-- the alaska state of the state address as well as other speeches available online cspan.org. just type the state's name in the video library search bar on the home page. we are going to leave it here for the senate armed services subcommittee on cybersecurity and the defense department roll in fighting hackers who try to influence the u.s. election process. expect to hear about the vulnerabilities in the system during the 2016 elections and russian efforts to hack political institutions and manipulate social media. hearing should be starting shortly. the ranking member bill nelson of florida.

good afternoon. this cybersecurity subcommittee meets this afternoon to receive testimony on the department of defenses role in protecting the u.s. election process. the witnesses are mr. bob butler, cofounder and managing director of cyber strategies, llc. adjunct senior fellow at the center of new america operations for acom. heather conley the senior vice president for europe, you're asia and the arctic and director of the europe program at the center for strategic and international studies, dr. richard hartnet ahead of political science at the university of cincinnati an a former scholar and residence at u.s. cyber command and the national security agency and dr. michael sum wrryer, at the harv

kennedy school. at the conclusion of ranking member nelson's comments, we will have a round of questions and answers. there is no dispute about what russia did during the 2016 election cycle. there is clear evidence that russia attempted to undermine our democratic process through the hacking of independent political entities, manipulation of social media and use of propaganda venues such as russia today. evidence to date indicates that no polls or state election systems were manipulated to change theout come of the vote, however there was evidence of russian probing of certain election systems in 21 states. the department of defense has a critical role to play in challenging and influencing the mind set of our cyber adversaries and defending the homeland from attacks. attacks that could include cyberattacks by other nations against our election infrastructure. we look forward to the department approaching these issues with a heightened sense of urgency.

the threat is not going away. just a couple weeks ago the director of the central intelligence agency warned that russia will seek to influence the upcoming midterm elections. the white house national security adviser stated mexican -- or that the mexican presidential campaign as well. this is all in addition to russia attempts to influence the elections in france and germany last year. each of us on this panel has been quite vocal about the need for a strategy that seizes the strategic high ground. whether you call it deterrence or something else, we need a strategy that moves out of the trenches. the lack of consequences for the countless attacks over the past decade has emboldened our adversaries and left us vulnerable to emboldened behavior. the attacks we experienced during the 2016 election are just the latest rung on that escalation ladder.

as long as our adversaries feel they can act with impunity they will press further. our witnesses offer unique perspectives on the challenges we face. we look to them to help us understand why our posture of restraint has not worked. if we can reverse the damage already done, and what will take to develop and implement a strategy that limits our exposeure and causes cost on malicious behavior. we invited dr. richard harknet to explain his -- limits our ability to confront challenges we face. our adversaries actively exploit us because they see great benefit and little consequence in doing so. i agree with dr. harknet that the cold war models of deterrence weren't work and look forward to hearing what he think will work. dr. sumyer, we understand that he's working on a paper

addressing some of the challenges we examined during our full committee hearings in october on the whole of government approach to cybersecurity. we look forward to hearing more from dr. sul meyer on the gaps and seams he sees in organizational model and what lessons we can learn from allies like the british. ms. heather conley provides expertise in russian politics and foreign policies. russia has yet to face serious consequences in the cyber or other domains for its 2016 elections interference. we look forward to ms. conley's testimony on how the united states can tailer and implement these penalties and how the department can best deter or dissuade further russian election metling. we look for to the testimony of bob butler who brings extensive cybersecurity in the department of defense and private sector. mr. butler has been involved in numerous studies including the recent defense science board task force on cyber deterrence. let me close by thanking our witnesses for their willingness

to appear today before our subcommittee. senator nelson? >> thank you, mr. chairman. first of all, i want to make sure that since this is a hearing on elections that everybody understands that this senator feels that this is about the foundation of our democracy and that we as a government ought to be doing more to defend ourselves. and the second thing i want to make sure everybody understands is, this is not a partisan issue. this can happen to either party or the nonparty candidates as well. and it ought to be all hands on

deck. the chairman and i in public and in closed meetings, because of the clearance, we have been quite disturbed about wondering if we are doing as much as we should as a government to protect ourselves. so in a recent closed hearing of this subcommittee, the department of defense demonstrated that it's not taking appropriate steps to defend against and deter this threat to our democracy. so mr. chairman, i join you in welcoming these witnesses and hope that some practical suggestions are going to come out.

i want to mention just a few things. first, the department had cyber forces designed and trained to thwart attacks on our country through cyber space and that's why we created the cyber command's national mission teams. a member of this subcommittee, senator blumenthal, senator shaheen, we all wrote to the secretary of defense last week that they, the department, ought to be assigned to identify russian operators responsible for the hacking, stealing information, planning misinformation and spreading it through all the bot nets and fake accounts on social media. they ought to do that. that's the cyber command knows

who that is. and then, we ought to use our cyber forces to disrupt this activity. we aren't. we should also be informing the social media companies of russia's fake accounts and other activities that violate those companies' terms of service so that they can be shut down. second, i would ask us to look at that as the department's own defense size board task force on cyber deterrence concluded last year, we ought to show mr. putin that two can play in this game. we ought to consider information operations of our own to deter

mr. putin like exposing his wealth and that of his oligarchs. third, i would suggest the department should ensure that it's active and reserved components cyber units are prepared to assist the department of homeland security and the governors to defend our election infrastructure. not just after the attack but proactively before and during the russian attacks. fourth, i would suggest that the dep must integrate capabilities and planning to cyber warfare and information warfare to conduct information warfare through cyber space as last year's defense bill mandated.

our adversaries recognize the importance of this kind of integration but today cyber warfare and information warfare are separated in the department of defense it involve multiple organizations. and fifth, i would recommend as one of our witnesses i think will testify today, the department must help develop an effective whole of government response to russia's strategic information operation through things like a joint interagency task force and effusion center. our colleagues on the foreign relations committee have proposed something similar. the threats not going away. it's likely to intensify and as our intelligence community has been warning and as dni coats

has just testified to the senate intelligence committee, that threat is not going away. so the 2018 elections are upon us. we cannot sit idly buy and watch this happen again. thank you, mr. chairman. >> thank you and welcome to all of our panelists here today, our witnesses. we'd ask that, first of all, you limit your opening remarks to five minutes but your entire statements will be made a part of the record. we like to begin with mr. butler. >> thank you, mr. chairman. ranking member nelson and distinguished members of the cyber subcommittee. it's a privilege to be here. thank you for the invitation. my views really represent my views and not that of any particular organization. i'll just quickly hit the highlights of my written statement, they track very closely with a lot of the opening comments. my comments are really focused around my assessment of the threat in the electoral processes after interviewing a

few different states. secondly, recommendations to the federal government partner with the whole of america campaign and thirdly what this subcommittee can do going forward. i've been watching the russian influence operations threat for some time in uniform and out of uniform and our ability to counter russian influence operations is not only a function of what we know about the threat but our willingness and ability to address that threat. as i've looked at the election infrastructure in a few states we've learned from 2016 and what is our known vulnerabilities have been remediated. whether you look at the voting registration systems or the election infrastructure proper. however, the states do not know how to address the disinformation campaign. that is a struggle and the threat still remains very, very high. my perspective looking at this particular threat, what we're talking about today is one line of operation within what i think has to be addressed through a

national security counsel led task force. a whole of america campaign, not too much dissimilar from the nctc but with a strong empowered private sector element. again, i go back to the idea of a whole of america process. two key components inside of this, one is the idea of having an element that's focused on strengthening states infrastructure and hardening american citizens, deterrence by denial some would say. a second component focused on cost and position, from bot net disruptions to other kinds of sanctioning activities, importantly reinforce multilateral limit i'm a big component of a cyber stability board, coalition of the of the willing working to ensure the most effective way of doing cost in position. those two components then supported by an integrated fusion center. it provides situational awareness, combined the best of intelligence both in the commercial and from the national security community with law enforcement and active defense

actions. focused on a campaign that is centralized in its planning but decentralized in its execution. from my perspective it really requires both cultural and legislative enablingers. cultural the president must lead and rally the nation. there's opportunities already this week that can be used to help with that. the infrastructure proposals a great example. i don't see anything about resilience in the infrastructure proposal. we should have a way of norpg, especially as we're building new infrastructure, methods and strategies and incentives for strengthening the infrastructure here in this country. additional, we need to leverage the best of u.s. competencies across america. defense is excellent. u.s. intelligence agency combined with web scale companies do a great job. web scale companies are very good and growing in their ability to rapidly identify disinformation campaigns and response.

and we need -- will need some help from the legislative side. specifically for dod, five recommendations that track very closely with what senator nelson was talking about. i think the-to-jump start this sponsored task nelson was talking about. i think to jump-start this nsc-sponsored task force, we should coordinate with the secretary of defense to immediately stand up and a joint interagency task force. inside of that again, empowered private sector players. we typically don't think about that, but this really is something where we need to work together in a public/private partnership. we need to make arrangements with state and local officials through dhs and the national guard bureau. second recommendation is to the ngb and working with the national guard bureau to really not only inventory what we have on cyber units and information operations units, but to begin to scale them to help the states and to help us as we think about incident response in general.

i think they could be aligned with fema regions. i think they could be aligned in a lot of different way, but we need to first get organized. the third is to actually have a session where we discuss courses of action. that would have to be a closed session, but i think that's where the request for authority, new authorities' request for new resources come out and it gets to the point of not only looking at offensive actions, but defensively what we're in store for as we begin to move offensively and what we're going to do from a continuity of government and continuity of business perspective. the last two relate to senator nelson's comments with regards to the dsp tank forcsk force. i think we should continue to push with the task force recommendations and i would advocate that this committee should have its own campaign of exercises to help it understand where the adversary is going and to be able to advance ideas with regards to looking at threat and countermeasures. i stand ready to answer any questions that you have.

>> thank you, mr. butler. miss conley? >> thank you so much, chairman. ranking member senator nelson and esteemed colleagues. thank you for this very timely opportunity to speak to you this afternoon and what a timely moment as u.s. intelligence agencies have now assessed that russia will continue to make bold and more disruptive cyber operations focused on the midterm elections. cia director mike pompeo also stated publicly that he fully expects russia will attempt to disrupt the u.s. midterm election. so we know they are doing it and will do it, but we as a nation are not prepared to effectively combat what i believe is an intensifying disinformation operation, an influence operation. i'm a bit of a contrarian on this panel. i'm not a cybersecurity expert, but what i am most concerned about is that we have nine months and the american people are not educated as to what is

going to happen to them and that's where i think our focus must lie. i'm less concerned about the mindset of president putin. i know his mindset. i'm more concerned about the mindset of the american people as we head towards this election. you asked us what role dod could play to protect the u.s. elections, and i think simply dod, working with congress, has got to demand a whole of government strategy to fight against this the enduring disinformation and influence operation. we don't have a national strategy. unfortunately, modernizing our nuclear forces will not stop a russian influence operation. that's where we are missing a grave threat that exists in the american people's palm of their hand and on their computer screens. it is vital that we start talking publicly about this threat and educating the american people on a bipartisan basis. tragically, the russian campaign has already deeply polarized our

country which only serves the kremlin's interest as one of the most trusted institutions in the united states, the department of defense must leverage that trust with the american people to mitigate russian influence. simply put, the department of defense has to model the bipartisan and fact-based action and behavior and awareness that will help reduce societal division. this is about leadership and it's about protecting the united states and as far as i can see, that is in the department of the defense job description. so a good place to begin is using dod's extensive employee and military networks to provide timely policy guidance and statements about the threat that russian influence operation poses to election security. secretary mattis and general dunnford should provide public outreach to the threat and how to counter it. perhaps they should think about forming public service announcements and european governments have been very effective in warning their publics about the danger of

russian disinformation. france and germany were very strong on that, but you have to put the message out and we have not. i offered one suggestion, my written testimony to look at how we can leverage the national guard bureau looking closely with state and local leaders in cooperation with the department of homeland security to enhance cybersecurity awareness and be able to detect patterns of inthere youence. for example, if hacked e-mail surfaced online in conjunction with the false rumors about potential electoral candidates. we need to start talking about this. another instrument is the state partnership program. the national guard has partnered with the lithuanian military and the estonian military and they can bring back to their states information about how russian influence works. we are speaking today about protecting the homeland from continuous disinformation attacks which alter how the average american thinks about their system of governance and their government, and what the

american people may end up thinking is that everyone is lying, everything is fake and there is nothing that can be trusted and then even the most trusted of american institutions, the defense department, the justice department, the fbi, the department of homeland security, the office of the president will mean very little to the american people, and this is exactly how you break the internal coherence of the enemy system according to russian military doctrine, and unfortunately today, we are doing this most of this to ourselves without assistance from the kremlin. this is a matter of urgency. we have nine months and we need to educate the american people in addition to enhancing, of course, our cybersecurity protections, but as the french disinformation attacks showed what many of the organizations it looked like this information was coming from, it was coming from american organizations. this is designed to be hidden. it adapts. we have to educate the american people about what they are going

to confront on the november elections. thank you. >> thank you, miss conley. dr. hartpit? >> chairman rounds, ranking number nelson, distinguished members. thank you for the opportunity to speak to you about this critical issue today. we have a big picture problem. throughout international political history states have, at times, miss aligned their security approaches to the strategic realities in which they tried to secure themselves. in 1914, every general staff in europe thought that security rested on the offense, and they found how devastatingly in world war i that they were tragically wrong. france in the 1930s said okay, we learned from the last war. it's a defense-dominant environment and we'll rest our security on the most technologically defensive works in history and again, the fundamentals have changed and the germans simply went around the line. senators, with all due respect,

i do not want to be france in the 1930s, but i think we are coming dangerously close it to that my oppia and the misalignment of strategy. our adversaries are working through a new seam in international politics. >> cyberspace is that seam. its unique characteristic have created a strategic environment without having to violate traditional territorial integrity through war. what we've been witnessing are not hacks. they're not thefts. it's not simple espionage. what we must accept is the fact that we are facing comprehensive, strategic campaigns to undermine our national sources of power be they economic, social, political or military and so, therefore, i agree, we must develop a counter strategic campaign to protect those sources that have a more security, stable, interoperable

and global cyberspace. with the regard to the integrity of our elections, we've effectively left civilians whose main focus is not security on the front lines. that is not a recipe for success. specific to the department of defense role of creating better security in, through and from cyberspace, we must adopt a cyber persistence in which our objective is to seize and maintain the initiative. we must defend forward as close to adversary capacity and planning as possible so that we can watch and inform ourselves, disrupt and disable if necessary. our immediate objective must be to first erode the confidence adversaries now have in their ability to achieve and enable objectives. they are very confident. second, we have to erode their confidence in their own capabilities and third, we must erode those capabilities themselves. >> we are well past the post on

this. we need a comprehensive, seamless, integrated strategy that pulls together greater resiliency, forward defense and when necessary countering and testing cyber activity to reverse current behavior. we are not at step one. we are well past that. we actually have to reverse behavior. our security will rest on our ability to simultaneously anticipate how adversaries will exploit our vulnerabilities how we can exploit theirs. cyberspace is an interconnect the form of constant contact that creates an imperative for us to persist. this is a wrestling match in which we have to grapple with who actually has the initiative. being one step ahead in both knowledge and in action. if we do not adjust to this reality our national source of power will remain exposed and more of those who wish to contest our power will pour into this seam. i therefore, argue that we must

make three critical adjustments and the first is we have to adjust our overall strategic perspective. war and territorial aggression which can effectively be deterred are not the only pathways for undermining our national sources of power. in fact, because we have this effective strategic deterrent, we should expect our adversaries to be in the strategic behavior below the threshold of war. ? second, we must move the cyber capability out of their garrisons and adopt a strategy that matches the operation allen viernment of cyberspace. we must meet the challenge of an interconnected domain with a strategy that continuously seeks tactical, operational and strategic initiative. third, we must make the fundamental alterations to capability development, operational tempo and decision making processes and most importantly, as bob referred to, overall authorities that will enable our forces to be

successful. we cannot succeed using authorities that assume territoriality and segmentation in an environment of interconnectedness constant contact and initiative systems. we cannot secure an environment of constant action through inaction. strategic effect in cyberspace comes from the use of capabilities than having the initiative over one's adversaries. it is time for us to seize that initiative. i look forward in explaining in more detail how we can pursue security during our q and a. >> thank you, dr. hartnet. dr. sillmeier. >> ranking member nelson and distinguished subcommittee, it is an honor to be here today. i would like to note that i am part of a team at the kennedy school's bellfor center that released a report a couple of hours ago. it's a playbook for state and local election administrators and it's got steps they can take

to improve the cybersecurity of systems that they administer. it's based on field research by a wonderful research team, many, many students contributed. i'm very lucky to have one of the wonderful students here. karina has joined us. regardless of the role of the department of defense, these defensive improvements are essential and i want to make sure i hit that right up front. those recommendations that we put out today compliment the playbook for the political campaigns to improve their cybersecurity. it's essential that we make our elections harder to hack and that we improve resiliency in case critical systems are compromised. but we should also consider how best to counter threats abroad before they hit us at home. so let me transition to how i see some potential roles for the military outside of the united states to protect our elections. there are two necessary conditions of posture that i see as critical, reconnaissance posture and force posture. first, reconnaissance posture.

our cyber mission forces should constantly conduct reconnaissance mission abroad to discover election-related threats to the united states and provide indicators and warnings to our forces and decisionmakers. there will never be suspect resources to address all threats equally and prioritizing threats to our democratic processes is critical. otherwise we cannot hope to disrupt these threats on forced posture, our forces must be sufficiently ready to strike and strike against targets abroad that threaten our elections. readiness is a critical issue for our armed forces today and i would encourage senators on the sub committee to ensure they're asking tough questions about the readiness of our cyber forces just as they would about any other part of our military. if the military's reconnaissance and forces are postured to focus on threats to our elections from abroad, there are four objectives that i think our forces should be prepared to pursue.

it should go without saying that undertaking these actions should be consistent with international law and other relevant u.s. comm commitments. those objectives are preventing attacks from aprilizing. second, preempting imminent attacks. third, halting attacks in progress and fourth, retaliating if necessary after an attack. on the fourth, let me just note i would emphasize that had retaliation needs to be timely. it's got to be timely. the more time that elapses after an adversary's attack the harder it will be that our action is in direct response. across those objective, proper training, thorough rehearsals and coordination with other parts of our government are essential. bringing military capabilities to bear inside and outside of cyberspace is always a serious matter so it's critical to ensure that rules of engagement and questions about authorities are settled well in advance of any order to strike.

here, i would note that some of our closest allies like the united kingdom and israel have undertaken some national level organizational reforms to streamline responsibilities for cyber issues and we may at some point want to consider something similar here. one of the best cyber-related investments the nation has made is in the national mission force an elite group of network operators at cyber command. they defend the nation from an attack of significant consequence in cyberspace. i think it is very much worth conditioning what role the nfk to describe the objectives just now. >> i have not dus discussed deterrence much. i tonight get me wrong, however i would not like to bet if i didn't have to. sometimes the pros pekt of defending againstis in ils deterrence is the least bad

option. that's not the case in cybersecurity. we have other options like the ones i described just now and we should employ them alongside strong policies of deterrence. finally, i would just note that information derived abroad from reconnaissance should be shared with relevant parties at the state and local level. i want to commend the department of homeland security for working hard to promote information sharing over the last few years and i would also like to encourage more thinking especially among my colleagues in academia to help congress protect itself since congress is so critical as a part of our democratic process not just work accounts, but also campaign accounts, personal accounts and these can't be left vulnerable. that concludes my prepared testimony and i look forward to taking your question. >> thank you. let me thank all of you for some great insight and i look forward to your thoughts in terms of the questions that we ask. what i'd like to do is to do what we call five-minute rounds here. we'll alternate back and forth

and after we've done that once through if we have time i would go back through and do a second round depending on the amount of time that we have and whether or not other members come. let me begin with mine. i'll start with dr. hartnett. you've written that restraint and reactive postures are not sustainable, that the united states needs a strategy that capitalizes on the unique attributes of the cyber domain. you called for a strategy of cyber persistence where we are constantly engaged with adversaries seeking to frustrate, confuse and challenge. how would your strategy calling for persistent engagement apply in the russian meddling with our election as an example and should this involve us contesting the malicious behavior at its source and what do you believe are the consequences of our failure to response to the russian election interference? number one, we've got to be able to provide attribution to where

it's coming from and hopefully we've got that completed, but give me your thoughts on it. what would you say is an example of persistent engagement with regard to what wooe doe've done already and what they expect them to do? [ inaudible ] >> there we go. is it on? >> thank you. so let's think about the internet research agency, right? i mean, we know about this center in st. petersburg. we know that it controls a series of automated bots that are driving particularly well-conceived information operations that are meant to be divisive. right? i don't know why we are according first amendment rights to bot, right? it's not a free speech issue.

if we have evidence of foreign manipulation, technical manipulation of the social media space that's not what the american people, you know, from an educated standpoint actually understand is coming at them, right? they think that this is a maj majoritarian. but if that trend is being driven by foreign automated intrusion that is not an issue over free speech. that's an issue of a direct foreign manipulation and so we need, i agree with dr. sillmeyer, right? we need to have the reconnaissance to your point about attribution, right? that's what persistence enables you to do to start to get better at attribution, but we need to be able to move at the speed of relevance. so if, in fact, the bots are hitting us in a particular trend

that is meant to be divisive, we should be able to have the capacity to at least disrupt if not disable that capacity. we do know where some of these capacities lie by being persistent in our reconnaissance, we will get a better understanding of what our vulnerability surface is. we have to think about it that way. we tend to think about an attack surface. that's from their perspective. we have to get a better handle on what our vulnerability surface is and by being able to understand what our vulnerabilities are and again, a product of being persistent in this case, we can start to take those capabilities away. >> dr. sillmeyer, do you agree with that? >> i do. i agree with a vast majority of what my colleague dr. hartnett just said. for me, even just to get a little more specific, the kinds of options that i would want to be seeing presented, right, need

to allow decision makers some flexibility from lower level actions like denying troll farm access to compromised infrastructure, deleting some accounts to erasing some systems if it comes to it. it's too important to take options off the table ahead of time. so as long as the options space is kept open we can do it persistently or less persistently, but a wide range of options. >> mr. butler, your thoughts? >> i agree with both michael and richard on this. i would say that we need to be asymmetrical in our response. i'm a big believer in bot net instructions as we saw with levishov and that's a symmetrical response. if you look at the research agency in st. petersburg, they're a couple to the kremlin and the counter influence cam camp where you begin to cut the funding and cut the support enablers behind that infrastructure.

so we fleneed to think about ths differently. it shouldn't be cyber on cyber and social media on social media. it's got to be a broader campaign. >> miss conley? >> i agree with the asymmetrical response and while trying to bring down the infrastructure of those -- of those bots, what they are doing though, russia exploits the weaknesses that it finds. so it is amplifying the weaknesses and division that are already appearing on social media. so how do we try to reduce the weaknesses? and this, again, gets back to the critical importance of exactly what this committee represent, the bipartisanship, fact based and getting to communities through a variety of methods to help inform the american people. so when they see a trending site let's look at that. what's underneath that. the only way we can stop this from changing hearts and minds from the american people is

helping them discern what is coming. we can do everything we can technologically to eliminate it, but the other part is just missing. we are not educating. on the asymmetrical sanctions, my frustration, and i am sure many on thisi committee, as wel. >> i'll ask you to shorten it up because my time has expired. >> sorry about that, is to think about ways that we can focus on the kremlin, on financial sanctions, on sanctioning the inner circle as once attributable back to that. so not just in the cyber domain. focusing on financial sanctions and individual sanctions, that could be very powerful, as well. >> thank you. senator nelson? >> so all of you sound like that you just don't think enough has been done and that we're not ready and dr. hartnett, you have said that 2016 was the stone age

compared to what's going to happen so you want to trace what you think will happen? >> i think one of the things back to the chairman's question about one of the lingering effects is, again, we have adversaries who are confident. so even if there are other actors aside from russia who will look at this space and say this is a space that i can play in and i can work in. until we start to reverse that confidence, we're going to see greater experimentation. technologically, i'll give you one example, senator. my concern with regard to leveraging artificial intelligence and machine learning. this will be a step function, thus my stone age aleutian, a step function from where we are. we are going to within the next 16 months, i'm going to be able to take you and put you in a

video in which you are saying something that you never said in a place that you've never been, and you are not going to be able to authent kate thicate that yo not done that or been there. just think about that as a tool for someone, an adversary who wants to engage in disruptive social cohesion types of information campaigns. >> right. >> that's around the corner. >> so miss conley, given that, you've already said that you don't think we've taken any positive, proactive steps. why do you think that's the case? >> i think the executive branch refuses to recognize the threat and it refuses to put forward a national whole of government and whole of society strategy and bring all of the agencies and tools of influence to bear on this. we have to think of this as a direct threat to the national

security of this country. it has to receive the priority. i would also, just to focus what dr. hartnett said, this is adaptation. if we're preparing for what russia did in 2016 it would be very different in november. it would be very different in 2020. it would look more american. it would look less russian and this is adaptation. we're already fighting the next war and ahead of the new one which is why i think education is so critical, but absent a u.s. government approach we will all have to do our part in our communities to inform the people of the american threat and it's unfortunate that we can't do this in a unified way. >> so if we can't get the government to move, are there any private initiatives that would help? >> what i'm seeing is some very effective news literacy campaigns. i think again, new sources and social media are doing fact checking. the pressure that congress has

brought to bear on the social media companies is changing their perspective, but again, we are so late to need. this has been oning about and this campaign is only intensifying and we're just getting our arms wrapped around this. this is where every member of congress has to return to their home district and talk about this in very clear ways. ? amen to that. >> dr. hartnett, on the example that you gave of the next level of technology of which something can be created that looks real, acts real, feels real, et cetera, if cyber command were to adopt your thinking knowing what the threat is in what way would you suggest they change the way they're doing their operations? >> i think it's very important to expand this notion of

defending forward. this notion that we need to be as close to the source of the adver adversarial capability and decision making as possible. this is not a space in which time and geography is leverageable for defense. so when we think about the notion of front lines and the front lines are everybody, right? rate now our general approach has been to defend at our border and our network which actually means that we start defending after the first breach and we are already playing catch-up. so i confer with the notion of adaptability here and it's all about anticipation. so when bob butler talks about asymmetric, right? that's what i would talk about in terms of being able to be one step ahead, right? we have to be able to anticipate

the exploitation of our vulnerabilities you need to be able to be defending as far forward as possible and in space, we defend forward. we are not defending forward right now. >> okay. thank you. >> senator gillibrand? >> thanks to all of you for your testimony. i agree with a lot of it, professor hartnett, i appreciate your effort to redefine the space and operating in it. rather than attack the election infrastructure and treat it like an attack, as you said, but because of the way we set up the cyber capabilities and we have done with good reasons including privacy and state's rights and it seems the dod is hamstrung on trying to have an attack on our democracy. i've asked this many times and they've said it's not our job. so you argue that we need to

consider authorities that we allow dod and dhs for the intelligence community to employ the cyber persistence and recommend the rallies? can you expand on what kind offa authorities we might be considering from our allies. i've put this to the department of defense in any setting we've had in every conversation about cyber and it's a state's rights issue and it's not our job and i cannot for the life of me cannot see why we don't see that as our job. if they would have bombed we would have responded with the military and it seems off-putting to me. the response is often that's homeland security's job. they can call us if they need us, but they haven't. i understand why that's probably not the case because a lot of secretaries of state in a lot of states think it's their job and not anyone else's job and they don't want to relinquish that

control and i would like your suggestions on how to right the authorities that we think are necessary and also, i've really tried to the push the national guard as a possible place where this can be done because the national guard already serves the states and they're already under the control of the governors, so why not amplify what we're already doing with the national guard and reserve to give them the expertise and cyber and actually delegate this mission specifically to them in conjunction with all of the other assets in the military. so to all of you, you can ask dr. hartnett since you addressed it in the opening remarks about what authorities can we give? how can the national guard be useful and how do we get this done because it's frustrating to me that we're not doing it and a third thing to add to your answer and i coa 9/11 deep dive analysis to the electoral infrastructure and it's a bipartisan bill, whether we ever get a vote on it i will never know, but that would be a great first step in my mind to get the

report and these are the ten things you need to know for infrastructure so maybe comment on those three ideas. >> thank you, senator. you mentioned our allies and he has work in analyzing them and if you look at the uk, for example, and you look at the israelis and look at the australians and their first default in cyberspace is to look at how do we find synergy and not segmentation? our entire approach to this space has been starting with who has divided roles and responsibilities. so i think we have to look -- we can learn something from our allies, and we find synergy rather than segmentation and that should be the policy framework question, right? >> in terms of authorityis and think there's a false debate between 10 and 50 and if i argue for a seamless notion and i am suggesting that we understand

title 10 and title 50 as actually mutually reinforcing and not defined as again segmentating and they segment in congress, and they don't segment in operational space and so we should understand and reinterpret, i would argue those authorities to emphasize where a synergy and where there is seamless reinforcement rather than looking at something that divides and put us into different lanes. in terms of the national guard, i think the cyber protection teams and force type of an approach would be appropriate. we need to get at this, senator, so if that is the best mechanism. there's expertise at that level. mr. butler has talked about leveraging the private sector through national guard as well as reserve and we have a capacity if you look at the

brits they are looking at a cyber civilian reserve force and that's another interesting way of thinking about this. so ultimately, if we need to do a deep dive, i think we do, right? i think we have authorities that are structured for a terrestrial space that does not map to the realities of this human-made interconnected space. authorities are what we should do last. we should figure out what our mission is. we should develop the organizations to pursue those missions and then we should authorize them to do it. i would submit to you that one of the major problems we've face side we've been continuously trying to shoehorn our cyber forces into existing authorities and working backward from the way we should be working. >> i'll turn to bob, as well. senator, i think the national guard is an area that we

absolutely should explore and i mention it in my written testimony, as well as far as education and bringing together dhs and dod ask working with community leaders on the state and local level. on the 9/11 commission, cyber is a critical pillar of this and it transcends it, as well, we need to look at russian economic influence and look at a whole range of not just of russia as the adversary and other adversaries that use cyber disinformation and economic. so please broaden that out. they will find any seam, state, federal, first amendment privacy, that's where they will be and that's why we can't get locked into those seams, bob? >> senator, i take it from two different angles. one is clean sheet everything. what do you want to do and let's refocus the authorities. i, katherine's work here in looking at countermeasures is a great example of that. her legal interpretation of the manual is very different from what most people are saying

these days. the other thing is i'm involved in exercises where i'm blending physical ask cyber together and looking at what we look at physical and cyberspace and i'm working on an activity where we have a natural hazard and a nation state actor manipulating inside of that. how do you get a rolling start in you can use our authority and the military can create a rolling start. we need to leverage. we need to reinterpret and leverage these kinds of things as we go forward. a part of that is the national guard bureau. we can't, we have un9/11ness within the stand up of the national guard activities both in the air and now with the army. we have both cyber and information operations. i think we can create pockets of talent. washington state has a phenomenal security unit and maryland has a fantastic unit where they leverage a lot of nsa expertise and we have units spread around the country and we need to create a construct of

cyber move all assistance across boundaries and state borders and again, i think we can do that. we've just got to sit down and plan together a campaign in that regard. >> while the senator's time has expired, we'll let you expedite the answer. >> we'll go real quick. i support the goodness just said. abroad, i do not believe the kind of activities that i described earlier need new authorities. on the deep dive, i'd say great. the bellfor's center has tried to get a tart on that and we hope we can be a support and there's a part of me that wonders that if by saying cyber the response's help desk and by not describing it in a way by warfare and propaganda and foreign influence we do a disservice to the real problem. thank you. >> senator blumenthal. >> thank you, mr. chairman. i want to thank all of you for being here and i'm familiar with

the work done by the belfour center and thank you for the work done by each of your organizations. i want to first tell you. you probably already know that the immediacy and urgency of this task was reinforced this morning before the senate intelligence committee before dan coats with the director of national intelligence said, quote, there should be no doubt that russia perceives its past efforts and views the 2013 midterm elections as a potential russian influence operations and that statement would be beyond conventional wisdom and it would be unnecessary to stay because it is the consensus of our intelligence community and it has been broadly accepted by everyone, except the president of the united states and in my

view, that's the elephant in the room and the president needs to acknowledge this threat on our national security. so, i put that on the record simply because we can propose all of the great ideas in the world and some very good ideas, as a matter of fact, came from a report done by the senate foreign relations committee and a minority report by my colleague and then ranking member senator cardon called putin's asymmetric assault on russia for u.s. national security made very good proposals and i would be interested to see the belfour center's release today and, in fact, without having seen it, mr. chairman, i ask it be made part of the record. >> without objection. >> i think we need to make progress on gaining acceptance

at the highest levels of the united states government, and let me put it as diplomatically as possible for the proposition that russia attacked our democracy, in my view it committed an act of war. they're going to do it again unless they are made to pay a price for it, and that includes enforcing sanctions passed overwhelmingly by this body. 98-2, still unenforced. so the talk about retaliatory measures in real time, doctor, is very well taken, but why should the russians take us seriously when the president denies the plain reality of their attacking our country and the sanctions that would make them pay a price are still unenforced. all of that said, i want to

raise another topic which i think so far has been untouched. the social media site, facebook, google. let me ask each of you if you can comment on what their responsibleities are and how they are meeting them in this disinformation propaganda campaign using bots and fake accounts which have been appearing on those sites? mr. butler? >> i think, senator, the response, and i have talked with a couple of the web scale companies about this and it's aligning with what we've already seen in the counter terrorism fight and so in that space, what you see is them actively, proactively looking for disinformation and in the case of terrorism, of course, looking for recruitment and i think the challenge is guidance with regards to counter narratives or

alternative narratives in that space. that needs to be done with others, but i think that's where we need to head. they have the ability based on their reach and their fusion engines to really help us move much more quickly into active defense in this space and not just to do it from a cyber perspective, but from an influence, a counter influence perspective which i think is critical. >> miss connelly? >> building on the awareness of what they've done to force the social media companies to take a deep look at this has been helpful. i would suggest to you they think russia will adapt their tools and this will look more and more american which will get more and more into first amendment issues because that is a weakness to exploit here. so what i would commend in the interest of being ahead of the curve and not behind it is we start looking at how social media engines can start

detecting what looks like it's an american origin and that would be the next step i recommend. >> thank you. >> i think we have to move away from a partnership model to be perfectly honest with you. we've been talking about a public, private partnership for 25 years. published about this, 25 years ago, and the problem is that partnerships require shared interest in the beginning of the morning. the private sector has a very specific interest profit making and the state has a very specific interest, security providing. we should recognize and grant that they have a different interest. so we need to move this to an alignment model, right? how do we structure incentives within the marketplace for them to achieve their primary objective which is profit making while producing an effect that

the state requires which is enhanced security. until we start to actually think about how can we shape and incentivize that behavior and recognize that we actually have very different interests in this space, right? i mean, that strava fitness band company a few weeks ago, right? produced a heat map that exposes all of our forward-deployed troops. i would submit to you that nobody at their board meeting when they came up with this really great idea of releasing that heat map and they said, look, even our stuff's in the real dark places and they thought that was really cool. ten years ago the intelligence capacity that a state would have had to have found the forward deployed troops. think about that and this was produced by a fitness company. and they are non-security seeking actors in this space. that's the way we have to think about them. let's meet them on their

grounds, right? and start to get them to align toward the security needs we have. >> thank you. >> briefly, i would just note the interests are not aligned and that is the most essential part and to not treat them all the same. not all of the companies have gone through the same amount of self-reflection. some have not and some have and we should be honest about that and finally, i don't think we should limit this to social media companies and there are a lot of companies up and down the stack and a lot of people on the intern internet who have an interest on this type of work. >> i apologize, mr. chairman, i've gone over my time. >> what i would like to do is another round. let's do one more round so that everyone has an opportunity. we'll make it five minutes, and i would simply say that for those of us on this end that like to go, and i went over, as well. let's phrase it so whatever hits

the five minutes whoever is speaking on it that will be the last one on it and we'll move from there. >> let me begin with this very quickly and we'll look at changing the hats. dual hats and within the cyber community and we have a dual-hatted individual for both title 10 and title 50 operations and so forth. we are looking at separating those into separate items and one side, title ten and title 50, and we've had a lot of discussions over it and we were concerned at first that we would go very, very rapidly and now there's a discussion about whether or not moving in this particular way is quick enough. i just want to know your thoughts about whether or not we're actually approaching the challenges that are facing us in the right way with regard to the organization of government as a whole. i can just very quickly go across and ask each of your thoughts about whether or not we're moving in the right direction as to how we are arranging so that we can respond to these types of threats?

i'll begin with mr. butler. >> my sense is that we're at a point when we have enough of the infrastructure developed to really work within cyber command and we're not as dependent as we once were on the national security agency. i think the other part of this is as we move forward with the influence strategies that we're talking about, we need to have a way of checking and understanding whether it's working and so we need an activity that understands this space that can help cyber command make adjustments along the way. so i support the split and the support where we're trying to go as we move forward. as we take a look at those two elements and we put it into a larger dod and whole of government and whole of america construct, i go back to, you know, what i put in my written statement. i think from my perspective, having been through this both in uniform and doing information and operations campaign planning

and where we are today, we need to get the best of america into this space, right? there is a role for dhs. the fbi is very engaged. there is a role for the department of defense that goes beyond the national guard bureau that ties in with the intelligence community. there is a role for trusted private sector partners in this space. as a matter of fact, you can't do it without them. we have to align. >> miss connelly? >> the organizational structure gets to why we nieed a comprehensive-type 9/11 commission. it falls within the streams of law enforcement, intelligence, defense, education, awareness and that's why we need to a deeper dive just as after 9/11 we restructured ourselves and we need to do that again. >> thank you. dr. hartnett. >> i fully concur that we do the deep dive and i would urge us to reconsider the split of the dual hat, and i know that that is not

the current view. this notion of my litmus test. are you producing more segmentation? there is not one of the allies moving in that direction. >> let me ask a question on that very quickly because one of the items was on the title 50 side and the ns aside they love to be deeply embedded and there is a real concern out there that if they active leave and were persistent that they're constantly being seen and that interrupts their capabilities to be the intelligence gatherers that they are and how do we then allow for that constant and persistent activity if they have the same concern about they'd really rather not be seen and they simply want to be the deep ears for us. so i think having the dual hat enables that kind of determination to be made, right? the sensitivity of both when and where we will make certain

tradeoffs and where that seamlessness -- can be intelligence. >> and it's not working today, is it? >> no. i think it can, but if you look at our adversaries, why are they not worried about capability ands why are they not worried about -- we've had a high and right kind of focus to all of this, both in the recon phase and in the force phase that is in the space. >> i'll move over very quickly because he has been shorted. >> always pick on the harvard guy. i think we're back to different interests and the two different institutions have matured and now they have different missions and different jobs to do and the current structure what you can say for it is efficient decision making because it's one person who makes the decision. i think it's time, though, for too different and for an odd judecation to be made for which

priorities are going to take precedence each time. >> thank you. >> senator nelson? until we evolve into that new structure we are struck with what we have and we set up the commission teams to disrupt the troll farms and the bot nets and the hackers all engaged in attacks in our democracy read elections and we can identify them and the infrastructure they use and we can identify their plans and operations. we can do everything that we can to stop these activities, but if you don't do anything it's not going to happen and until the

existing structure that we have, the secretary of the defense walks into the room and says, boss, and his boss is the commander in chief, until he says, boss, we've got to act nothing's going to get done. so -- are we describing a situation that we are defenseless in this '18 election? >> my sense, sir, is no. my recommendation is in the homeland defense mission of the department of defense. we should stand up and move forward as we begin to move to another level which would be a national security task force,

but in the interim, this come they has jurisdiction and the secretary has prerogatives to set up a jiativ to set up homeland defense and this is a homeland defense issue. >> well, everybody's -- >> i think it's a defend the nation issue. >> i think you're right. and. >> i think this is as clear an attack on the country as if you lobbed a missile or if you lobbed an artillery shell. >> senator blumenthal wanted to ask the question, one of you had stated that it's going to morph into where the attacks are going to look more american. would you expand on that, please? >> senator, that was me and it's

in part from some of the lessons we learned from the french presidential election. the last cyber attack which happened within the last 24 hours of the campaign. it was a combination of both hacked e-mails from macron's campaign as well as made up messages and it was all mixed in between. what we understand and i don't have access to classified briefings from our french colleagues that many of where it looked the source came from from u.s. organizations and some of this is tied into adaptation where they don't want it to look like a russian bot and they don't want it to look like a russian and they wanted to originate from other sources to confuse and make attribution questionable in those last few moments. so my indue igz tells me that the more and more of these attacks will look like they're coming from america.

it will obscure attribution and then people will say this is their first amendment right to say these things and put forward -- and that's the problem. >> how did the french counter that? well, very gratefully the french have a blackout period 24 hours before an election and it is a reflection period and because the french government and intelligence agencies had made very clear, repeatedly and publicly, that this was likely to happen, french media were very responsible. they could not fact check the information in time and it would not move forward and the last major attack was thwarted because both of a law and also a lot of french proactive steps to inform their public that this could happen. >> and that was in the last 24 hours before the french election? >> so when it happened it was the presidential election debate

between le pen and macron, in that debate she began to hint that there was information about potentially mr. macron's overseas bank accounts and sort of hinted at this, then about 24 hours later the document release happened, and in that suggested so one could speculate that there was some coordination, but because it hit so late it really did not have the impact, but again, responsible media, government warnings and the reflection period all prevented something that if it had happened 72 hours before it may have had a different impact on that election. >> senator jill brand? you said that they had ways to prevent it from happening, is that true? >> the reports were about campaigns and state and local

officials can take based on field research about what they found was vulnerable and techniques that happened in the past and ways to shore up those defenses and it's not going to be that kind of a deep dive. >> have you distributed that to the 50 states? >> believe so, yes. >> have you gottent commen comm response back? >> it went back. >> i would like you to brief this committee on what the responses are after the outreach to different states and a copy of the report for all committee members so that we have our own first draft of what our own 9/11 deep dive might ultimately look like because this has to be done and it's striking to me that there's no sense of urgency by this administration. it's absolutely crazy as far as i'm concerned and so i want to work towards elevating this issue and your work will help us do that. dr. hartnett, you mentioned in your comments that bots don't

have free speech rights. i couldn't agree with you more. so what kind of legislation do you think we could write or could be written to say we expect these platforms whether it's facebook or twitter or instagram or any other online community to not sell its technology to fake entities who are posing as real people and the reason i say that is it's simple fraud as far as i'm concerned because you're doing it for the purpose of changing someone's mind and distracting them and giving them false information and i believe it should be illegal under the same analysis that we have fraud statutes. how would you go about trying to take away those free speech rights that are given to non-entities today? >> thank you, senator. so i'm not a lawyer, but i would build on what you just said. i think the notion of our

default to fraud, right? so if, in fact, what you are trying to sell is trend, right? if that is the operative thing, that should be human behavior. and so we have to think through -- this is very tricky, right? but legislatively we have to separate out human behavior from automated behavior, right? and automated behavior can be classified as falsification of trending. you know, if you want to caps e capsulate it in that fashion. the space is not just -- it is not smart marketing, it's manipulation and therefore should be out of bounds. can i make one quick comment on your deep dive? >> yeah. >> i look at one other example.

the eisenhower exercises in the 1950s. president eisenhower says, what is our macro grand strategy. set up three competing teams to come up with what the stret ji should look like. it is an interesting alternative approach, but we get at the same sort of things we look at. >> like a national competition? >> they actually specify, he brought together three very specific groups of experts. they were given access to classify information but they worked as independent teams. then they were brought together knock heads over what the best route to a grand strategy looks like. we do not have a cyber grand strategy. and we do not have a grand strategy for cyber space. i can tell you the chinese do. they've announced it. they are going to be the number one ai country by 2030. we need to start to think in

those grand strategic terms. >> senator? >> i will build on this. you have elements in this particular legislation which gets to, you know, what we want on-line plat forms to do. they can identify structure and are beginning to identify infrastructure that has origin in elements that are nefarious. so i think i would add to that as one way of kind of tackling this issue. the second point i want to disagree too strongly with my colleagues here, but i have worked in the private sector and i've worked in the public sector side. i know that there are models that can work to align incentives. enduring security framework is a good example of that. we had it work before when you show a private sector and national security government elements working together, a threat of this magnitude, and you provide some type of limited liability protection, you can get there.

it took us a long time with facebook, twitter and microsoft to get to pulling terrorists data offline. but they are doing it now. my sense is, the sooner we get into this process, with creating an alignment of not only incentives but understanding of the problem, and again it is not with everyone. it is with folks who can do things on scale and really help us as a nation. >> thank you. thank you, mr. chairman. >> thank you, senator gillibrand. first of all, thank you very much for all of the witnesses for your time. you spent an hour and a half with us today. it has been greatly appreciated. i suspect we will speak again in the future as we learn more about the challenges and threats that face our country. it is not going to get better, it is going to get worse. we all recognize that. our challenge is to make sure we have the right long-term strategies and that they are properly implemented. as such, i think we've got a lot of work to do. with that, once again, thank

you. thank you for the participation of our members here today. and at this time, this subcommittee meeting is adjourned.