Cybersecurity Threats, C-SPAN, November 24, 2014, 2:06am-3:17am EST
2:06 am
to call beijing to account. the u.s. companies feared the chinese government would punish them with crushing cyberattacks for having that public debate. after we opened that debate here and called china out, we were able to have an honest conversation with the american people about the cost of this chinese campaign and what needs to be done about it. china's economic cyber espionage certainly has not diminished in that time. in fact, it has grown exponentially in terms of volume and damage done to our economic future. chinese intelligence services have little fear because we have no practical deterrence to that threat. this problem is not going away until that changes. china's economic cyber espionage is not the only threat we face now. iran launched very challenging attacks on our financial networks in 2012. the tactic is
2:07 am
not new and not the most sophisticated of attacks. the scale and speed at which this happened was unprecedented and made the attacks very difficult to defend against. a sophisticated virus also wiped out more than 30,000 computers at a saudi arabian state oil company. there has been a lot of talk over the years about hypothetical dangers and it has become a bit of a cliché in cyber security circles. i would argue that the threat of a catastrophic and damaging cyber attack in the united states is becoming less hypothetical every day. this is a clear example that our adversaries have the intent and capability to launch damaging attacks. moreover, there are growing reports of attempts to breach the networks and industrial control systems of our electric power operators. foreign cyber actors are probing
2:08 am
networks and have gained access to those systems. trojan horse malware that has been attributed to russia has been detected on industrial control software for a wide range of american critical infrastructure systems throughout the country. this can be used to shut down vital infrastructure like oil and gas pipelines, power transmission grids, and water distribution and filtration systems. i am not aware of a case yet where hackers gained access to one of these systems and used it to cause damage to critical american infrastructure, but i would not take much comfort in that. i believe our adversaries have the ability to cause such damage. they lack a strong motive at this moment to conduct such an attack and are deterred only by the fear of retaliation. we cannot count on deterrence if we are already in an adversarial position with a
2:09 am
nation like china or russia. and we cannot count on the fact that less rational actors might also gain access to those critical systems. it is not hard to understand how difficult it would be for the power or water to be shut off. imagine if one of our adversaries was able to shut down american financial transactions. even worse, imagine if a foreign cyber attacker altered or deleted key financial transactions so we could not verify account balances or what companies owe each other from day to day. it certainly would be chaos. most of our critical infrastructure providers are doing their best to secure their networks. if we get attacked by an adversary with the resources and capabilities of a nation like china or russia or iran, it is not a fair fight. the u.s. government has an obligation to help the private sector by sharing threat information about potential attacks before they might happen. i am hoping that this hearing
2:10 am
can help focus members' attention on this issue and the need to pass cyber threat information sharing legislation before the end of 2014 and before a damaging cyber attack against our critical infrastructure. if the senate does not act quickly, both houses of congress will have to start from scratch, moving new bills. this could mean an unnecessary and dangerous delay when we are so close to an agreement that protects privacy and our economy and our national security. admiral, thank you for being here. we will turn it over to the ranking member. >> thank you for having this hearing to let the american people know how serious this cyber threat is. thank you, admiral rogers, for appearing before us today. you have a tremendous job. i know that you have been in six, now seven months, and we are ready to work with you to make sure you get the resources you need to protect our country
2:11 am
from the threats we are talking about. this committee has been sounding the alarm on the cyber threat for years. it has twice led to the house passage of critical cyber legislation. in 2012, we warned of the coming danger as a huge saudi oil company suffered a devastating cyber attack. the virus erased the data on 30,000 of the company's computers, replacing it with a picture of a burning american flag. the threat hit our shores. we continued to warn as cyberattacks hit the united states government computers, including at the department of defense, the u.s. treasury, and it goes on. still, congress did not act. the threat then spread further, to our private networks. target was struck. jpmorgan was hit as well as visa and the bank of america.
2:12 am
in 2012, the department of homeland security responded to 198 cyber incidents across critical infrastructure sectors and of these, 40% were in the energy sector. the energy sector continues to bear the brunt of our country's cyber attacks because hackers recognize that it is our achilles' heel. the effects of an attack would send a shockwave through our economy. remember how a single fallen tree in ohio triggered a blackout for more than 50 million people. think about what a cyber attack could do. it could be catastrophic. attacks hit the state department and the white house. the danger is not leaving. what is the full congress waiting for? thanks to chairman rogers' leadership, the house passed its cyber legislation that would fix a dangerous gap: the inability to share threat information between the public and private sectors.
2:13 am
the private sector owns about 80% of the internet, which makes it difficult for the government to help protect their networks. right now, if your house is broken into, you call 911 and the cops come. if a company gets cyber attacked and billions of dollars gets stolen, which has happened in the united states, they cannot call a cyber 911 line. there is no legislative framework in place to share with the private sector. it is like being able to see hurricane sandy heading up the east coast but not being able to warn anybody that it is coming. that is what our cyber legislation does. it enables this information sharing of cyber threat information. it is the description of the burglar, the trajectory of the coming storm. that is what is being shared, not private information. the senate has its own cyber legislation which is similar to ours.
2:14 am
chairman rogers and i have been working very closely with senator feinstein and senator chambliss on these issues in the senate. we need to move quickly to recognize these issues and pass this legislation. the threat is not going to wait. thank you, admiral rogers. thank you for having this open hearing so we can educate our american citizens on this threat and what we need to do. >> thank you very much. the floor is yours. welcome. good to know that you have not voted anything too significant. >> thank you for the ability to speak on a topic of critical importance today. i will keep my remarks short. i would start by first thanking representative rogers for your time.
2:15 am
this will be the last time, i suspect, i will be testifying with you as committee chairman and i just want to thank you for your leadership on the truly nonpartisan nature that you have created. i think it is a great example for all of us and serves the nation well. as an individual who interacts with your committee on a regular basis, i thank you for that. it makes my job better and easier and, more importantly, gets to better solutions, which we are all about in this room. i would start by highlighting -- i do not think there should be any doubt in anyone's mind that the cyber challenges we are talking about are not theoretical. this is something real. it is impacting our nation and those of our allies and friends every day and is doing it in a meaningful way that is costing us hundreds of millions of dollars. it is leading to a reduced sense of security and it has the
2:16 am
potential to lead to truly significant, almost catastrophic failures if we do not take action. it also highlights to all of us that there is no one single group or party in the sense of whether it be government or the private sector. the challenges here are so broad that the idea that one sector or one individual organization is going to solve this is not realistic. it will take a true partnership between the private sector, the government, and academia to address the challenges we have. what you have done on the legislative side is critically important. we need a legal framework that enables us to rapidly share information machine to machine between the private sector and the government, and do it in a way that provides liability protection for the private sector as well as ensuring concerns about
2:17 am
privacy and civil liberties are addressed. i think we can do that. i think you have done that. i challenge the political consensus to pass that. i leave it up to you. what i try to focus on is, what do i think down the road, what do we need to be doing? in my head, i will talk about that first. the primary role is to make sure we generate insights that aid the private sector as well as government. what is coming at us? how can we get timely, advanced information to help us be in a position to respond? whether that be on the private side or in the government. nsa has a primary role in ensuring its information expertise is available to help both the government and the private sector in
2:18 am
defending their systems and generating standards and approaches to how you defend capability, and ensuring that our expertise is available to help. from the u.s. cyber command perspective, there are three primary missions for us. number one, to defend. i myself, like many people, am responsible for defending the cyber infrastructure of a large global organization. we are taking serious steps in the department to do that. it never goes as fast as you would like, but i am comfortable about the rate of progress we have made to do that. the other thing we are trying to do at u.s. cyber command is generating the cyber mission force, if you will, the men and women who will be addressing the department's cyber needs, and be prepared to provide dod capability to defend
2:19 am
critical u.s. infrastructure. as you are aware, the u.s. government has designated 16 segments within the private sector as being of critical significance to the nation's security. think water, power, aviation, financial. cyber command is tasked to provide the capability to defend that infrastructure. we continue to move along in that journey. we are about halfway through. we have about four years to generate that capability; we are about halfway through that journey in time, 40% in terms of actual generation of the force to date. it is progressing well. we continue to learn insightful lessons as we continue through this. i always remind people, this will be an iterative journey. we are all trying to learn here. cyber is an environment and a mission set that continues to change.
2:20 am
with that, i think i will answer any questions that you have in mind. >> thank you. mr. connolly. >> thank you, admiral. your last comment was the question i had written down to ask you. your difference between recruiting and retaining the folks needed. this skill set, in the colloquial wisdom, does not look like a short-haircut, white, navy uniform person. how do you find the folks with the mindset to be able to do these kinds of specific technical things and also have the mindset to be a good sailor, for example? >> thank you, sir. a couple of comments. first, the workforce will be composed of both military and
2:21 am
civilian. we use the opportunity to have a broad swath of individuals. if you come out today, you will see people with long ponytails, t-shirts, jeans, a very casual, different approach to doing things as opposed to what the military force looks like. that is one of the advantages of the military. there is a civilian component to the workforce. we can get a broad reach of capabilities and backgrounds. they do not all have to meet military requirements in terms of physical fitness, standards of uniform, other things. when i started working in cyber in the department, my number one concern was how are we going to be able to recruit and retain the men and women we need to execute this mission within the constraints we had in the department? as commander of the united states cyber command, i have been pleasantly surprised. both the men and women in
2:22 am
uniform and the civilian element. >> i understand the nsa has that blend. but cyber command itself, do you have a blend as well? >> the ratios are different. at u.s. cyber command, we are probably 80% military. >> is there a pay differential between the two workforces? >> i have never heard that issue raised. >> on retention, at angelo state university in texas, we have a great cyber training facility as well as an air force base. we spend a lot of money training, giving these kids tools that are valuable in the private sector.
2:23 am
what are the retention issues you are dealing with? >> retention has exceeded expectations. that is largely due to the fact -- and it is not unique to cyber. you can look at almost any military set. we are not going to compete on the basis of pay. we will attract people who are attracted to the ethos and culture, this idea of serving something bigger than yourself. we attract people who like the idea of service to the nation as a core part of what they do. we will attract people who are attracted to the idea of, you are doing something that matters to this nation and to defend this nation. we let you do some really neat things. we are also attracting and retaining people on the basis of, in our culture and our model, we will give you responsibility at a pretty junior or young age. that seems to have really resonated with the hundreds of civilians in our workforce.
2:24 am
>> i asked this question at goodfellow. they know how to do it really well. it is clear that when they leave, they will take it back with them to the private sector. is there an ethics element to the cyber-trained folks? the constant reminding that we are giving you tools. >> ethics is clearly a part of what we do as a force, as an organization. it is the same challenge when we provide military members sniper training. you remind them that you are given this capability, we give you this training under a mission; it is not legal or appropriate to use this otherwise. we do the same thing in the cyber missions. >> thank you. appreciate your work.
2:25 am
>> thank you for being with us. we heard last week from general cartwright what needs to be done to set international norms, something analogous to war, with cyber. could you give us a few minutes to give us a sense of what some of the key principles might be for those international norms? in the absence of such agreements or norms, it may take a catastrophe or a retaliation to a catastrophe to force people to the table. could you give us a sense of what those norms would look like and how we can help catalyze that agreement around the world? >> i would strongly encourage -- we have got to develop a set of norms and principles for behaviors in the
2:26 am
space. absent that kind of thing, being totally on the defensive is a losing strategy to me. it will cost a significant amount of money. it leads to a much-decreased probability of mission success. it is not a good outcome for us in the long run. as you yourself referenced and representative rogers did in his opening statement, there does not seem to be a sense of risk among nationstates in the behaviors we see in cyber. you can do literally almost anything you want and there is no price to pay for it. that is not a good place for us as a nation, and more broadly, for us internationally, to be in. we are trying to make an argument collectively -- we need to develop a set of norms and behaviors that we can fundamentally agree
2:27 am
with, a starting point for how we are going to be able to act in this environment. i have seen an initial set of points that the white house has developed and shared and raised at a couple of united nations forums. for example, every nationstate should have computer emergency capabilities left alone. you want every nation to have the ability to respond to cyber emergencies. you do not want to take the capability away. we need to define what would be offensive. those are issues we are trying to come to grips with. in the absence of any current definitions or expectations of behaviors, now we are left in a place where we are trying to guess what the intent is or how far things are going to go. that is not a good place for us to be. >> you highlighted one principle, some sort of agreement not to go after nations' emergency
2:28 am
response capability. what else would you suggest? there is a difference between taking down a sovereign, internal i.t. capability and trying to steal a commercial secret. there is some difference. what other variables are you isolating? >> there is discussion about whether we want to put in standards of infrastructure for nationstates. if you are going down that road, that is a step beyond. you are opening yourself up to repercussions. some discussion about nationstate application against the commercial sector as a way to steal intellectual property for state gain. we have argued that that is not what the u.s. -- we do not do that. we argue that is not appropriate for the role of the nationstate. i think that would be among
2:29 am
them. infrastructure. if you looked at going after things that could lead to loss of life, if you looked at going after things that could lead to loss of control as outside the norms of behavior, those are the kinds of things we are having discussions about. how do we build the framework, if you will? >> in the discussion that is happening internationally, do you have confidence that this debate is going to advance? in particular, that we will be able to draw in bad actors like china and iran? or will it take demonstration of capability against them to get them to the table? >> i don't know. i am hoping it is not the latter. clearly, there is ongoing dialogue. what complicates this, people use the nuclear analogy in terms of we were able to --
2:30 am
what we were able to develop over time. the particular analogy is, when we started back in the 1950's and the 1960's, you had the capability, nuclear weapons, controlled purely by nationstates, no individuals or groups. a very small group of nationstates. and really, that is different from the cyber dynamic. we are dealing with nationstates, groups, individuals with capability that is relatively inexpensive and easy to acquire. very unlike the nuclear model. that makes this really problematic. >> thank you. recently, there has been some disclosure of a trojan horse that works in critical infrastructure. can you talk about what the intention may have been?
2:31 am
do you have any attribution to any organization or nationstate that may have been involved? put in context what this means for the national security interest. >> we have seen instances when we are observing intrusions into industrial control systems. that access, that capability can be used by nationstates to take down that capability. while we have not recently seen anyone destroy or be destructive with that capability, we are clearly seeing instances when nationstates, groups, and individuals are aggressively looking at acquiring that capability. what we think we are seeing is reconnaissance by many of those actors in an attempt to make sure they understand our systems so they can then, if they choose, exploit them.
2:32 am
those control systems are fundamental to how we work the infrastructure across our nation. they are foundational to almost every networked aspect of our life, from our water to our power to our financial segment to the aviation industry. they are so foundational to the way we operate complex systems on a national basis. one of the areas where people will often ask me -- so, what are the coming trends that you see? i think the industrial control system piece is a growth area and where we are going to see action in the coming 12 months. it is among the things that concern me the most, that this will be truly destructive if someone decides that is what they want to do. >> it was determined that that malware was on those systems. can you be more definitive in
2:33 am
terms of what that means? if i am on that system and want to do some harm, what does that do? do the lights go out? do we stop pumping water? what does that really mean? the fact that it was there, does that mean they have the capability to flip the switch if they wanted to? >> let me address the last part first. there should not be any doubt in our minds that there are nationstates and groups out there that have the capability to do that, to enter those industrial control systems and shut down or stall our ability to operate our basic infrastructure, whether it is generating power across this nation, moving water and fuel. i will highlight those because those tend to be the focus areas that we have seen. once you are able to do that, it enables you to do things like tell power turbines to go off-line and stop generating
2:34 am
power. if you wanted to segment the transmission system so that you could not distribute the power that was coming out of power stations, this would enable you to do that. it enables you to shut down very segmented, tailored parts of our infrastructure that forestall the ability to provide that service to us as citizens. >> you have determined that nationstates have that capability. >> yes, sir. >> there was a report that referred to chinese -- attributed to the chinese government hackers being on our critical infrastructure systems. is there any other nationstate that you believe has been successful in getting on those systems? >> there are probably one or two others. i apologize if i consider that classified. i am not comfortable spelling out specifics. there is more than one nation
2:35 am
that we believe has these capabilities. >> the thrust of that question is to say that it is not a one-off. there are multiple nationstates that have the capability and have likely actually been on those networks. >> definitely more than one. the other point i would make, we are watching multiple nationstates invest in this capability. >> when you say investing, talk about what that means. >> when i say invest in this capability, we see them attempting to do reconnaissance on our systems, attempting to generate insight about how our networks are structured. we see them doing research in this area. we see them attempting to steal information on how our systems are configured, very specific schematics of most of our control systems at the engineering level. how can i get in and defeat them? we are seeing multiple nationstates invest in those
2:36 am
kinds of capabilities. >> you mentioned this next group. you have seen the international organized crime organizations starting to develop their capabilities. we have seen, in some cases, them using nationstate-like techniques. can you flesh that out for us? we have highlighted the nationstate threat. this is probably the next one down that gives us cause for concern. can you talk about that and what it means and why it is so difficult for the private sector to defend themselves? >> what we have traditionally seen in the criminal sector was criminal actors, groups penetrating systems and trying to get information that they can sell or use to generate revenue. selling personal information. there is a market out there to sell personal information on individuals.
2:37 am
we have been watching them and observing them stealing data associated with generating revenue. the next trend i think we are going to see in the coming near term is, you will start to see, in many instances, some of those criminal actors now engaging not just in the theft of information designed to generate revenue, but also potentially as a surrogate for other groups, other nations. i am watching nationstates attempt to obscure their fingerprint. one of the ways to do that is to use surrogate groups to attempt to execute these things for you. it is one reason why we are watching criminal actors start to use the tools that we have seen nationstates using. you are starting to see criminal gangs, in some instances, using those tools. which suggests to us that we
2:38 am
are seeing more linkages between the nationstates and some of these groups. that is a troubling development for us. >> hitmen for hire. more on threats, but i want to ask this last question. on a cyber sharing regime, certainly our legislation proposes -- there are concerns. without a valid understanding of exactly how it works, machine to machine, real-time, millions of pieces of information or packets at the speed of light. how can we assure americans that their personal information is not being read or collected or used by the nsa in that real-time machine to machine sharing that would allow you to share what you know with the private sector so they can protect their own networks?
2:39 am
>> i think there are a couple of ways. first of all, this is about computer network defense, not about intelligence. totally different missions with totally different objectives. the second point i would make is we need to publicly sit down and define what elements of information we want to pass to each other. these are the specific data fields. this is the information we need, both what the private sector needs and what the government needs. from my perspective, when we add private information into this, that complicates things for me because i have protections that i must provide that will slow us down. that is not what we are interested in. it would be a negative for us. that is not what we want. i think sitting down and having a very public discussion
2:40 am
detailing exactly what we are talking about when it comes to information sharing is one way to do that. and also highlighting what we are not talking about. this is not what we want to see. i do not want people's personal data. that is not one of the things that we are talking about in this scenario. >> and this is not the nsa plugging into the private networks. >> which is exactly why we need to do this. you do not want nsa in the private sector network. therefore, i am counting on the private sector to share with us. what i am interested in, what i think i owe the private sector is, here are the specifics of the threat we think are coming at you. here is what it is going to look like. here is the precursor of activities we think you are going to see. here is the composition of the malware we think you are going
2:41 am
to see. here is how we think we can defeat it. what i am interested in learning from the private sector is, tell me what you actually saw. was the malware you detected written along the lines of what we anticipated, or was it different? how was it different? help me understand what worked for you and what did not work. how did you configure your networks? what can we share with others so that the insights of one come to the aid of many? that is the kind of back and forth we need. >> you made a very interesting point. this is one of the biggest perception problems of this whole debate. you said the nsa is not on the american private sector networks. can you take a couple of sentences and explain that again. i think that is so important. unfortunately, i think people believe the nsa is on the private sector networks, which it is not. that is why the bad guys have so
2:42 am
much opportunity to swim around. one of the most important points we can make to the american public is what we are trying to do and why the fact that you are not on there is so important. >> the national security agency is a foreign intelligence organization. it is not a domestic intelligence organization. there are legal constraints placed on us when it comes to collection against u.s. persons. u.s. persons include the definition of a u.s. entity in the form of a company. we do not have a presence on any u.s. private networks. that is not what we are about. that is not what our mission is. it is because of that lack of awareness that i am saying, look, i need a partnership. we need to exchange information. if i were the ceo of a major
2:43 am
bank, i would not want to be telling my shareholders, well, you know, the nsa is inside our network. that is not the way we work, but i would tell my shareholders, we have a proactive sharing relationship. we are gaining the benefits of the insights that the nsa is generating in terms of what is likely to come at us. here is what we are doing. here is what is effective and what has not been effective. that is the kind of relationship we need. >> not on american domestic networks, but the iranians and other bad actors are. the chairman has raised a very important issue. it is one of the things we have been dealing with. to protect our country, our businesses, we spend a lot of time negotiating. we have been able to put together a bill that has not
2:44 am
passed in the senate, the bill that gives you the authority to do what you need to do. what i would like to do is to get you in this hearing so the american public can understand what the checks and balances are at the nsa and the fact that your focus is not on the american people. what the debate is, is what could happen. i think that debate is good, that we have the privacy groups who focus on that and debate that so we can come together and learn and develop legislation that deals with privacy protections. if someone at nsa breaks the law, they will be held accountable. the bill that we passed, and unfortunately it has not gone to the senate, dealt with a lot of issues. the perception with the american people is because the government -- nobody's name or
2:45 am
address, but there is that perception in the public. the national media pushes it out pretty far. it was not the case. this committee came together. we developed legislation and now, if you find a terrorist situation in yemen, you get that information and turn it over to the fbi because you do not have jurisdiction in this country. in this legislation we have, we basically say you can move forward and attempt to protect us if we need to. we are not listening to americans at all. we have judicial review, the same thing we do in the united states with criminal cases. you need a search and seizure; that is our check and balance in this country. the checks and balances in this
2:46 am
country are the most stringent of any country in the world. the message that has to get out now is that we do have privacy concerns. we do have constitutional issues and there are checks and balances. if someone does break the law, they will be held accountable. the chairman raised the issue on what happens if you do break the law. you do not have the jurisdiction to begin with. that is turned over to the domestic side with the supervision of the court and privacy groups overseeing it, that kind of thing. that is a long question. short answer, maybe. >> there is a legal aspect to this in terms of, there is the court of law, whose authority and permission we must gain. we must formally petition the court if we are going to do surveillance against a u.s. person. we have to prove to a court of law that there is a connection with a foreign nation, so they
2:47 am
are acting as an agent of a foreign government, or they are interconnected with a terrorist organization or an entity that is attempting to do harm to the u.s. or u.s. persons. we have to present a level of evidence that suggests we could do that. >> and that evidence is reasonable or articulable suspicion. >> right. there is a legal control on how we can collect against u.s. persons. in addition, congress has oversight functions. it is one of the primary roles, the idea that our elected officials would be briefed on what we do and have oversight and knowledge on what we do and act as representatives of our citizens to ensure there was an external party monitoring what we do, being briefed regularly on what we do, being formally notified.
2:48 am
and say, hey, as a matter of record, i want you to know we are doing this and that. there is an oversight mechanism to this. internally, we have created a pretty extensive oversight and compliance set of mechanisms that govern things like how we control our data, who has access to that data. there are training requirements for every one of our employees that has access to such data. we have controlled the number of employees who have access to that data. if you look at the record, it was something on the order of the tens of thousands. we control the data that we collect. we have defined windows as to how long we can retain data. when we delete the data, we purge all of the data and remove
2:49 am
it. we do not hold the data forever. we are required to ensure that we maintain protection on the data from the moment we collect it to the moment that we purge it. we do not sell data. we maintain strict controls over the information we have been granted. when we are doing bulk collection overseas, we have to stop what we are doing and either make a decision in our own mind -- ok, is there a legal case, or do we just stop collecting? we have to make that decision. we have to make a legal case if we want to continue. so there is the legal framework to what we do. there is a series of protections and oversights to what we do, both external to the organization and multiple branches of government. there are a series of controls in place in the organization. it is one reason why i would say
2:50 am
look, you can certainly disagree about the legalities in terms of, hey, is a law good or bad. my responsibility is to ensure that we comply with the law. there should not be any doubt in anybody's mind that we comply with the law. when we fail to do so, we will hold ourselves accountable. >> just one thing. experts were recently surveyed by the pew internet and american life project. the majority said they believe a major cyber attack will happen between now and 2025, which would be large enough to cause significant loss of life or property. tens of billions of dollars. do you share this grim assessment with the majority of these experts? >> i do. >> why or why not?
2:51 am
>> i fully expect that we will be tasked to help defend critical infrastructure in the united states because it is under attack by some foreign nation or some individual or group. i say that because, as you have highlighted, we see multiple nation-states and individuals and groups that have the capability to engage in this behavior. we have seen, to date, this behavior. we have seen this behavior acted on, executed. we have seen this within the corporate sector. knock on wood. it has been largely outside the united states, but it has happened. we have seen individual groups inside critical u.s. infrastructure. it has a presence that suggests to us that this is an area others want to exploit.
2:52 am
all of that leads me to believe it is only a matter of when, not if, we are going to see something traumatic. >> you are seeing attacks now. you are under attack today. are the u.s. government cyber networks under attack today? >> people try to gain unauthorized access and steal data. potentially people attempting to manipulate data. >> and this is happening today. what you are saying is they might just get through before 2025. >> i do not think we will have to wait until -- unfortunately, i bet it happens before 2025. >> ms. bachmann. >> i just want to thank and compliment you and the ranking member for holding this important hearing. this committee has spent a great deal of time on this issue. i think, admiral rogers, your
2:53 am
compelling testimony makes it clear that we need to redouble our efforts on this area and make sure not only are we paying attention, but we are taking direct actions to protect the american people and our economy, from cyber espionage as well as military espionage. i had the occasion to travel to china in august and it was clear that the chinese saw no difference between cyber attacks on military versus espionage. they are open to doing both of those. thank you for this important information that you are putting out. as we know, the technology is increasing rapidly. one area that a lot of people are beginning to be engaged in and yet people have fears about is cloud computing. could you talk to us a little bit about -- are there bad
2:54 am
actors that you have detected? i do not know if this is classified information or not. could you let this committee know -- are there bad actors that you have already detected in mobile and cloud computing? has this advance changed cloud computing and cyberattacks going forward for the private sector and our government? >> thank you. yes, we have observed both the cloud as well as mobile devices being attacked and exploited. but the mobile arena is an area where, as i look to the future -- you asked, what are the trends we are going to see in the next five months? this is a coming trend in no small part because if you look at the proliferation of devices,
2:55 am
it is not in a traditional corporate, fixed network structure. it is the same phenomenon in the government. we are all turning to mobile, digital devices as vehicles to enhance our productivity. it is those same things that make it attractive, the ability to use it in all sorts of environments, that represent an increased potential for vulnerability. >> could you speak more specifically to that? are the american people and american companies more vulnerable through mobile and cloud versus the servers, or less?
2:56 am
side, you could see arguments either way. in general, i am supportive of the cloud idea because my idea is one of the challenges to defense is the broader a structure you have, the more you have to defend and the greater probability of people penetrating you. the surface is smaller. the flipside is where people argue, you are putting all your eggs in one basket. that is certainly true. the flipside is this enables you to protect that basket a whole lot better. having multiple baskets and with the baskets connected -- i apologize. i never thought i would be testifying about baskets. i am supportive of the cloud. i think it is a great way to go. >> we are looking for a new cliché.
2:57 am
you may have given it to us. >> in terms of the mobile piece, it is really going to be problematic. part of the whole idea of mobile is -- and it does not matter which mobile device. >> or any distinction. >> the way the whole network is structured, the idea that you will pull down whatever application you like, those applications have a lot of potential vulnerabilities. we are all out constantly searching for applications that make our lives more productive, that make things easier and more convenient for us, and represent more potential vulnerability. >> i appreciate that. my time is up. >> mr. schiff. >> thank you for your service to the country. you have probably the most difficult job and we are
2:58 am
grateful that you took it on. i want to ask you a couple of legislative questions. one on the cyber bill. one of the major differences between the house and senate proposals involves the sharing of information between the government and private sector. what requirements would you place to remove private information before sharing it? last month, you mentioned that the nsa would need or want private information as part of the cyber threat information, and that receiving the information makes your job harder. does it make sense to require private companies to make a good-faith effort to remove irrelevant personally-identifiable information? you made reference to the metadata program as you saw the usa freedom act fail to get movement in the senate. that probably pushes that into
2:59 am
next year and means we have to start all over again. is the nsa moving forward working with the telephone companies to prepare for the new paradigm where the companies will hold onto their data? there is nothing in statute that requires the government to gather bulk data. you could move forward on your own with making the technological changes so we do not have to wait until next year. are we making progress on the technological adaptations that we need to make? >> your question -- the first part about it, and if i paraphrase, please tell me -- should we attempt to filter up front before the data is pushed to the u.s. government? >> yes. you asked the private companies to make reasonable, good-faith efforts before sharing information with the government.
3:00 am
>> it is all part of the point i was trying to make. we are not willy-nilly pushing information for the sake of pushing information. we should define exactly what we want and need and what companies are going to provide, just as the companies should expect us to define exactly what you are not going to share with me. i do agree with this idea we should have clear delineation of just what the private sector is going to be sharing with the government. in terms of your second question, could you refresh my memory? >> my question is, are you moving forward already and working with the telephone companies to make whatever technological adaptations they have to make so they can retain their own data instead of the government collecting it in bulk? there's nothing that
3:01 am
prohibits you from doing that. you don't have to wait for the u.s.a. freedom act. are you moving forward with those changes? >> the short answer is no. we would rather wait and see what the specifics are going to be of any requirements before we start getting into making changes or start having discussions about the specifics of making changes. part of the reason for that, and both our perspectives have been the hope that we're going to come to a solution in the near term. one of the questions now, you know, i'm trying to consider, ok, if we're unable to gain the consensus in the window that we thought, what are the implications, meaning do we need to start and have some discussions now? i don't have an answer, to be honest. >> there is no statutory mandate of any kind for the government to collect the data. the administration and the d.n.i. say it's no longer
3:02 am
necessary, that the telephone companies can hang on to their own data. the only thing is the government went to the fisa court saying we're going to come to you on an individual case-by-case basis in doing so. there's no reason if you think this is the correct policy that you should have to wait for the congress to mandate you to do it. >> in fact, that is the current policy that we're acting on right now. the president in his remarks on the 17th of january directed us to use that legal court construct. we've been doing that since january, even as he indicated that he would turn to the congress to enact the legislation that you've sent. but we've been directed to use that model. we still go to the court to access the data. >> so is the government not continuing to collect the data? >> the data continues to be
3:03 am
accessed. i have to ask the court. >> why do you gather the data if they both think this is not the best approach? >> i'm confused because i haven't heard the president or the d.n.i. saying that the access to the data is not of value. but what the president directed in those remarks on the 17th of january is we'll continue to implement the program while the congress works through how we're going to make the long-term changes. we do that on a 90-day interval. >> i know i'm out of time. if the administration believes that, and i understand that they do, that the better model is to go to a paradigm where the companies hold on to their own data, it doesn't make sense for us to continue the collection of
3:04 am
metadata. you're not legally required to, and there's no reason not to move to that model and begin that transition now. >> thank you, mr. chairman. thank you, admiral, for being here today and for the work that you and your team are doing at n.s.a. it's important work to the country. so we had a discussion just a few minutes ago about the types of things we're seeing in terms of cyber intrusion. the american people have seen a certain number of cyber-related incidents including the state department, the white house, the national oceanic and atmospheric administration, the postal service, and control systems malware. they come on the heels of major
3:05 am
attacks or intrusions such as j.p. morgan chase, michaels, the south korean banking attacks. on "60 minutes" last month, the f.b.i. director said there are two kinds of big companies in the u.s.: those who have been hacked by the chinese and those who don't know they've been hacked by the chinese. and i would say other states are doing it. so today we've seen these incidents mainly focused on data breaches and industrial espionage. what keeps me up at night, and i'm sure you as well, is the worry that we could face a true cyber attack that we haven't really seen yet that actually causes significant damage, to get the same kinds of effects through cyber that
3:06 am
traditionally you'd see through use of kinetic weapons. and we know that that technology is out there, as you know. and so my question is, you know, we know who and how we will respond if we saw an attack using kinetic weapons, missiles or bombs. we have either the pentagon or the law enforcement agencies would respond, or the national guard or the captains in those cases. but what confidence can you give to the american people? what can you say to the american people that would give them confidence that we have a plan in place and would know how to respond, if either we saw what happened in the planning stages ready to be executed or if it was given to the
3:07 am
executioner and we could stop it. at this point is there any presidential authority, or would it require only presidential authority, to step in and order an intervention? we could prevent that attack and protect our country, protect our critical infrastructure. do you have the bridge in place to deal with the hurdles or does it take bureaucratic authority at this point? >> i'm pretty comfortable that we have a broad agreement and a broad sharing of how we're going to do it. who would do that? we were spinning our wheels about who's going to do what. we've got good delineation as to who has what responsibilities. we've got good broad agreement
3:08 am
as to how i would go to provide that capability in the scenario against critical infrastructure. clearly the presidential authority is required for part of it. for me it's the d.o.d. entity to provide support in the u.s. to partner with others outside the d.o.d. arena. that's required. part of response is going to be an offensive capability. yes, i would need an approval from the president to do that. >> the challenge to me is we've got to move beyond the agreement and get down to the execution level of detail. i come from a military culture. and the military culture teaches us, you take them and then you train and you exercise. and you do it over and over. and that's what we've got to do next. so what about the direct attacks, the cyber crimes, espionage. one could agree that the
3:09 am
hundreds of thousands of dollars lost, some of which are methodical and systematic. when does that become economic warfare? how does that respond? >> first of all, i think we're still trying to come to grips -- >> we clearly have tried to make the argument that we tried to differentiate between the state and understanding it against the private sector of another nation to generate economic advantage. for example, that's among the major differences between us and our chinese counterparts. we don't use our capabilities. other nations use that as a vehicle to gain economic advantage. that's not what we do. so you see the broader
3:10 am
answer. we're clearly trying to work our way through all those issues. >> you tend to treat it right now, the primary result. you know, we're spending our time dealing with repercussions of the penetrations, but what i'd like to do is how can we forestall those penetrations in the first place? >> and it's all those norms, those rules, that behavior that the sneakers. we still have a lot of work to do. >> thank you. >> i appreciate the work you're doing. my time has expired. >> thank you for what you're doing. sky. . chesow >> i'm going to be very
3:11 am
brief. >> what can you do to ensure this in the absence of their administration and concerns about privacy that december fight is failure of the congress to pass legislation? what you may be doing differently that could assure them that their privacy is protected. >> so what we're doing differently is you hear in the president's remarks of the 17th of january. i'm concerned about the potential for abuse. therefore i'm going to overlay a couple of additional requirements. with the metadata, i want you to now go to the court -- it's not enough that you use your own authority as the director, so to speak. now i want you to go to the fisa court to convince the court that you should be
3:12 am
granted access. he also directed -- we used to be able to -- when we went into it, in those instances, we used to be able to do three hops. the president came back and said i want to put another level of protection there. i only want you to do two hops, if you will. so we're not authorized now to do what we used to be able to do. those are, in terms of the metadata, probably the biggest changes that we've dealt with. in addition, he's provided strong guidance. the government has generated in a public fashion a way that outlines it, that we apply and the conditions on signals. so we're putting those
3:13 am
principles in place. in addition, we've completed over the course of the last 15 months or so a pretty fundamental review of what the agency does and what it collects against. >> yes, ma'am? >> one thing on that, image statement was. >> just quickly, and i think this is so important because there was some confusion here. you were obtaining the information under section 215 via the court, are you not? >> overseas with the program. is there content on their phone calls? are you collecting,
3:14 am
storing content under section 215? does it contain p.i.i.? you store the p.i.i. the challenge is -- we get a number, not a name. and you use that as an analytical tool. do you believe that that information is valuable in counterterrorism efforts in the united states? do you personally know that information has led or assisted in any counterterrorism investigation to help defend the investigation? >> i certainly think it's been of value or assistance. >> it's really important to me. no content is collected on any of those phone calls under
3:15 am
section 215. you get a review every 90 days and how you processed it and how you handled it. if you want to go for another 90 days, we have to make the case. you know, there's some notion that we shouldn't be participating in this. i think it's a bit confusing right by the end of the bulk by the government putting it in one place, even though those protections are in one place. it was legal. constitutional. but maybe that's not the way to do it. you've adjusted to that. >> yep, you adjusted to new requirements. there are two competing bills that want to get this right. >> i would be cautious of shedding; that would be my caution. i know some others have called for something different. and secondly on the p.i.i.
3:16 am
from companies, don't you have the ability to strip p.i.i. from information that goes to the n.s.a.? don't you do that today? >> i would think we could do that in an automated fashion. one of the reasons why i would want to have a discussion about exactly what kind of information we're talking about is then i can build in the protections in terms of the mechanics, even if a company doesn't have the capability today but says, hey, i want this, it's going to give it to you. you have the ability to strip out; i think we could do that. in past conversations that's at least what the nsa told us. my only fear is -- and again this is the biggest debate. you want exemptions for voluntary and the standards are right if they are, in fact, in good faith trying to provide a source code without