Good morning. The Cyber committee meets this morning to receive testimony from DoD cyber security leaders on what the department is doing to substantially improve the cyber security at the enterprise level across the department and the defense industrial base. Our witnesses today are the Honorable John Sherman, the Chief Information Officer of the Department of Defense, and Lieutenant General Robert Skinner, who is the director of the Defense Information Systems Agency and the commander of the Joint Force Headquarters responsible for operating and defending the DoD Information Network, known as, uh, we welcome our witnesses in the committee and thank you for being here and, uh, and all the men and women that you represent in the services. Thank you so much. As we see every day in Putin's illegal war against Ukraine, cyber attacks are no longer a novel tactic in warfare. They are a primary tool for destabilizing both offenses and defenses on the battlefield and in advance of pre-planned attacks.
This is precisely why we are holding this hearing this morning: to ensure that our defensive capabilities and awareness on our networks are up to the same standard as our offensive cyber capabilities. Just as important as our internal defenses are the defenses and standards that protect our industrial base partners and the critical infrastructure that supports DoD's mobilization efforts. In addition to these two major concepts of internal and external defense, we hope to receive updates from our witnesses on the major initiatives that they've undertaken and participate in. And these include the Cybersecurity Maturity Model Certification program, the Cybersecurity Collaboration Center, the Locked Shields cyber defense exercise, the so-called zero trust cybersecurity architectural model, the perimeter defense system deployed at the gateways that connect DoD's internal networks to the global internet.
The decision to acquire a bundled set of cyber security tools and applications for the DoD enterprise from Microsoft and the revitalization of the Cyber Excepted Service as a means to improve the cyber workforce across the department. Both the Cybersecurity Maturity Model Certification program and the Cybersecurity Collaboration Center are crucial guidelines and resources for our private industry partners. I would ask Mr. Sherman to summarize the results of the Cybersecurity Maturity Model Certification reviews, uh, Deputy Secretary Hicks completed last February, to explain how the new direction will relieve the cost and implementation burden on many small businesses, as well as provide an update on the rulemaking process under way for the Defense Federal Acquisition Regulation. And while I'm aware that Cybersecurity Collaboration Center is a National Security Agency-led effort, I hope both of you are able to share how you interact with the program to protect our industrial base partners.
Just as important as these programs and resources are, we must adequately train in a whole-of-government manner to respond to cyber attacks in a red team versus blue team scenario. I would like our witnesses to expand on the importance of the Locked Shields cyber defense exercise, which pits teams of international allies up against NATO's experts at the Cooperative Cyber Defense Center of Excellence in Estonia to simulate these attacks on critical infrastructure across an entire week. I will also proudly note this exercise is coordinated and implemented annually by our expert personnel within the West Virginia National Guard Army Interagency Training and Education Center in Morgantown, West Virginia. The next exercise is scheduled to take place in April, and if any members or our staff would like to attend, uh, my office would be happy to coordinate that effort.
Additionally, the new zero trust security paradigm calls for reengineering our networks and security practices on the assumption that our networks have already been penetrated by adversaries, requiring that we constantly watch the behavior and validate the identity and access privileges of all users and devices on the network. NSA and, uh, DISA have developed a zero trust reference architecture for the department, which will require a lot of cooperation from the military departments and defense agencies to implement these changes consistently across the whole of the DoD, cooperation which historically has been notably absent.
Turning to DoD's perimeter defense capabilities, I would note that while the shift to the zero trust security paradigm reduces the importance and reliance on the castle wall mentality of cyber defense, it does not eliminate the requirements for automated systems that can detect and block most cyber threats at high speed and high volume at the major gateways that connect DoD's network to the global internet. It is therefore of concern to us to hear reports that NSA plans to cease support for the system currently performing this task before the department has developed and tested a replacement. Congress added funds to the DoD budget in fiscal year 2023 to begin operations for a modern replacement while conducting a demonstration to prove that the new system can function as planned. We will ask our witnesses to explain how we got in this situation where they feel confident that the solution in hand will be equal to the task.
Next, I would like to congratulate Mr. Sherman and his predecessor, Dana Deasy, for breathing new life into the Cyber Excepted Service program, which was designed by Congress to provide flexible hiring, promotion and pay authorities for the DoD to manage its civilian personnel engaged in cyber-related work roles. And we hope it's working. I would ask Mr. Sherman to explain how this program is now working and how we can help him to improve the system even further. Finally, I would note the DoD recently completed the posture review of the cyber mission and an update of the department's cyber strategy. I would ask our witnesses to summarize the conclusion of the posture review and indicate how that review and the revised strategy will drive changes in the department. I turn now to my friend, Senator Rounds, for his remarks.

Thank you, Senator Manchin. I most certainly appreciate the opportunity to participate in this, our first cybersecurity subcommittee hearing of the 118th Congress.
I'd also like to thank our witnesses for appearing at today's hearing and for their service to our country. The Department of Defense Information Network, also known as the DODIN, is a global conglomeration of thousands of information systems and networks that enable military operations across all warfighting domains. Millions of DoD military and civilian personnel rely upon the DODIN to share intelligence and access information capabilities that are critical to the national security of the United States. As the information infrastructure underpinning all DoD missions, the DODIN remains a top target for cyber attacks. Recent threat intelligence reports confirm that cyber threats from nation states and their surrogates will remain acute and that cyber criminals will expand their cyber operations against the United States to steal information, conduct influence operations and destroy our critical infrastructure.
This should serve as a stark reminder that our near-peer adversaries and competitors are intensifying their attempts to exploit any vulnerabilities within the DODIN to gain strategic military advantage and compromise the integrity and effectiveness of this capability for future missions. Today's hearing is an opportunity to discuss ongoing efforts to strengthen the cyber security of the DODIN across the enterprise, particularly as malicious cyber activities grow in number and sophistication. To deter and defend against threats in the cyber environment, I welcome the implementation of the zero trust architecture to help increase the visibility into network systems and reduce cyber risks. I look forward to discussing how the principles that embody zero trust framework, such as identity, credential and access management, are enhancing the department's ability to identify vulnerabilities, mitigate threats and strengthen the DODIN cyber posture.
Last year, this subcommittee learned about the promise and lethality of artificial intelligence and automated applications in the cyber domain. I hope our witnesses will discuss how the continued development of AI capabilities are informing our cyber security strategy and how we are preparing to defend the DODIN from our AI-capable adversaries. I also hope witnesses will address how AI and automated applications are being employed to monitor the threat environment, prioritize cyber risks and mitigate vulnerabilities throughout this complex network of information systems. Also critical to enhancing the security of the DODIN is strengthening the supply chain security of the defense industrial base, which provides essential components to the functionality of the DODIN.
I would appreciate the witnesses sharing their thoughts on how acquisition policies and strategies are keeping pace with the evolving cyber threat while promoting innovation and open competition. Of course, efforts to recruit and retain a pipeline of skilled cyber operators to manage the DODIN is foundational to its enduring security. I look forward to the witnesses discussing their efforts in this important area. Clearly, there is much to discuss today. Thank you again to our witnesses for appearing. Senator Manchin.

Thank you, Senator Rounds. And now I'm going to turn to the witnesses for your opening statements. Mr. Sherman.

Good morning, Chairman Manchin, Ranking Member Rounds and distinguished members of the subcommittee. I'm honored to have the chance to testify before you today on what we're doing in the Department of Defense to modernize our technology and protect our networks and data in an increasingly complex cyber environment.
I'm privileged to appear today with Lieutenant General Bob Skinner, who both heads the Defense Information Systems Agency and serves as commander of the Joint Force Headquarters, Department of Defense Information Network. We work together every day to ensure the DoD enterprise is ready for both today and tomorrow's missions, especially those that might involve our pacing challenge of the People's Republic of China. My job as DoD Chief Information Officer is to set the overall strategies, conduct oversight, promulgate policies and lead governance. And Lieutenant General Skinner's role is to lead and ensure the operational and technical execution. Our teaming on this point is hard to overestimate. Given this close partnership, you will hear today how we work, how our work dovetails on every aspect of our modernization efforts. We have made great strides to posture the department for peer and near-peer competitors.
Notably, our teams work together, excuse me, pages are sticking, work together toward the Joint Warfighting Cloud Capability contract in December. At last, the department has access to enterprise cloud capabilities from four world-class US vendors at all three security classification levels, from the continental United States to the tactical edge, which can mean an island in the Western Pacific, key terrain in eastern Europe or even a ship at sea. This enterprise cloud is critical for joint all-domain command and control, the development of cutting-edge artificial intelligence and machine learning initiatives, software modernization and strengthened cyber security.
And it is this emphasis on cyber security that also drives so much of what we do as we shift away from dated perimeter-based approaches to a new paradigm, as noted, called zero trust, which is predicated on the assumption that an adversary might already be on our network and we must prevent them from moving laterally and gaining access to our most critical data. In October, we released a flagship strategy on zero trust, which has become a North Star document for not only the Department of Defense but indeed other parts of the federal government, and Lieutenant General Skinner and his team are providing key capabilities for this new approach through an effort they call Project Thunderdome. We've committed to implementing zero trust across the DoD by 2027, which is an ambitious yet critical milestone given the geopolitical threats we face. These modern threats demand that we maintain a relentless focus on eliminating technical debt.
All of our systems, be they for weapons, enterprise IT, command and control, business systems or defense critical infrastructure, must be equipped with the most modern cyber defenses that can stand up to savvy and determined state and non-state actors. As we've seen in Ukraine, today's battlefields are increasingly digital and connected, with all the opportunities and vulnerabilities that environment presents. Nation-state challengers will present threats like we've not seen since the Cold War, if not more severe, and we must ensure all our systems, networks and data are ready. This includes working closely with our defense industrial base, which remains a target for cyber exploitation and attack. We must ensure that companies and other entities handling sensitive information are doing so properly and accountably, albeit with an approach that does not present overly cumbersome or stifling requirements, especially to small and medium businesses.
Additionally, and most importantly, we never forget that the best technology in the world means nothing without a trained, motivated and diverse workforce. We recently released a cyber workforce strategy that will continue to drive us to new and more effective approaches to how we identify, recruit, retain and upskill our cyber and digital personnel, all the while emphasizing our drive to have a workforce that might not be seeking a 30-year career, uh, government career and which looks like America. We are determined to get this right, and we know that our nation's talent and innovation is something that our authoritarian competitors will never be able to match. Finally, I wish to thank the subcommittee for your strong and continued support, which has been critical to all of our modernization efforts. And I look forward to your questions. Thank you.

Thank you, sir. And now to General Skinner.

Good morning, Chairman Manchin, Ranking Member Rounds and distinguished members of the subcommittee.
I am honored to represent the approximately 19,000 personnel of the Defense Information Systems Agency and the Joint Force Headquarters, Department of Defense Information Networks. I'm also honored to sit alongside one of my two bosses and key ally in the campaign to modernize, secure and defend the department's networks, systems and data, the Honorable John Sherman. The tight relationship between him and my other boss, General Paul Nakasone, is critical in driving the department to unparalleled cyber security heights. Every day that we come to work, we are focused on ensuring the joint force is postured, ready to compete and have the velocity of action to win against our pacing challenge, the People's Republic of China, as well as any other nation or group that desires to harm us or our allies.
Through that lens, we continue to leverage lessons learned from the conflict in Ukraine, global cyber events and the great work of our intelligence professionals to strengthen our digital technologies, the agility of our maneuver forces and the partnerships with allies, industry, research and academia. Driven by this focus, we have made great strides along many fronts over the last year. In December, we awarded the new Joint Warfighting Cloud Capability contract, which will provide us with enterprise cloud capability at all three security classification levels, from the continental United States to the tactical edge. We just awarded the first task order last week and many others are working through the process. Additionally, we've initiated pilots to enable outside the continental United States cloud access, leveraging both commercial as well as government solutions inside our overseas data centers to help facilitate the rapid adoption of cloud.
We've deployed several accelerators which streamline the cloud adoption process from a normal 45-day timeline to within hours or minutes. This is helping to accelerate our pace to the cloud to improve our overall user experience while also increasing our cyber security. As Honorable Sherman highlighted, we've made great strides on our zero trust journey. As DoD released the zero trust strategy, we had already started our Thunderdome initiative, which brings modern and commercial zero trust technologies to the department. We recently completed our successful prototype and are working with Honorable Sherman's team on the acquisition strategy and expansion of these capabilities across the enterprise. As we combine Thunderdome with our endpoint security strategy, comply-to-connect capabilities and host of others, we are on pace to meet the department's aggressive zero trust milestones.
A 472 00:16:42,469 --> 00:16:44,580 foundational element of zero trust is 473 00:16:44,580 --> 00:16:46,489 identity credential and access 474 00:16:46,500 --> 00:16:48,722 management , which provides the ability 475 00:16:48,722 --> 00:16:50,833 to accurately identify that a user is 476 00:16:50,833 --> 00:16:52,778 actually who they say they are and 477 00:16:52,778 --> 00:16:55,000 limits access to only those assets that 478 00:16:55,000 --> 00:16:57,167 they have been authorized to use . Our 479 00:16:57,167 --> 00:16:59,056 enterprise capabilities are fully 480 00:16:59,056 --> 00:17:01,222 operational and already supporting 200 481 00:17:01,222 --> 00:17:03,278 plus unclassified applications while 482 00:17:03,278 --> 00:17:03,090 delivering new capabilities monthly . 483 00:17:03,710 --> 00:17:05,932 We are also continuing to work with our 484 00:17:05,932 --> 00:17:08,043 mission partners to ensure federation 485 00:17:08,043 --> 00:17:10,210 and interoperability at all levels . A 486 00:17:10,210 --> 00:17:11,988 final area to highlight are the 487 00:17:11,988 --> 00:17:11,640 initiatives we've undertaken to 488 00:17:11,650 --> 00:17:13,594 strengthen our command and control 489 00:17:13,594 --> 00:17:15,706 capabilities . We've made significant 490 00:17:15,706 --> 00:17:17,594 investment in nuclear command and 491 00:17:17,594 --> 00:17:19,706 control , communications , continuity 492 00:17:19,706 --> 00:17:21,539 of operations and special access 493 00:17:21,539 --> 00:17:23,761 program improvements . Just last week , 494 00:17:23,761 --> 00:17:25,817 we decommissioned our legacy special 495 00:17:25,817 --> 00:17:28,094 access network at over 70 global sites . 
496 00:17:28,500 --> 00:17:30,556 These are just a few of the examples 497 00:17:30,556 --> 00:17:32,722 that our innovative spirit is tackling 498 00:17:32,722 --> 00:17:34,833 our toughest challenges and providing 499 00:17:34,833 --> 00:17:36,944 the department and the war fighter in 500 00:17:36,944 --> 00:17:38,778 it advantages . While we've made 501 00:17:38,778 --> 00:17:40,889 significant strides , our work is not 502 00:17:40,889 --> 00:17:43,111 done . Our success will ultimately come 503 00:17:43,111 --> 00:17:45,222 down to our people and partnerships . 504 00:17:45,222 --> 00:17:47,278 As the department has released a new 505 00:17:47,278 --> 00:17:49,500 cyber workforce strategy , we have also 506 00:17:49,500 --> 00:17:51,778 released our workforce 2025 initiative . 507 00:17:51,778 --> 00:17:51,729 We've laid out a plan to aggressively 508 00:17:51,739 --> 00:17:53,906 and creatively recruit in places we've 509 00:17:53,906 --> 00:17:55,850 not recruited previously . We will 510 00:17:55,850 --> 00:17:57,961 personally and professionally develop 511 00:17:57,961 --> 00:17:59,961 our next generation forces and find 512 00:17:59,961 --> 00:18:02,183 innovative ways to retain the top notch 513 00:18:02,183 --> 00:18:04,295 talent . We will continue to foster a 514 00:18:04,295 --> 00:18:04,229 culture of diverse and critical 515 00:18:04,239 --> 00:18:06,660 thinking , continuous improvement and 516 00:18:06,670 --> 00:18:08,729 accountability . We will also not be 517 00:18:08,739 --> 00:18:10,350 successful without increased 518 00:18:10,350 --> 00:18:12,572 partnerships . Thanks to your support , 519 00:18:12,572 --> 00:18:14,406 we are in the middle of planning 520 00:18:14,406 --> 00:18:16,461 exercise Locked Shields , which is a 521 00:18:16,461 --> 00:18:18,572 multinational cyber security exercise 522 00:18:18,572 --> 00:18:20,572 to share best practices and improve 523 00:18:20,572 --> 00:18:22,850 daily connectivity with our key allies . 
524 00:18:22,850 --> 00:18:24,628 Finally , our overall readiness 525 00:18:24,628 --> 00:18:26,683 increased resilience and war fighter 526 00:18:26,683 --> 00:18:28,739 success relies on the strong support 527 00:18:28,739 --> 00:18:30,961 that this subcommittee has provided for 528 00:18:30,961 --> 00:18:32,961 many years . I am grateful for your 529 00:18:32,961 --> 00:18:34,795 support and look forward to your 530 00:18:34,795 --> 00:18:36,906 questions . Thank you and both of you 531 00:18:36,906 --> 00:18:36,569 for your opening statements . And now 532 00:18:36,579 --> 00:18:38,690 we'll start with our questions . I'll 533 00:18:38,690 --> 00:18:40,801 begin and go right over to Senator uh 534 00:18:40,801 --> 00:18:43,135 Mike Rounds . Uh First General Skinner , 535 00:18:43,135 --> 00:18:45,412 as I mentioned in my opening statement , 536 00:18:45,412 --> 00:18:45,089 we have to train for scenarios where 537 00:18:45,099 --> 00:18:47,420 we're preparing uh for across the whole 538 00:18:47,430 --> 00:18:49,041 of our federal government in 539 00:18:49,041 --> 00:18:51,041 coordination with state , local and 540 00:18:51,041 --> 00:18:53,041 industry partners . Uh That's why I 541 00:18:53,041 --> 00:18:55,219 provided $2 million in appropriations 542 00:18:55,229 --> 00:18:57,599 last year for this exercise to ensure 543 00:18:57,609 --> 00:18:59,387 that we have the infrastructure 544 00:18:59,387 --> 00:19:01,220 manpower to not only continue to 545 00:19:01,220 --> 00:19:03,276 participate but also to win in these 546 00:19:03,276 --> 00:19:05,387 exercises . You might want to comment 547 00:19:05,387 --> 00:19:07,498 on that how we've been able to fare , 548 00:19:07,498 --> 00:19:09,280 but I've uh been impressed with 549 00:19:09,290 --> 00:19:12,160 Locked Shields exercise for this very 550 00:19:12,170 --> 00:19:14,270 purpose . 
But has the exercise been 551 00:19:14,280 --> 00:19:16,391 meeting your expectations or what you 552 00:19:16,391 --> 00:19:18,949 thought it could be ? Senator ? The 553 00:19:18,959 --> 00:19:20,903 exercise is definitely meeting our 554 00:19:20,903 --> 00:19:22,903 expectations . Um The way we really 555 00:19:22,903 --> 00:19:24,848 sharpen our swords and sharpen our 556 00:19:24,848 --> 00:19:26,903 ability and our tactics , techniques 557 00:19:26,903 --> 00:19:28,903 and procedures is through exercises 558 00:19:28,903 --> 00:19:30,903 like this , not only with our guard 559 00:19:30,903 --> 00:19:33,040 forces that are a key part of our 560 00:19:33,050 --> 00:19:35,050 overall posture , but also with our 561 00:19:35,050 --> 00:19:37,170 allies and partners . The best way to 562 00:19:37,180 --> 00:19:39,402 learn is to learn through these type of 563 00:19:39,402 --> 00:19:40,958 exercises and these type of 564 00:19:40,958 --> 00:19:42,958 capabilities , which is really very 565 00:19:42,958 --> 00:19:45,420 realistic scenarios to really sharpen 566 00:19:45,430 --> 00:19:47,486 our swords , as I mentioned and also 567 00:19:47,486 --> 00:19:49,541 make sure that our teams are working 568 00:19:49,541 --> 00:19:51,263 together because as we look at 569 00:19:51,263 --> 00:19:53,208 potential conflict and or crisis , 570 00:19:53,459 --> 00:19:55,626 we're not gonna do that alone . And so 571 00:19:55,626 --> 00:19:57,792 having our allies and partners next to 572 00:19:57,792 --> 00:19:59,792 us next to us and having our guards 573 00:19:59,792 --> 00:20:01,626 personnel as part of that , that 574 00:20:01,626 --> 00:20:03,792 overall team is very important . 
How , 575 00:20:03,792 --> 00:20:06,015 how can , how can we do a better job of 576 00:20:06,015 --> 00:20:07,903 coordinating these participations 577 00:20:07,903 --> 00:20:10,015 across all lines of government as far 578 00:20:10,015 --> 00:20:12,126 as what we're responsible for and the 579 00:20:12,126 --> 00:20:14,015 private sector to bring them into 580 00:20:14,439 --> 00:20:17,060 Senator . Um , we're , I think working 581 00:20:17,069 --> 00:20:20,560 through CIA and working through them to 582 00:20:20,569 --> 00:20:22,847 get down to the state and local levels , 583 00:20:22,847 --> 00:20:25,069 I think is the key key area that we can 584 00:20:25,069 --> 00:20:27,402 continue to leverage , um , to get more , 585 00:20:27,402 --> 00:20:27,099 more participation . Can we do it with 586 00:20:27,109 --> 00:20:29,276 what we have now ? Is it going to take 587 00:20:29,276 --> 00:20:31,165 more , uh , is it gonna take more 588 00:20:31,165 --> 00:20:33,387 finances or do we have the ability to , 589 00:20:33,387 --> 00:20:35,553 to be flexible enough to get that done 590 00:20:35,553 --> 00:20:37,665 now under the current ? So , uh I , I 591 00:20:37,665 --> 00:20:39,942 think there's a lot of flexibility and , 592 00:20:39,942 --> 00:20:39,670 and we will continue to do to leverage 593 00:20:39,680 --> 00:20:41,902 the things that you , you have given us 594 00:20:41,902 --> 00:20:44,124 too . We want you to make sure that you 595 00:20:44,124 --> 00:20:43,500 move as fast as you can get , as 596 00:20:43,510 --> 00:20:45,454 quickly as far as the results that 597 00:20:45,454 --> 00:20:47,399 we're gonna be needing there to be 598 00:20:47,399 --> 00:20:49,510 prepared . Mr Sherman . I'm sure that 599 00:20:49,510 --> 00:20:51,177 you're aware of the practical 600 00:20:51,177 --> 00:20:50,930 implementation of the artificial 601 00:20:50,939 --> 00:20:53,250 intelligence . Probably more than most . 
602 00:20:53,560 --> 00:20:55,782 Uh it , it's a top priority for ranking 603 00:20:55,782 --> 00:20:57,910 member rounds and myself , we've been 604 00:20:57,920 --> 00:21:00,087 speaking about that and learning a lot 605 00:21:00,087 --> 00:21:02,087 more about that . Uh I'm saving the 606 00:21:02,087 --> 00:21:04,253 majority of my questions on this topic 607 00:21:04,253 --> 00:21:06,420 for our next hearing , focusing solely 608 00:21:06,420 --> 00:21:08,476 on A I . Uh And there's no doubt the 609 00:21:08,476 --> 00:21:10,989 benefits of A I could bring to both uh 610 00:21:11,000 --> 00:21:13,167 yours and general skinner's job in the 611 00:21:13,167 --> 00:21:15,056 department I think is coming very 612 00:21:15,056 --> 00:21:17,222 rapidly . Uh My question would be what 613 00:21:17,222 --> 00:21:20,640 tangible A I application do you believe 614 00:21:20,650 --> 00:21:23,250 has been most successful ? Which one 615 00:21:23,900 --> 00:21:26,011 sir ? If I had to judge and our Chief 616 00:21:26,011 --> 00:21:28,067 Digital and A I officer is truly our 617 00:21:28,067 --> 00:21:30,289 lead . I empower him through what we're 618 00:21:30,289 --> 00:21:32,178 doing on cloud cyber security and 619 00:21:32,178 --> 00:21:34,380 transport . But one I'll take out or , 620 00:21:34,390 --> 00:21:36,612 or highlight here is what we've done on 621 00:21:36,612 --> 00:21:38,946 preventative maintenance on helicopters , 622 00:21:38,946 --> 00:21:40,890 for example , using A I out of the 623 00:21:40,890 --> 00:21:43,112 tactical edge there to help our special 624 00:21:43,112 --> 00:21:45,219 operators on Black Hawk helicopter 625 00:21:45,229 --> 00:21:47,451 maintenance using A I . 
And that's been 626 00:21:47,451 --> 00:21:49,673 one of many examples , Senator , but as 627 00:21:49,673 --> 00:21:51,618 a former army officer , I'm pretty 628 00:21:51,618 --> 00:21:53,729 impressed with that one and not doing 629 00:21:53,729 --> 00:21:52,959 preventative maintenance checks and 630 00:21:52,969 --> 00:21:54,913 services like we've done in the 19 631 00:21:54,913 --> 00:21:56,913 nineties or somewhere earlier . But 632 00:21:56,913 --> 00:21:59,025 using A I to allow our maintainers to 633 00:21:59,025 --> 00:22:01,080 get ahead of what they need to do to 634 00:22:01,080 --> 00:22:03,247 keep our helicopters as far as savings 635 00:22:03,247 --> 00:22:05,302 when and using A I on , on that . So 636 00:22:05,302 --> 00:22:07,469 I'd have to take that for the record , 637 00:22:07,469 --> 00:22:07,422 but I know it has been well used by 638 00:22:07,432 --> 00:22:09,432 special operation . Let us know the 639 00:22:09,432 --> 00:22:11,543 savings and we can show that we could 640 00:22:11,543 --> 00:22:13,543 be moving A I and many other arenas 641 00:22:13,543 --> 00:22:15,599 other than just that would be very , 642 00:22:15,599 --> 00:22:17,765 very helpful , sir . Also , uh how can 643 00:22:17,765 --> 00:22:19,988 we do a better job on the committee and 644 00:22:19,988 --> 00:22:22,210 on preparations which I'm also a member 645 00:22:22,210 --> 00:22:24,432 of to organize dod s wealth of data and 646 00:22:24,432 --> 00:22:24,042 put it to use with A I . Are you 647 00:22:24,052 --> 00:22:26,219 getting all the input you need ? Yes , 648 00:22:26,219 --> 00:22:28,385 sir . We're getting the input . 
And as 649 00:22:28,385 --> 00:22:30,496 my colleague , Doctor Martel , the CD 650 00:22:30,496 --> 00:22:32,552 has noted this is where the pick and 651 00:22:32,552 --> 00:22:34,330 shovel work comes in for A I is 652 00:22:34,330 --> 00:22:36,219 organizing our data exposing it , 653 00:22:36,219 --> 00:22:38,330 creating API S or application product 654 00:22:38,330 --> 00:22:40,330 interfaces where we can get to that 655 00:22:40,330 --> 00:22:42,330 data where it rests , not trying to 656 00:22:42,330 --> 00:22:44,385 bring it all together in one place . 657 00:22:44,385 --> 00:22:46,552 And very importantly , sir , you noted 658 00:22:46,552 --> 00:22:48,496 in your opening remarks about zero 659 00:22:48,496 --> 00:22:50,552 trust is really about protecting our 660 00:22:50,552 --> 00:22:52,774 data , which is what we're really doing 661 00:22:52,774 --> 00:22:51,686 here . It's not just protecting the 662 00:22:51,696 --> 00:22:53,752 systems but making sure that data is 663 00:22:53,752 --> 00:22:55,585 secure , so we can have accurate 664 00:22:55,585 --> 00:22:57,752 algorithms for all the use cases we'll 665 00:22:57,752 --> 00:22:59,974 need , sir . I have further questions , 666 00:22:59,974 --> 00:23:02,085 but I'll turn to Senator rounds now . 667 00:23:02,085 --> 00:23:04,085 Thank you , Mr Chairman . Um Let me 668 00:23:04,085 --> 00:23:06,196 begin just with General skinner . How 669 00:23:06,196 --> 00:23:07,974 is the department measuring its 670 00:23:07,974 --> 00:23:10,196 progress to secure the do ? And I guess 671 00:23:10,196 --> 00:23:12,307 what I'm really asking is , is what , 672 00:23:12,307 --> 00:23:14,252 what metrics are being used by the 673 00:23:14,252 --> 00:23:16,307 department to assess the strength or 674 00:23:16,307 --> 00:23:18,196 weaknesses within the Dough Cyber 675 00:23:18,196 --> 00:23:20,140 Posture Center . 
We have a host of 676 00:23:20,140 --> 00:23:22,363 metrics that we're using on a day , day 677 00:23:22,363 --> 00:23:24,307 basis to give you just a couple of 678 00:23:24,307 --> 00:23:26,140 examples . We have command cyber 679 00:23:26,140 --> 00:23:28,196 inspections that go out and assess a 680 00:23:28,196 --> 00:23:30,307 base post camper station's ability to 681 00:23:30,307 --> 00:23:32,363 perform their , their cyber security 682 00:23:32,363 --> 00:23:32,170 mission . And we actually give them a 683 00:23:32,180 --> 00:23:34,402 grade at each of those and then we wrap 684 00:23:34,402 --> 00:23:36,458 all those up to look at a holistic , 685 00:23:36,458 --> 00:23:38,402 look at , at the department at our 686 00:23:38,402 --> 00:23:40,458 boundaries and , and , and , and our 687 00:23:40,458 --> 00:23:42,291 perimeter . Uh We , we are using 688 00:23:42,291 --> 00:23:44,579 artificial intelligence um to look to 689 00:23:44,890 --> 00:23:46,779 determine where we have potential 690 00:23:46,779 --> 00:23:48,890 malware in , in zero day malware . Um 691 00:23:48,890 --> 00:23:51,380 And as we continue to highlight those , 692 00:23:51,390 --> 00:23:53,612 we're , we're tracking how much of that 693 00:23:53,612 --> 00:23:55,446 is actually occurring . Um We're 694 00:23:55,446 --> 00:23:57,612 working with the defense defense Cyber 695 00:23:57,612 --> 00:23:59,612 Crime Center , um and they're using 696 00:23:59,612 --> 00:24:01,410 white hackers to test our , our 697 00:24:01,420 --> 00:24:03,420 boundary and we're , we're treating 698 00:24:03,420 --> 00:24:05,642 that as part of our , our metrics . And 699 00:24:05,642 --> 00:24:07,698 then the final area I would offer is 700 00:24:07,698 --> 00:24:09,864 we're scanning on a day to day basis . 701 00:24:09,864 --> 00:24:12,142 The vulnerabilities of our front doors . 
702 00:24:12,142 --> 00:24:14,309 Um And we're , we're loading that into 703 00:24:14,309 --> 00:24:13,849 our performance metrics to see what , 704 00:24:13,859 --> 00:24:16,081 what the trends are and , and where the 705 00:24:16,081 --> 00:24:18,192 Artificial intelligence and our , and 706 00:24:18,192 --> 00:24:17,829 our perimeter defenses are working . 707 00:24:18,829 --> 00:24:21,051 Leads me right in my next question . Um 708 00:24:21,051 --> 00:24:23,107 Once again , for General skinner , I 709 00:24:23,107 --> 00:24:25,273 understand that the NSA is planning to 710 00:24:25,273 --> 00:24:27,440 phase out a system that contributes to 711 00:24:27,440 --> 00:24:29,329 the security of the dos perimeter 712 00:24:29,329 --> 00:24:31,849 defenses . How is this a preparing to 713 00:24:31,859 --> 00:24:34,819 defend the dos perimeter defenses ? If 714 00:24:34,829 --> 00:24:36,996 or when the NSA Cyber security systems 715 00:24:36,996 --> 00:24:39,229 are retired senator , we have an 716 00:24:39,239 --> 00:24:41,406 amazing relationship with the national 717 00:24:41,406 --> 00:24:43,517 security agency and , and we are , we 718 00:24:43,517 --> 00:24:45,628 continue to partner at the defense to 719 00:24:45,628 --> 00:24:47,683 make sure that uh that we're working 720 00:24:47,683 --> 00:24:49,795 together in protecting and securing . 721 00:24:49,795 --> 00:24:51,795 Um as the has stood up and as Cyber 722 00:24:51,795 --> 00:24:53,906 Command has stood up , we continue to 723 00:24:53,906 --> 00:24:56,017 evaluate the things that NSA is doing 724 00:24:56,017 --> 00:24:58,128 and the things that the department is 725 00:24:58,128 --> 00:25:00,017 doing and , and where it actually 726 00:25:00,017 --> 00:25:02,183 belongs . And we have conditions based 727 00:25:02,183 --> 00:25:04,183 approach as we move uh capabilities 728 00:25:04,183 --> 00:25:06,072 from the NSA to the Department of 729 00:25:06,072 --> 00:25:08,239 Defense . 
And one thing that I want to 730 00:25:08,239 --> 00:25:10,239 thank you for is um we have a pilot 731 00:25:10,239 --> 00:25:12,406 ongoing for full protect , full packet 732 00:25:12,406 --> 00:25:14,517 inspection of our , of our boundary . 733 00:25:14,517 --> 00:25:16,683 We just started that pilot , we put on 734 00:25:16,683 --> 00:25:18,795 contract in March and within the next 735 00:25:18,795 --> 00:25:18,729 six months , we're gonna determine if 736 00:25:18,739 --> 00:25:21,739 the capability meets what the marketing 737 00:25:21,750 --> 00:25:23,861 says as well as is it , is it , is it 738 00:25:23,861 --> 00:25:25,917 scalable and that's gonna be another 739 00:25:25,917 --> 00:25:27,972 addition to the capabilities that we 740 00:25:27,972 --> 00:25:30,194 have at our boundary . So you do have a 741 00:25:30,194 --> 00:25:32,028 plan in place so that as the N A 742 00:25:32,028 --> 00:25:34,028 product is removed , you have other 743 00:25:34,028 --> 00:25:36,083 products to replace them in a timely 744 00:25:36,083 --> 00:25:37,917 fashion without any holes in the 745 00:25:37,917 --> 00:25:41,060 coverages . Yes , sir . Ok , 746 00:25:41,630 --> 00:25:43,741 Mr Sherman . Some of the services are 747 00:25:43,741 --> 00:25:46,219 piloting , bring your own device 748 00:25:46,229 --> 00:25:49,000 programs uh which allow service members 749 00:25:49,010 --> 00:25:51,640 to connect their personal I T devices 750 00:25:51,650 --> 00:25:54,160 to the . How is the department 751 00:25:54,170 --> 00:25:56,500 confirming harmful applications and 752 00:25:56,510 --> 00:25:59,250 malware from personal devices are not 753 00:25:59,260 --> 00:26:02,239 inadvertently being introduced to the 754 00:26:02,250 --> 00:26:05,400 do sir ? Does bring your own approved 755 00:26:05,410 --> 00:26:07,577 device pilots that are going on across 756 00:26:07,577 --> 00:26:09,410 all the military services in the 757 00:26:09,410 --> 00:26:11,577 National Guard Bureau . 
We assess this 758 00:26:11,577 --> 00:26:13,743 through our Chief Information Security 759 00:26:13,743 --> 00:26:15,854 Officer and also working with General 760 00:26:15,854 --> 00:26:17,410 Skinner and the Joint force 761 00:26:17,410 --> 00:26:19,354 headquarters do to end the service 762 00:26:19,354 --> 00:26:21,243 cyber elements to make sure we're 763 00:26:21,243 --> 00:26:23,021 monitoring each of these pilots 764 00:26:23,021 --> 00:26:25,132 carefully . And right now , all these 765 00:26:25,132 --> 00:26:27,354 under under exceptions for policy given 766 00:26:27,354 --> 00:26:29,577 their pilots right now as we assess the 767 00:26:29,577 --> 00:26:31,354 different offerings from , from 768 00:26:31,354 --> 00:26:33,466 Microsoft and others on what may work 769 00:26:33,466 --> 00:26:35,688 best . But watching this closely and as 770 00:26:35,688 --> 00:26:37,743 we we allow other capabilities , for 771 00:26:37,743 --> 00:26:40,215 example , allowing documents and so on 772 00:26:40,225 --> 00:26:42,058 to be worked on there , allowing 773 00:26:42,058 --> 00:26:44,515 mission use but also not opening the 774 00:26:44,526 --> 00:26:46,693 door where there could be some sort of 775 00:26:46,693 --> 00:26:48,859 malicious capability or something else 776 00:26:48,859 --> 00:26:51,385 to come into the through the B Y O D 777 00:26:51,395 --> 00:26:53,228 capability . So we're rigorously 778 00:26:53,228 --> 00:26:55,117 watching this through our Council 779 00:26:55,312 --> 00:26:57,479 service , cyber elements and others to 780 00:26:57,479 --> 00:26:59,479 make sure that these pilot programs 781 00:26:59,479 --> 00:27:01,756 which are pretty constrained right now , 782 00:27:01,756 --> 00:27:01,582 still in the thousands of people , but 783 00:27:01,592 --> 00:27:03,802 not all across the services that we 784 00:27:03,812 --> 00:27:05,868 make decisions on how we're going to 785 00:27:05,868 --> 00:27:07,812 scale this out . 
And we know , for 786 00:27:07,812 --> 00:27:09,923 example , it's very important for the 787 00:27:09,923 --> 00:27:11,979 National Guard Bureau on a number of 788 00:27:11,979 --> 00:27:11,722 these things . How can we do this to be 789 00:27:11,732 --> 00:27:14,251 mission effective ? But cyber safe sir , 790 00:27:16,010 --> 00:27:18,010 General Skinner , I understand that 791 00:27:18,010 --> 00:27:19,843 there is a significant amount of 792 00:27:19,843 --> 00:27:21,899 automation within this ecosystem and 793 00:27:21,899 --> 00:27:24,229 you've alluded to that already . How 794 00:27:24,239 --> 00:27:26,350 are those capabilities being extended 795 00:27:26,350 --> 00:27:30,089 across the do enterprise ? How , how , 796 00:27:30,099 --> 00:27:32,266 how are you working it through ? Is it 797 00:27:32,266 --> 00:27:34,432 a time frame issue ? Is it a a package 798 00:27:34,432 --> 00:27:36,321 by package ? Is it , what's the , 799 00:27:36,321 --> 00:27:39,099 what's the sequence ? Yes , sir . As we 800 00:27:39,109 --> 00:27:41,276 develop these capabilities , we either 801 00:27:41,276 --> 00:27:43,442 put , put them in a library for others 802 00:27:43,442 --> 00:27:45,498 to be able to access them or we , we 803 00:27:45,498 --> 00:27:47,665 put it on a SharePoint site , but we , 804 00:27:47,665 --> 00:27:49,720 we , we enable it . Um and we have a 805 00:27:49,720 --> 00:27:51,665 catalog of these different capable 806 00:27:51,665 --> 00:27:53,665 abilities that any organization can 807 00:27:53,665 --> 00:27:55,720 leverage . As an example . 
We have a 808 00:27:55,720 --> 00:27:57,609 bunch of templates that we use as 809 00:27:57,609 --> 00:27:59,553 infrastructure as code that , that 810 00:27:59,553 --> 00:27:59,255 enables individuals to get to the cloud 811 00:27:59,265 --> 00:28:01,321 faster and , and those templates are 812 00:28:01,321 --> 00:28:03,265 available to anyone to use , which 813 00:28:03,265 --> 00:28:05,209 increases their time to get to the 814 00:28:05,209 --> 00:28:07,265 cloud and improve their security and 815 00:28:07,265 --> 00:28:09,487 performance . Thank you , sir . My time 816 00:28:09,487 --> 00:28:11,376 has expired . Thank you , Senator 817 00:28:11,376 --> 00:28:13,579 Senator Budd . Thank you , Chairman . 818 00:28:14,180 --> 00:28:16,236 And again , thank you all , both for 819 00:28:16,236 --> 00:28:18,347 being here . It was great to meet you 820 00:28:18,347 --> 00:28:17,829 all earlier . I appreciate your work 821 00:28:17,839 --> 00:28:20,219 and your service . Um So I'm interested 822 00:28:20,229 --> 00:28:23,189 in uh a Thunderdome prototype . Um the 823 00:28:23,199 --> 00:28:25,421 pilot program that recently concluded . 824 00:28:25,479 --> 00:28:27,701 Uh Can you give me a general skinner an 825 00:28:27,701 --> 00:28:31,369 update um on that ? And uh let me know 826 00:28:31,380 --> 00:28:34,010 if it met all original requirements . 827 00:28:35,180 --> 00:28:37,219 Senator , yes , it , it met all the 828 00:28:37,229 --> 00:28:39,451 original requirements . Uh We call that 829 00:28:39,451 --> 00:28:41,340 pro prototype a success and we're 830 00:28:41,340 --> 00:28:43,396 working with a Sherman's team on the 831 00:28:43,396 --> 00:28:45,562 acquisition strategy to expand this uh 832 00:28:45,562 --> 00:28:47,618 through uh to the enterprise . Could 833 00:28:47,618 --> 00:28:49,840 you in this setting ? Share kind of top 834 00:28:49,840 --> 00:28:52,062 line ? What those original requirements 835 00:28:52,062 --> 00:28:54,173 were ? 
Yes , the , the , the original 836 00:28:54,173 --> 00:28:56,285 requirements were a as we look at the 837 00:28:56,285 --> 00:28:58,562 zero trust , the seven pillars of , of , 838 00:28:58,562 --> 00:29:00,673 of zero trust . OK . There were three 839 00:29:00,673 --> 00:29:00,439 or four of those pillars that we wanna 840 00:29:00,449 --> 00:29:02,616 make sure that we were meeting from uh 841 00:29:02,616 --> 00:29:05,119 both from an identity standpoint um as 842 00:29:05,130 --> 00:29:07,380 well as the capabilities that you have 843 00:29:07,390 --> 00:29:09,750 at the perimeter . I'll say the the new 844 00:29:09,760 --> 00:29:12,630 perimeter as we continue to um change 845 00:29:12,640 --> 00:29:14,862 the , the the boundary as , as the zero 846 00:29:14,862 --> 00:29:16,918 trust principles . Um Do we have the 847 00:29:16,918 --> 00:29:19,140 right segmentation and the ability to , 848 00:29:19,140 --> 00:29:21,251 to segment so that if you know , just 849 00:29:21,251 --> 00:29:23,418 as in a house , if a burger is in your 850 00:29:23,418 --> 00:29:23,229 house , part of the zero trust 851 00:29:23,390 --> 00:29:25,829 methodology is , is that you limit them 852 00:29:25,989 --> 00:29:28,100 to go from , from room to room and to 853 00:29:28,100 --> 00:29:30,267 be able to micro segment that was part 854 00:29:30,267 --> 00:29:32,378 of the the requirements . Thank you . 855 00:29:32,378 --> 00:29:34,267 How quickly can that prototype be 856 00:29:34,267 --> 00:29:35,359 scaled beyond Isa 857 00:29:38,209 --> 00:29:40,569 Center ? I'm hoping within months as we , 858 00:29:40,579 --> 00:29:42,412 as we work through , through the 859 00:29:42,412 --> 00:29:44,523 acquisition process and , and we work 860 00:29:44,523 --> 00:29:46,635 through , but we've already , we have 861 00:29:46,635 --> 00:29:49,439 about 1600 individuals who are , are 862 00:29:49,449 --> 00:29:51,560 part of the pilot . 
And as soon as we 863 00:29:51,560 --> 00:29:53,727 get through the acquisition strategy , 864 00:29:53,727 --> 00:29:55,838 um working with our vendors and , and 865 00:29:55,838 --> 00:29:58,060 the commercial companies we wanna scale 866 00:29:58,060 --> 00:30:00,829 fast . Ok . Does the um fiscal year 24 867 00:30:00,839 --> 00:30:03,290 budget ? Does it provide just uh enough 868 00:30:03,300 --> 00:30:05,380 resources to do the scaling that you 869 00:30:05,390 --> 00:30:08,660 hope to do ? Yes , sir . Uh Within the 870 00:30:08,670 --> 00:30:11,030 Department Zero Trust is a significant 871 00:30:11,040 --> 00:30:13,262 investment that department is making um 872 00:30:13,262 --> 00:30:16,949 in the fiscal year 24 budget . Um 873 00:30:17,729 --> 00:30:19,951 Could you tell the committee an idea of 874 00:30:19,951 --> 00:30:22,118 the total attack surface across the uh 875 00:30:22,118 --> 00:30:24,949 dod information network and is just a 876 00:30:24,959 --> 00:30:27,229 assessing commercial capabilities to 877 00:30:27,239 --> 00:30:30,469 actively secure access points . Senator , 878 00:30:30,479 --> 00:30:33,069 as I talk in other open forums , the 879 00:30:33,079 --> 00:30:34,968 Department of Defense Information 880 00:30:34,968 --> 00:30:36,968 Network attack surface is the third 881 00:30:36,968 --> 00:30:39,135 largest in the world behind the United 882 00:30:39,135 --> 00:30:41,190 States and , and China when you talk 883 00:30:41,190 --> 00:30:43,523 about uh address space . And so it is a , 884 00:30:43,523 --> 00:30:45,135 a significant place uh a , a 885 00:30:45,135 --> 00:30:47,680 significant um sphere . 
Um We are 886 00:30:47,689 --> 00:30:49,911 continually upgrading our abilities and 887 00:30:49,911 --> 00:30:52,133 capabilities at the boundary to , to um 888 00:30:52,133 --> 00:30:53,967 to protect and secure as well as 889 00:30:53,967 --> 00:30:55,745 continually scanning uh the the 890 00:30:55,745 --> 00:30:57,911 boundary from the outside to make sure 891 00:30:57,911 --> 00:30:59,967 that what an adversary may see um is 892 00:30:59,967 --> 00:31:02,189 what we'll see before them and , and we 893 00:31:02,189 --> 00:31:04,245 can uh shore that up . You mentioned 894 00:31:04,245 --> 00:31:06,356 China , there's other adversaries out 895 00:31:06,356 --> 00:31:08,411 there . Um What's your assessment of 896 00:31:08,411 --> 00:31:10,300 the current level of effort our 897 00:31:10,300 --> 00:31:12,522 adversaries have devoted to penetrating 898 00:31:12,522 --> 00:31:14,689 uh defense industrial base networks ? 899 00:31:16,020 --> 00:31:18,131 Senator I , I , I think their , their 900 00:31:18,131 --> 00:31:20,242 effort is very high . Uh Some of them 901 00:31:20,242 --> 00:31:22,298 see the defense industrial base as a 902 00:31:22,298 --> 00:31:24,520 soft underbelly and that's why our work 903 00:31:24,520 --> 00:31:26,520 with CMMC and our work day to day 904 00:31:26,520 --> 00:31:28,298 with our defense industrial base 905 00:31:28,298 --> 00:31:30,131 partners is critical . Um moving 906 00:31:30,131 --> 00:31:32,242 forward . Uh because that's where the 907 00:31:32,242 --> 00:31:34,298 adversary is , is really targeting . 908 00:31:34,298 --> 00:31:36,409 And when they target those networks , 909 00:31:36,409 --> 00:31:36,030 what do you see as their aim ? Is it 910 00:31:36,040 --> 00:31:38,130 intellectual property ? Is it other 911 00:31:38,140 --> 00:31:40,196 purposes ? What do you usually see ? 912 00:31:40,209 --> 00:31:42,431 Senator ? 
I think as you said , I think 913 00:31:42,431 --> 00:31:44,765 it's intellectual property , but also I , 914 00:31:44,765 --> 00:31:44,640 I think they're looking for a way to go 915 00:31:44,650 --> 00:31:46,594 upstream if there's any connection 916 00:31:46,594 --> 00:31:48,650 between that defense industrial base 917 00:31:48,650 --> 00:31:50,594 and the Department of Defense . Uh 918 00:31:50,594 --> 00:31:52,761 they're looking for an upstream uh way 919 00:31:52,761 --> 00:31:54,872 also . Thank you . Uh What additional 920 00:31:54,872 --> 00:31:57,039 risk management and oversight measures 921 00:31:57,039 --> 00:31:59,206 might be needed to improve information 922 00:31:59,206 --> 00:32:01,372 security uh for the department and for 923 00:32:01,372 --> 00:32:03,594 its those private partners that we just 924 00:32:03,594 --> 00:32:03,329 talked about and particularly the 925 00:32:03,339 --> 00:32:05,561 smaller businesses that are part of the 926 00:32:05,561 --> 00:32:08,140 network . So I , I , I , I , I think a 927 00:32:08,150 --> 00:32:10,229 continuing uh our continuing 928 00:32:10,239 --> 00:32:12,780 partnership uh as we work with them to , 929 00:32:12,790 --> 00:32:14,846 to understand their , the the threat 930 00:32:14,846 --> 00:32:17,109 vector and what their security posture 931 00:32:17,119 --> 00:32:19,175 is , I think is first and foremost , 932 00:32:19,175 --> 00:32:21,397 because in order to protect you have to 933 00:32:21,397 --> 00:32:23,563 understand and so the ability for them 934 00:32:23,563 --> 00:32:25,786 to sense and see what their environment 935 00:32:25,786 --> 00:32:25,099 is , I think is the most important 936 00:32:25,109 --> 00:32:27,220 thing that we can continue to do as a 937 00:32:27,220 --> 00:32:29,387 partner . Very good . Thank you both . 938 00:32:29,387 --> 00:32:31,553 Chair , you back . Thank you , Senator 939 00:32:31,553 --> 00:32:33,387 Senator Schmidt . 
Thank you , Mr 940 00:32:33,387 --> 00:32:35,053 Chairman . Great to be on the 941 00:32:35,053 --> 00:32:38,140 subcommittee . Um uh Mr Sherman , I , I 942 00:32:38,150 --> 00:32:39,761 know that you've got uh some 943 00:32:39,761 --> 00:32:41,928 connections with , with previously NGA 944 00:32:41,928 --> 00:32:43,983 and Saint Louis , of course , is the 945 00:32:43,983 --> 00:32:46,206 home of the NGA West . We're very proud 946 00:32:46,206 --> 00:32:48,372 of that . Um And uh Lieutenant General 947 00:32:48,372 --> 00:32:50,900 Skinner Park University , right ? So 948 00:32:51,359 --> 00:32:53,692 anyway , some connections there , I did , 949 00:32:53,692 --> 00:32:55,526 I wanted to ask just a couple of 950 00:32:55,526 --> 00:32:57,637 questions . One . Um you know , we've 951 00:32:57,637 --> 00:33:00,880 been talking a lot about um the rising 952 00:33:00,890 --> 00:33:04,380 or pacing threat of China and it 953 00:33:04,390 --> 00:33:08,069 seems um pretty obvious that uh 954 00:33:09,160 --> 00:33:13,130 one of the first potential um conflict 955 00:33:13,140 --> 00:33:15,029 could certainly happen in Cyber . 956 00:33:15,029 --> 00:33:17,196 That's maybe the most likely , right ? 957 00:33:17,290 --> 00:33:20,729 Um And we've got what you all are doing . 958 00:33:20,739 --> 00:33:23,510 We've got um assets in the United 959 00:33:23,520 --> 00:33:26,829 States that um you know , control water 960 00:33:26,839 --> 00:33:29,849 supply energy . Ho how , how do you 961 00:33:29,859 --> 00:33:32,260 guys approach this because , you know , 962 00:33:32,270 --> 00:33:34,381 you wouldn't want to have a situation 963 00:33:34,381 --> 00:33:36,548 where you're looking backwards and say 964 00:33:36,548 --> 00:33:38,437 everybody's siloed off because if 965 00:33:38,437 --> 00:33:40,714 something were gonna happen and affect , 966 00:33:40,714 --> 00:33:40,199 you know , how the American people view 967 00:33:40,209 --> 00:33:42,153 something . 
You know , I know when 968 00:33:42,160 --> 00:33:44,319 there's a prediction of 3" of snow in 969 00:33:44,329 --> 00:33:46,551 Saint Louis , there's like a bread line 970 00:33:46,551 --> 00:33:48,607 at the grocery store , right ? So we 971 00:33:48,607 --> 00:33:50,885 need , need to be ready for this . How , 972 00:33:50,885 --> 00:33:52,996 how would you guys assess where we're 973 00:33:52,996 --> 00:33:52,229 at with that kind of cooperation and 974 00:33:52,239 --> 00:33:54,406 coordination with the private sector ? 975 00:33:54,459 --> 00:33:56,570 I , so there's the defense industrial 976 00:33:56,570 --> 00:33:58,459 base piece we were chatting about 977 00:33:58,459 --> 00:34:00,626 earlier . But to your point , sir , if 978 00:34:00,626 --> 00:34:02,792 the PRC or another nation state actor 979 00:34:02,792 --> 00:34:04,848 were to attack us holistically , our 980 00:34:04,848 --> 00:34:06,848 coordination with the Department of 981 00:34:06,848 --> 00:34:08,848 Homeland Security and CISA under Jen 982 00:34:08,848 --> 00:34:11,070 Easterly , with whom we work closely to 983 00:34:11,070 --> 00:34:13,181 make sure there's no seams as we look 984 00:34:13,181 --> 00:34:14,959 at things like defense critical 985 00:34:14,959 --> 00:34:16,848 infrastructure which provides the 986 00:34:16,848 --> 00:34:18,903 support on our bases , installations 987 00:34:18,903 --> 00:34:20,959 and posts as you mentioned for water 988 00:34:20,959 --> 00:34:23,070 power and so on .
But many of those , 989 00:34:23,070 --> 00:34:25,237 those things are off our installations 990 00:34:25,237 --> 00:34:27,403 in the local cities , towns , counties 991 00:34:27,403 --> 00:34:29,459 and making sure as we work with DHS 992 00:34:29,459 --> 00:34:31,403 that if there were to be any cyber 993 00:34:31,403 --> 00:34:31,118 attacks or anything like that through 994 00:34:31,128 --> 00:34:33,350 the governance that DHS has that we're 995 00:34:33,350 --> 00:34:35,572 working seamlessly and we do this quite 996 00:34:35,572 --> 00:34:37,906 a bit and we work through , for example , 997 00:34:37,906 --> 00:34:40,239 dod policy as an interlocutor with DHS . 998 00:34:40,239 --> 00:34:42,461 So there's and working with command and 999 00:34:42,461 --> 00:34:44,919 with General Skinner's JFHQ-DODIN hat 1000 00:34:44,929 --> 00:34:47,610 on , we work to make sure there's few 1001 00:34:47,620 --> 00:34:49,342 seams as possible on this and 1002 00:34:49,342 --> 00:34:51,398 realizing the Chinese or anyone else 1003 00:34:51,398 --> 00:34:53,287 are not going to see boundaries . 1004 00:34:53,287 --> 00:34:55,342 They're gonna come at us as a nation 1005 00:34:55,342 --> 00:34:57,564 and making sure that we're able to make 1006 00:34:57,564 --> 00:34:59,787 sure we can flow forces as necessary to 1007 00:34:59,787 --> 00:35:01,731 the West Coast . Our installations 1008 00:35:01,731 --> 00:35:03,842 aren't brought down , we can have all 1009 00:35:03,842 --> 00:35:03,439 the data we need . And so we do look at 1010 00:35:03,449 --> 00:35:05,282 this pretty holistically , sir .
1011 00:35:06,239 --> 00:35:08,350 Senator , I would add , I my previous 1012 00:35:08,350 --> 00:35:10,510 position as six , I was acutely aware 1013 00:35:10,540 --> 00:35:13,669 of the commercial power , commercial 1014 00:35:13,679 --> 00:35:15,790 water and the effects that that would 1015 00:35:15,790 --> 00:35:17,735 have on our ability to perform our 1016 00:35:17,735 --> 00:35:19,957 mission . And so we worked hand in hand 1017 00:35:19,957 --> 00:35:19,149 with , as honorable Sherman said with , 1018 00:35:19,159 --> 00:35:22,090 with and making sure as a as an example , 1019 00:35:22,100 --> 00:35:24,211 we have day to day discussions from a 1020 00:35:24,211 --> 00:35:26,433 joint force headquarters standpoint and 1021 00:35:26,433 --> 00:35:28,600 and a sharing lessons learned , seeing 1022 00:35:28,600 --> 00:35:30,711 what threats that they're seeing , uh 1023 00:35:30,711 --> 00:35:32,711 what threats that we're seeing . So 1024 00:35:32,711 --> 00:35:32,350 we're all on the same page and 1025 00:35:32,360 --> 00:35:35,229 understanding because every base , 1026 00:35:35,239 --> 00:35:37,639 post , camp or station relies on the 1027 00:35:37,649 --> 00:35:40,330 commercial sector to provide critical 1028 00:35:40,340 --> 00:35:42,300 capabilities because from a cyber 1029 00:35:42,310 --> 00:35:44,254 domain standpoint , you can't have 1030 00:35:44,254 --> 00:35:46,421 cyber without power . Um and that that 1031 00:35:46,421 --> 00:35:48,588 is a critical portion that we are hand 1032 00:35:48,588 --> 00:35:48,030 in hand and making sure that we all 1033 00:35:48,040 --> 00:35:50,262 have a good understanding , not only of 1034 00:35:50,262 --> 00:35:52,373 the threat , but what's their , their 1035 00:35:52,373 --> 00:35:54,484 security posture because they have to 1036 00:35:54,484 --> 00:35:56,707 be just as cyber secure as we are .
And 1037 00:35:56,707 --> 00:35:58,651 obviously on cyber like so much of 1038 00:35:58,651 --> 00:36:00,707 what's what we need to do to prepare 1039 00:36:00,707 --> 00:36:02,429 innovation plays a very , very 1040 00:36:02,429 --> 00:36:04,484 important role . How comfortable are 1041 00:36:04,484 --> 00:36:08,020 both of you with , um , the , uh , the 1042 00:36:08,030 --> 00:36:11,449 breadth or diversity of the uh of , of 1043 00:36:11,459 --> 00:36:13,979 those contractors that are gonna 1044 00:36:13,989 --> 00:36:16,020 provide sort of next generation 1045 00:36:16,520 --> 00:36:18,750 technology because one of the dangers 1046 00:36:18,760 --> 00:36:20,939 sometimes is everything , you know , 1047 00:36:20,949 --> 00:36:23,399 there's , there's one contractor , a 1048 00:36:23,409 --> 00:36:25,631 prime or something that dominates and , 1049 00:36:25,631 --> 00:36:27,353 and it crowds out some of that 1050 00:36:27,353 --> 00:36:29,353 innovation . Where do you guys feel 1051 00:36:29,353 --> 00:36:31,520 we're at with that ? I think this is a 1052 00:36:31,520 --> 00:36:33,576 robust market and this is a national 1053 00:36:33,576 --> 00:36:35,520 advantage for us across our entire 1054 00:36:35,520 --> 00:36:38,449 cyber industry ecosystem here , whether 1055 00:36:38,459 --> 00:36:40,403 we're looking at our end points of 1056 00:36:40,403 --> 00:36:42,237 Department of Defense , but also 1057 00:36:42,237 --> 00:36:44,292 operational technology , internet of 1058 00:36:44,292 --> 00:36:46,626 things , et cetera .
And then of course , 1059 00:36:46,626 --> 00:36:48,515 as you noted a minute ago , sir , 1060 00:36:48,515 --> 00:36:50,515 working with the civilian sector on 1061 00:36:50,515 --> 00:36:52,737 that , I think we have a rich ecosystem 1062 00:36:52,737 --> 00:36:52,560 we have and I'll say this not only on 1063 00:36:52,570 --> 00:36:54,403 cyber security but cloud service 1064 00:36:54,403 --> 00:36:56,626 providers and others , we have the best 1065 00:36:56,626 --> 00:36:58,792 in the world and I'll put them all day 1066 00:36:58,792 --> 00:37:00,737 long up against whatever China and 1067 00:37:00,737 --> 00:37:00,540 Russia can bring to the fight . And our 1068 00:37:00,550 --> 00:37:02,717 job is to make sure we're applying the 1069 00:37:02,717 --> 00:37:04,510 best services and best , best 1070 00:37:04,520 --> 00:37:06,687 capabilities against where it's needed 1071 00:37:06,687 --> 00:37:08,853 on our cyber terrain in the Department 1072 00:37:08,853 --> 00:37:11,076 of Defense . But I feel confident about 1073 00:37:11,076 --> 00:37:13,076 this , sir , General Skinner , I don't 1074 00:37:13,076 --> 00:37:12,659 know if you want to add to that . Senator , 1075 00:37:12,669 --> 00:37:14,780 I think that the innovative spirit of 1076 00:37:14,780 --> 00:37:17,002 the American public is alive and well , 1077 00:37:17,002 --> 00:37:19,225 the innovative spirit of the Department 1078 00:37:19,225 --> 00:37:19,120 of Defense is alive and well , and I 1079 00:37:19,129 --> 00:37:21,250 think together we are , we are ready 1080 00:37:21,260 --> 00:37:23,427 and we will continue to stay ready and 1081 00:37:23,427 --> 00:37:25,482 we are the best in the world . We'll 1082 00:37:25,482 --> 00:37:27,816 send that demand signal out . Thank you , 1083 00:37:27,816 --> 00:37:30,149 Mr Chairman . Um This will be to both 1084 00:37:30,159 --> 00:37:32,159 of you .
I'll start with uh General 1085 00:37:32,159 --> 00:37:34,159 Skinner first . Zero trust principles 1086 00:37:34,159 --> 00:37:35,937 include segmenting networks and 1087 00:37:35,937 --> 00:37:38,103 resources uh within an enterprise in a 1088 00:37:38,103 --> 00:37:39,992 logical and consistent manner and 1089 00:37:39,992 --> 00:37:42,320 enforcing access and policy controls at 1090 00:37:42,330 --> 00:37:44,469 segment and resource boundaries . The 1091 00:37:44,479 --> 00:37:46,870 first Cyber comm commander General 1092 00:37:46,879 --> 00:37:49,469 Alexander famously claimed that the DoD 1093 00:37:49,629 --> 00:37:51,840 has not one network , but rather than 1094 00:37:51,850 --> 00:37:54,989 more than 15,000 separate networks 1095 00:37:55,000 --> 00:37:57,449 loosely coupled together . Uh Do you 1096 00:37:57,459 --> 00:37:59,348 agree that DoD's networks are not 1097 00:37:59,348 --> 00:38:03,169 currently rationally segmented ? And as 1098 00:38:03,179 --> 00:38:05,229 uh many so called Cyber security 1099 00:38:05,239 --> 00:38:07,840 service providers across all of its 1100 00:38:07,850 --> 00:38:09,679 components who manage security 1101 00:38:09,689 --> 00:38:12,870 operations logically and CSSPs would 1102 00:38:12,879 --> 00:38:14,823 be aligned with network segments , 1103 00:38:14,823 --> 00:38:16,490 intermission threads would be 1104 00:38:16,490 --> 00:38:18,601 standardized . Where are we on that ? 1105 00:38:18,601 --> 00:38:20,712 And I'm sure hopefully we correct the 1106 00:38:20,712 --> 00:38:22,879 most of it . Senator I would offer the 1107 00:38:22,879 --> 00:38:25,046 Department of Defense Information Network is a 1108 00:38:25,046 --> 00:38:27,379 very complex environment . Um And , and , 1109 00:38:27,379 --> 00:38:29,546 and , and the standards that honorable 1110 00:38:29,546 --> 00:38:31,601 Sherman puts out as the DoD CIO and 1111 00:38:31,601 --> 00:38:30,870 the operational maneuver that U.S.
1112 00:38:30,879 --> 00:38:33,350 Cyber Command does um makes that less 1113 00:38:33,360 --> 00:38:35,527 complex and we are continuing on a day 1114 00:38:35,527 --> 00:38:37,899 to day basis to make it less complex uh 1115 00:38:37,909 --> 00:38:40,131 and more simple . And as we do the zero 1116 00:38:40,131 --> 00:38:42,669 trust methodologies and as we focus on 1117 00:38:42,679 --> 00:38:45,159 the user and the data , we , we make it 1118 00:38:45,169 --> 00:38:47,336 that much less complex and more secure . 1119 00:38:47,500 --> 00:38:49,500 Sherman , you take a shot at this . 1120 00:38:49,500 --> 00:38:51,556 Absolutely . So we've been segmented 1121 00:38:51,556 --> 00:38:53,500 for a long time and to your , your 1122 00:38:53,500 --> 00:38:55,222 point that we need now need to 1123 00:38:55,222 --> 00:38:57,278 rationally segment and as we move to 1124 00:38:57,278 --> 00:38:59,500 what we call software defined wide area 1125 00:38:59,500 --> 00:39:01,885 networks or SD-WANs and making it less 1126 00:39:01,895 --> 00:39:03,562 about hardware and less about 1127 00:39:03,562 --> 00:39:05,784 organizations , but a rapidly adaptable 1128 00:39:05,784 --> 00:39:08,535 software based ecosystem where again , 1129 00:39:08,545 --> 00:39:10,601 the same principle applies . We're , 1130 00:39:10,601 --> 00:39:12,767 we're hindering the enemy's ability to 1131 00:39:12,767 --> 00:39:14,823 move laterally across that network . 1132 00:39:14,823 --> 00:39:16,767 But we do this in a logical manner 1133 00:39:16,767 --> 00:39:18,545 consistent with this very large 1134 00:39:18,545 --> 00:39:20,323 enterprise that General Skinner 1135 00:39:20,323 --> 00:39:22,545 described . And it is indeed one of the 1136 00:39:22,545 --> 00:39:25,342 key pillars of zero trust on networks 1137 00:39:25,352 --> 00:39:27,574 and environment . We call it a fifth pillar 1138 00:39:27,574 --> 00:39:29,685 there and it matters for other pieces 1139 00:39:29,685 --> 00:39:31,741 too .
But that's what Thunderdome is 1140 00:39:31,741 --> 00:39:33,796 working on . We talked about earlier 1141 00:39:33,796 --> 00:39:35,630 and as we oversee our zero trust 1142 00:39:35,630 --> 00:39:37,519 architecture , that's a key point 1143 00:39:37,519 --> 00:39:39,685 taking what General Alexander noted 10 1144 00:39:39,685 --> 00:39:41,796 plus years ago , but making this more 1145 00:39:41,796 --> 00:39:44,019 rational now and where we can manage it 1146 00:39:44,019 --> 00:39:45,796 and be very agile to adapt in a 1147 00:39:45,796 --> 00:39:48,019 software centric method to frustrate an 1148 00:39:48,019 --> 00:39:50,352 enemy's ability to move laterally , sir . 1149 00:39:50,352 --> 00:39:52,949 Thank you , Senator Rounds . Thank you , 1150 00:39:52,959 --> 00:39:55,181 Mr Chairman . I've just got a couple of 1151 00:39:55,181 --> 00:39:57,790 questions uh the first and recognizing 1152 00:39:57,800 --> 00:39:59,800 it's in an unclassified environment 1153 00:39:59,800 --> 00:40:02,239 here , Mr Sherman . How will 1154 00:40:02,250 --> 00:40:04,139 Cybersecurity Maturity Model 1155 00:40:04,139 --> 00:40:06,830 Certification , certification process 1156 00:40:06,840 --> 00:40:09,969 uh with regard to the DIB contractors , 1157 00:40:10,520 --> 00:40:13,330 defense industrial base contractors , 1158 00:40:13,340 --> 00:40:15,062 streamline compliance with the 1159 00:40:15,062 --> 00:40:17,280 program's security requirements and 1160 00:40:17,290 --> 00:40:20,010 processes ? I mean , this is an area 1161 00:40:20,020 --> 00:40:22,260 where if , if there's a challenge for 1162 00:40:22,270 --> 00:40:24,381 all of us , it's in that connectivity 1163 00:40:24,381 --> 00:40:26,780 between the defense industrial base and 1164 00:40:26,790 --> 00:40:29,350 the itself .
Yes , sir , taking this 1165 00:40:29,360 --> 00:40:31,304 very seriously because our defense 1166 00:40:31,304 --> 00:40:33,416 industrial base , as we were noting a 1167 00:40:33,416 --> 00:40:35,416 moment ago is our , is our national 1168 00:40:35,416 --> 00:40:37,729 advantage . And whereas cyber security 1169 00:40:37,739 --> 00:40:39,795 is critical because of what the PRC 1170 00:40:39,795 --> 00:40:41,795 and others are doing , we've got to 1171 00:40:41,795 --> 00:40:43,961 make this understandable and usable by 1172 00:40:43,961 --> 00:40:46,183 the defense industrial base . So moving 1173 00:40:46,183 --> 00:40:48,510 from CMMC 1.0 circa 2021 which 1174 00:40:48,520 --> 00:40:51,179 had five different levels and it had an 1175 00:40:51,189 --> 00:40:53,585 additional layer of controls . DoD had 1176 00:40:53,595 --> 00:40:55,817 put on top of the National Institute of 1177 00:40:55,817 --> 00:40:58,075 Standards and Technology or controls . 1178 00:40:58,085 --> 00:41:00,135 We took a step back under Deputy 1179 00:41:00,145 --> 00:41:02,456 Secretary Hicks's leadership to review 1180 00:41:02,466 --> 00:41:04,996 this and make it more understandable 1181 00:41:05,006 --> 00:41:07,446 and executable to where we now sir have 1182 00:41:07,456 --> 00:41:09,696 three levels and removing that extra 1183 00:41:09,706 --> 00:41:12,226 layer of controls and we have a 110 1184 00:41:12,236 --> 00:41:14,125 controls that I put on there .
So 1185 00:41:14,125 --> 00:41:16,347 trying to put ourselves in the shoes of 1186 00:41:16,347 --> 00:41:18,403 those companies , whether they be in 1187 00:41:18,403 --> 00:41:20,236 South Dakota , sir , or Texas or 1188 00:41:20,236 --> 00:41:22,458 wherever they are and say , how is this 1189 00:41:22,458 --> 00:41:21,691 gonna impact me where we're not 1190 00:41:21,701 --> 00:41:23,534 surrendering the ground on cyber 1191 00:41:23,534 --> 00:41:26,181 security but making it implement um in 1192 00:41:26,191 --> 00:41:28,413 terms of particularly for the small and 1193 00:41:28,413 --> 00:41:30,247 medium companies . So we're in a 1194 00:41:30,247 --> 00:41:32,413 position right now . This has taken us 1195 00:41:32,413 --> 00:41:34,524 longer frankly than we wanted to have 1196 00:41:34,524 --> 00:41:36,580 to do the review . But sir , measure 1197 00:41:36,580 --> 00:41:36,412 twice , cut once . We want to do this 1198 00:41:36,422 --> 00:41:38,771 correctly before it gets over to OMB into 1199 00:41:38,781 --> 00:41:40,781 rule making and public review . So 1200 00:41:40,791 --> 00:41:43,013 we're committed to getting this right . 1201 00:41:43,013 --> 00:41:45,013 But all the while a lot of industry 1202 00:41:45,013 --> 00:41:47,180 engagement , so this is understandable 1203 00:41:47,180 --> 00:41:47,122 to the companies that are going to have 1204 00:41:47,132 --> 00:41:49,291 to implement this , sir . Thank you . 1205 00:41:49,770 --> 00:41:52,250 Uh General Skinner , I understand that 1206 00:41:52,449 --> 00:41:55,489 DISA has initiated a pilot assessing new 1207 00:41:55,500 --> 00:41:57,611 innovative commercial or it's a pilot 1208 00:41:57,611 --> 00:41:59,719 project that assesses new and 1209 00:41:59,729 --> 00:42:01,340 innovative commercial active 1210 00:42:01,340 --> 00:42:03,340 cybersecurity capabilities that are 1211 00:42:03,340 --> 00:42:05,530 intended to protect the DODIN . How are 1212 00:42:05,540 --> 00:42:07,651 those efforts going ?
And when do you 1213 00:42:07,651 --> 00:42:09,707 think you will be able to expand the 1214 00:42:09,707 --> 00:42:11,929 capabilities to protect the entire DODIN ? 1215 00:42:11,929 --> 00:42:14,262 Hopefully in a successful way . Senator , 1216 00:42:14,262 --> 00:42:16,429 um as I mentioned earlier in the March 1217 00:42:16,429 --> 00:42:18,610 time , uh about two weeks ago , uh we 1218 00:42:18,620 --> 00:42:20,898 put the , the uh the pilot on contract . 1219 00:42:20,989 --> 00:42:23,156 Um and we're expecting within the next 1220 00:42:23,156 --> 00:42:25,378 six months to have a good understanding 1221 00:42:25,378 --> 00:42:27,545 of that uh the pilots capabilities and 1222 00:42:27,545 --> 00:42:29,600 whether it it can scale while we are 1223 00:42:29,600 --> 00:42:31,711 doing that , we're not sitting on our 1224 00:42:31,711 --> 00:42:33,600 laurels . We're also , we've also 1225 00:42:33,600 --> 00:42:33,389 implemented this thing called cloud 1226 00:42:33,399 --> 00:42:35,770 based internet isolation , which is a 1227 00:42:35,780 --> 00:42:38,929 an innovative way of taking web traffic 1228 00:42:38,939 --> 00:42:41,250 and moving it to the left . I'll say um 1229 00:42:41,260 --> 00:42:43,482 into a sandbox to where we can actually 1230 00:42:43,482 --> 00:42:45,704 check the traffic out to make sure that 1231 00:42:45,704 --> 00:42:47,816 anything that's being downloaded does 1232 00:42:47,816 --> 00:42:50,038 not have malware in it . Um We're about 1233 00:42:50,038 --> 00:42:49,959 3/4 of the way through the entire 1234 00:42:49,969 --> 00:42:52,080 department that will be behind this .
1235 00:42:52,080 --> 00:42:53,858 Um And that's actually not only 1236 00:42:53,858 --> 00:42:55,636 improving our security but also 1237 00:42:55,636 --> 00:42:57,802 improving our user performance because 1238 00:42:57,802 --> 00:42:59,913 uh some of the information it's being 1239 00:42:59,913 --> 00:43:02,139 discarded and then , and then it's 1240 00:43:02,149 --> 00:43:04,093 coming through the internet access 1241 00:43:04,093 --> 00:43:06,316 points . So both from a user experience 1242 00:43:06,316 --> 00:43:08,482 standpoint and a security standpoint , 1243 00:43:08,482 --> 00:43:10,593 that's another innovative way that we 1244 00:43:10,593 --> 00:43:10,110 are protecting our boundary and 1245 00:43:10,120 --> 00:43:12,209 protecting our users . Great , thank 1246 00:43:12,219 --> 00:43:15,260 you on behalf of the chairman , um , 1247 00:43:15,399 --> 00:43:18,239 Senator Rosen . Well , thank you , 1248 00:43:18,250 --> 00:43:20,520 Senator Rounds . I appreciate that and 1249 00:43:20,530 --> 00:43:22,752 I appreciate you both being here , uh , 1250 00:43:22,752 --> 00:43:24,752 to testify today . And so I'm gonna 1251 00:43:24,752 --> 00:43:26,989 just , uh , uh , get right to it and 1252 00:43:27,000 --> 00:43:28,969 talk a little bit about artificial 1253 00:43:28,979 --> 00:43:30,979 intelligence because we're gonna be 1254 00:43:30,979 --> 00:43:33,090 using it in some form or fashion as a 1255 00:43:33,090 --> 00:43:35,312 cybersecurity solution . I mean , we're 1256 00:43:35,312 --> 00:43:37,423 already doing it in some way and it's 1257 00:43:37,423 --> 00:43:39,701 gonna continue to grow . So Mr Sherman , 1258 00:43:39,701 --> 00:43:41,812 as you know , Senator Manchin already 1259 00:43:41,812 --> 00:43:43,757 spoke about this , our adversaries 1260 00:43:43,757 --> 00:43:45,879 really could use A I in the future 1261 00:43:45,889 --> 00:43:48,111 cyber attacks in the United States . 
We 1262 00:43:48,111 --> 00:43:50,333 know it including on our dod networks . 1263 00:43:50,739 --> 00:43:52,683 On the other hand , AI also has a 1264 00:43:52,683 --> 00:43:54,572 great potential as a tool for the 1265 00:43:54,572 --> 00:43:56,461 Department of Defense to hunt for 1266 00:43:56,461 --> 00:43:58,461 malicious software search for those 1267 00:43:58,461 --> 00:44:00,628 irregular behaviors if you will , that 1268 00:44:00,628 --> 00:44:02,683 they could indicate a presence of an 1269 00:44:02,683 --> 00:44:04,850 intruder , uh , posing a threat to our 1270 00:44:04,850 --> 00:44:06,906 dod system . So , could you speak to 1271 00:44:06,906 --> 00:44:08,739 how the Department of Defense is 1272 00:44:08,739 --> 00:44:10,628 leveraging and learning about the 1273 00:44:10,628 --> 00:44:13,429 advanced AI models to improve our own 1274 00:44:13,439 --> 00:44:15,729 networks , um intelligence , if you 1275 00:44:15,739 --> 00:44:17,795 will uh for cyber security defense ? 1276 00:44:17,795 --> 00:44:19,906 Absolutely , Senator . So as we bring 1277 00:44:19,906 --> 00:44:22,128 data together on what's going on on our 1278 00:44:22,128 --> 00:44:24,295 networks and General Skinner can speak 1279 00:44:24,295 --> 00:44:26,517 to this a little bit as well , applying 1280 00:44:26,517 --> 00:44:28,461 AI and ML to look at , as you note 1281 00:44:28,461 --> 00:44:30,517 irregularities on what's going on in 1282 00:44:30,517 --> 00:44:32,406 there . And that's one of the key 1283 00:44:32,406 --> 00:44:34,628 pillars of zero trust on automation and 1284 00:44:34,628 --> 00:44:34,373 orchestration . That's pillar number 1285 00:44:34,383 --> 00:44:36,605 six on there on looking across that and 1286 00:44:36,605 --> 00:44:38,716 also visibility and analytics , which 1287 00:44:38,716 --> 00:44:41,022 is the next pillar as we apply AI and 1288 00:44:41,032 --> 00:44:43,032 ML to this .
And excuse me and as my 1289 00:44:43,032 --> 00:44:44,976 colleague , the CDAO , the Chief 1290 00:44:44,976 --> 00:44:46,976 Digital and AI Officer often notes 1291 00:44:47,035 --> 00:44:49,091 that the algorithms aren't the tough 1292 00:44:49,091 --> 00:44:51,091 part of this is getting the data to 1293 00:44:51,091 --> 00:44:53,146 where it needs to be , to be able to 1294 00:44:53,146 --> 00:44:55,257 run the algorithms . And that's where 1295 00:44:55,257 --> 00:44:57,202 we're frankly putting a lot of our 1296 00:44:57,202 --> 00:44:59,368 effort into is making sure we have the 1297 00:44:59,368 --> 00:44:59,196 data with the right standards , the 1298 00:44:59,206 --> 00:45:01,206 right points where we can run these 1299 00:45:01,206 --> 00:45:02,984 algorithms to look at for these 1300 00:45:02,984 --> 00:45:05,150 anomalous behaviors . You know , ma'am 1301 00:45:05,150 --> 00:45:07,373 to , to look for this and to be able to 1302 00:45:07,373 --> 00:45:09,595 secure the DODIN . And I would note General 1303 00:45:09,595 --> 00:45:09,486 Skinner may be able to amplify this 1304 00:45:09,496 --> 00:45:11,496 from his role at cyber comm there . 1305 00:45:11,979 --> 00:45:14,035 We're , we're using AI and multiple 1306 00:45:14,035 --> 00:45:15,868 points within the um at , at our 1307 00:45:15,868 --> 00:45:17,812 different end points . Many of the 1308 00:45:17,812 --> 00:45:19,535 products today have artificial 1309 00:45:19,535 --> 00:45:21,757 intelligence already embedded in them . 1310 00:45:21,757 --> 00:45:23,701 So even as we're purchasing them , 1311 00:45:23,701 --> 00:45:23,510 we're leveraging it there at our 1312 00:45:23,520 --> 00:45:25,576 boundary . We're actually leveraging 1313 00:45:25,576 --> 00:45:27,687 artificial intelligence to find those 1314 00:45:27,687 --> 00:45:29,687 irregularities .
And those zero day 1315 00:45:29,687 --> 00:45:31,853 malware that that aren't known today , 1316 00:45:31,853 --> 00:45:31,770 we're leveraging that already . And 1317 00:45:31,780 --> 00:45:34,002 then finally , the other area is in our 1318 00:45:34,002 --> 00:45:35,909 big data platforms and looking at 1319 00:45:35,919 --> 00:45:38,489 things retroactively to see what did we 1320 00:45:38,500 --> 00:45:40,556 miss something . Um So as we look at 1321 00:45:40,556 --> 00:45:42,556 all this data and all these sensors 1322 00:45:42,556 --> 00:45:44,611 coming in , we're leveraging the A I 1323 00:45:44,611 --> 00:45:46,667 models to find something that we may 1324 00:45:46,667 --> 00:45:48,333 have missed initially to , to 1325 00:45:48,333 --> 00:45:50,556 holistically uh can get after the cyber 1326 00:45:50,556 --> 00:45:52,778 security threat . And that was going to 1327 00:45:52,778 --> 00:45:55,000 be one of my questions . Are we looking 1328 00:45:55,000 --> 00:45:57,222 in hindsight when we know something was 1329 00:45:57,222 --> 00:45:59,167 that helps machines learn better ? 1330 00:45:59,167 --> 00:46:01,444 That's machine learning . We look back , 1331 00:46:01,444 --> 00:46:03,667 what did we miss ? And they put that in 1332 00:46:03,667 --> 00:46:03,659 their muscle memory , but I'm gonna 1333 00:46:03,669 --> 00:46:05,725 move on to zero trust really quickly 1334 00:46:05,725 --> 00:46:07,959 because uh in November , uh Department 1335 00:46:07,969 --> 00:46:10,136 of Defense , uh of course , released a 1336 00:46:10,136 --> 00:46:12,550 zero trust strategy and the road map . 1337 00:46:12,929 --> 00:46:15,379 And uh the strategy does list as a key 1338 00:46:15,389 --> 00:46:17,770 goal , technological acceleration at a 1339 00:46:17,780 --> 00:46:21,080 pace that equals or exceeds industry 1340 00:46:21,090 --> 00:46:23,423 advancements . That's uh very ambitious . 
1341 00:46:23,423 --> 00:46:26,330 So , General Skinner , um how are you 1342 00:46:26,340 --> 00:46:28,340 working to meet this very ambitious 1343 00:46:28,340 --> 00:46:30,396 goal ? You've just spoken about it a 1344 00:46:30,396 --> 00:46:32,396 little bit . What challenges do you 1345 00:46:32,396 --> 00:46:34,507 face ? Uh do you have the workforce ? 1346 00:46:34,507 --> 00:46:37,879 How can we help ? Um Senator , um Honorable 1347 00:46:37,919 --> 00:46:39,919 Sherman has put a very aggressive , 1348 00:46:39,919 --> 00:46:42,030 aggressive , aggressive goal goal out 1349 00:46:42,030 --> 00:46:44,197 there in regards to zero trust . And , 1350 00:46:44,197 --> 00:46:46,419 and we're working hand in hand with his 1351 00:46:46,419 --> 00:46:48,697 team with Cyber command to continue to , 1352 00:46:48,697 --> 00:46:50,752 to move forward . As an example , we 1353 00:46:50,752 --> 00:46:52,919 have a Thunderdome project um that we 1354 00:46:52,919 --> 00:46:55,141 just uh finished our , our prototype on 1355 00:46:55,141 --> 00:46:57,252 very successful prototype . And we're 1356 00:46:57,252 --> 00:46:56,800 working with his team on the 1357 00:46:56,810 --> 00:46:58,866 acquisition strategy to put this out 1358 00:46:58,866 --> 00:47:00,977 across the entire department . That's 1359 00:47:00,977 --> 00:47:02,866 on the technological standpoint , 1360 00:47:02,866 --> 00:47:05,110 technological point .
The other part is 1361 00:47:05,120 --> 00:47:07,989 our workforce and continuing to upskill 1362 00:47:08,000 --> 00:47:10,167 our workforce , continuing to bring in 1363 00:47:10,167 --> 00:47:12,679 and recruit the next generation force 1364 00:47:12,689 --> 00:47:14,320 that has kind of the , the 1365 00:47:14,330 --> 00:47:15,886 understanding of artificial 1366 00:47:15,886 --> 00:47:17,830 intelligence that has the creative 1367 00:47:17,830 --> 00:47:20,090 thinking that has the passion to get at 1368 00:47:20,100 --> 00:47:22,433 this because it can't just be workforce , 1369 00:47:22,433 --> 00:47:24,600 it can't just be technology . It's got 1370 00:47:24,600 --> 00:47:26,544 to be both as we continue to drive 1371 00:47:26,544 --> 00:47:28,656 forward on this aggressive schedule . 1372 00:47:28,656 --> 00:47:30,878 No , I , I think that's exactly right . 1373 00:47:30,878 --> 00:47:32,933 And uh I , I was gonna ask you too , 1374 00:47:32,933 --> 00:47:35,156 are you developing all of this in house 1375 00:47:35,156 --> 00:47:37,378 or are you purchasing software uh um uh 1376 00:47:37,378 --> 00:47:40,189 from the industry ? We're , we're doing 1377 00:47:40,199 --> 00:47:42,255 both . Um We , we , we're leveraging 1378 00:47:42,255 --> 00:47:44,088 the the technology from industry 1379 00:47:44,088 --> 00:47:46,199 because they are , they are are great 1380 00:47:46,199 --> 00:47:48,255 partners . We're leveraging what our 1381 00:47:48,255 --> 00:47:50,421 allies and partners have learned , but 1382 00:47:50,421 --> 00:47:52,421 also we have this innovative spirit 1383 00:47:52,421 --> 00:47:54,421 within our force that can take what 1384 00:47:54,421 --> 00:47:56,532 industry has given them and take it a 1385 00:47:56,532 --> 00:47:58,699 step further .
And that is what we are 1386 00:47:58,699 --> 00:48:00,699 continuing to try to empower and 1387 00:48:00,699 --> 00:47:59,824 make sure that , that , that they're 1388 00:47:59,834 --> 00:48:02,056 able to do that . So it's a combination 1389 00:48:02,056 --> 00:48:04,167 of all the above ma'am . So , are you 1390 00:48:04,167 --> 00:48:06,278 sure that when you're creating this , 1391 00:48:06,278 --> 00:48:05,554 that you have a software bill of 1392 00:48:05,564 --> 00:48:07,731 materials that shows when you're gonna 1393 00:48:07,731 --> 00:48:09,953 do your analytics on the software , you 1394 00:48:09,953 --> 00:48:11,731 have to be sure that you're not 1395 00:48:11,731 --> 00:48:13,731 vulnerable , you know , where every 1396 00:48:13,731 --> 00:48:15,897 piece of that software came from , who 1397 00:48:15,897 --> 00:48:18,064 wrote the code and its vulnerability . 1398 00:48:18,064 --> 00:48:20,397 Yes , ma'am . Thank you . I yield back . 1399 00:48:20,770 --> 00:48:22,881 Well , and with that , I on behalf of 1400 00:48:22,881 --> 00:48:24,770 Senator Manchin , chairman of the 1401 00:48:24,770 --> 00:48:26,659 committee , uh we wanna thank our 1402 00:48:26,659 --> 00:48:28,770 witnesses and all of the members that 1403 00:48:28,770 --> 00:48:30,548 have attended this subcommittee 1404 00:48:30,548 --> 00:48:32,919 briefing today . Uh We really are proud 1405 00:48:32,929 --> 00:48:35,580 to see the efforts uh at , at this very 1406 00:48:35,590 --> 00:48:38,709 successful cyber defense uh of paying 1407 00:48:38,719 --> 00:48:40,719 off after years of working with the 1408 00:48:40,719 --> 00:48:43,810 department and now literally is not the 1409 00:48:43,820 --> 00:48:46,340 time to relax or to take our foot off 1410 00:48:46,350 --> 00:48:49,330 the gas . Uh It's full speed ahead .
We 1411 00:48:49,340 --> 00:48:51,507 do look forward to continuing our work 1412 00:48:51,507 --> 00:48:53,340 together , especially as we look 1413 00:48:53,340 --> 00:48:55,729 forward to the next set of threats and 1414 00:48:55,739 --> 00:48:58,979 opportunities and the role of uh that , 1415 00:48:58,989 --> 00:49:01,139 that ethical artificial intelligence 1416 00:49:01,149 --> 00:49:03,620 will play in our cyber defenses . It , 1417 00:49:03,850 --> 00:49:06,017 as you've indicated , the , the AI is 1418 00:49:06,017 --> 00:49:08,570 here already and uh we're gonna have to 1419 00:49:08,580 --> 00:49:10,580 expand and we're gonna have to take 1420 00:49:10,580 --> 00:49:12,691 advantage of all of the opportunities 1421 00:49:12,691 --> 00:49:14,913 but defend against the , the challenges 1422 00:49:14,913 --> 00:49:17,199 as well . And uh we want to thank you 1423 00:49:17,209 --> 00:49:19,431 both for being here with us today . And 1424 00:49:19,431 --> 00:49:21,709 with that , the hearing is adjourned .