a lot about china, russia, north korea, iran, nonstate actors, and we're concerned with attacks in nesting and the dark web, et cetera. how much of what we're seeing is taking place from within the united states? are we having bad actors within the united states that are participating in attacks and nesting and on the dark web? >> well, we have our fair share of criminals, and criminals increasingly operate online because that's where our lives are. i think that's where children play. that's where we bank. that's where our health care is. and so, people want to hurt kids, that's where they're operating. then they're often sharing images with each other on the dark web hoping that we won't be able to find it, that they'll use the onion rueter to hide their communications. as part of child exploitation, we see fraudsters of all kinds. whether it's health care or just trying to steal your banking transactions, trying to operate in a way that we can't see. and so they think if they go to the dark web, the hidden layers so-called of the internet, they can hide from us. they're kidding themselves because of the effort that's been put in by all of us in the government over the last five years or so that they are out of our view.

but it's a big feature of criminal activity in the united states. >> from a government standpoint and international relations in coming together and trying to combat cyber, do we have full confidence in working with the five eyes? beyond that, where do you think we should go or where are we going in that arena? >> i think i speak for my colleagues on this panel. we have full confidence in the five is. we are very closely latched up when it comes to all matters cyber, whether it's counterterrorism, counterintelligence and criminal. that's a fabulous relationship. it's as healthy as it's been for 70 years. and increasingly, as i said, all states that care about the rule of law are engaged on this. where we have problems is with certain states, russia, in particular, where it's very hard for us to get cooperation and get the actors apprehended, and so, we have to hope to grab them when they leave the country and travel. the good news is all of the successful cyber criminals have

lots of dough, and they want to go on vacation. and that's where with our partners, we grab them up. >> does anyone think there is a potential for a geneva convention-type of arrangement to be made? because i consider the cyber world to be a world war taking place right now each and every day. is there a potential for a set of international rules, even amongst some of the people that we consider to be our adversaries? >> well, yes. there's a potential for it, and one would hope that -- and of course, it took many, many years for the geneva conventions to evolve, and i suspect it probably will in this case, as well. but i think the hope is that there could be established some international norms governing behavior, particularly what civilized nation states will do about criminal behavior and the use of the internet for terrorist purposes. and there are many, many countries that have an interest

in that. >> how do you suggest we begin that process? >> well, certainly the public discourse, i think, is useful. it is certainly a topic within intelligence circles that we discuss with our friends and allies, particularly the five is. so there is a growing body of interest in this. but again, i hark back to we're from the intelligence realm, and this really is a policy issue that's kind of over our labor grade. >> well, that answers my question. that's what i was asking. one other question, has north korea conducted cyber attacks on u.s. companies since sony? >> your question is did they? >> have they? have they conducted any that we're aware of since -- >> since sony? not that i'm aware of. mike? >> we haven't seen any offensive

destructive actions directed against the u.s. corporate sector by the north koreans since the sony incident. >> any conjecture -- is there anything that -- and you don't have to go into detail -- but did america act in any way that maybe has been a deterrent for them to act again? >> i certainly hope that's the case. the president came out very publicly and talked -- acknowledged the act, attributed the act and then talked about what we were going to do in response to it and then talked about and were we to see continued activity along these lines, we will take additional action potentially at the time and place of our choosing. i hope that's been effective. i would argue your question was narrowly focused against activity against the united states. i would argue i have watched them do other offensive actions in the post-sony environment. >> thank you. my time's expired. i yield back. >> gentleman yields back. gentleman from utah, mr. stewart is recognized. >> thank you, mr. chairman.

and gentlemen, thank you for what you do. if there's anyone who's going to save our nation from future chaos, it's the work of you and your agencies taken together. i have great respect for all of you. i consider some of you friends. mr. brennan, i've spent a lot of time with some of your guys around the world in the last six months, and they are heroes. admiral, you and i spent time together last week in utah. thank you for your support there. i have a question, and i want to get to that, but before i do, director clapper, you've said some things that i don't understand. and i hope you can clarify for me, if you could. and that is coming back to the opm breach, and you said it's not an attack. and i guess i would ask you to clarify that. and if i could elaborate just quickly, i understand there may be a technical definition. but there's a couple things that trouble me. one is that we say that we have no evidence of nefarious activity because of that, but we don't know that. if someone is being blackmailed because of this information that's been taken, we wouldn't know that yet.

if someone's cover had been revealed because of the -- you know, this information being available, we wouldn't know that yet, so we don't really know what has been the effect of this being taken. and can you define for me what is an attack, and what isn't -- or doesn't meet that definition? because this seems to me like it would be. >> my working definition of whether it's an attack or not, and my characterization of it not being an attack in that there was no destruction of data or manipulation of data. it was simply stolen. so that -- that's a passive intelligence collection activity. just as we do. >> well, and it seems to me, sir -- >> and to your other question is, you know, we don't know what could be going on. that's quite true. all i'm saying is there's been no evidence surfaced to this point of the use of this data in a nefarious way either against individuals or institutionally. that's not to say we're not mindful of that and that we're

not watching for it. >> and i'm sure that you are. i do think that it seems to minimize the gravity of this event by characterizing it not an attack and saying at this point we are not aware of any nefarious activity when there very well could be and many of us view this as simply more than just data mining. but if i could go on to my question, and i need to set this out very quickly because i really would appreciate your response. national security is a matter of cost benefit analysis. you have nation states that say here are our ambitions. here are our interests, our goals. and on the other hand, they have to, you know, kind of measure the cost of reaching those goals or defending those interests. what are the risks or what are the obstacles that they may overcome in doing that? and it seems to me we haven't weighted the scales on the side of our adversaries in making them know and understand the risks and the costs. and i think the effect of that, we have weakened the idea of deterrence or at least maybe i

don't understand the idea of deterrence. and it seems to me that when we see these attacks, as we have in the recent past, some of them associated with nation states, but they seem to act with impunity. and can you help me understand, what is our policy regarding deterrence? and i know that there's some regards to that that you wouldn't want to talk about, but it seems to me if we can be more open about how we will respond, that that could act as more of a deterrence, and i'm not sure that we've done a very good job of doing that yet. >> personally, this is not a company policy, this is my own view, that until such time as we do achieve or create both the substance and the mindset of deterrence, that this sort of thing is going to continue. the opm breach, and as admiral rogers has stated on more than one occasion, this is not a

one-off, and we will continue to see this until we create both the substance and the psychology of deterrence. >> well, i couldn't agree with you more. i've editorialized about this a number of times, and it just seems that we enhance our security, if we can deter rather than just monitor and take action after the attack. i know there's a fine line you have to tread there because you don't want to reveal our capabilities. you don't want to, you know, reveal how we track and in some cases how we may deter or we may, you know, retribution. but i'm hoping you agree with me. and director, it seems like you are -- that if we could be more open and more clear about our deterrence policy, that that would benefit us. >> those are policy issues. and certainly, as an intel guy, i would be an advocate for that. but ultimately, that's a policy call. >> i understand that. and in five seconds, anyone else on the panel like to address the deterrence?

okay. thank you, mr. chairman. >> gentleman yields back. mr. carson is recognized for five minutes. >> thank you, mr. chairman. i think we all understand that we face serious threats as it relates to hacking in the cyberspace. but we also are dealing with a larger cve strategy and the distribution of propaganda and the radicalization of americans really using online platforms. so i think it's obvious that we have some very challenging concerns about the constitutionality of protected free speech. my first question would be, how effective are these online radicalization efforts domestically? are there particular subsets of our society that are most greatly influenced? outside of -- secondly, outside

of encouraging voluntary compliance by google, facebook, twitter and others, what authorities do you guys have to forcibly remove propaganda and other recruiting materials? and what authorities could congress empower you with to help in those efforts? >> i think i can respond to that, mr. carson. first of all, they are, as we've seen over the last six to nine months, these recruitment efforts using social media are highly effective. isil started investing in it about 12 to 15 months ago. and the fruit of that was seen with all of the people we had to arrest to stop plots late this spring and this summer because social media works. whether you're selling sneakers or selling the poison of the so-called islamic state. so it works. the -- in my experience, the social media companies have been highly responsible and responsive in trying to take down media that is offensive and that is related to a terrorist group. the challenge of social media is it's the most complicated spider web in the world.

and so, you end up having a hard time finding it. and then when you find it and shut it down, it chases to some other place. so it is an enormous problem. and i don't have a simple answer to it. but i do want to say they have been responsive and responsible in my experience. the people who respond to it are troubled minds. people seeking meaning in their lives and folks seek meaning in all different kinds of ways. unfortunately, there's an audience for this kind of poison, that they'll find meaning in the ultimate battle at the end of times through the islamic state. that's craziness, but troubled souls -- and we see people who have problems with alcohol or problems with their families or problems with the law and are seeking orientation in their life are responsive to this kind of stuff. the fbi's piece in that is trying to do two things at once. first, send a strong message of deterrence. that this is not a way to find meaning in your life. this is a way to find years, maybe decades, in a federal prison. so that ought to factor into people's consideration. and to equip police officers and

community service providers and parents with the markers of radicalization. we've gone back through every case we've ever seen and developed a matrix of these are the things that are indicators of that journey, and we're trying to equip people with that so they can see it and help reorient the person. >> has the citizens academy been active in increasing awareness or even more community engagement as it relates to a larger cve strategy? >> yes. citizens academy is a part of every fbi field office where we invite community leaders to come in, learn about the work we do and then go out into the community armed with an understanding of the challenges we face. and they're a key part of that because nobody wants to see these people turn to the dark side in that way. and so our goal, again, we have to be careful because we care deeply, as everybody in this room does, about the first amendment. so we don't want to have the fbi in the business of trying to tell people, here's the true meaning of islam. first of all, we're not qualified. we should be nowhere near that.

we want to equip the good people of the united states with an understanding of the markers of radicalization so they can have those conversations. >> that's an important work, and we appreciate the work that the bureau does and the rest of the agencies represented here. i do want to say, though, director, respectfully, and i think you know this, i don't have to say it, when we talk about radicalization, islam does not have a monopoly on radicalization or even cult-like activity. there are so-called christian groups that are purporting racial mythologies that are just as destructive in the midwest. when i worked at the fusion center, a lot of the calls that we got dealt with white supremacist groups claiming to represent christianity. judism is represented as well and other groups. i think that in our larger cve effort perhaps we can educate the public that islam does not have a monopoly on radicalization, but we appreciate what you guys do. >> thank you. >> thank you. i yield back, mr. chairman. >> gentleman yields back. mr. pompeo is recognized for five minutes. >> thank you, mr. chairman.

director clapper, good portions of the patriot act expire next year, is that right? tell me what efforts the intelligence community has put in place. we struggled mightily with respect to a handful of sections, section 215 and others to get put in place in a way that was meaningful and helpful and allowed you to perform your functions. tell me what efforts that you all are engaged in, contemplating what happens if those provisions do expire and they're not renewed, or any efforts you're engaged in to -- you or the administration are engaged in ensuring that those provisions do not come off the books. >> i guess the best response would be to take that one, too, as to what the workarounds might be if it totally expires. i guess, you know, the hope is that they all won't, and we'll

have to figure out workarounds. but i guess i don't think we're prepared here to respond directly to the question, so we'll get that for you. >> i just raise it. it seems like a long ways away, the middle of next year will be here awfully quickly. we have had enormous struggles legislatively to get these things accomplished. and i want all the members of this committee and all of you to know that there are a bunch of us determined to make sure that these provisions are continued, if they need to be modifies in some way to update and make them consistent with what we're trying to achieve today, but we should not wait until may to begin thinking about what the impacts are. >> you're quite right, sir. and i appreciate your bringing this up. and i'd like to give that a serious response. so we'll get back to you. >> thank you. this is for anyone, but i'll start with director clapper. we've been in negotiations that are now complete with iran. we have an iranian nuclear review act that congress -- that the house is considering today. can you tell me what the iranian behavior has been in the cyber world during these discussions? have there been any noticeable

changes either as the negotiations continue came to fruition or where we sit today? >> mike, why don't you -- >> we have publicly acknowledged if you step back a little bit in the 2012/2013 timeframe, we were seeing significant iranian activity against the u.s. financial sector, trying to take down financial websites, flowing out of '13 as the negotiations kicked in in many ways, we saw less activity directed directly against us, but i would remind people, i have not seen the iranians step back from their commitment to cyber as a tool, and we see it being used against a variety of actors in the gulf and in the region, that they continue to be fully committed to how can they use this capability to achieve a broader set of national objectives. >> thank you. mr. chairman, i yield back my time. >> gentleman yields back. the gentleman from connecticut,

mr. himes. >> thank you, mr. chairman, and thank all of you for your commitment and time this morning. i want to return to a theme that i was bringing up in my opening statement. that's just a couple of questions related to clarity around international norms in the cyber realm. the first question, i guess i directed at mr. clapper. there is some debate as to whether currently existing international treaties and international law, laws of war, are perhaps sufficient to provide the clarity that you need operationally. and i understand there's a policy question here, but i'm asking an operational question, which is, do you think that that's true, or do you see the cyber realm as distinct enough from the territorial or other realms such that it would be operationally helpful to have specific clarity around laws and norms in the cyber realm? >> well, i'll offer an opinion and that's all because it is, as you say, a policy issue. i do think that there needs to be norms that are specifically

tailored for the cyber domain. it's to me at least somewhat analogous to the chemical warfare conventions. that it has some technical aspects that i think need for them to be meaningful and effective, need to be adapted. perhaps drawing on some of the principles of what we now know is international norms in other realms, but i do think there needs to be some tailoring. mike, you have a view on that? >> i would echo that. i think that there are mechanisms out there and frameworks that we can draw on. there's certainly some differences within the cyber arena, and i'm the first to acknowledge that. i think the important point you raise is, clearly, we still do not have enough clarity. and clarity, particularly if i put on my operational role as cyber command, clarity is everything to me because that

enables -- that helps enable speed of response, help generate better outcomes. so i think it's important for us as a nation, and i would argue more broadly, internationally, to come to a sense of so, what are these terms? what are these definitions? what is a framework that enables us to quickly decide what's acceptable, unacceptable and what's an acceptable response? because currently the environment we're all in right now, i don't think anyone is satisfied with the environment we find ourselves in right now. >> thank you. so last question is, i guess, where are we? is this an effort to which your respective organizations are actually contributing significant resources, prioritizing, and obviously, there's groups that aren't represented here like the state department that would be pretty critical. is there something that you see in the u.s. government as a priority? >> well, it's clearly a matter of discussion in the interagency. and i think you're quite right.

the state department probably the better institution to speak to than intelligence. >> any other observations? comments? okay. admiral? >> i would just say, clearly, the i.c. participates in those discussions. and we get the opportunity to provide a viewpoint and perspective. we try to back that up based on the insights and the data we generate, which is what the expectation is for us as intelligence professionals. i think, you know, clearly, we are all frustrated that this is taking us longer than we would all like but i would not want anyone to believe it is not because of a lack of effort and it's not because of a lack of recognition that this is a set of issues that fundamentally need to be addressed. >> thank you. chairman, i yield back the balance of my time. >> the gentleman yields back. i want to thank the panel today. thank you for being here. thank you for being willing to testify in public. we will have questions that we'll submit for the record.

and i think, director clapper, there's a couple questions that may have to be answered in a classified setting, but we look forward to receiving those. i'd like to remind members that they have ten legislative days to submit questions for the record. before we adjourn, i'd like to just quickly recognize lynn westmoreland. >> thank you, chairman. and i want to thank director clapper and director brennan and admiral rogers for your participation in a georgia regents university, the cyber symposium that they are putting on in augusta, georgia, as you know, the nsa facility is there and expanding. and i know that director clapper and director brennan have both stated, as well as admiral rogers, about the need for young talent to get involved in this field. i want to thank the director for sending miss o'sullivan down to speak this year.

we were hoping we could get you, but we're glad to have miss o'sullivan and the same thing -- >> you're getting a better speaker. >> yeah. and sending him. thank you all and thank you for your support and realizing that what we're doing is trying to get young talent to recognize the importance of our cybersecurity, so thank you very much. >> thank you. >> we once again, thank you, gentlemen, and hearing's now adjourned. earlier this week, director of national intelligence james clapper was the main speaker on the opening day of the intelligence and national security summit in washington, d.c. he assessed the state of u.s. intelligence and discussed the intelligence community's effectiveness and accountability. this is an hour. >> thank you, joe.

good morning, everybody. delighted to see that we have such terrific attendance here. i was wondering when i first arrived whether we'd be able to fill up the room but we've done more than that so that's just a testimony to the importance you attached to this conference. i'd like to echo joe's comments regarding our partnership with fca. we have and continue to enjoy working with fcia and look forward to continuing this partnership again next year. there's no better place to begin our exploration of the state of u.s. intelligence than with an address from director of national intelligence james clapper. the fourth director of national intelligence and the leader of all united states intelligence. director clapper has served in

united states intelligence for over 50 years. with more than 30 of those years in uniform. he has served as the director of two national intelligence agencies, the dia and the nga. he's been the undersecretary of defense for intelligence. and as a private sector executive, leading industry support to the intelligence community. there is no intelligence leader past or present with director clapper's depth and breadth of experience across multiple intelligence domains. and both in the private and public sector. and i say that with all due humility as the first director of national intelligence and i marvel at the wisdom and experience that jim has brought

to his job and which i believe has really enhanced the standing and the prestige of the odnia and i think it's also important that unlike his predecessors, he's managed to spend a good bit of time on this tour of duty. i believe more than five years at this point. his career and many accomplishments serve as an example of the power of both intelligence community integration and public/private partnerships. when director clapper completes his remarks, i will moderate a question and answer session and look forward to including many of your questions, as well. so, as was mentioned earlier, write them down and they will be collected from you by the conference staff. it is an honor to have director

james clapper with with us toda. please join me in welcoming him to the 2015 intelligence and national security summit. [ applause ] >> well, thanks. it's great to be back on the stage with this integrated group. spent the past five years prescribing -- preaching the gospel of intelligence integration and it's been my major theme during my tenure as dni. it's really the reason i think the office exists. it's what the 9/11 commission advocated and it's what intelligence reform and terrorism prevention act

legislated. but perhaps my successor won't need to even talk about it. now, this morning, seeing mo begin ski and joe working together, almost makes me feel like intelligence integration is really catching on. by the way, mo and joe has a certain ring to it. either a singing duo or selling car parts together, i'm not sure which, but -- so for the rest of this speech and the spirit of integration, i'll refer to you jointly as mojo. because you have the joint mojo going this morning, as evidenced by this great crowd. so thank you both for the invitation to cake off this great summit and for nurturing the spirit of working together. so when i was here last year, i spoke about our new national -- then new national intelligence strategy quite literally on the

day our publication was literally rolling off the presses. this year, we don't quite have anything as obvious like that to talk about. so i went to the summit website to read what mojo expected me to talk about. here's what the summit website said i'd be discussing. u.s. intelligence is an essential instrument of national power, and perhaps has never been more powerful than today, given advances in technology. and with great power comes great responsibility. that last line really struck me. with great power comes great responsibility. apparently mojo think that i'm spiderman. [ laughter ] >> in the interest of transparency, i'll tell you i'm not. i ask my staff, they say i look

like spidey's uncle ben, but with less hair. but that line, with great power comes great responsibility, was used to introduce his first comic book appearance in 1962. in the spring of 1963, just as i was starting off in the intel business, marvel published the first issue of "the amazing spider-man." coincidence? yes. all kidding aside, we have a lot in common with spiderman. constantly have to worry about covert concerns, someone matching our oipts to our everyday normal lives. both spiderman and peter parker are known for genius level intr intellects and we're known for experts in cryptology, to denial, detection, and even rocket science. spiderman is known for super human strength.

now couple days a week i lift weights in my office. jim and my spotter says i'm pretty strong for a geezer. of course my spotter is normally one of my detail guys. so his evaluation of my weight room prowess may be just a little bit biased. spiderman is known for his precognitive spidey sense. many of our customers expect us to be clairvoyant when it comes to world events. spiderman shoots webs from his wrists. some call him web head. more and more, we are focused on spider intelligence and the worldwide web. okay, i'll grant you, that's a stretch. there are even similarities between spiderman and the ic when it comes to governance.

stan lee created mar rel, but sony pictures has control of spiedy on film. simil similar -- [ inaudible ] integrating priorities and resources across the ic is not easy, particularly when it comes to following the different laws, rules, and processes that reside in each one of those cabinet departments. what we're listing similarities, sony pictures and i both have a less than friendly interaction with north korea. by the way, every spidey fan here is hoping marvel and sony can integrate efforts and give the web slinger a role in captain america's civil war. so we have a lot in common with mar marvel comic's most popular.

but i'll set that aside. because those few sentences, the ones posted just under my picture make a really good point. intelligence is a powerful and essential tool for our national security enterprise. and, again, with great power, comes great responsibility. those statements have been true as long as i can remember, and i can remember back a long way. my dad was in business in world war ii. as a consequence of traveling around the globe with him, i grew up on intelligence sites and antenna farms all over the world. of course back then, we didn't talk about intelligence publicly. five decades later, that's, of course, changed. in fact, it's changed a lot just over the past three years. i admit, because of my experience, growing up in the

business and my five decades or so in intel, that it the kind of transparency we're engaged in now almost is genetically antith cal to me. and as i think back, which i want to do these days, air force second lieutenant jim clapper of 1963 would be shocked by the level of detail that we talk about, specifically in intelligence activities in general in 2015. that's been one of my major take-aways the past few years. yes, we have to protect our secrets, our sources and methods, our trade craft. but we have to be more transparent about the things that we can talk about. because now the american public expects to talk about how we're using the power of u.s. intelligence responsibly. and, again, with great power comes great responsibility. that's a lesson i personally

believe we didn't learn quickly enough and that "we" certainly includes me. so that's why, more and more, we're discussing our work, to correct misunderstandings and to help -- try to help people grasp what we do, to show that we're worthy of america's trust. and to prove that we make worthwhile contributions to the security of americans and our friends and allies around the world. it's why over the past two years, the community has declassified more than 5,000 pages of documents about our work, and importantly about the oversight of our work. that which is conducted by all three branches of the government. and by publishing these declassified documents on our tumbler site, i see on the record and pushing them out on facebook and twitter, they've reached millions of people in the u.s. and around the world.

that includes, of course, our adversaries who also have learned a lot from our transparency. but, i think we've come down on the side of transparency is worth that cost. we declassified these documents to show that we follow the law, and when we do make mistakes, we do our best to live up to that line stan lee wrote just a few months before i joined the intelligence business -- with great power comes great responsibility. we understand the truth in that line. it's why the president challenged us in his speech in january of last year, to formalize privacy protections for our intelligence efforts at home and abroad. and to be more transparent about how we implement those protections. this past january, published a comprehensive report answering the challenges the president publicly gave us in 2014. we also supported the usa

freedom act, which authorized increased reporting of how the ic exercises some of its authorities. and this past february, we published the principles of intelligence transparency. and we stood up an ic transparency group with senior relationships from all over the united states. and their purpose is to -- and i meet with these great people -- to transform these principles into action. and i want to talk about those four transparency principles just for a moment. they're fairly simple. one, provide appropriate transparency to enhance public understanding of the intelligence community. that principle says what we ought to be transparent about and why. two, be proactive and clear in making information publicly available of course when we can. and that gets into how we should be transparent.

three, protect information about intelligence sources, methods, and activities. and four, align ic roles, resources, processes, and policies to support transparency implementation. so the tenets three and four say protecting our trade craft, our sources, an individual responsibility, for each person who holds a security clearance. while transparency is an institutional responsibility for the ic as an enterprise. as a member of the intelligence community, blue badge or green badge, comes across information she thinks we should make public, we have processes in place already to review it for declassification. and if someone comes across something she thinks we're doing wrong, we have lots of avenues to report that activity, including legitimate avenues for

whistle-blowing. make sure our workforce knows the rights and responsibilities on these issues, we've been publicizing how to recommend something for declassification, how to properly blow a whistle and what their protections are if they do so. we're also increasingly reaching out to the american public. as our transparency principle says, we need to be proactive and clear with transparency. because we're trying to help the public understand what we do in their name. it's why we in ic have declassified and published so many significant documents. the tumbler selected our ic on the record site for their 2014 end of year review. that's a big reason why this spring we sent our national intelligence council to to the south by southwest festival to engage people there and get them to help us identify trends in

our next global trends report. also why we published a huge swath of documents on the abbottabad raid. and our publication of bin laden's book shelf, gave us about as much web traffic in two days, 750,000 site visits, and two million page views, as our website received in all of 2013 and 2014 put together. and if you ran a google search for bin laden, dni.gov was the number two search result behind only wikipedia. tomorrow in the name of transparency, i'll be on the hill once again in an open hearing, testifying on cyber threats and cyber intelligence. of course transparency can help us with mission, particularly when we're able to use image publicly. in 2013, we showed how syria used chemical weapons on its own

people. in 2014, we made public the records regarding russia and flight mh17. as we passed the anniversary of hurricane katrina, i found myself thinking about the work nga did back when i was director. in the aftermath ever the hurricane, we reached out to nga for help. figuring out what precisely the storm had done to new orleans and the state of louisiana and the state of mississippi. how it had decimated so much property and rerouted waterways and blocked the ports. in general, helping him with situational awareness to manage the response, we worked very closely together. and i got to know thad allen very well. i very himself a close friend and a personal hero.

this spring, me and my wife had dinner with him and his wife pam. we reminisced and told war stories. i found out that among the few mementos that thad and pam display in their home is a top graph cal three-dimensional map of new orleans given to him by nga when he retired. and he recalled fondly the superb work nga did after hurricane katrina as well as in the aftermath of the bp oil spill. that was all work that mattered. that directly made a difference to american citizens. and the people who were on the ground remember it. as we push forward transparency initiatives, we've been able to help with tragedies and natural disasters around the world. last summer and fall, the ic and nga had a huge and largely unsung impact on the control and containment of ebola in west

africa, for providing open data on human geography to the countries and ngos that were involved. and for the first time ever, setting up a publicly available website for disaster support. this spring nga and the ic put the lessons we learned from the ebola outbreak into action after the earthquake in nepal. producing damage assessments, reporting on the operating status of airfeerlds, providing estimates on internally displaced people and displaying studies of transportation route. we saved lives and set a community on the other side of the world on the road to recovery. and those are things the intelligence community has done that i'm pretty proud of. once we made a commitment to be transparent doing these things, helping people in need were easy decisions, easy commitments to make. and i think going forward, we're going to have to be more

transparent in talking about hard decisions and difficult choices. because we're in a difficult business in a challenging time. so this morning, i started my speech with a comparison of superficial similarities between the ic and spiderman. i think there's one other thing that the intelligence community has in common with spidey and more directly and more distinctly with peter parker. this gets to the heart of why spiderman has been one of marvel's most popular character since the first issue of "the amazing spider-man." 52 years ago, the same year i started in intel, before spidey, most comic books depicted the struggle between the super hero and the super villain. it was superman versus lex luther with kryptonite. with peter parker for this first time, comic readers saw a hero's inner struggles.

they shared his experiences of trying to keep the job and earn enough to survive. trying to talk to girls, and watching helplessly as a loved one, his uncle ben, dies. and more than anything else, peter struggled with deciding what to do when his principles, his personal values came in conflict with each other. that's what made spiderman such an interesting character to follow. people have always related to his inner struggle with decisions. peter found that sometimes he couldn't keep a promise to a friend. and at the same time, as spiderman, help someone in need. the intelligence community is composed of people who similarly face tough choices. i think this often gets lost in the public discussion. we as an institution, and as a workforce, have principles and values that sometimes come into conflict. things like our need to keep sources and methods secret. and our desire to be more open

and transparent with what we do. things like pursuing terrorists and others that want to do us harm and protecting the privacy and civil liberties of the typical citizens not just of this country but of the world who are rarely sometimes caught up in our collection efforts against the bad guys. solutions for these conflicts are not always obvious. >> i've been in meetings where we pulled out our copies of the constitution and bill of rights to get to the truth of what our principles and obligations are. wrestling with constitutional issues to make difficult decisions is part of our daily business. and just a fragment of what makes an ic career so unique. this is a difficult business. i've been in this job, as john mentioned, a little over five years, and every day, i realize that fact a little more.

i've been pondering a lot about how to best express my feelings on my career and this job. and just last week, i came across an e-mail that captured them and expressed them better than i could ever have done. it was something an fbi director jim comey, one of our great leaders in all of government, sent out to his staff, and i want to share his thoughts. he wrote, i've been thinking about humility, lately. one of my weaknesses has long been overconfidence. i don't know whether it was the product of nature or nurture. but from an early age, i had a tendency to reach a conclusion quickly, hold to it firmly, and argue about it until the sun went down. fortunately, a whole lot of life experience has helped beat that out of me. in fact the older i get, the less i know for absolute certain, and the more i realize

my own ability to see clearly and to reason well is limited. that's one of the reasons it's so important to have people around me who see the world differently and who will tell me what they see and conclude so that together we can make better decisions. jim comey's e-mail nails what i have been thinking about and pondering of late. there's a human aspect to intelligence work that gets lost in the public discussion. we're human, and when we forget that, when we're utterly certain about everything, when we stop questioning and stop listening to the people around us who see the world differently, wii more likely to make mistakes and poor decisions, that's what it means to be human. fans of "the amazing spider-man" loved peter parker because we can relate to his humanity. he struggles, he tries his best, he makes his takes, he learns from them, and he keens going.

and he constantly tries to live up to the line that became his creed. with great power comes great responsibility. that line, so succinctly describes what the people in the intelligence community try to live up to every day. to show that we're worthy of america's trust and that we're worthwhile, because -- spoiler alert -- we are not comic book characters. we're americans working to protect our nation and at the same time, striving to live up to our nation's values. so, thanks again, mojo for inviting me to kick off the summit and thanks to everyone here this morning for listening and for being here in the spirit of integration to map out where our community goes next. so thank you very much. [ applause ]

>> thanks very much, jim. that e-mail from jim comey goes all the way back to socrates. all i know is that i know nothing. i guess that's the ultimate wisdom. before i go to questions from the participants, i had a couple of my own. that i'd like to ask, just two. and i don't think they're curveballs in any way. the first, because i know it's a subject of great interest to everybody here. -- is the intelligence budget. i know you don't have a crystal ball, but i think we'd be very interested in hearing what you might have to say, what observation you might have to

say about the status of the intelligence budget and what the prospects are for it in the months or years -- years is perhaps saying much. but as far out as you feel you can comfortably see in that regard. but what's your view on that? >> well, i guess if i had to pick one word to characterize the budget, environment, the budget situation for intelligence which is a microcosm for the rest of the government, i would characterize it as one of uncertainty. we are potentially facing the specter in 2016, depending on what happens on the hill, of another year of sequestration. this afternoon, and coincidentally, i'll be meeting with what we call the small x com, which are essentially the

big six, on teeing up 2017. we're having to worry now about that budget year. and once again, as we look forward to 2017, we are again going to be confronted with putting together a budget with great uncertainty about his fate in the congress. >> the bca, the budget caps, budget control act, still apply. in fact, that law still runs until the year 2021. so we're going to be in this mode of making -- of not knowing what our funding level is ultimately going to be, and living from year to year in this uncertain context, which makes planning very, very difficult. you we have 30 or so major systems acquisitions to manage across the ic, most of those in

the inner row. and it plays havoc when you don't know what the budget situation is going to be, and of course it has huge impact on our most valuable asset, which is our workforce. and that uncertainty, the lingering uncertainty, now stretching into four years, is having impact on the workforce, and that is evidenced in our latest ic climate survey. so it is a very daunting thing, a challenging thing to manage in this kind of environment. i will say that i believe the office, my office, od and i has been put to the litmus test during this four years of uncertainty of reduction.

every year after 9/11, the intelligence community got more money and more people. it wasn't that hard to manage. we're in a much different mode now. i like to think odi has managed its keep by managing a cut environment, where we invest, and where we take cuts. and of course through all of that, the number one presept that i've stuck to for five years now, which is, the first priority is to try to protect the workforce. >> thank you for that. >> my second question, jim, goes to the iran agreement. and basically to ask you if you care to offer some comments on the verifiability of the agreement. >> that is pretty much where -- the lane i tried to stick to, and the ic tried to stick to, our ability to monitor

compliance with this agreement, assuming it comes off. and we were required within five days after the agreement was struck, to submit to the congress a very detailed assessment of our, both capability, what we could do, and where we had lesser capabilities to monitor the agreement. so i come away with -- pretty confident, i won't say 100%. should never say that. but pretty confident that we can, in fact, verify, from our own sources, what the international community will be able to, through the mechanism the iaea, and its very intrusive, in fact, unprecedented access and ability to observe and monitor what the

iranians are doing. so i'm pretty confident in that. we are fielding some independent capabilities which i can't obviously go into, despite all my protestations about transparency, about -- that will enable us, i think, to have good insight into the nuclear industrial enterprise of iran, if i can call it that. and i guess, at large, if you ask me, given a choice between a state sponsored terrorism with nuclear capability or one without it, i'd probably pick the latter. >> okay, so if we could perhaps go to some of the questions that have been submitted from the audience and the first one reads, and this really goes to the human resource issue of the ic as a whole.

what will the ic workforce of the future look like in your view? how are we thinking about policies and processes for recruiting, retention, et cetera. and i would just add, are we getting -- how is recruitment going? are we getting the people we want? >> well, i will tell you that since 9/11, we have brought on a tremendous cadre of people. i just got back from a ten-day march in north africa and east africa. wherever i went, it's literally eye-watering to see what our intelligence people are doing. and the vast majority of these men and women have come on since

9/11. for me, a rather profound change in the community is that thousands have deployed to war zones multiple times since 9/11. that's had huge impact on the identification of missions in our workforce. and it continues to attract great young people to the intelligence community. i went to vietnam in 1965 and hardly ever saw a civilian. civilian employee or civilian contractor. they just weren't there. and that is very, very different today and that has had huge impact on the community. i remember when i left nga in 2006, i was there almost five years, and one statistic i recall that was quoted to me,

60% of the workforce had been hired during the five years i was there. and that's not unusual. that's across the board. we had, last fall, 31 vacancies and got 6,000 applicants. so we do continue to attract, i will also tell you that our attrition rate is pretty low. it runs around 4% and has, you know, plus or minus a tenth of a percent at least during the five years i've been dni. to answer your question, what's the workforce going to be like, well, i think one thing that i've noticed, what the workforce desires, particularly the younger people, is mobility. and we need to be able to facilitate the ability of our young people to come to the community and then go to

industry, get refreshed technologically and then come back to the community. we need to figure out a way to facilitate that. so i think what i mind, what they're interested in, what's the technological challenge, where can i go to broaden my professional horizons? and they're not too concerned with sticking with one institution for a 30-year, lifetime career. that's a big difference from my day when i first got into this business. >> thank you for that. >> a somewhat related question. many have suggested that the intelligence reform and terrorism prevention act, and the odni are like goldwater nichols was for the dod. so how do you think the ic's