1 00:00:00,640 --> 00:00:02,751 the subcommittee will come to order . 2 00:00:06,840 --> 00:00:08,950 So I want to uh welcome to everyone 3 00:00:08,950 --> 00:00:10,839 today's hearing on the Department 4 00:00:10,839 --> 00:00:13,520 Defense Information technology , uh 5 00:00:13,530 --> 00:00:15,570 cyber security and information 6 00:00:15,580 --> 00:00:18,070 assurance . Uh This is the 7 00:00:18,070 --> 00:00:20,180 subcommittee's first hearing on the 8 00:00:20,180 --> 00:00:22,260 department's current I . T . Efforts 9 00:00:22,260 --> 00:00:24,630 and the requested investments for 10 00:00:24,630 --> 00:00:27,460 fiscal year 2022 . Since the sub 11 00:00:27,460 --> 00:00:29,516 committee was formed at the start of 12 00:00:29,516 --> 00:00:31,627 the 117th Congress . Our members have 13 00:00:31,627 --> 00:00:34,550 been eager and encouraged to see the 14 00:00:34,550 --> 00:00:37,200 Department Defense approach its 15 00:00:37,210 --> 00:00:39,780 information technologies with a 16 00:00:39,790 --> 00:00:42,080 prioritization that has been lacking in 17 00:00:42,080 --> 00:00:44,350 the past of the many lessons from the 18 00:00:44,350 --> 00:00:46,680 pandemic . We have seen clearly that 19 00:00:46,680 --> 00:00:49,470 technology can revolutionize how we 20 00:00:49,470 --> 00:00:51,530 conduct our business whether it's 21 00:00:51,540 --> 00:00:53,810 that's in Congress or in the Department 22 00:00:53,820 --> 00:00:56,580 of Defense . However it also requires 23 00:00:56,590 --> 00:00:58,701 that the infrastructure which enables 24 00:00:58,701 --> 00:01:00,590 our technology is prioritized and 25 00:01:00,590 --> 00:01:03,920 secured in a commensurate way . 
In my 26 00:01:03,920 --> 00:01:06,130 many years in Congress I've witnessed 27 00:01:06,130 --> 00:01:07,920 firsthand the progress that the 28 00:01:07,920 --> 00:01:10,350 department has made in improving the 29 00:01:10,350 --> 00:01:13,150 ways in which it can utilize technology 30 00:01:13,160 --> 00:01:15,370 nevertheless , uh There is still 31 00:01:15,370 --> 00:01:17,980 tremendous work to do . Year after year 32 00:01:17,990 --> 00:01:20,000 we have leaders from across the 33 00:01:20,000 --> 00:01:23,960 department uh tell us that they 34 00:01:24,340 --> 00:01:26,800 consider I . T . To be a priority uh 35 00:01:26,810 --> 00:01:29,440 before immediately pivoting to discuss 36 00:01:29,450 --> 00:01:32,090 how much funding they need for more 37 00:01:32,090 --> 00:01:35,040 flight hours or more aircraft or more 38 00:01:35,040 --> 00:01:38,330 tanks . Quite frankly I'd like to think 39 00:01:38,340 --> 00:01:41,110 that technology will truly be a 40 00:01:41,110 --> 00:01:43,277 priority when for example the Chief of 41 00:01:43,277 --> 00:01:45,790 Naval Operations says that the Navy can 42 00:01:45,790 --> 00:01:47,980 live with one less fighter aircraft in 43 00:01:47,980 --> 00:01:49,980 favor of greater I . T . Investment 44 00:01:51,240 --> 00:01:53,129 through multiple National Defense 45 00:01:53,129 --> 00:01:56,020 authorization act . Uh The Congress has 46 00:01:56,030 --> 00:01:58,200 judged it prudent to empower the chief 47 00:01:58,200 --> 00:02:00,200 information officer in managing the 48 00:02:00,200 --> 00:02:02,200 department's technology portfolio . 49 00:02:02,200 --> 00:02:04,620 Today the C . I . O . Is a Senate 50 00:02:04,620 --> 00:02:07,410 confirmed position has oversight over 51 00:02:07,420 --> 00:02:09,560 each of the services I . T . 
Budgets 52 00:02:09,640 --> 00:02:11,751 and manages not only the department's 53 00:02:11,751 --> 00:02:14,200 networks but also its electromagnetic 54 00:02:14,200 --> 00:02:16,200 spectrum enterprise and command and 55 00:02:16,200 --> 00:02:18,256 control and communications efforts . 56 00:02:18,256 --> 00:02:20,200 This places the C . I . O . in a 57 00:02:20,200 --> 00:02:22,210 unique operationalized role 58 00:02:22,220 --> 00:02:24,400 contributing to success in the 59 00:02:24,400 --> 00:02:27,050 department's no-fail missions . At the 60 00:02:27,050 --> 00:02:29,320 same time , there are still questions 61 00:02:29,320 --> 00:02:31,153 about how the Department Defense 62 00:02:31,153 --> 00:02:33,264 defines the role and responsibilities 63 00:02:33,264 --> 00:02:36,110 for cyber matters . If the Secretary 64 00:02:36,110 --> 00:02:38,670 of Defense is asked who is in charge of 65 00:02:38,670 --> 00:02:40,892 buying weapons for the department , the 66 00:02:40,892 --> 00:02:43,059 answer is unequivocal , unequivocal is 67 00:02:43,059 --> 00:02:44,948 the undersecretary of defense for 68 00:02:44,948 --> 00:02:46,614 acquisition and sustainment . 69 00:02:46,614 --> 00:02:48,837 Conversely , if the secretary is asked 70 00:02:48,837 --> 00:02:51,059 who is in charge of keeping D . O . D . 71 00:02:51,059 --> 00:02:53,003 networks safe , the fact that there 72 00:02:53,003 --> 00:02:54,837 isn't a single correct answer is 73 00:02:54,837 --> 00:02:57,059 troubling . The secretary could respond 74 00:02:57,059 --> 00:03:00,490 with the chief information officer or 75 00:03:00,490 --> 00:03:03,860 the uh the commander of Cyber Command 76 00:03:03,860 --> 00:03:06,570 or even the Chiefs of the Military 77 00:03:06,570 --> 00:03:09,620 Services and he wouldn't technically be 78 00:03:09,620 --> 00:03:12,630 wrong in any of these responses . 
So if 79 00:03:12,630 --> 00:03:15,750 we can teach every one of our new 80 00:03:15,750 --> 00:03:18,820 officers about the criticality of clear 81 00:03:18,820 --> 00:03:21,870 command and control , why can't uh it 82 00:03:21,870 --> 00:03:24,480 applied applied this to the highest 83 00:03:24,480 --> 00:03:27,440 levels of the department ? So with that 84 00:03:27,450 --> 00:03:29,561 as the context , I want to welcome Mr 85 00:03:29,561 --> 00:03:32,420 John Sherman who appears in front of 86 00:03:32,420 --> 00:03:34,890 the subcommittee to the here today . Mr 87 00:03:34,890 --> 00:03:37,210 Sherman served as the acting Chief 88 00:03:37,220 --> 00:03:39,570 Information Officer . And while we have 89 00:03:39,580 --> 00:03:42,650 had the pleasure to work together since 90 00:03:42,660 --> 00:03:44,950 assuming the role in January , this is 91 00:03:44,950 --> 00:03:47,480 his first appearance before . Uh huh . 92 00:03:47,480 --> 00:03:50,000 Ask hearing . He's a career member of 93 00:03:50,000 --> 00:03:52,220 the Senior Intelligence Service and 94 00:03:52,220 --> 00:03:54,387 previously served as Chief Information 95 00:03:54,387 --> 00:03:56,387 Officer of the U . S . Intelligence 96 00:03:56,387 --> 00:03:59,590 Community . So I thank you Mr Sherman 97 00:03:59,590 --> 00:04:01,312 for your your service and your 98 00:04:01,312 --> 00:04:03,530 commitment to the United States and uh 99 00:04:03,540 --> 00:04:05,873 the work that you're doing in D . O . D . 100 00:04:05,873 --> 00:04:08,096 Um But before we get to you I'd like to 101 00:04:08,096 --> 00:04:09,984 now yield to Mr Franklin , who is 102 00:04:09,984 --> 00:04:12,151 stepping in for Ranking Member Banks . 103 00:04:12,151 --> 00:04:14,484 Um Scott , the floor is yours . Thank you . 104 00:04:14,484 --> 00:04:16,596 Mr Chairman . Thank you . Mr Chairman 105 00:04:16,596 --> 00:04:18,762 for your time here with us today . 
The 106 00:04:18,762 --> 00:04:20,984 department's information technology and 107 00:04:20,984 --> 00:04:23,040 cyber security budget may not be the 108 00:04:23,040 --> 00:04:22,470 most riveting subject but it is 109 00:04:22,470 --> 00:04:24,637 certainly one of the most critical . I . 110 00:04:24,637 --> 00:04:26,581 T . undergirds every department or 111 00:04:26,581 --> 00:04:28,637 every part of the department whether 112 00:04:28,637 --> 00:04:30,692 it's protecting our defense networks 113 00:04:30,692 --> 00:04:33,026 from adversaries , managing the D . O . D . 114 00:04:33,026 --> 00:04:35,081 's spectrum to ensure swift , clear 115 00:04:35,081 --> 00:04:37,137 communication with our troops around 116 00:04:37,137 --> 00:04:39,026 the world or deploying I . T . or 117 00:04:39,026 --> 00:04:41,026 software , secure software . I . T . is 118 00:04:41,026 --> 00:04:43,081 foundational from weapons systems to 119 00:04:43,081 --> 00:04:45,248 financial management and an enterprise 120 00:04:45,248 --> 00:04:47,470 as large as the Department Defense with 121 00:04:47,470 --> 00:04:49,692 its many missions , different systems and 122 00:04:49,692 --> 00:04:51,859 multiple stakeholders . We're fortunate 123 00:04:51,859 --> 00:04:54,081 there's not been a catastrophic I . T . 124 00:04:54,081 --> 00:04:56,137 failure , rendering our equipment no 125 00:04:56,137 --> 00:04:58,248 better than paperweights or allowing 126 00:04:58,248 --> 00:05:00,414 adversaries to sit in our networks and 127 00:05:00,414 --> 00:05:02,414 capture sensitive information . 
I'm 128 00:05:02,414 --> 00:05:01,790 encouraged by the direction of the 129 00:05:01,790 --> 00:05:03,846 department , but this is not an area 130 00:05:03,846 --> 00:05:05,679 where we can afford to slow down . 131 00:05:05,679 --> 00:05:07,846 Without strategic vision , resourcing 132 00:05:07,846 --> 00:05:10,068 and investment in the workforce and buy 133 00:05:10,068 --> 00:05:12,123 in from leadership in the department , 134 00:05:12,123 --> 00:05:13,957 failure is possible . The IT and 135 00:05:13,957 --> 00:05:16,179 cyberspace budget represents roughly 7% 136 00:05:16,179 --> 00:05:18,179 of the D . O . D . budget , so every 137 00:05:18,179 --> 00:05:20,179 dollar must be used wisely . I look 138 00:05:20,179 --> 00:05:22,068 forward to hearing your views and 139 00:05:22,068 --> 00:05:24,179 justifications for the budget and how 140 00:05:24,179 --> 00:05:26,123 you're using the dollars to pursue 141 00:05:26,123 --> 00:05:27,957 modernization , efficiencies and 142 00:05:27,957 --> 00:05:30,012 security . The Department of Defense 143 00:05:30,012 --> 00:05:32,179 has a technology deficit and unless we 144 00:05:32,179 --> 00:05:34,401 make both the necessary investments and 145 00:05:34,401 --> 00:05:36,623 prioritizations , we risk weakening our 146 00:05:36,623 --> 00:05:38,734 national security and none of us here 147 00:05:38,734 --> 00:05:38,460 wants that . With that , Mr Chairman , 148 00:05:38,460 --> 00:05:41,360 Go back . Good , 149 00:05:44,940 --> 00:05:47,107 very good . Thank you Mr Franklin . Um 150 00:05:47,107 --> 00:05:49,273 With that I want to turn to Mr Sherman 151 00:05:49,273 --> 00:05:51,384 for his opening statement . Thank you 152 00:05:51,384 --> 00:05:53,384 very much sir . Good afternoon , Mr 153 00:05:53,384 --> 00:05:55,496 Chairman , Ranking Member and members 154 00:05:55,496 --> 00:05:57,718 of the subcommittee . 
Thank you for the 155 00:05:57,718 --> 00:05:59,607 opportunity to testify before the 156 00:05:59,607 --> 00:06:01,496 subcommittee today on the current 157 00:06:01,496 --> 00:06:03,440 efforts underway pertaining to the 158 00:06:03,440 --> 00:06:05,662 department's information technology and 159 00:06:05,662 --> 00:06:07,884 cyber security . I'm John Sherman , the 160 00:06:07,884 --> 00:06:09,829 acting Department of Defense Chief 161 00:06:09,829 --> 00:06:11,940 Information Officer . The President's 162 00:06:11,940 --> 00:06:13,940 Interim National Security Strategic 163 00:06:13,940 --> 00:06:16,107 Guidance as well as Secretary Austin's 164 00:06:16,107 --> 00:06:18,218 priorities drive the key areas I will 165 00:06:18,218 --> 00:06:20,273 highlight regarding the department's 166 00:06:20,273 --> 00:06:22,910 cloud software , network modernization , 167 00:06:23,170 --> 00:06:25,660 cyber security , work , workforce , 168 00:06:25,800 --> 00:06:28,230 command control , communications and 169 00:06:28,230 --> 00:06:31,180 data . And what I see is a critical 170 00:06:31,180 --> 00:06:33,291 step for the whole enterprise . We've 171 00:06:33,291 --> 00:06:35,240 made cloud computing a fundamental 172 00:06:35,240 --> 00:06:37,018 component of our global I . T . 173 00:06:37,018 --> 00:06:38,851 infrastructure and modernization 174 00:06:38,851 --> 00:06:41,080 strategy . With battlefield success 175 00:06:41,080 --> 00:06:42,858 increasingly reliant on digital 176 00:06:42,858 --> 00:06:44,710 capabilities , cloud computing 177 00:06:44,710 --> 00:06:46,877 satisfies the warfighter's requirements 178 00:06:46,877 --> 00:06:49,200 for rapid access to data , innovative 179 00:06:49,200 --> 00:06:51,460 capabilities and assured support . 180 00:06:52,040 --> 00:06:54,151 Furthermore , we remain committed in our 181 00:06:54,151 --> 00:06:56,430 drive toward a multi vendor , multi 182 00:06:56,430 --> 00:06:59,650 cloud ecosystem . 
With our FY 22 cloud 183 00:06:59,650 --> 00:07:01,630 investments representing over 50 184 00:07:01,630 --> 00:07:03,352 different commercial vendors , 185 00:07:03,352 --> 00:07:05,297 including commercial cloud service 186 00:07:05,297 --> 00:07:07,700 providers and system integrators . The 187 00:07:07,700 --> 00:07:09,644 department's cloud conversancy and 188 00:07:09,644 --> 00:07:11,867 ability to leverage this technology has 189 00:07:11,867 --> 00:07:13,700 definitely matured over the last 190 00:07:13,700 --> 00:07:15,811 several years and we are driving hard 191 00:07:15,811 --> 00:07:18,033 to accelerate the momentum even more in 192 00:07:18,033 --> 00:07:21,580 this space . Software capabilities and 193 00:07:21,580 --> 00:07:23,469 networks are also critical to our 194 00:07:23,469 --> 00:07:25,680 success . I'm pleased to announce that 195 00:07:25,680 --> 00:07:27,180 we will release a software 196 00:07:27,180 --> 00:07:29,069 modernization strategy later this 197 00:07:29,069 --> 00:07:31,620 summer that builds on already developed 198 00:07:31,620 --> 00:07:34,140 guidance such as DevSecOps 2.0 199 00:07:34,140 --> 00:07:36,770 guidance released last month . We 200 00:07:36,770 --> 00:07:38,881 are dedicated to delivering resilient 201 00:07:38,881 --> 00:07:40,881 software capability at the speed of 202 00:07:40,881 --> 00:07:43,400 relevance . The FY 22 budget includes 203 00:07:43,400 --> 00:07:45,122 investments to enable software 204 00:07:45,122 --> 00:07:47,750 modernization with cloud services as 205 00:07:47,750 --> 00:07:49,861 the foundation to fully integrate the 206 00:07:49,861 --> 00:07:52,150 technology , process and people needed to 207 00:07:52,150 --> 00:07:54,450 deliver next generation capabilities . 208 00:07:55,040 --> 00:07:57,280 Meanwhile , the COVID-19 pandemic 209 00:07:57,280 --> 00:07:59,670 crisis changed the way we all work . 
210 00:07:59,820 --> 00:08:01,876 The department deployed a commercial 211 00:08:01,876 --> 00:08:03,830 based collaboration capability to 212 00:08:03,830 --> 00:08:06,110 enable the rapid transition from remote 213 00:08:06,110 --> 00:08:08,440 work . While cloud access and remote 214 00:08:08,440 --> 00:08:10,662 work introduces a significant burden to 215 00:08:10,662 --> 00:08:12,773 the D O . D networks . We continue to 216 00:08:12,773 --> 00:08:16,300 deploy secure and agile solutions . All 217 00:08:16,300 --> 00:08:17,967 of these efforts must address 218 00:08:17,967 --> 00:08:19,911 cybersecurity from the start . The 219 00:08:19,911 --> 00:08:21,856 secretary previously discussed the 220 00:08:21,856 --> 00:08:23,689 department's investment in cyber 221 00:08:23,689 --> 00:08:25,689 security and cyber space operations 222 00:08:25,689 --> 00:08:27,856 that will maintain the momentum of our 223 00:08:27,856 --> 00:08:30,480 digital modernization strategy . The FY 224 00:08:30,480 --> 00:08:32,500 22 DOD cybersecurity budget remains 225 00:08:33,040 --> 00:08:35,330 maintains enhanced funding levels 226 00:08:35,340 --> 00:08:38,310 established in fy 20 and Fy 21 for key 227 00:08:38,310 --> 00:08:40,440 enterprise cybersecurity capabilities 228 00:08:40,690 --> 00:08:42,634 that will enable us to advance our 229 00:08:42,634 --> 00:08:45,550 focus on zero trust and risk management 230 00:08:45,550 --> 00:08:48,080 and drive our new investments to 231 00:08:48,080 --> 00:08:50,710 enhance resiliency and cyber defenses . 232 00:08:50,940 --> 00:08:52,996 We take our responsibilities in this 233 00:08:52,996 --> 00:08:55,051 area very seriously given the threat 234 00:08:55,051 --> 00:08:58,020 landscape we face . While all divisions 235 00:08:58,020 --> 00:09:00,020 on our C . I . O Team support , war 236 00:09:00,020 --> 00:09:02,076 fighting . 
It is command , control and 237 00:09:02,076 --> 00:09:04,298 communications or C3 that might be 238 00:09:04,298 --> 00:09:06,464 most closely linked to the war fighter 239 00:09:06,464 --> 00:09:08,353 on the ground , sea , air and space 240 00:09:08,353 --> 00:09:11,020 domains . The critical capabilities in 241 00:09:11,020 --> 00:09:13,110 this portfolio , positioning , 242 00:09:13,110 --> 00:09:15,110 navigation and timing or PNT , 243 00:09:15,150 --> 00:09:17,520 electromagnetic spectrum enterprise or 244 00:09:17,520 --> 00:09:20,240 EMC , and 5G , are a key priority 245 00:09:20,240 --> 00:09:22,420 for the enterprise , especially as we 246 00:09:22,420 --> 00:09:24,198 face threats from our near peer 247 00:09:24,198 --> 00:09:26,720 competitors . Finally , we often note 248 00:09:26,720 --> 00:09:28,664 that data is the ammunition of the 249 00:09:28,664 --> 00:09:31,200 future . The department has prioritized 250 00:09:31,210 --> 00:09:33,070 ensuring the timely , secure and 251 00:09:33,070 --> 00:09:35,150 resilient access to data needed for 252 00:09:35,150 --> 00:09:37,170 military advantage and all-domain 253 00:09:37,180 --> 00:09:39,890 operations . While data management is 254 00:09:39,890 --> 00:09:42,001 not directly tied to specific program 255 00:09:42,001 --> 00:09:44,660 elements in the FY 22 budget request , 256 00:09:44,740 --> 00:09:47,110 we are identifying , assessing and 257 00:09:47,110 --> 00:09:49,221 tracking our data related investments 258 00:09:49,300 --> 00:09:51,300 as part of the budget certification 259 00:09:51,300 --> 00:09:54,400 process that I lead . In closing , I want 260 00:09:54,400 --> 00:09:56,344 to emphasize the importance of our 261 00:09:56,344 --> 00:09:58,511 partnership with Congress in all areas 262 00:09:58,511 --> 00:10:00,456 but but with a particular focus on 263 00:10:00,456 --> 00:10:02,344 digital modernization and I . T . 264 00:10:02,344 --> 00:10:04,511 reform . 
Thank you for the opportunity 265 00:10:04,511 --> 00:10:06,567 to testify this afternoon and I look 266 00:10:06,567 --> 00:10:09,160 forward to your questions . Thank you . 267 00:10:09,160 --> 00:10:12,280 Mr Chairman . Um So we're gonna go to 268 00:10:12,280 --> 00:10:14,760 member questions now as we recognize 269 00:10:14,760 --> 00:10:17,980 notice seniority um for five minutes 270 00:10:17,980 --> 00:10:21,260 and I'll start with my self 271 00:10:21,640 --> 00:10:24,730 uh Mr Sherman . The first question I 272 00:10:24,730 --> 00:10:27,560 have uh and I'm gonna be direct . 273 00:10:28,040 --> 00:10:31,170 The department released a comprehensive 274 00:10:31,170 --> 00:10:35,120 summary document of its uh of its IT 275 00:10:35,120 --> 00:10:37,231 and in cyberspace activities budget . 276 00:10:37,231 --> 00:10:41,230 Totalling 30 pages this year . Uh That 277 00:10:41,230 --> 00:10:44,270 same document is six pages . Uh Only 278 00:10:44,280 --> 00:10:46,900 two of which contain any substance 279 00:10:46,910 --> 00:10:50,170 separately . Uh This committee as major 280 00:10:50,170 --> 00:10:52,300 office aware that the I . T . In 281 00:10:52,300 --> 00:10:54,411 cyberspace activities portion of this 282 00:10:54,411 --> 00:10:56,700 year's defense budget overview was 283 00:10:56,700 --> 00:10:59,920 nearly a carbon copy Of the 2020 . The 284 00:10:59,920 --> 00:11:02,280 defense budget overview after being 285 00:11:02,280 --> 00:11:04,180 honest with you , if uh if the 286 00:11:04,190 --> 00:11:06,150 Department of Defense were a high 287 00:11:06,150 --> 00:11:08,206 school student , I would have called 288 00:11:08,206 --> 00:11:10,930 this plagiarism . 
So with all due 289 00:11:10,930 --> 00:11:14,070 respect , uh if your office cannot be 290 00:11:14,070 --> 00:11:16,237 troubled to put together the necessary 291 00:11:16,237 --> 00:11:18,514 materials , this committee's oversight , 292 00:11:18,514 --> 00:11:20,514 how can we trust the stewardship of 293 00:11:20,514 --> 00:11:23,880 this uh critical portfolio ? Mr . 294 00:11:23,880 --> 00:11:25,991 Chairman , thank you for the question 295 00:11:25,991 --> 00:11:27,936 and I appreciate everything you're 296 00:11:27,936 --> 00:11:30,480 saying the and your staff it raises 297 00:11:30,480 --> 00:11:33,290 with us a couple of weeks ago . So a 298 00:11:33,290 --> 00:11:35,640 couple things happened on this as I've 299 00:11:35,640 --> 00:11:37,696 dug into this and my six months into 300 00:11:37,696 --> 00:11:39,640 the job and particularly as it was 301 00:11:39,640 --> 00:11:41,862 raised recently , part of the reduction 302 00:11:41,862 --> 00:11:43,973 in the length of the documents had to 303 00:11:43,973 --> 00:11:46,084 do with the C . U . I . Or controlled 304 00:11:46,084 --> 00:11:48,084 unclassified information designated 305 00:11:48,084 --> 00:11:50,029 that was put on it . That in a way 306 00:11:50,029 --> 00:11:52,196 perhaps restricted the number of pages 307 00:11:52,196 --> 00:11:54,307 on there . But your point , sir about 308 00:11:54,307 --> 00:11:56,307 the carbon copy of something I take 309 00:11:56,307 --> 00:11:58,473 very seriously . Your staff has raised 310 00:11:58,473 --> 00:12:00,529 this with me and I will own this and 311 00:12:00,529 --> 00:12:02,910 ensure we get it better next time . And 312 00:12:02,910 --> 00:12:05,132 indeed I have been laser focused on the 313 00:12:05,132 --> 00:12:07,530 technology and cyber security but we 314 00:12:07,530 --> 00:12:09,830 need to do a bit better job in C . I . 315 00:12:09,830 --> 00:12:11,941 O . 
working with Comptroller and other 316 00:12:11,941 --> 00:12:14,052 department colleagues in the level of 317 00:12:14,052 --> 00:12:16,219 product we share with you . So sir , I 318 00:12:16,219 --> 00:12:18,441 will take this guidance on and make 319 00:12:18,441 --> 00:12:18,220 it a priority going forward . I 320 00:12:18,220 --> 00:12:20,498 appreciate you flagging it , sir . Mhm . 321 00:12:20,840 --> 00:12:22,880 Without that level of detail , just 322 00:12:22,880 --> 00:12:24,660 understand we can't fulfill our 323 00:12:24,660 --> 00:12:26,827 oversight responsibilities . We're in the 324 00:12:26,827 --> 00:12:29,130 dark otherwise and uh you know that's 325 00:12:29,130 --> 00:12:31,490 that's unacceptable going forward . So 326 00:12:31,490 --> 00:12:33,550 I take you at your word and uh we'll 327 00:12:33,560 --> 00:12:37,190 we'll go from there . Um Also in 328 00:12:37,190 --> 00:12:39,079 reviewing the department's budget 329 00:12:39,079 --> 00:12:41,246 materials , it would appear that there 330 00:12:41,246 --> 00:12:44,630 are significant challenges between all 331 00:12:44,630 --> 00:12:46,686 the various D . O . D . entities in 332 00:12:46,686 --> 00:12:48,408 harmonizing how the department 333 00:12:48,408 --> 00:12:51,050 categorizes its cybersecurity and I . T . 334 00:12:51,060 --> 00:12:54,110 investments . Uh For example the Navy 335 00:12:54,110 --> 00:12:56,290 does not categorize endpoint device 336 00:12:56,290 --> 00:12:58,420 management tools as cyber security 337 00:12:58,420 --> 00:13:00,850 funding yet the Air Force does . As a 338 00:13:00,850 --> 00:13:03,560 result , uh it is nearly impossible to 339 00:13:03,560 --> 00:13:05,504 get a comprehensive picture of how 340 00:13:05,504 --> 00:13:08,500 resources are being spent . 
How 341 00:13:08,500 --> 00:13:11,150 can our members help you accelerate uh 342 00:13:11,160 --> 00:13:13,070 the efforts to create greater 343 00:13:13,070 --> 00:13:15,420 compliance and consistency uh in 344 00:13:15,420 --> 00:13:17,142 understanding the department's 345 00:13:17,142 --> 00:13:19,420 investments ? Sir , thank you for that . 346 00:13:19,440 --> 00:13:21,662 I think some of this is what we need to 347 00:13:21,662 --> 00:13:23,829 be doing on our own within the C . I . 348 00:13:23,829 --> 00:13:25,718 O . enterprise , working with our 349 00:13:25,718 --> 00:13:27,940 service and other colleagues as we work 350 00:13:27,940 --> 00:13:30,162 the budget year to year . To your point 351 00:13:30,162 --> 00:13:32,329 and I took this once I got in the seat 352 00:13:32,329 --> 00:13:34,230 here that our $5.5 billion for 353 00:13:34,230 --> 00:13:36,860 cybersecurity thereabouts doesn't 354 00:13:36,860 --> 00:13:38,693 indeed represent the totality of 355 00:13:38,693 --> 00:13:41,027 cybersecurity throughout the department . 356 00:13:41,027 --> 00:13:43,027 It's a large portion of it . But to 357 00:13:43,027 --> 00:13:45,193 your point about endpoint security and 358 00:13:45,193 --> 00:13:47,249 I'll give another example what we've 359 00:13:47,249 --> 00:13:49,416 done with D . O . D . or Office 365 , and 360 00:13:49,416 --> 00:13:51,582 some of the cyber security features we 361 00:13:51,582 --> 00:13:53,582 bought from the vendor on there are 362 00:13:53,582 --> 00:13:55,582 reflected in our enterprise and not 363 00:13:55,582 --> 00:13:57,880 cyber budget . Cybersecurity is my top 364 00:13:57,880 --> 00:13:59,936 priority as C . I . O . along with the 365 00:13:59,936 --> 00:14:02,158 other modernization activities . 
But to 366 00:14:02,158 --> 00:14:04,380 be able to reflect the totality of that 367 00:14:04,380 --> 00:14:06,602 is something we need to do a better job 368 00:14:06,602 --> 00:14:08,658 of and I think we have the tools and 369 00:14:08,658 --> 00:14:10,880 wherewithal internally to work with our 370 00:14:10,880 --> 00:14:13,047 colleagues to make sure we can reflect 371 00:14:13,047 --> 00:14:14,991 this more accurately . But this is 372 00:14:14,991 --> 00:14:17,102 something , sir , I have noticed recently 373 00:14:17,102 --> 00:14:19,660 because the 5.5 billion while an 374 00:14:19,660 --> 00:14:21,827 accurate assessment of cybersecurity , 375 00:14:21,827 --> 00:14:23,993 there are some more in the budget that 376 00:14:23,993 --> 00:14:26,271 we need to be able to reflect in there . 377 00:14:26,271 --> 00:14:26,180 So sir , I will take that on board as 378 00:14:26,180 --> 00:14:28,910 well . It's important , you know , 379 00:14:28,910 --> 00:14:30,910 having that common understanding is 380 00:14:30,910 --> 00:14:32,966 going to help us better understand , 381 00:14:32,966 --> 00:14:34,743 you know , where we are lacking 382 00:14:34,743 --> 00:14:36,910 capabilities , we are investing in the 383 00:14:36,910 --> 00:14:38,910 right place and how our dollars are 384 00:14:38,910 --> 00:14:41,132 being spent . Um uh In the statement 385 00:14:41,132 --> 00:14:43,270 you submitted to the committee uh you 386 00:14:43,270 --> 00:14:45,320 noted that you serve as the 387 00:14:45,320 --> 00:14:47,630 department's lead for Industrial 388 00:14:47,630 --> 00:14:49,797 Control Systems cyber security . You 389 00:14:49,797 --> 00:14:52,310 also noted that the department is 390 00:14:52,310 --> 00:14:54,032 working to build cybersecurity 391 00:14:54,032 --> 00:14:57,640 expertise in the cyber workforce 392 00:14:57,650 --> 00:15:00,670 um and developing capabilities to 393 00:15:00,670 --> 00:15:03,460 monitor the I . C . S . systems . 
So I 394 00:15:03,460 --> 00:15:06,050 have a few questions about this . First , 395 00:15:06,060 --> 00:15:08,600 does the department use the term I . C . 396 00:15:08,600 --> 00:15:11,910 S . and operational technology or O . T . 397 00:15:11,920 --> 00:15:15,040 interchangeably ? To my 398 00:15:15,040 --> 00:15:17,151 understanding right now we do , sir . 399 00:15:17,151 --> 00:15:19,040 This is an area of late that I've 400 00:15:19,040 --> 00:15:21,450 wanted to really dig on both back when 401 00:15:21,450 --> 00:15:23,617 I was the Principal Deputy C . I . O . 402 00:15:23,617 --> 00:15:25,950 at the time and now as the acting C . I . 403 00:15:25,950 --> 00:15:28,172 O . To answer your question , I believe 404 00:15:28,172 --> 00:15:30,117 we use those interchangeably . I'm 405 00:15:30,117 --> 00:15:32,061 working with our Chief Information 406 00:15:32,061 --> 00:15:34,117 Security Officer just as recently as 407 00:15:34,117 --> 00:15:35,950 this week to start to gather the 408 00:15:35,950 --> 00:15:38,172 documentation we have on this to ensure 409 00:15:38,172 --> 00:15:40,960 that we at the departmental C . I . O . level 410 00:15:41,040 --> 00:15:43,770 have the right sort of guidance and the 411 00:15:43,770 --> 00:15:45,992 articulation of terms , right , what you're 412 00:15:45,992 --> 00:15:48,910 getting at , sir , as we're using IOT well 413 00:15:48,910 --> 00:15:51,021 and I'll throw IoT , internet of things , 414 00:15:51,021 --> 00:15:53,243 in there as well along with industrial 415 00:15:53,243 --> 00:15:54,910 control systems , operational 416 00:15:54,910 --> 00:15:56,910 technology etcetera . To get at the 417 00:15:56,910 --> 00:15:58,854 main issue that we're not creating 418 00:15:58,854 --> 00:16:01,400 seams in our cybersecurity activities 419 00:16:01,400 --> 00:16:03,580 between the cyber defenders and our 420 00:16:03,580 --> 00:16:05,890 facility managers . 
Or an adversary 421 00:16:05,890 --> 00:16:07,770 could go after things like HVAC , 422 00:16:07,780 --> 00:16:09,891 elevators and other places that would 423 00:16:09,891 --> 00:16:12,113 allow cyber vulnerabilities . So that's 424 00:16:12,113 --> 00:16:14,169 where we're at right now , sir . And 425 00:16:14,169 --> 00:16:16,058 what is the difference between uh 426 00:16:16,058 --> 00:16:18,580 defense cyber workforce and cyberspace 427 00:16:18,580 --> 00:16:22,060 operations forces ? The 428 00:16:22,640 --> 00:16:24,862 That I want to make sure I get this one 429 00:16:24,862 --> 00:16:26,862 right . The defense cyber workforce 430 00:16:26,862 --> 00:16:29,450 would include the way we characterize 431 00:16:29,450 --> 00:16:32,670 the work roles include the cyber 432 00:16:32,670 --> 00:16:34,837 workforce , I believe in there , sir . 433 00:16:34,837 --> 00:16:36,614 The way we so the defense cyber 434 00:16:36,614 --> 00:16:38,670 workforce is based on a framework of 435 00:16:38,670 --> 00:16:40,670 the occupational series , we have I 436 00:16:40,670 --> 00:16:43,330 believe there's 54 of any type of 437 00:16:43,340 --> 00:16:46,110 individual military or civilian 438 00:16:46,120 --> 00:16:49,600 operating in cyber cyber work roles in 439 00:16:49,600 --> 00:16:52,090 terms of whether you're a coder , a 440 00:16:52,090 --> 00:16:54,180 cyber defender , etcetera . So this 441 00:16:54,180 --> 00:16:56,402 gets to the blocking and tackling we've 442 00:16:56,402 --> 00:16:58,347 been doing over the past couple of 443 00:16:58,347 --> 00:17:00,180 years to get our arms around the 444 00:17:00,180 --> 00:17:02,347 totality of our cyber workforce , so I 445 00:17:02,347 --> 00:17:04,569 will take that for the record to ensure 446 00:17:04,569 --> 00:17:06,791 I'm being correct on this , sir . 
But the 447 00:17:06,791 --> 00:17:08,847 cyber operators that are working for 448 00:17:08,847 --> 00:17:10,902 CYBERCOM and elsewhere , included in 449 00:17:10,902 --> 00:17:13,013 our broader cyber workforce framework 450 00:17:13,013 --> 00:17:15,236 that we put together to allow us to get 451 00:17:15,236 --> 00:17:16,902 the fidelity we need on these 452 00:17:16,902 --> 00:17:19,070 occupational series and the work roles 453 00:17:19,080 --> 00:17:21,200 so we can look all the way across the 454 00:17:21,200 --> 00:17:23,478 dozens of work roles with the fidelity 455 00:17:23,478 --> 00:17:26,150 we need to be able to characterize the 456 00:17:26,160 --> 00:17:29,020 uh tens of thousands of individuals we 457 00:17:29,020 --> 00:17:31,670 have in this area , sir . And the last 458 00:17:31,670 --> 00:17:33,837 questions I have and then I'm going to 459 00:17:33,837 --> 00:17:35,781 yield to the ranking member uh and 460 00:17:35,781 --> 00:17:38,114 hopefully we'll get a second round into . 461 00:17:38,114 --> 00:17:40,170 But uh do the efforts that your your 462 00:17:40,170 --> 00:17:42,630 statement describes extend to the cyber 463 00:17:42,630 --> 00:17:45,100 mission force uh and or the cyber 464 00:17:45,100 --> 00:17:47,860 operations forces ? And will the 465 00:17:47,870 --> 00:17:50,880 cyberspace operations forces have 466 00:17:50,890 --> 00:17:53,950 dedicated elements for O . T . cybersecurity ? 467 00:17:55,040 --> 00:17:57,151 Sir , I want to take that one for the 468 00:17:57,151 --> 00:17:59,151 record and make sure I give you the 469 00:17:59,151 --> 00:18:01,318 right answer on that . I would see the 470 00:18:01,318 --> 00:18:03,540 the IoT , the industrial control system 471 00:18:03,540 --> 00:18:05,484 absolutely involving our CYBERCOM 472 00:18:05,484 --> 00:18:07,540 colleagues on this . 
But in terms of 473 00:18:07,540 --> 00:18:09,540 how we're going to structure this , 474 00:18:09,540 --> 00:18:11,762 it's frankly early in the movie on this 475 00:18:11,762 --> 00:18:13,984 and I want to make sure I get the right 476 00:18:13,984 --> 00:18:13,270 answer for you on that , sir . But this 477 00:18:13,280 --> 00:18:15,447 is a priority for me , especially post 478 00:18:15,447 --> 00:18:17,613 Colonial Pipeline . This was a wake up 479 00:18:17,613 --> 00:18:19,613 call and again , the department has 480 00:18:19,613 --> 00:18:21,780 been on this . But what can be done to 481 00:18:21,780 --> 00:18:23,724 I . C . S . I want to ensure we're 482 00:18:23,724 --> 00:18:25,724 putting all the piece parts of this 483 00:18:25,724 --> 00:18:25,710 together . So I will need to take that 484 00:18:25,710 --> 00:18:27,932 one for the record as well , sir . When 485 00:18:27,932 --> 00:18:30,043 we look forward to getting the follow 486 00:18:30,043 --> 00:18:32,210 up from you for the record . With that 487 00:18:32,210 --> 00:18:34,266 I'm going to hold there and yield to 488 00:18:34,266 --> 00:18:33,850 the ranking member . Thank you . Mr 489 00:18:33,850 --> 00:18:35,517 Chairman Mr Sherman . It's my 490 00:18:35,517 --> 00:18:37,572 understanding that the Department of 491 00:18:37,572 --> 00:18:39,628 Defense allows unpatched software to 492 00:18:39,628 --> 00:18:41,683 remain on the network for 100 and 20 493 00:18:41,683 --> 00:18:43,739 days before being removed . When our 494 00:18:43,739 --> 00:18:45,961 adversaries are increasingly looking to 495 00:18:45,961 --> 00:18:48,072 attack us from the cyber domain . 
Can 496 00:18:48,072 --> 00:18:50,072 you highlight what the department's 497 00:18:50,072 --> 00:18:52,017 doing to reduce this time for time 498 00:18:52,017 --> 00:18:54,239 frame and make sure our systems are not 499 00:18:54,239 --> 00:18:56,461 vulnerable And in part two of that , do 500 00:18:56,461 --> 00:18:58,572 you have the authorities necessary to 501 00:18:58,572 --> 00:18:58,520 require the services and components to 502 00:18:58,520 --> 00:19:02,310 act ? Thank you sir . I believe we do 503 00:19:02,310 --> 00:19:04,532 absolutely have the authorities we need 504 00:19:04,532 --> 00:19:06,740 on this and this gets into the broader 505 00:19:06,740 --> 00:19:09,360 cyber security push . We have looking 506 00:19:09,360 --> 00:19:11,304 at things like our risk management 507 00:19:11,304 --> 00:19:13,527 framework , the standards we have about 508 00:19:13,527 --> 00:19:15,527 how long software can remain on our 509 00:19:15,527 --> 00:19:17,638 network and indeed one of my absolute 510 00:19:17,638 --> 00:19:19,693 main priorities as we move to a zero 511 00:19:19,693 --> 00:19:21,638 trust architecture , getting after 512 00:19:21,638 --> 00:19:23,693 things like unpatched software , But 513 00:19:23,693 --> 00:19:26,080 also an overall holistic approach to 514 00:19:26,080 --> 00:19:27,969 how we structure our networks and 515 00:19:27,969 --> 00:19:30,191 making it assumed that the bad guys are 516 00:19:30,191 --> 00:19:32,191 going to get on there and how do we 517 00:19:32,191 --> 00:19:34,413 segment things and sure it's patched as 518 00:19:34,413 --> 00:19:36,524 quickly as possible and have the very 519 00:19:36,524 --> 00:19:38,580 best tools and approach on this . So 520 00:19:38,580 --> 00:19:40,802 sir , this is something 120 days , it's 521 00:19:40,802 --> 00:19:42,858 probably too long . We would need to 522 00:19:42,858 --> 00:19:45,024 take a look at that . But this gets to 523 00:19:45,024 --> 00:19:44,950 the broader push . 
I've also got the 524 00:19:44,950 --> 00:19:47,510 CISO working on to how can we do this 525 00:19:47,510 --> 00:19:49,670 better to ensure as we look at peer 526 00:19:49,670 --> 00:19:52,040 competitors and non state actors that 527 00:19:52,040 --> 00:19:54,262 no , they're coming at this , that that 528 00:19:54,262 --> 00:19:56,151 is not what we want to be able to 529 00:19:56,151 --> 00:19:58,096 maintain there , sir . So we will be 530 00:19:58,096 --> 00:19:59,984 looking at that . Very good . In your 531 00:19:59,984 --> 00:19:59,910 testimony . State that not all 532 00:19:59,910 --> 00:20:01,910 priorities can be satisfied in each 533 00:20:01,910 --> 00:20:03,688 budget . That's pretty much the 534 00:20:03,688 --> 00:20:05,521 standard for for all the all the 535 00:20:05,521 --> 00:20:07,688 different departments that come before 536 00:20:07,688 --> 00:20:09,799 us . But can you highlight what's not 537 00:20:09,799 --> 00:20:09,280 being satisfied in the President's 538 00:20:09,280 --> 00:20:11,058 budget and what risks are there 539 00:20:11,058 --> 00:20:12,780 associated with those unfunded 540 00:20:12,780 --> 00:20:15,002 priorities ? Well sir , I would say the 541 00:20:15,002 --> 00:20:17,169 main priorities are all being answered 542 00:20:17,169 --> 00:20:19,336 in the President's budget . We do have 543 00:20:19,336 --> 00:20:21,447 some risk areas that bother me though 544 00:20:21,447 --> 00:20:23,391 as C . I . O . And these have been 545 00:20:23,391 --> 00:20:25,447 enduring and I think my predecessors 546 00:20:25,447 --> 00:20:25,270 would have said the same thing you 547 00:20:25,270 --> 00:20:27,492 mentioned about the software patching . 548 00:20:27,492 --> 00:20:29,492 That's something immediately on our 549 00:20:29,492 --> 00:20:31,492 networks , working with our college 550 00:20:31,492 --> 00:20:33,770 colleagues and acquisition sustainment . 
551 00:20:33,770 --> 00:20:35,937 I really want to put our shoulder into 552 00:20:35,937 --> 00:20:37,548 weapons systems and critical 553 00:20:37,548 --> 00:20:39,659 infrastructure , recognizing that our 554 00:20:39,659 --> 00:20:41,770 adversaries are gonna be coming after 555 00:20:41,770 --> 00:20:43,826 those too and moving just beyond the 556 00:20:43,826 --> 00:20:43,810 Department of Defense Information Network 557 00:20:43,810 --> 00:20:46,340 under my charge . But looking again at 558 00:20:46,340 --> 00:20:48,507 weapons systems and elsewhere , we can 559 00:20:48,507 --> 00:20:50,618 work with General Nakasone's team at 560 00:20:50,618 --> 00:20:52,840 CYBERCOM , work with A . N . S . And 561 00:20:52,840 --> 00:20:55,007 those are some risk areas that because 562 00:20:55,007 --> 00:20:57,173 some of these programs or start in the 563 00:20:57,173 --> 00:20:59,284 nineties when cyber security was in a 564 00:20:59,284 --> 00:20:59,180 different place , we have a better way 565 00:20:59,180 --> 00:21:01,236 to come at this . That's the type of 566 00:21:01,236 --> 00:21:03,013 areas there where I think we're 567 00:21:03,013 --> 00:21:05,180 carrying some risk that I want to do a 568 00:21:05,180 --> 00:21:06,902 better job of working with our 569 00:21:06,902 --> 00:21:09,013 colleagues in the department . Okay . 570 00:21:09,013 --> 00:21:11,180 What one final question for this round 571 00:21:11,180 --> 00:21:10,790 recent cyber attacks , such as those on 572 00:21:10,790 --> 00:21:12,680 the Colonial Pipeline and water 573 00:21:12,680 --> 00:21:14,624 treatment facility back in my home 574 00:21:14,624 --> 00:21:16,791 state of Florida have highlighted that 575 00:21:16,791 --> 00:21:18,902 critical infrastructure and utilities 576 00:21:18,902 --> 00:21:20,791 are becoming more integrated with 577 00:21:20,791 --> 00:21:22,624 traditional I . T . 
Networks and 578 00:21:22,624 --> 00:21:24,791 therefore can be more exposed to cyber 579 00:21:24,791 --> 00:21:27,013 risks . How could the DoD's mission be 580 00:21:27,013 --> 00:21:29,069 impacted by such attacks on critical 581 00:21:29,069 --> 00:21:31,180 infrastructure and utility operations 582 00:21:31,180 --> 00:21:32,736 technology and what are the 583 00:21:32,736 --> 00:21:34,513 department's plans to ensure an 584 00:21:34,513 --> 00:21:36,624 adequate level of protection to those 585 00:21:36,624 --> 00:21:36,540 assets ? That's commensurate with the 586 00:21:36,540 --> 00:21:39,780 risk ? Yes , sir . That gets exactly to 587 00:21:39,790 --> 00:21:41,512 what I was mentioning with the 588 00:21:41,512 --> 00:21:43,623 chairman's question on this as well . 589 00:21:43,623 --> 00:21:45,960 Uh ICS , industrial control systems , 590 00:21:45,970 --> 00:21:48,026 operational technology and we'll get 591 00:21:48,026 --> 00:21:50,248 the terminology all right on this . But 592 00:21:50,248 --> 00:21:52,359 exactly what you're talking about . A 593 00:21:52,359 --> 00:21:54,581 cyber attack , not necessarily launched 594 00:21:54,581 --> 00:21:56,692 on our networks but against our water 595 00:21:56,692 --> 00:21:58,692 supply , our heating and cooling on a 596 00:21:58,692 --> 00:22:00,914 data center somewhere that could be the 597 00:22:00,914 --> 00:22:03,026 same as a kinetic kill on something . 598 00:22:03,026 --> 00:22:05,248 But it would and shutting the water off 599 00:22:05,248 --> 00:22:05,150 for cooling any number of things that 600 00:22:05,150 --> 00:22:07,050 affect our operations on our 601 00:22:07,050 --> 00:22:08,850 installations . What I didn't 602 00:22:08,850 --> 00:22:11,190 appreciate until I got into this job 603 00:22:11,200 --> 00:22:13,200 was there could be seams we need to 604 00:22:13,200 --> 00:22:15,422 address and so again this is one of our 605 00:22:15,422 --> 00:22:17,589 priorities . 
Is I'm having our team to 606 00:22:17,589 --> 00:22:19,700 a close look at what policies we have 607 00:22:19,700 --> 00:22:22,450 in place . Is it directive enough ? Is 608 00:22:22,450 --> 00:22:24,510 it suggestive and we need to roll in 609 00:22:24,510 --> 00:22:26,621 harder on this . What I don't want to 610 00:22:26,621 --> 00:22:28,732 have happen is any seams between the 611 00:22:28,732 --> 00:22:30,621 outfielders , so to speak , between 612 00:22:30,621 --> 00:22:32,343 facilities , cybersecurity and 613 00:22:32,343 --> 00:22:34,566 elsewhere . Where our adversaries could 614 00:22:34,566 --> 00:22:36,621 find a gap and get after us and hurt 615 00:22:36,621 --> 00:22:38,677 our facilities in the N . C . R . Or 616 00:22:38,677 --> 00:22:40,899 one of our installations or overseas or 617 00:22:40,899 --> 00:22:43,121 our war fighting ability . So this is a 618 00:22:43,121 --> 00:22:45,288 priority , sir . And it is in progress 619 00:22:45,288 --> 00:22:47,399 is we're looking at this and again as 620 00:22:47,399 --> 00:22:49,343 recently as this week , we've been 621 00:22:49,343 --> 00:22:51,677 working on this . All right , thank you . 622 00:22:51,677 --> 00:22:53,788 Mr Sherman . I go back thank you . Mr 623 00:22:53,788 --> 00:22:55,510 Franklin . Mr . Our sins and I 624 00:22:55,510 --> 00:22:57,677 recognize the private . Thank you . Mr 625 00:22:57,677 --> 00:22:59,940 Chair uh Sherman . That good to see you 626 00:22:59,940 --> 00:23:03,060 in your testimony . On page 10 you page 627 00:23:03,060 --> 00:23:05,270 nine and 10 you discuss five G in 628 00:23:05,270 --> 00:23:09,260 particular . Um that I think 629 00:23:09,470 --> 00:23:11,692 you say that the department is ready to 630 00:23:11,692 --> 00:23:15,460 make available 3.45-3.65 . 
But 631 00:23:16,140 --> 00:23:19,160 You have concerns about the 3.12 , 632 00:23:19,930 --> 00:23:21,874 Is this a setting in which you can 633 00:23:21,874 --> 00:23:25,540 explain some of your concerns about the 634 00:23:25,540 --> 00:23:28,360 mission operational impact on the 3.12 ? 635 00:23:29,740 --> 00:23:31,870 Yes , sir . At a high level . So the 636 00:23:31,870 --> 00:23:35,080 3.45 to 3.65 or areas we've actually 637 00:23:35,080 --> 00:23:37,191 been able to vacate or in the process 638 00:23:37,191 --> 00:23:40,330 of vacating The other one , the 639 00:23:40,340 --> 00:23:44,260 3.1 and up to 3.45 . This other band 640 00:23:44,940 --> 00:23:47,220 has quite a bit of D . O . D . Activity 641 00:23:47,220 --> 00:23:49,387 in it in the Continental United States 642 00:23:49,387 --> 00:23:51,331 and our territories for radars and 643 00:23:51,331 --> 00:23:53,387 other capabilities that are used for 644 00:23:53,387 --> 00:23:55,109 training as well as real world 645 00:23:55,109 --> 00:23:57,220 operations , homeland Security and so 646 00:23:57,220 --> 00:23:59,510 on . Whereas we've been able to vacate 647 00:23:59,520 --> 00:24:01,687 or in the process of outright vacating 648 00:24:01,687 --> 00:24:03,909 those other bands . This one's gonna be 649 00:24:03,909 --> 00:24:05,853 trickier where we're gonna need to 650 00:24:05,853 --> 00:24:07,964 learn and be able to share that where 651 00:24:07,964 --> 00:24:10,690 we can have some sort of relationship 652 00:24:10,700 --> 00:24:12,700 if this becomes available . Working 653 00:24:12,700 --> 00:24:14,922 with FCC and commerce in T . I . A . 
To 654 00:24:14,922 --> 00:24:17,033 where I'll give you an example of the 655 00:24:17,033 --> 00:24:19,256 kind of vision we have on this would be 656 00:24:19,256 --> 00:24:22,950 say Aegis class cruiser down in Norfolk 657 00:24:23,340 --> 00:24:25,562 needs to be able to bring up their very 658 00:24:25,562 --> 00:24:27,507 powerful radar but not every day , 659 00:24:27,507 --> 00:24:29,618 maybe certain days of the month . But 660 00:24:29,618 --> 00:24:31,673 when that illuminates it can go well 661 00:24:31,673 --> 00:24:33,396 into the Tidewater region as I 662 00:24:33,396 --> 00:24:35,562 understand it . Well , hopefully we're 663 00:24:35,562 --> 00:24:37,700 able to walk and chew gum where we 664 00:24:37,700 --> 00:24:39,644 can work out arrangements where on 665 00:24:39,644 --> 00:24:41,700 those days that cruiser has to bring 666 00:24:41,700 --> 00:24:43,922 the radar up . There could be some sort 667 00:24:43,922 --> 00:24:45,978 of sharing of that spectrum . That's 668 00:24:45,978 --> 00:24:48,033 what I'm getting at with that band . 669 00:24:48,033 --> 00:24:50,890 That 3.1 to 3.45 , recognizing there's 670 00:24:50,890 --> 00:24:53,140 a lot and I just used a naval example . 671 00:24:53,150 --> 00:24:55,372 There are plenty of others that operate 672 00:24:55,372 --> 00:24:57,317 in that space where our soldiers , 673 00:24:57,317 --> 00:24:59,039 sailors , airmen , marines and 674 00:24:59,039 --> 00:25:01,261 guardians have to be able to operate in 675 00:25:01,261 --> 00:25:03,317 that space . And again some of it is 676 00:25:03,317 --> 00:25:05,539 for real world operational activity . 677 00:25:05,539 --> 00:25:05,530 AWACS is an example . So that's what 678 00:25:05,530 --> 00:25:07,970 we're looking at . We want the US to be 679 00:25:07,970 --> 00:25:11,060 a five G . Dominant nation but we also 680 00:25:11,060 --> 00:25:13,004 have to maintain these D . O . D . 681 00:25:13,004 --> 00:25:15,227 Operational needs . 
But we think we can 682 00:25:15,227 --> 00:25:17,227 work this out and that's what we're 683 00:25:17,227 --> 00:25:19,282 looking at in that band sir . Yeah . 684 00:25:19,282 --> 00:25:21,171 Well you might know we we've been 685 00:25:21,171 --> 00:25:23,393 trying to help you all work that out as 686 00:25:23,393 --> 00:25:25,393 well . It's been a fits and starts a 687 00:25:25,393 --> 00:25:28,660 little bit . Uh So can you discuss uh 688 00:25:29,040 --> 00:25:31,207 the CIO have a role and what would you 689 00:25:31,207 --> 00:25:34,880 assess the progress of the five G 690 00:25:34,880 --> 00:25:36,991 pilot projects ? You don't have to go 691 00:25:36,991 --> 00:25:39,102 through all 12 but general thoughts . 692 00:25:39,102 --> 00:25:41,269 Right . Yes sir , we absolutely have a 693 00:25:41,269 --> 00:25:43,380 role so we work with our Research and 694 00:25:43,380 --> 00:25:45,602 Engineering colleagues , USD R&E , they 695 00:25:45,602 --> 00:25:47,658 have the lead , we work it as a from 696 00:25:47,658 --> 00:25:49,880 the C . I . O . Side with the standards 697 00:25:49,880 --> 00:25:51,991 piece , Working closely with them and 698 00:25:51,991 --> 00:25:54,158 working at I don't Wanna say at a more 699 00:25:54,158 --> 00:25:53,920 strategic level but there is a very 700 00:25:53,920 --> 00:25:56,142 close partnership where they're working 701 00:25:56,142 --> 00:25:58,198 directly with the services and sir , 702 00:25:58,198 --> 00:26:00,253 you're aware of all 12 logistics and 703 00:26:00,253 --> 00:26:02,476 healthcare and aircraft maintenance and 704 00:26:02,476 --> 00:26:04,698 everything else where we're working the 705 00:26:04,698 --> 00:26:06,753 standards piece and working with the 706 00:26:06,753 --> 00:26:08,864 higher level interlocutors at FCC and 707 00:26:08,864 --> 00:26:10,864 commerce and elsewhere . 
So it is a 708 00:26:10,864 --> 00:26:12,698 very good coupling between their 709 00:26:12,698 --> 00:26:14,364 leadership , working with the 710 00:26:14,364 --> 00:26:16,253 stakeholders on the pilots and us 711 00:26:16,253 --> 00:26:18,190 working it from a CIO standards 712 00:26:18,190 --> 00:26:20,930 policies . I don't want to say 713 00:26:20,930 --> 00:26:23,097 oversight yet , but that piece of it . 714 00:26:23,097 --> 00:26:25,208 So we do have a very close point when 715 00:26:25,208 --> 00:26:27,097 those when those are done or when 716 00:26:27,097 --> 00:26:29,208 there's some assessment noted in your 717 00:26:29,208 --> 00:26:31,319 testimony , CIO gets us by in 2024 is 718 00:26:31,319 --> 00:26:34,510 here . So you will you with the CIO 719 00:26:34,520 --> 00:26:38,140 office be taking the the operational 720 00:26:38,150 --> 00:26:41,110 role At some point . I think we need to 721 00:26:41,110 --> 00:26:43,166 define exactly what that means sir , 722 00:26:43,166 --> 00:26:45,388 but yes , well I think we're gonna have 723 00:26:45,388 --> 00:26:47,443 the as it mentioned in my my written 724 00:26:47,443 --> 00:26:49,499 submission and by 2024 and what does 725 00:26:49,499 --> 00:26:51,554 that look like and as our colleagues 726 00:26:51,554 --> 00:26:53,780 in R&E move on to 6G and next year 727 00:26:53,780 --> 00:26:55,891 and keep leading us in that direction 728 00:26:55,891 --> 00:26:58,002 to stay ahead of our adversaries . So 729 00:26:58,002 --> 00:26:59,836 yes sir , I see us as having the 730 00:26:59,836 --> 00:27:02,002 overall baton but to be honest we have 731 00:27:02,002 --> 00:27:04,002 to define exactly what that's gonna 732 00:27:04,002 --> 00:27:06,224 look okay . But that makes it a broader 733 00:27:06,224 --> 00:27:08,447 assumption as well than CIO will be for 734 00:27:08,447 --> 00:27:10,558 lack of a better term . You'll be the 735 00:27:10,558 --> 00:27:12,600 repository for five G . 
Um not not 736 00:27:12,610 --> 00:27:14,890 military operations but you're you will 737 00:27:14,890 --> 00:27:18,050 be the The keeper of 5G for the 738 00:27:18,050 --> 00:27:20,680 department which once were using it . 739 00:27:20,690 --> 00:27:22,523 Yes , sir . That's based on that 740 00:27:22,523 --> 00:27:24,690 assumption . Subject to administration 741 00:27:24,690 --> 00:27:26,357 and departmental guidance and 742 00:27:26,357 --> 00:27:28,468 legislation from you all sir . Yeah , 743 00:27:28,468 --> 00:27:31,270 that's great . I only have 20 seconds 744 00:27:31,270 --> 00:27:33,300 I'll ask the question but we may be 745 00:27:33,300 --> 00:27:35,356 able to come back so I'll give you a 746 00:27:35,356 --> 00:27:37,467 heads up . It's just a question about 747 00:27:37,467 --> 00:27:39,356 the JAIC and specifically the AI 748 00:27:39,356 --> 00:27:41,620 education strategy uh that was part of 749 00:27:41,620 --> 00:27:44,730 the 2020 N . D . A . So if you have an 750 00:27:44,730 --> 00:27:48,000 update on that and specifically on that 751 00:27:48,000 --> 00:27:51,240 as well , um any information on the D O . 752 00:27:51,240 --> 00:27:53,462 D . S perspective , your perspective on 753 00:27:53,462 --> 00:27:55,573 the National Security Commission on AI and 754 00:27:55,573 --> 00:27:58,660 identification to be a AI ready by 755 00:27:58,660 --> 00:28:02,130 2025 . And will we be ready with 756 00:28:02,130 --> 00:28:04,297 that ? I'll yield back and you can too 757 00:28:04,297 --> 00:28:06,519 on that while we work through the first 758 00:28:06,519 --> 00:28:08,574 round . Thank you . Mr Chair . Mhm . 759 00:28:11,140 --> 00:28:13,240 Thank you . Mr . Carson . Mr Moore is 760 00:28:13,250 --> 00:28:16,130 recognized five minutes . Thank you 761 00:28:16,130 --> 00:28:18,241 Chairman . Uh Thank you all for being 762 00:28:18,241 --> 00:28:20,420 here . 
The intelligence community 763 00:28:20,420 --> 00:28:22,642 through its commercial cloud enterprise 764 00:28:22,642 --> 00:28:24,753 initiative , recently moved away from 765 00:28:24,753 --> 00:28:26,920 its previous approach of utilizing one 766 00:28:26,920 --> 00:28:29,087 cloud provider and has instead adopted 767 00:28:29,087 --> 00:28:31,087 a new approach to cloud computing . 768 00:28:31,087 --> 00:28:32,753 Generally , I I'm in favor of 769 00:28:32,753 --> 00:28:34,976 increasing competition and innovation . 770 00:28:34,976 --> 00:28:37,031 I believe this ensures access to the 771 00:28:37,031 --> 00:28:39,087 latest emerging technologies and the 772 00:28:39,087 --> 00:28:41,253 benefit of price competition , as well 773 00:28:41,253 --> 00:28:43,198 as the ability to procure services 774 00:28:43,198 --> 00:28:45,309 based on specific workload . Uh , and 775 00:28:45,309 --> 00:28:47,420 those and the needs . With that , I'm 776 00:28:47,420 --> 00:28:49,642 interested in learning how the Pentagon 777 00:28:49,642 --> 00:28:51,864 has approached cloud computing in order 778 00:28:51,864 --> 00:28:54,087 to maximize the benefits of competition 779 00:28:54,087 --> 00:28:55,864 while the crucial balance while 780 00:28:55,864 --> 00:28:58,031 balancing the needs of managing highly 781 00:28:58,031 --> 00:29:00,198 sensitive , often classified a D . O . 782 00:29:00,198 --> 00:29:02,600 D material . So , my question um , to 783 00:29:02,600 --> 00:29:05,650 Mr Sherman , the Pentagon's $10 billion 784 00:29:05,650 --> 00:29:07,990 JEDI program has been mired in 785 00:29:07,990 --> 00:29:10,360 ongoing , years long litigation . 
One 786 00:29:10,360 --> 00:29:12,304 of the key objectives for the JEDI 787 00:29:12,304 --> 00:29:14,304 contract is to move at the speed of 788 00:29:14,304 --> 00:29:16,416 relevance to support the delivery and 789 00:29:16,416 --> 00:29:16,140 sharing information in real time for 790 00:29:16,140 --> 00:29:18,140 our nation's warfighters , but with 791 00:29:18,140 --> 00:29:20,140 years of delays , that is still not 792 00:29:20,140 --> 00:29:22,251 happened . I know JEDI is in litigation 793 00:29:22,251 --> 00:29:24,140 and your comments may be short on 794 00:29:24,140 --> 00:29:26,362 specifics , but can you speak generally 795 00:29:26,362 --> 00:29:28,529 about how the office of of C . I . O . 796 00:29:28,529 --> 00:29:30,751 Is approaching cloud currently and what 797 00:29:30,751 --> 00:29:32,807 plans are in place or being made for 798 00:29:32,807 --> 00:29:34,751 the department of for future cloud 799 00:29:34,751 --> 00:29:37,170 services . Yes , sir . So starting with 800 00:29:37,170 --> 00:29:39,670 cloud writ large , we went from a 801 00:29:39,670 --> 00:29:42,200 situation where we had maybe almost 802 00:29:42,250 --> 00:29:44,930 1000 flowers blooming to really start 803 00:29:44,930 --> 00:29:46,819 to consolidate down where we have 804 00:29:46,819 --> 00:29:49,041 roughly a dozen as we call them fit for 805 00:29:49,041 --> 00:29:51,152 purpose clouds . You've heard of some 806 00:29:51,152 --> 00:29:53,208 of them milCloud 2.0 . The Air 807 00:29:53,208 --> 00:29:56,600 Force's Cloud One , the News Cloud Army 808 00:29:56,610 --> 00:29:58,610 see army as they call and I go into 809 00:29:58,610 --> 00:30:01,490 some others where we're using those as 810 00:30:01,490 --> 00:30:04,040 platforms for software development for 811 00:30:04,040 --> 00:30:06,490 some of the AI activity at the 812 00:30:06,490 --> 00:30:09,250 unclassified and secret level . 
In some 813 00:30:09,250 --> 00:30:11,472 cases , some our on premises , some are 814 00:30:11,472 --> 00:30:13,750 off premises . But this gets into that . 815 00:30:13,750 --> 00:30:15,972 In my opening statement about the cloud 816 00:30:15,972 --> 00:30:17,861 converse , NC . In the department 817 00:30:17,861 --> 00:30:20,083 moving from a capital expenditure Capex 818 00:30:20,083 --> 00:30:22,028 model to where we maintain all the 819 00:30:22,028 --> 00:30:24,194 infrastructure and all the hardware to 820 00:30:24,194 --> 00:30:26,750 an op X or operations expenditure model , 821 00:30:26,760 --> 00:30:28,982 which we would use in a cloud setting . 822 00:30:28,982 --> 00:30:31,038 So it's not only having the software 823 00:30:31,038 --> 00:30:32,816 development , the def sec . Ops 824 00:30:32,816 --> 00:30:34,920 workloads , but learning how to live 825 00:30:34,930 --> 00:30:37,097 and operate in a cloud environment and 826 00:30:37,097 --> 00:30:39,260 that we've done so we've been able to 827 00:30:39,260 --> 00:30:41,680 work on that across the services across 828 00:30:41,680 --> 00:30:43,680 the enterprise and with the defense 829 00:30:43,680 --> 00:30:46,110 agencies and field activities . To your 830 00:30:46,110 --> 00:30:49,010 point , we still also have an urgent 831 00:30:49,010 --> 00:30:51,930 unmet need for an enterprise cloud 832 00:30:51,940 --> 00:30:54,880 capability at all three security levels 833 00:30:54,890 --> 00:30:57,000 unclassified secret and top secret . 834 00:30:57,010 --> 00:30:58,899 That extends all the way from the 835 00:30:58,899 --> 00:31:00,788 headquarters , all the way to the 836 00:31:00,788 --> 00:31:02,899 tactical edge . And that has not gone 837 00:31:02,899 --> 00:31:04,788 away at this time . 
And as Deputy 838 00:31:04,788 --> 00:31:07,010 secretary hicks made some recent public 839 00:31:07,010 --> 00:31:09,066 statements were continuing to assess 840 00:31:09,066 --> 00:31:11,730 our next steps vis a vis the what comes 841 00:31:11,730 --> 00:31:14,460 next , or what should we be doing with 842 00:31:14,460 --> 00:31:16,404 that enterprise , cloud urgent and 843 00:31:16,404 --> 00:31:18,349 unmet need and that's where we are 844 00:31:18,349 --> 00:31:20,238 right now in the cloud movie star 845 00:31:20,238 --> 00:31:22,550 pending your further questions is um 846 00:31:22,560 --> 00:31:24,480 what leveraging public private 847 00:31:24,490 --> 00:31:27,840 partnerships uh help in that regard , 848 00:31:27,850 --> 00:31:29,794 given the fact that , you know , a 849 00:31:29,794 --> 00:31:31,730 healthy majority of cyber 850 00:31:31,730 --> 00:31:33,952 infrastructure in this country is owned 851 00:31:33,952 --> 00:31:36,174 by the private industry , um you see an 852 00:31:36,174 --> 00:31:38,397 opportunity to leverage that with those 853 00:31:38,397 --> 00:31:40,286 particular challenges and and and 854 00:31:40,286 --> 00:31:42,341 moving forward . I think some of the 855 00:31:42,341 --> 00:31:44,341 main challenges and we do obviously 856 00:31:44,341 --> 00:31:46,570 want to work very closely with our 857 00:31:46,570 --> 00:31:48,390 industry partners on their best 858 00:31:48,400 --> 00:31:50,410 capabilities , gets into the cyber 859 00:31:50,410 --> 00:31:53,500 secure cybersecurity realm as we've 860 00:31:53,500 --> 00:31:55,770 seen , as we move from different impact 861 00:31:55,770 --> 00:31:57,937 levels , as we would call from I . L . 862 00:31:57,937 --> 00:31:59,937 Or impact level to which is what we 863 00:31:59,937 --> 00:32:02,048 just did on that commercial , virtual 864 00:32:02,048 --> 00:32:04,048 remote , that covid era remote work 865 00:32:04,048 --> 00:32:06,420 capability up now to what we call D . O . 
866 00:32:06,420 --> 00:32:09,980 D 3 65 to get onto an impact level five 867 00:32:09,990 --> 00:32:12,950 enclave that that in this case 868 00:32:12,950 --> 00:32:14,839 Microsoft helped set up for us in 869 00:32:14,839 --> 00:32:17,260 different tenants Of which we have 13 870 00:32:17,260 --> 00:32:19,680 of them . So sir , a lot of that we 871 00:32:19,680 --> 00:32:21,347 appreciate the public private 872 00:32:21,347 --> 00:32:23,291 partnership but for the Department 873 00:32:23,291 --> 00:32:24,847 of Defense and for our mission 874 00:32:24,847 --> 00:32:27,013 cybersecurity is going to be paramount 875 00:32:27,013 --> 00:32:29,236 in that discussion . Yeah , and I would 876 00:32:29,236 --> 00:32:31,440 agree with that . I mean it started 877 00:32:31,450 --> 00:32:33,880 these this questioning was talking 878 00:32:33,880 --> 00:32:36,102 about the intelligence community so and 879 00:32:36,102 --> 00:32:38,380 and absolutely respect that . Uh I look 880 00:32:38,380 --> 00:32:40,547 at look at our Space Force , right and 881 00:32:40,547 --> 00:32:42,658 how our Space Force is able to leverage 882 00:32:42,658 --> 00:32:44,547 so much from the from the private 883 00:32:44,547 --> 00:32:48,220 sector . Just just him thinking about 884 00:32:48,230 --> 00:32:50,452 how we can create more efficiencies and 885 00:32:50,452 --> 00:32:53,360 and leverage it obviously paramount is 886 00:32:53,640 --> 00:32:56,190 is the classification and ability to do 887 00:32:56,190 --> 00:32:58,690 that . So uh 20 seconds left I'll yield 888 00:32:58,690 --> 00:33:01,500 back and and thank you very much . Yes 889 00:33:01,500 --> 00:33:04,080 sir , thank you . Mr Moore . Ms Houlahan 890 00:33:04,080 --> 00:33:06,136 is now recognized for five minutes . 891 00:33:06,540 --> 00:33:08,651 Thank you Mr Chair . 
And I just would 892 00:33:08,651 --> 00:33:10,818 like to say I find this this testimony 893 00:33:10,818 --> 00:33:12,651 riveting and so I appreciate the 894 00:33:12,651 --> 00:33:14,707 conversation . Uh and I'm glad to be 895 00:33:14,707 --> 00:33:17,160 here to to ask you questions . Uh I 896 00:33:17,160 --> 00:33:19,327 guess my first question has to do with 897 00:33:19,327 --> 00:33:21,271 the letter that I recently sent to 898 00:33:21,271 --> 00:33:23,271 Secretary Austin with several of my 899 00:33:23,271 --> 00:33:25,604 colleagues . And it asked the D . O . D . 900 00:33:25,604 --> 00:33:27,660 To implement a mandatory training on 901 00:33:27,660 --> 00:33:29,827 digital literacy and cyber citizenship 902 00:33:29,827 --> 00:33:31,827 within the D . O . D . The proposed 903 00:33:31,827 --> 00:33:33,827 defense budget would set aside 30.8 904 00:33:33,827 --> 00:33:35,938 million to help the pentagon improved 905 00:33:35,938 --> 00:33:38,160 tools to identify and address extremism 906 00:33:38,160 --> 00:33:40,327 amongst troops and to enhance training 907 00:33:40,327 --> 00:33:42,810 at all levels . It also included 9.1 908 00:33:42,810 --> 00:33:44,977 million to take initial steps to fight 909 00:33:44,977 --> 00:33:47,210 extremism and insider threats . I was 910 00:33:47,210 --> 00:33:49,432 wondering if you might be able to share 911 00:33:49,432 --> 00:33:51,599 a little bit of detail on what sort of 912 00:33:51,599 --> 00:33:53,710 tools there would be , possibly , and 913 00:33:53,710 --> 00:33:55,821 trainings there would be possibly and 914 00:33:55,821 --> 00:33:57,932 what they might look like for digital 915 00:33:57,932 --> 00:33:59,766 literacy , ma'am , or countering 916 00:33:59,766 --> 00:34:02,310 extremist specifically digital literacy . 
917 00:34:02,320 --> 00:34:04,800 The idea here , sir , is that we need 918 00:34:04,800 --> 00:34:06,578 to make sure that everybody has 919 00:34:06,578 --> 00:34:09,050 understanding of how to assess truth 920 00:34:09,060 --> 00:34:11,171 and how , you know , literacy is in a 921 00:34:11,171 --> 00:34:13,393 set of skills , it's not just reading , 922 00:34:13,393 --> 00:34:15,560 but it's also numeracy , its financial 923 00:34:15,560 --> 00:34:17,782 literacy , it's also just kind of civic 924 00:34:17,782 --> 00:34:20,116 engagement and understanding , you know , 925 00:34:20,116 --> 00:34:22,282 how to understand when you're being uh 926 00:34:22,282 --> 00:34:24,610 not told the truth . And so the digital 927 00:34:24,610 --> 00:34:26,610 literacy would be for our troops in 928 00:34:26,610 --> 00:34:29,120 that area , ma'am , at a high level , I 929 00:34:29,120 --> 00:34:31,176 will say , I know there are training 930 00:34:31,176 --> 00:34:33,398 opportunities all across the enterprise 931 00:34:33,398 --> 00:34:35,176 in terms specifically for those 932 00:34:35,176 --> 00:34:37,398 operating and ma'am , I know you've got 933 00:34:37,398 --> 00:34:39,231 a lot of experience in this from 934 00:34:39,231 --> 00:34:39,230 handsome and elsewhere for those 935 00:34:39,230 --> 00:34:41,670 operating in the digital space . But in 936 00:34:41,670 --> 00:34:43,670 terms I'd like to take this for the 937 00:34:43,670 --> 00:34:45,726 record to give you a holistic answer 938 00:34:45,726 --> 00:34:47,781 because I'm gonna be honest with you 939 00:34:47,781 --> 00:34:47,540 haven't had a chance to drill down on 940 00:34:47,540 --> 00:34:50,300 exactly how much we have for the 941 00:34:50,310 --> 00:34:52,530 everybody's digital of course . 
But if 942 00:34:52,530 --> 00:34:54,474 I'm not working in the information 943 00:34:54,474 --> 00:34:56,641 technology or cybersecurity and if I'm 944 00:34:56,641 --> 00:34:58,586 an operation , let's say , which I 945 00:34:58,586 --> 00:35:00,919 think is what your letter is getting at , 946 00:35:00,919 --> 00:35:03,086 I'd like to get back to you and take a 947 00:35:03,086 --> 00:35:05,141 look at that and see exactly what we 948 00:35:05,141 --> 00:35:07,363 have on the shelf and what we can do to 949 00:35:07,363 --> 00:35:09,252 expand what you're getting at two 950 00:35:09,252 --> 00:35:11,197 beyond the standard computer based 951 00:35:11,197 --> 00:35:13,197 training on on things like avoiding 952 00:35:13,197 --> 00:35:15,540 cybersecurity threats , but avoiding 953 00:35:15,540 --> 00:35:17,762 are doing the right things . So ma'am , 954 00:35:17,762 --> 00:35:19,818 I'd like to take that for the record 955 00:35:19,818 --> 00:35:22,040 and come back to know I appreciate that 956 00:35:22,040 --> 00:35:21,630 and I'd love to follow up with you on 957 00:35:21,630 --> 00:35:24,530 that . My next question is about 958 00:35:24,540 --> 00:35:26,780 investment in stem uh to make sure that 959 00:35:26,780 --> 00:35:30,330 we have competitive cyber professionals 960 00:35:30,340 --> 00:35:32,284 that are able to meet our nation's 961 00:35:32,284 --> 00:35:34,396 workforce demands . And so I'm really 962 00:35:34,396 --> 00:35:36,284 interested in your cyber accepted 963 00:35:36,284 --> 00:35:38,451 service at the hearing in april before 964 00:35:38,451 --> 00:35:40,396 the Senate Armed Service Personnel 965 00:35:40,396 --> 00:35:42,451 Committee . 
The acting Secretary for 966 00:35:42,451 --> 00:35:44,173 defense for civilian personnel 967 00:35:44,173 --> 00:35:46,007 testified that cyber exceptional 968 00:35:46,007 --> 00:35:47,729 service was important and that 969 00:35:47,729 --> 00:35:49,840 authorities have been able to enhance 970 00:35:49,840 --> 00:35:52,062 recruitment of cyber professionals . He 971 00:35:52,062 --> 00:35:53,784 pointed to the flexibility and 972 00:35:53,784 --> 00:35:56,007 compensation and classification of work 973 00:35:56,007 --> 00:35:58,173 requirements . As examples of how this 974 00:35:58,173 --> 00:36:00,229 program has been able to better meet 975 00:36:00,229 --> 00:36:02,451 targeted cyber needs . We also received 976 00:36:02,451 --> 00:36:04,618 testimony in the subcommittee from the 977 00:36:04,618 --> 00:36:06,673 U . S . Cyber com Commander that the 978 00:36:06,673 --> 00:36:08,673 mission and the opportunity to work 979 00:36:08,673 --> 00:36:10,451 with colleagues of such caliber 980 00:36:10,451 --> 00:36:12,618 provides the most unique and important 981 00:36:12,618 --> 00:36:14,840 competitive advantage than compensation 982 00:36:14,840 --> 00:36:14,090 when competing with the commercial 983 00:36:14,090 --> 00:36:16,090 industry . So I'd like to hear your 984 00:36:16,090 --> 00:36:18,650 take on what it is , what is and what 985 00:36:18,660 --> 00:36:20,549 isn't working with Cyber accepted 986 00:36:20,549 --> 00:36:22,650 service from an I . T . Perspective 987 00:36:22,660 --> 00:36:25,120 rather than from a personal perspective . 988 00:36:25,130 --> 00:36:27,297 Do you agree with the assessments that 989 00:36:27,297 --> 00:36:29,519 we've heard previously ? What would you 990 00:36:29,519 --> 00:36:31,741 like Congress to know about what is and 991 00:36:31,741 --> 00:36:33,797 what isn't working as we continue to 992 00:36:33,797 --> 00:36:35,963 examine these and other authorities to 993 00:36:35,963 --> 00:36:38,019 meet the D . O . D . 
Cyber needs . I 994 00:36:38,019 --> 00:36:40,130 think at a high level . I think CS is 995 00:36:40,130 --> 00:36:42,340 working well I think . And as I put my 996 00:36:42,340 --> 00:36:44,680 written testimony we've got about 9000 997 00:36:44,680 --> 00:36:46,847 civilian positions that it could apply 998 00:36:46,847 --> 00:36:48,958 to and we've got about 6500 that have 999 00:36:48,958 --> 00:36:51,180 been converted . This has been as us at 1000 00:36:51,180 --> 00:36:53,402 an enterprise level learning how to use 1001 00:36:53,402 --> 00:36:55,730 this capability to the best advantage , 1002 00:36:55,740 --> 00:36:57,851 getting it out there to the different 1003 00:36:57,851 --> 00:36:59,962 services and components on how to use 1004 00:36:59,962 --> 00:37:01,907 it . And also as we use the target 1005 00:37:01,907 --> 00:37:04,320 local targeted local market supplement 1006 00:37:04,320 --> 00:37:06,670 T LMS to the best advantage and the 1007 00:37:06,670 --> 00:37:09,080 other capable that CS provides us for 1008 00:37:09,080 --> 00:37:12,400 expedited hiring and benefits and so on 1009 00:37:12,400 --> 00:37:14,670 to get that talent in the door . 
I 1010 00:37:14,670 --> 00:37:16,781 would say this really does have to be 1011 00:37:16,781 --> 00:37:18,980 nested in a broader cyber workforce 1012 00:37:18,980 --> 00:37:21,460 strategy , which I've actually launched 1013 00:37:21,630 --> 00:37:23,980 and we aim to publish early next year 1014 00:37:23,980 --> 00:37:26,091 on what is it we're trying to do with 1015 00:37:26,091 --> 00:37:28,600 CS and all these other tools in our 1016 00:37:28,600 --> 00:37:30,710 tool kit here and to increase the 1017 00:37:30,710 --> 00:37:33,160 diversity , the capability , the 1018 00:37:33,160 --> 00:37:35,382 converse unsee of our workforce for the 1019 00:37:35,382 --> 00:37:37,049 21st century threats and also 1020 00:37:37,049 --> 00:37:39,960 leveraging back to the , the stem 1021 00:37:39,960 --> 00:37:42,016 training things like the N . S . A . 1022 00:37:42,016 --> 00:37:44,270 Scholarship program they have and being 1023 00:37:44,270 --> 00:37:46,400 able to fit that in and also the 1024 00:37:46,410 --> 00:37:47,966 accreditation they have for 1025 00:37:47,966 --> 00:37:50,021 institutions around the country from 1026 00:37:50,021 --> 00:37:51,799 junior colleges up to four year 1027 00:37:51,799 --> 00:37:53,880 institutions . So what I saw lacking 1028 00:37:53,890 --> 00:37:56,112 was we didn't have one place . We had a 1029 00:37:56,112 --> 00:37:58,223 little bit in our cyber strategy . We 1030 00:37:58,223 --> 00:38:00,390 need a cyber workforce strategy and as 1031 00:38:00,390 --> 00:38:02,557 a matter of fact I chaired the first , 1032 00:38:02,557 --> 00:38:04,612 I need to make sure I get this right 1033 00:38:04,612 --> 00:38:06,390 the swim be the cyber workforce 1034 00:38:06,390 --> 00:38:08,501 management board . We hadn't held one 1035 00:38:08,501 --> 00:38:10,668 in a year . 
I said we need to hold one 1036 00:38:10,668 --> 00:38:12,723 which we excuse me , I co chair with 1037 00:38:12,723 --> 00:38:16,420 personnel resources and and uh vodka to 1038 00:38:16,420 --> 00:38:18,587 be able to start to look at these hard 1039 00:38:18,587 --> 00:38:20,809 problems that you're getting . That man 1040 00:38:20,809 --> 00:38:22,976 with CS and some of these other talent 1041 00:38:22,976 --> 00:38:25,170 issues we've got to get right . I know 1042 00:38:25,170 --> 00:38:27,226 my time has expired and I yield back 1043 00:38:27,226 --> 00:38:30,450 thank you thank you Miss 1044 00:38:30,450 --> 00:38:32,810 Hoolahan . Before we go to the second 1045 00:38:32,810 --> 00:38:36,100 round , is there any member who is not 1046 00:38:36,100 --> 00:38:38,100 ask the question in the first round 1047 00:38:38,100 --> 00:38:40,370 that wants to ask a question ? Should I 1048 00:38:40,370 --> 00:38:43,880 think our members remotely okay . Um 1049 00:38:43,890 --> 00:38:46,057 hearing none . We're gonna move to the 1050 00:38:46,057 --> 00:38:49,670 second round and I'll recognize myself 1051 00:38:49,680 --> 00:38:51,660 for the first . Around the second 1052 00:38:51,660 --> 00:38:55,490 questions . Um So out of the 17 1053 00:38:55,490 --> 00:38:58,740 unfunded priority uh list submitted by 1054 00:38:58,740 --> 00:39:01,880 D . O . D . Uh components and commands . 1055 00:39:01,890 --> 00:39:05,020 There are a total of $1.2 billion in I . 1056 00:39:05,020 --> 00:39:08,090 T . Related requests . Obviously no 1057 00:39:08,090 --> 00:39:10,690 small number as the D . O . D . 1058 00:39:10,700 --> 00:39:13,970 Officials responsible for compiling and 1059 00:39:13,970 --> 00:39:16,220 certifying the department's I . T . In 1060 00:39:16,220 --> 00:39:18,670 cyberspace activities budget . Uh What 1061 00:39:18,670 --> 00:39:20,970 does it say that the various components 1062 00:39:20,980 --> 00:39:23,820 have identified I . T . 
And cyber 1063 00:39:23,820 --> 00:39:26,990 requirements uh May judge to be 1064 00:39:27,000 --> 00:39:30,250 critical but do not prioritize them 1065 00:39:30,260 --> 00:39:33,080 enough and the normal budget process to 1066 00:39:33,080 --> 00:39:34,802 make sure that they are in the 1067 00:39:34,802 --> 00:39:38,550 President's budget . So as a C . I . O . 1068 00:39:38,550 --> 00:39:40,550 This is an ongoing thing we need to 1069 00:39:40,550 --> 00:39:42,272 always be looking at , we have 1070 00:39:42,272 --> 00:39:45,240 certified the budget as required for 1071 00:39:45,240 --> 00:39:47,410 sufficiency to ensure that as we look 1072 00:39:47,410 --> 00:39:49,632 at our digital modernization priorities 1073 00:39:49,640 --> 00:39:51,810 that the components submitting the 1074 00:39:51,810 --> 00:39:53,560 services and so on have funded 1075 00:39:53,560 --> 00:39:56,140 sufficiently to reach that as well as 1076 00:39:56,140 --> 00:39:58,480 within the submitted budget . The 1077 00:39:58,490 --> 00:40:01,030 increase roughly I think five or so 1078 00:40:01,030 --> 00:40:03,197 percent . Since last year we have seen 1079 00:40:03,197 --> 00:40:05,610 an increase our our submitted increase 1080 00:40:05,620 --> 00:40:07,731 to get after what we need to get to . 1081 00:40:07,731 --> 00:40:09,842 But to your point about you for sir , 1082 00:40:09,842 --> 00:40:11,898 being able to have the governance to 1083 00:40:11,898 --> 00:40:14,010 work with them to ensure that this is 1084 00:40:14,010 --> 00:40:16,970 being submitted properly and not 1085 00:40:16,980 --> 00:40:18,980 outside of what we're certifying is 1086 00:40:18,980 --> 00:40:21,091 something I will continue to focus on 1087 00:40:21,091 --> 00:40:23,147 his C . I . O . To ensure we can get 1088 00:40:23,147 --> 00:40:25,290 this right . 
But I feel that we have 1089 00:40:25,300 --> 00:40:27,467 certified a good budget that we have , 1090 00:40:27,467 --> 00:40:29,578 what we need to cover down on digital 1091 00:40:29,578 --> 00:40:31,633 modernization priorities . And we'll 1092 00:40:31,633 --> 00:40:33,856 continue to watch this closely with our 1093 00:40:33,856 --> 00:40:33,530 component colleagues 1094 00:40:39,110 --> 00:40:42,820 first . Uh huh . 1095 00:40:43,810 --> 00:40:44,830 Okay . Um 1096 00:40:47,910 --> 00:40:51,660 so I have consistently advocated 1097 00:40:51,660 --> 00:40:55,070 for more dedicated senior leadership uh 1098 00:40:55,070 --> 00:40:57,860 and focus for electromagnetic spectrum 1099 00:40:57,860 --> 00:41:00,650 operations at the department . Mr 1100 00:41:00,650 --> 00:41:02,928 Sherman . Uh In your written testimony , 1101 00:41:02,928 --> 00:41:05,150 you wrote that the C . I . O . Has been 1102 00:41:05,150 --> 00:41:07,830 assigned and designated as uh senior 1103 00:41:07,830 --> 00:41:10,720 official for long term implementation 1104 00:41:10,730 --> 00:41:13,120 of the 2020 spectrum uh superiority 1105 00:41:13,120 --> 00:41:15,320 strategy . When will this uh 1106 00:41:15,330 --> 00:41:17,441 implementation plan be released ? And 1107 00:41:17,441 --> 00:41:20,090 how do you intend to carry it out ? And 1108 00:41:20,090 --> 00:41:22,970 why would this plan be successful while 1109 00:41:22,980 --> 00:41:25,240 other others have fallen short ? 1110 00:41:26,810 --> 00:41:29,490 So on the question , we expect the 1111 00:41:29,490 --> 00:41:31,640 implementation plan to be signed very 1112 00:41:31,640 --> 00:41:33,862 soon by the secretary . 
I don't have an 1113 00:41:33,862 --> 00:41:36,084 exact date , but we've got this teed up 1114 00:41:36,084 --> 00:41:39,650 ready to go and in terms of why it will 1115 00:41:39,650 --> 00:41:43,360 be successful , the commitment from the 1116 00:41:43,370 --> 00:41:46,050 Department , from the Joint Chiefs to 1117 00:41:46,050 --> 00:41:49,300 the OSD side and recognizing that we've 1118 00:41:49,310 --> 00:41:51,410 got to get this right in a near peer 1119 00:41:51,410 --> 00:41:53,577 competitor environment and not that we 1120 00:41:53,577 --> 00:41:55,632 haven't been focusing on this during 1121 00:41:55,632 --> 00:41:57,799 the wars in Afghanistan and Iraq . But 1122 00:41:57,799 --> 00:41:59,743 as we look at china and Russia and 1123 00:41:59,743 --> 00:42:01,688 other adversaries in that regard , 1124 00:42:01,700 --> 00:42:03,922 electromagnetic spectrum is going to be 1125 00:42:03,922 --> 00:42:06,089 critical just as critical as kinetic , 1126 00:42:06,089 --> 00:42:09,520 long range fires , space , cyberspace 1127 00:42:09,520 --> 00:42:11,798 and so on . We've got to be successful . 1128 00:42:11,798 --> 00:42:13,909 So the commitment from the chairman , 1129 00:42:13,909 --> 00:42:16,076 the Vice Chairman , Secretary , Deputy 1130 00:42:16,076 --> 00:42:18,187 Secretary and everybody has been very 1131 00:42:18,187 --> 00:42:20,353 strong . So we're confident that we're 1132 00:42:20,353 --> 00:42:22,409 gonna have what we need And back , I 1133 00:42:22,409 --> 00:42:24,576 think to your middle question sir , we 1134 00:42:24,576 --> 00:42:26,353 do . We are the main overseeing 1135 00:42:26,353 --> 00:42:28,610 official for this . 
The Vice Chairman 1136 00:42:28,620 --> 00:42:31,030 through the joint staff is leading a 1137 00:42:31,040 --> 00:42:34,430 CFT a functional team working on this 1138 00:42:34,600 --> 00:42:37,160 and come start of fiscal 22 , we're 1139 00:42:37,160 --> 00:42:39,520 going to take the baton as the 1140 00:42:40,100 --> 00:42:42,380 implementing office for this . So we 1141 00:42:42,380 --> 00:42:44,390 are the overall lead responsible 1142 00:42:44,400 --> 00:42:46,400 official for the department . Joint 1143 00:42:46,400 --> 00:42:48,400 staff is working the CFT and we're 1144 00:42:48,400 --> 00:42:50,400 ready to pick that up . And sir , I 1145 00:42:50,400 --> 00:42:52,511 feel we've got the commitment on this 1146 00:42:52,511 --> 00:42:54,733 across the services and the seriousness 1147 00:42:54,733 --> 00:42:56,844 recognizing the threats we face right 1148 00:42:56,844 --> 00:43:00,730 now . Very good . All right , 1149 00:43:00,740 --> 00:43:03,680 thank you , Mr Sherman . Uh with that , as 1150 00:43:03,680 --> 00:43:06,550 Ms Bice has not uh asked the question 1151 00:43:06,550 --> 00:43:10,030 yet , I'll yield to Ms Bice for five 1152 00:43:10,030 --> 00:43:12,810 minutes . Thank you so much , Mr 1153 00:43:12,810 --> 00:43:14,810 Chairman , for holding this important 1154 00:43:14,810 --> 00:43:18,770 hearing today . Um That Mr 1155 00:43:18,770 --> 00:43:20,826 Sherman , thank you for being here . 1156 00:43:20,826 --> 00:43:22,992 The D . O . D .'s cloud strategy calls 1157 00:43:22,992 --> 00:43:25,620 for three clouds , milCloud 2.0 , 1158 00:43:25,630 --> 00:43:28,730 a secure on premise cloud , the defense 1159 00:43:28,740 --> 00:43:30,870 enterprise solutions , cloud based 1160 00:43:30,870 --> 00:43:32,981 secure collaboration solution and the 1161 00:43:32,981 --> 00:43:36,590 JEDI general purpose cloud .
Um Fourth 1162 00:43:36,590 --> 00:43:38,820 Estate agencies were directed to move 1163 00:43:39,300 --> 00:43:41,189 to the milCloud 2.0 , but 1164 00:43:41,189 --> 00:43:43,522 adoption has been incredibly slow . Today , 1165 00:43:43,522 --> 00:43:45,689 only 3% of the targeted workloads have 1166 00:43:45,689 --> 00:43:47,980 migrated to the milCloud . Uh this has 1167 00:43:47,980 --> 00:43:49,770 delayed realization of enhanced 1168 00:43:49,770 --> 00:43:51,826 security , which is paramount in the 1169 00:43:51,826 --> 00:43:53,714 light of the most recent Colonial 1170 00:43:53,714 --> 00:43:55,826 Pipeline and SolarWinds cybersecurity 1171 00:43:55,826 --> 00:43:58,159 attacks . Um a little bit of background . 1172 00:43:58,159 --> 00:44:00,450 I come from back a family business that 1173 00:44:00,450 --> 00:44:02,672 has dealt in the technology space and I 1174 00:44:02,672 --> 00:44:04,839 recognize the critical need for us to 1175 00:44:04,839 --> 00:44:07,006 protect our assets , especially in the 1176 00:44:07,006 --> 00:44:08,783 cyberspace . Will the D . O . D . 1177 00:44:08,783 --> 00:44:10,783 enforce the 2018 mandate directing 1178 00:44:10,783 --> 00:44:12,894 milCloud 2.0 migration by the 1179 00:44:12,894 --> 00:44:16,840 Fourth Estate ? We're going to ensure 1180 00:44:16,850 --> 00:44:18,906 that it's being used where it can be 1181 00:44:18,906 --> 00:44:21,460 used and ensuring that the DAFAs , the 1182 00:44:21,460 --> 00:44:23,571 defense agencies and field activities 1183 00:44:23,571 --> 00:44:25,682 that need the on-prem capability that 1184 00:44:25,682 --> 00:44:28,470 it provides are going to use it . In 1185 00:44:28,470 --> 00:44:31,640 terms of what was directed in 2018 , 1186 00:44:31,650 --> 00:44:33,817 I'm frankly from my seat going to take 1187 00:44:33,817 --> 00:44:35,983 a more nuanced approach on this .
milCloud 1188 00:44:35,983 --> 00:44:38,150 2.0 is a powerful capability 1189 00:44:38,150 --> 00:44:40,261 on-prem . To your point , it operates 1190 00:44:40,261 --> 00:44:42,539 at IL5 . It's not yet accredited at 1191 00:44:42,539 --> 00:44:45,860 IL6 secret . And roughly 25% of the 1192 00:44:45,860 --> 00:44:49,550 DAFA migrations that have occurred from 1193 00:44:49,550 --> 00:44:52,320 legacy to cloud based solutions have 1194 00:44:52,320 --> 00:44:54,520 gone to milCloud 2.0 . It's a 1195 00:44:54,520 --> 00:44:56,576 powerful arrow in our quiver but not 1196 00:44:56,576 --> 00:44:58,520 the only one . And so that's the 1197 00:44:58,520 --> 00:45:00,570 approach I'm taking on this . It is 1198 00:45:00,570 --> 00:45:03,190 definitely a good capability to have . 1199 00:45:03,190 --> 00:45:05,357 It is not our only capability . And so 1200 00:45:05,357 --> 00:45:07,468 that's how I'm approaching this , ma'am . 1201 00:45:07,468 --> 00:45:09,468 If I may follow up , so you're you're 1202 00:45:09,468 --> 00:45:11,690 suggesting only 25% has migrated to the 1203 00:45:11,690 --> 00:45:13,970 cloud , what is the other 75% doing ? 1204 00:45:13,980 --> 00:45:15,924 They're going to other cloud-based 1205 00:45:15,924 --> 00:45:18,900 capabilities . Amazon , Microsoft and DISA 1206 00:45:18,900 --> 00:45:21,122 have provided cloud capabilities to get 1207 00:45:21,122 --> 00:45:23,233 off of legacy platforms . Do you feel 1208 00:45:23,233 --> 00:45:25,400 like the migrating to those particular 1209 00:45:25,400 --> 00:45:29,250 platforms provides um a security 1210 00:45:29,250 --> 00:45:31,417 that you feel comfortable with ? Yes , 1211 00:45:31,417 --> 00:45:34,530 ma'am . It does . Okay .
Uh follow up 1212 00:45:34,530 --> 00:45:36,920 questions to that if I can , 1213 00:45:38,390 --> 00:45:40,670 um our adversaries have made it known 1214 00:45:40,670 --> 00:45:42,503 that they plan to use artificial 1215 00:45:42,503 --> 00:45:44,448 intelligence to gain a competitive 1216 00:45:44,448 --> 00:45:46,670 advantage in cyberspace . What is the 1217 00:45:46,670 --> 00:45:48,559 D . O . D . doing to match and exceed any 1218 00:45:48,559 --> 00:45:50,503 capabilities our adversaries might 1219 00:45:50,503 --> 00:45:52,448 develop in the space to defend our 1220 00:45:52,448 --> 00:45:54,670 assets and ensure D . O . D . can effectively 1221 00:45:54,670 --> 00:45:56,850 carry out its mission ? What keeps you 1222 00:45:56,850 --> 00:45:59,410 up at night ? What keeps me up at night 1223 00:45:59,410 --> 00:46:01,410 are cyber threats of the kind we're 1224 00:46:01,410 --> 00:46:03,466 seeing across the country , not only 1225 00:46:03,466 --> 00:46:05,632 against the government but against the 1226 00:46:05,632 --> 00:46:07,521 private sector . This is the main 1227 00:46:07,521 --> 00:46:09,688 reason I am so committed to moving out 1228 00:46:09,688 --> 00:46:11,799 with the Zero Trust implementation at 1229 00:46:11,799 --> 00:46:14,132 the Department of Defense . I want D . O . D . 1230 00:46:14,132 --> 00:46:13,750 to be a leader in this space . Zero 1231 00:46:13,750 --> 00:46:16,028 Trust has been bandied about for years . 1232 00:46:16,028 --> 00:46:18,028 Some in the private sector may have 1233 00:46:18,028 --> 00:46:20,083 achieved this at some level , but no 1234 00:46:20,083 --> 00:46:21,806 department has at the level I'm 1235 00:46:21,806 --> 00:46:23,972 suggesting , with an assumption that the 1236 00:46:23,972 --> 00:46:26,083 adversary is on the network .
We must 1237 00:46:26,083 --> 00:46:28,194 segment in a way we never have before , 1238 00:46:28,194 --> 00:46:30,139 instrument the network in a way we 1239 00:46:30,139 --> 00:46:32,083 haven't with and using things like 1240 00:46:32,083 --> 00:46:34,306 identity , credential , access management , 1241 00:46:34,306 --> 00:46:37,040 endpoint security , comply to connect 1242 00:46:37,040 --> 00:46:39,096 and it's not one thing you buy but a 1243 00:46:39,096 --> 00:46:41,262 host of capabilities . I know what the 1244 00:46:41,262 --> 00:46:43,429 Chinese and Russians want to do to our 1245 00:46:43,429 --> 00:46:45,651 networks and this is the most important 1246 00:46:45,651 --> 00:46:47,762 role I have as C . I . O . , along with 1247 00:46:47,762 --> 00:46:49,818 other types of modernization for our 1248 00:46:49,818 --> 00:46:51,984 warfighters , keeping our network safe . 1249 00:46:51,984 --> 00:46:54,980 I've often noted that right now the 1250 00:46:54,980 --> 00:46:57,410 offensive side has all the capability 1251 00:46:57,410 --> 00:46:59,521 and we on the defensive side have got 1252 00:46:59,521 --> 00:47:01,632 to run a new defense to use one of my 1253 00:47:01,632 --> 00:47:03,799 football terms . We're gonna run a new 1254 00:47:03,799 --> 00:47:05,910 defense . That's what keeps me up and 1255 00:47:05,910 --> 00:47:08,077 it's gonna involve making it about the 1256 00:47:08,077 --> 00:47:10,188 data and the systems as well as , ma'am , 1257 00:47:10,188 --> 00:47:12,243 artificial intelligence , how we can 1258 00:47:12,243 --> 00:47:14,077 bring that to bear so we don't 1259 00:47:14,077 --> 00:47:16,299 segment ourselves and have to have tens 1260 00:47:16,299 --> 00:47:18,299 of thousands of defenders doing the 1261 00:47:18,299 --> 00:47:20,521 work that instead A I algorithms can 1262 00:47:20,521 --> 00:47:20,500 do . So that's gonna be part of Zero 1263 00:47:20,500 --> 00:47:22,650 Trust as well . Mr Sherman .
I 1264 00:47:22,660 --> 00:47:24,660 appreciate your answer . One of the 1265 00:47:24,660 --> 00:47:26,882 concerns I have however , is um looking 1266 00:47:26,882 --> 00:47:28,771 at as a freshman legislator , I'm 1267 00:47:28,771 --> 00:47:30,438 probably bringing a different 1268 00:47:30,438 --> 00:47:32,604 perspective uh , the time it is taking 1269 00:47:32,604 --> 00:47:34,827 to actually get these services migrated 1270 00:47:34,827 --> 00:47:36,910 to either cloud based solutions or 1271 00:47:36,910 --> 00:47:39,530 others that can protect our assets . Uh 1272 00:47:39,540 --> 00:47:41,596 we talked about milCloud 2.0 1273 00:47:41,596 --> 00:47:43,707 being implemented in 2018 and here we 1274 00:47:43,707 --> 00:47:45,929 are three years later with a very small 1275 00:47:45,929 --> 00:47:48,151 percentage that have been migrated . Um 1276 00:47:48,151 --> 00:47:50,318 how can we effectively speed things up 1277 00:47:50,318 --> 00:47:52,373 in a way that will make sure that we 1278 00:47:52,373 --> 00:47:54,670 are doing it in a thoughtful way , but 1279 00:47:54,670 --> 00:47:56,614 we're also protecting our assets ? 1280 00:47:56,614 --> 00:47:58,837 Ma'am , I would just add of the defense 1281 00:47:58,837 --> 00:48:00,948 agencies and field activities , the first 1282 00:48:00,948 --> 00:48:02,948 14 of them in our first tranche , we 1283 00:48:02,948 --> 00:48:04,948 moved 97% of their applications off 1284 00:48:04,948 --> 00:48:07,130 legacy to cloud . Of the four areas I 1285 00:48:07,130 --> 00:48:09,510 talked about as well as the services 1286 00:48:09,510 --> 00:48:11,690 have made great progress , shut down 1287 00:48:11,690 --> 00:48:13,850 legacy data centers and got to managed 1288 00:48:13,850 --> 00:48:15,850 services like cloud .
We are moving 1289 00:48:15,850 --> 00:48:17,683 aggressively in this direction , 1290 00:48:17,683 --> 00:48:19,920 recognizing the vulnerability of legacy 1291 00:48:19,940 --> 00:48:21,870 to cybersecurity threats . So we 1292 00:48:21,870 --> 00:48:23,814 appreciate your comments on that , 1293 00:48:23,814 --> 00:48:26,037 ma'am . Thank you , Mr Chairman , I yield 1294 00:48:26,037 --> 00:48:29,650 back . Mhm . Thank you , Ms Bice . Mr 1295 00:48:29,650 --> 00:48:31,761 Parsons is recognized for five minutes . 1296 00:48:31,761 --> 00:48:33,761 Thank you , Mr Chair . Mr Sherman , 1297 00:48:33,761 --> 00:48:35,650 thanks for sticking around for my 1298 00:48:35,650 --> 00:48:35,370 second round of questions , appreciate 1299 00:48:35,370 --> 00:48:38,250 it . Had a question regarding uh first 1300 00:48:38,250 --> 00:48:41,690 off section 256 of the FY20 NDAA , 1301 00:48:41,690 --> 00:48:43,301 which required the D . O . D . 1302 00:48:43,301 --> 00:48:45,550 develop an AI education strategy 1303 00:48:45,560 --> 00:48:47,893 and JAIC is responsible for that effort . 1304 00:48:47,970 --> 00:48:50,620 Uh Do you have an update on that , sir ? 1305 00:48:50,620 --> 00:48:52,620 I'm gonna have to take this for the 1306 00:48:52,620 --> 00:48:54,787 record as the JAIC no longer reports 1307 00:48:54,787 --> 00:48:57,120 to me directly . They're close colleagues . 1308 00:48:57,120 --> 00:48:59,176 Um we work hand in glove with them , 1309 00:48:59,176 --> 00:49:01,342 but some of their specific initiatives 1310 00:49:01,342 --> 00:49:03,231 sir , I wouldn't feel comfortable 1311 00:49:03,231 --> 00:49:03,100 articulating . I would defer that to 1312 00:49:03,100 --> 00:49:05,433 General Groen and the JAIC leadership . 1313 00:49:05,433 --> 00:49:07,656 So I'd like to take that for the record 1314 00:49:07,656 --> 00:49:09,822 to give you an accurate answer back on 1315 00:49:09,822 --> 00:49:09,370 that sir . That's fine .
And then to 1316 00:49:09,370 --> 00:49:12,540 follow up on some A I I mentioned 1317 00:49:12,540 --> 00:49:16,170 earlier um if the I asked the D . O . D . C . I . O . 1318 00:49:16,170 --> 00:49:18,392 had perspective on whether or not we're 1319 00:49:18,392 --> 00:49:20,990 A I ready . The National uh Security 1320 00:49:20,990 --> 00:49:23,340 Commission on A . I . has a variety 1321 00:49:23,340 --> 00:49:27,280 of goals including to be A I ready by 2025 . 1322 00:49:27,290 --> 00:49:29,512 Do you think the department will be A I 1323 00:49:29,512 --> 00:49:31,500 ready by 2025 ? Yes sir . I think 1324 00:49:31,500 --> 00:49:33,444 holistically we're doing the right 1325 00:49:33,444 --> 00:49:35,800 things to be A I ready . We've , sir , 1326 00:49:35,810 --> 00:49:37,921 we've talked about cloud a little bit 1327 00:49:37,921 --> 00:49:40,600 here in terms of what we have for cloud 1328 00:49:40,600 --> 00:49:42,480 to host A . I . capabilities and 1329 00:49:42,480 --> 00:49:44,702 algorithms . The cybersecurity pieces I've 1330 00:49:44,702 --> 00:49:46,869 talked about with Zero Trust are going 1331 00:49:46,869 --> 00:49:48,536 to be critical for artificial 1332 00:49:48,536 --> 00:49:50,930 intelligence . I will come back to our 1333 00:49:50,940 --> 00:49:53,650 urgent and unmet need for an enterprise 1334 00:49:53,650 --> 00:49:56,010 wide cloud capability from headquarters 1335 00:49:56,010 --> 00:49:58,177 to the tactical edge . That's gonna be 1336 00:49:58,177 --> 00:50:00,399 important for A I . And it will go to what 1337 00:50:00,399 --> 00:50:02,510 Deputy Secretary Hicks announced last 1338 00:50:02,510 --> 00:50:04,121 week with the A I and data 1339 00:50:04,121 --> 00:50:06,010 accelerator initiative , or ADA as 1340 00:50:06,010 --> 00:50:08,177 we're calling it , to be able to work across 1341 00:50:08,177 --> 00:50:10,288 the combatant commands and unlock the 1342 00:50:10,288 --> 00:50:13,650 power of A I for the co .
Coms uh as 1343 00:50:13,650 --> 00:50:15,890 well using cloud based technology . So 1344 00:50:15,890 --> 00:50:17,834 I think we're leaning in the right 1345 00:50:17,834 --> 00:50:20,057 direction but we've got some work to do . 1346 00:50:20,057 --> 00:50:22,057 So on that , on that point though , 1347 00:50:22,057 --> 00:50:24,223 then who's responsible for , for lack of 1348 00:50:24,223 --> 00:50:27,140 a better term , educating the COCOMs 1349 00:50:27,150 --> 00:50:30,760 on the use of algorithms for the for 1350 00:50:30,760 --> 00:50:32,816 purposes they define ? I think this is 1351 00:50:32,816 --> 00:50:34,760 exactly the ADA initiative that 1352 00:50:34,760 --> 00:50:36,871 Deputy Secretary Hicks announced with 1353 00:50:36,871 --> 00:50:38,927 these AI teams that will be going to 1354 00:50:38,927 --> 00:50:41,149 the COCOMs as well as data teams , 1355 00:50:41,150 --> 00:50:43,530 O . D . T . s , operational data teams , 1356 00:50:43,540 --> 00:50:45,707 working together on both the data side 1357 00:50:45,707 --> 00:50:48,040 and the AI side starting at places like 1358 00:50:48,040 --> 00:50:50,670 NORTHCOM , INDOPACOM and so on , 1359 00:50:50,680 --> 00:50:52,970 getting in there with the users and the 1360 00:50:52,970 --> 00:50:55,490 various J-code staff and so on and 1361 00:50:55,490 --> 00:50:57,440 working on everything from the 1362 00:50:57,440 --> 00:50:59,773 algorithm development building on , say , 1363 00:50:59,773 --> 00:51:01,900 what Maven has done and also on the 1364 00:51:01,900 --> 00:51:04,360 data side , working on things like 1365 00:51:04,360 --> 00:51:06,740 Advana and what the data capabilities 1366 00:51:06,740 --> 00:51:08,851 are , merging that together . So 1367 00:51:08,860 --> 00:51:10,860 these teams that are coming out are 1368 00:51:10,860 --> 00:51:13,138 going to be a key accelerator for that , 1369 00:51:13,138 --> 00:51:15,950 sir .
Yeah , I might have missed it , 1370 00:51:15,960 --> 00:51:19,960 but maybe I didn't . Do you um do 1371 00:51:19,960 --> 00:51:22,120 you have an update or do you are you 1372 00:51:22,120 --> 00:51:25,410 directly involved with C . M . M . C . and uh 1373 00:51:25,420 --> 00:51:27,476 with the role cybersecurity plays 1374 00:51:27,476 --> 00:51:29,531 with these smaller suppliers , sir ? 1375 00:51:29,531 --> 00:51:31,720 Only in so far as I had one of my 1376 00:51:31,720 --> 00:51:33,998 senior executives participate in the C . 1377 00:51:33,998 --> 00:51:36,030 M . M . C . review , which was 1378 00:51:36,030 --> 00:51:38,390 conducted by A&S , as a subject matter 1379 00:51:38,390 --> 00:51:41,020 expert to contribute to that . And then 1380 00:51:41,030 --> 00:51:44,050 only as C . M . M . C . connects to our broader 1381 00:51:44,060 --> 00:51:46,620 defense industrial base security that 1382 00:51:46,620 --> 00:51:48,620 we're working through the strategic 1383 00:51:48,620 --> 00:51:50,731 cyber security program , but directly 1384 00:51:50,731 --> 00:51:52,898 no , sir . C . M . M . C . I'm aware of , 1385 00:51:52,898 --> 00:51:55,009 but not directly leading . You should 1386 00:51:55,009 --> 00:51:58,020 understand and we'll follow up um with 1387 00:51:58,020 --> 00:52:00,840 other folks on that . With that , Mr . I 1388 00:52:00,840 --> 00:52:03,300 will yield that . Thanks . Very good . 1389 00:52:03,300 --> 00:52:05,300 Thank you , Mr Carson . The ranking 1390 00:52:05,300 --> 00:52:07,522 member , Mr Franco , is now recognized . 1391 00:52:07,522 --> 00:52:09,578 Thank you , Mr Chairman . Two follow-on 1392 00:52:09,578 --> 00:52:12,070 questions . All the services who have 1393 00:52:12,070 --> 00:52:14,126 come before us have talked about the 1394 00:52:14,126 --> 00:52:16,237 need for more uh folks trained in the 1395 00:52:16,237 --> 00:52:18,403 area of cybersecurity . It's a hot job 1396 00:52:18,403 --> 00:52:20,626 market in the outside private sector .
1397 00:52:20,626 --> 00:52:22,681 What difficulties are you facing in 1398 00:52:22,681 --> 00:52:24,848 hiring individuals with the skill sets 1399 00:52:24,848 --> 00:52:26,903 you need ? And what are you doing to 1400 00:52:26,903 --> 00:52:28,903 address shortfalls sir ? I think 1401 00:52:28,903 --> 00:52:31,014 about this almost every day as I look 1402 00:52:31,014 --> 00:52:33,181 out my window over at Crystal City and 1403 00:52:33,181 --> 00:52:35,403 then as I walk out to my truck and look 1404 00:52:35,403 --> 00:52:37,570 over at Rosslyn and the number of our 1405 00:52:37,570 --> 00:52:39,348 private sector partners who are 1406 00:52:39,348 --> 00:52:41,348 competing for some of the very same 1407 00:52:41,348 --> 00:52:43,070 talent here . This gets to the 1408 00:52:43,070 --> 00:52:45,292 strategic , the cybersecurity workforce 1409 00:52:45,292 --> 00:52:47,514 strategy . I spoke about a minute ago . 1410 00:52:47,514 --> 00:52:49,626 We've got to come at this differently 1411 00:52:49,626 --> 00:52:51,737 here . We're using the Cyber Excepted 1412 00:52:51,737 --> 00:52:53,848 Service as mentioned to get talent in 1413 00:52:53,848 --> 00:52:56,040 here . We're using things like esa 1414 00:52:56,040 --> 00:52:58,020 educational programs to get to the 1415 00:52:58,020 --> 00:53:00,760 colleges and institutions . We have to 1416 00:53:00,760 --> 00:53:02,927 broaden the aperture on this . Sir , I 1417 00:53:02,927 --> 00:53:05,149 feel very strongly about this . This is 1418 00:53:05,149 --> 00:53:06,927 going to take a whole of nation 1419 00:53:06,927 --> 00:53:09,038 approach . We talk about diversity is 1420 00:53:09,038 --> 00:53:11,149 critical and I mean diversity and not 1421 00:53:11,149 --> 00:53:13,080 only race , gender , but also 1422 00:53:13,080 --> 00:53:15,400 geographic placement . 
We can't keep 1423 00:53:15,400 --> 00:53:17,567 going to the same wells and recruiting 1424 00:53:17,567 --> 00:53:19,733 in the same places . I want to broaden the 1425 00:53:19,733 --> 00:53:21,789 aperture of the sort of talent we can 1426 00:53:21,789 --> 00:53:23,956 bring in to the Department of Defense and 1427 00:53:23,956 --> 00:53:25,956 we may need to think differently to 1428 00:53:25,956 --> 00:53:28,067 working with our P & R colleagues 1429 00:53:28,067 --> 00:53:30,289 about . I'm not sure if we want to hire 1430 00:53:30,289 --> 00:53:32,511 a data scientist for 30 years maybe she 1431 00:53:32,511 --> 00:53:34,733 comes in for three or four years , gets 1432 00:53:34,733 --> 00:53:36,844 the skills , there gets the patriotic 1433 00:53:36,844 --> 00:53:39,011 duty for D . O . D . And return to the 1434 00:53:39,011 --> 00:53:41,122 private sector and then comes back to 1435 00:53:41,122 --> 00:53:43,067 us in some number of years . We're 1436 00:53:43,067 --> 00:53:42,560 gonna have to work with our colleagues 1437 00:53:42,560 --> 00:53:44,782 in intelligence and security on how we 1438 00:53:44,782 --> 00:53:46,893 work clearance issues with that . I'm 1439 00:53:46,893 --> 00:53:49,180 both excited by this but also daunted 1440 00:53:49,550 --> 00:53:51,717 because of the competitive environment 1441 00:53:51,717 --> 00:53:53,606 in which we live with our private 1442 00:53:53,606 --> 00:53:55,550 sector colleagues and the whole of 1443 00:53:55,550 --> 00:53:57,661 nation approach it's going to take to 1444 00:53:57,661 --> 00:53:59,828 stand up against our adversary , sir . 1445 00:54:00,640 --> 00:54:02,720 One last question . In the physical 1446 00:54:02,720 --> 00:54:04,960 domain , a commander would be held 1447 00:54:04,970 --> 00:54:07,890 accountable if he or she lost equipment 1448 00:54:07,890 --> 00:54:10,260 or mishandled it . 
To what extent do 1449 00:54:10,260 --> 00:54:12,038 you believe commanders are held 1450 00:54:12,038 --> 00:54:14,371 sufficiently accountable for not caring , 1451 00:54:14,371 --> 00:54:16,149 caring , caring for D . O . D . 1452 00:54:16,149 --> 00:54:18,316 Information and system in their care ? 1453 00:54:18,340 --> 00:54:20,730 So this is an evolving area that we've 1454 00:54:20,730 --> 00:54:22,786 talked about quite a bit part of the 1455 00:54:22,786 --> 00:54:24,786 issue and I felt passionately about 1456 00:54:24,786 --> 00:54:27,660 this myself . If you roll out of motor 1457 00:54:27,660 --> 00:54:29,660 pool without proper ammunition or 1458 00:54:29,660 --> 00:54:31,740 fuel on your fighting vehicle or off 1459 00:54:31,750 --> 00:54:34,028 pushing the ship off the dock etcetera , 1460 00:54:34,028 --> 00:54:36,139 you're held accountable for that part 1461 00:54:36,139 --> 00:54:38,270 of it has to get on how we can ensure 1462 00:54:38,270 --> 00:54:40,381 that there's instrumentation and that 1463 00:54:40,381 --> 00:54:43,000 the commanders and the ship drivers 1464 00:54:43,000 --> 00:54:45,167 and the maneuver commanders and others 1465 00:54:45,167 --> 00:54:47,333 know what is going on on their weapons 1466 00:54:47,333 --> 00:54:49,389 platform . So if there's going to be 1467 00:54:49,389 --> 00:54:51,611 accountability with this , we've got to 1468 00:54:51,611 --> 00:54:51,120 be able to monitor what's actually 1469 00:54:51,120 --> 00:54:53,287 going on there . And then what does it 1470 00:54:53,287 --> 00:54:55,453 mean in terms of readiness ? So that's 1471 00:54:55,453 --> 00:54:57,453 an evolving discussion we're having 1472 00:54:57,453 --> 00:54:59,676 again with our P & R colleagues on this , 1473 00:54:59,676 --> 00:55:01,842 about what does cyber accountability mean . 
1474 00:55:01,842 --> 00:55:04,064 But one key thing on this area that I'm 1475 00:55:04,064 --> 00:55:06,231 working to do and this is an area that 1476 00:55:06,231 --> 00:55:08,453 I want to inject with here with you all 1477 00:55:08,453 --> 00:55:10,509 on the legislative side and industry 1478 00:55:10,509 --> 00:55:12,509 partners and elsewhere we use terms 1479 00:55:12,509 --> 00:55:14,509 like cyber hygiene , which can make 1480 00:55:14,509 --> 00:55:16,731 people glaze over . Sir , I know you're 1481 00:55:16,731 --> 00:55:18,731 a former operator , sometimes cyber 1482 00:55:18,731 --> 00:55:20,676 hygiene . Might people go , well , 1483 00:55:20,676 --> 00:55:22,787 that's something for the C I O or the 1484 00:55:22,787 --> 00:55:24,953 six . The J six . I want to use a term 1485 00:55:24,953 --> 00:55:27,009 called cyber survivability . This is 1486 00:55:27,009 --> 00:55:28,898 something as a former Bradley guy 1487 00:55:28,898 --> 00:55:30,898 myself . This will get my attention 1488 00:55:30,898 --> 00:55:33,120 that if I'm gonna be taken down by this 1489 00:55:33,120 --> 00:55:35,231 by an adversary , we've got to change 1490 00:55:35,231 --> 00:55:37,342 how we think about cybersecurity . So 1491 00:55:37,342 --> 00:55:39,342 sir , these are the kinds of things 1492 00:55:39,342 --> 00:55:41,398 we're looking at . We need different 1493 00:55:41,398 --> 00:55:43,620 tools in our toolbox , working with P & R 1494 00:55:43,620 --> 00:55:43,320 and we have brought this up to our 1495 00:55:43,320 --> 00:55:45,487 leadership and we have some work to do 1496 00:55:45,487 --> 00:55:47,542 on it , sir . Thanks . And I agree . 1497 00:55:47,542 --> 00:55:49,209 You know , from , from a Navy 1498 00:55:49,209 --> 00:55:51,264 standpoint , it's just , it's always 1499 00:55:51,264 --> 00:55:51,030 been known that the captain is 1500 00:55:51,030 --> 00:55:53,252 ultimately responsible . Doesn't matter 1501 00:55:53,252 --> 00:55:55,252 here . 
She's on the bridge . If the 1502 00:55:55,252 --> 00:55:57,419 ship goes aground , you're relieved of 1503 00:55:57,419 --> 00:55:56,990 command . And at some point , I think 1504 00:55:56,990 --> 00:55:59,212 we're gonna have to understand that the 1505 00:55:59,212 --> 00:56:01,050 potential damage from cyber uh , 1506 00:56:01,060 --> 00:56:03,004 intrusions are going to be just as 1507 00:56:03,004 --> 00:56:04,782 serious as any of those . But I 1508 00:56:04,782 --> 00:56:06,949 appreciate your comments there . I 1509 00:56:06,949 --> 00:56:06,160 yield back , Mr Chairman . Yes , sir . 1510 00:56:07,530 --> 00:56:09,586 Very appropriate comments too , I would 1511 00:56:09,586 --> 00:56:13,390 say . Um um thank you . Uh Mr Franklin 1512 00:56:13,400 --> 00:56:15,850 and uh Ms Houlahan is now ready to 1513 00:56:15,860 --> 00:56:18,027 actually , before I go to Ms Houlahan , I 1514 00:56:18,027 --> 00:56:20,027 just want to remind members that as 1515 00:56:20,027 --> 00:56:21,971 soon as we adjourn here , we are 1516 00:56:21,971 --> 00:56:24,082 going to be going up to 2212 for the 1517 00:56:24,082 --> 00:56:26,840 classified uh portion of this uh 1518 00:56:26,840 --> 00:56:28,940 hearing , so I hope everyone can go up 1519 00:56:28,940 --> 00:56:31,051 there for the classified portion . With 1520 00:56:31,051 --> 00:56:33,273 that , Ms Houlahan is now recognized for 1521 00:56:33,273 --> 00:56:36,890 five minutes . Thank you . My last and 1522 00:56:36,890 --> 00:56:38,779 final question has to do with our 1523 00:56:38,779 --> 00:56:40,779 allies and I had the opportunity to 1524 00:56:40,779 --> 00:56:42,668 meet with several of our of their 1525 00:56:42,668 --> 00:56:44,723 defense attaches . 
They were talking 1526 00:56:44,723 --> 00:56:46,334 about how their nations have 1527 00:56:46,334 --> 00:56:48,334 implemented effective cybersecurity 1528 00:56:48,334 --> 00:56:50,557 protocols or at least what they believe 1529 00:56:50,557 --> 00:56:52,779 to be effective cybersecurity protocols 1530 00:56:52,779 --> 00:56:54,834 and managing potential cyber attacks 1531 00:56:54,834 --> 00:56:56,946 and intrusions . And in their opinion 1532 00:56:56,946 --> 00:56:59,057 that's sometimes better than the United 1533 00:56:59,057 --> 00:57:01,223 States . Has the D . O . D . sought to 1534 00:57:01,223 --> 00:57:03,001 work closely with our allies to 1535 00:57:03,001 --> 00:57:05,168 determine what cybersecurity practices 1536 00:57:05,168 --> 00:57:07,057 are working for other nations ? 1537 00:57:07,057 --> 00:57:09,223 Absolutely , ma'am , one of the things 1538 00:57:09,223 --> 00:57:11,168 I'm privileged to do is work , for 1539 00:57:11,168 --> 00:57:13,501 example , with our Five Eyes defense 1540 00:57:13,501 --> 00:57:15,723 C I Os . Matter of fact , just two weeks 1541 00:57:15,723 --> 00:57:17,612 ago we would have been meeting in 1542 00:57:17,612 --> 00:57:19,779 person , but for COVID , but we held a 1543 00:57:19,779 --> 00:57:22,520 multi day virtual conference going over 1544 00:57:22,520 --> 00:57:24,820 not only cybersecurity but how we can 1545 00:57:24,820 --> 00:57:27,190 work together to modernize . As I work 1546 00:57:27,190 --> 00:57:29,301 with my colleagues in the Five Eyes , 1547 00:57:29,301 --> 00:57:31,190 but other nations as well such as 1548 00:57:31,190 --> 00:57:33,023 Singapore . I had a meeting with 1549 00:57:33,023 --> 00:57:35,134 recently as we talk about things like 1550 00:57:35,134 --> 00:57:37,134 Zero Trust , there may be different 1551 00:57:37,134 --> 00:57:39,246 terminologies , but how do we segment 1552 00:57:39,246 --> 00:57:41,523 networks , how do we instrument things ? 
1553 00:57:41,523 --> 00:57:43,634 How do we train our workforce back to 1554 00:57:43,634 --> 00:57:45,801 the talent piece ? So yes , ma'am , we 1555 00:57:45,801 --> 00:57:48,023 have robust conversations and one thing 1556 00:57:48,023 --> 00:57:49,912 coming from the intelligence side 1557 00:57:49,912 --> 00:57:49,680 having the privilege to work with 1558 00:57:49,680 --> 00:57:52,060 allies for many years , um we in the 1559 00:57:52,060 --> 00:57:54,070 United States do a lot of things 1560 00:57:54,070 --> 00:57:56,292 right , but we have a lot to learn from 1561 00:57:56,292 --> 00:57:58,514 allies too and I value that highly . And 1562 00:57:58,514 --> 00:58:00,737 many of them are women and men who have 1563 00:58:00,737 --> 00:58:02,903 great experience in the private sector 1564 00:58:02,903 --> 00:58:05,126 before they went to their governments . 1565 00:58:05,126 --> 00:58:05,080 And so we do have very active 1566 00:58:05,080 --> 00:58:07,540 discussions on this area , ma'am . Has 1567 00:58:07,540 --> 00:58:09,596 there been discussion in the D . O . 1568 00:58:09,596 --> 00:58:11,818 D . or with our allies about developing a 1569 00:58:11,818 --> 00:58:13,762 formal , comprehensive approach to 1570 00:58:13,762 --> 00:58:15,429 cybersecurity or global cyber 1571 00:58:15,429 --> 00:58:17,970 infrastructure ? So some of this would 1572 00:58:17,970 --> 00:58:20,070 get into probably in terms of cyber 1573 00:58:20,070 --> 00:58:22,181 security , I don't think we've talked 1574 00:58:22,181 --> 00:58:24,530 formally about that . I would also have 1575 00:58:24,530 --> 00:58:26,641 to defer to General Nakasone through 1576 00:58:26,641 --> 00:58:28,863 CYBERCOM , some of those channels what 1577 00:58:28,863 --> 00:58:30,863 he may be setting up . So I'll take 1578 00:58:30,863 --> 00:58:33,086 that one for the record to make sure we 1579 00:58:33,086 --> 00:58:33,010 get your whole answer . But from the C . 1580 00:58:33,010 --> 00:58:35,640 I . 
O . Side we do have a lot of 1581 00:58:35,640 --> 00:58:37,880 engagements but maybe not quite to the 1582 00:58:37,880 --> 00:58:40,810 level of a formal structure that 1583 00:58:40,810 --> 00:58:42,866 you're getting at on that , ma'am . 1584 00:58:42,866 --> 00:58:44,740 Thanks . And my last question is 1585 00:58:44,740 --> 00:58:46,907 something that you talked about with a 1586 00:58:46,907 --> 00:58:50,040 kind of workforce coming in and out , 1587 00:58:50,050 --> 00:58:52,430 starting with you all as an example and 1588 00:58:52,430 --> 00:58:54,486 then going to the private sector and 1589 00:58:54,486 --> 00:58:56,652 then perhaps looping back around later 1590 00:58:56,652 --> 00:58:58,708 on mid career . And you talked about 1591 00:58:58,708 --> 00:59:00,819 something that is important , part of 1592 00:59:00,819 --> 00:59:02,763 that which is clearances . Can you 1593 00:59:02,763 --> 00:59:04,874 reflect for a little bit on what does 1594 00:59:04,874 --> 00:59:07,050 that mean ? How do I'm a person who 1595 00:59:07,050 --> 00:59:09,217 held a T . S . S . C . I . Clearance 1596 00:59:09,217 --> 00:59:11,383 decades ago . Came back around and now 1597 00:59:11,383 --> 00:59:13,272 I'm here again and we have a very 1598 00:59:13,272 --> 00:59:15,272 different process which we can talk 1599 00:59:15,272 --> 00:59:17,217 about later on how we re establish 1600 00:59:17,217 --> 00:59:19,328 those clearances here . But how would 1601 00:59:19,328 --> 00:59:19,230 that happen ? And is there anything 1602 00:59:19,240 --> 00:59:21,407 congressionally or federally that we can 1603 00:59:21,407 --> 00:59:23,740 be doing to make that easier for people ? 1604 00:59:24,020 --> 00:59:26,242 Ma'am ? I would really have to defer to 1605 00:59:26,242 --> 00:59:28,187 my colleagues in intelligence and 1606 00:59:28,187 --> 00:59:30,131 security and D . C . S . A . 
But I 1607 00:59:30,131 --> 00:59:32,353 would just flag as someone who's worked 1608 00:59:32,353 --> 00:59:34,576 in intelligence and now seeing the kind 1609 00:59:34,576 --> 00:59:36,687 of how this would work , we are going 1610 00:59:36,687 --> 00:59:38,909 to have to get our head around this as a 1611 00:59:38,909 --> 00:59:41,076 person leaves government service works 1612 00:59:41,076 --> 00:59:43,242 in a private sector academic setting . 1613 00:59:43,242 --> 00:59:45,409 They're necessarily gonna have foreign 1614 00:59:45,409 --> 00:59:47,409 contacts in a globalized and I know 1615 00:59:47,409 --> 00:59:49,520 you're well aware of this , ma'am . When 1616 00:59:49,520 --> 00:59:51,631 they come back let's say they want to 1617 00:59:51,631 --> 00:59:53,687 come back at a higher rank . Maybe a 1618 00:59:53,687 --> 00:59:53,450 slightly different role . We're going 1619 00:59:53,450 --> 00:59:55,672 to have to figure out how we don't make 1620 00:59:55,672 --> 00:59:59,310 them wait 12 , 18 plus months . 1621 00:59:59,320 --> 01:00:01,320 And so I think this is something we 1622 01:00:01,320 --> 01:00:03,431 need to look at it again on the cyber 1623 01:00:03,431 --> 01:00:05,598 workforce strategy . This is something 1624 01:00:05,598 --> 01:00:07,598 I want to start to put some markers 1625 01:00:07,598 --> 01:00:09,820 down as really firm requirements for us 1626 01:00:09,820 --> 01:00:12,042 to think differently , because the more 1627 01:00:12,042 --> 01:00:14,209 we reflect on this 30 year careers may 1628 01:00:14,209 --> 01:00:16,320 work for some . But as we look at the 1629 01:00:16,320 --> 01:00:18,376 digital and cyberspace , this is not 1630 01:00:18,376 --> 01:00:20,320 going to be best for us back to as 1631 01:00:20,320 --> 01:00:22,376 we're talking from a whole of nation 1632 01:00:22,376 --> 01:00:24,487 approach . 
So I don't know if we need 1633 01:00:24,487 --> 01:00:26,598 anything legislatively just yet , 1634 01:00:26,598 --> 01:00:28,598 but I think we need to get our head 1635 01:00:28,598 --> 01:00:28,150 around kind of what the steps of this 1636 01:00:28,150 --> 01:00:30,261 would look like , ma'am , thank you . 1637 01:00:30,261 --> 01:00:32,483 And with a final comment , I really was 1638 01:00:32,483 --> 01:00:34,428 interested in the ranking chair's 1639 01:00:34,428 --> 01:00:37,900 comments about um kind of how we 1640 01:00:37,900 --> 01:00:40,700 have responsibility to understand what 1641 01:00:40,710 --> 01:00:42,877 the liabilities are in the and frankly 1642 01:00:42,877 --> 01:00:45,043 the punishments are for people who are 1643 01:00:45,043 --> 01:00:47,290 in command and control of cyberspace , 1644 01:00:47,300 --> 01:00:49,578 so to speak . And I'm really intrigued . 1645 01:00:49,578 --> 01:00:51,633 And we look forward to learning more 1646 01:00:51,633 --> 01:00:53,744 about that with everybody on the 1647 01:00:53,744 --> 01:00:55,911 committee . Yes , ma'am and uh nothing 1648 01:00:55,911 --> 01:00:58,022 to add on that . But just recognizing 1649 01:00:58,022 --> 01:01:00,244 cyber accountability , maybe a new term 1650 01:01:00,244 --> 01:01:02,189 is something we definitely need to 1651 01:01:02,189 --> 01:01:04,300 consider the same as poor maintenance 1652 01:01:04,300 --> 01:01:06,580 or poor training before a unit pushes 1653 01:01:06,580 --> 01:01:08,858 out . So thank you , ma'am . Thank you . 1654 01:01:09,510 --> 01:01:11,330 Thank you again . Mr Moore is now 1655 01:01:11,330 --> 01:01:12,997 recognized for five minutes . 1656 01:01:17,810 --> 01:01:21,100 Mr Moore is still with us . Absolutely . 1657 01:01:21,110 --> 01:01:23,770 Um Okay , I'll hold there . I'm gonna 1658 01:01:23,780 --> 01:01:27,140 uh Ms Bice for five minutes . Thank you 1659 01:01:27,140 --> 01:01:29,084 Mr Chairman . 
And I actually wanna 1660 01:01:29,084 --> 01:01:30,862 really tack onto Representative 1661 01:01:30,862 --> 01:01:33,084 Houlahan's comments about the clearance 1662 01:01:33,084 --> 01:01:35,084 process . I think one of the things 1663 01:01:35,084 --> 01:01:37,251 that we've heard over and over is that 1664 01:01:37,251 --> 01:01:39,251 it's taking too long and sort of to 1665 01:01:39,251 --> 01:01:41,251 that point when we're talking about 1666 01:01:41,251 --> 01:01:43,473 recruitment , we often think of sort of 1667 01:01:43,473 --> 01:01:45,696 the high tech universities , maybe West 1668 01:01:45,696 --> 01:01:47,807 coast universities , the Stanfords of 1669 01:01:47,807 --> 01:01:50,029 the world to go recruit from ? What are 1670 01:01:50,029 --> 01:01:51,973 you all doing to really look at uh 1671 01:01:51,973 --> 01:01:54,084 other institutions of higher learning 1672 01:01:54,084 --> 01:01:56,029 that have a fantastic program that 1673 01:01:56,029 --> 01:01:58,029 maybe hadn't been thought of in the 1674 01:01:58,029 --> 01:01:59,973 past and I'll use uh a university in 1675 01:01:59,973 --> 01:02:01,862 Oklahoma . University of Tulsa has a 1676 01:02:01,862 --> 01:02:03,918 fantastic cyber program that they're 1677 01:02:03,918 --> 01:02:03,830 really doing some innovative work . And 1678 01:02:03,830 --> 01:02:05,830 how are you looking at this from a 1679 01:02:05,830 --> 01:02:08,052 workforce standpoint ? So I'll tell you 1680 01:02:08,052 --> 01:02:10,219 how we're looking from C . I . O . And 1681 01:02:10,219 --> 01:02:12,163 I think our P & R colleagues 1682 01:02:12,163 --> 01:02:14,108 could absolutely amplify this with 1683 01:02:14,108 --> 01:02:15,830 greater detail the N . S . A . 
1684 01:02:15,830 --> 01:02:18,052 Accreditation and I don't have the list 1685 01:02:18,052 --> 01:02:20,163 here in front of me of uh several 100 1686 01:02:20,163 --> 01:02:19,890 institutions , again from junior 1687 01:02:19,890 --> 01:02:21,946 colleges and I would have to look in 1688 01:02:21,946 --> 01:02:23,946 the state of Oklahoma , ma'am . But I know 1689 01:02:23,946 --> 01:02:26,168 there's several there to be able to and 1690 01:02:26,168 --> 01:02:28,223 and partner institutions together to 1691 01:02:28,223 --> 01:02:30,390 help bootstrap each other as some have 1692 01:02:30,390 --> 01:02:32,501 gotten the accreditation to get the , 1693 01:02:32,501 --> 01:02:34,557 get the students there . And this is 1694 01:02:34,557 --> 01:02:36,668 what I really feel strongly about . I 1695 01:02:36,668 --> 01:02:38,779 come from a rural area , myself award 1696 01:02:38,779 --> 01:02:41,001 Texas , you know , everywhere from 1697 01:02:41,001 --> 01:02:43,168 very rural areas to urban areas , from 1698 01:02:43,168 --> 01:02:45,223 mainland US to US territories . It's 1699 01:02:45,223 --> 01:02:47,850 gonna take us looking very broadly . So 1700 01:02:47,850 --> 01:02:50,017 to your point , I that's one thing I'm 1701 01:02:50,017 --> 01:02:52,183 trying to push the C . I . O . Through 1702 01:02:52,183 --> 01:02:54,239 this upcoming workforce strategy . I 1703 01:02:54,239 --> 01:02:56,239 will say , I believe recruitment has 1704 01:02:56,239 --> 01:02:58,294 expanded over the last several years 1705 01:02:58,294 --> 01:03:00,350 into these areas and the N . S . A . 
1706 01:03:00,350 --> 01:03:02,406 Accreditation that General Nakasone's 1707 01:03:02,406 --> 01:03:04,461 team leads has helped again everywhere from 1708 01:03:04,461 --> 01:03:06,572 two year junior colleges , up to four 1709 01:03:06,572 --> 01:03:09,760 year institutions , major Big 12 , Big 1710 01:03:09,760 --> 01:03:12,590 10 schools and SEC and so on all across 1711 01:03:12,590 --> 01:03:14,923 the nation , uh , to be able to do that . 1712 01:03:14,923 --> 01:03:16,979 So that's what we're trying to do to 1713 01:03:16,979 --> 01:03:19,090 broaden the aperture from , and , and 1714 01:03:19,090 --> 01:03:21,500 also maybe looking at , uh , we do have 1715 01:03:21,500 --> 01:03:23,611 a new tool , we're looking at kind of 1716 01:03:23,611 --> 01:03:25,556 matching talent to job positions , 1717 01:03:25,556 --> 01:03:28,010 looking more broadly beyond just the 1718 01:03:28,010 --> 01:03:29,990 degree they have , what types of 1719 01:03:29,990 --> 01:03:32,212 experiences they have to be able to get 1720 01:03:32,212 --> 01:03:34,379 folks in there . And this is of course 1721 01:03:34,379 --> 01:03:36,490 something the private sector , I know 1722 01:03:36,490 --> 01:03:36,340 you noted , Ma'am is looking very 1723 01:03:36,340 --> 01:03:38,780 carefully at too in terms of what 1724 01:03:38,780 --> 01:03:40,891 degree requirements someone really 1725 01:03:40,891 --> 01:03:42,891 needs to be a coder . How do we get 1726 01:03:42,891 --> 01:03:44,891 them in the door ? So those are the 1727 01:03:44,891 --> 01:03:47,058 kind of things . I'm again excited and 1728 01:03:47,058 --> 01:03:47,050 daunted , but I think if we get this 1729 01:03:47,050 --> 01:03:49,106 right , this is what's gonna give us 1730 01:03:49,106 --> 01:03:51,217 the advantage on the PRC and others . 1731 01:03:51,217 --> 01:03:53,217 We've got the talent out there . We 1732 01:03:53,217 --> 01:03:55,439 just got to get him in the door . 
It is 1733 01:03:55,439 --> 01:03:55,030 fantastic to hear you talk about that . 1734 01:03:55,030 --> 01:03:57,197 And Representative Houlahan and I sit on 1735 01:03:57,197 --> 01:03:59,419 a supply chain task force that has been 1736 01:03:59,419 --> 01:04:01,530 talking a lot about workforce and how 1737 01:04:01,530 --> 01:04:03,960 do we engage various uh you know , 1738 01:04:03,970 --> 01:04:06,570 young people in getting engaged in this 1739 01:04:06,570 --> 01:04:08,626 that may not be going to a four-year 1740 01:04:08,626 --> 01:04:10,792 college but still have the aptitude to 1741 01:04:10,792 --> 01:04:12,292 be able to engage in these 1742 01:04:12,292 --> 01:04:14,348 conversations . So I appreciate your 1743 01:04:14,348 --> 01:04:16,459 comments on that . Um if you can kind 1744 01:04:16,459 --> 01:04:18,514 of pivot for just a minute , can you 1745 01:04:18,514 --> 01:04:20,514 talk a little bit about how you are 1746 01:04:20,514 --> 01:04:22,459 coordinating with other government 1747 01:04:22,459 --> 01:04:24,570 agencies , CISA , for example , to 1748 01:04:24,570 --> 01:04:24,440 really look at a whole of government 1749 01:04:24,440 --> 01:04:27,340 approach in protecting our assets and 1750 01:04:27,390 --> 01:04:29,870 addressing cybersecurity issues . We've 1751 01:04:29,870 --> 01:04:32,092 seen all of these intrusions lately and 1752 01:04:32,092 --> 01:04:34,314 so it's not just D . O . D . That could 1753 01:04:34,314 --> 01:04:36,370 be impacted , but you have all these 1754 01:04:36,370 --> 01:04:38,426 other agencies that are also kind of 1755 01:04:38,426 --> 01:04:37,730 coordinating . Can you talk a little 1756 01:04:37,730 --> 01:04:39,952 bit about that ? Yes . 
Well there's the 1757 01:04:39,952 --> 01:04:41,952 interagency process , my friend and 1758 01:04:41,952 --> 01:04:44,063 colleague Anne Neuberger up at the NSC 1759 01:04:44,063 --> 01:04:46,286 as the deputy national security adviser 1760 01:04:46,286 --> 01:04:46,180 up there . And of course we have Mr 1761 01:04:46,180 --> 01:04:48,347 Inglis as the national Inglis is the 1762 01:04:48,347 --> 01:04:50,458 National Cyber Director through their 1763 01:04:50,458 --> 01:04:52,458 various forums through the National 1764 01:04:52,458 --> 01:04:54,624 Security Council and so on . We have , 1765 01:04:54,624 --> 01:04:56,569 you know , the new cyber executive 1766 01:04:56,569 --> 01:04:58,736 Order has been a good thing to help us 1767 01:04:58,736 --> 01:05:00,958 unify as a government on these things . 1768 01:05:00,958 --> 01:05:03,124 And of course there's other governance 1769 01:05:03,124 --> 01:05:05,236 fora , we have the federal C . I . O . 1770 01:05:05,236 --> 01:05:07,069 Has meetings as well as with the 1771 01:05:07,069 --> 01:05:09,520 federal CISO , so and also the kind of 1772 01:05:09,520 --> 01:05:12,650 informal networks we have with DHS CISA 1773 01:05:12,660 --> 01:05:15,030 with other agencies and of course with 1774 01:05:15,030 --> 01:05:17,086 where I come from , the intelligence 1775 01:05:17,086 --> 01:05:19,810 community governance bodies we have on 1776 01:05:19,810 --> 01:05:22,290 national security systems on things 1777 01:05:22,290 --> 01:05:24,690 like accreditation and looking at 1778 01:05:24,690 --> 01:05:27,030 policies and practices . So there's 1779 01:05:27,030 --> 01:05:29,490 quite a bit you noted CISA obviously 1780 01:05:29,490 --> 01:05:31,930 close work and as they have the dot 1781 01:05:31,930 --> 01:05:34,097 gov and and helping secure the federal 1782 01:05:34,097 --> 01:05:36,980 side . 
And then also we have what we're 1783 01:05:36,980 --> 01:05:38,647 doing through the Joint Force 1784 01:05:38,647 --> 01:05:40,702 Headquarters DODIN , J F H Q - DODIN , 1785 01:05:40,702 --> 01:05:42,869 that General Skinner leads has much 1786 01:05:42,869 --> 01:05:45,036 contact with them . So I think there's 1787 01:05:45,036 --> 01:05:47,258 robust dialogue back and forth and best 1788 01:05:47,258 --> 01:05:49,313 practices and I do have to say , the 1789 01:05:49,313 --> 01:05:51,540 cyber E O , and the focus that we have 1790 01:05:51,540 --> 01:05:53,429 there has helped us kind of unify 1791 01:05:53,429 --> 01:05:55,651 around some best practices , everything 1792 01:05:55,651 --> 01:05:57,900 from zero trust , supply chain to how 1793 01:05:57,900 --> 01:06:00,122 we're going to look at these problems , 1794 01:06:00,122 --> 01:06:02,289 ma'am . Thank you . Mr Chairman , I 1795 01:06:02,289 --> 01:06:04,370 yield back . Thank you , Ms . Bice . Uh 1796 01:06:04,380 --> 01:06:06,547 that concludes the member questions as 1797 01:06:06,547 --> 01:06:09,080 I understand it . Uh So with that uh 1798 01:06:09,090 --> 01:06:11,840 the subcommittee will recess uh and 1799 01:06:11,840 --> 01:06:13,951 that will immediately reconvene in 1800 01:06:13,951 --> 01:06:15,951 2212 for the classified portion of 1801 01:06:15,951 --> 01:06:18,062 this hearing . Uh Committee stands in 1802 01:06:18,062 --> 01:06:19,220 recess . Mhm .