[Senate Hearing 114-772]
[From the U.S. Government Publishing Office]
S. Hrg. 114-772
OPEN HEARING: NATIONAL SECURITY AGENCY
ACTIVITIES AND ITS ABILITY TO MEET
ITS DIVERSE MISSION REQUIREMENTS
=======================================================================
HEARING
BEFORE THE
SELECT COMMITTEE ON INTELLIGENCE
OF THE
UNITED STATES SENATE
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
THURSDAY, SEPTEMBER 24, 2015
__________
Printed for the use of the Select Committee on Intelligence
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
29-493 PDF WASHINGTON : 2018
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com.
SELECT COMMITTEE ON INTELLIGENCE
[Established by S. Res. 400, 94th Cong., 2d Sess.]
RICHARD BURR, North Carolina, Chairman
DIANNE FEINSTEIN, California, Vice Chairman
JAMES E. RISCH, Idaho                RON WYDEN, Oregon
DAN COATS, Indiana                   BARBARA MIKULSKI, Maryland
MARCO RUBIO, Florida                 MARK R. WARNER, Virginia
SUSAN COLLINS, Maine                 MARTIN HEINRICH, New Mexico
ROY BLUNT, Missouri                  ANGUS KING, Maine
JAMES LANKFORD, Oklahoma             MAZIE HIRONO, Hawaii
TOM COTTON, Arkansas
MITCH McCONNELL, Kentucky, Ex Officio
HARRY REID, Nevada, Ex Officio
JOHN McCAIN, Arizona, Ex Officio
JACK REED, Rhode Island, Ex Officio
----------
Chris Joyner, Staff Director
David Grannis, Minority Staff Director
Desiree Thompson-Sayle, Chief Clerk
CONTENTS
----------
SEPTEMBER 24, 2015
OPENING STATEMENTS
Burr, Hon. Richard, Chairman, a U.S. Senator from North Carolina
Feinstein, Hon. Dianne, Vice Chairman, a U.S. Senator from
California
WITNESS
Admiral Michael S. Rogers, USN, Director, National Security
Agency; Commander, U.S. Cyber Command; and Chief, Central
Security Service
Opening statement
SUPPLEMENTAL MATERIAL
November 18, 2014, article in DefenseOne.com, ``Political
Dysfunction Is a Worse Threat Than Putin, Say National Security
Workers'' by Kevin Baron
OPEN HEARING: NATIONAL SECURITY
AGENCY ACTIVITIES AND ITS ABILITY
TO MEET ITS DIVERSE MISSION REQUIREMENTS
----------
THURSDAY, SEPTEMBER 24, 2015
U.S. Senate,
Select Committee on Intelligence,
Washington, DC.
The Committee met, pursuant to notice, at 2:32 p.m. in Room
SH-216, Hart Senate Office Building, Hon. Richard Burr
(Chairman of the Committee) presiding.
Present: Senators Burr, Feinstein, Risch, Coats, Rubio,
Collins, Lankford, Cotton, Wyden, Warner, King, and Hirono.
OPENING STATEMENT OF HON. RICHARD BURR, CHAIRMAN, A U.S.
SENATOR FROM NORTH CAROLINA
Chairman Burr. I'd like to call this hearing to order.
Admiral, welcome. I'd like to welcome Admiral Rogers,
Director of the National Security Agency. Mike, as you well
know, we typically hold our hearings in closed session so that
we can review your classified programs. Given the sensitive
nature of these programs and the need to protect sources and
methods by which intelligence is gathered, that position is
certainly understandable. Today, however, we want to take time
to ensure that the American people have an opportunity to learn
more about the NSA, the mission your workforce is tasked with,
and what you're doing to combat the increasing cyber threat to
our Nation.
Cyber threats to our U.S. national and economic security
are a top priority for the intelligence community, and
destructive cyber intrusions and attacks are increasing in
scale, scope, complexity, and severity of impact. The Office of
Personnel Management recently suffered from one of the biggest
cyber breaches our government has ever encountered, and there
are countless other recent examples of cyber breaches and
attacks in both the public and the private sector.
While NSA typically works in secrecy, I think all of us on
this Committee expect that you'll be front and center on the
issue for the foreseeable future, informing and educating the
American public.
I'd like to take a moment to thank you and your workforce
for your dedication and the critical work you continue to do to
protect our Nation. You are by now accustomed to the different
and direct questions which we ask you often in closed session,
and you know that we do so to challenge you and your
organization always to be better.
Admiral, today represents a unique opportunity for you to
educate the American people on what you do, how you do it, how
your agency's postured to address the growing cyber threat for
both state and non-state actors.
I want to thank you again for joining us and I look forward
to your testimony as you seek to separate the myth of the NSA
from the reality of the NSA, to the extent you can do so in an
open setting, and we recognize how different that is.
I would also respectfully remind my colleagues to avoid any
questions that touch on classified programs or questions that
would require Admiral Rogers to divulge any sensitive
information, and the Vice Chair and I will consult if in fact
we believe that we've put Admiral Rogers in that type of
situation.
Again, welcome, Admiral. I turn to the Vice Chairman.
OPENING STATEMENT OF HON. DIANNE FEINSTEIN, VICE CHAIRMAN, A
U.S. SENATOR FROM CALIFORNIA
Vice Chairman Feinstein. Thanks very much, Mr. Chairman,
and thanks for holding this open hearing to allow the Committee
to discuss in public the important work that the NSA does and
some of the current challenges they face to keep up with
national security threats against us.
Director Rogers, welcome back before the Committee. As we
have discussed many times in closed sessions, NSA and Cyber
Command are at the forefront of a number of major national
security challenges and policy decisions. So I look forward to
this discussion today.
Before getting to the rest of my statement, I want to
publicly praise the work the NSA has done in collecting
intelligence that has enabled the rest of the government to
identify and stop terrorist plots directed or inspired by the
Islamic State of Iraq and the Levant here in the homeland. This
threat is by no means over, but there have been a number of
important disruptions thanks to good intelligence and good law
enforcement work, and you figure in that in a major way. So
thank you very much.
As FBI Director Jim Comey noted in his testimony before our
Committee in July, and I quote: ``The foreign terrorist now has
direct access into the United States like never before.'' End
quote. There are now more than 200 Americans who have traveled
or attempted to travel to Syria to participate in the conflict
and that remains a significant concern.
I'd appreciate your assessment of the ISIL threat and the
threat to the United States from others as well. Of course,
when discussing that threat we also have to recognize that, due
in part to leaks of classified information, improved
operational security by terrorist groups, and the availability
of encrypted means of communications that cannot be collected,
there is increasingly a limit on what NSA will be able to
contribute. I know we'll have a chance to discuss that change.
There are also numerous press reports in the past week or
two suggesting that the Administration is rethinking its
support for any legislative solutions to this problem. We
welcome your thoughts on how to approach the so-called ``going
dark'' issue. I think the more you can tell the public about it
here today, the better.
Certainly, the hack on the OPM database, as the Chairman
said, demonstrates the need for better protection of personal
information. But I'd very much like to hear your views on
whether this is an either-or situation or if there's a way to
keep private communications protected while still allowing the
government to gain access to critical information when it's
doing so pursuant to a court order or other appropriate legal
process. As the head of one of the most technically proficient
agencies in the government, your input into this question is
very important.
Next, while the Committee has been following the
implementation of the USA Freedom Act, today presents a good
opportunity for the American public to hear how that transition
is going. Under the new law, the NSA will no longer collect
phone metadata directly from phone companies and conduct its
own tailored queries of those data. Instead, the government
will have to obtain a court order in order to ask
telecommunications providers to query their own records and
produce the responsive information.
It's important, I think, for the public, as well as for us,
to know whether this transition will be complete at the end of
a 180-day period and whether you assess, if the system is in
place at that time, if you assess it will meet your operational
needs.
I'd also like to know whether this system, once fully in
place, will achieve the goal of providing NSA with responsive
information from a broader set of records than it had before
the USA Freedom Act passed or whether there will still be the
relatively small percentage of phone records that were
available to you before the change.
Finally, you've briefed the Committee recently on the
reorganization you're putting into place in the NSA. It would
be appropriate at this hearing for you to describe that
reorganization to the extent that you can, why it's needed, and
what changes are being made.
Again, thank you very much for the work your agency does.
I've been very proud of it, and thank you for your leadership.
Chairman Burr. Thank you, Vice Chairman.
For the purposes of Members, we will skip the one-question
round for this open hearing and we'll go to five-minute
questions after the Admiral has testified. We will do that
based upon seniority, which I'm sure Senator Wyden and Senator
Risch will complain to me about since they're on time today and
typically they might be running a few minutes behind.
But with that, Admiral Rogers, the floor is yours. Again,
welcome.
STATEMENT OF ADMIRAL MICHAEL S. ROGERS, USN, DIRECTOR, NATIONAL
SECURITY AGENCY; COMMANDER, U.S. CYBER COMMAND; AND CHIEF,
CENTRAL SECURITY SERVICE
Admiral Rogers. Thank you. Chairman Burr, Vice Chairman
Feinstein, Members of the Committee: Thank you for inviting me
today. It's a distinct honor and privilege to appear before
you. I appreciate this opportunity to speak to you about the
National Security Agency, about who we are, what we do, and how
we contribute to the Nation's security. In talking with you,
moreover, I'm grateful for this chance to explain to the
American public whom you represent what it is that their fellow
citizens at NSA do to defend our Nation as well as support
allies and partners around the world.
NSA plays a critical role in protecting the United States'
national security systems and providing insightful and
actionable foreign intelligence to our leaders, military
commanders, and foreign partners. We're the Nation's
cryptologic arm and America and her allies depend on our
efforts.
The NSA workforce, approximately 40,000 civilian and
military employees, is headquartered at Fort Meade, Maryland,
just outside Washington, as you know. We have facilities in 31
states and a global presence that spans the world. The team
that I am proudly a member of comprises a diverse group of
individuals who come from every corner of America. About 40
percent of our team is uniformed military, representing every
service, with both active duty and reserve members. Our team
members at NSA include analysts, collectors, operators,
mathematicians, linguists, cryptographers, engineers, computer
scientists, and too many other skills to list here by name.
Our workforce ranges from high school interns to junior
enlisted members of the military to senior executives of the
civilian service and flag-rank officers in the military. NSA
personnel are well educated, with over 75 percent of our
civilians holding a bachelor's degree or higher. Our military and
civilian linguists working in our foreign intelligence mission
have proficiency in over 120 different foreign languages.
Almost 40 percent of our employees work in the science,
technology, engineering, and mathematics fields, and they hold
the majority of the over 200 patents that have been granted to
members of the NSA workforce, more patents than any other
Federal agency.
In addition to working every day to keep our country safe,
our employees help to enhance their local communities by doing
things like volunteering in classrooms, planting community
gardens, and helping to clear the Appalachian Trail. They
donate thousands of gallons of blood to the Red Cross every
year, contribute millions of dollars to Federal charity drives,
and give tons of food to the ``Feds Feed Families'' hunger
drive. NSA and its affiliates are volunteer firemen, Marines
collecting for the ``Toys for Tots'' campaign, Airmen serving
with the Civil Air Patrol, Soldiers coaching Little League,
Sailors volunteering to clean the Chesapeake Bay, and civilians
leading Girl and Boy Scout troops. In short, they are your
neighbors.
NSA employees work hard and they work well to keep our
Nation safe and protect our civil liberties and privacy. Let me
explain their main duties and missions in a little bit more
detail. NSA's Information Assurance mission--Information
Assurance mission--is to protect national security systems,
such as systems that process classified information. We
generate ideas for defending these networks and impart valuable
security insights so the public and our allies may benefit. In
short, we ensure that our Nation's leaders and military can
communicate securely and that adversaries cannot gain access to
our Nation's secrets. That work also enables us to develop new
opportunities to share warning and cyber insights with the
private sector, so America can improve the overall security and
integrity of its information systems and critical
infrastructure.
NSA has evolved with changes in technology as the world has
shifted from analog to digital communications, following the
emergence of networks and the convergence of devices and
functions in our modern mobile society. As a result, NSA now
plays a key role in cyber space, assisting U.S. Government
efforts to see, mitigate, and deter cyber security threats. In
concert with public, private, and foreign partners, our work
helps to ensure users, operators, and administrators maintain
control of their systems and data.
NSA also gives our leaders unique insights into the hostile
activities of foreign powers and their agents. Our people lead
the Nation's signals intelligence enterprise, defending America
and our allies by collecting, analyzing, and reporting foreign
intelligence and counter-intelligence information derived from
the interception of foreign signals and communications. NSA
does this work in accordance with law and strict guidelines,
and only by collecting foreign intelligence in response to
specific requirements from U.S. policymakers and senior U.S.
commanders which are deemed necessary to advance the Nation's
policy goals to warn and report on strategic and military
developments around the world and to prevent strategic
surprise.
What NSA collects and analyzes is driven by the priorities
listed by our Nation's political and military leaders in formal
and constantly reviewed tasking documents. We work within a
framework of law, rules, and oversight provided by Congress,
the Executive Branch, and, as appropriate, the courts. That
system of accountability ensures the privacy and civil
liberties of U.S. persons.
On a daily basis, NSA provides insights into hostile plans
and intentions so that our customers and partners can counter
threats across the globe. Our military and its partners rely on
NSA to help them achieve tactical and operational success. Our
products are part of the fight, as essential to military
operations as food, fuel, and ammunition.
Our requirements include a wide range of SIGINT missions.
One of our most important SIGINT missions is counterterrorism,
discovering terrorist plans, intentions, communications, and
locations to disrupt and defeat their attacks. As a combat
support agency, NSA directly supports the military with
information to perform its missions and to provide force
protection, indications and warning, and overwatch support to
keep our troops out of harm's way.
Our work also helps the United States and its allies to
capture bomb makers, spot illicit fund transfers, work
transnational crime, and explain to other nations how
terrorists hope to transit their territory.
We also work to identify potential threats to U.S.
citizens, military personnel, and embassies around the world.
In addition, we devote considerable resources to the
international campaign to halt the spread of weapons of mass
destruction, tracking, reporting, and sharing data to keep
nuclear, biological, and chemical weapons out of the wrong
hands to keep the Nation safe.
We also assist the efforts of the Department of Homeland
Security to protect America's critical infrastructure from
cyber attacks. Finally, we support U.S. Cyber Command, which I
also lead, and will continue to help the Command develop the
capability and capacity it needs to accomplish its vital
missions.
As you well know, the threat environment both in cyber
space and in the physical world is constantly evolving, and we
must keep pace in order to maintain our advantage and generate
the insights that our Nation is counting on. Our Nation's
networks, communications, and data are increasingly at risk
from diverse and persistent threats. These include rogue
states, organized criminal enterprises, and terrorists, who are
showing a willingness and an aptitude to employ sophisticated
capabilities against us, our allies, and indeed anyone who they
perceive as a threat or a lucrative target.
Various self-proclaimed cyber activists also cloud the
threat picture. In addition, certain states are disposed to
conduct cyber coercion against their neighbors and rivals and
to fund campaigns of cyber exploitation against us and our
allies. The targets of their efforts extend well beyond
government and to privately owned businesses and personally
identifiable information, putting the privacy and data of all
Americans at risk.
Terrorist tactics, techniques, and procedures continue to
evolve. Those who would seek to harm us use the same internet,
the same mobile communication devices, and the same social
media platforms that we all use in our everyday lives. As
terrorists become more savvy about protecting their
communications, we must keep pace in order to protect the
Nation and our allies.
NSA will continue to rise to these challenges. As an
enterprise, we have had to reinvent ourselves before and we
will do so again. The use of intelligence to protect our Nation
dates back to the United States' very origins during the
Revolutionary War. NSA's predecessors, working with their World
War II partners, found German U-boats by solving Enigma machine
messages. They helped turn the tide of the war in the Pacific
at Midway by cracking the Japanese codes.
Today the men and women of NSA fight terrorists around the
globe. Today we target the communications of terrorist
organizations who mean to do us harm, helping to uncover and
thwart their efforts to communicate with sleeper cells around
the world or recruit fighters to their cause. The means of
communications have changed, but the requirement to maintain
our ability to collect and exploit the communications of
hostile foreign actors remains constant.
When the information revolution transformed communications,
NSA helped lead the way towards information assurance and
pioneered intelligence in cyber space, while enabling military
and counterterrorism operations in real time, in full
compliance with the Constitution and the law. Every NSA
employee takes an oath to preserve, protect, and defend our
Constitution and its civil liberties and the privacy of our
citizens that the Constitution guarantees. We just repeated
this oath across our workforce on 9-11. Security and privacy
are not tradeoffs to be balanced, but complementary
imperatives, and NSA supports both.
The complex issues before us today represent an opportunity
to write yet another chapter in our agency's rich tradition of
service to the Nation. NSA plays an indispensable role in
enabling our leaders to keep the peace and secure the Nation.
Our value lies in facilitating positive outcomes for the Nation
and our allies, and we have delivered this for well over 60
years. Our unique capabilities are more in demand and more
important to the Nation's security than ever. We are rightfully
proud of that accomplishment and what we continue to
accomplish, and we are striving to ensure that the American
people take pride in NSA.
Mr. Chairman, Madam Vice Chairman, and Members of the
Committee: Thank you again for the opportunity to be here with
you today, and I look forward to your questions.
[The prepared statement of Admiral Rogers follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Burr. Admiral Rogers, thank you.
Again, for Members, we'll go directly to five-minute rounds
based upon seniority.
Admiral, cyber threats continue to grow, both for the
public and the private sector. NSA faces stiff competition from
the private sector at recruiting those individuals with the
skills that are needed. What can you offer at NSA that Silicon
Valley can't offer?
Admiral Rogers. I think the difference for us is that, as
you have acknowledged, Chairman, we're competing for much of
the same workforce. The advantage that we have in my mind is
not unique to the cyber mission. I've experienced this as a
uniformed individual for the last 34 years. It's the power of
mission and the sense of serving something bigger than
yourself. That ultimately is the edge that we have. That's not
something you can easily replicate on the outside. It enables
us to attract cutting-edge technology, incredibly motivated and
capable men and women, even in the face of the fact that they
could earn a tremendously greater amount of money working on
the outside. But it's that sense of mission, it's that sense of
purpose, it's that ethos of culture and compliance, if you
will, that I think is our greatest advantage.
Chairman Burr. Admiral, NSA plays a significant role in
counterterrorism efforts, discovering terrorist plans,
intentions, communications, and locations, to disrupt or to
defeat their attack. Obviously, we can't go into great detail
here, but to what extent can you discuss it, and please
elaborate on what NSA is doing to combat terrorism and, more
specifically, please elaborate on what NSA's doing to combat
terrorism and, more specifically, something that every
American's focused on, and that's ISIL?
Admiral Rogers. Without going into the details of how we do
this, we broadly use our ability to work communications in the
foreign space to generate insights as to what ISIL and other
groups are doing, largely through our cyber and our signals
intelligence expertise.
The challenge I would argue in the counterterrorism mission
set for us, whether it's ISIL--I've seen the same thing in
Al-Qaeda and Al-Qaeda in the Arabian Peninsula, for example--I've
seen more changes in their behavior in the last two years
probably than any other target. They actively reference some of
the compromises and media leaks of the last couple of years,
and we know that they have achieved a level of insight as to
what we do, how we do it, and the capabilities we have that,
quite frankly, they didn't have in the past.
As a result of that, quite frankly, it has become harder,
more difficult, to achieve insights as to what they are doing,
combined with, in fairness, the broader changes in technology
we're seeing--encryption, use of apps that offer end-to-end
encryption, more complicated attempts to hide in the broader
set of noise, if you will, that's out there.
The positive side, though, to me is in the end it's not
technology; it's about the motivated men and women of NSA.
That's our edge. I always remind them, the nature of our
profession is that we tend to gain advantage and lose advantage
over time, because technology and the opponent's behavior
always change.
Chairman Burr. Admiral, why should the American people care
whether you're successful or not?
Admiral Rogers. Because the insights that NSA is able to
generate directly help to ensure the security of every citizen
of this Nation, as well as those of allies and friends. I will
not for one minute pretend that we are a perfect organization,
but I am very proud of our mission set, the way we do it. And
quite frankly, the only reason I'm still doing this is because
I think the mission that NSA does is incredibly important to
the Nation and our allies.
Chairman Burr. What's your greatest resource challenge
right now?
Admiral Rogers. Requirements far exceeding resources,
whether it's--if you look at the growth in cyber challenges,
you look at the proliferation of communications technology,
trying to stay on top of this with a workforce that has not
grown.
We're in our--fiscal year 2016, which we will start on
October the 1st, we'll see how the budget comes out, but we
project this will be the fifth straight year of a declining
budget. So one of my challenges as a leader is how do we
continue to generate the insights the Nation is counting on
even as the resources that we use to generate those insights
continue to decline.
Chairman Burr. Thank you, Admiral.
I'll turn to the Vice Chairman.
Vice Chairman Feinstein. Thanks very much, Mr. Chairman.
I'm going to try to get through three questions in five
minutes.
Let's go, if I might, Admiral, to the USA Freedom Act. How
long did it take one of your analysts to do a query under the
old bulk collection system and how long does it take to do a
query under the new system at the telecom companies?
Admiral Rogers. Now, if I could, I assume by asking how
long it takes to conduct a query that includes both getting the
court's approval, the analysis that goes into deciding that we
need to query the data. Under the old system there were several
different--we had emergency authorities, for example, that I
could use, which were the very quickest. Under those
authorities, generally, we could do the analysis, the team
could make a case to me as to why I needed to use those
emergency authorities when I believed that there wasn't
sufficient time to get to the court.
On those handful of occasions in which I have done that, I
had to notify the Attorney General in writing, I had to notify
the FISA Court in writing as to what I did and why I did it,
and what the basis of my determination was. In each case, the
times that I have done it to date were all driven by the fact
that we were getting ready to pursue tactical action somewhere
in the world that I was afraid was going to precipitate a
reaction from ISIL and other groups and as a result I
authorized access to the data and then informed the court and
the Attorney General.
That process, probably all the analysis, them briefing me,
me approving it, them going in and looking at the data,
probably something less than 24 hours if you count everything.
The average under the old system, not using that emergency
basis, was something--I think the fastest we ever did the
entire process was something on the order of two days using the
normal processes. The average was closer to four to six.
Vice Chairman Feinstein. Well now, are you saying you have
to use the emergency more often?
Admiral Rogers. No.
Vice Chairman Feinstein. You said five or six instances.
Admiral Rogers. No. We queried the data multiple times
through a court approval. There were a handful of times that
I----
Vice Chairman Feinstein. Well, you're saying it's faster
now?
Admiral Rogers. No. That is under the old system. You asked
me to compare old versus new. I'm just trying to give you a
framework for under the old system.
Under the new system, because it's not implemented I can't
tell you right now. Remember, we're in the process of
transitioning. The transition must be complete by the end of
November 28th.
Vice Chairman Feinstein. So you haven't done any?
Admiral Rogers. We have not completed the process yet.
That's why the legislation we had asked--this is going to take
some number of months to work with the providers, to make the
technical changes on the provider side.
Vice Chairman Feinstein. Got it.
Second subject. Sunday's ``New York Times'' reported that
our country will ask the Chinese to embrace the United Nations
Code of Conduct on Principles for Cyberspace that no state
should allow activity, quote, ``that intentionally damages
critical infrastructure and otherwise impairs the use and
operation of critical infrastructure to provide services to the
public.'' From your perspective, would a cyber arms control
agreement along these lines be valuable? Would it be
enforceable?
Admiral Rogers. First, that's a broad policy question. In
terms of the input, my opinion, the devil is always in the
details. I'd want to understand the specifics of exactly what
we are talking about.
Vice Chairman Feinstein. That's a good duck. It just
doesn't quack.
Admiral Rogers. I apologize, but there are so many
variables in this.
Vice Chairman Feinstein. Let's move on. I wanted to ask you
about the use of encrypted communications by terrorists and
criminals. The FBI Director came before us, as you know, and
gave us very stark testimony about going dark and how big the
problem was. Do you believe that the increased use of this kind
of encryption and apps, as you pointed out, poses a national
security threat?
Admiral Rogers. Yes, ma'am. I am concerned that the
direction we're going is effectively--if we make no changes,
represents a significant challenge for us in terms of our
ability to generate insights that the Nation is counting on.
Vice Chairman Feinstein. Can we make changes?
Admiral Rogers. I'm the first to acknowledge it's a complex
issue. I'd make a couple points. First, I don't think you want
the government deciding, hey, what the right answer is here. We
have got to collectively get together between the private
sector, government, industry, policy, the technical side and
sit down and figure out how we're going to work our way through
this, because I'm the first to acknowledge this is an
incredibly complex topic and there are no simple and easy
answers here.
I believe that, like anything, hey, if we put our mind to
it, we can ultimately come up with a solution that is
acceptable to a majority. It likely won't be perfect and I'm
the first to acknowledge you don't want me or an intelligence
organization making those kinds of decisions, you don't want us
able to unilaterally do that. I'm the first to acknowledge
that.
Vice Chairman Feinstein. Thank you.
Thank you, Mr. Chairman.
Chairman Burr. Senator Coats.
Senator Coats. Thank you for your service. I appreciate it.
To follow up on Senator Feinstein's questions, if I heard you
right, under the old system, given the procedures that you go
through, if it's an emergency you can get clearance in less
than 24 hours?
Admiral Rogers. Under the previous framework, I as the
Director of NSA was delegated the authority in emergency
situations to authorize access to the data. I then had to go to
the court and to the Attorney General and put in writing why I
did it, what I did, and what the basis of that decision was.
Senator Coats. What if it's imminent? What if you get a
call that a plane took off in Boston, turned south toward New
York when it was scheduled to go to Montreal, and you said that
will arrive in New York air space in 15 minutes? What happens?
Admiral Rogers. That's one of the reasons for that
emergency authority, so that I have the authority under the
current system. Now, as we transition to the new law, which
again we have to have permanently in place by November the
29th, I have lost that authority. It has now been raised to the
Attorney General. So I will have to approach the Attorney
General for why she, in this case she, needs to authorize
emergency access.
Senator Coats. So we're adding time to the process?
Admiral Rogers. It's probably going to be longer, I suspect
we're going to find out.
Senator Coats. And based on my question and your answer,
something that imminent probably can't be addressed in time to
put up the defenses?
Admiral Rogers. Not in minutes. I doubt we could do it in
minutes.
Senator Coats. You stated in your statement here that NSA
works daily to protect privacy and civil liberties. We've seen
breaches of tens of millions of Federal employees' records.
We've seen breaches of well over 50 million of a major
insurance company in my State. We've seen breaches of
everything from retail stores to you name it.
Obviously, those occur partly because those entities did
not have the procedures in place to block that. NSA does. Yet
you're criticized, your agency's been criticized, for being too
loose on privacy, can't trust you. But all the information--and
you're collecting phone numbers and names of individuals you
don't know. And the breaches are occurring with all kinds of
information of when you were born and what your Social Security
number is and what your bank account number is and everything
else.
So give me again for the record just what kind of things
NSA went through and continues to go through that protects
privacy and civil liberties, and if you can an explanation of
why NSA is deemed untrustworthy holding information, and yet we
rely on institutions that leak the stuff by the tens of
millions?
Admiral Rogers. If I could, let me answer the second part
first. It's one of the great challenges for me as a leader and
I would argue for us as a Nation. Increasingly, we find
ourselves as a society distrustful of government, writ large,
and in the aftermath of media leaks, NSA in broad terms.
I think that's both a part of this broader environment that
we currently live in right now--you see it in the fact that
we're unable to achieve--you live this every day in your
political lives--we're unable to achieve political consensus on
difficult issues that face the Nation. We have strong opinions
and yet we can't seem to come to a consensus about how we move
forward on many things.
What is happening to NSA is a part of that broader context.
So we find ourselves in a position where we acknowledge we must
follow the law, we acknowledge we must operate within a legal
framework and the set of authorities and policies. We do not
indiscriminately collect. Everything we do is driven by the law
and a set of priorities as to exactly what we do and what we
focus on. Those priorities designed to generate insights to
help defend our Nation, not to violate people's privacy.
But in the world we're living in now, that seems to get
lost in the ether in many ways, part of the challenge being as
a classified organization, if you will, the how we do what we
do, because I can't go into great details about, well, this is
exactly why you should feel comfortable, let me walk you
through all the things we have done that you have no clue about
but you should feel very comfortable with as a citizen or an
ally about what we've been able to forestall.
In terms of what we put in place to attempt to ensure the
privacy and civil liberties of our society, you look at the
legal framework that collectively was created for the call data
records, USA Freedom Act. You look at what we have done in
terms of complying with court orders. You look at what we have
done in terms of NSA has had three major outside reviews--702,
the Section 215, the call data records, of our collection in
general. Every one of those reviews has come back with the same
conclusion: You can argue that the law is good or bad, but NSA
is fully compliant with the law.
NSA has a systematic system in place designed to ensure
oversight and protection of the data we collect. We ensure that
not everyone in our workforce can just access any one that we
collect. The call data records, for example, Section 215, out
of an organization, as I told you in my opening statement
that's close to 40,000, we have limited access to that data to
30, approximately 30 people by design. We want--we understand
the sensitivity and the importance of the data that we collect,
and we need to ensure that we can tell you as our oversight, as
well as the broader citizens we defend, that we are not
arbitrarily misusing this data, that we are not opening it up
to just anyone in our workforce who wants to look at it.
We take those duties and those responsibilities very
seriously, and each one of the three major independent reviews
we've had in the last 18 months have come to the exact same
conclusion in that regard.
Chairman Burr. Senator Wyden.
Senator Wyden. Thank you, Mr. Chairman.
Thank you, Admiral, for your professionalism.
Let's see if we can do the first question on bulk
collection, this matter of collecting all the millions of phone
records on law-abiding people, with just a yes or no answer,
because I know Senator Feinstein got into some of the questions
with respect to implementation. I have heard you comment on
this, but I'd like to see if we could do this on the record. Do
you expect that ending bulk collection is going to
significantly reduce your operational capabilities?
Admiral Rogers. Yes.
Senator Wyden. In what way?
Admiral Rogers. Right now, bulk collection gives us the
ability to generate insights--we call it discovery--gives us
the ability to generate insights as to what's going on out
there. I'd also encourage the panel, as well as the Committee,
as well as the Nation, to review the National Academy of
Sciences review, in which they were specifically asked: Is
there an alternative to bulk collection? Is there software or
other things that we could develop that could potentially
replace NSA's current approach to bulk collection? That
independent, impartial, scientifically founded body came back
and said: No, under the current structure there is no real
replacement and that bulk collection as used by NSA generates
value.
Senator Wyden. But, as you know, the President's Advisory
Committee disagreed with you. They had an independent group
appointed and they said--and I believe it's at page 104 of
their testimony--that there was no value to bulk collection
that could not be obtained through conventional means, and it's
specifically cited.
Let me ask you about encryption, because in my view this is
a problem largely created by your predecessors, General Hayden
and General Alexander specifically. I believe they overreached
with bulk collection. That undermined the confidence of
consumers and the companies responded because they were
concerned about the status of their products with strong
encryption.
So at that point I began to be pretty concerned because it
looked like the government's position was companies would be
required to build weaknesses into their products. Now the
discussion has shifted to whether there should be the
availability of encryption keys to access these products. Now,
I don't want to go into anything classified or matters relating
to Executive Branch discussions. But let me ask you about a
policy matter. As a general matter, is it correct that any time
there are copies of an encryption key and they exist in
multiple places, that also creates more opportunities for
malicious actors or foreign hackers to get access to the keys?
Admiral Rogers. Again, it depends on the circumstances. But
if you want to paint it very broadly like that for a yes and
no, then I would probably say yes.
Senator Wyden. Okay. I'll quit while I'm ahead.
What concerns me, Admiral, seriously is that as this
question of access to encryption keys is pursued--and I think
that's where we move, as I indicated to you in our
conversation, from the original position, which looked like
companies would have to build weaknesses into their products,
which I think is a staggering development, it seems now it has
shifted with Ms. Yates's comments and others to this question
of the availability of keys.
You've just told me as a general proposition when there are
multiple keys--and there will be multiple keys--that creates
more opportunities for malicious actors or foreign hackers. And
to me, the good guys are not going to be the only people with
the keys. There are going to be people who do not wish this
country well. That's going to provide more opportunities for
the kinds of hacks and the kinds of damaging conduct by
malicious actors that I think makes your job harder.
I think you're doing a good job. I think you've been
straight with the Congress and certainly with me. But that's
what concerns me about access to malicious keys, and I
appreciate your answer on that.
Go take a look at page 104 of the President's Advisory
Committee, because on this question of operational
capabilities, not only do we not have any cases that indicated
that there was a compromise of the abilities of our
intelligence community, it was the unanimous finding of the
President's experts. That page will give it to you.
Thank you, Mr. Chairman.
Chairman Burr. Senator Rubio.
Senator Rubio. Thank you.
Thank you, Admiral, for being here. As you're aware, the
Chinese president, the leader of the Chinese Communist Party,
Xi Jinping, is going to be in the White House this week and
to receive the full honors of a state visit. But our
relationship with China is not at a good place at this moment.
They've breached the U.S. Government databases, they continue
cyber attacks against other elements of our government. Over
the last 20 years we've witnessed the single largest transfer
of wealth in the history of the world as Chinese companies,
backed by the Chinese government, have stolen proprietary data
and U.S. State secrets, and now, of course, the personal data
of at least 25 million Americans, if not more.
One of the things I've advocated is a three-step process. I
think we should be expelling known Chinese spies that are
operating in the U.S. as retaliation for these cyber attacks. I
think we should be disconnecting all sensitive databases from
the internet and ensure that our agencies that are responsible
for protecting government databases are doing their job. And I
think we need to make clear that we're going to respond in kind
to deter adversaries like China who will continue to attack us.
I guess my question begins by asking you: Would you agree
that a public discussion on an offensive cyber capability would
be an effective deterrent?
Admiral Rogers. I think we as a Nation need to have a very
public discussion about how do we achieve this idea of
deterrence, because if we don't change the current dynamic we
are not in a good place. We have got to fundamentally change
the dynamic we're dealing with now.
Senator Rubio. As the Director of NSA and as Commander of
U.S. Cyber Command, have you provided advice to the President--
I'm not asking what the advice is, but have you provided advice
to the President or the White House on ways to defend against
cyber attacks, cyber deterrent strategy, and appropriate
measures for us to respond to such attacks?
Admiral Rogers. Yes.
Senator Rubio. I understand that you're not charged with
creating policy, but has the White House sought your opinions
on policies relating to these matters, specifically on a more
effective cyber deterrent and best practices for securing U.S.
Government systems?
Admiral Rogers. Yes. I'm very happy in the process in the
sense that, hey, I'm just one perspective. I certainly
understand that. But I've certainly had the opportunity to
communicate my views as to what I think we need to do.
Senator Rubio. I guess my last question is going back to
the points that I've raised about expelling Chinese spies
operating in the U.S. as retaliation and also disconnecting the
sensitive databases from the internet. Are these measures that
you think are worthy of exploration? Would they have any sort
of deterrent effect or be part of the broader public discussion
about this issue?
Admiral Rogers. Certainly in my experience one of the
things we've found and one of the challenges, particularly for
Cyber Command, my other hat where I deal with penetrations in
the Department of Defense, one of the things that we have come
to understand is you need to minimize your exposure with what
we call public-interfacing web sites, connectivity with the
internet.
The flip side, though, is that there is a requirement in
many instances to ensure information flow from the internet in
the system. And so the idea that you're going to be able to do
some of these things with no internet connectivity, again it
depends on the situation. It can be problematic if you expect
data to flow back and forth.
Senator Rubio. I just have one last question. I apologize.
It's kind of a matter of doctrine, more or less. Our doctrine,
the doctrine of most nations, if not all on Earth, is that
there is a difference between intelligence gathering on
governments and intelligence gathering on private entities.
Clearly, multiple nations, if not all around the world, have
some sort of intelligence gathering capability and it's
targeted primarily at the governments and government actors in
other nations, especially those they have an adversarial
position with.
Is it fair to say that for the Chinese there is no such
distinction, that for them the notion of intelligence
gathering, they view commercial intelligence gathering and
governmental intelligence gathering as all part of their
foreign policy and intelligence gathering capability? They
don't have that distinction that we have or other nations have;
is that an accurate assessment?
Admiral Rogers. They clearly don't have the same line in
the sand, if you will, in that regard. I watch some of my
counterparts there do things that under our system I could
never do.
Senator Rubio. Exactly. So the point I'm trying to drive
at, because many Americans are not perhaps fully aware of this,
is that the Chinese government actively encourages as part of
their national policy the stealing of commercial secrets of
American companies for purposes of building up their own
capability, and this is directed by government. This is not
like a Chinese company hacking an American company. This is
directed, influenced, and funded by the network government
itself.
Admiral Rogers. Yes.
Senator Rubio. Thank you so much for your service.
Chairman Burr. Senator Warner.
Senator Warner. Thank you, Admiral Rogers, for your
service.
Let me just add an editorial comment here to the Chair and
the Vice Chair. My hope would be, in light of the testimony of
Admiral Rogers, that we could urge the respective leaders in
both parties to bring that information-sharing bill that's
passed out of our Committee back to the floor. I think we do a
great disservice to our country if we don't act on that
legislation as quickly as possible.
Chairman Burr. The Vice Chair and I can assure all the
Members we are working aggressively to get that back up, and my
hope is that Members will have an opportunity, not only to
debate it, but to amend it if need be in the month of October.
Senator Warner. Thank you, Mr. Chairman.
Admiral Rogers, I'm going to spend a couple moments on the
OPM breach. Obviously, 22 million-plus individuals, now we're
understanding 5.6 million fingerprints. We dug into that and I
know you can't comment too much, but that we found--and Senator
Collins and I are working on legislation that says as we look
at the responsibilities of DHS to try to protect the dot-gov
regime, they don't have the same kind of abilities and
responsibilities that you have to defend the dot-mil regime
when it comes to cyber hygiene. DHS actually has an ability to
recommend, but not actually enforce.
Recognizing this may be more asking for your editorial view
here, do you want to make a comment on that?
Admiral Rogers. First, I would argue those authorities to
defend DOD networks really reside operationally more in my U.S.
Cyber Command role. But it's fair to say--and again, it's all I
guess part of the cultures that spawn us--in the Department of
Defense our culture is you're always focused on generating
actionable outcomes. You're focused on empowering individuals
and clearly identifying responsibility and authority and then
holding people accountable.
I think what we want to get to in the dot-gov domain is
something quite similar over time. I think it's fair to say
that we're not there right now.
Senator Warner. We have, Senator Collins and I, have
legislation that would give DHS similar type authorities, as
well as that in effect chain of command. There still seems to
be some lack of clarity about who's in charge. We hear
constantly, even including OPM, that DHS made recommendations
about cyber hygiene that were not implemented by OPM and a
variety of other dot-gov regimes. That to me seems not good
process going forward.
Can you speak to, within this setting, what responsibility
you have in protecting cyber--in protecting sensitive but
unclassified data on the dot-gov side of the house?
Admiral Rogers. I do not have immediate responsibility, in
the sense that the structure is that I at NSA work through DHS
to provide support when it's requested. I am not in those
networks. I am not monitoring those networks.
Senator Warner. And post-OPM, has DHS requested your
assistance?
Admiral Rogers. Yes.
Senator Warner. Again, this is an area that I believe would
be addressed as well, hopefully with at least an amendment to
the information-sharing bill, something I know Senator Collins
and I, and I think most of our other colleagues share, we need
to give DHS those same tools.
Let me switch over to an area where Senator Rubio was. I
concur with him that, while we've not formally identified the
source of the OPM breach, there is obviously speculation
amongst Members and the press. My comment as well is that we do
need a deterrence as part of our overall national strategy.
I'd like you to make any comment you might have on--again,
we're playing on different standards. The Chinese in July
passed legislation that required all of their information
systems and companies that do business in China to have systems
that were secure and controllable in terms of access by the
Chinese authorities, which not only precludes any of the kind
of encryption tools that American domestic companies are
looking at, and again I think raise huge concerns--I agree
fully with Senator Wyden, but I do think there are concerns to
be raised. But also, this ``secure and controllable language,''
wouldn't that be in effect an open ability for Chinese
authorities to potentially get into those companies' databases
for intellectual property theft and other activities?
Admiral Rogers. The Chinese have a fundamentally different
construct than we do. They believe in essence that access to
the content of communications and data is a sovereign right. We
reject that notion. It leads to some of the things that we have
seen them do. It's why we have very publicly discussed this
with our Chinese counterparts, because in the end we want to
get to a place where we can both work together. But the current
approach, where we are so fundamentally apart, we've been very
up front that this is just not acceptable. We can't sustain a
long-term relationship, the kind of relationship we want, if
this is the approach, that the privacy of individuals, the
access to intellectual property, is just viewed as something
the state can do at the time and place of its choosing. It goes
totally against our framework.
Senator Warner. I hope our President will continue to raise
this.
Again, Mr. Chairman, my hope is that so many of the
businesses that we saw meeting with President Xi the other day
in Seattle, I hope they will not default to a lower standard in
their rush to try to access the Chinese market. Thank you, Mr.
Chairman.
Chairman Burr. Senator Collins.
Senator Collins. Thank you, Mr. Chairman.
Admiral Rogers, let me add my thanks to those of the
Committee for your dedicated service.
You mentioned, in response to a question from Senator
Coats, that only 30 NSA employees had access to the metadata,
were authorized to query the database. Am I correct in assuming
that those 30 employees were well vetted, they were trained,
and that they would be held responsible if there were any
misuse of the information?
Admiral Rogers. Yes, ma'am.
Senator Collins. Has there ever been any misuse of the
information that you're aware of?
Admiral Rogers. No, ma'am. The only thing I would highlight
in terms of oversight and compliance, for example, for those 30
individuals, we monitor every keystroke they use in trying to
access the data. We don't do that for every one of our tens of
thousands of other employees. We do it in this regard because
we realize the sensitivity of the data.
Senator Collins. I think that's an excellent point that
should have been reassuring to me. It's very ironic that the
USA Freedom Act was passed under the guise of increasing
privacy protections for the American people when there are
1,400 telecom companies, 160 wireless carriers. Not that you're
necessarily going to have to deal with all of those, but isn't
it likely that far more than 30 people will now be involved in
this process?
Admiral Rogers. Yes, I would expect that to be the case.
Senator Collins. And given that those companies market and
sell a lot of this information, aren't the privacy implications
far greater with this new system than under the careful system
that you described, with only 30 people authorized?
Admiral Rogers. I would respectfully submit that's for
others to decide.
Senator Collins. Well, I think from your--I understand why
you're saying that, but I think if one just looks at the
numbers the case becomes very evident.
In the USA Freedom Act, there's no requirement for the
telecom companies to retain the call detail data, and by that
I'm not talking about content. I'm talking about call detail
data. That's another misconception that some people have.
There's no requirement that that data be held for any
particular period of time. Companies hold it for their own
business records purpose. Is that a concern to you?
Admiral Rogers. Based on our initial interactions with the
providers as we move from the old structure to the new
structure where the providers hold the data, in talking to them
there's a pretty wide range. We're right now dealing with the
three largest, who really have been the focus of the previous
structure. We will bring additional on line, as you have
indicated. Among those three that we're starting with
initially, a pretty wide range of how long they opt to retain
data and for what purposes. Again, under the construct that's
their choice. We'll have to work our way through this.
One of the things I have always promised in the discussion
that led as part of the legislation was, once we get into this
new structure, what I promise will be honest and direct
feedback on how this is working. Is it effective, is it not
effective? What kind of time duration is it taking us? What
have been the operational impacts? I have promised I will bring
that back once we get some actual experience.
Senator Collins. We appreciate that.
Let me turn to a different issue and that is the protection
of our critical infrastructure from cyber threats and cyber
intrusions, which is an issue that's long been of huge concern
to me. The Department of Homeland Security has identified more
than 60 entities in our critical infrastructure where damage
caused by a single cyber incident could reasonably result in
$50 billion in economic damages or 2,500 immediate deaths or a
severe degradation of our national defense.
Your testimony, your written testimony, talks a little bit
about this issue. Your predecessor, General Alexander,
previously has said that our Nation's preparedness when it
comes to protecting against a cyber attack against our critical
infrastructure is about a three on a scale of one to ten. Where
do you think that we are on that scale?
Admiral Rogers. It varies by sector, but on average I'd
probably say right now, again depending on the sector, we're
probably a five or a six. That's not where we need to be,
clearly.
Senator Collins. So there's still a severe problem in this
area that makes us very vulnerable as a Nation?
Admiral Rogers. Yes, ma'am.
Senator Collins. Thank you.
Chairman Burr. Senator King.
Senator King. Admiral Rogers, greetings.
Would a shutdown of the Federal Government next week
compromise national security?
Admiral Rogers. Yes. And if I could, just to go beyond
that. In the last five days or so, as we now are publicly
talking about this possibility, watching the reaction of the
workforce at NSA and U.S. Cyber Command, who are going
``Again?,'' who could easily get jobs on the outside and earn
significantly more amounts of money, this instability, this
message to the workforce that--this is probably a pejorative,
but--you are a secondary consideration in a much larger game,
if you will, that drives----
Senator King. No, no. It's a smaller game, Admiral.
Admiral Rogers. Smaller game. It just drives the workforce,
to the point where today I literally was talking to the
leadership about, we need to sit down and figure out how we're
going to keep these men and women. If their attitude
increases----
Senator King. Keeping these talented men and women is hard
enough to begin with because of higher salaries outside.
There's a survey I commend to your attention, I'll submit for
the record, done late last year of national security
professionals across the government. One of the fascinating
results is that U.S. political dysfunction they ranked as a
higher threat to national security than a nuclear-armed Iran,
Vladimir Putin, China's military buildup, or North Korea. The
only thing above political dysfunction was Islamic extremism.
So that is shocking.
[The material referred to follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Senator King. Let me move on. Political dysfunction being a
national security threat: Pogo: ``We have met the enemy and he
is us.''
A couple of other questions. Deterrence. You've talked
about it briefly. I want to emphasize--you testified that you
were in communication with the White House and the President on
this issue. I think this has got to be a high priority.
Deterrence doesn't work unless people know about it, and it's
got to be a strategy because right now we are in a fight. The
cyber war has started and we are in the cyber war with our
hands tied behind our backs. We would never build a destroyer
without guns.
We've talked about this before. I think--I hope you will
carry this message back, because we've got to fashion a theory
of deterrence. Otherwise, we are going to lose. You cannot
defend, defend, defend, defend and never punch back. And if
your opponent knows you're not going to punch back, it's just
not going to go anywhere.
If you can find a question in there, you're welcome to it.
But I think you understand.
Admiral Rogers. Yes, sir.
Senator King. I hope you will take that message back.
You're a very strong advocate and you're the right guy to take
that message.
Another question that's been touched upon is the idea of a
cyber-nonproliferation treaty. I find that a fascinating
concept and I wish you would expand a bit on that, that we can
establish some rules of the road in this field for our mutual
protection of the various countries that are cyber capable.
Admiral Rogers. I certainly think we can get to the idea of
norms. Formal treaty, I don't know, because one of the
challenges in my mind is how do we build a construct that
ultimately works for both nation-states and non-state actors.
One of the challenges inherent in cyber is the fact that you
are dealing--unlike the nuclear world where you're dealing with
a handful of actors, all nation-states, you're dealing with a
much greater number of actors, many of whom, quite frankly, are
not nation-states and have no interest in sustaining the status
quo, so to speak. In fact, if you look at ISIL and other
groups, their vision would be to tear the status quo down.
They're not interested in stability.
Senator King. I just think that this is a promising area
with other nation-states. Obviously, it's not going to be the
whole solution, but if there are states like Russia or China
that are willing to have this discussion I think it's a
profitable discussion.
Admiral Rogers. Right.
Senator King. Along with the idea of deterrence, because we
are asymmetrically vulnerable in this war. We're the most wired
country on Earth and that makes us the most vulnerable country
on Earth.
Well, I appreciate your testimony and the work that you're
doing. Oh, you testified a few minutes ago that you had a
variety of reactions from the telecoms about retention levels.
You said they were short to long. What's the shortest that
you've been informed of?
Admiral Rogers. I want to say it's something on the order
of 12 to 18 months.
Senator King. Okay, so that's on the short end. I hope you
will let this Committee know if it goes below that level,
because at that point it becomes very problematic as to whether
or not the data being retained will be of usefulness in a
national emergency.
Admiral Rogers. I will.
Senator King. Thank you, Admiral.
Thank you, Mr. Chairman.
Chairman Burr. Senator Lankford.
Senator Lankford. Admiral, thanks for being here. Thanks
for your leadership in your work. We've had multiple
conversations and I appreciate what you bring to this. Answer
this for me: What else can NSA do to help other agencies deal
with cyber deficiencies? We've had some extremely public cyber
deficiencies of the Federal Government of late. What assets can
NSA bring to bear to be able to help on this? I think you end
up coming in to clean up the mess as much as you end up trying
to help defend. How do we get proactive on this?
Admiral Rogers. What I'd like to do--and again, we'll be
part, NSA will be part of a broader team. What I'd like to do
is be proactive and get ahead of this problem set.
Senator Lankford. Currently the agencies have
responsibility to be able to take on and make sure that their
systems are all protected. There doesn't seem to be a lot of
accountability in the structure. There are people advising
agencies, but what can be done proactively?
Admiral Rogers. I'd be interested, for example, in could we
build a framework where someone from outside the organization
is doing an independent assessment, as an example. I can within
the DOD, largely under U.S. Cyber Command authority, but I also
do this with NSA. I can go into any dot-mil network anywhere in
our structure. I can assess it. I can test it. I can attempt to
penetrate it. I don't have to give notice to the network owner,
as an example. That really doesn't exist on that scale anywhere
else in the government.
I'd like to see what we can do to try to, again, get ahead
of the problem set, try to replicate some of the activities
we're seeing from opponents ahead of time before they do it,
and test our abilities.
Senator Lankford. Let me ask about auditing and how you do
that for your own people and processes. You mentioned, for
instance, on these 30 folks in the past every keystroke has
been monitored. How often do you do auditing and how do you
audit that? You have an incredible group of folks that serve
the Nation, but obviously the accountability of the network is
extremely important. We've had rogue folks in the past take
information.
Admiral Rogers. Auditing varies. As I've said, those 30
individuals, the call data record database, that's probably the
area we put more external monitoring and controls in than any
other part of our structure. On the other hand, in the
aftermath of the media leaks, we've sat back and asked
ourselves, so how could this have happened? What have we failed
to do as an organization and what do we need to do to ensure it
doesn't happen again?
We put a series of capabilities in place where we can
monitor behavior. We put a series of capabilities in place
where we look at personal behavior more, although I will tell
you this is another issue that often can provoke a strong reaction
from the workforce, who says: So let me understand this;
because of the actions of one individual, you are now
monitoring me; you're now watching my behavior in a way that
you didn't necessarily do before. Do I want to work in a place
like that?
We try to sit down with the workforce and walk through:
here's what we do and here's why we do it. But there's a reason
behind it, that each one of us as we voluntarily accept access
to the information that we're given, we hold ourselves to a
higher standard. We hold ourselves to a different level of
accountability. That's part of the quid pro quo here if you're
going to be an NSA professional, if you're going to be an NSA
employee. But it is not lost on our workforce at times.
Senator Lankford. Let's talk about the cyber war we're
dealing with internationally at this point. The biggest threats
that we have, are they state actors or non-state actors at this
point internationally?
Admiral Rogers. Let me answer it this way if I could. The
greatest amount of activity is still criminal-based, but when I
look at it from a national security perspective, I would argue at
the moment the nation-state represents the greater national
security challenge, if you will.
When I look at the future, there's three things--and I've
said this publicly before--that concern me the most when it
comes to cyber. Number one is something directed, destructive
activity directed against critical infrastructure. Number two
is manipulation, changes to data. At the moment, most of the
activity has been theft. What if someone gets in the system and
starts just manipulating, changing data, to the point where now
as an operator you no longer believe what you're seeing in your
system?
The third area that I think about in terms of concerns
about the future, really to go to your question, is what
happens when the non-state actor decides that the web now is a
weapon system, not just something to recruit people, not just
something to generate revenue, not just something to share
their ideology?
Senator Lankford. So the relationship between private
industry infrastructure, both state and local utilities, and
the Federal Government, where do you think we are on the
conversation level at this point?
Admiral Rogers. We're having the conversations, clearly.
DHS really is in the lead here. We're having the conversation.
It's a little uneven, some sectors more than others. But we're
all victims of the culture we're from. The culture that I'm
from as a uniformed individual is it isn't enough to talk; you
must physically get down to execution-level detail about how
you are going to make this work, how are we going to coordinate
this?
I don't want to get into a crisis and the first time I've
dealt with someone is when their network's penetrated. I'm
watching data stream out in the gigabit level, and I'm going:
so could you tell me about your basic structure? That's not the
time to have this dialogue.
Senator Lankford. Thank you.
Chairman Burr. Senator Hirono.
Senator Hirono. Thank you, Mr. Chairman.
Admiral, thank you for your service and for being here
today. You and Director Clapper testified before a House
committee that data manipulation and what you refer to as data
destruction is probably on the horizon and, while we can't do
very much about those kinds of behaviors on the part of non-state
actors, isn't it very incumbent on us to engage in
discussions and, as some of my colleagues have referred to it,
proceeding toward the goal of a cyber arms control agreement
with certain state actors who have that capability?
Admiral Rogers. I don't know if an arms control agreement
is the right answer.
Senator Hirono. Whatever it is, that we come to some kind
of understanding so that state actors do not engage in
manipulation and destruction of data. I think that would be
just totally----
Admiral Rogers. I would agree. We have been able
historically--as a sailor, I can remember at the height of the
Cold War we knew exactly how far we could push each other out
there. We've got to get to the same level of understanding in
this domain, and we are not there right now.
Senator Hirono. Do you know whether, with the President of
China's visit, whether the cyber issues will be discussed by
the two leaders?
Admiral Rogers. I think the National Security Adviser and
the President have been very public in saying they will raise
the full spectrum of issues, to include cyber, with their
Chinese counterparts.
Senator Hirono. I have a question relating to the OPM
breach. Our understanding is that 19 or 20 of 24 major agencies
have declared that cyber security is a significant deficiency
for their agencies, and you indicated that the NSA doesn't have
immediate responsibility to help these other agencies, but that
you would respond at the request of DHS. So has DHS made such a
request to NSA that you become engaged in helping these other
dot-gov agencies to become, well, cyber-safe?
Admiral Rogers. Not in terms of the day to day per se.
There hasn't been a major penetration in the Federal Government
in the last 18 months that NSA hasn't been called in to
respond. I think the challenge--and I know DHS shares this--is
we've got to move beyond the ``Cleanup on Aisle 9'' scenario,
to how to--and it goes to my response to Senator Lankford--how
do we get ahead of this problem and start talking to
organizations about, what are the steps you need to take now to
ensure they can't get in, not, well, they're already in, let me
walk you through how to get them out.
Senator Hirono. Are you engaged in that process now with
the 19 agencies?
Admiral Rogers. Not with every agency in the Federal
Government, no.
Senator Hirono. Why not?
Admiral Rogers. Again, under the current construct DHS has
overall responsibility for the dot-gov domain. For me, I have
to be asked.
Senator Hirono. Well, that was my question.
Admiral Rogers. Not just unilaterally.
Senator Hirono. So it's on an agency by agency basis that
DHS asks you? And if they were to ask you to deal with all of
the dot-gov agencies, would you have the resources to help?
Admiral Rogers. My first comment would be, we've got to
prioritize, because I'm expended to defend all of the dot-mil,
and now if there's an expectation that same capacity is also
going to work on the dot-gov, my first comment would be we have
got to prioritize. What's the most essential things we need to
protect?
Senator Hirono. As in all things, we have to prioritize. But
I think that it would behoove DHS--well, it would help if they
would make such a request, and then you can engage in
prioritizing.
Speaking of resources, I want to thank you for your frank
assessment of what would happen if there is a government
shutdown. You also indicated in your testimony that recruiting
and retaining people is going to be an ongoing challenge for
our country to stay ahead in the cyber arena.
I did have the opportunity to visit our very large NSA
facility in Hawaii and I thank all the people there for the
work that they're doing. But can you talk a little bit about
what you're doing, how aggressively you're going after getting
the appropriate people to sign on to work for NSA?
Admiral Rogers. So, knock on wood, both our retention of
our STEM, or high technical workforce, continues to be good, as
has our ability to recruit. We have more people trying to get
in with the right skills than we, quite frankly, have space for
right now.
I am always mindful, though, of what are the advance
indicators that would suggest that's changing, that we're going
to lose more than we can bring in. I would tell you, the
workforce at NSA and U.S. Cyber Command still will talk to me
about the shutdown in 2013, as an example: hey--I get this
every time, literally, when I talk to our workforce around the
world: sir, is this going to happen again? Am I going to be
told I can't come to work, I may not be paid, or I'm going to
be put on furlough again, as we did in 2013? And the situation
that we're facing now and what the workforce is reading in the
media right now is not helpful.
Senator Hirono. I agree. Thank you.
Chairman Burr. Senator Cotton.
Senator Cotton. Thank you.
Admiral Rogers, nice to see you in an open setting for
once. I've enjoyed our many classified briefings, my visit to
your headquarters, and my visits with your many personnel all
around the world. On behalf of the three million Arkansans I
represent, I want to thank not just you, but more importantly
the thousands of men and women you represent. They are
patriots, they are professionals, and they're responsible for
saving thousands of American lives.
In 2014 North Korea state-sponsored hackers launched a
cyber attack against Sony Pictures. Sony responded by quickly
calling the FBI and asking for help. My understanding is that
Sony chose this course of action largely due to the FBI's
expertise in this area, specifically cyber forensic and
defense, their belief that a crime had been committed, and
because of the strong relationship that they had developed with
the FBI. Do you believe Sony did the right thing by calling the
FBI?
Admiral Rogers. I'm not in a position to tell you why they
did it. I'm glad they reached out, because then very quickly
the FBI reached out to NSA and we ended up partnering. Again,
never thought I would be dealing with a motion picture company
about cyber security. But I was grateful for their willingness
to be very upfront and very honest: we have received a major
penetration with a massive theft of intellectual property and
we need help from the government.
Senator Cotton. In the same way that we would encourage a
bank that's been held up or a brick and mortar company that's
been physically attacked to contact the FBI, you believe that
we should encourage these private sector actors to contact the
FBI?
Admiral Rogers. I think the FBI needs to be a part of this.
Now, whether it should be DHS, the FBI--part of the things I
believe we need to do is we have got to simplify things for the
private sector. When I talk to companies around the United
States and I'm often approached, hey, can't you do more
directly for us, and I'm going, no, I cannot under the current
construct, I'm struck by them telling me: you guys have got to
make this easier; I can't figure out if I'm supposed to go to
the FBI, DHS, do we go to you? Because, for example, I'm in the
financial sector, should I go to Treasury?
I think collectively in the government, in the Federal
Government, we've got to do a better job of simplifying this so
potentially it's one access point and then everything at
machine-to-machine speed, to ensure as well accountability and
privacy, but the data quickly is disseminated across all of us,
because there are so many organizations that to be effective
you have to bring to bear in a very orchestrated, very
structured way. It can't be like kids with a soccer ball: hey,
everybody just runs.
Senator Cotton. The NSA is in charge of information
assurance operations for the Federal Government, meaning that
the NSA is in charge of assuring our national security systems.
Am I correct that NSA from time to time will also help Federal
agencies protect their unclassified systems?
Admiral Rogers. Yes, when they request assistance.
Senator Cotton. I realize this is before your time, but to
your knowledge did the State Department ever ask the NSA about
the wisdom of setting up a private server so Secretary Clinton
could conduct official State Department business?
Admiral Rogers. I'm not aware of whether they did or they
didn't, sir.
Senator Cotton. What would be your response if the current
Secretary of State or another Cabinet member came to you and
said: Admiral Rogers, I'd like to set up a private, non-governmental
server and use that to conduct official business?
Admiral Rogers. You really want to drag me into this one,
sir?
Senator Cotton. I'd simply like your professional opinion.
Admiral Rogers. My comment would be: you need to ensure
you're complying with the applicable regulations and structures
for your Department. I'll be the first to admit I'm not smart
about what the rules and regulations are for every element
across the Federal Government.
Senator Cotton. Are the communications of the seniormost
advisers to the President of the United States, even those that
may be unclassified, a top priority for foreign intelligence
services in your opinion?
Admiral Rogers. Yes.
Senator Cotton. If an NSA employee came to you and said,
hey, boss, we have reason to believe that Russian Foreign
Minister Sergei Lavrov or Iranian Foreign Minister Javad Zarif
is conducting official business on a private server, how would
you respond?
Admiral Rogers. From a foreign intelligence perspective,
that represents opportunity.
Senator Cotton. Are you aware of any NSA officials who
emailed Secretary Clinton at her private account?
Admiral Rogers. No, I have no knowledge. I apologize.
Senator Cotton. Are you aware of any NSA officials who were
aware that Secretary Clinton had a private email account and
server?
Admiral Rogers. Now you're talking about something before
my time, Senator. I apologize; I just don't know the answer.
Senator Cotton. Could I ask you to check your records and
respond back to us in writing, please?
Admiral Rogers. Yes, sir. I'll take the question for the
record.
Senator Cotton. Thank you.
Chairman Burr. Vice Chairman.
Vice Chairman Feinstein. I don't see the relevance of that
to this Committee. However, that's just my opinion.
I do have a question. Admiral, you indicated in a private
session that you were taking a look at reorganization. I know
that isn't completed yet; it's still under way. What can you
share with the public about the reasons for it and what you
believe it might bring about?
Admiral Rogers. I've been the Director at NSA now for
approximately 18 months and I spent the first portion of those
18 months really focused on the aftermath of media leaks,
trying to make sure that we are structured as an organization
to deal with that challenge and to make sure that we were in a
position to be able to tell our oversight as well as the
citizens of the Nation: we are fully compliant with the law and
regulation and we're in a place where you should be comfortable
that we're able to execute our missions, at the same time
ensuring the protection of the data that we access, as well as
the broad privacy of U.S. citizens.
I then posed the following question to our workforce: ``If
we stay exactly the way we are, if we change nothing, in five
to ten years are we going to be able to say that we are the
world's preeminent SIGINT and information assurance
organization?''
I said, ``I'm asking you this question because my concern
is if we make no changes, I don't think we're going to be able
to say that, and I believe that part of my responsibility as a
leader is whenever I turn the organizations over I want to be
able to tell whoever relieves me: you should feel good that
we've structured this so that you're ready to do what you need
to do.''
As a result of that, I posed a series of questions to the
workforce, from how do we build the workforce of the future, to
what should our organizational structure look like, to how do
we need to optimize ourselves for cyber, because my argument
was cyber in the next 15 years will be like counterterrorism
has been for the last 15 years; it will be a foundational
mission set that drives us as an organization, and it will
require us to do things on a scale we've never done before and
to do it more broadly. And to do that, particularly in a
declining resource environment, we have got to be more
efficient to be effective, guys.
As a result of that, the other point I made to the team was
that I don't want this decided by senior leadership at Fort
Meade. We're a global enterprise composed of hard-working men
and women, and I want them to have a vote, so to speak, an
input into what should the organization of the future look
like? What do we need to structure ourselves so that in five to
ten years, given the changes that we see happening in the world
around us, we can say NSA remains the preeminent signals
intelligence and information assurance organization in the
world?
As a result of that, we spent about six months. The
organization, the workforce, has teed up a set of
recommendations to me. They probably number in excess of 200.
They cover from very minor things to very broad things.
There's three final areas that I said I want you to spend
more time on. The first was the military part of the workforce.
I tried to remind everybody, as I said in my opening statement
to you, we are an enterprise composed of civilian employees,
military men and women, active and reserve, officer and
enlisted, as well as contractors, and we have to optimize every
single part of this enterprise to get where we need to be.
The second issue I said was, I want you to think a little
more broadly about cyber, because I don't think we're being
far-reaching enough in the recommendations you've given me.
The last one was organizational structure. I said, if you
look at--if you were building NSA from the ground up today, is
this the structure you would have created? I said, our
structure reflects a series of changes and choices that have
literally been made over the last 20 years. The last major
organizational change at NSA on a wide swath was 1999, 1998,
coming up on 20 years ago now, and the world has really
changed, and our missions have evolved, and I just want to make
sure we're optimized to meet the future.
So I'll receive the final input back on those three by the
1st of October. In fact, I think I'm going to actually review a
draft this weekend, to be honest. I'm told they think they have
some initial work for me to look at this weekend.
As I had indicated previously, once we sit down and we
decide what we think we ought to do, it's my intention to come
back to the Committee in its role as oversight to say: this is
what's been recommended, this is what I intend to do, here's
why I intend to do it, this is what I think it will generate in
terms of value.
Vice Chairman Feinstein. Thank you. Thank you. I think NSA
is in good hands. Thank you very much.
Chairman Burr. Admiral Rogers, I seldom get the opportunity
to highlight North Carolina's high tech successes, especially
given the fact that my Vice Chairman represents Silicon Valley.
I keep reminding her, I have the Research Triangle Park. But
I'd like to note that, while there are 99 days left in the
NSA's LTS Net Codebreaker Challenge, that North Carolina State
University is currently ranked number one out of 182 entries.
Vice Chairman Feinstein. Is that good?
[Laughter.]
Chairman Burr. It depends on whether the Admiral thinks
it's important to please the Chairman.
[Laughter.]
It is good. But I think it highlights again something that
Dianne and I both know, that that's the fertile ground that you
go to recruit. It's where we develop the next talent that not
only works at Research Triangle Park or Silicon Valley, but it
works at the NSA, and it really is the backbone of our
intelligence organizations.
Admiral, your mission continues to change, in large measure
because of the technology explosion. It's an explosion like
we've never seen before, really. It'll only speed up; it will
not slow down. And your mission will be impacted by that
innovation.
I want to say as we conclude, the Committee is here to be a
partner. We're anxious to hear your reorganization plans
because that reorganization I think gives you the flexibility
to move to wherever the challenge forces the NSA to go.
I speak on behalf of the Vice Chairman and myself when I
ask you to please go back to the 40,000-plus NSA employees and
on behalf of the Committee thank them for the work that they
do, work that many times the American people don't understand
the value of, but sleep safely at night because of that work.
This hearing is adjourned.
[Whereupon, at 12:24 p.m., the hearing was adjourned.]