The 17 biggest data breaches of the 21st century
By Taylor Armerding
CSO | JAN 26, 2018 3:44 AM PT
Data breaches happen daily, in too many places at once to keep count. But what constitutes
a huge breach versus a small one? CSO compiled a list of 17 of the biggest or most
significant breaches of the 21st century.
This list is based not necessarily on the number of records compromised, but on how much
risk or damage the breach caused for companies, insurers and users or account holders. In
some cases, passwords and other information were well protected by encryption, so a
password reset eliminated the bulk of the risk.
1. Yahoo
Date: 2013-14
Impact: 3 billion user accounts
Details: In September 2016, the once dominant Internet giant, while in negotiations to sell
itself to Verizon, announced it had been the victim of the biggest data breach in history, likely
by “a state-sponsored actor,” in 2014. The attack compromised the real names, email
addresses, dates of birth and telephone numbers of 500 million users. The company said
the "vast majority" of the passwords involved had been hashed using the robust bcrypt
algorithm.
A couple of months later, in December, it buried that earlier record with the disclosure that a
breach in 2013, by a different group of hackers, had compromised 1 billion accounts.
Besides names, dates of birth, email addresses and passwords that were not as well
protected as those involved in 2014, security questions and answers were also
compromised. In October of 2017, Yahoo revised that estimate, saying that, in fact, all 3
billion user accounts had been compromised.
The breaches knocked an estimated $350 million off Yahoo’s sale price. Verizon eventually
paid $4.48 billion for Yahoo’s core Internet business. The agreement called for the two
companies to share regulatory and legal liabilities from the breaches. The sale did not
include a reported investment in Alibaba Group Holding of $41.3 billion and an ownership
interest in Yahoo Japan of $9.3 billion.
Yahoo, founded in 1994, had once been valued at $100 billion. After the sale, the company
changed its name to Altaba, Inc.
2. Adult Friend Finder
Date: October 2016
Impact: More than 412.2 million accounts
Details: The FriendFinder Network, which included casual hookup and adult content
websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and
Stripshow.com, was breached sometime in mid-October 2016. Hackers collected 20 years
of data on six databases that included names, email addresses and passwords.
Most of the passwords were protected only by the weak SHA-1 hashing algorithm, which
meant that 99 percent of them had been cracked by the time LeakedSource.com published
its analysis of the entire data set on November 14.
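As an added example (not code from the original article or from any company named in it), the contrast the two preceding sections draw: unsalted SHA-1 records of the kind in the FriendFinder dump beside a salted, deliberately slow KDF of the kind that protected Yahoo's bcrypt hashes, with the migration step a defender actually has to write. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, and the user records are constructed.

```python
"""Verify and migrate a password store that still holds unsalted SHA-1 records
to a salted, slow KDF on each user's next successful login."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations;
# lowered here only so the demo runs quickly.
PBKDF2_ITERATIONS = 200_000


def legacy_sha1(password: str) -> str:
    """Weak legacy record: 'sha1$<hex>'. No salt, so equal passwords give
    equal records and one precomputed table covers every account."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def kdf_hash(password: str, salt: Optional[bytes] = None,
             iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened record: 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'.
    A fresh 16-byte random salt per record defeats shared lookup tables; the
    iteration count makes each guess expensive for whoever holds the dump."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Constant-time verification for either record format."""
    scheme, _, rest = record.partition("$")
    if scheme == "sha1":
        expected = hashlib.sha1(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(expected, rest)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, digest_hex = rest.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    raise ValueError(f"unknown hash scheme: {scheme!r}")


def needs_upgrade(record: str) -> bool:
    return not record.startswith("pbkdf2_sha256$")


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate; on success re-hash a legacy record with the slow KDF.
    Login is the only moment the plaintext is available for migration, so
    accounts that never log in keep their weak record and should be forced
    to reset after a deadline."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if needs_upgrade(record):
        store[user] = kdf_hash(password)
    return True


def records_identical(store: Dict[str, str], user_a: str, user_b: str) -> bool:
    """Byte-identical records for two users is the signature of an unsalted
    scheme: cracking one hash unlocks every account sharing that password."""
    return store[user_a] == store[user_b]


# Constructed sample store; not data from any real breach.
STORE = {
    "alice@example.com": legacy_sha1("letmein"),
    "bob@example.com": legacy_sha1("letmein"),
    "carol@example.com": kdf_hash("letmein"),
}

if __name__ == "__main__":
    print("alice/bob identical before migration:",
          records_identical(STORE, "alice@example.com", "bob@example.com"))
    print("alice login:", login(STORE, "alice@example.com", "letmein"))
    print("bob login:", login(STORE, "bob@example.com", "letmein"))
    print("alice/bob identical after migration:",
          records_identical(STORE, "alice@example.com", "bob@example.com"))
    print("wrong password rejected:", not login(STORE, "alice@example.com", "wrong"))
```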
CSO Online’s Steve Ragan reported at the time that, “a researcher who goes by 1x0123 on
Twitter and by Revolver in other circles posted screenshots taken on Adult Friend Finder
(that) show a Local File Inclusion vulnerability (LFI) being triggered.” He said the
vulnerability, discovered in a module on the production servers used by Adult Friend Finder,
“was being exploited.”
AFF Vice President Diana Ballou issued a statement saying, “We did identify and fix a
vulnerability that was related to the ability to access source code through an injection
vulnerability.”
3. eBay
Date: May 2014
Impact: 145 million users compromised
Details: The online auction giant reported a cyberattack in May 2014 that it said
exposed names, addresses, dates of birth and encrypted passwords of all of its 145 million
users. The company said hackers got into the company network using the credentials of
three corporate employees, and had complete inside access for 229 days, during which time
they were able to make their way to the user database.
It asked its customers to change their passwords, but said financial information, such as
credit card numbers, was stored separately and was not compromised. The company was
criticized at the time for a lack of communication informing its users and poor
implementation of the password-renewal process.
CEO John Donahoe said the breach resulted in a decline in user activity, but had little
impact on the bottom line – its Q2 revenue was up 13 percent and earnings up 6 percent, in
line with analyst expectations.
4. Equifax
Date: July 29, 2017
Impact: Personal information (including Social Security Numbers, birth dates, addresses,
and in some cases drivers' license numbers) of 143 million consumers; 209,000 consumers
also had their credit card data exposed.
Details: Equifax, one of the largest credit bureaus in the U.S., said on Sept. 7, 2017 that an
application vulnerability on one of their websites led to a data breach that exposed about
147.9 million consumers. The breach was discovered on July 29, but the company says that
it likely started in mid-May.
5. Heartland Payment Systems
Date: March 2008
Impact: 134 million credit cards exposed through SQL injection to install spyware on
Heartland's data systems.
Details: At the time of the breach, Heartland was processing 100 million payment card
transactions per month for 175,000 merchants – most small- to mid-sized retailers. It wasn’t
discovered until January 2009, when Visa and MasterCard notified Heartland of suspicious
transactions from accounts it had processed.
Among the consequences were that Heartland was deemed out of compliance with the
Payment Card Industry Data Security Standard (PCI DSS) and was not allowed to process
the payments of major credit card providers until May 2009. The company also paid out an
estimated $145 million in compensation for fraudulent payments.
A federal grand jury indicted Albert Gonzalez and two unnamed Russian accomplices in
2009. Gonzalez, a Cuban-American, was alleged to have masterminded the international
operation that stole the credit and debit cards. In March 2010 he was sentenced to 20 years
in federal prison. The vulnerability to SQL injection was well understood and security
analysts had warned retailers about it for several years. Yet, the continuing vulnerability of
many Web-facing applications made SQL injection the most common form of attack against
Web sites at the time.
6. Target Stores
Date: December 2013
Impact: Credit/debit card information and/or contact information of up to 110 million people
compromised.
Details: The breach actually began before Thanksgiving, but was not discovered until
several weeks later. The retail giant initially announced that hackers had gained access
through a third-party HVAC vendor to its point-of-sale (POS) payment card readers, and had
collected about 40 million credit and debit card numbers.
By January 2014, however, the company upped that estimate, reporting that personally
identifiable information (PII) of 70 million of its customers had been compromised. That
included full names, addresses, email addresses and telephone numbers. The final estimate
is that the breach affected as many as 110 million customers.
Target’s CIO resigned in March 2014, and its CEO resigned in May. The company recently
estimated the cost of the breach at $162 million.
The company was credited with making significant security improvements. However,
a settlement announced in May 2017 that gave Target 180 days to make specific security
improvements was described by Tom Kellermann, CEO of Strategic Cyber Ventures and
former CSO of Trend Micro, as a “slap on the wrist.” He also said it, “represents yesterday’s
security paradigm,” since the requirements focus on keeping attackers out and not on
improving incident response.
7. TJX Companies, Inc.
Date: December 2006
Impact: 94 million credit cards exposed.
Details: There are conflicting accounts about how this happened. One supposes that a
group of hackers took advantage of a weak data encryption system and stole credit card
data during a wireless transfer between two Marshalls stores in Miami, Fla. The other has
them breaking into the TJX network through in-store kiosks that allowed people to apply for
jobs electronically.
Albert Gonzalez, hacking legend and ringleader of the Heartland breach, was convicted in
2010 of leading the gang of thieves who stole the credit cards, and sentenced to 20 years in
prison, while 11 others were arrested. He had been working as a paid informant for the US
Secret Service, at a $75,000 salary at the time of the crimes. The government claimed in its
sentencing memo that companies, banks and insurers lost close to $200 million.
8. Uber
Date: Late 2016
Impact: Personal information of 57 million Uber users and 600,000 drivers exposed.
Details: The scope of the Uber breach alone warrants its inclusion on this list, and it’s not
the worst part of the hack. The way Uber handled the breach once discovered is one big hot
mess, and it’s a lesson for other companies on what not to do.
The company learned in late 2016 that two hackers were able to get names, email
addresses, and mobile phone numbers of 57 million users of the Uber app. They also got the driver
license numbers of 600,000 Uber drivers. As far as we know, no other data such as credit
card or Social Security numbers were stolen. The hackers were able to access Uber’s
GitHub account, where they found username and password credentials to Uber’s AWS
account. Those credentials should never have been on GitHub.
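As an added example (not Uber's tooling or the article's code), a small pre-commit secret scanner of the kind that flags AWS credentials before they reach a repository. It assumes the AWS access-key-ID format (AKIA plus 16 uppercase alphanumerics) and a 40-character secret, uses an entropy check to drop obvious fixtures, and its sample lines use the placeholder key pair from AWS's own documentation, not a live credential.

```python
"""Scan staged text for AWS-style credentials; exit non-zero so a git
pre-commit hook blocks the commit."""
import math
import re
from dataclasses import dataclass
from typing import List

# Long-lived IAM user access key IDs are 20 chars beginning with 'AKIA'.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret keys are 40 base64-ish chars; require an assignment context to cut noise.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_ ]?secret[_ ]?access[_ ]?key\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
ENTROPY_THRESHOLD = 3.5  # bits per char; real 40-char secrets score well above this


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for repeated single characters."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per credential-looking token, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "# secret-scan: allow" in line:  # explicit, reviewable exemption
            continue
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Low-entropy matches (e.g. 'AAAA...') are test fixtures, not keys.
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "aws_secret_access_key", candidate))
    return findings


def redact(value: str) -> str:
    """Keep only the first 4 chars so the CI log does not itself leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


# Constructed sample of staged file contents. The key material is the
# placeholder pair published in AWS documentation, not a live credential.
SAMPLE_DIFF = """\
# constructed sample config
# the values below are the AWS documentation placeholders
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
aws_secret_access_key = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
region = "us-east-1"
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_DIFF)
    for f in hits:
        print(f"line {f.line_no}: {f.kind} {redact(f.value)}")
    raise SystemExit(1 if hits else 0)
```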
Here’s the really bad part: It wasn’t until about a year later that Uber made the breach public.
What’s worse, they paid the hackers $100,000 to destroy the data with no way to verify that
they did, claiming it was a “bug bounty” fee. Uber fired its CSO because of the breach,
effectively placing the blame on him.
The breach is believed to have cost Uber dearly in both reputation and money. At the time
that the breach was announced, the company was in negotiations to sell a stake to
Softbank. Initially, Uber’s valuation was $68 billion. By the time the deal closed in December,
its valuation dropped to $48 billion. Not all of the drop is attributable to the breach, but
analysts see it being a significant factor.
9. JP Morgan Chase
Date: July 2014
Impact: 76 million households and 7 million small businesses
Details: The largest bank in the nation was the victim of a hack during the summer of 2014
that compromised the data of more than half of all US households – 76 million – plus 7
million small businesses. The data included contact information – names, addresses, phone
numbers and email addresses – as well as internal information about the users, according to
a filing with the Securities and Exchange Commission.
The bank said no customer money had been stolen and that there was “no evidence that
account information for such affected customers – account numbers, passwords, user IDs,
dates of birth or Social Security numbers – was compromised during this attack."
Still, the hackers were reportedly able to gain “root" privileges on more than 90 of the bank’s
servers, which meant they could take actions including transferring funds and closing
accounts. According to the SANS Institute, JP Morgan spends $250 million on security
every year.
In November 2015, federal authorities indicted four men, charging them with the JP Morgan
hack plus other financial institutions. Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein
faced 23 counts, including unauthorized access of computers, identity theft, securities and
wire fraud and money laundering that netted them an estimated $100 million. A fourth
hacker who helped them breach the networks was not identified.
Shalon and Orenstein, both Israelis, pleaded not guilty in June 2016. Aaron was arrested at
JFK Airport in New York last December.
10. US Office of Personnel Management (OPM)
Date: 2012-14
Impact: Personal information of 22 million current and former federal employees
Details: Hackers, said to be from China, were inside the OPM system starting in 2012, but
were not detected until March 20, 2014. A second hacker, or group, gained access to OPM
through a third-party contractor in May 2014, but was not discovered until nearly a year later.
The intruders exfiltrated personal data – including in many cases detailed security clearance
information and fingerprint data.
Last year, former FBI director James Comey spoke of the information contained in the so-called
SF-86 form, used for conducting background checks for employee security
clearances. “My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel
I’ve ever taken, all of my family, their addresses,” he said. “So it’s not just my identity that’s
affected. I’ve got siblings. I’ve got five kids. All of that is in there.”
A report, released last fall by the House Committee on Oversight and Government Reform
summed up the damage in its title: “The OPM Data Breach: How the Government
Jeopardized Our National Security for More than a Generation.”
11. Sony's PlayStation Network
Date: April 20, 2011
Impact: 77 million PlayStation Network accounts hacked; estimated losses of $171 million
while the site was down for a month.
Details: This is viewed as the worst gaming community data breach of all time. Of more
than 77 million accounts affected, 12 million had unencrypted credit card numbers. Hackers
gained access to full names, passwords, e-mails, home addresses, purchase history, credit
card numbers and PSN/Qriocity logins and passwords. "It's enough to make every good
security person wonder, 'If this is what it's like at Sony, what's it like at every other
multinational company that's sitting on millions of user data records?'" said eIQnetworks' John
Linkous. He says it should remind those in IT security to identify and apply security controls
consistently across their organizations. For customers, "Be careful whom you give your data
to. It may not be worth the price to get access to online games or other virtual assets."
In 2014, Sony agreed to a preliminary $15 million settlement in a class action lawsuit over
the breach.
12. Anthem
Date: February 2015
Impact: Theft of personal information on up to 78.8 million current and former customers.
Details: The second-largest health insurer in the U.S., formerly known as WellPoint, said a
cyberattack had exposed the names, addresses, Social Security numbers, dates of birth
and employment histories of current and former customers – everything necessary to steal
identity.
Fortune reported in January that a nationwide investigation concluded that a foreign
government likely recruited the hackers who conducted what was said to be the largest data
breach in healthcare history. It reportedly began a year before it was announced, when a
single user at an Anthem subsidiary clicked on a link in a phishing email. The total cost of
the breach is not yet known, but it is expected to exceed $100 million.
Anthem said in 2016 that there was no evidence that members' data have been sold, shared
or used fraudulently. Credit card and medical information also allegedly has not been taken.
13. RSA Security
Date: March 2011
Impact: Possibly 40 million employee records stolen.
Details: The impact of the cyberattack that stole information on the security giant's SecurID
authentication tokens is still being debated. RSA, the security division of EMC, said two
separate hacker groups worked in collaboration with a foreign government to launch a
series of phishing attacks against RSA employees, posing as people the employees trusted,
to penetrate the company's network.
EMC reported last July that it had spent at least $66 million on remediation. According to
RSA executives, no customers' networks were breached. John Linkous, vice president, chief
security and compliance officer of eIQnetworks, Inc. doesn't buy it. "RSA didn't help the
matter by initially being vague about both the attack vector, and (more importantly) the data
that was stolen," he says. "It was only a matter of time before subsequent attacks on
Lockheed-Martin, L3 and others occurred, all of which are believed to be partially enabled by
the RSA breach." Beyond that was psychological damage. Among the lessons, he said, are
that even good security companies like RSA are not immune to being hacked.
Jennifer Bayuk, an independent information security consultant and professor at Stevens
Institute of Technology, told SearchSecurity in 2012 that the breach was, “a huge blow to
the security product industry because RSA was such an icon. They’re the quintessential
security vendor. For them to be a point of vulnerability was a real shocker. I don’t think
anyone’s gotten over that,” she said.
14. Stuxnet
Date: Sometime in 2010, but origins date to 2005
Impact: Meant to attack Iran's nuclear power program, but will also serve as a template for
real-world intrusion and service disruption of power grids, water supplies or public
transportation systems.
Details: The immediate effects of the malicious Stuxnet worm were minimal – at least in the
United States – but numerous experts rank it among the top large-scale breaches because it
was a cyberattack that yielded physical results.
Its malware, designed to target only Siemens SCADA systems, damaged Iran’s nuclear
program by destroying an estimated 984 uranium enrichment centrifuges. The attack has
been attributed to a joint effort by the US and Israel, although never officially acknowledged
as such.
15. VeriSign
Date: Throughout 2010
Impact: Undisclosed information stolen
Details: Security experts are unanimous in saying that the most troubling thing about the
VeriSign breach, or breaches, in which hackers gained access to privileged systems and
information, is the way the company handled it – poorly. VeriSign never announced the
attacks. The incidents did not become public until 2011, and then only through a new
SEC-mandated filing.
As PCWorld put it, “VeriSign buried the information in a quarterly Securities and Exchange
Commission (SEC) filing as if it was just another mundane tidbit.”
VeriSign said no critical systems such as the DNS servers or the certificate servers were
compromised, but did say that, "access was gained to information on a small portion of our
computers and servers." It has yet to report what the information stolen was and what
impact it could have on the company or its customers.
16. Home Depot
Date: September 2014
Impact: Theft of credit/debit card information of 56 million customers.
Details: The hardware and building supply retailer announced in September what had been
suspected for some weeks – that beginning in April or May, its POS systems had been
infected with malware. The company later said an investigation concluded that a “unique,
custom-built” malware had been used, which posed as anti-virus software.
In March 2016, the company agreed to pay at least $19.5 million to compensate US
consumers through a $13 million fund to reimburse shoppers for out-of-pocket losses, and
to spend at least $6.5 million to fund 1 1/2 years of cardholder identity protection services.
The settlement covers about 40 million people who had payment card data stolen, and more
than 52 million people who had email addresses stolen. There was some overlap between
the groups. The company estimated $161 million of pre-tax expenses for the breach,
including the consumer settlement and expected insurance proceeds.
17. Adobe
Date: October 2013
Impact: 38 million user records
Details: Originally reported in early October by security blogger Brian Krebs, it took weeks
to figure out the scale of the breach and what it included. The company originally reported
that hackers had stolen nearly 3 million encrypted customer credit card records, plus login
data for an undetermined number of user accounts.
Later in the month, Adobe said the attackers had accessed IDs and encrypted passwords
for 38 million “active users.” But Krebs reported that a file posted just days earlier, “appears
to include more than 150 million username and hashed password pairs taken from Adobe.”
After weeks of research, it eventually turned out that, in addition to the source code of several
Adobe products, the hack had also exposed customer names, IDs, passwords and debit
and credit card information.
In August 2015, an agreement called for Adobe to pay $1.1 million in legal fees and an
undisclosed amount to users to settle claims of violating the Customer Records Act and
unfair business practices. In November 2016, the amount paid to customers was reported at
$1 million.
[H.A.S.C. No. 115–8]
CYBER WARFARE IN THE 21ST CENTURY: THREATS, CHALLENGES, AND OPPORTUNITIES
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
HEARING HELD MARCH 1, 2017
U.S. GOVERNMENT PUBLISHING OFFICE
24–680 WASHINGTON : 2017
For sale by the Superintendent of Documents, U.S. Government Publishing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512–1800; DC area (202) 512–1800
Fax: (202) 512–2104 Mail: Stop IDCC, Washington, DC 20402–0001
COMMITTEE ON ARMED SERVICES
ONE HUNDRED FIFTEENTH CONGRESS
WILLIAM M. ‘‘MAC’’ THORNBERRY, Texas, Chairman
WALTER B. JONES, North Carolina
JOE WILSON, South Carolina
FRANK A. LOBIONDO, New Jersey
ROB BISHOP, Utah
MICHAEL R. TURNER, Ohio
MIKE ROGERS, Alabama
TRENT FRANKS, Arizona
BILL SHUSTER, Pennsylvania
K. MICHAEL CONAWAY, Texas
DOUG LAMBORN, Colorado
ROBERT J. WITTMAN, Virginia
DUNCAN HUNTER, California
MIKE COFFMAN, Colorado
VICKY HARTZLER, Missouri
AUSTIN SCOTT, Georgia
MO BROOKS, Alabama
PAUL COOK, California
JIM BRIDENSTINE, Oklahoma
BRAD R. WENSTRUP, Ohio
BRADLEY BYRNE, Alabama
SAM GRAVES, Missouri
ELISE M. STEFANIK, New York
MARTHA MCSALLY, Arizona
STEPHEN KNIGHT, California
STEVE RUSSELL, Oklahoma
SCOTT DES JARLAIS, Tennessee
RALPH LEE ABRAHAM, Louisiana
TRENT KELLY, Mississippi
MIKE GALLAGHER, Wisconsin
MATT GAETZ, Florida
DON BACON, Nebraska
JIM BANKS, Indiana
LIZ CHENEY, Wyoming
ADAM SMITH, Washington
ROBERT A. BRADY, Pennsylvania
SUSAN A. DAVIS, California
JAMES R. LANGEVIN, Rhode Island
RICK LARSEN, Washington
JIM COOPER, Tennessee
MADELEINE Z. BORDALLO, Guam
JOE COURTNEY, Connecticut
NIKI TSONGAS, Massachusetts
JOHN GARAMENDI, California
JACKIE SPEIER, California
MARC A. VEASEY, Texas
TULSI GABBARD, Hawaii
BETO O’ROURKE, Texas
DONALD NORCROSS, New Jersey
RUBEN GALLEGO, Arizona
SETH MOULTON, Massachusetts
COLLEEN HANABUSA, Hawaii
CAROL SHEA–PORTER, New Hampshire
JACKY ROSEN, Nevada
A. DONALD MCEACHIN, Virginia
SALUD O. CARBAJAL, California
ANTHONY G. BROWN, Maryland
STEPHANIE N. MURPHY, Florida
RO KHANNA, California
TOM O’HALLERAN, Arizona
THOMAS R. SUOZZI, New York
(Vacancy)
ROBERT L. SIMMONS II, Staff Director
KEVIN GATES, Professional Staff Member
LINDSAY KAVANAUGH, Professional Staff Member
NEVE SCHADLER, Clerk
CONTENTS
Page
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Smith, Hon. Adam, a Representative from Washington, Ranking Member, Committee on Armed Services ............ 2
Thornberry, Hon. William M. ‘‘Mac,’’ a Representative from Texas, Chairman, Committee on Armed Services ............ 1
WITNESSES
Healey, Jason, Nonresident Senior Fellow, Cyber Statecraft Initiative, Atlantic Council ............ 6
Libicki, Martin C., Professor, U.S. Naval Academy, and Adjunct Management Scientist, RAND Corporation ............ 5
Singer, Peter, Strategist and Senior Fellow, New America Foundation ............ 3
APPENDIX
PREPARED STATEMENTS:
Healey, Jason ............ 71
Libicki, Martin C. ............ 60
Singer, Peter ............ 47
DOCUMENTS SUBMITTED FOR THE RECORD:
[There were no Documents submitted.]
WITNESS RESPONSES TO QUESTIONS ASKED DURING THE HEARING:
[There were no Questions submitted during the hearing.]
QUESTIONS SUBMITTED BY MEMBERS POST HEARING:
Mr. Franks ............ 85
Ms. Hanabusa ............ 88
Ms. Rosen ............ 89
CYBER WARFARE IN THE 21ST CENTURY:
THREATS, CHALLENGES, AND OPPORTUNITIES
HOUSE OF REPRESENTATIVES,
COMMITTEE ON ARMED SERVICES,
Washington, DC, Wednesday, March 1, 2017.
The committee met, pursuant to call, at 10:03 a.m., in room
2118, Rayburn House Office Building, Hon. William M. ‘‘Mac’’
Thornberry (chairman of the committee) presiding.
OPENING STATEMENT OF HON. WILLIAM M. ‘‘MAC’’ THORNBERRY, A REPRESENTATIVE FROM TEXAS, CHAIRMAN, COMMITTEE ON ARMED SERVICES
The CHAIRMAN. The committee will come to order. The committee
meets today to explore ‘‘Cyber Warfare in the 21st Century:
Threats, Challenges, and Opportunities.’’ Needless to say, it is a
big complex topic that is at the heart of much of American national
security today and will be even more so in the future.
One of those internet quotes attributed to Albert Einstein says:
Given one hour to save the planet, I would spend 55 minutes understanding the problem and 5 minutes resolving it.
Well, whether Einstein really said something like that or not, I
think the point rings true that much of our challenge in cyber is
understanding the problem. As we have seen in recent years, cyber
is being used by both nation-states and nonstate actors in ways
that challenge our traditional notions of what is war. It is being
used to destroy, to steal, and to influence.
Cyber is a domain of warfare in itself, but its technologies also
undergird most all of our defense efforts. It helps make us the
strongest military in the world, and it also presents a vulnerability,
which adversaries are looking to exploit.
And what is true for our military is also true for our society.
Those technologies offer great opportunity but are also a vulnerability that must be defended. And when it comes to things that
must be defended, we often turn to the United States military.
I am very grateful to all the members who came back to Washington early this week to spend our yearly retreat at Fort Meade
focusing on this issue. Our witnesses today will also help us advance our thinking and hopefully help lead us to find the right
questions so that we can work together to find the right answers.
I would yield to the ranking member for any comments he would
like to make.
STATEMENT OF HON. ADAM SMITH, A REPRESENTATIVE FROM
WASHINGTON, RANKING MEMBER, COMMITTEE ON ARMED
SERVICES
Mr. SMITH. Thank you, Mr. Chairman. I appreciate you holding
this hearing on this very important topic, and it is one that I guess
we are probably going to spend more than 55 minutes trying to figure out the problem, unfortunately. It is very complicated. You
know, the first thing we have to figure out is how, you know, best
and better to protect our networks, both within government and
those private sector groups that we come into contact with the government. We have that problem on the Armed Services Committee
with a lot of the defense contractors that have sensitive information within their cyber domain that we have to figure out how to
protect.
And we still don’t really have a comprehensive strategy for how
to do that. That is part of the problem. And the other part is, as
cyber is increasingly used for active warfare, what is our policy on
that? If we are attacked through cyber, what is an appropriate response?
We saw that with the Russian attacks on the DNC [Democratic
National Committee]. You know, the President responded. It took
a long time because we really don’t have a set policy on what is
a proportional and appropriate response to a given cyber attack,
which we need to figure out.
And then, lastly, how do we use it as an offensive weapon? Certainly our enemies are using it. ISIS [Islamic State of Iraq and
Syria] is using it very effectively to spread their message and recruit. You know, and we have seen Russia use it in a variety of different formats. We have suspicions of others using it as well.
What should we do, from an offensive standpoint, to use cyber
to cause problems for our enemies and advance our interests? So
those are the three questions I am most interested in learning
more about.
I apologize; I actually have to leave early from this hearing. But
certainly I will study the remarks of our witnesses, and I know the
panel will benefit from the discussion.
I thank the chairman for holding this hearing, and I yield back.
The CHAIRMAN. I thank the gentleman.
Again, let me thank each of our witnesses for taking the time to
be here.
We have Dr. Peter Singer, strategist and senior fellow at New
America Foundation, among others things, author of ‘‘Wired for
War’’ and ‘‘Ghost Fleet’’; Dr. Martin Libicki, professor at the U.S.
Naval Academy and adjunct management scientist at the RAND
Corporation; and Mr. Jay Healey, nonresident senior fellow for the
Cyber Statecraft Initiative at the Atlantic Council.
Thank you all for being here. Without objection, your full written
statement will be made part of the record, and we would be pleased
to hear any oral comments you would like to make at this point.
Dr. Singer, we will start with you.
STATEMENT OF PETER SINGER, STRATEGIST AND SENIOR
FELLOW, NEW AMERICA FOUNDATION
Dr. SINGER. Chairman Thornberry and Ranking Member Smith,
members of the committee, it is an honor to speak at this important discussion today designed to reboot the cybersecurity conversation. It is all the more needed as the United States was recently the victim of what was arguably the most important cyber
attack campaign in history. Hackers reported as working on behalf
of the Russian Government have attacked a wide variety of American citizens and institutions. They include political organizations
of both parties, the Republican National Committee and the Democratic National Committee, as well as prominent Democrat and Republican leaders, as well as civil society groups like various American universities and academic research programs.
These attacks started years back, but they continued after the 2016
election. They have been reported as hitting clearly government
sites, like the Pentagon’s email system, as well as clearly private
networks, like U.S. banks. They have also been reported as targeting a wide variety of American allies ranging from government,
military, and civilian targets, and states that range from Norway
to the United Kingdom, as well as now trying to influence upcoming elections in Germany, France, and the Netherlands.
While Vladimir Putin has denied the existence of this campaign,
its activities have been identified by groups that include all the different agencies of the U.S. intelligence community, the FBI [Federal Bureau of Investigation], and in statements by both the prior
and present U.S. President. This campaign has also been well-established by the marketplace. Five different well-regarded cybersecurity firms have identified it.
This campaign is not a cyber war of the kind that is often envisioned with power grids going down and fiery cyber Pearl Harbors.
Instead, it is a competition more akin to the Cold War’s predigital
battles that crossed influence operations with espionage and subversion.
However, while Russia’s attacks are the most notable events in
cybersecurity in the last year, unlike in the Cold War, our strategy
must recognize they are only one aspect of a larger threat landscape. In cyberspace, the malevolent actors presently engaged in
attacks on U.S. persons and institutions range from criminals who
are stealing personal information or holding ransom valuable corporate data—although here too there is a prominent Russian link
with reportedly 75 percent of ransomware coming from Russian-speaking parts of the online criminal underground—to governments, like China, which have been accused of large-scale intellectual property theft, as well as breaking into government databases
like the OPM [Office of Personnel Management] in the cyber
version of traditional espionage.
And, finally, our strategy must face that all of this ongoing activity must account for the risk of an actual cyber war, the activities
that would occur in outright conflict, including cyber attacks to
cause physical damage.
So what can be done to defend America in this challenging
realm? In my written testimony, I submitted a series of 30 actions
that can be taken by the Congress to raise cybersecurity. Notably,
in reflecting the nature of this nonpartisan realm, the overall strategy and each of the proposed 30 measures are designed to be amenable to and implementable by the leaders of both parties.
I have submitted this strategy for the record, which I hope will
be a useful resource to you and your staff in your important work
ahead. Rather than restating in detail, I would note that it involves
three core elements.
First, activities that can be taken to restore deterrence, from
making key new investments in training, cutting-edge technology
like artificial intelligence [AI], and organizational changes in our
Defense Department approach, including disentangling CYBERCOM [Cyber Command] and the NSA [National Security Agency],
to utilizing all our tools of power to better influence current and
future adversary thinking in the wake of Russia’s attack, most especially by turning sanctions into law and strengthening them.
Second, actions to raise resilience, our ability to shake off attacks
and thus create what is known as deterrence by denial, where we
are not only better protected but adversaries gain less and are thus
less incentivized to attack. Importantly, a strategic effort to raise
U.S. resilience would be a useful investment against any type of attack or attacker.
The steps that can be taken by Congress here range from measures to better utilize Pentagon buying power to oversight on the
implementation of industry best practices in the government. They
also include innovative means to deal with our cybersecurity
human resource challenge, from supporting better pipelines into
government and the military and better organizing the wealth of
talent that lies outside of government in the military and Reserves,
such as through the creation of a program akin to Estonia’s world-respected approaches to societal resilience.
The final track looks at the broader challenge we face in a world
of social media and online influence operations. Here, too, there are
a range of suggested congressional actions, including enhancing cybersecurity information sharing among likely U.S. political targets,
raising the ability of the U.S. military to better utilize social media
and integrate it into our own training environments, and supporting the recreation of the Active Measures Working Group, an
interagency Cold War program designed to debunk foreign propaganda and limit the impact of lies spread by what the Soviets aptly
called “useful idiots.”
In conclusion, we must recognize that, for as long as we use the
internet, adversaries like Putin’s Russia and many others will seek
to exploit this technology and our dependence on it in realms that
range from politics to business to warfare itself. In response, the
United States can build a new set of approaches to deliver true cybersecurity, aiming to better protect ourselves while reshaping adversary attitudes and options, or we can continue to be a victim.
Thank you.
[The prepared statement of Dr. Singer can be found in the Appendix on page 47.]
The CHAIRMAN. Thank you. Dr. Libicki.
STATEMENT OF MARTIN C. LIBICKI, PROFESSOR, U.S. NAVAL
ACADEMY, AND ADJUNCT MANAGEMENT SCIENTIST, RAND
CORPORATION
Dr. LIBICKI. Good morning, Chairman Thornberry, Ranking
Member Smith, and the distinguished members of the committee.
My name is Martin Libicki, the Maryellen and Richard Keyser
Chair of Cybersecurity Studies at the Naval Academy and an adjunct at RAND. The views expressed are my own.
Two years ago, Admiral Rogers asked Congress to support an increase in his ability to carry out cyber attacks so that the United
States could deter cyber attacks on it, but would strength alone
suffice? Our deterrence capability has at least four prerequisites.
First, we must be able to attribute cyber attacks in order to punish the correct party and convince others that we are acting justifiably.
Second, we must communicate our thresholds. What actions will
lead to reprisals?
Third, we need credibility so that others believe that punishment
will in fact follow crossing such thresholds.
Fourth, we need the capability to carry out reprisals.
Of the four prerequisites, it is U.S. capability that is least in
doubt. Any country credited with Stuxnet and the operations that
Snowden leaked has demonstrated an impressive capability. It is
the other three prerequisites that need attention.
Attribution, to be fair, has improved considerably over the past
10 years, but the same cannot always be said about the U.S. ability
or willingness to prove that its attribution is correct. After the
Sony attack, the FBI’s public statement devoted just 140 words to
justifying its attribution, and the public case that Russia carried
out the DNC hack is even more problematic.
Credibility remains an issue. Although the United States did retaliate against North Korea for the Sony attack and Russia for the
DNC hack, the reprisals that have been made public, mostly sanctions, were not the sort that would induce fear in others.
That leaves the issue of thresholds, which gets the least attention. What cyber attacks merit cranking up the machinery of U.S.
retaliation for and thereby potentially altering the U.S. relationship with another country, especially when cyber attacks can vary
so much from a momentary network disruption to a major catastrophe? Not everything that we might call a cyber attack is actionable.
By contrast, even the smallest nuclear weapon on U.S. soil was
obviously actionable. Finding a tractable threshold is not a problem
easily solved. So let’s consider some candidates.
Should something be actionable if it violates the Computer Fraud
and Abuse Act? Well, there are three problems. First, using a national law as an international red line sets a precedent easily
abused by countries that, for instance, criminalize free speech.
Second, this act is violated literally on millions of occasions, pretty much every time a computer is turned into a zombie.
Third, such a law makes cyber espionage an actionable act, but
this is something that the United States carries out all the time.
Well, is something actionable, as one Assistant Secretary of Defense argued, if it is among the top 2 percent of all attacks? Here
the problem is that cyber attacks have no minimum. So it is very
difficult to define the set and, thus, very difficult to define 2 percent of the set.
Okay. Should everything that affects the U.S. critical infrastructure be actionable? Supposedly we know what is and is not part of
the U.S. critical infrastructure. But then we have attacks that
make us change our mind. For instance, a number of folks said the
attack on Sony was an attack on the critical infrastructure, and
after the attack on the DNC, we reconsidered the election—the voting machinery in this country, and we reclassified it as part of the
critical infrastructure.
Well, do the laws of armed conflict, or LOAC, provide a good dividing line? Well, unfortunately, LOAC kicks in only when something is broken or someone is hurt, and in cyberspace, damage has
occurred twice and death not at all. An attack that bankrupts a
firm, by contrast, would not be actionable by LOAC. Worse, LOAC
fosters the notion that a cyber attack, like a physical attack, is unacceptable behavior for countries, while cyber espionage, like traditional espionage, is something countries do. But the United States
does not accept all cyber espionage. It successfully pressed China
to stop its economic cyber espionage.
If the data taken from OPM had been sold into the black markets, the United States would doubtlessly have raised very strong
objection to China, and the DNC hack was actually cyber espionage. If the Russians had taken what they took in-house rather
than post it online, there likely would have been no U.S. response.
My bottom line is this: deterrence introduces multiple issues that
need far more careful attention than they have received to date.
Being strong is necessary, but it is not sufficient, and until we have
a firmer basis for setting thresholds, we may have to limit reprisals
to obviously actionable attacks while using the less obvious ones as
markers for what we would react to next time.
I appreciate the opportunity to discuss this important topic, and
I look forward to your questions.
[The prepared statement of Dr. Libicki can be found in the Appendix on page 60.]
The CHAIRMAN. Thank you.
Mr. Healey.
STATEMENT OF JASON HEALEY, NONRESIDENT SENIOR FELLOW, CYBER STATECRAFT INITIATIVE, ATLANTIC COUNCIL
Mr. HEALEY. Good morning, Chairman Thornberry, Ranking
Member Smith, distinguished members of the committee. I am
really humbled to be in front of you today. I will jump right to the
heart of my comments on cyber conflict where several issues stand
out.
First, what isn’t a problem? Attribution, as my colleagues have
pointed out, is not nearly the challenge that it used to be, as analysts at private sector companies and the U.S. Government have
made tremendous gains determining which nations are behind
cyber attacks.
Second, what is different in cyber compared to conventional conflict? I believe it is not hazy borders or operating at network speeds
or the other things that you might have heard that is most different, but in fact the role of the private sector. America’s cyber
power is not at Fort Meade. No, the center of U.S. cyber power is
instead in Silicon Valley, in Route 128 in Boston, at Redmond,
Washington, and in all of your districts where Americans are creating and maintaining cyberspace and can bend it if they need to.
Third, what didn’t we see coming? In the wake of the 1991 Gulf
War, we in the military were eager to study information operations, including propaganda and influence, which are now some of
our adversaries’ primary weapons against us. Yet, in the time
since, we have become so enamored of the cyber, we have forgotten
critical lessons of information operations from that time.
Fourth, what might we have most wrong? Simply, deterrence and
coercion. Previous testimony to this House made it clear there was
an electronic Pearl Harbor waiting to happen. Well, that was in
June 1991. So we have been fretting about an electronic Pearl Harbor for 25 of the 75 years since the actual Pearl Harbor. Cyber deterrence above the threshold of death and destruction not just is
working but works pretty much like traditional deterrence. Where
deterrence is not working, of course, is in the gray area between
peace and war, where all major cyber powers are enjoying a free-for-all.
We should not kid ourselves. In that gray zone, the United
States is throwing as well as taking punches, and deterrence works
very differently if your adversary is certain they are striking back,
not first. In fact, I believe cyber may be the most escalatory kind
of conflict we have ever encountered. Because of this, any exercise
in cyber deterrence must be thought of as an experiment. Some of
our experiments will work; some won’t. So we must be cautious, attentive to the evidence, and willing to learn.
So my first recommendation is that a new set of cyber influence
teams might quickly be trained and folded into the Cyber Mission
Force at Fort Meade working alongside cyber and area studies experts there.
Second, I continue to advocate splitting the leadership of NSA
and Cyber Command. Imagine if the Commander of U.S. Pacific
Command were the leading source of information on the China
military threat, negotiated with U.S. companies dealing with
China, ran the best funded China-oriented bureaucracies, was involved in intelligence operations and military planning against
China, and could decide what information on China was classified
or not. Sometimes two heads and two hats are more American than
one.
Third, the best use of government resources is to reinforce those
doing the best work already. Our critical infrastructure companies
are on the front lines and, together with major vendors and cybersecurity companies, have far more defensive capabilities than our
military. Grants to the nonprofit associations that are knitting
these operations together can give massive bang for the buck.
Lastly, I would like to leave you with a question to consider asking others in testimony in the future: What do you believe will be
the dominant form of cyber conflict in 10 years? The Pentagon
seems to have a healthy set of cyber requirements but not many
views of what cyber conflict might be like as they do in the land,
sea, air, or space.
For example, I am sure the chief of staff of the Air Force can give
you many reasons on why he sees future air conflict and why a
long-range strike bomber is the answer to succeeding in many of
those kinds of conflicts. What do we think the future of cyber conflict might be like that will justify the requirements that the Pentagon is asking for?
In closing, I would like to mention that on 16 and 17 March, 48
student teams, including from many of your districts or your alma
mater, including the Air Force Academy, Brown, and the Universities of South Alabama and Maryland, College Park, will compete
in the Cyber 9/12 Student Challenge. This competition prepares
students to tackle exactly the same sort of challenges about which
my colleagues and I are testifying before you today. If you or your
staff are available to observe, judge, or provide remarks, the student teams would greatly benefit. Thank you for your time.
[The prepared statement of Mr. Healey can be found in the Appendix on page 71.]
The CHAIRMAN. Thank you.
As we notified all members, Mr. Smith and I agreed that, for the
purpose of this hearing, we would start out by going in reverse seniority order for those members who were here at the time of the
gavel and then go in order that members entered the room, like we
usually do.
I also want to remind members that this afternoon the Emerging
Threats and Capabilities Subcommittee is holding a classified quarterly update on cyber operations to which all members of the committee are invited.
And at this point, I would like to yield my 5 minutes to the chair
of that subcommittee, Ms. Stefanik.
Ms. STEFANIK. Thank you, Mr. Chairman.
I have two questions. The first is broad. What aspects of the previous administration’s cyber policy should we keep and what
should we rethink? I will start with Mr. Healey and move down the
line.
Mr. HEALEY. Thank you very much, Chairwoman, Ms. Stefanik.
The previous administration got a lot of runs across the plate,
but they weren’t really swinging for the fence. So they had a lot
of small—they were playing small ball. And so there weren’t that
many things that really angered me that much about what they
did.
One that I think we should absolutely keep, because I think the
private sector should be the supported command, not the supporting command, I am a big fan of the work that they had done
on the vulnerabilities equities process. This is the process by which
if the U.S. Government discovers vulnerabilities, especially in U.S.
IT [information technology] products, that the default is to tell the
vendors on that, and if they keep it, for example, at Fort Meade,
that they have a risk-mitigation strategy so that, if it does become
public, that they can respond most quickly. The work that they did
on that was very important. That actually dates back to CNCI
[Comprehensive National Cybersecurity Initiative] in the previous
administration, but I think that is certainly worth keeping.
To change: I certainly hope that the U.S. Government can do better on its own cybersecurity systems. It looks like the new administration might be doing better on this with more of a role for the
Office of Management and Budget as well as more shared services,
that is, more cloud. I also think we can do more within the Department of Defense [DOD] for accountability. My experience in the private sector, especially working for banks, was that they had much
more control over what was added to their networks and who could
do what than even the Department of Defense does, which was a
surprise to me considering how much we think of command and
control and leadership within the Department of Defense. Thank
you.
Ms. STEFANIK. Thank you.
Dr. Libicki.
Dr. LIBICKI. I believe the administration made a lot of good investment in defensive, in defending networks, and I think that is
a trend that should continue. Details, I suppose, we can discuss,
but I think the general trend toward putting most of your eggs in
the defensive basket is a good one.
In the realm of what I would do different. If you are going to talk
up an attack as something that is unacceptable, then you need better attribution, public attribution case, and you need to hit back
more strongly. Conversely, if you are not prepared to hit back
strongly and you are not prepared to make a good attribution case,
maybe you shouldn’t make so big a deal of the cyber attack.
Ms. STEFANIK. Dr. Singer.
Dr. SINGER. I echo what was just previously said and add a couple of things. Towards the end of the Obama administration, in the
wake of the OPM breach, it put together a series of essentially best
practices from the private sector that could be mined for implementation into government. I see those as a key oversight area for Congress and essentially seeing if they are being implemented or not.
And, again, I think they are bipartisan in that they are pulling
from the private sector.
Similarly, in the very last weeks of the transition, there was a
bipartisan commission of experts, cybersecurity experts, that issued
a report of what could be done to aid government in this realm. It
was lost in the little bit of the conversation. Here too, bipartisan
recommendations, implementing those would be a good area.
Finally, the administration created a cybersecurity human resources strategy. This space is not merely about zeros and ones. It
is a people problem, and there are all sorts of areas there, and I
would look to that and see, is this being implemented or not? It
also points to, at least so far in the drafts of the Trump administration’s executive orders, human resources hasn’t been mentioned. So
I would be focusing on that.
In areas of what they can do, what they don’t do, there is a wide
variety of them that have been mentioned. Whether it is sanctions
to—we have done well at pulling in the National Guard as a way
of tapping broader societal resource, but that is only limited to
what is already in the military. I would look to the Estonian model
or, in essence, the cybersecurity version of the Civil Air Patrol as
a way of pulling in broader civilian talent that isn’t either able or
willing to serve in the military or Guard and Reserves.
Ms. STEFANIK. Thank you, Dr. Singer.
So my final more specific question: Mr. Healey, in your written
testimony, you discuss how our adversaries are using cyber capabilities as part of a larger strategic and orchestrated influence operations, form of information warfare. The most recent examples
are the North Korean hack of Sony, the Russia hack of the DNC,
and even 2008, the Chinese hack of both the Obama and McCain
campaigns.
In addition to your suggestion to create cyber influence teams
with our cyber forces, what more can we do to counter the strategic
influence campaigns that are so successfully being waged by Russia, China, North Korea, and Iran?
Mr. HEALEY. Such an important question. Thank you very much.
I agree with Dr. Singer on returning to the Active Measures Working Group, which I think is an important step. I think we can start
refunding some of those information operations projects that we
had done in the 1990s, for example, in [Operation] Allied Force
where we had done a lot against Slobodan Milosevic. There had
been a lot done in the military professional universities, especially
places like National Defense University and the doctrine centers
where hopefully some of those people still reside and we might be
able to build back some capability quickly.
It also—we obviously need to do this whole-of-government because this clearly isn’t a Department of Defense response. It has
helped me to think about—you know, we have incidents of national
significance to respond to terrorist attacks. We have cyber incidents
of national significance, but neither of these fit here. It has helped
me to think about an information incident of national significance
and think, who would we bring to the table? What agencies would
we bring to the table to respond to an information incident of national significance? I am not convinced that we should create such
a concept because there is something that strikes me a bit un-American about how we might use that if there is information we
didn’t like, but it certainly helped me think about how we might
improve our interagency response against such actions. Thank you.
Ms. STEFANIK. Thank you, Mr. Healey.
I am over my time.
The CHAIRMAN. Mrs. Murphy.
Mrs. MURPHY. Thank you, gentlemen, for being here and for your
testimony as well as the Q&A [question and answer].
I represent a district in central Florida that is home to the Nation’s largest modeling, simulation, and training industry cluster,
which includes a collaboration—which is a collaboration between
the military, academia, and industry. The Army command there,
known as PEO STRI [Program Executive Office Simulation, Training, and Instrumentation], has been tasked with the cyber training
mission for Army.
I was alarmed by a recent study that I saw that talked about the
accelerating workforce gap for cybersecurity professionals. This
survey projects that we will have a shortfall of 1.8 million cybersecurity professionals in the next 5 years. And to put that in some
context, when you talk about workforce gaps in other industries,
we are talking in the tens of thousands, but not in the millions. So
I found this an astounding shortfall in its size and particularly in
a critical area for both national security as well as economic stability.
So I was wondering, you know, you have all talked a little bit
about some of the initiatives, workforce initiatives, that could be
implemented, but what specific partnerships between academia,
government, and the private sector would help to build this talent
pipeline in the future, and what role does Congress have in providing investments for and supporting such partnerships?
Dr. SINGER. There is a whole array of activities that can and,
frankly, should be undertaken. As was mentioned, there was previously a human resources strategy. It is unclear whether that will
be continued or not. I believe it should be in the new administration. If it is not, there should be a similar full-fledged version of
it.
Equally, there have been organizations created like, for example,
the U.S. Cyber Corps, which is akin to a ROTC [Reserve Officer
Training Corps] program, a scholarship program for drawing talent
into government. It is unclear what the effect the Federal hiring
freeze will have on that. Right now, you have students that are
worried that they are not going to be able to meet their scholarship
commitments by joining government because the positions won’t be
open to them.
I would urge Congress and the administration to make clear that
cybersecurity is an area that would not be included in that hiring
freeze because, frankly, any labor savings that you get will be lost
by one breach, one incident.
Similarly, there is a whole series of areas to bring in. As was
mentioned, the strength of the United States is in districts like
yours and around, so ways of bringing that talent into government
for short term. So the examples range from adding a cybersecurity
element to the U.S. Digital Service to a program akin to what the
Centers for Disease Control has for bringing in talent from the
medical field.
Finally, bug bounty programs, which are very cheap ways of incentivizing people outside of government to volunteer to help government. I would urge—the DOD is doing these on a pilot basis.
This should be done at every single agency, and Congress can help
support that and incentivize that.
Dr. LIBICKI. I mean, there are a lot of programs that have been
mentioned, could be mentioned, that could increase the supply of
cybersecurity professionals, but if we are talking about the scholarship program, we are talking about hundreds and thousands of
people as opposed to millions of folks. And I think thought needs
to be given not only to how do you increase the supply but also how
you reduce the demand. Let me give you an example.
If you take a look at the Office of Personnel Management, there
was a lot of sensitive information, particularly information that you
gather as part of doing the security clearance, that was leaked to
other countries as a result. Okay. Now, if you just took a cybersecurity perspective, you would say, well, how many people does OPM
have to hire in order to make sure that their material doesn’t leak?
But there is another way of looking at it. Okay. Do we have to
ask people those questions? Do we have to write down the answers? Do we have to put those—digitize the answers that they
give? Do we have to make the answers available, and do we have
to make the answers available online? And is there some way of
finding out where the answers are going online in the circulation?
Okay. None of those things that I describe need a cybersecurity
professional. They need ways of understanding how information
works. And I think, as a general proposition, there was a tendency
to say: We want to compute the way we want to compute. We want
no restrictions. This internet stuff is wonderful. We want as much
as we can have. But it seems to give us cybersecurity problems. So
let’s go hire a bunch of cybersecurity folks and sort of spread some
cybersecurity on the top.
And if you can’t get these folks or you are paying an arm and
a leg to get these folks and it still doesn’t work because the Russians are very, very talented and the Chinese are very talented,
okay, then you might want to consider, how are we actually managing our information? And that leads you to a different place.
The CHAIRMAN. If I could request each of you all, if you would
talk directly into the microphone. Sometimes there is a noise outside that is making it hard to hear up here. So thank you.
Mr. Gallagher.
Mr. GALLAGHER. Thank you, Mr. Chairman.
I have a somewhat related question. The Marine Corps Commandant, General Neller, recently stated that using tactical cyber
needs to become routine like other technical arms of the service. So
when the Arty [artillery] officer shows up or the naval gunfire officer shows up, he needs to be accompanied by a cyber liaison officer.
My concern is that in terms of the cyber talent pool, I don’t think
a lot of them are enthusiastic about getting a high and tight and
joining the Marine Corps. So I am drawn to your idea, Dr. Singer,
about something akin to the Estonia Cyber Defense League, but I
see a host of practical challenges to implementation, and I think
we might have to rethink how we grant security clearances.
Could you just talk a little bit more about that and how we
might operationalize and implement such a proposal?
Dr. SINGER. So the approach that Estonia has is a little bit akin
to our age-old the minutemen or, more appropriate today, the Civil
Air Patrol. The Cyber Defense League there is, it takes people that
have been security cleared. So they do go through a clearance process. They are volunteers. They are outside of government. Their
talent ranges from people who are hackers to people who are bankers.
So, for example, if you want to understand how to attack or defend a bank, you just don’t need computer talent. You need to understand how the systems work. And they essentially volunteer to
aid Estonia in everything from red teaming—so attacking voting
systems before an election, define vulnerabilities before the bad
guys do—to they help with emergency response. It is a little bit
akin to the Civil Air Patrol, which gathers people who are interested in aviation, and it ranges from youngsters that are entering
the field to people who just want to keep flying, but then they are
on call for aviation-related accidents, training exercises, and, importantly, on call at the local, State, and Federal level.
My point is, is that, often in this space, we very appropriately
enough say, you know, look, we have got Active Duty, and National
Guard has expanded and gotten really good at this, but then we
stop and miss the fact that, as you put, there is a great deal of talent that will be forced to be outside of National Guard.
I would also, real quickly, one other point I want to make is that,
if we are looking at history, we often talk about the Pearl Harbor
parallel, and what General Neller is pointing to is that there are
other battles—Kasserine Pass—which were really ones that whether we won or lost was not based on our weapons but our failure
to figure out how we command and controlled, how we organized,
and that is what I would urge you to be pushing a little bit more
on the military side with.
Mr. GALLAGHER. And then, on that point, Mr. Healey, you seem
to argue that the reports of a cyber Pearl Harbor have been greatly
exaggerated, but I count myself among many Americans who received a notification from OPM after the hack, which some describe
as a cyber Pearl Harbor. What is your assessment of the long-term
damage caused by that hack?
Mr. HEALEY. Certainly when I thought about my colleagues, my
friends who in the future might be negotiating with China over
some issue, and I can imagine their Chinese counterparties sitting
down in front of them and having their complete SF-86 and the
rest of their information in front of them. And I imagine the chilling effect that would have on that negotiation and how America’s
diplomatic position is going to be significantly worse since then.
But I also take the thought of a devastating attack that leaves
thousands of Americans dead. I mean, that, for me, is—it is what
we have been thinking about, what we have been imagining that
was going to be this catastrophic bolt from the blue, and so certainly that hasn’t happened yet. And yet we still, to some degree,
allow that to capture our imagination.
So I think we need a little bit more curiosity about what future
cyber conflicts might be like and how we respond to those. I think
that would put us much better off to deal with the OPMs and to
deal with the Russian hacking.
Mr. GALLAGHER. And, finally, Dr. Libicki, among the many terrorist groups that we are fighting kinetically right now, who is the
most sophisticated cyber actor?
Dr. LIBICKI. I think you would have to say ISIS. But I think
even—ISIS is really good at information operations and propaganda, okay, because in many ways, they say that terrorism is sort
of the propaganda of the deed, and so they are integrated within
a country—with an organization like ISIS. But in terms of actual
cyber capability, there are many criminal groups that are better
than all the terrorist groups.
Mr. GALLAGHER. Thank you, Mr. Chairman.
I yield the rest of my time.
The CHAIRMAN. Mr. Brown.
Mr. BROWN. Thank you, Mr. Chairman.
I represent a district in Maryland that is perhaps less than 8
miles from Fort Meade, which is home to, you know, several very
important agencies and activities in the cyberspace, NSA, Cyber
Command, and Defense Information Systems Agency, and we are
home to a very large percentage of those high-and-tight cyber warriors. And I know that this committee, over the past several years,
has looked at the organization and structure of the cyber force,
Cyber Command, as a unified command. We are interested in the
dual-hat arrangement between the Director of NSA and as Commander of CYBERCOM, and also we are interested in a strategy
for incorporating the Guard and the Reserve.
So my question is—and there are a lot of different activities involved in cyber warfare. At the operational level, do you have any
thoughts and opinions on how best to support that combatant commander? We have got cyber mission teams that, my understanding,
right now, pretty much operate from CONUS [continental United
States], a lot at Fort Meade, some in Atlanta, and pushing those
teams out much like the Special Operations Command does, and
any other thoughts you have on sort of the operational tactical deployment of these assets.
Mr. HEALEY. Thank you very much, and there are parts of this
that remind me of the previous question. You know, the cyber
forces, I think, for a very, very long time are going to be high-demand, low-density [HDLD] assets. You know, there is just not
going to be enough of them, and in general, when we have got
HDLD assets, we try to keep them in a centralized pool so that
way—especially keeping them in a place where they can support
multiple commands and multiple operations without having to necessarily to deploy to do them.
I think it is going to be a long time before it is as easy to use
cyber capabilities as it is to drop a JDAM [Joint Direct Attack Munition] or to send artillery rounds downrange. It is extremely complex, and when you have capabilities, you tend to want to use them
sparingly and not in a tactical kind of situation because the adversary will just fix them.
And so the kinds of things that I think have been happening
within the Cyber Mission Force have been really excellent, and we
hope to see more capabilities and spending in that area.
Dr. LIBICKI. Briefly, I am not too sure I have an answer to your
question, but I do have a sense of what it will depend on. First is
we need to understand a lot better the efficacy of offensive cyber
forces, and the second thing is that we have to understand their
depleteability. There is a difference when you surprise somebody in
cyberspace, when you pull off something that they weren’t expecting, okay. The surprise element tends to deteriorate over time. It
is not like an artillery round, which still has the same blast effect
for the first as it does for the hundredth.
So that we don’t understand a lot, and for these next 5 to 10
years, we are going to have to be playing around with a lot of alternative models until we do have a level of understanding that allows
us to make good decisions.
Dr. SINGER. I think your mention of Special Operations Command is an appropriate one. I was actually down there literally
yesterday, and it is my sense that that is the likely and I think
ideal future evolution of what happens with Cyber Command
where it is, as mentioned, it is global in its operation but also can
focus down and help in specific commands on a theater level or the
like. It also has its own culture, its own approaches to promotions,
to different types of budget authorities to reflect kind of its unique
role. That is my sense of where Cyber Command can and should
evolve to.
Part of that will, as was mentioned, I do think it is time for it
to disentangle from the dual-hat leadership structure for both what
Jay Healey mentioned, in terms of the intelligence operational side,
to just, frankly, it is a human talent. No matter how good the person is, those two roles are incredibly important, and you are getting half their time. They are also very different. To make a sports
parallel, it is like having, you know, the coach of the Wizards and
the general manager of the Capitals. You know, you wouldn’t do
that.
The final aspect that I would put in terms of—to aid this in solving a lot of this question is better integration of this into our
muddy boots training environments, and when I say ‘‘this,’’ I mean
both offensive and defensive cyber capabilities as well as the social
media side. Our training environment should reflect what the
internet looks like now and how we can and our adversaries will
use it.
Mr. BROWN. Thank you, Mr. Chairman.
The CHAIRMAN. Ms. McSally.
Ms. MCSALLY. Thank you, Mr. Chairman.
Thank you, gentlemen. First, I just have a comment as we are
talking about this cyber workforce. Although I agree with you, Dr.
Libicki, about managing our information. There is going to be demand. These are going to be jobs that will be out there and growing. And I highlight the University of Arizona South in my district
has, you know, taken advantage and seen that coming and really
created a cyber operations program partnering with Fort Huachuca, Federal agencies, seeing that this is an opportunity to really
train the workforce of the future for government, military, and the
private sector, and I think a great example of really how educational institutions need to take advantage of this to provide
training and opportunities, you know, for good jobs in the future.
So I just want to highlight what is happening at the U of A South.
I am former military. You look at our potential adversaries. They
don’t want to take us head-on although they are closing some gaps.
But we are so heavily reliant on network operations for command
and control, for situation awareness, you know, whether that is
GPS [Global Positioning System] or how we are managing unmanned aerial systems, even how we are managing air tasking orders and time-sensitive targeting.
If you are the bad guy, you want to go after that asymmetrical
potential Achilles’ heel. Although we haven’t seen it happen, I
would like to hear your comments on our vulnerability. Obviously,
we are in an unclassified setting, and what we, you know, could do
because if we had an adversary go in that direction and try and
take us down, we would—you know, we talk about like the AOR
[area of responsibility] would go stupid pretty fast, like we wouldn’t
be able to operate; we wouldn’t know how to command and control
and give directions to our assets. And I see this as a very deep vulnerability that we have. Do you have any comments on that and
what we need to be doing better about it? You want to start, Mr.
Healey?
Mr. HEALEY. Thank you. It is tough for me when you ask me the
question not to answer first with ‘‘Assault Course, Ma’am.’’ So I
would start with——
Ms. MCSALLY. Sorry about that.
Mr. HEALEY. You haven’t had——
Ms. MCSALLY. Put him through basic training.
Mr. HEALEY [continuing]. The cyber Pearl Harbor the way that
we thought in some way because cyber attacks tend to only take
down things made of silicon, things made of ones and zeros, and
those are relatively easy to replace.
The more that we are bringing in the Internet of Things [IOT]
and the smart grid, the more that those same attacks, instead of
just bringing down things made of silicon, can bring down things
made of concrete and steel.
Ms. MCSALLY. Right.
Mr. HEALEY. So I am not of those that think cyber attacks have
been that bad lately. I really don’t, because no one has died yet.
I think we are going to look back at these days as the halcyon days
when Americans had not yet started dying from these.
So, to me, that is really where I would like to start putting a lot
of my time and I think the time from the DOD and from Congress
and in trying to see what we can do about—to secure the IOT and
keep our adversaries away from them. Thank you.
Ms. MCSALLY. Any other comments from——
Dr. SINGER. I think you are spot-on, and I would point to, you
know, so what would make the previous member happy, we spent
over $2 billion on construction in the Fort Meade area alone, which
is great. We have grown up this capability in Cyber Command, but
the Pentagon’s own weapons tester found in their words, quote,
‘‘significant vulnerabilities,’’ end quote, in every major U.S. weapons program. And that is made up—it has revealed itself in everything from China flying comparable copycat versions of the F–35,
which either coincidentally the J–31 looks like it or it is because
there were reported three different breaches during the design
process, to exploitation during warfare itself.
So, in terms of what Congress can do, I think we need to have
a focus on building resilience within the DOD acquisition system.
Specifically, establishing metrics and determining where progress
has been made or not in our acquisitions process to deal with vulnerabilities in that. So we know they are there; what can we do
about it?
I would also add: we can explore how to use Pentagon buying
power more effectively outside the defense industrial base. So, for
example, entities like Transportation Command have relationships
with a lot of different critical infrastructure, how can they
incentivize them to get better at their cybersecurity using Pentagon
buying power?
Ms. MCSALLY. Dr. Libicki.
Dr. LIBICKI. Three things. First, I think we need a better understanding of our end-to-end vulnerability. Part of the problem in defensive cyber is we tend to chop them up into little pieces and look
at the vulnerability of each piece, but in fact, if the bad guys are
going to exploit our vulnerabilities, it is going to do it on an end-to-end basis, and this is the basis under which you ought to measure things.
In terms of the vulnerability, as you point out, this is an unclassified session. So my best guess is that heterogeneity and, believe
it or not, legacy systems make a big difference because it gives us
a lot of ways of doing different things, and I think, in general, the
fact that our warfighters tend to be given the authority to do their
own innovation is very important because, after a cyber attack, the
world is going to look different than it did before, and how do you
put the pieces back together becomes very important, and a well-trained military that knows how to think on the spot in different
ways becomes very important in the aftermath of a cyber attack,
part of the resilience package.
Ms. MCSALLY. Great. Thank you. I had another question about
ISIS, but I am out of time. I often—we see ISIS either using the
internet to recruit, train, direct, yet the internet was continuing to
still work in Raqqa. I have asked many times in this setting, why
is the internet still on in Raqqa? But we don’t have time. So we
will follow up with you all later.
Thank you. I will yield back.
The CHAIRMAN. Mr. Carbajal.
Mr. CARBAJAL. Thank you, Chairman Thornberry and Ranking
Member Smith.
Dr. Singer, I am going to build on that but maybe closer to home.
An area of major concern is the supply chain vulnerabilities where
malicious software, hardware is inadvertently—or exists in the development or acquisition of different systems.
In your testimony, you express concern over the significant vulnerabilities in every major weapons program, extending from
breaches of operational systems to original design process. Can
each of you speak to how we can tackle these vulnerabilities? What
checks and balances can we put in place to avoid developing systems with malicious software or hardware? And what resources do
we need to invest in order to protect our supply chain?
Dr. SINGER. So I should clarify this phrase of significant vulnerabilities. That is actually from the Pentagon’s own weapons tester.
So it is not merely an assertion of mine. It is from our own government’s reporting on it. The concern here, again, as you put, is not
just merely, what does it do in acquisitions, what does it do in an
operational environment like we explored in future scenarios, but
it also means it is, I would argue, difficult to impossible to win an
arms race if you are paying the research and development for the
other side.
And so, in terms of what can be done, I think the question for
Congress is where, in using your authority, what are the changes
needed in acquisition law, or is it processes, is it policy, to create
better requirements for essentially resilience to cybersecurity attack, not preventing it? We will never be able to prevent all of it
but build resilience to it.
This also points to the human resources side that we have talked
about, and again, this cuts across the board in everything from
within the military, as was laid out, to outside and broader society,
and it is very exciting to hear—everyone is very proud of the different universities. We need to think about how we can build training for cybersecurity into our education system to create better levels of cyber hygiene. Thank you.
Mr. CARBAJAL. Thank you.
Dr. LIBICKI. There has been a lot of concern about the fact that
some of our foreign sourcing leads to vulnerabilities. I am not entirely certain whether we need to do all that much more than we
are currently doing. I remember that there was a lot of discussion
20 years ago when people were talking about fixing the Y2K [Year
2000] problem, and there was a lot of handwringing about foreigners working on our code, and therefore, we become much more
vulnerable because we couldn’t trust the foreigners to work on our
code, and I haven’t seen any evidence that that really mattered to
Y2K or that mattered to vulnerabilities in the immediate aftermath
of Y2K.
I think, as a general principle, it gets back to understanding our
end-to-end vulnerabilities. Even if a particular product is weak, if
there is no way to exploit the weakness, that gives you a certain
level of protection. So you do have to look at supply chain vulnerability as part of a broader overall systemic end-to-end vulnerability
issue.
Mr. HEALEY. Thank you very much.
I have been impressed with how much has been done on the academic side and within the computer security community on trying
to build a trusted system on untrustworthy components. So, for example, if you use end-to-end encryption, like is happening now in
Apple, even if you don’t trust the systems between you and the person you are talking to, there are tools like end-to-end encryption
that can give you much more trust over the system as a whole.
One example in the DOD context is DARPA [Defense Advanced
Research Projects Agency] is now putting a system they call
HACMS [High-Assurance Cyber Military Systems], the High Assurance Computing Systems—I can’t remember the exact acronym—where they are using mathematically provably secure code.
They have done this on a helicopter drone. They have given a red
team hacker access to part of that drone, and they have not been
able to get out, to hack the entire drone and take control of it. So
here are areas where you can trust the system even if it has some
untrustworthy components.
I would like to also call out what has been happening between
the defense industrial base companies themselves. The amount of
information sharing, my colleagues tell me, have gotten that, in the
past, if the Chinese were to hack one of those companies, they
could use that same vulnerability to hack all of them. And it has
now been several years where the sharing and the defenses have
gotten so good that now they have to use a different software vulnerability on each of these companies. I think that is exactly getting toward the kind of defenses that we need, and it is probably
more because of the sharing, which is cheap, than having to add
more and give them more money in the contract so they can improve their security.
Thank you.
Mr. CARBAJAL. Thank you for your insight and your wisdom.
I yield back.
The CHAIRMAN. Ms. Stefanik, do you have additional questions
on your own time?
Ms. STEFANIK. Thank you, Mr. Chairman.
NATO [North Atlantic Treaty Organization] has introduced the
Tallinn Manual through its Cyber Defense Center of Excellence in
Estonia, which provides an analysis on how existing international
law applies to cyberspace. The most recent Tallinn 2.0 Manual focuses on cyber operations and discusses cyber activities that fall
below the thresholds of the use of force or armed conflict.
Is this framework helpful in establishing international norms for
nation-states, and what, if anything, would you recommend we consider incorporating into U.S. policy?
I will start with Dr. Libicki.
Dr. LIBICKI. I mean, I can say nice things about global rule under
international law, but international law is only as good as countries that support international law are willing to support it. In
other words, they are willing to put muscle behind violations of international law. And I would—I regard international law as a tool
of policy. I do not regard it as a substitute for policy.
At some point, you have to take certain elements of international
law seriously enough to say, ‘‘This is unacceptable, and this is what
we are going to do about that,’’ and this is in turn part of a broader
discussion, which I urge that we have, about what in fact constitutes thresholds. Okay.
Part of the problem with using international law as a base, as
was obvious in the Tallinn 1 Manual, is that there is a lot of disagreement among people about what in fact constitutes legal behavior, and you don’t have the same judicial mechanism in the
United States where you can point to the opinions that are rendered by judges to say, okay, there is a consensus that this is a
way it is and this isn’t the way it is. We don’t have that. Okay.
So, in the end, international law has to be supported by nation-states—by countries and their willingness to take risks in support
of law before it becomes actionable.
Ms. STEFANIK. Thank you.
Mr. Healey and Dr. Singer, do you have anything to add?
Mr. HEALEY. I am a huge fan because it takes a lot of the arguments off the table. You know, instead of arguing, well, arguing
from scratch if we think something is an act of war, not now; we
at least have a place to come from. And that helps a lot. Now we
can argue what part to do about it. That is really what has been
tripping us up, I think, more than anything, is not what to call
something or what thresholds to set, but what are the actual policy
tools and how are we going to use them in each instance, and hopefully now we can focus on that.
Ms. STEFANIK. Dr. Singer.
Dr. SINGER. I am a huge supporter of it as well. I would just add
two things to it. The first is to recognize that there is not just this
process but a broader webwork of agreements and norm building
that is going on in everything from bilaterals with allies to multilaterals, be it at NATO to all the way up to United Nations. And
I think a key area for action for Congress is to essentially request
of the administration, what is your overall strategy here, how does
this all fit together, and, most importantly, are you not going to let
this fall by the wayside, because it is clearly advantageous to the
United States to shape these norms in a way that restores global
cybersecurity.
The second most important thing is to recognize that the
quickest way to undermine norms and laws is to take an action
when they are broken, and we have seen repeated instances, specifically by Russia, in everything from attacks on power grids that
were no-go areas, such as in Ukraine, to most recently this broader
campaign that I mentioned. And so, if we want to norm build, we
also have to take actions besides just write things down in treaties.
Ms. STEFANIK. Thank you.
In some of your testimonies, you have talked about our increasing capabilities when it comes to attribution. My question is, how
good are we at doing battle damage assessment [BDA] in cyberspace? Are there areas or capabilities that we need to invest in to
improve our ability to do BDA?
Mr. HEALEY. Do you mean against our—when the attack is
against us or——
Ms. STEFANIK. Yes.
Mr. HEALEY. Yes. Here, I think a lot of work that has been happening in the Information Sharing and Analysis Centers as well as
the new policy from the past administration for Information Sharing and Analysis Centers to try and come together and get that coordination done within the affected sectors themselves or the affected companies, that depends so much on which sector has been
hit to try and figure out the level of disruption.
Some, like finance, are extremely good at this. Their regulatory
agencies are banging on the door to find out what happened. Other
parts of our critical infrastructure, like water, aren’t going to be as
strong, and that underlines, I think, how good the sector organizations are, how well they are regulated, for example, rather than
anything specific to determining the level of disruption and the
damage.
Ms. STEFANIK. Dr. Singer.
Dr. SINGER. This is one of those key areas, I think, to delve deeper into in the muddy boots training side. So, for example, if you
lose 10 percent of communications, it is only if you actually go out
and exercise it that you understand that maybe it doesn’t have a
10 percent compromise on you; maybe it actually means your entire
organization can’t work. Or, similarly, if it is not you lose access
but that you can’t trust communication. If one time the adversary
inserts false information, be it into GPS or false information into
an order, does that mean that you no longer trust the system itself,
so the entire system goes down?
So that is one of the areas where I think we need to evolve it
more and do our own training to understand the effects of it. That
is the only way.
Ms. STEFANIK. Thank you.
My time is expired.
The CHAIRMAN. Ms. Rosen.
Ms. ROSEN. Thank you, and I really appreciate all of you being
here today. Thank you, Mr. Chairman.
My question is about the disentangling of the NSA and Cyber
Command. And so I see some of the benefits and challenges. I
would like you to expand on that a little bit and especially about
how that relates to our ability to respond dynamically to threats
or challenges as you see them and our ability to be fast and flexible
there.
Mr. HEALEY. Thank you very much, Congresswoman Rosen.
The most dynamic part of America’s cyber defenses is not Fort
Meade, and it will never be at the Pentagon. It just isn’t. They
can’t—pretty much no part of the U.S. Government is actually creating and maintaining cyberspace. One of my colleagues that used
to—a former Army major that then went on to work at Verizon—
said, look, if there is an attack, we at Verizon and our colleagues
and our companies, we can bend cyberspace if we need to; we can
change the physics of the space to blunt this attack in a way that
is incredibly difficult for places like Fort Meade and U.S. Cyber
Command to do. U.S. Cyber Command simply just doesn’t have the
levers to be able to respond agilely enough to attacks against us.
They can certainly attack back, but they are not—they are not
tied in in the same way as these companies are. And so, because
I believe that the private sector is the supported command, they
have agility, they have the subject-matter expertise, and they can
bend cyberspace if they need to, that our money is best spent, rather than trying to recreate that at Fort Meade, find ways to help
make sure what they can do better.
Dr. LIBICKI. You have asked an interesting question, which, unfortunately, I don’t have a clear answer for because I am still
thinking through it. Okay? But a lot of what you do with Cyber
Command, vis-a-vis NSA, depends on what you actually want
Cyber Command to do. If you are thinking of what Cyber Command does as part of a broader information operations area, then
you need to bring Cyber Command in with other parts of the Department of Defense that deal with information operations. And
this is not a—this is not something that is currently on the table.
Ms. ROSEN. Cyber Command, doesn’t it also execute?
Dr. LIBICKI. Right.
Ms. ROSEN. Right.
Dr. LIBICKI. In terms of its—in terms of its offense mission is
what I am referring to. Okay? In terms of its defense mission, it
is a coordination between Cyber Command and the way the networks are currently managed that becomes an important component. And for a long time, NSA has had that responsibility to improve the security management of DOD networks.
If you are looking for Cyber Command to think in terms of a general analysis of the vulnerability of other people’s militaries, then
you may want to bring them in together with other folks who look
at the vulnerabilities of other people’s militaries that are not necessarily digital zero and ones but, in fact, arise from the interaction
of the various components of their militaries. And that is about as
far as I have gotten in my thinking, unfortunately.
Dr. SINGER. So I think we have laid out earlier some of the rationales for it, and it ranges from the split, as you note, between,
essentially, the evolution of the missions from intelligence to Cyber
Command becoming more and more operational, both offense and
defense, having training requirements and the like. As I mentioned, there is the double-hat problem of just human talent.
There is another aspect of this that I think is interesting to talk
with you about is go back to the original rationale for why they
were double-hatted. It was both because the creation of Cyber Command, it didn’t have its own culture, didn’t have its own human
talent, but it also was because there was a concern that the head
of Cyber Command would not be able to speak with a voice or authority that would get Congress’ attention.
Ms. ROSEN. Right.
Dr. SINGER. Post-Snowden, the absolute opposite happened
where you are more interested—maybe not you individually, but
Congress is more interested in the NSA surveillance encryption debate side. And we even saw that in the confirmation hearings for
the head of Cyber Command.
So I think for this wide variety of reasons, it makes sense to split
them, but I would not do it instantaneously. I would do it like the
transition that we had with the Joint Forces Command where the
mandate, so to speak, of the last commander was figure out how
to disentangle this in a way that doesn’t compromise effectiveness.
Ms. ROSEN. Thank you.
Well, as a former computer programmer and systems analyst, I
have about a million more questions about the public-private partnership versus privacy. We don’t have the time to do it today. I
hope you will come back, and I will be able to ask them all. Thank
you.
The CHAIRMAN. You can use the gentlelady as a resource as you
go on ahead. That is what is clear to me.
Mr. Scott.
Mr. SCOTT. Thank you, Mr. Chairman.
Gentlemen, many of my questions have been answered, but I
want to go back and focus on a couple of things. The Y2K issue was
approximately 20 years ago. It was not intentional, but my question has always been, as we talk about malware and digital and
Xs and Os, one of the vulnerabilities that we don’t talk about
much, which has been mentioned before, has been the supply
chains and the ability to perhaps embed things in hardware prior
to the manufacturing of the actual equipment.
I go back to just, for example, the GPS system that we put in
an airplane or a radio system that we put in an airplane, could it
be preprogrammed to stop working at a certain point in time, in
which case that would give your, certainly, major adversaries, your
near-peer adversaries, a distinct advantage over you, and that if
they knew that you were going to lose radio communications at a
certain point in time, that would obviously be an opportune time
for them to go on the offense.
And so it seems to me that we have this constant testing, if you
will, of capabilities among select few countries. When one of those
countries finds a weakness, the question is how far do they go in
exploiting it, I guess, before a cold war actually becomes what we
would acknowledge as a true war.
I listened to your comments on the split of leadership at NSA,
certainly interested in further discussion on that. But I would like
for you to speak, if you would, towards the future.
Dr. Healey, you said that we don’t have the levers that the private sector has to bend cyberspace, I think is the way you put it.
We obviously have Active Duty personnel. We have National Guard
personnel. National Guard has had a tremendous amount of success in helping us. What is the—what does the Cyber Mission
Force look like 20 years from now? What are the decisions that
have to be made to make sure that we have that cyber force?
Mr. HEALEY. Thank you very much. It is a great question. And
to put some context, I am not taking swipes at Cyber Command.
I was one of the initial cadre of what became Cyber Command.
When I was a young captain in the late 1990s, I helped the headquarters there set up what was to become the Joint Task Force-Computer Network Defense and was one of the 21st—one of the
first 25 cadre members there, and then it went on to grow to be
U.S. Cyber Command.
When I think about—it is a great question and what that force
might look like. One of the futures that I start thinking, and I am
saying, what would happen if we went down that—if—what cyber
conflict might look like in 10 years.
Last year, at—DARPA funded a contest called the Cyber Grand
Challenge in which they had different supercomputers discovering
their own vulnerabilities and throwing—discovering vulnerabilities
and attacking the other supercomputers on stage, which then had
to run through their programming and come up with automated
defenses. And, certainly, when I am thinking about what cyber conflict might look like in 20 years or 10 years, that to me seems like
somewhere obvious to start in where DARPA is already thinking.
So just imagine how—what that might mean for the Cyber Mission Force where we have over 6,000 people at Fort Meade, and
other places now, preparing for a fight. Well, if the future conflict
is going to be malicious software that has got a back end over a
supercomputer telling it what to target next, how to change to
avoid defenses, you now need your own supercomputer to try and
defend against that. And I think that has just tremendous challenges for military doctrine, for organizations, and certainly, for
staffing.
Mr. SCOTT. That brings me to another question. I mean, obviously, a lot of these people, they are extremely intelligent. We need
to have the ability to work with these people. They may not be interested in joining the military. They may not work, certainly, full-time or part-time. I mean, for lack of better terminology, I mean,
do we, when we see this problem coming, deputize a cyber posse
like the old days where you bring people in that you have never
worked with before?
And, Dr. Singer, I know—interested in your opinions.
Dr. SINGER. That is why I am an advocate of, look, there is great talent within Active Duty. National Guard has been a way to pull in. We have reorganized, so we can pull in that talent, you know, that already has cyber skill sets. But at the end of the day, as you note, there will be a wide range of people who either are unwilling to serve in the National Guard and Reserves or they simply won’t qualify for physical reasons, whatnot. And so we need to create alternative pathways to draw people in beyond just contracting them.

And that is why I am an advocate of both this Civil Air Patrol cybersecurity equivalent to expansions of the U.S. Digital Service to include cybersecurity, simply looking at outside of this field, what are like models that we know work? How do we use those to bring in cyber talent?

And then, lastly, I would point to the bug bounty program. The—you asked, you know, what will this look like? The people that participated in the Pentagon’s first bug bounty ranged from off-duty government workers to people working in business doing it nights. My favorite example was an 18-year-old who did it in the middle of their AP [Advanced Placement] test, who volunteered to help defend Pentagon networks and reportedly he did it because he just wanted the T-shirt. So we have to have a means of pulling in all this wide variety of talent. That is what makes America great.
Mr. SCOTT. But you also have to get them cleared from a security standpoint. You have to have them operate under some agency out there, and those are things that, I think, need—we need to have that outlined before the attack happens.
Dr. SINGER. Absolutely.
Mr. SCOTT. Mr. Chairman, I apologize for going over.
The CHAIRMAN. That is fine. Interesting discussion.
Mr. O’Halleran.
Mr. O’HALLERAN. Thank you, Mr. Chairman.
I guess I want to go back a little bit to Mr. Scott’s issue, because I have a concern that what we are doing here is without deterrence, without clearly showing deterrence that we are in this never-ending spiral of more and more people, more conflict between budget for cyberspace and the budget for defense; how do we pay for it, that the people that are attacking us are spending far less to attack us than we are to stop the attacks. And so it appears that the deterrence factor has to be something that is credible, as Mr. Libicki said.
I am just trying to understand how we start to slow down that cycle. It is a great full-time employment issue for a lot of young people that are coming out of our universities, but it is a serious question as far as our long-term capability to be able to defend ourselves without trying to deal with the deterrent side in a meaningful way—if we do not deal with it in a meaningful way.

So how does that all occur? And, Mr. Libicki, I would like to start with you.
Dr. LIBICKI. I think, ultimately, the way you discourage people from attacking you is to give yourself an architecture, the relationship between information and systems, that reduces their value—what they get from attacking you in the first place.
And even if we had an effective national deterrence policy, we would still have many other threats from criminals, from insiders. And so one of the advantages of defense and resiliency is that it defends against people, no matter what their motivation and no matter what way we can and cannot reach out and touch them.
Mr. O’HALLERAN. And I take it from your comment that you don’t feel we are at that point yet where we have the system that can deter like that?
Dr. LIBICKI. I think we have made a great deal of progress. I think we have a lot more progress to make. It is going to be a long challenge.
Mr. O’HALLERAN. Dr. Singer.
Dr. SINGER. So there are different forms of deterre...