WEBVTT 00:00.250 --> 00:02.290 - Branch of our Armed Forces. 00:02.440 --> 00:04.270 From Vice Admiral Michael Gilday, 00:04.270 --> 00:06.330 Commander, Fleet Cyber Command, 00:06.700 --> 00:08.550 Lieutenant General Paul Nakasone, 00:09.000 --> 00:11.430 Commander, Army Cyber Command, and nominated 00:11.430 --> 00:13.860 to be the next Commander of the United States Cyber Command, 00:13.860 --> 00:16.880 and Director of the National Security Agency. 00:17.101 --> 00:19.010 Major General Loretta Reynolds, 00:19.010 --> 00:21.390 Commander, Marine Forces Cyber Command, 00:21.390 --> 00:23.360 and Major General Christopher Weggeman, 00:23.670 --> 00:25.450 Commander, Air Force Cyber. 00:26.150 --> 00:29.060 At the conclusion of Ranking Member Nelson's remarks, 00:29.060 --> 00:32.170 we will ask our witnesses to make their opening statements. 00:32.400 --> 00:34.630 After that, we'll give each of our members five minutes 00:34.630 --> 00:36.730 to ask questions of our witnesses. 00:37.410 --> 00:41.400 As we approach full operational capability later this year, 00:41.710 --> 00:43.890 maturation of the Cyber Mission Force 00:43.890 --> 00:46.220 continues at an impressive pace. 00:46.570 --> 00:48.280 According to Admiral Rogers' testimony 00:48.280 --> 00:50.325 a couple of weeks ago, we are on, 00:50.325 --> 00:51.158 (clearing throat) 00:51.158 --> 00:52.750 excuse me, we are on pace to reach 00:52.750 --> 00:55.460 that milestone earlier than planned. 00:55.820 --> 00:58.650 This, along with the many other advances we see 00:58.650 --> 01:02.180 as the department takes what was once a niche capability 01:02.180 --> 01:04.600 and transforms it into a multi-faceted 01:04.930 --> 01:08.880 war-fighting discipline, it is the result of your hard work. 01:09.090 --> 01:11.000 We thank you for your leadership. 01:11.480 --> 01:14.210 Despite the successes, however, challenges remain 01:14.210 --> 01:16.750 as your focus now shifts from building 01:16.750 --> 01:20.100 a first-of-its-kind force to a sustaining one. 01:20.740 --> 01:23.070 In particular, that sustainment will require 01:23.070 --> 01:26.210 a robust pipeline of talent, ready to take the reigns 01:26.210 --> 01:29.180 as soldiers and civilians move to other disciplines, 01:29.270 --> 01:31.860 are promoted, or separate from the military 01:31.860 --> 01:34.300 to take cyber jobs in the private sector. 01:34.523 --> 01:37.830 Last year, we heard about the 127 Air Force 01:37.830 --> 01:40.700 cyber officers who, after completing 01:40.700 --> 01:42.630 their first tour on the Cyber Mission Force, 01:42.630 --> 01:44.630 departed the Cyber Mission Force. 01:45.030 --> 01:47.510 We understand that was an isolated incident, 01:47.590 --> 01:50.510 and that each of the services has enhanced 01:50.510 --> 01:53.570 its focus on how it manages its force. 01:53.570 --> 01:55.320 Just recently, the Marine Corps announced 01:55.320 --> 01:58.060 that it was creating a cyber space occupational field 01:58.410 --> 02:00.210 to address some of these challenges. 02:00.450 --> 02:02.870 I think we all expect this to be a perpetual challenge, 02:02.870 --> 02:05.980 and we look forward to hearing how you are working together, 02:06.120 --> 02:09.450 sharing ideas, and pursuing creative approaches 02:09.650 --> 02:10.950 to make certain that we develop 02:10.950 --> 02:12.810 the bench-strength that we require. 02:13.350 --> 02:15.950 When it comes to providing the cyber weapons that the force 02:15.950 --> 02:18.330 will need to deter and defend it's cyber space, 02:18.750 --> 02:21.270 there, too, is significant room for improvement. 02:21.470 --> 02:23.900 As we heard from Admiral Rogers a couple of weeks ago, 02:23.900 --> 02:25.710 we are not where we need to be. 02:25.960 --> 02:28.540 Numerous niche capabilities exist today, 02:28.620 --> 02:32.110 however, across the enterprise, the capabilities 02:32.110 --> 02:34.340 for training and conducting operations 02:34.730 --> 02:36.950 are in the earlier stages of development, 02:37.150 --> 02:39.080 and won't be delivered for some time. 02:39.560 --> 02:42.790 The force will undoubtedly be hollow in the near term, 02:42.960 --> 02:44.980 and it is incumbent upon each of you 02:44.980 --> 02:47.340 to deliver those fundamental tools and capabilities 02:47.340 --> 02:51.150 as quickly as possible, to make certain that the impressive 02:51.150 --> 02:53.314 gains you have made in training the force 02:53.314 --> 02:57.070 are not lost because of this lack of cyber weapons. 02:57.370 --> 02:59.300 We have been largely critical of the department 02:59.300 --> 03:03.110 regarding this failure in the past, but we do see progress. 03:03.450 --> 03:07.440 The fiscal year 2019 budget requests included $1.8 billion 03:07.440 --> 03:09.850 for the manning, training, and equipping 03:09.850 --> 03:11.810 of the Cyber Mission Force. 03:11.810 --> 03:14.310 The Army and the Air Force requested approximately 03:14.340 --> 03:17.530 $700 million each in FY-19. 03:17.870 --> 03:21.220 The Navy request, however, was only 318 million, 03:21.220 --> 03:23.870 and is less than half the request of its peers. 03:24.000 --> 03:26.210 Both the Army and the Air Force have committed 03:26.210 --> 03:28.350 to developing foundational capabilities, 03:28.500 --> 03:31.610 like the Army's persistent cyber training environment, 03:31.610 --> 03:34.030 and the Air Force's unified platform. 03:34.290 --> 03:37.030 We look forward to hearing more from the Navy 03:37.030 --> 03:40.910 and the Marine Corps as to why, legitimately, their funding 03:40.910 --> 03:43.910 requirements are substantially less than the other services. 03:44.240 --> 03:46.690 I think our hearing would be incomplete without 03:46.690 --> 03:48.840 some discussion of the service's offensive 03:48.840 --> 03:50.890 and defensive cyber capabilities. 03:50.919 --> 03:54.020 Of particular interest to me is the service's 03:54.020 --> 03:58.020 offensive capabilities in the context of the report 03:58.020 --> 04:01.810 of the Defense Science Board Taskforce of cyber deterrence, 04:02.040 --> 04:05.840 which was published in February 2017, just over a year ago. 04:06.809 --> 04:10.520 As we know, that report notes the importance of a strong 04:10.520 --> 04:14.550 cyber deterrent for the next 10 years, a period during which 04:14.550 --> 04:17.020 we will not have the defensive capability to defeat 04:17.020 --> 04:19.920 our pure adversaries' offensive capabilities. 04:20.430 --> 04:22.370 I would be interested in how the services 04:22.370 --> 04:26.300 are focusing to meet that challenge, and policy issues, 04:26.530 --> 04:29.370 policy issues, that may be inhibiting 04:29.370 --> 04:31.060 their ability to do so. 04:31.470 --> 04:34.580 Finally, I would like to know how the services assess 04:34.580 --> 04:38.810 their capabilities to provide support to civil authorities. 04:39.210 --> 04:42.110 Let me close by expressing our gratitude to the witnesses. 04:42.296 --> 04:45.934 Yes, issues do remain, but the progress made 04:45.934 --> 04:49.930 in the past eight years is a testament to the advocacy 04:49.930 --> 04:53.540 and leadership of each of you and your predecessors. 04:53.920 --> 04:56.920 Thank you, again, for your service, and your willingness 04:56.920 --> 04:59.550 to appear today before our subcommittee. 04:59.950 --> 05:01.020 Senator Nelson? 05:01.940 --> 05:06.200 - Thank you, Mr. Chairman, and I want to hit three issues 05:07.200 --> 05:12.100 for you all to contemplate and to respond to. 05:13.560 --> 05:18.310 The first is just how disorganized the Department of Defense 05:18.310 --> 05:21.200 is when it comes to information warfare, 05:21.520 --> 05:24.260 or information operations. 05:25.780 --> 05:30.230 Officially, doctrine recognizes that information 05:30.250 --> 05:35.150 operations include cyber, psychological, 05:35.604 --> 05:39.220 electronic, and public affairs. 05:40.410 --> 05:42.410 There's even an organization called 05:42.410 --> 05:47.310 Joint Information Warfare Center, and at the level 05:47.310 --> 05:51.650 of the military services represented here today, 05:52.950 --> 05:56.810 there is some integration of all of these elements. 05:56.890 --> 06:01.890 But above that level, these elements are all dispersed. 06:03.605 --> 06:06.920 Cyber Command doesn't have the responsibility 06:06.920 --> 06:11.520 for information operations, which these days 06:12.010 --> 06:15.840 are conducted largely through cyberspace, 06:17.040 --> 06:21.100 and information operations and electronic warfare are the 06:21.100 --> 06:24.480 responsibility of, still, other parts of the department. 06:26.100 --> 06:28.070 Now, why does this matter? 06:28.190 --> 06:33.190 Because Russia's information operation's troops conduct both 06:34.178 --> 06:39.178 technical and cognitive operations in an integrated way. 06:40.740 --> 06:43.700 We conduct information operations in support 06:43.790 --> 06:46.070 of commanders at the tactical level. 06:47.320 --> 06:51.320 Putin and other adversaries are coming at us 06:51.320 --> 06:56.310 at the strategic level in so-called peacetime. 06:58.030 --> 07:01.640 I'm afraid that we are ceding the playing field, 07:01.640 --> 07:03.380 and I look forward to you all 07:03.380 --> 07:06.040 giving us your answers to this. 07:07.240 --> 07:12.180 The second issue is the slow pace of progress 07:12.180 --> 07:17.090 in equipping the cyber units that we have built. 07:18.690 --> 07:22.770 We've manned and trained our cyber units, but we still lack 07:23.190 --> 07:27.000 basic joint capabilities for command and control, 07:27.940 --> 07:31.350 the clandestine network infrastructure needed 07:31.350 --> 07:34.550 to maneuver our forces in cyber space, 07:35.338 --> 07:39.190 and the tools and weapons that they need. 07:41.334 --> 07:45.570 And the third issue is, we have to squarely face 07:46.190 --> 07:50.830 the reluctance to use military cyber units 07:50.830 --> 07:53.430 to respond to attacks against us, 07:55.070 --> 07:59.130 to confront Russian hackers and trolls, 08:00.120 --> 08:05.120 to harass North Korean operators who attack Sony, 08:07.000 --> 08:11.460 and to disrupt ISIS internet operations 08:11.910 --> 08:15.160 outside areas of declared hostilities. 08:16.670 --> 08:20.590 And we're not conducting our own information operations 08:20.590 --> 08:25.590 to defend against to deter attacks and acts 08:27.220 --> 08:30.410 on us and our allies. 08:31.500 --> 08:33.600 And this is not just about Russia. 08:34.720 --> 08:38.850 It's about differing views among all the parts 08:38.850 --> 08:41.650 of our government about what constitutes 08:41.940 --> 08:44.250 traditional military activities. 08:44.250 --> 08:45.740 We have to change this. 08:46.890 --> 08:51.890 Our forces can't just watch our adversaries in cyber space. 08:54.800 --> 08:57.620 And I applaud General Weggeman 09:00.550 --> 09:05.550 for stating in his prepared comments, and I quote, 09:07.340 --> 09:11.130 "We must challenge outmoded concepts of sovereignty, 09:11.430 --> 09:16.430 "attribution, and intelligence gain-loss calculations 09:16.540 --> 09:20.000 "which overly constrain our ability 09:20.000 --> 09:23.770 "to achieve cyber space superiority." 09:24.260 --> 09:25.093 End of quote. 09:27.030 --> 09:29.570 We're all concerned about these threats, 09:30.750 --> 09:35.750 but that concern has not yet been matched by action. 09:38.220 --> 09:41.680 I want to hear what each of you think. 09:42.220 --> 09:47.220 And I realize, as stated to us by the Four Star Commander 09:47.820 --> 09:52.070 of Cyber Command, he hasn't been given the direction. 09:53.360 --> 09:56.780 So, I understand the constraints that you have, 09:57.040 --> 09:59.140 but we've gotta get this out on the table. 10:00.870 --> 10:02.650 And I hope we can start today. 10:03.170 --> 10:04.370 Thank you, Mr. Chairman. 10:05.290 --> 10:07.120 - Thank you, Senator Nelson, and I think you 10:07.120 --> 10:08.770 do a good lead-in to a lot of, 10:08.770 --> 10:11.080 not just the capabilities that we've got, 10:11.080 --> 10:13.784 but to the policy issues we have to address, as well. 10:13.784 --> 10:17.720 I'm not sure how you would like to proceed, 10:17.720 --> 10:19.440 or in what order you would like to proceed. 10:19.440 --> 10:21.500 If there is a preference, I would allow 10:21.500 --> 10:23.700 our witnesses to make that determination. 10:24.990 --> 10:28.850 Lieutenant General Nakasone, would you care to begin, sir? 10:29.720 --> 10:31.240 - Thank you, Senator. 10:31.240 --> 10:33.760 Senator Rounds, Chairman Rounds, Ranking Member Nelson, 10:33.760 --> 10:35.360 and members of the subcommittee, 10:35.624 --> 10:38.588 it's an honor to be here alongside my joint teammates, 10:38.588 --> 10:41.290 representing US Army Cyber Command. 10:42.140 --> 10:44.390 My testimony today focuses on the progress 10:44.390 --> 10:47.380 Army Cyber Command has made since May 2017, 10:47.620 --> 10:49.670 when I last sat before this subcommittee. 10:50.410 --> 10:53.240 Today, the Army's 41 active Cyber Mission Force teams 10:53.240 --> 10:56.790 are fully operational, on mission, equipped in delivering 10:56.790 --> 10:58.890 capabilities to joint and Army commanders, 10:58.980 --> 11:01.280 and continues the operations across the globe. 11:02.320 --> 11:04.560 With the initial build of the Army's Cyber Mission Force 11:04.560 --> 11:07.880 complete, our cyber is now focused on sustaining 11:07.920 --> 11:10.290 a measured readiness, and building the Army's 11:10.290 --> 11:12.790 21 Reserve Component Teams. 11:13.370 --> 11:16.340 All 21 Reserve Component Teams, which are now 11:16.380 --> 11:18.883 a part of the Cyber Mission Force, will reach initial 11:18.883 --> 11:22.300 operational capability by 30 September, 2022, 11:22.860 --> 11:26.200 and full operational capability by 30 September, 2024. 11:27.350 --> 11:29.190 We continue to make out networks more secure 11:29.190 --> 11:30.540 and more dependable through conversions, 11:30.540 --> 11:32.740 modernization, and standardization. 11:33.630 --> 11:36.280 A key priority is updating Army computers to a more 11:36.280 --> 11:39.470 secure operating system, a system known as Windows 10. 11:39.870 --> 11:41.960 Over the past 12 months, the Army's already upgraded 11:41.960 --> 11:45.790 over 95% of its approximately one million computers. 11:46.389 --> 11:47.910 Regarding training. 11:48.600 --> 11:51.550 The Army Cyber Center of Access is now teaching all cohorts 11:52.100 --> 11:54.110 from all components and preparing to integrate 11:54.110 --> 11:57.400 the electronic warfare force into the cyber career field. 11:58.660 --> 12:00.840 The Army also continues to guide program management 12:00.840 --> 12:03.490 for the joint, persistent cyber training environment. 12:04.050 --> 12:07.240 We are leveraging existing infrastructure and resources 12:07.590 --> 12:09.919 to integrate the best government off-the-shelf, 12:09.919 --> 12:12.560 and commercial off-the-shelf solutions. 12:13.970 --> 12:16.030 Construction on the Army's Cyber Command Headquarters 12:16.030 --> 12:18.920 complex at Fort Gordon continues, and is taking shape, 12:18.920 --> 12:21.100 transforming the Fort Gordon region 12:21.100 --> 12:24.430 into a cyberspace hub for the Army and the nation. 12:25.710 --> 12:26.990 Thanks to congressional support, 12:26.990 --> 12:29.670 Army talent management issues are also paying off. 12:30.330 --> 12:32.530 We will soon have the Army's first direct commission 12:32.530 --> 12:35.550 cyber officers, and our civilian cyber operators 12:35.550 --> 12:37.550 will have a new career-management field. 12:38.190 --> 12:40.560 We're also incentivizing soldiers to expanded use 12:40.560 --> 12:42.530 of the assignment incentive pay, 12:42.530 --> 12:44.440 and special duty assignment pay. 12:45.840 --> 12:48.130 Partnerships remain critical to our efforts. 12:48.600 --> 12:50.450 We are leveraging the private sector, 12:50.470 --> 12:52.810 the academic community, and the key allies 12:52.810 --> 12:56.100 to rapidly develop and deliver new capabilities 12:56.100 --> 12:58.200 to the joint force and our Army. 12:59.660 --> 13:02.370 In the future, the Army will require sustained investment 13:02.370 --> 13:04.337 in science and technology to capitalize 13:04.337 --> 13:07.870 on the advancements in artificial intelligence, 13:07.870 --> 13:09.980 and other innovative capabilities. 13:10.890 --> 13:12.480 We also need to purse fort structure 13:12.480 --> 13:15.030 and capabilities at the Army core level, and below, 13:15.250 --> 13:17.720 to insure we have the tactical capabilities 13:17.860 --> 13:19.510 our pilot initiatives have shown. 13:20.830 --> 13:22.130 Today, the Army is driving hard 13:22.130 --> 13:24.030 to lay the groundwork for the future force. 13:24.030 --> 13:26.270 With Congress' support, we will continue to build 13:26.270 --> 13:29.240 upon our momentum to deliver a formidable cyber force 13:29.240 --> 13:30.790 to our war-fighting commanders. 13:31.320 --> 13:33.850 Mr. Chairman, I would request my written testimony 13:33.970 --> 13:35.410 be enter into the official record, 13:35.410 --> 13:37.428 and I'm happy to answer the committee's questions. 13:37.428 --> 13:40.320 - [Chairman Rounds] Thank you, Lieutenant General Nakasone, 13:40.320 --> 13:44.490 and all of your complete messages or reports 13:44.490 --> 13:46.990 will be entered into the record without objection. 13:47.390 --> 13:48.790 Vice Admiral Gilday? 13:51.240 --> 13:53.830 - Chairman Rounds, Ranking Member Nelson, 13:53.830 --> 13:55.830 Senator Sasse, good afternoon. 13:56.260 --> 13:58.300 On behalf of the sailors and the civilians 13:58.300 --> 14:00.850 of Fleet Cyber Command, it's an honor to be here 14:00.850 --> 14:03.130 with my joint teammates, and I thank you 14:03.130 --> 14:04.650 for the opportunity to appear. 14:04.870 --> 14:06.940 I also want to thank you for your leadership 14:06.940 --> 14:09.983 and for your support in helping to keep our nation secure 14:09.983 --> 14:12.750 in this complex domain of cyberspace. 14:13.400 --> 14:16.130 Since appearing before this committee last year, 14:16.600 --> 14:19.180 and like my fellow Cyber Component commanders, 14:19.340 --> 14:22.300 I have continues to observe an upward trend 14:22.520 --> 14:26.550 in the capacity, the capabilities, the sophistication 14:26.650 --> 14:30.050 and the persistence of cyber threats against our networks. 14:30.680 --> 14:33.990 Cyberspace intersects everyone of our Navy's missions, 14:33.990 --> 14:37.950 and it requires an adaptive approach to counter the threat. 14:39.070 --> 14:42.281 Navy's approach for offensive and defensive cyber 14:42.281 --> 14:45.590 can really be summarized in three broad areas. 14:46.110 --> 14:49.350 First, modernizing our existing networks. 14:49.620 --> 14:53.070 Second, by investing in new technologies and partnerships, 14:53.070 --> 14:56.290 and lastly, by carefully managing our talent. 14:57.775 --> 15:00.780 First, we are modernizing and defending our networks 15:00.780 --> 15:03.470 by implementing our cyber resilience strategy, 15:03.510 --> 15:06.350 focused on hardening our network infrastructure, 15:06.350 --> 15:08.180 and reducing it's attack surface. 15:08.630 --> 15:11.150 We're in the fifth year of this ongoing effort. 15:11.500 --> 15:14.510 Further, we have extended our defensive posture 15:14.620 --> 15:16.969 to include deploying defensive cyber teams 15:16.969 --> 15:19.040 with our carrier strike groups 15:19.040 --> 15:21.110 and our amphibious readiness groups. 15:21.730 --> 15:24.640 Second, we are investing in new technologies 15:24.640 --> 15:27.530 and partnerships for the offense and the defense 15:27.530 --> 15:30.280 through a series of initiatives, including 15:30.890 --> 15:33.310 transitioning to cloud-based technologies. 15:33.830 --> 15:36.660 At the same time, we are investing in improvements 15:36.660 --> 15:39.480 to defend an to gain better situational 15:39.480 --> 15:42.050 awareness deep inside our networks. 15:42.740 --> 15:45.280 We are leveraging the data sciences through the Navy's 15:45.280 --> 15:48.520 new digital warfare office, and collaborating 15:48.520 --> 15:51.850 with industry and academia to apply new technologies 15:51.920 --> 15:54.670 like machine learning and artificial intelligence. 15:55.340 --> 15:57.451 We continue to mature partnerships 15:57.451 --> 16:00.160 with a host of allies and partners, 16:00.440 --> 16:02.870 and we have established two new commands, 16:03.240 --> 16:07.070 one for doctrine development, and the other for training, 16:07.270 --> 16:10.620 both improving the integration of cyberspace 16:11.470 --> 16:14.650 and electronic warfare into fleet operations. 16:15.460 --> 16:17.790 Third, we are committed to growing 16:17.790 --> 16:19.990 and sustaining our talent base. 16:20.300 --> 16:22.474 Now that all 40 Navy cyber teams 16:22.474 --> 16:24.550 have reached full operational capability, 16:24.570 --> 16:27.390 we are focused, as General Nakasone said, 16:27.420 --> 16:29.940 on sustaining a mission-ready force. 16:30.090 --> 16:32.618 We are meeting, and in some cases, exceeding, 16:32.618 --> 16:35.970 excessionary tension goals for both officers 16:35.970 --> 16:39.480 and enlisted, as well as expanding our direct commission 16:39.570 --> 16:43.280 Cyber Warrant Officer and Cyber Warfare Engineer programs 16:43.350 --> 16:45.560 to capitalize on our technical talent. 16:46.100 --> 16:48.410 We are improving the ways we integrate cyber talent 16:48.410 --> 16:50.420 from the reserve force, and we are 16:50.420 --> 16:53.360 implementing the DOD's new Cyber-Accepted Service 16:53.360 --> 16:55.790 program for our civilian teammates. 16:56.230 --> 16:58.700 We are improving virtual training capabilities 16:58.700 --> 17:01.980 for all of our cyber teams, and we are building 17:01.980 --> 17:04.690 a new Cyber Center at the United States Naval Academy, 17:04.690 --> 17:07.520 and offering graduate degrees for both officers 17:07.520 --> 17:10.330 and enlisted at the Naval Postgraduate School. 17:10.980 --> 17:15.330 Lastly, I still believe we have much room to grow. 17:15.830 --> 17:18.684 In particular, we need to continue to seek improvements 17:18.684 --> 17:22.830 in how we recruit, how we train, how we retain, 17:22.830 --> 17:27.220 how we reward, how we fight, all the while insuring that 17:27.220 --> 17:30.640 our forces are equipped to compete and defeat the adversary. 17:31.320 --> 17:33.300 Mr. Chairman, senators, thank you 17:33.300 --> 17:35.600 for the opportunity to be here this afternoon. 17:35.820 --> 17:37.830 I take the points from your opening remarks, 17:37.830 --> 17:40.180 and I look forward to answering your questions. 17:40.820 --> 17:42.930 - [Chairman Rounds] Thank you, Vice Admiral Gilday. 17:42.930 --> 17:44.080 Major General Reynolds? 17:47.010 --> 17:49.210 - Chairman, good afternoon, Chairman Rounds, 17:49.700 --> 17:51.680 Ranking Member Nelson, Senator Sasse, 17:52.084 --> 17:55.360 other members of the committee. 17:55.630 --> 17:58.390 On behalf of the Marines, the civilian Marines, 17:58.390 --> 18:00.870 and the families of the United States Marine Corps Force's 18:00.870 --> 18:03.730 Cyberspace Command, I want to thank you 18:03.730 --> 18:06.120 for your continued support, and I appreciate 18:06.120 --> 18:09.250 this opportunity to update you on the tremendous progress 18:09.250 --> 18:11.800 that we've made since I was last before you in May. 18:12.280 --> 18:13.920 I'd like to highlight what our Marines are doing 18:13.920 --> 18:17.110 in the cyberspace domain, and how we've shifted our focus 18:17.110 --> 18:19.570 from building the command to operationalizing, 18:19.570 --> 18:23.380 sustaining, and expanding capabilities in this new domain. 18:23.821 --> 18:26.680 Joint Warfare Cyber, I have organized operations 18:26.680 --> 18:29.040 along three lines of effort, and I'll briefly 18:29.040 --> 18:31.040 highlight those for you today. 18:31.350 --> 18:33.527 I use this framework to organize my activities, 18:33.527 --> 18:35.580 and to measure our progress. 18:35.940 --> 18:38.330 So, my first priority is to secure, operate, 18:38.330 --> 18:40.625 and defend the Marine Corps Enterprise Network, 18:40.625 --> 18:44.450 the Marine Corps portion of the DOD Information Network. 18:44.730 --> 18:47.400 We have continued to expand our definition this year 18:47.467 --> 18:49.950 with a mix-in by including all elements 18:49.950 --> 18:52.750 of the Marine Corps IP space, which includes 18:52.750 --> 18:54.500 our many disparate networks that are owned 18:54.500 --> 18:57.400 and managed by different commands across the Marine Corps. 18:57.520 --> 19:00.300 To be more defensible, we've collapsed domains this year. 19:00.300 --> 19:03.330 We've expanded our enterprise view of the network 19:03.330 --> 19:06.050 through a common service desk and endpoint discovery, 19:06.540 --> 19:09.480 and we are now, as General Nakasone mentioned, 19:09.480 --> 19:11.960 we are also nearing completion of upgrade 19:11.960 --> 19:13.760 to Win 10 across the Marine Corps. 19:14.130 --> 19:15.820 We've also experimented with additional 19:15.820 --> 19:19.462 acquisition methods and models like DIUX 19:19.462 --> 19:22.270 that are more responsive to the changing threat, 19:22.328 --> 19:23.920 and we're looking forward to employing 19:23.920 --> 19:27.070 Cyber Command Acquisition Authority when it makes sense. 19:27.460 --> 19:29.090 Moving forward, and in response 19:29.090 --> 19:30.670 to the National Defense Strategy, 19:30.670 --> 19:33.490 we know we must be prepared to fight tonight, 19:33.910 --> 19:35.550 and we will build the objective network 19:35.550 --> 19:38.510 capable of fighting and winning against the pure adversary 19:38.510 --> 19:40.790 in a contested information environment. 19:41.250 --> 19:43.720 So, recognizing that our ability to command and control 19:43.720 --> 19:46.420 is our center of gravity, we are participating 19:46.420 --> 19:48.490 in efforts with United States Marine Corps 19:48.490 --> 19:50.480 Service Headquarters to design and build 19:50.480 --> 19:52.680 a more defensible-network architecture. 19:53.021 --> 19:56.090 My second priority is fulfilling our responsibility 19:56.090 --> 19:57.843 to provide war-fighting capabilities 19:57.843 --> 19:59.680 through the development of ready, 19:59.680 --> 20:02.470 capable cyber forces to United States Cyber Command, 20:02.680 --> 20:04.800 and I am happy to report that as of January 20:04.800 --> 20:08.270 of this year, ahead of schedule, all of our 13 teams 20:08.464 --> 20:10.980 have reached full operational capability, 20:11.040 --> 20:13.300 and are employed against priority missions. 20:13.780 --> 20:15.907 Many of our marines have participated in planning 20:15.907 --> 20:19.100 or executing offensive and defensive missions 20:19.220 --> 20:21.860 against today's adversaries, and are informing 20:21.860 --> 20:24.200 tactics and procedures on a daily basis. 20:24.580 --> 20:26.760 We are increasing our proficiency everyday. 20:27.140 --> 20:29.260 And now, to increase readiness and retention, 20:29.260 --> 20:31.090 and to increase skills progression, 20:31.220 --> 20:34.520 sir, as you mentioned, the Marine Corps, just last week, 20:34.520 --> 20:37.520 announced the creation of our Cyberspace Occupational field. 20:37.930 --> 20:41.240 The creation of the MOS will allow us to deliberately 20:41.240 --> 20:44.330 provide targeted incentives for recruiting and retention. 20:45.010 --> 20:46.791 And for our civilian marines, we are leaning 20:46.791 --> 20:48.960 into hire and transition our workforce 20:48.960 --> 20:50.590 to the cyber-accepted service. 20:51.240 --> 20:53.610 As part of our integrated planning element build, 20:53.610 --> 20:55.450 in support of Special Operations Command, 20:55.450 --> 20:58.950 we have hired civilians across the SOCOM enterprise, 20:59.100 --> 21:00.750 who are providing cyber intelligence 21:00.750 --> 21:03.160 and planning support for joint cyber fires. 21:03.469 --> 21:06.270 My third priority is to provide support 21:06.270 --> 21:07.700 to the Marine Corps as it works 21:07.700 --> 21:10.000 to operationalize the information environment. 21:10.430 --> 21:12.568 As you are aware, the Combatant has modified 21:12.568 --> 21:15.110 Marine formations to build greater capability 21:15.110 --> 21:16.421 in the information environment 21:16.421 --> 21:18.780 under the Marine Corps operating concept, 21:19.060 --> 21:21.170 and we are building additional DCO forces 21:21.170 --> 21:24.300 inside the MAGTF, experimenting with tactical cyber, 21:24.300 --> 21:26.640 and sharing lessons on the integration of cyber 21:26.640 --> 21:29.670 with other fires and other information capabilities. 21:30.210 --> 21:33.440 As we continue to increase our capability and our capacity, 21:33.560 --> 21:35.580 we look forward to occupying our new 21:35.580 --> 21:39.100 operational headquarters on NSA's campus next month. 21:39.510 --> 21:41.359 I want to, again, take the opportunity to thank Congress 21:41.359 --> 21:43.810 for the military construction funding 21:43.810 --> 21:46.260 that enabled the development of our new building. 21:46.480 --> 21:49.430 This building is much more than just administrative spaces. 21:49.570 --> 21:51.286 It will serve as a platform for training, 21:51.286 --> 21:54.650 command and control, planning, and execution. 21:55.249 --> 21:58.010 I am incredibly proud of the strides that we have made 21:58.010 --> 22:00.360 in operationalizing cyberspace in support 22:00.390 --> 22:02.340 of the MAGTF, and the Joint War Fighter 22:02.580 --> 22:04.590 since I was last before you in May. 22:05.030 --> 22:06.710 Thank you, Mr. Chairman and members of the committee, 22:06.710 --> 22:08.920 for inviting me to testify before you today, 22:09.080 --> 22:11.250 and for the support that you, and this committee, 22:11.250 --> 22:13.200 have provided our marines and their families, 22:13.200 --> 22:15.450 and I look forward to continuing the dialogue 22:15.450 --> 22:17.200 and to answer your questions today. 22:17.210 --> 22:18.043 Thank you. 22:18.043 --> 22:20.004 - [Chairman Rounds] Thank you, Major General Reynolds. 22:20.004 --> 22:22.570 Major General Weggeman, you are last 22:22.570 --> 22:25.140 because you are the youngest of the branches. 22:25.600 --> 22:26.530 You may begin. 22:27.136 --> 22:28.174 (clearing throat) 22:28.240 --> 22:29.198 - I think that's an honor. 22:29.198 --> 22:31.730 Thank you, Chairman Rounds, Ranking Member Nelson, 22:31.970 --> 22:33.704 distinguished members of the subcommittee. 22:33.704 --> 22:36.530 Thank you for the opportunity to appear before you today, 22:36.530 --> 22:38.640 along with my esteemed cyber colleagues. 22:38.820 --> 22:40.780 I look forward to discussing the Air Force's 22:40.780 --> 22:44.270 significant progress in advancing full-spectrum cyberspace 22:44.270 --> 22:48.610 operations and our contributions to joint operations. 22:49.370 --> 22:52.069 I have the distinct honor to lead more than 15,000 22:52.069 --> 22:54.940 total-force airmen and civilians operating globally 22:55.250 --> 22:58.380 as a maneuver and effects force in a contested domain, 22:58.520 --> 23:00.820 delivering cyber superiority for our service 23:00.820 --> 23:03.180 and in support of our joint partners. 23:03.930 --> 23:06.980 In this domain, threats are growing rapidly and evolving. 23:07.420 --> 23:10.021 Our adversaries are acting with precision and boldness, 23:10.021 --> 23:13.070 utilizing cyberspace to continuously challenge 23:13.070 --> 23:16.390 the United States below the threshold of armed conflict, 23:16.610 --> 23:18.836 imposing great costs on our economy, 23:18.836 --> 23:21.530 national unity, and military advantage. 23:22.120 --> 23:24.040 In this ever-shifting and competitive terrain, 23:24.040 --> 23:26.420 we must remain vigilant with cyber-hygiene, 23:26.513 --> 23:30.580 cyber security, and threat-specific defensive operations 23:30.580 --> 23:33.820 in order to compete, deter, and win. 23:34.640 --> 23:36.420 The Air Force has invested in the creation, 23:36.420 --> 23:39.380 fielding, and sustainment of an ever-increasing portfolio 23:39.380 --> 23:41.950 of cyber defensive-and-offensive capabilities. 23:42.300 --> 23:44.650 Specifically, seven cyber-weapon systems 23:44.650 --> 23:47.070 designed to provide a tiered global defense 23:47.230 --> 23:49.130 of the Air Force information network. 23:49.570 --> 23:52.030 Second, defensive cyber maneuver forces 23:52.030 --> 23:54.950 to actively defend key cyber terrain, 23:55.360 --> 23:57.070 and last, offensive capabilities 23:57.070 --> 23:59.070 to provide all domain-integrated 23:59.070 --> 24:01.950 operational effects to combatant commanders. 24:02.930 --> 24:04.820 The Air Force's Cyber Mission Force teams 24:04.820 --> 24:07.030 are on track to achieve full operational 24:07.030 --> 24:10.330 capability by the end of FY 2018. 24:10.810 --> 24:14.980 As of today, 35 of 39 Cyber Mission Force teams 24:14.980 --> 24:17.180 have declared full operational capability. 24:17.180 --> 24:21.128 By comparison, highlighting our extensive progress, 24:21.128 --> 24:24.100 at this time, at this same hearing 10 months ago, 24:24.100 --> 24:26.880 we only had nine teams at FOC. 24:27.450 --> 24:29.080 Our four remaining teams are expected 24:29.080 --> 24:32.520 to declare FOC by June of 2018, concluding 24:32.520 --> 24:35.040 our build phase three months ahead of deadline. 24:35.980 --> 24:39.130 Air Force Cyber trains and fights as a total force team, 24:39.130 --> 24:41.330 harnessing the unique attributes and talents 24:41.370 --> 24:43.610 of all components: regular Air Force, 24:43.610 --> 24:46.270 Air National Guard and Air Force Reserve. 24:46.740 --> 24:49.561 Across 24th Air Force, we employ more than 11,000 24:49.561 --> 24:53.340 full-time and part-time reserve and guard personnel, 24:53.460 --> 24:56.736 providing support for training, intelligence, 24:56.736 --> 24:59.800 full-spectrum operations, command and control, 24:59.800 --> 25:01.500 and capability development. 25:01.890 --> 25:03.680 For our Cyber Mission Force teams, 25:03.680 --> 25:07.210 the Air Force has employed a built-in, total-force strategy 25:07.330 --> 25:09.630 with 15 Air National Guard squadrons, 25:09.630 --> 25:12.250 and a classic reserve-associate squadron, 25:12.340 --> 25:13.940 providing additional trained-and-ready 25:13.940 --> 25:16.180 surge capacity in times of crisis. 25:17.010 --> 25:19.686 Cyber Space Operations are powered through partnerships, 25:19.686 --> 25:22.610 and 24th Air Force is wholly committed to strengthening 25:22.610 --> 25:25.180 our relationships with other Air Force partners, 25:25.410 --> 25:28.500 our sister services, inter-agency counterparts, 25:28.500 --> 25:31.450 combatant commanders, coalition allies, 25:31.460 --> 25:33.540 as well as civilian industry partners. 25:34.190 --> 25:36.700 Congressional support continues to be essential 25:36.780 --> 25:38.790 to our significant operational progress, 25:38.830 --> 25:41.630 and will only increase in importance as we move forward. 25:42.210 --> 25:43.700 I will keep my opening remarks brief, 25:43.700 --> 25:46.240 as I have provided a comprehensive update 25:46.350 --> 25:48.336 for the committee in my written statement, 25:48.336 --> 25:50.850 outlining in detail our significant 25:50.850 --> 25:53.250 operational improvements, specific initiatives, 25:53.250 --> 25:55.632 successes and challenges, of course. 25:55.632 --> 25:58.290 I am honored and humbled to command 25:58.290 --> 26:01.260 this magnanimous organization, and I am inspired 26:01.260 --> 26:03.576 everyday by the innovative spirit, 26:03.576 --> 26:07.130 the patriotism, the sacrifice, and audacity 26:07.130 --> 26:08.840 of our Air Force cyber warriors. 26:09.090 --> 26:10.900 They are, by far, our nation's 26:10.900 --> 26:13.240 most powerful cyber weapons system. 26:13.740 --> 26:16.630 I look forward to your questions, and the ensuing dialogue. 26:16.630 --> 26:17.463 Thank you. 26:17.640 --> 26:19.440 - Thank you, Major General Weggeman. 26:21.130 --> 26:23.770 Senator Sasse has been a regular attendee at these, 26:23.770 --> 26:25.370 and yet, he always seems to have to leave 26:25.370 --> 26:26.860 before he can ask any questions. 26:26.860 --> 26:28.760 And so, I'm gonna defer my questions. 26:28.980 --> 26:30.430 Senator Sasse, you may begin. 26:30.790 --> 26:34.540 - Being 101st in seniority has some downsides, it turns out. 26:35.270 --> 26:36.270 Thank you, Chairman. 26:37.340 --> 26:38.990 Thank you all for your service, thanks for being here. 26:38.990 --> 26:41.990 I'd like to talk about the Presidential Policy Directive 20. 26:42.170 --> 26:47.170 Does it work, and if not, what's the conversation like 26:48.270 --> 26:52.510 between you all and DOD and the NSC about that? 26:52.710 --> 26:54.840 Could you talk us through a little bit, about how long 26:54.840 --> 26:57.240 it takes in the process from beginning to end? 26:57.290 --> 27:00.040 All of you, but General Nakasone, if you want to start? 27:01.280 --> 27:02.113 - So, 27:03.338 --> 27:05.538 PPD 20, or Presidential Policy Directive 20, 27:06.380 --> 27:09.390 the methodology upon which we get approvals 27:09.390 --> 27:11.270 for offensive cyber space operations, 27:12.210 --> 27:14.030 is a work in progress, in terms of 27:14.540 --> 27:17.850 the way that we've approached getting approvals. 27:18.150 --> 27:23.150 I would say we have had a tremendous amount of success 27:24.100 --> 27:26.860 with ongoing operations with regards to 27:27.110 --> 27:29.390 JTF Aires and our fight against ISIS. 27:29.800 --> 27:32.910 That has been, certainly, something that has allowed us 27:32.910 --> 27:35.710 to make a case for the things that we need to have done. 27:35.891 --> 27:37.560 Is the process perfect? 27:37.780 --> 27:40.170 No, it's not, but this is a constant dialogue 27:40.370 --> 27:43.550 that goes on between ourselves, certainly Cyber Command, 27:43.550 --> 27:46.010 and the Department of Defense, and then, 27:46.010 --> 27:47.890 the National Security Council, Senator. 27:49.820 --> 27:50.653 - Admiral. 27:51.330 --> 27:52.450 - Sir, thanks for the opportunity 27:52.450 --> 27:53.800 to comment on this subject. 27:54.560 --> 27:58.380 So, as General Nakasone mentioned, really, we have not, 27:58.380 --> 28:00.810 PPD 20 hasn't kept us from delivering effects 28:00.810 --> 28:02.860 when we've been required to deliver them. 28:03.019 --> 28:05.180 It is intended, or was intended, 28:05.180 --> 28:08.640 to be a very deliberate process in determining 28:08.640 --> 28:11.760 when and how we would deliver cyber effects 28:11.760 --> 28:13.860 against, whether it's a sovereign nation, 28:13.860 --> 28:15.360 or whether it's a rogue actor. 28:15.860 --> 28:18.990 And so, I think that, as an over-arching policy, 28:18.990 --> 28:21.600 I think that it's a good framework. 28:21.607 --> 28:25.255 There are built-in mechanisms within that framework 28:25.255 --> 28:28.040 to accelerate authorities if we need them. 28:28.040 --> 28:32.780 If the nation needs to get authorities quicker, it exists. 28:32.780 --> 28:35.710 But as General Nakasone said, we have learned 28:35.710 --> 28:38.210 a lot in the last 2 1/2 years. 28:38.260 --> 28:41.400 The world has changed a lot in the last 2 1/2 years 28:41.400 --> 28:43.400 in terms of how people act in this space. 28:43.400 --> 28:46.950 And so, I do think that we're learning from that, 28:46.950 --> 28:50.250 and I do think it's informing policy makers, and I think 28:50.250 --> 28:53.260 people are marching together to make improvements. 28:53.740 --> 28:56.200 - So, you can cite specific examples of times 28:56.200 --> 28:59.020 when the process has worked, but I assume if we were in 28:59.050 --> 29:01.440 a classified space, there'd also be 29:01.440 --> 29:04.460 specific operations that you were never able 29:04.460 --> 29:06.530 to carry out because of how slow it is. 29:06.530 --> 29:07.447 I've heard other cyber warriors 29:07.447 --> 29:11.880 refer to PPSD 20 as molasses. 29:12.720 --> 29:15.210 Is it the case, and what can we talk about it 29:15.210 --> 29:18.160 in non-classified setting, about specific operations, 29:18.160 --> 29:20.460 I guess not talking about specific operations, 29:20.460 --> 29:22.620 but what general takeaways do we have 29:22.620 --> 29:24.060 about times when it's been too slow 29:24.060 --> 29:26.560 to enable you to act in cases where you had targets 29:26.560 --> 29:28.410 that you would have liked to pursued? 29:31.200 --> 29:33.777 - Well, I can't speak to any of the operational specifics, 29:33.777 --> 29:37.514 but I'll give you a perspective to your original question. 29:37.514 --> 29:40.320 And again, policy's not my realm, 29:40.320 --> 29:41.990 that's the Senior Military Operational Commander, 29:41.990 --> 29:44.860 but I'll give you some observations of PPD 20. 29:45.080 --> 29:47.230 When I first came into the domain in 2012, 29:47.230 --> 29:49.320 that's when we were writing PPD 20. 29:49.320 --> 29:51.390 So, think about the maturation 29:51.390 --> 29:53.290 and the pace of change since then. 29:53.290 --> 29:56.270 So, six years later, we still have the same PPD 20. 29:57.040 --> 29:59.570 It started out as, kind of, an authorities-driven 29:59.810 --> 30:03.030 policy directive, and I think what we're going to now 30:03.030 --> 30:04.930 is we're learning, now that we have capability capacity 30:04.930 --> 30:07.280 to actually do more, we need more of a mission, 30:07.330 --> 30:10.785 and risk-informed policy that allows us 30:10.785 --> 30:15.690 a broader spectrum of authorities and risks that would 30:15.690 --> 30:19.080 allow us the pace, the timing and tempo of operations, 30:19.080 --> 30:21.530 I think, to match our adversaries in cyberspace. 30:21.530 --> 30:24.470 So, I think that's where we're going. 30:24.470 --> 30:27.360 Now that we're showing that we have capability capacity, 30:27.360 --> 30:29.410 we're proving ourselves that we can be responsible 30:29.410 --> 30:31.130 and credible actors in the space, 30:31.410 --> 30:33.060 I think we should be looking at, 30:33.060 --> 30:37.680 how do we create a broader spectrum of threat-and-risk-based 30:37.920 --> 30:40.360 authorities and delegations, so that 30:40.360 --> 30:42.140 we can respond with greater tempo. 30:42.663 --> 30:45.420 - I want to follow up on the standardized delegation 30:45.420 --> 30:47.617 question, but General, I think you were trying to get in. 30:47.617 --> 30:50.170 - Senator, I think what you've heard 30:50.170 --> 30:54.430 from the other commanders is exactly that, in that 30:54.509 --> 30:56.720 everything that we are learning, I think every day, 30:56.720 --> 30:58.900 we are learning more and more about 30:58.900 --> 31:00.850 the delivery of effects in this domain. 31:00.850 --> 31:04.950 And to General Weggeman's point, it's really a matter of, 31:04.950 --> 31:07.682 where's the risk, and who should accept that risk, 31:07.682 --> 31:09.670 from a decision making perspective? 31:09.670 --> 31:12.410 And so, I certainly think there's some room 31:12.410 --> 31:16.440 to have more discussion on this PPD, sir. 31:16.556 --> 31:18.480 - If you were, sort of, briefing 31:18.480 --> 31:20.360 the Armed Services Committee on what 31:20.360 --> 31:22.160 standardized delegations might look like 31:22.160 --> 31:24.830 for all of our allies, could you give examples 31:24.830 --> 31:27.020 of cases where our allies might have 31:27.031 --> 31:29.610 some delegated authorities that have been routinized 31:29.610 --> 31:31.110 that you'd like us to look at? 31:33.630 --> 31:34.680 - Certainly, Senator. 31:35.395 --> 31:36.750 And if you want, we could probably 31:36.750 --> 31:38.300 do that in a different session. 31:38.750 --> 31:41.560 - I think there are a number of us who'd like to follow up 31:41.560 --> 31:43.980 on that and be tutored by you, again, 31:43.980 --> 31:46.770 with all respect to your operational responsibilities, 31:46.770 --> 31:48.340 not your policy-making responsibilities, 31:48.340 --> 31:51.280 but those of us who are in a policy-making role 31:51.280 --> 31:53.640 know well that we need the tutorials 31:53.640 --> 31:55.700 of people who are actually living this, day-in and day-out. 31:55.700 --> 31:58.900 So, I'm overtime here, but we'll follow up on that 31:58.900 --> 32:00.720 and invite you back in a classified space. 32:00.720 --> 32:01.580 Thanks. 32:02.280 --> 32:03.760 - [Chairman Rounds] Senator Nelson. 32:03.760 --> 32:04.990 - [Senator Nelson] Mr. Chairman, we're here 32:04.990 --> 32:06.970 in the family, so you go ahead. 32:07.510 --> 32:09.460 - Alright, thank you, and I appreciate it. 32:09.460 --> 32:11.430 I'm gonna follow-up, kind of along the same lines 32:11.430 --> 32:13.500 as Senator Sasse has begun, and I think 32:13.500 --> 32:15.050 it's a good line to begin with. 32:15.300 --> 32:17.730 I'd kinda like to know what limitations 32:17.730 --> 32:22.700 in current policy most immediately challenge your ability 32:22.700 --> 32:26.870 to operate effectively in cyberspace, if I could. 32:26.870 --> 32:28.220 And I'll just open this up. 32:29.499 --> 32:30.949 We're all in the family here. 32:34.560 --> 32:36.660 And I recognize that we're in an open session, 32:36.660 --> 32:39.145 but we're talking about policy and the difference, 32:39.145 --> 32:41.495 and let me, perhaps, preface this a little bit. 32:42.200 --> 32:46.340 We've got thousands of years of knowing how armies have 32:46.340 --> 32:49.260 learned how to interact with one another on a battlefield, 32:49.260 --> 32:51.780 there are norms that have been established. 32:52.009 --> 32:54.770 The same with the law of the sea. 32:54.980 --> 32:56.450 There are norms that have been established 32:56.450 --> 32:58.300 in terms of how we treat one another, 33:00.150 --> 33:03.600 military-to-military, military-to-civilian, and so forth. 33:03.716 --> 33:08.680 Even in the air, we have norms about how one aircraft 33:08.680 --> 33:12.790 treats another aircraft when there are incidences involved. 33:13.070 --> 33:14.970 Space is, perhaps, a little bit newer, 33:14.980 --> 33:16.540 and most certainly the norms there 33:16.540 --> 33:19.060 have not been completely established. 33:19.380 --> 33:22.060 When it comes to cyber, the norms 33:22.060 --> 33:25.560 are still being established, and our expectation, 33:25.560 --> 33:28.360 in many cases, is based upon what norms 33:28.360 --> 33:33.074 in other domains of war have already been established. 33:33.074 --> 33:35.340 It would seem that our adversaries have not taken 33:35.340 --> 33:37.420 the same approach, and are not bound by the same 33:37.420 --> 33:40.620 respect for norms as, perhaps, we are. 33:40.920 --> 33:42.040 So, let me bring this back again. 33:42.040 --> 33:44.690 What are the limitations, in terms of how we look at 33:45.080 --> 33:47.700 and how we view the norms, when it comes to 33:47.837 --> 33:52.380 our offensive capabilities, and what are the limitations 33:52.380 --> 33:54.598 that we respect that, perhaps, you would see in, 33:54.598 --> 33:57.360 Senator Sasse indicated our allies, perhaps, 33:57.360 --> 33:59.941 have other alternatives or other policies established. 33:59.941 --> 34:02.900 We have peer competitors that most certainly do some things 34:02.900 --> 34:05.500 that we would consider to be appropriate 34:05.500 --> 34:07.576 at this point and we are restricted from doing. 34:07.576 --> 34:09.490 Do you have any examples of that, 34:09.490 --> 34:12.210 or things that you have seen that have been frustrating 34:12.210 --> 34:15.277 to you, with regard to their offensive movements, 34:15.277 --> 34:18.070 that we simply do not do? 34:19.690 --> 34:22.340 - So, Senator, normally we're a very talkative bunch. 34:22.860 --> 34:25.410 I would offer that we can provide the perspective 34:25.410 --> 34:27.740 of our operational lessons learned, 34:27.740 --> 34:29.750 and let me take it from that aspect, 34:29.750 --> 34:31.770 because I think that's an important piece. 34:31.970 --> 34:35.900 So, when we look at the domain, there are really 34:35.900 --> 34:37.710 three things that I think all of us 34:37.720 --> 34:40.140 are very interested to have a discussion on. 34:40.150 --> 34:42.520 First of all is the discussion of risk. 34:42.720 --> 34:44.530 Who accepts the risk, what is the risk, 34:44.530 --> 34:45.980 how do you describe the risk? 34:46.030 --> 34:47.640 What are the mitigations for that risk? 34:47.640 --> 34:50.130 There are elements that, I think, we talk 34:50.130 --> 34:52.840 a lot about when we are in discussions 34:53.660 --> 34:55.880 and planning for cyberspace operations. 34:56.250 --> 34:59.780 Second thing is, what's the operational gain-loss? 34:59.920 --> 35:02.330 If we do this mission, or we don't do this mission, 35:02.330 --> 35:05.530 what is the opportunity cost for those actions? 35:05.610 --> 35:07.200 And the third element, I would say, 35:07.200 --> 35:09.220 is what's the intel gain-loss? 35:09.460 --> 35:13.256 That is obviously a question that is offered by many of us, 35:13.256 --> 35:15.437 and also those in the inner-agency, and I think that 35:15.437 --> 35:19.490 that is, perhaps, the area that all of us, based upon 35:19.490 --> 35:22.340 our operational experiences, have spent some time with. 35:25.320 --> 35:28.800 - Yes, Senator, I guess I think to offer a thought 35:28.800 --> 35:31.540 based upon Senator Nelson quoting my written statement, 35:31.540 --> 35:33.050 because I think this gets right to it. 35:33.050 --> 35:35.990 So, to me, the cornerstone document is our new 35:35.990 --> 35:37.360 National Defense Strategy, right? 35:37.360 --> 35:41.230 So, compete, deter, and win. 35:42.080 --> 35:45.550 So, if I was looking at a broad set of policies, 35:45.550 --> 35:47.860 I don't want to act like the irresponsible actors. 35:47.860 --> 35:50.860 I think we're a nation of laws. 35:50.860 --> 35:53.750 I think we, as military operational commanders, 35:53.750 --> 35:55.230 operate under the Law of Armed Conflict, 35:55.230 --> 35:57.580 Rules of Engagement, and special instructions, 35:57.710 --> 35:59.610 so that we're credible and responsible 35:59.830 --> 36:01.550 in the disposition of our duties. 36:01.600 --> 36:03.530 But I do think, if we want to compete, deter, and win 36:03.530 --> 36:04.970 in cyberspace, that we have to get, 36:04.970 --> 36:07.450 to General Nakasone's point, more oriented 36:07.450 --> 36:10.946 on mission outcomes and risk models and threat-driven 36:10.946 --> 36:14.680 operations that allow us to become the challenger 36:15.110 --> 36:17.930 instead of the challenged in this domain. 36:18.350 --> 36:19.830 And so, all the things you mention, 36:19.830 --> 36:21.620 all the things I talk about, I do think 36:21.620 --> 36:26.150 we have to look at new approaches within the confines 36:26.150 --> 36:28.450 of our government and what we seek to do 36:28.610 --> 36:31.980 from a national perspective on things like sovereignty. 36:32.040 --> 36:33.070 To your point, right? 36:33.070 --> 36:37.210 There is no international airspace, or water, in cyberspace. 36:37.210 --> 36:40.040 Every piece of the domain is some manmade space 36:40.040 --> 36:42.040 that someone says is his or hers. 36:42.250 --> 36:43.590 And so, we have to rethink that. 36:43.590 --> 36:46.510 I think we have to look at, become the challenger 36:46.510 --> 36:50.710 is gonna require us to be more of a 21st Century 36:50.710 --> 36:53.300 information operation, information warfare 36:53.510 --> 36:57.144 cogent organization, or group of inter-agency partners, 36:57.144 --> 37:01.580 that wants to, then, do the things that are happening to us 37:01.580 --> 37:03.470 to impose cost, to deny benefit, 37:03.950 --> 37:07.270 to demonstrate stake, and to convey the legitimacy 37:07.270 --> 37:11.090 of those actions to our citizenry, as well. 37:12.050 --> 37:12.883 - Thank you. 37:13.140 --> 37:14.110 Senator Nelson. 37:17.400 --> 37:22.190 - General Nakasone, you're going to be the commander of US 37:24.910 --> 37:27.570 Cyber Command, and it is now being 37:27.570 --> 37:30.140 upgraded to a Combatant Command. 37:32.200 --> 37:35.620 Have you thought about the possible unique role 37:35.620 --> 37:39.130 that you're gonna be, that you may be one of the 37:39.840 --> 37:42.500 US Military Establishment Commanders 37:42.500 --> 37:45.980 that is actually in actual combat? 37:49.490 --> 37:53.244 - Senator, if confirmed, certainly, I will be thinking 37:53.244 --> 37:55.650 every single day about that, and I have been a bit 37:55.650 --> 37:57.960 over the past couple weeks as I've testified. 37:58.320 --> 38:01.290 I would offer, as I think to this future, 38:01.290 --> 38:03.960 it's informed by much of what I've learned over the past 38:03.960 --> 38:06.840 couple years in command of Joint Taskforce Aires. 38:06.917 --> 38:07.827 If I might, 38:07.827 --> 38:09.620 - Okay, let me stop you there. 38:09.620 --> 38:11.960 Let me ask about that, because as 38:11.960 --> 38:14.470 the Commander of Task Force Aires, 38:15.420 --> 38:19.420 responsible for the operations to disrupt ISIS, 38:21.370 --> 38:24.560 and specifically, to disrupt ISIS 38:24.560 --> 38:27.330 on the internet for their propaganda, 38:27.350 --> 38:30.590 recruiting, and command and control, 38:31.710 --> 38:35.120 the task force's performance in its first year 38:35.750 --> 38:37.620 was rated as poor. 38:38.630 --> 38:43.630 But you have testified performance has gotten a lot better. 38:44.770 --> 38:49.770 So, have you conducted operations in Task Force Aires 38:49.840 --> 38:54.840 designed to manipulate the thinking of ISIS adherents? 38:57.340 --> 38:58.560 - Senator, yes we have. 38:59.170 --> 39:01.990 We have conducted information operations, and I would offer 39:01.990 --> 39:05.220 that that's perhaps the piece of Aires that I've learned 39:05.220 --> 39:08.010 the most about, being able to provide a message, 39:08.010 --> 39:12.310 to amplify a message, to impact our adversaries. 39:12.510 --> 39:15.390 - So, not just disrupting their networks, 39:15.390 --> 39:20.390 but also conductive, cognitive information operations. 39:21.080 --> 39:22.880 - Yes, Senator, and in fairness, as you pointed 39:22.880 --> 39:25.410 in your opening comment, probably more at the tactical 39:25.410 --> 39:27.150 and, perhaps, operational level, 39:27.150 --> 39:29.380 but I think that that's where it begins. 39:29.400 --> 39:31.350 Understanding how you provide that message, 39:31.350 --> 39:33.050 the infrastructure that you need, 39:33.390 --> 39:37.520 the capabilities that are going to underpin your messaging. 39:37.570 --> 39:40.030 - So, are you using the Army's first 39:40.030 --> 39:42.380 Information Operations Brigade? 39:44.600 --> 39:45.800 - Senator, yes we are. 39:45.880 --> 39:47.990 Certainly, that's one of the elements, and other elements 39:47.990 --> 39:51.010 from our joint force to include our Marines, our Navy, 39:51.010 --> 39:52.490 and our Air Force as well, Senator. 39:52.490 --> 39:57.270 - So now, you're moving to the strategic level overall, 39:57.270 --> 39:59.470 not just the Army's perspective. 39:59.470 --> 40:01.760 Are there lessons from this task fort, 40:03.100 --> 40:05.190 the task force, that can be elevated 40:05.190 --> 40:07.310 to the strategic level and applied 40:07.310 --> 40:11.880 to the information warfare threat from Russia? 40:14.320 --> 40:16.220 - Senator, I think there probably are, 40:16.440 --> 40:19.020 in terms of the lessons that we've learned in Aires. 40:19.020 --> 40:22.678 And while I'm a bit hesitant to apply a broad brush, 40:22.678 --> 40:25.320 let me offer three that do come to mind. 40:25.640 --> 40:27.780 First of all, you have to start early. 40:27.780 --> 40:30.380 You indicated the first year was a difficult one for us. 40:30.380 --> 40:31.950 It was a difficult one for us, 40:31.950 --> 40:34.110 because we were trying to build an infrastructure, 40:34.110 --> 40:35.850 build capabilities, build talent. 40:36.430 --> 40:37.969 The second thing I would offer is, 40:37.969 --> 40:39.700 there's nothing more powerful than having 40:39.700 --> 40:42.003 your own infrastructure, your own capabilities. 40:42.003 --> 40:44.598 One of the things that the Army has provided us 40:44.598 --> 40:46.700 is an infrastructure that we use. 40:47.000 --> 40:49.590 And the third thing is, it comes down to talent. 40:50.446 --> 40:54.980 18 months ago, in a room of cyberspace operators 40:54.980 --> 40:57.670 across our entire force, if I would have asked the question, 40:57.670 --> 40:59.080 raise your hand if you've conducted 40:59.080 --> 41:00.829 an offensive cyberspace operation, 41:00.829 --> 41:03.298 out of 100 soldiers, sailors, airmen, and marines, 41:03.298 --> 41:05.020 maybe two or three would have done it. 41:05.020 --> 41:06.730 Today, nearly the entire room 41:06.730 --> 41:08.280 has got their hand up, Senator. 41:09.350 --> 41:14.350 - So, as you go on to be the Four Star Commander 41:14.990 --> 41:17.070 of a Combatant Command, 41:19.480 --> 41:24.480 Russia has, at least, some military units 41:24.820 --> 41:28.200 that combine technical cyber operations 41:29.770 --> 41:34.210 and information capabilities. 41:35.130 --> 41:38.840 The DNI has testified that their operations 41:38.840 --> 41:42.340 are having strategic effects on us. 41:42.360 --> 41:45.380 That's from Dan Coats, the DNI. 41:46.330 --> 41:51.330 Do your information operations units have cyber skills? 41:54.490 --> 41:56.020 - Our information operations units 41:56.020 --> 41:57.490 do have cyber skills, Senator. 41:57.490 --> 42:01.780 - So, if all these functions are integrated at the service 42:02.200 --> 42:07.200 level, why do we separate them at the unified command level, 42:08.400 --> 42:11.380 and in the office of the Secretary of Defense? 42:13.940 --> 42:15.240 - So Senator, I take your point, 42:15.240 --> 42:19.840 and I think that's where Section 1637 of NDAA-FY-18 42:19.840 --> 42:22.020 is looking at is, how do you bring that together? 42:22.020 --> 42:23.650 How do you have one look? 42:23.650 --> 42:25.263 And I believe that OSD is working 42:25.263 --> 42:27.420 that piece of it right now, Senator. 42:27.500 --> 42:31.520 - Okay, and as you work that, then you've got to 42:31.620 --> 42:35.540 have an answer to the question, who is responsible 42:36.050 --> 42:39.730 for strategic information operations, 42:41.000 --> 42:43.680 the kind of operation that Russia 42:43.980 --> 42:48.210 had conducted against us in our elections. 42:50.970 --> 42:53.730 Anything you can comment on that in this 42:55.380 --> 42:57.010 setting, at this time, even though 42:57.010 --> 42:58.810 you don't have the Four Star? 42:59.170 --> 43:00.840 - So Senator, I will wait until 43:01.290 --> 43:02.930 the OSD has completed that study. 43:02.930 --> 43:04.930 I think that's important as we 43:04.930 --> 43:06.680 take a look and move forward, over. 43:07.670 --> 43:10.740 - Okay, I'll just close out, Mr. Chairman, by saying 43:11.490 --> 43:16.490 that it was so telling when Admiral Rogers, 43:17.800 --> 43:22.220 our Four Star Commander of which General Nakasone 43:22.270 --> 43:27.270 will relieve when Admiral Rogers retires, 43:29.020 --> 43:32.670 it was so telling that he said, 43:34.000 --> 43:36.350 he is ready to do the attacks, 43:36.350 --> 43:39.180 but he has not been given the authorities. 43:40.810 --> 43:41.643 And, 43:43.880 --> 43:47.690 I fear for American democratic institutions 43:47.690 --> 43:49.670 if we don't attack. 43:50.310 --> 43:51.520 Thank you, Mr. Chairman. 43:52.070 --> 43:52.908 - [Chairman Rounds] Senator McCaskill. 43:52.908 --> 43:53.889 - Thank you. 43:53.889 --> 43:56.560 I would just to speak briefly to you 43:56.870 --> 43:58.240 about a couple of issues. 43:58.260 --> 44:03.210 One is recruitment and retention of personnel 44:03.210 --> 44:06.720 that we need in terms of the cyber fight. 44:06.810 --> 44:10.410 You know, there are many things about 44:10.410 --> 44:12.980 the Defense Officer Personnel Management Act 44:12.980 --> 44:16.050 that, I think, enhances the strength of our military, 44:16.540 --> 44:18.100 but there's also some things about it 44:18.100 --> 44:21.380 that don't seem to make much sense in certain contexts. 44:21.890 --> 44:24.840 And I really would love to get your all's input 44:24.840 --> 44:29.790 to how the upper-out issue relates to 44:30.020 --> 44:32.040 the expertise we need in cyber. 44:33.317 --> 44:37.260 You know, I know that pilots in the Army 44:37.420 --> 44:39.320 can, typically, be warrant officers who can 44:39.320 --> 44:41.940 progress in rank, but still continue to fly. 44:42.610 --> 44:45.200 Have we made the adjustments for cyber warriors 44:45.550 --> 44:47.810 to be able to adjust in rank and still be able 44:47.810 --> 44:51.400 to work in the cyber sector, or are we 44:52.420 --> 44:57.420 defaulting to the norm, which is moving them out of that 44:58.293 --> 45:01.300 MSO into something different, so that they 45:01.300 --> 45:04.160 can get experience throughout the various 45:04.160 --> 45:06.720 parts of our excellent military? 45:07.090 --> 45:11.290 So, I liked each of you to address briefly 45:11.780 --> 45:13.970 the recruitment and retention issues, 45:13.970 --> 45:17.510 and what issues that DOPMA may be causing 45:17.747 --> 45:21.770 for our retention of the very best 45:21.770 --> 45:23.550 in this really challenging field. 45:23.550 --> 45:26.740 We have enough trouble competing with the private sector 45:27.700 --> 45:30.140 without adding in some of the challenges 45:30.140 --> 45:32.830 that are inherent in the current way that we 45:33.200 --> 45:35.040 develop leadership in our military. 45:37.170 --> 45:38.003 Admiral? 45:40.380 --> 45:42.780 - Senator, good afternoon, and thanks for your question. 45:43.010 --> 45:45.880 So, if I could say real briefly, in terms of constraints, 45:45.880 --> 45:48.550 I think we have direct commission programs now, 45:48.550 --> 45:50.450 where we're trying to attract the best 45:50.450 --> 45:53.400 and the brightest from society to join us. 45:53.400 --> 45:56.010 And so, their entry level is at an Ensign 45:56.010 --> 45:58.310 or a Second Lieutenant, and so that pays 45:58.480 --> 46:00.770 about $37,000 a year, base pay. 46:00.770 --> 46:03.660 So, we are not competitive with the private sector 46:03.660 --> 46:05.000 in terms of competing for that kind 46:05.000 --> 46:07.180 of talent, and we want to go after it. 46:07.320 --> 46:08.153 Similarly, 46:08.153 --> 46:10.340 - I mean, you know, we can't, 46:10.381 --> 46:13.578 that's what we pay somebody to answer the phones around 46:13.578 --> 46:16.525 here, and we're asking them to have incredible expertise. 46:16.525 --> 46:18.910 That seems, to me, totally unrealistic. 46:19.570 --> 46:21.520 - Yes, ma'am, and there have been other 46:22.160 --> 46:24.570 hearings in the Hill recently where this has been 46:24.570 --> 46:26.814 addressed by the personnel chiefs, in terms of 46:26.814 --> 46:29.710 requesting additional relief so that we can give 46:29.710 --> 46:32.570 people credit for their years of service 46:32.570 --> 46:37.570 in the outside sector, and pay them what they deserve, 46:38.510 --> 46:41.400 in terms of being competitive with the private sector. 46:41.527 --> 46:44.420 In terms of up-or-out, we have not made 46:44.420 --> 46:47.090 any modifications yet, although we know we are going 46:47.090 --> 46:49.510 to have to take a look at that and do so in the future, 46:49.510 --> 46:51.850 'cause to your point, we're just gonna hemorrhage talent 46:51.850 --> 46:55.010 at those upper ranks where we really don't need to, 46:55.010 --> 46:56.710 we can retain those people longer. 46:57.610 --> 47:00.310 If I could talk about the civilian force for a moment, 47:00.450 --> 47:02.040 that's where we do have some challenges 47:02.040 --> 47:06.530 in terms of some fairly rigid guidelines that we have 47:06.530 --> 47:08.860 to follow, in terms of the amount of incentives 47:08.860 --> 47:10.240 that we can offer people coming in, 47:10.240 --> 47:14.650 maybe a 10% hiring raise, maybe a 10% relocation bonus. 47:15.280 --> 47:18.299 perhaps, in some cases, accelerated promotion, 47:18.299 --> 47:21.940 but not broadly enough to make us a very attractive 47:22.080 --> 47:24.650 employer for those in the private sector. 47:24.720 --> 47:28.490 I think that the Cyber Excepted Service 47:28.640 --> 47:30.030 is a step in the right direction, 47:30.030 --> 47:32.280 in terms of providing us more latitude, 47:32.920 --> 47:37.228 but I still think that we will likely 47:37.228 --> 47:41.110 need more authorities to remain competitive, 47:41.110 --> 47:43.470 or to be competitive, with the private sector. 47:43.470 --> 47:45.870 - Is there any other input that anyone 47:45.870 --> 47:47.100 would like to give on this subject? 47:47.100 --> 47:49.010 - Senator, I would just say that I agree 47:49.010 --> 47:50.353 with everything that Admiral Gilday said. 47:50.353 --> 47:54.440 I think cyber is gonna be the game changer for us. 47:54.490 --> 47:57.360 We, in the Marine Corps, just established the new MOS 47:57.360 --> 47:59.110 so that we could target incentives. 47:59.400 --> 48:03.100 Already, I think, we're gonna maximize the bonus structure 48:03.100 --> 48:05.200 that we have inside the Marine Corps to kind of get after 48:05.200 --> 48:07.670 and retain some of this special talent. 48:07.810 --> 48:09.840 The Commandant makes the point all the time, 48:09.840 --> 48:11.760 we may end up with a platoon of war officers, 48:11.760 --> 48:13.640 and that's gotta be okay with us. 48:13.980 --> 48:16.102 So, I know at the highest level of our service, 48:16.102 --> 48:18.040 he's willing to challenge status quo, 48:18.040 --> 48:20.790 and the key for us is to figure out, 48:20.830 --> 48:22.470 what exactly is that incentive? 48:22.510 --> 48:24.380 In some cases, ma'am, it's not pay. 48:24.490 --> 48:27.030 Sometimes it's education, sometimes a certificate, 48:27.030 --> 48:28.450 sometimes it's, you know. 48:28.450 --> 48:31.110 So, for us, it's being able to target those incentives 48:31.110 --> 48:32.440 and have the freedom of action to do that 48:32.440 --> 48:34.090 to retain the best talent, ma'am. 48:34.920 --> 48:35.810 - Anybody else? 48:36.210 --> 48:38.360 - I want to add to General Reynolds' point. 48:38.840 --> 48:40.350 For the Army, what we have taken 48:40.350 --> 48:41.870 a look at is our career fields. 48:41.870 --> 48:44.610 So, Senator, as you discussed, the challenge with DOPMA 48:44.610 --> 48:47.290 right now, you know, up-or-out, what we have looked at is, 48:47.290 --> 48:49.540 is there a career field out there for a tool developer 48:49.540 --> 48:51.250 that all he's gonna do for 20 years 48:51.250 --> 48:52.950 is develop these exquisite tools? 48:52.950 --> 48:54.010 We think there is. 48:54.180 --> 48:56.153 One of the things that I've seen, 48:56.153 --> 48:58.774 across all the services, the senior leadership do 48:58.774 --> 49:01.300 try new flexibility on these things. 49:01.300 --> 49:02.750 Are we gonna send enlisted soldiers 49:02.750 --> 49:04.660 to get a graduate degree, are we gonna send them 49:04.660 --> 49:06.900 to training with industry, are we gonna do different type 49:06.900 --> 49:09.610 of activities that will be attractive to them? 49:09.840 --> 49:11.940 Not all of them will work, some of them will, 49:11.940 --> 49:13.570 but unless we try some of these things, 49:13.570 --> 49:17.110 I think that we're gonna have a challenge in the future. 49:17.630 --> 49:20.140 - Well, if you have the flexibility with MOS descriptions 49:20.140 --> 49:23.240 and MOS incentives, then that's one thing. 49:23.240 --> 49:25.950 But I would really appreciate, if there are things 49:25.950 --> 49:28.960 that we could add the the NDAA this year, 49:29.750 --> 49:33.130 to give you more tools, to recruit and retain. 49:33.200 --> 49:36.500 There is no question that if there is one area that 49:36.500 --> 49:40.130 I pretty much believe, on a bipartisan basis, 49:40.130 --> 49:43.290 everyone realizes that we have got to up our game, 49:43.380 --> 49:45.020 it is in cyber warfare. 49:45.470 --> 49:47.190 Because clearly, right now, 49:47.190 --> 49:48.940 I would not say that we're winning. 49:50.410 --> 49:53.100 And I don't like it when we're not winning. 49:54.420 --> 49:56.620 And so, some of that is complicated 49:56.620 --> 49:58.780 by policy decisions, but some of it is 49:58.950 --> 50:01.230 us getting the very best and very brightest. 50:01.430 --> 50:03.610 And so, if there are specific things we could do 50:03.610 --> 50:06.020 to give you additional flexibility or tools, 50:06.100 --> 50:08.250 I'd really appreciate it if you would share them with us 50:08.250 --> 50:12.110 before we begin our consideration of the NDAA this year. 50:13.830 --> 50:16.200 - [Chairman Rounds] I recognize that you are over on time, 50:16.200 --> 50:18.230 but I know that General Weggeman had tried to make 50:18.230 --> 50:20.600 a comment, as well, and I would allow General Weggeman 50:20.600 --> 50:22.970 to respond, as well, if he'd like to, at this time. 50:23.440 --> 50:28.220 - I think my compatriots provided most of the responses. 50:29.190 --> 50:31.650 For me, I personally believe the services 50:31.650 --> 50:33.670 recruit, first, based upon values, 50:34.010 --> 50:36.530 and then, second, based upon talent or skillset. 50:36.800 --> 50:38.671 And so, I think the cornerstone we have, 50:38.671 --> 50:41.421 as cyberspace operations professionals, is our mission. 50:41.670 --> 50:43.350 As you all know, we're the only organization 50:43.350 --> 50:44.810 that has the mission to do what we do, 50:44.810 --> 50:46.710 when directed and authorized, legally. 50:47.620 --> 50:50.670 And so, I look at that as the biggest retention tool 50:50.670 --> 50:54.590 we have, it's like young Captain Weggeman 50:54.680 --> 50:57.890 on the F-16 line, when I flew four times a week, 50:58.080 --> 50:59.610 I was as happy as they get. 50:59.870 --> 51:02.520 Give me any mission, send me anywhere, I'm up for it. 51:02.830 --> 51:05.350 It's the same for our cyber operations professionals. 51:05.350 --> 51:06.370 Reps and sets. 51:06.370 --> 51:08.860 So, we have to make sure we're giving them the tools, 51:08.860 --> 51:10.850 the infrastructures, and the environments, 51:10.850 --> 51:12.270 so that they can sharpen and hone 51:12.270 --> 51:14.620 their trade crafts, so they get those sorties, 51:14.760 --> 51:17.500 and that helps with retention, for sure. 51:17.540 --> 51:21.050 But, you know, the second thing that would help us all is, 51:21.050 --> 51:22.940 we're all working together, I think we're working 51:22.940 --> 51:26.520 with industry, on cutting-edge assessment tools 51:26.520 --> 51:29.100 to assess a cyber aptitude of an individual 51:29.100 --> 51:30.860 when they come in front of us. 51:32.430 --> 51:34.340 The interesting thing I learned from the people, 51:34.340 --> 51:35.776 again, I'm not a technologist, ma'am, 51:35.776 --> 51:37.730 I'm a fighter pilot by training, 51:37.800 --> 51:39.920 but what I've learned is, the biggest thing we ask them 51:39.920 --> 51:42.520 to assess them is, what do you do on your home time? 51:42.890 --> 51:45.870 Are you scripting on Python, are you on a Metasploit? 51:45.870 --> 51:47.260 Are you coding, are you taking 51:47.260 --> 51:49.310 raspberry pies and putting them together? 51:49.890 --> 51:51.750 That's actually one of the best, most powerful 51:51.750 --> 51:53.180 assessment tools, so that's one of 51:53.180 --> 51:55.410 the things we ask them in terms of that. 51:55.510 --> 51:57.140 And then, I think you've given us a lot 51:57.140 --> 51:58.530 of the powerful arrows in our quiver, 51:58.530 --> 52:00.930 which is to direct-assess and direct-commission. 52:01.000 --> 52:03.130 The Air Force has, in 15 days from now, 52:03.130 --> 52:06.140 our first two pilot direct commissionees go to OTS. 52:06.690 --> 52:08.190 One will be a Second Lieutenant, 52:08.190 --> 52:09.023 one will be a First Lieutenant. 52:09.023 --> 52:10.190 So, we appreciate that. 52:10.190 --> 52:11.680 We'll certainly get back to you on what 52:11.680 --> 52:14.760 we could ask of you in the next NDAA. 52:14.813 --> 52:17.100 But I just wanted to offer the mission perspective 52:17.100 --> 52:19.120 as being the cornerstone for retention. 52:19.320 --> 52:20.220 From my perspective. 52:20.220 --> 52:22.580 - Makes sense, thank you. - Thank you, thank you. 52:22.580 --> 52:24.530 - [Chairman Rounds] Senator Gillibrand. 52:24.570 --> 52:25.403 - Thank you, Mr. Chairman. 52:25.403 --> 52:28.120 I just want to say, I agree with Senator McCaskill strong 52:28.520 --> 52:31.500 that, please give us a request for authorities 52:31.500 --> 52:35.390 on any of the issues where you need support, resources, 52:35.420 --> 52:37.880 flexibility, whatever it is, any ideas, 52:37.880 --> 52:40.630 and I've talked to Lieutenant General about this before. 52:40.630 --> 52:42.990 So, anything you need, we will provide, 52:43.140 --> 52:45.240 'cause we feel so passionately about this. 52:45.870 --> 52:49.790 For Generals Nakasone and Weggeman, you're both building 52:49.790 --> 52:52.860 out-reserve components for cyber capability right now. 52:54.310 --> 52:57.960 The Guard has now built a new out-Task Force Echo, 52:57.960 --> 53:00.580 which has been deployed to Fort Meade. 53:01.130 --> 53:03.950 General Nakasone, what do you see as the longterm mission 53:03.950 --> 53:05.790 of the Army-Guard Cyber component? 53:07.332 --> 53:09.830 - Senator, in reference to our Guard component, 53:09.830 --> 53:12.620 we'll build 11 teams over the next four years. 53:13.190 --> 53:15.669 They will be doing both state missions 53:15.669 --> 53:19.210 when not activated, and they will also be doing 53:19.210 --> 53:21.340 such things as Task Force Echo, which is 53:21.630 --> 53:24.710 a mobilized mission to protect our infrastructure. 53:25.070 --> 53:26.330 What we have found working with 53:26.330 --> 53:28.140 the Guard are several elements. 53:28.140 --> 53:30.652 First of all, incredible base of talent. 53:30.652 --> 53:31.485 - [Senator Gillibrand] Mmhmm. 53:31.485 --> 53:35.210 - Secondly is the ability to provide them the same 53:35.210 --> 53:37.406 training standard that our active component gets, 53:37.406 --> 53:39.270 and the third thing is to equip them 53:39.270 --> 53:41.140 with the same tools that we use 53:41.140 --> 53:43.030 on the active side and the reserve side. 53:43.030 --> 53:44.530 That's powerful for us, ma'am. 53:45.200 --> 53:46.900 - And I think you agree with this, 53:46.900 --> 53:49.700 but could the Guard help address some of the existing gaps 53:49.700 --> 53:53.010 in our whole-of-nation approach to cyber, and could it serve 53:53.010 --> 53:55.270 as a conduit between state, local, and federal government, 53:55.270 --> 53:57.610 as well as the private sector, because of the unique 53:57.610 --> 54:00.110 relationships on the ground and authorities? 54:00.960 --> 54:01.793 - I do agree, Senator. 54:01.793 --> 54:03.420 - And General Weggeman? 54:04.040 --> 54:07.090 - Thank you, ma'am, yes, I'll go last question first. 54:07.090 --> 54:09.746 Absolutely, and I think the Air National Guard 54:09.746 --> 54:13.240 and the 262 Cyber Operation Squadron in Washington State 54:13.560 --> 54:15.650 is a great exemplar of how you can partner 54:15.650 --> 54:18.000 with state utilities, and now, they're working through 54:18.000 --> 54:20.428 the legal dimension of even a private sector utility 54:20.428 --> 54:22.680 for how we would provide support 54:22.940 --> 54:26.164 from an industrial-based SCADA system support 54:26.164 --> 54:28.790 and electrical-power SCADA system support. 54:29.960 --> 54:32.180 So, that's the Guard, the citizen airmen and that state 54:32.180 --> 54:35.320 helping both their state and private sector utilities, 54:35.320 --> 54:36.370 and that's actually ongoing. 54:36.370 --> 54:39.570 And they have three dedicated 10-person UTCs, 54:41.020 --> 54:42.580 think of them as deployable teams, 54:42.580 --> 54:45.450 that are specialized in EP, electrical power 54:45.450 --> 54:47.930 SCADA systems, as one example to this. 54:47.930 --> 54:49.289 So, we're already, I think they're 54:49.289 --> 54:50.520 a great exemplar to go to. 54:50.520 --> 54:53.540 In terms of the Air Force, we've built in, 54:53.540 --> 54:57.210 in our CMF build, Guard and Reserve capabilities already. 54:57.210 --> 55:01.130 So, right now, we have 15 Guard cyber squadrons that have 55:01.130 --> 55:04.410 contributed to build three of the active duty CMF teams, 55:04.410 --> 55:07.310 two cyber protection teams, and one national mission team. 55:08.600 --> 55:10.580 They're currently, actually, the Guard forces 55:10.580 --> 55:13.070 from New York, New Jersey, and Texas 55:13.070 --> 55:15.810 are the three states currently manning those teams. 55:15.810 --> 55:18.630 They've gone through Nettan, full mobilization rotations. 55:18.630 --> 55:21.040 And so, in-dwell, right now, the Air Force already 55:21.040 --> 55:23.750 has 10 cyber protection teams in the Guard, 55:23.790 --> 55:26.300 in-dwell, for surge capacity, if required. 55:26.690 --> 55:29.880 - I'd like to ask you, for the record, both of you, 55:30.290 --> 55:34.340 for a recommendations in terms of how we could use 55:34.340 --> 55:36.880 the National Guard to support next year's election 55:37.070 --> 55:40.640 from cyber attack as a critical infrastructure. 55:40.650 --> 55:43.340 And I understand from earlier hearings that you don't feel 55:43.340 --> 55:45.127 you have that authority from the President, 55:45.127 --> 55:47.060 but what I would like for this committee 55:47.060 --> 55:48.650 is recommendations to this committee that, 55:48.650 --> 55:49.940 if you were given that authority, 55:49.940 --> 55:52.150 what you would like to implement, 55:52.150 --> 55:53.940 and what resources or support you would need 55:53.940 --> 55:56.220 to implement that specific mission. 55:56.360 --> 55:59.220 And I will, then, use that, because this is something 55:59.220 --> 56:02.060 that both Senator Rounds and Nelson have been 56:02.060 --> 56:04.325 very focused on, because we do see the election 56:04.325 --> 56:07.460 as critical infrastructure, we do see an attack 56:07.460 --> 56:10.140 on our election infrastructure as a declaration of war, 56:10.140 --> 56:13.440 and I wanna know, if we ever were able to give you 56:13.440 --> 56:15.820 the authority to protect the next election 56:15.940 --> 56:18.100 how you would use the National Guard, specifically, 56:18.100 --> 56:20.280 to do that, and what additional, 56:20.280 --> 56:21.630 either resources or authorities, 56:21.630 --> 56:24.080 you would need if you were tasked with that duty. 56:24.410 --> 56:25.730 Because that's something this committee's been 56:25.730 --> 56:28.035 very focused on for a long time, and we'd like your input, 56:28.035 --> 56:31.490 specifically if we were to do that in the NDAA. 56:32.760 --> 56:35.297 - Okay, so I appreciate, ma'am, giving me the latitude. 56:35.297 --> 56:37.630 If that policy was given and the authorities were given, 56:37.630 --> 56:40.490 I think there's two specific things that I think 56:40.490 --> 56:42.730 are essential, and it kind of goes to the fire forces 56:42.730 --> 56:45.210 we've learned that can fight fires, 56:45.243 --> 56:48.150 and it goes to pre-scripted knowledge and missions. 56:48.670 --> 56:50.440 And unless you want us to be what I would call 56:50.440 --> 56:52.100 a wet-cleanup-on-aisle-five force, 56:52.100 --> 56:54.210 if you want us to be there and preventively 56:54.210 --> 56:55.630 build security and defense, - Correct. 56:55.630 --> 56:57.895 - to thwart malicious cyber activities, 56:57.895 --> 57:01.240 we would need the authorities and the tools 57:01.240 --> 57:03.589 and the infrastructure, some of our defensive kits, 57:03.589 --> 57:08.589 that are purposely tailored to the networks and systems 57:09.380 --> 57:13.820 that you would want us to support the state and local SCADA, 57:13.820 --> 57:16.700 or sorry, infrastructure Sicarus systems with. 57:16.700 --> 57:19.250 So, we need to know the network topology, 57:19.250 --> 57:21.700 we need to know the hardware, firmware, software 57:21.700 --> 57:24.140 that it operates, so that we can be responsive, 57:24.140 --> 57:26.850 we can censor, we can share information, 57:26.850 --> 57:29.180 and we can be proactive in defense. 57:29.590 --> 57:30.900 - So, that is the guidance I'd like you to write 57:30.900 --> 57:33.410 to this committee, by letter, to say, 57:33.410 --> 57:35.270 if we were ever given this responsibility, 57:35.270 --> 57:36.820 if we were ever given this authority, 57:36.820 --> 57:38.300 these are the 10 things we would need. 57:38.300 --> 57:41.030 And that's item number one, we would need access 57:41.030 --> 57:44.390 to all the information and systems that are used 57:44.390 --> 57:47.230 state-by-state, we would need access to the resources 57:47.230 --> 57:50.390 to be able to develop expertise in each of these systems, 57:50.490 --> 57:51.660 we would need, x, y, and z. 57:51.660 --> 57:54.040 So, just tactically, what do you need, 57:54.040 --> 57:56.010 and then, we can, at least as a committee, decide, 57:56.010 --> 57:59.490 do we want to put that in the NDAA as authorities 58:00.080 --> 58:01.550 for you to, then, go ahead and do. 58:01.550 --> 58:04.160 Obviously, the president would have to sign off on that, 58:04.160 --> 58:06.390 but as our work from the committee, we've had so many 58:06.390 --> 58:09.050 hearings on cyber specifically, and I feel like 58:09.050 --> 58:11.270 your hands have been tied every time we talk 58:11.270 --> 58:12.950 about one critical infrastructure, 58:12.950 --> 58:14.220 which is our electoral system. 58:14.220 --> 58:15.730 And we already know we have foreign 58:15.730 --> 58:18.340 adversaries who are hammering it daily. 58:18.470 --> 58:20.610 We also know that we now have 58:20.610 --> 58:23.743 the technology, because we had a 58:23.743 --> 58:27.580 hackathon, and actually effectively hacked vote totals. 58:27.580 --> 58:29.930 Our own cyber experts could do that 58:29.930 --> 58:31.860 within, I think, a 24-hour period. 58:31.920 --> 58:34.050 So, we know what the vulnerabilities are. 58:34.050 --> 58:36.210 I just want to proactively know from you guys, 58:36.210 --> 58:37.670 with your expertise, what you would need 58:37.670 --> 58:40.730 if you were told, you need to prevent this, 58:40.730 --> 58:43.790 and you need to start a new mission. 58:43.840 --> 58:46.137 So, just guidance, so we know what it looks like. 58:46.137 --> 58:48.860 We also have several private sector 58:48.860 --> 58:50.840 think-tanks working on this, as well. 58:50.840 --> 58:52.340 What would be their recommendations, 58:52.340 --> 58:54.900 to go to everyone of the 50 Secretaries of State. 58:55.300 --> 58:57.110 We'll have that information soon enough. 58:57.110 --> 59:00.200 We have a bill with, Senator Graham and I, to create 59:00.200 --> 59:03.110 a 9-11-style deep-dive to assess 59:03.230 --> 59:04.820 what are the vulnerabilities, and what are 59:04.820 --> 59:07.440 the 10 things, as a secondary effort, too. 59:07.540 --> 59:09.290 But in the meantime, I'd like your guidance, 59:09.290 --> 59:12.070 'cause if we can put it in the NDAA in April, 59:12.070 --> 59:12.903 (clearing throat) 59:13.120 --> 59:13.953 or when is it? 59:13.953 --> 59:14.786 It's soon. 59:14.786 --> 59:15.619 - [Chairman Rounds] Well, yeah. 59:15.619 --> 59:16.452 - It'll be soon. 59:16.452 --> 59:17.285 - [Chairman Rounds] We're in the middle of it 59:17.285 --> 59:18.118 now. - Yeah, right now, 59:18.118 --> 59:19.440 so it'll be soon when we get to vote on it. 59:19.440 --> 59:20.273 Thank you. 59:20.360 --> 59:21.730 - [Chairman Rounds] Senator Nelson, I know that 59:21.730 --> 59:23.340 you're time-constrained, but if you'd like 59:23.340 --> 59:25.220 to make some comments or questions here, 59:25.220 --> 59:27.022 we'll do that before we start to finish up here 59:27.022 --> 59:28.522 a little bit early. - Thanks. 59:29.830 --> 59:33.640 General Nakasono, on the issue of direct commissioning, 59:34.460 --> 59:37.540 what are the legal limits that you cite, 59:37.690 --> 59:39.710 and should we alter them so that 59:39.710 --> 59:42.020 this program can be successful? 59:43.000 --> 59:45.240 - Senator, what we're facing right now 59:45.240 --> 59:48.020 is an inability to grant constructive credit. 59:48.500 --> 59:51.160 As Admiral Gilday spoke to, constructive credit 59:51.160 --> 59:54.709 is the recognition of someone's abilities or experience 59:54.709 --> 59:59.250 in the civilian sector, transformed and measured 59:59.900 --> 01:00:02.950 against what rank they may come in within the military. 01:00:02.950 --> 01:00:05.700 Right now, I believe that we are limited 01:00:05.700 --> 01:00:08.650 to First Lieutenant, bringing them in as a First Lieutenant. 01:00:08.650 --> 01:00:10.910 And so, we would like greater flexibility on that, 01:00:10.910 --> 01:00:12.650 based upon greater experience. 01:00:12.680 --> 01:00:14.209 I think that's important, when you think about some of 01:00:14.209 --> 01:00:17.032 the capabilities and some of the talent we're looking for. 01:00:17.032 --> 01:00:19.380 People on big data, artificial intelligence, 01:00:19.380 --> 01:00:21.590 machine learning, forensics malware analysis, 01:00:21.590 --> 01:00:25.490 those are all things that are not necessarily attractive 01:00:25.490 --> 01:00:27.760 to come in as a young First Lieutenant. 01:00:29.210 --> 01:00:32.440 - And do you think that's hampering us 01:00:32.440 --> 01:00:33.840 getting people to join? 01:00:35.340 --> 01:00:36.173 - I do, Senator. 01:00:37.490 --> 01:00:39.270 - So, how do you fix that? 01:00:39.600 --> 01:00:41.190 Put them at a higher rank? 01:00:41.220 --> 01:00:43.570 _ So, one of the things we've been working with 01:00:43.940 --> 01:00:46.010 your staffers is to look at how we 01:00:46.010 --> 01:00:48.210 better measure constructive credit, 01:00:48.380 --> 01:00:50.530 to allow them to come in at a higher grade. 01:00:51.970 --> 01:00:55.950 - General Reynolds, tell me, 01:00:57.690 --> 01:01:00.190 if you get a direct commission into the Marine Corps, 01:01:00.190 --> 01:01:02.150 does that mean that they still 01:01:02.150 --> 01:01:06.100 have to be able to do 15 pull-ups? 01:01:08.460 --> 01:01:09.293 - Yes, sir. 01:01:09.430 --> 01:01:11.960 - Good, I'm glad, General. 01:01:15.320 --> 01:01:20.090 Why should cyberspace be any different from other domains? 01:01:20.090 --> 01:01:22.240 Do we need the legislation 01:01:24.120 --> 01:01:28.090 to establish, without a doubt, that traditional 01:01:28.090 --> 01:01:32.420 military activities include cyber operations? 01:01:37.880 --> 01:01:41.550 Well, General Nakasone, you're gonna be the big chief, 01:01:42.080 --> 01:01:44.000 so why don't you try to answer that. 01:01:45.810 --> 01:01:47.550 - So, I don't think it should be any different 01:01:47.550 --> 01:01:48.850 than the other domains, Senator. 01:01:48.850 --> 01:01:51.340 I think that this has been a product of 01:01:52.320 --> 01:01:56.140 a very, very young and maturing force 01:01:56.150 --> 01:01:59.030 that we have some unique capabilities 01:01:59.230 --> 01:02:02.070 and characteristics of how we operate. 01:02:02.070 --> 01:02:03.879 Not having borders is something that 01:02:03.879 --> 01:02:07.980 really isn't applicable in the other domains, minus space. 01:02:08.250 --> 01:02:10.240 And so, one of the things that we, again, 01:02:10.240 --> 01:02:13.330 have come to is being able to define traditional 01:02:13.330 --> 01:02:16.000 military activities has sometimes been hard. 01:02:16.270 --> 01:02:18.880 It's much harder if you're not operating in the space. 01:02:18.880 --> 01:02:21.630 And now that we are continually operating in the space, 01:02:21.810 --> 01:02:23.060 I think we have a much greater way 01:02:23.060 --> 01:02:24.610 of being able to determine what 01:02:24.620 --> 01:02:27.330 traditional military activities are. 01:02:28.330 --> 01:02:29.163 - Thank you. 01:02:30.511 --> 01:02:31.344 - [Chairman Rounds] Admiral Gilday. 01:02:31.344 --> 01:02:32.210 - Sure. - Briefly. 01:02:32.210 --> 01:02:35.160 - Sir, I respect your time, as you want to depart. 01:02:35.249 --> 01:02:38.520 The comment that I'd make, with respect to cyber 01:02:38.520 --> 01:02:39.915 and traditional military activities, 01:02:39.915 --> 01:02:43.920 is that the longer that it takes to integrate cyber 01:02:44.090 --> 01:02:47.040 into the other war-fighting domains, 01:02:47.230 --> 01:02:49.030 the longer it takes to normalize it, 01:02:49.720 --> 01:02:52.620 the longer it takes for people to get comfortable with it, 01:02:52.869 --> 01:02:57.869 and the more it's treated as a special kind of action, 01:02:59.610 --> 01:03:01.510 it's difficult to get authorities for. 01:03:01.610 --> 01:03:03.910 To the point that you made in your opening comments 01:03:03.910 --> 01:03:06.650 about the Russians, and it's related to this, 01:03:07.480 --> 01:03:10.370 we're at a point, right now, where we've allowed 01:03:10.370 --> 01:03:12.740 the Russians to establish those boundaries. 01:03:12.800 --> 01:03:15.580 We've allowed them, in any other space, 01:03:15.580 --> 01:03:17.780 the maritime, the air, the land, 01:03:17.910 --> 01:03:21.530 you want to gain access so that you can dominate. 01:03:21.530 --> 01:03:23.380 You want to put the enemy, you want 01:03:23.430 --> 01:03:26.090 to be in a position to dominate, whether it's physically, 01:03:26.090 --> 01:03:27.510 or, in this case, virtually. 01:03:28.100 --> 01:03:31.130 The Russians, the Chinese, North Koreans, 01:03:31.250 --> 01:03:32.760 when you talk about authorities, 01:03:32.760 --> 01:03:34.900 they have different rule-sets, they have a lower 01:03:34.900 --> 01:03:36.740 threshold for aggression, and so, 01:03:36.740 --> 01:03:38.500 they are gaining the initiative. 01:03:38.820 --> 01:03:42.310 And so, it becomes more difficult for us 01:03:42.310 --> 01:03:44.140 to gain a position of advantage, 01:03:44.190 --> 01:03:46.390 and to do the things that you want us to do. 01:03:46.720 --> 01:03:48.680 Changing policy is one thing. 01:03:48.980 --> 01:03:52.072 The will to act is a completely different problem set 01:03:52.072 --> 01:03:56.090 that is just as important as changing PPD 20, or changing 01:03:56.090 --> 01:03:59.000 any policies that underlie how we act in this space. 01:04:00.505 --> 01:04:03.422 (buttons clicking) 01:04:07.936 --> 01:04:08.880 (buttons clicking) 01:04:08.950 --> 01:04:09.783 - Thank you. 01:04:09.840 --> 01:04:11.917 I'm gonna follow up on this, because I think this really 01:04:11.917 --> 01:04:15.380 gets to the root of a lot of the questions that you've 01:04:15.380 --> 01:04:17.730 heard today, and comments that you've heard today. 01:04:17.760 --> 01:04:20.980 I know that Senator Gillibrand has discussed the issue 01:04:20.980 --> 01:04:23.930 of the electoral process, and how critical that is. 01:04:24.510 --> 01:04:25.980 But I think you can look at almost any 01:04:25.980 --> 01:04:27.740 of our critical infrastructure right now, 01:04:27.740 --> 01:04:30.386 and you can just simply ask the same question, 01:04:30.386 --> 01:04:34.050 and that is, if this was an act of war, 01:04:34.050 --> 01:04:35.910 or if this was an act of aggression, 01:04:36.470 --> 01:04:40.680 using kinetic forces, whether by air, land, or sea, 01:04:41.180 --> 01:04:43.810 there would be an expectation by the American public 01:04:43.810 --> 01:04:48.680 that our defense forces would be in a position to respond, 01:04:48.680 --> 01:04:52.090 to defend, but that also, there would be an expectation 01:04:52.090 --> 01:04:54.600 that the deterrent forces would come to bear. 01:04:55.459 --> 01:04:59.440 It seems with regard to cyber, 01:05:00.690 --> 01:05:05.690 we have yet to establish what those incidences are, 01:05:06.380 --> 01:05:09.800 and at what point they reach the point to where 01:05:09.800 --> 01:05:14.800 there has to be a deterrent reaction on our part. 01:05:16.840 --> 01:05:19.520 The Defense Science Board 01:05:20.140 --> 01:05:23.700 made it very clear that for the next 10 years, 01:05:24.280 --> 01:05:27.440 our defensive capabilities will not be equal 01:05:27.440 --> 01:05:30.190 to the offensive capabilities of our peer competitors. 01:05:30.910 --> 01:05:33.740 It's become very clear, and I think the discussion, 01:05:33.740 --> 01:05:36.241 and Admiral Gilday, I think you made mention to it, 01:05:36.241 --> 01:05:39.190 Russia has a different norm in terms of what they see 01:05:39.190 --> 01:05:43.640 as the opportunities within the cyber domain. 01:05:44.330 --> 01:05:45.830 I think we've seen that with a number 01:05:45.830 --> 01:05:49.700 of the peer competitors, and also some rogues, as well, 01:05:50.090 --> 01:05:54.970 and that is that they have used cyber as a way to 01:05:56.120 --> 01:05:59.480 impact our nation's, our assets, 01:05:59.680 --> 01:06:01.760 in some cases critical infrastructure, 01:06:01.760 --> 01:06:04.160 and in some cases, an electoral process. 01:06:05.120 --> 01:06:08.740 But most certainly, they do it, right now without a sense 01:06:08.740 --> 01:06:12.260 that we're prepared to offer that deterrence. 01:06:13.720 --> 01:06:16.430 Can we talk a little bit about what it would take, 01:06:16.430 --> 01:06:18.210 and about the challenges, not so much, 01:06:18.210 --> 01:06:20.390 and I recognize that this is an open session, 01:06:20.390 --> 01:06:23.200 but I think it's really important to lay out, 01:06:24.040 --> 01:06:26.760 as I said, when we talk about NATO issues, and so forth, 01:06:26.760 --> 01:06:28.660 and we talk about international norms, 01:06:30.080 --> 01:06:32.430 there is Talon One, and there's Talon-2.0, 01:06:33.020 --> 01:06:35.530 both of which try to establish what arises 01:06:35.530 --> 01:06:38.140 to an act of war in cyberspace, and also what 01:06:38.140 --> 01:06:40.810 the incidences are that have to be responded to. 01:06:42.020 --> 01:06:44.480 Isn't it really true that here, we have huge 01:06:44.480 --> 01:06:46.830 defensive capabilities, and that we have huge 01:06:49.160 --> 01:06:51.770 capabilities with regard to being able to 01:06:52.050 --> 01:06:55.590 infiltrate, sit silently, gather a huge amount of data, 01:06:56.120 --> 01:06:57.720 as good as anybody in the world, 01:06:57.888 --> 01:07:02.530 and yet, at the same time, because we want to make sure 01:07:02.530 --> 01:07:06.040 that we follow the norms, and that we are 01:07:08.150 --> 01:07:13.150 a respected neighbor, that we are very, very careful 01:07:13.320 --> 01:07:17.700 about how we respond in the domain of cyber? 01:07:18.460 --> 01:07:23.100 If it was air, land, or sea, there could be hell to pay, 01:07:23.610 --> 01:07:26.600 but in cyber, we're not quite prepared to identify, 01:07:26.600 --> 01:07:28.870 and to state publicly, what those norms are. 01:07:29.610 --> 01:07:31.410 What are the policy discussions? 01:07:31.440 --> 01:07:34.270 If I had a group of enlisted men and women 01:07:34.270 --> 01:07:35.720 sitting in front of me right now 01:07:35.720 --> 01:07:37.620 who are on the front lines doing this, 01:07:37.930 --> 01:07:40.870 and it was in a classified setting, they would spill 01:07:40.870 --> 01:07:44.230 their guts about how frustrated they can be, at times, 01:07:44.230 --> 01:07:46.840 and what they would really love to be able to do, 01:07:46.840 --> 01:07:51.350 but they recognize their responsibility 01:07:51.350 --> 01:07:54.330 to adhere to clear policy choices. 01:07:55.220 --> 01:07:57.020 And I know this is more of a statement than it is 01:07:57.020 --> 01:07:59.310 a question, but it's your turn now. 01:07:59.800 --> 01:08:01.440 You've thought about this a lot. 01:08:02.120 --> 01:08:05.082 Can you, in this open space, talk a little bit 01:08:05.082 --> 01:08:07.590 about the challenges that you see, 01:08:07.860 --> 01:08:10.760 and perhaps some of the frustrations that you have, 01:08:10.886 --> 01:08:15.010 in terms of protecting our critical infrastructure, 01:08:15.200 --> 01:08:17.620 civilian resources, and so forth, 01:08:17.672 --> 01:08:22.672 that perhaps the public simply doesn't recognize, 01:08:23.370 --> 01:08:25.640 and that we should be talking about more? 01:08:27.320 --> 01:08:28.510 - Senator, I'll begin on this. 01:08:28.510 --> 01:08:30.720 This is a very important question. 01:08:30.720 --> 01:08:33.450 So, I think it begins with, what is the strategy 01:08:33.450 --> 01:08:35.650 for the defense of the nation in cyberspace? 01:08:36.160 --> 01:08:39.080 That is an overall question that I think has to be asked, 01:08:39.080 --> 01:08:41.050 has to be debated, has to be discussed 01:08:41.050 --> 01:08:43.820 amongst policy makers, the American people, and others. 01:08:43.970 --> 01:08:46.240 - Would you, let me just stop you right there. 01:08:46.240 --> 01:08:48.440 Fair to say that we really don't have 01:08:48.810 --> 01:08:51.500 a true cyber policy established yet. 01:08:53.180 --> 01:08:55.950 - So, I've learned from my testimony over the past 01:08:55.950 --> 01:08:58.610 couple weeks, Senator, that this committee has asked 01:08:58.610 --> 01:09:00.260 many times for a policy, and that one 01:09:00.260 --> 01:09:02.410 still has not been delivered, that is correct. 01:09:02.410 --> 01:09:03.243 - 'Kay. 01:09:03.243 --> 01:09:05.210 - I would offer that, and we think about the defense 01:09:05.210 --> 01:09:08.460 of the nation in cyberspace, roles, responsibilities, 01:09:08.460 --> 01:09:11.950 functions, missions, what are the elements that make it up? 01:09:11.950 --> 01:09:13.030 What are the parts of the government? 01:09:13.030 --> 01:09:14.950 What's the responsibility of the private sector 01:09:14.950 --> 01:09:19.190 that owns 90% of the networks that are necessary to protect? 01:09:19.920 --> 01:09:21.570 The next thing I think about a lot it is, 01:09:21.570 --> 01:09:23.340 what are the thresholds of support? 01:09:23.850 --> 01:09:25.251 So, when we think about this, 01:09:25.251 --> 01:09:28.030 how much of this responsibility should reside 01:09:28.180 --> 01:09:30.263 with the private sector, and at what point, 01:09:30.263 --> 01:09:33.250 when a nation-state actor has taken after our critical 01:09:33.250 --> 01:09:35.826 infrastructure does it become the responsibility 01:09:35.826 --> 01:09:38.326 of the Department of Defense to defend the nation? 01:09:38.900 --> 01:09:40.340 That is still a discussion point that, 01:09:40.340 --> 01:09:42.560 I think, is one to be had. 01:09:42.560 --> 01:09:44.090 And so, those are just a couple, Senator, 01:09:44.090 --> 01:09:45.420 that I would offer as I've thought 01:09:45.420 --> 01:09:48.040 about this question over the past several months. 01:09:49.670 --> 01:09:50.510 - General Reynolds. 01:09:50.510 --> 01:09:53.870 - Yes sir, I'd like to just add one or two thoughts on this. 01:09:53.920 --> 01:09:57.980 One of them is that, I guess, in my time 01:09:57.980 --> 01:09:59.273 in command at Marine Force Cyber, 01:09:59.273 --> 01:10:01.400 going back to the Defense Science Board, 01:10:01.400 --> 01:10:03.971 and what they learned about deterrence, 01:10:03.971 --> 01:10:06.760 one of the key findings was that we need 01:10:06.760 --> 01:10:08.320 to be able to deny the adversary. 01:10:08.320 --> 01:10:11.890 I don't want to speak for all of my peers here, sir, 01:10:11.890 --> 01:10:13.930 but we have spent an enormous amount of time, 01:10:13.930 --> 01:10:16.740 even inside the service, on this denial piece. 01:10:16.880 --> 01:10:20.260 How do we make sure that what I own is defensible, 01:10:20.260 --> 01:10:21.500 and that was a lot of work to do. 01:10:21.500 --> 01:10:24.900 And so, moving forward, will we have additional capacity? 01:10:24.900 --> 01:10:26.470 Yes sir, I think we would. 01:10:27.680 --> 01:10:30.980 But the other thing that I would like to make sure 01:10:30.980 --> 01:10:34.155 that we make a point here, in that, 01:10:34.155 --> 01:10:37.860 and it goes back to the JTF Aires lessons learned. 01:10:38.180 --> 01:10:42.910 What Aires did, I think, for US Cyber Command was provide, 01:10:44.510 --> 01:10:46.950 number one, a joint capability inside US Cyber Command, 01:10:46.950 --> 01:10:50.300 so you have all the services represented there, 01:10:50.300 --> 01:10:54.832 but it also gave an opportunity for the combatant commands 01:10:54.832 --> 01:10:57.940 to reach into Cyber Command in one single entry point. 01:10:57.940 --> 01:11:02.940 It gave the inner-agency one place, it gave our allies 01:11:03.370 --> 01:11:06.830 and partners one place to come in the counter-ISUL fight, 01:11:06.830 --> 01:11:08.670 and that was enormously important. 01:11:09.080 --> 01:11:12.080 And so, I think organizationally, moving forward, 01:11:12.880 --> 01:11:15.010 who are the other combatant commanders that are involved 01:11:15.010 --> 01:11:17.880 in the plan against Russia, how are we 01:11:17.880 --> 01:11:21.150 organizing it ourselves, it's really essential, Senator. 01:11:21.490 --> 01:11:22.323 - Thank you. 01:11:22.323 --> 01:11:23.156 General Gilday. 01:11:24.440 --> 01:11:26.040 - Sir, thanks for your question. 01:11:28.230 --> 01:11:29.530 The main point that I wanna make 01:11:29.530 --> 01:11:31.810 is that the force is not big enough. 01:11:32.200 --> 01:11:33.343 Not based on the discussion that we 01:11:33.343 --> 01:11:36.110 had in this room this afternoon. 01:11:37.400 --> 01:11:41.162 If there's expectations to protect critical infrastructure, 01:11:41.162 --> 01:11:45.860 to hold significant adversaries at risk, 01:11:45.940 --> 01:11:49.500 adversaries that we are in contact with everyday, 01:11:50.712 --> 01:11:54.800 then more needs to be done in terms of the build-out 01:11:54.800 --> 01:11:59.800 and the development of a cyber force that is comparable to 01:12:02.120 --> 01:12:04.940 the nation's reliance on cyberspace, 01:12:04.940 --> 01:12:07.560 for our economy, for our quality of life, 01:12:07.560 --> 01:12:09.210 it touches everything that we do. 01:12:09.530 --> 01:12:10.680 It's gigantic. 01:12:11.580 --> 01:12:13.530 And you take a look at the force, and you take a look 01:12:13.530 --> 01:12:15.730 at the number of trigger pullers we have, 01:12:16.588 --> 01:12:17.421 6,200. 01:12:20.407 --> 01:12:21.980 6,200. 01:12:22.380 --> 01:12:24.640 Take a look at the United States Navy, 01:12:25.020 --> 01:12:26.750 take a look at the United States Army, 01:12:26.750 --> 01:12:27.764 take a look at the Marine Corps, the smallest 01:12:27.764 --> 01:12:30.140 of the services, or the Air Force, and make 01:12:30.140 --> 01:12:32.810 a comparison there, based on what we talked about 01:12:32.810 --> 01:12:36.010 this afternoon in this room, the importance of cyberspace 01:12:36.320 --> 01:12:39.380 to the American people, to our quality of life. 01:12:39.610 --> 01:12:43.720 I think that that has to, at some point, be reassessed, 01:12:43.720 --> 01:12:45.470 and I think that the things that we have learned 01:12:45.470 --> 01:12:48.510 over the last two years need to play into that assessment. 01:12:48.830 --> 01:12:50.350 I think we need to be honest with ourselves, 01:12:50.350 --> 01:12:52.550 I think we need to act more boldly. 01:12:53.366 --> 01:12:56.420 - [Chairman Rounds] General Weggeman? 01:12:56.420 --> 01:12:57.940 - There's a benefit of going last, and I think 01:12:57.940 --> 01:12:59.960 a lot of the key points I would make. 01:12:59.960 --> 01:13:02.330 To Admiral Gilday's last point, I agree, 01:13:02.400 --> 01:13:06.330 the scope and scale of Sicarus is extremely vast, 01:13:06.330 --> 01:13:08.080 and I agree, our force is too small. 01:13:08.080 --> 01:13:11.540 So, we will have to think deliberately and calculated, 01:13:11.690 --> 01:13:13.650 in terms of what would be DOD's role, 01:13:13.650 --> 01:13:17.210 and to support that, and how do we best use a high-demand, 01:13:17.210 --> 01:13:20.010 low-density force, if a policy is written, 01:13:20.010 --> 01:13:22.530 to where we would provide that, above and beyond 01:13:22.625 --> 01:13:25.340 the National Guard or the Reserves. 01:13:25.780 --> 01:13:28.552 So, as the former J5 at Cyber Command, I've been taking 01:13:28.552 --> 01:13:31.764 about, you know, the cyber-deterrence question for a 01:13:31.764 --> 01:13:35.080 long time, and I'll give you, simplistically, my frame. 01:13:35.080 --> 01:13:37.480 The first thing is the phrase is flawed. 01:13:37.720 --> 01:13:41.140 I believe the proper way to say it is cyber-indeterrence. 01:13:42.900 --> 01:13:46.050 What is cyberspace operations' role, offense and defense, 01:13:46.050 --> 01:13:49.390 in a national strategic deterrence campaign? 01:13:49.690 --> 01:13:52.700 Admiral Rogers testified that, sometimes, 01:13:52.700 --> 01:13:54.560 you don't want to use cyber when you combat, 01:13:54.560 --> 01:13:56.070 so it's gotta be a whole-of-government, 01:13:56.070 --> 01:13:57.640 if not whole-of-nation campaign. 01:13:57.640 --> 01:14:00.320 The second thing about anything deterrence is, deter what? 01:14:00.320 --> 01:14:02.110 And I think what we constantly come back to 01:14:02.110 --> 01:14:03.630 in this forum is, we want to say we want 01:14:03.630 --> 01:14:05.360 to deter malicious cyber activity. 01:14:05.587 --> 01:14:08.960 So, if we want to deter or erode an enemy's confidence 01:14:08.960 --> 01:14:12.540 in their ability to pitch malicious cyber activity at us, 01:14:12.810 --> 01:14:15.100 again, we need to use every arrow in our quiver, 01:14:15.100 --> 01:14:18.670 as a nation, to deter that activity, and we are but one. 01:14:19.440 --> 01:14:22.990 We may be the least, have the least, amount of capability 01:14:22.990 --> 01:14:25.170 or capacity, and so we have to go to other things. 01:14:25.170 --> 01:14:27.760 But I do think it's all about cyber-indeterrence, 01:14:27.760 --> 01:14:29.160 and that's really important. 01:14:30.030 --> 01:14:32.950 I go back to the classic principles of, you know, 01:14:32.950 --> 01:14:35.330 within cyber, we have to be able to impose costs, 01:14:35.330 --> 01:14:38.080 we have to be able to deny benefit, and maybe, we do one 01:14:38.080 --> 01:14:40.230 in the cyberspace domain, another in another domain, 01:14:40.230 --> 01:14:42.530 whether it's land, sea, maritime, information, 01:14:43.860 --> 01:14:46.230 leveraging state department, or FBI, 01:14:46.230 --> 01:14:47.700 or other agency partners. 01:14:49.398 --> 01:14:50.963 And then the last is the concept of, 01:14:50.963 --> 01:14:53.750 in the Defense Science Board study, everything is about 01:14:53.750 --> 01:14:55.890 taking that first hit, it's a constant thing. 01:14:55.890 --> 01:14:57.520 For those of us that have been around, 01:14:57.520 --> 01:14:59.490 this is an offense-dominant domain. 01:15:00.160 --> 01:15:02.630 Our adversaries have exquisite capabilities, 01:15:03.050 --> 01:15:06.590 and if you want to be that second-strike force, 01:15:06.850 --> 01:15:10.610 you may not have that luxury, it's hard to recover. 01:15:10.790 --> 01:15:13.460 And so, I think we have to do a hard look at a nation, 01:15:13.460 --> 01:15:14.692 given the exquisite insights that our intelligence 01:15:14.692 --> 01:15:17.180 community can generate, the exquisite insights 01:15:17.180 --> 01:15:20.440 that our cyber forces and operators can generate, 01:15:22.080 --> 01:15:24.070 what is our realm of strategic preemption, 01:15:24.070 --> 01:15:26.160 and when would we have thresholds of triggers 01:15:26.160 --> 01:15:29.580 where we would strategically preempt a large release 01:15:29.580 --> 01:15:31.210 of malware that would take us down 01:15:31.210 --> 01:15:33.160 and set us back on our feet for a year. 01:15:33.913 --> 01:15:35.080 - Thank you. 01:15:35.370 --> 01:15:37.070 Now, let me just finish with this. 01:15:37.855 --> 01:15:40.530 General Nakasone, the Aires Project, 01:15:40.530 --> 01:15:42.680 they pointed out earlier that there were 01:15:42.680 --> 01:15:44.610 some challenges there, and that some 01:15:44.610 --> 01:15:46.380 of the conditions weren't the best. 01:15:46.565 --> 01:15:49.870 And yet, unless we clearly look at 01:15:49.870 --> 01:15:53.090 and we're critical in the way that we analyze 01:15:53.090 --> 01:15:55.950 our successes and where we need to improve, 01:15:57.290 --> 01:15:59.130 we're not really doing our job. 01:15:59.130 --> 01:16:02.079 And so, the fact that we could have a frank discussion 01:16:02.079 --> 01:16:05.010 about improvements and so forth, that's a positive thing. 01:16:05.550 --> 01:16:09.900 And showing how far we've come in a very short period 01:16:09.900 --> 01:16:12.400 of time, with regard to this particular domain, 01:16:12.810 --> 01:16:15.160 I think, is critical in creating more 01:16:15.160 --> 01:16:17.880 successful opportunities in the future. 01:16:18.010 --> 01:16:20.800 And if we ever get to the point where we can't look 01:16:20.800 --> 01:16:23.940 at those criticisms and say, these are learning experiences, 01:16:23.940 --> 01:16:25.390 and we can do better and we will learn 01:16:25.390 --> 01:16:27.630 from them, then we're in real trouble. 01:16:27.630 --> 01:16:30.050 So, first of all, I don't take offense 01:16:30.050 --> 01:16:32.910 from someone suggesting that there were challenges 01:16:32.910 --> 01:16:34.920 with a program, and that we're gonna 01:16:35.130 --> 01:16:36.205 have to do better in the future, and I think 01:16:36.205 --> 01:16:38.470 that's the way that it was perceived by the panel 01:16:38.470 --> 01:16:40.800 that's before us today, and I appreciate that. 01:16:41.280 --> 01:16:43.910 Second of all, I think what we've talked about here today, 01:16:43.910 --> 01:16:46.470 while we're talking about the positioning, 01:16:46.680 --> 01:16:49.350 the capabilities of our forces today 01:16:49.350 --> 01:16:52.770 from your perspective, I think what you've given us, 01:16:52.770 --> 01:16:54.810 in terms of an insight, as far as what 01:16:54.810 --> 01:16:58.830 the policy issues are, and the understanding 01:16:58.830 --> 01:17:01.870 of the American public, with regard to your mission 01:17:01.870 --> 01:17:04.480 right now, and the role that you have been asked to play, 01:17:04.480 --> 01:17:06.620 versus what I think, in many cases, 01:17:06.620 --> 01:17:10.460 is the expectation of an American public that says, 01:17:10.460 --> 01:17:13.270 to begin with, if someone attacks us in cyberspace, 01:17:13.270 --> 01:17:14.840 we should hit 'em hard in cyberspace, 01:17:14.840 --> 01:17:16.970 versus the appropriate role is, 01:17:16.970 --> 01:17:18.570 just because someone attacks us by sea 01:17:18.570 --> 01:17:21.320 doesn't mean we necessarily have to attack only by sea. 01:17:21.390 --> 01:17:23.740 We can attack a whole lot of different domains, 01:17:24.270 --> 01:17:28.380 but it does require this: that unless we are dominant 01:17:28.660 --> 01:17:32.960 in air, land, sea, space, and cyber, 01:17:33.940 --> 01:17:37.640 our adversaries will take advantage of any opening they see. 01:17:38.610 --> 01:17:41.750 And so, with that, I want to say thank you 01:17:41.750 --> 01:17:44.310 to Senator Gillibrand for being able 01:17:44.310 --> 01:17:46.020 to attend with us again today. 01:17:46.210 --> 01:17:49.255 I want to thank all of our 01:17:49.255 --> 01:17:51.960 witnesses here today for your testimony. 01:17:52.730 --> 01:17:55.700 This is not the last that we will see you all 01:17:55.700 --> 01:17:57.350 in front of our committees again. 01:17:57.780 --> 01:17:59.830 General Nakasone, we look forward to visiting with you 01:17:59.830 --> 01:18:02.310 in a new role, as well, when the opportunity comes, 01:18:02.310 --> 01:18:04.480 and unless anyone of our witnesses 01:18:04.480 --> 01:18:06.330 has anything further to add, 01:18:07.450 --> 01:18:11.180 we will call an adjournment to this meeting at this time. 01:18:11.360 --> 01:18:12.193 Thank you. 01:18:12.404 --> 01:18:14.723 (gavel pounding)