Hearings

Hearing Type: Open
Date & Time: Thursday, March 30, 2017 - 2:00pm
Location: Dirksen 106

Witnesses
General (Ret.) Keith Alexander, Chief Executive Officer and President, IronNet Cybersecurity

Full Transcript
[Senate Hearing 115-40, Part 2]
[From the U.S. Government Publishing Office]

S. Hrg. 115-40, Pt. 2

DISINFORMATION: A PRIMER IN RUSSIAN ACTIVE MEASURES AND INFLUENCE CAMPAIGNS
PANEL II

=======================================================================

HEARING BEFORE THE SELECT COMMITTEE ON INTELLIGENCE OF THE UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION

THURSDAY, MARCH 30, 2017

Printed for the use of the Select Committee on Intelligence

Available via the World Wide Web: http://www.fdsys.gov

U.S. GOVERNMENT PUBLISHING OFFICE
25-998 PDF
WASHINGTON : 2017

SELECT COMMITTEE ON INTELLIGENCE
[Established by S. Res. 400, 94th Cong., 2d Sess.]

RICHARD BURR, North Carolina, Chairman
MARK R. WARNER, Virginia, Vice Chairman
JAMES E. RISCH, Idaho
DIANNE FEINSTEIN, California
MARCO RUBIO, Florida
RON WYDEN, Oregon
SUSAN COLLINS, Maine
MARTIN HEINRICH, New Mexico
ROY BLUNT, Missouri
ANGUS KING, Maine
JAMES LANKFORD, Oklahoma
JOE MANCHIN, West Virginia
TOM COTTON, Arkansas
KAMALA HARRIS, California
JOHN CORNYN, Texas
MITCH McCONNELL, Kentucky, Ex Officio
CHUCK SCHUMER, New York, Ex Officio
JOHN McCAIN, Arizona, Ex Officio
JACK REED, Rhode Island, Ex Officio

Chris Joyner, Staff Director
Michael Casey, Minority Staff Director
Kelsey Stroud Bailey, Chief Clerk

CONTENTS
MARCH 30, 2017

OPENING STATEMENTS
Burr, Hon. Richard, Chairman, a U.S. Senator from North Carolina
Warner, Hon. Mark R., Vice Chairman, a U.S. Senator from Virginia

WITNESSES
Mandia, Kevin, Chief Executive Officer, FireEye, Inc.
    Prepared statement
Alexander, General (Ret.) Keith B., President and Chief Executive Officer, IronNet Cybersecurity
    Prepared statement
Rid, Thomas, Ph.D., Professor of Security Studies, King's College, London
    Prepared statement

SUPPLEMENTAL MATERIAL
Prepared statement of Senator Burr

DISINFORMATION: A PRIMER IN RUSSIAN ACTIVE MEASURES AND INFLUENCE CAMPAIGNS
PANEL II

THURSDAY, MARCH 30, 2017

U.S. Senate,
Select Committee on Intelligence,
Washington, DC.

The Committee met, pursuant to notice, at 2:05 p.m. in Room SD-106, Dirksen Senate Office Building, Hon. Richard Burr (Chairman of the Committee) presiding.

Committee Members Present: Senators Burr, Warner, Risch, Rubio, Blunt, Lankford, Cotton, Cornyn, Feinstein, Wyden, Heinrich, King, Manchin, Harris, and Reed.

OPENING STATEMENT OF HON. RICHARD BURR, CHAIRMAN, A U.S. SENATOR FROM NORTH CAROLINA

Chairman Burr. I'd like to call this hearing to order. This morning the committee examined the history and characteristics of the Russian active measures campaign as it led up to this, our second panel, which will examine the role cyber operations play in support of these activities.

I'd like to welcome our witnesses: Mr. Kevin Mandia, Chief Executive Officer of FireEye, a global cyber security company. Prior to founding the cyber security company Mandiant, which was acquired by FireEye in 2013, Mr. Mandia served in the United States Air Force as a computer security officer and later as a special agent in the Air Force Office of Special Investigations, where he worked as a cyber crime investigator. Mr. Mandia, I thank you for being here today and, more importantly, thank you for your service.
General Keith Alexander is the CEO and President of IronNet Cybersecurity, another global cyber security firm on the forefront of our Nation's commercial efforts to mitigate cyber security threats. Prior to founding IronNet, General Alexander served for 40 years in our armed forces, culminating with his tenure as the Director of the National Security Agency from 2005 to 2014 and concurrent service as Director of U.S. Cyber Command from 2010 to 2014. General, thank you for being here today and, more importantly, for your service to the country.

Also, Dr. Thomas Rid is a Professor of Security Studies at King's College, London. He has studied and written extensively on cyber security issues. He has worked at Hebrew University in Jerusalem, Johns Hopkins School for Advanced International Studies, and the Rand Corporation. Dr. Rid, thank you as well for your expertise and we look forward to your testimony, as well as we do the other two witnesses.

I'd like to note for the public and for my fellow members that the level of cyber expertise in front of us is truly remarkable. These witnesses will be able to provide at an unclassified level some extremely useful texture and detail to the discussion that we began this morning, and I feel certain--and I say this to all three of you--that the committee in a closed setting might want to reach out to you as we begin to dig a little deeper, so that we can get your thoughts and tap into your expertise in a setting that might be able to explore a little further than the open setting of this hearing.

So once again I'll say to members that for this hearing we will be recognized by order of seniority for five-minute rounds. I would note for members that we are targeted to have a vote somewhere between 4:00 and 4:30. It would be my hope that we could wrap up prior to that vote and not hold our witnesses open, and that way we would conclude Senate business for the week with that vote.

Vice Chairman.

OPENING STATEMENT OF HON. MARK R. WARNER, VICE CHAIRMAN, A U.S. SENATOR FROM VIRGINIA

Vice Chairman Warner. Thank you, Mr. Chairman. I don't have any statement other than one to welcome all the witnesses and to point out that before Mr. Mandia's company was acquired by a California company he was based in Alexandria, Virginia, where he did great, great work. And we'd be happy to have you bring your company back, with all due deference to Senator Harris, back to Virginia.

Senator Harris. Stay in the sunshine.

Chairman Burr. With that, Kevin, I'm going to recognize you to start, and recognize there's a big difference between the tech company you ran and the tech company he claims that he ran.

[Laughter.]

STATEMENT OF KEVIN MANDIA, CHIEF EXECUTIVE OFFICER, FIREEYE, INC.

Mr. Mandia. Thank you. I'd like to start by thanking the Chairman, thanking the Vice Chairman, and the whole Senate Intelligence Committee for this opportunity to share some of the experiences and observables I've had in cyberspace over the last 22 years. What I'm going to speak about today is the cyber capabilities and techniques attributed to Russian hackers, specifically the threat group that we refer to as APT28. I want to talk also about recommendations to prevent or mitigate the impact of these efforts to compromise.

Before I answer your questions, I want to give you a little bit of my background or the background of our company so you understand the context of my narrative. As I sit here right now, we have hundreds of employees responding to computer security breaches. We think it's critical to own that moment of responding to a breach, collecting the trace evidence, and analyzing that evidence. So as I give you my narrative today, it's based on really three things. It's based on: one, what we are learning as we respond to hundreds of breaches a year. We're cataloguing that trace evidence and we're putting it into a linked database. Then we have over 150 threat analysts worldwide who speak 32 languages.
They're in 32 countries, and they're trying to marry up what we're seeing in cyberspace to what we're seeing in the geopolitical world out there today. Then the third source of my dialogue, the third source of evidence, is in fact we have 5,000-plus customers who are relying on our technology to protect them on a daily basis.

Let me first speak to the methodologies being used by APT Group 28. We attribute many intrusions to these folks. You might have heard about the Worldwide Antidoping Agency, the DNC breach, the DCC breach, the Ukrainian Central Election Commission, TV5Monde, and I can keep going on. I believe the Doctor will mention some more of these victims. But all the breaches that we attribute to APT28 in the last two years involved the theft of internal data as well as the leaking of this data by some other party, potentially APT28, potentially some other arm of the organization, into the public.

During the course of our APT28 investigations, we've had a significant amount of evidence. We've looked at 550 or more pieces of custom malware. A lot of people will think, well, what's that mean? We don't see this malware publicly available. It's not available to any of you to download and use tomorrow. It's being crafted by somebody in a building somewhere. It's being shared by people in a closed loop and it's not widespread or available to anybody.

We've identified over 500 domains or IP addresses used by this group when they attack. To put that in perspective, almost every modern nation that develops an operational capability in cyberspace, the first thing they need to do is get an infrastructure they use to then attack the real site of their attacks, the real intent, the real target. So there's a huge infrastructure of compromised machines or false fronts or organizations that are used for these attacks, and we found over 500 of those.

We've analyzed over 70 lure documents written in many different languages. These are the documents that you receive during a spear phishing and they're armed documents if you open up and peruse them. What's interesting is when you assess the lure documents they're related to the subjects and interests of the people who are receiving these documents. So a lot of work is going into the backdrop or the background of the people that are being spear phished.

I can go on and on. I've got 40, 50 more pages of what they do. But I'll focus on a couple things that also help us attribute APT28's activities to the Russian government. In 2015 alone, we saw APT28 leverage five zero-days, at least based on our observables. A zero-day is an attack that does not have a patch available for it. It will work if received and you execute the file. The best way to liken the value of a zero-day is, the minute it's used and it's been weaponized, its value goes down incredibly fast. So when you see these things, they're mostly in the--they're mostly in the toolbox of a nation-state at this point. Over the last ten years, the security industry has done a great job making the cost of zero-days go up and to the right, and we're seeing APT28 deploy zero-days as needed.

They're also extremely hard to detect once they're in your network, because they rely on the tools your system administrators rely on. So they're pretty--I always say they turn to ghosts almost. The minute they're in, your likelihood of detecting them if you don't detect the initial breach goes down exponentially. So they have zero-day capability. They operate using your tools and they operate very hard to detect.

I want to share with you three observations that I saw emerge in 2014 that I did not see prior to responding to these state actors. I had the privilege of responding to them when I was in the Air Force, probably a different group, but a group that we attributed to the Russian government. Every time I responded to them on the front lines, if they knew we were watching them they would evaporate. We never got to observe the tools, tactics, and procedures of Russian state-sponsored intrusions in the late 1990s and early 2000s. They didn't let us do it. For some reason, in August of 2014 we were responding to a breach at a government organization and during our response our front-line responder said: They know we're there, they know we're observing them, and they're still doing their activities. So I actually flew in, sat on the front lines. It's the first I have seen it. To me that was big news because I had a 20-year run from 1993 to about 2014 where they never changed the rules of engagement. I'd say they changed in August or September 2014.

The second thing they did, they started operating at a scale and scope where you could easily detect them. We were observing and orienting on them. They were letting us do it, but their scale and scope became widely known to many security organizations, and we all started working together to get better visibility and fidelity into their tools, tactics, and procedures.

Lastly, something that I wouldn't have predicted, but we also witnessed for the first time in 2014, is a group that we'd attribute to the Russian government compromising organizations and then suddenly the documents were being leaked out in a public forum through hacktivist personas, which we have not seen.

In conclusion, today and into the foreseeable future it is our view that the United States is going to continue to see these things happen. While many organizations are actively trying to counter these attacks, there is such an asymmetry between offense and defense in cyberspace that it's really hard for any organization to modernize and prevent these intrusions from occurring when you have a state-sponsored attacker. Therefore, we need to explore ways both within and outside of the cyber domain to help deter these attacks.
Lastly, I always say if I had five minutes to talk to the Senate, what would I say? Well, here it is. I think we have to first start with we've got to get attribution right. We've got to know who's hacking us so we can establish a deterrent, and this gives us a great opportunity to make sure we have the tools necessary and the international cooperation necessary to have attribution. When you have attribution right, then you can consider the proportional response and the other tools at your disposal as diplomats to make sure we have the deterrence we need.

Thank you very much for this opportunity.

[The prepared statement of Mr. Mandia follows:]

Chairman Burr. Thank you. General, welcome.

STATEMENT OF GENERAL (Ret.) KEITH B. ALEXANDER, PRESIDENT AND CHIEF EXECUTIVE OFFICER, IRONNET CYBERSECURITY

General Alexander. Chairman, Ranking Member, distinguished members of the committee: It's an honor to be here, I think. I want to pick up from where Kevin left off. I want to raise it up a strategic level. I had the opportunity this morning to see on the news you and the Ranking Member talk about approaching this in a bipartisan way, approaching the solution in a bipartisan way. When you look at the problem and what we're facing, it's not a Republican problem, it's not a Democratic problem. This is an American problem and we all have to come together to solve it. I think that's very important.

If we step back and look at this, I want to cover several key areas to give my perspective on what's going on. First with respect to technology, communications is doubling every year. We're getting more devices attached to the network. This network is growing like crazy, and so are the vulnerabilities. Our wealth, our future, our country is stored in these devices. We've got to figure out how to secure them.

With those vulnerabilities, we've seen since 2007 attacks on countries like Estonia, Georgia, Ukraine, Saudi Arabia--a whole series of attacks, and then Crimea and others, and then the attacks on the power grid in the Ukraine. What's clear is this network and these tools have gone from interesting exploitation for governments and crime to elements of national power.

I think from my perspective, when we consider that this is now an element of national power, we have to step back and say: What's their objective? Sun-Tzu said: ``Know yourself and know your enemy and you'll be successful in a thousand campaigns.'' What's Russia trying to do and why are they trying to do it? From my perspective as I look at it from my background, it's clear it's not just trying to go after the Democratic National Convention or others. This is widespread and a campaign that they're looking at doing that will drive wedges between our own political parties and between our country and NATO and within NATO and within the European Union. Why? I believe when you look at Russia and if you were to play out on a map what's happened over the last 25 or 30 years, they see the fall of the Soviet Union and the impacts on their near border and all these as impacts on them.

I bring all this up because one of the questions that's out in the press is: Do we engage the Russians or do we not? Every administration that I'm familiar with, including the Obama administration, started out with: We're going to engage them. In fact it was called ``the reset button.'' While that didn't go far, I believe this Administration should do the same. When I look at what's going on here, there's another opportunity that we have. When you look at the characteristics of leaders in this Administration, we have people with great business experience--the President and the Secretary of State--and great national security experience. In addressing the problem that we're now dealing with, this is a new area.
We're seeing cyber as an element of national power. How do we now engage Russia and other countries and set the right framework? I believe we have to engage and confront: engage them in those areas that we can, set up the right path, reach out, and cool this down, I really do. We've got to fix that. At the same time, we've got to let them know what things they can't do and why they cannot do those--set those standards. I think what this group can do and what you are doing, Chairman and Vice Chairman, is make this a bipartisan approach: solve this for the good of the Nation.

We look at cyber security and what Kevin gave you in terms of what industry sees and what government sees. Over the last decade, we have jointly worked on coming up with cyber legislation, how industry and government works together. If we're going to address attribution and other issues, we also have to set up the way for our industry and sectors to work with the government so that that attribution of things that the government knows and those things that industry knows can be used for the common good.

It's interesting that sitting in the presidential commission, one of the things that came out when we looked at what's going on was, what's our strategy? At times people looked at this as it's a government issue and it's an industry issue. It's not. This is something that we need to look at as a common issue. ``For the common defense,'' it's in the preamble to the Constitution and it's something that we should all look at. Then we should see, how do we extend that to our allies?

So I would step back and encourage, encourage you to step back and look at the strategy: What's Russia trying to do and why are they trying to do it, and how do we engage them? At the same time, we need to address our cyber security issues and go fix those and get on with that.

Thank you very much, Mr. Chairman.

[The prepared statement of General Alexander follows:]

Chairman Burr. Thank you, General. Mr. Rid.

STATEMENT OF THOMAS RID, Ph.D., PROFESSOR OF SECURITY STUDIES, KING'S COLLEGE, LONDON

Dr. Rid. Chairman Burr, Vice Chairman Warner, members of the committee: Thank you for giving me the opportunity to speak today about active measures.

Understanding cyber operations in the 21st century is impossible without first understanding intelligence operations in the 20th century. Attributing and countering disinformation today is therefore also impossible without first understanding how the United States and its allies attributed and countered hundreds of active measures throughout the Cold War.

Nobody summarized this dark art of disinformation better than Colonel Rolf Wagenbreth from the Stasi, who headed the Department X there. He said, and I quote: ``A powerful adversary can only be defeated through a sophisticated, methodical, careful, and shrewd effort to exploit even the smallest cracks within our enemies and within their elites.'' The tried and tested way of active measures is to use an adversary's existing weaknesses against himself, to drive wedges into preexisting cracks. The more polarized a society, the more vulnerable it is; and America in 2016, of course, was highly polarized, with lots of cracks to drive wedges into. But not all wedges; improved high-tech wedges that allowed the Kremlin's operatives to attack their target faster, more reactively, and at a far larger scale than ever before. But the Russian operatives also left behind more clues and more traces than ever before, and assessing these clues and operations requires context.

First, in the past 60 years--and we talked about this already this morning--active measures became the norm. The Cold War likely saw more than 10,000 active measures across the world. This is a remarkable figure. The lull in the 1990s and the 2000s I think was an exception.
Second, in the past 20 years aggressive Russian digital espionage campaigns--Kevin Mandia mentioned one of them--became the norm as well. The first major state-on-state campaign was called Moonlight Maze, and it started in 1996. In 2000 a shift in tactics became apparent, especially in Moscow's military intelligence agency, GRU. A once careful, risk-averse, and shrewd and stealthy espionage actor became more careless, risk-taking, and error-prone. One particularly revealing slip-up resulted in a highly granular view of just one slice of GRU targeting between March 2015 and May 2016 in the lead-up to the election. That slice contained more than 19,000 malicious links targeting nearly 7,000 individuals across the world, really.

Third, in the past two years now, coming closer to the present, Russian intelligence operations began to combine those two things, hacking and leaking. By early 2015, military intelligence was targeting defense and diplomatic entities at high tempo. Among the targets were the private accounts, for example, of the current Chairman of the Joint Chiefs of Staff, General Dunford, or current Assistant Secretary of the Air Force Daniel Ginsberg, or the current U.S. Ambassador to Russia John Tefft, and his predecessor Michael McFaul; a large number of diplomatic and military officials in Ukraine, Georgia, Turkey, Saudi Arabia, Afghanistan, and many countries bordering Russia, especially their defense attachés. All, I add, are legitimate and predictable targets for a military intelligence agency. Russia intelligence, curiously, also targeted inside Russia, critics inside Russia, for example, the hacker group Shaltay Boltai. In early 2015, GRU breached successfully not just the German Parliament, but also the Italian military and the Saudi foreign ministry. Between June 15 and November 16, at least six different front organizations appeared, very much Cold War style, to spread some of the stolen information to the public in a targeted way.

Finally, in the past year the timeline here in the U.S. election campaign began to align. Between March 10th and April 7, GRU targeted at least 109 full-time Clinton campaign staffers. These are only full-time core staffers, not their volunteers. These are not even counted here. Russian intelligence targeted Clinton's senior advisor Jake Sullivan in at least 14 different attempts beginning on 19 March. GRU targeted even Secretary Clinton's personal email account, but the data show that she did not fall for the trick and didn't actually reveal her password. Military intelligence agency GRU also targeted DNC staffers between March 15 and April 11; the timing lines up nearly perfectly. About one week later, after the events that I just mentioned, the DCLeaks website was registered, getting ready to spread these data publicly. The overlap between individuals hacked by GRU and leaked on DCLeaks is nearly perfect. Out of 13 named leak victims, the available forensic evidence identifies 12 as targeted by GRU, with the exception of George Soros, by the way.

But a narrow technical analysis would miss the main political and ethical challenge. Soviet bloc disinformation specialists preferred the art of exploiting what was then called ``unwitting agents.'' There is no contradiction in their reading between being an honest American patriot and at the same time furthering the cause of Russia. In the peace movement in the 1980s we saw that people were genuinely protesting, say, the NATO double track decision, but at the same time advancing Russian goals. There is no contradiction. Three types of unwitting agents--and I would like to close with that--stand out: WikiLeaks; Twitter, the company itself, and I'm happy to expand later; and over-eager journalists aggressively covering the political leaks while neglecting or ignoring their provenance.

In 1965 the KGB's grandmaster of dezinformatsiya, General Ivan Agayants, inspected his active measures outpost in Prague, a particularly effective and aggressive one, and he said, quote: ``Sometimes I am amazed how easy it is to play these games. If they did not have press freedom, we would have to invent it for them.'' Later the Czech operative that he was speaking with in that very moment defected to the United States and testified in Congress, and I quote him to close. He said: ``The press should be more cautious with anonymous leaks. Anonymity is a signal indicating that the Big Russian Bear might be involved.''

Thank you.

[The prepared statement of Dr. Rid follows:]

Chairman Burr. I want to thank all three of you for your testimony. I think it's safe to say that this is probably a foundational hearing for our investigation, to have three people with the knowledge that you do. I hope when you do get that second call or third call that you'll sit down with us as we have peeled back the onion a little bit and we have technical questions. But we've got some technical expertise on the committee. You can look at a lot of gray hair and realize that my technology capabilities are very shallow and that many of us struggle to understand not just what they can do, but even the lingo that's used, the dark side of the web, the open side of the web. These things are amazing and would be shocking to most people.

I'm going to turn to the Vice Chairman for his questions.

Vice Chairman Warner. Thank you, Mr. Chairman. Let me echo what you said. I think we've got an incredible panel of experts, and you're here because of that expertise. I've got three questions that I'd like to try to get through, the first one hopefully fairly quickly.
Based upon your expertise and knowledge, do you have, any of you, have any doubt that it was Russia and Russian agents that perpetrated during the 2016 presidential campaign the hacks of the DNC and the Podesta emails and the misinformation and disinformation campaign that took place during the election? A short answer will do. Do any of you have any doubt that it was Russia?

Mr. Mandia. I think basically, from the observables we get at the victim sites you can't always connect the dots. We can't show you a picture of a building. We can't give you a list of names of people who did it. We have to look at a lot of other factors, some of which is incredible amounts of detail. But we've got ten years of observation here. We've seen similar behaviors in the past. My best answer is it absolutely stretches credulity to think they were not involved.

Vice Chairman Warner. General Alexander.

General Alexander. I believe they were involved.

Vice Chairman Warner. Dr. Rid.

Dr. Rid. I believe they were involved as well.

Vice Chairman Warner. Thank you. It has been reported that some of the techniques--and I say to my good friend Richard Burr, I used to be technologically savvy up until about year 2000, 2001, which still puts me a decade ahead of some of my colleagues. But it's been reported in the press and elsewhere that by using internet trolls and then the botnets and that exponential ability then to kind of flood the zone that in the misinformation and disinformation campaign they were, the Russians, were able to flood the zone, actually not in a broad-based, across the whole country, but literally target it down to precinct levels in certain states. Is that capable to do, if you could have the botnet network that would in effect put out misinformation or disinformation and then all of the other accessory sites that would then gang up on that and target that down to a geographic location?

General Alexander. I think it's technically possible. I don't know that you have--that I have enough information to say that was done at each one of those locations. But I think it's technically possible. If you put enough people on it, yes, you could do that.

Vice Chairman Warner. Dr. Rid or Mr. Mandia.

Dr. Rid. It's very technically possible. May I just make an important distinction here between a ``botnet,'' which is usually remotely controlling somebody's computing resources and machine, and ``bots,'' that is fake Twitter accounts that are automated.

Vice Chairman Warner. But they both have the effect. Somebody's campaign--somebody's computer that is accessed or fake Twitter accounts, bots, they still have the same effect of pushing a news story higher on a news feed, for example, a Twitter news feed or a Facebook news feed?

Dr. Rid. That is mostly done by bots within social media networks, that can be any social media network. Botnets are usually used for different purposes.

Vice Chairman Warner. Kevin, do you want to?

Mr. Mandia. Yes. Peeling back the question, there's a couple things. I think you can always try to get public perception to go certain ways based on the results of Google searches and things like that, and you can automate ways to up-level people's attention to things, with all the social media. The good news is during the election a lot of states had the foresight to, let's do shields up and let's be very diligent, let's watch all the cyber traffic we can. And we didn't see any evidence, at least in the DDOS side or distributed denial of service attacks or attacks--we didn't see anything that harmed the actual election process.

Vice Chairman Warner. That was not the--but the question of targeting in. So here's the last question.
I've heard and it's been reported that part of the misinformation-disinformation campaign that was launched was launched in three key states-- Wisconsin, Michigan, and Pennsylvania--and it was launched, interestingly enough, not to reinforce Trump voters to go out, but actually targeted at potential Clinton voters with misinformation in the last week where they were not suddenly reading, if they got their news from Facebook or Twitter, Clinton and Trump back and forth, but stories about Clinton being sick and other things. I guess my final point here is--and this may be beyond anybody's expertise, but my understanding is the Russians, although very good at some of this technology piece, they might not have been so good at being able to target to a precinct level American political turnout; that that would mean they might be actually receiving some information or alliance from some American political expertise to be able to figure out where to focus these efforts. Dr. Rid. I haven't seen a detailed analysis of the precinct-level targeting that would be good enough to substantiate this assumption. But this relates to a more fundamental problem. One different, separate entire group of actors and some completely legitimate within the campaign were taking advantage of social media. So it's really difficult to distinguish for researchers after the fact what actually is a fake account and what is a real account. Ultimately, we need the cooperation of some of the social media companies to give us heuristics and visibility into the data that only they have. General Alexander. I would take it a step higher, that, Senator, I think what they were trying to do is to drive a wedge within the Democratic Party between the Clinton group and the Sanders group, and then within our Nation between Republicans and Democrats. I think what that does is it drives us further apart, that's in their best interest. And we see that elsewhere. 
I'm not sure I could zone it down to a specific precinct, but I think what we would expect is for them to create divisions within the whole framework and destroy our unity. And you can see, actually, if you look back over the last year, we didn't need a lot of help in some of those areas. So now the question is, and where I think you have the opportunity, is how do we build that back?

Chairman Burr. Let me say before I recognize Senator Rubio, I want to clarify what I said about Senator Warner's business. My reference meant that it was about 14 years ago, 15 years ago. And I think it was you, General Alexander, that came in front of the committee and said: In the future, people won't file technological patents because technology will change so quickly that you won't have a year and a half's time to go through the patent approval process before your technology is obsolete. I think we have reached that point of technological explosion, that what we're talking about today we could have a hearing six months from now and probably talk about something different.

Vice Chairman Warner. But I would say that the cell phones that I was involved with in the early 1980s have become a bit ubiquitous.

Chairman Burr. Well, we all wish we had flip phones again, I can tell you that.

[Laughter.]

Senator Rubio.

Senator Rubio. Thank you, Mr. Chairman, and to the Ranking Member. Before I get to my question, Mr. Chairman, in the first panel one of the individuals that appeared before us mentioned me in connection with efforts in the 2016 presidential primary. I am not prepared to comment on that and any information on that issue hopefully will be reflected in our report, if any. I do think it is appropriate, however, to divulge to the committee, since a lot of this has taken a partisan tone, not in the committee but in the broader perspective, the following facts.
In July of 2016, shortly after I announced that I would seek reelection to the United States Senate, former members of my presidential campaign team who had access to the internal information of my presidential campaign were targeted by IP addresses with an unknown location within Russia. That effort was unsuccessful. I'd also inform the committee that within the last 24 hours, at 10:45 a.m. yesterday, a second attempt was made, again against former members of my presidential campaign team who had access to our internal information, again targeted from an IP address from an unknown location in Russia. That effort was also unsuccessful.

My question to all the panelists: I have heard a lot on the radio and on television an advertisement for a firm in the United States actively marketed in Best Buy and other places by the name of Kaspersky Labs. There have been open source reports which I can cite that basically say that Kaspersky Labs has a long history connecting them with the KGB's successor, the Russian security services. I have a Bloomberg article here and others. I would ask the panelists: In your capacity as experts in information technology, would any of you ever put Kaspersky Labs on any device that you use, and do you think any of us here in this room should ever put Kaspersky Labs products on any of our devices or computers or IT material?

Mr. Mandia. I think the way I'd address that is, generally people's products are better based on where they're most located and what attacks they defend against. For example, you think about Symantec or McAfee or my company and other companies. We are prominently used in the U.S., so we get to see the best attacks from China and cyber espionage campaigns in Russia. In the Middle East, it's already in massive escalation mode and we're all prominent there. I think what we're starting to see is an alignment where Japan will let a U.S. company secure Japan, South Korea will let a U.S. company defend South Korea, the Middle East will let a U.S. company defend it, but you almost see lines being drawn. There's no doubt the efficacy of Kaspersky's products. They probably get to see different things than we see, being this relevant here.

Senator Rubio. My question was not about whether it's an effective tool. My question about it is whether you would ever put it on your computer.

Mr. Mandia. My answer indirectly would be there would be better software probably available to you than Kaspersky to defend you here.

General Alexander. I'll answer by, no, I wouldn't, and I wouldn't recommend that you do it either. There's better capabilities here that you can use, FireEye, for example, and I'm being credited now with that--no. There are other U.S. firms that answer and solve problems that will face you for the issues that you described earlier, Senator, that I think would be better at blocking them.

Dr. Rid. I would, yes. I would also use a competing product at the same time. Always a bit of redundancy never harms. But it's important to say that Kaspersky is not an arm of the Russian government if we look at the publicly available evidence. Kaspersky has published information about Russian cyber attack, cyber intrusion campaigns, digital espionage, about several different Russian campaigns. Name any American company that publishes information about American digital espionage?

Senator Rubio. My second question to the panel in the time that I have remaining is: My concern in our debate here is that we're so focused on the hacking and the emails that we've lost--and I think others have used this terminology--we've focused on the trees and have lost sight of the forest. The hacking is a tactic to gather information, for the broader goal of introducing information into the political environment, into the public discourse, to achieve an aim and a goal.
It is the combination of information leaked to the media, which of course is always very interested in salacious things, as is their right in a free society. The public wants to read about that, too, sometimes. But it's also part of this other effort of misinformation, fake news, and the like. Would you not advise this panel to look simply beyond the emails--that's an important part--to the broader effort in which the emails in the strategic placement of information in the press is one aspect of a much broader campaign?

General Alexander. Senator, that was part of my point about bringing this up to a strategic level and saying that what's Russia trying to accomplish with respect to NATO, the European Union, and the U.S., and driving a wedge between those and creating tensions between those countries and ours. If you were to go back and look at what's happened to Russia over the last 30 years and then play that forward and see what they're now doing, you can see a logic to their strategy. I think that's something that we now need to address. I do think we ought to address this with the Russians and get the Administration to do that. It's not something that we want to go to war on. It's something that we want to resolve by engagement and confrontation.

Dr. Rid. How are active measures today different from in the Cold War? This is in answer to your question. In the Cold War, active measures were really artisanal--very quiet, craftsmanship, a lot of hard work, forging letters, doing research. It was a real undertaking. Today they're not artisanal; they're outsourced, outsourced in part to the victim, and especially to journalists, American journalists. They add the value to these active measures. This is important because if we look at the operations in hindsight they appear a lot more sophisticated than they actually were. So we run the risk of overestimating Russian capabilities here.

Chairman Burr. Senator Feinstein.

Senator Feinstein. Thank you very much, Mr. Chairman. Kevin Mandia, it's good to see you again. I want you to know how much your nation report was appreciated. You spoke before this committee and I think everybody very much appreciated it and I think it had some good results. So thank you very much. General Alexander, this is the first time I've seen you out of uniform. Civilian clothing is becoming. I'd like to personally welcome you. I don't know our third gentleman, but I want to address this to General Alexander.

You were Cyber Command for a number of years. You spoke about the fact that the time has come for us to get tough. We have talked about that before. We have WikiLeaks and stream after stream after stream of release of classified information, which has done substantial harm to this Nation. Yet we do nothing. And everybody says, well, we'd like to do something, but we don't quite know what it is. I never thought we would be in a situation where a country like Russia would use this kind of active measure in a presidential campaign. The size of this, the enormity of it, is just eclipsing everything else in my mind. Yet there is no response. As you have left now and you've put the Cyber Command on your desk, what would you do? What would you recommend to this government?

General Alexander. I think there are two broad objectives we ought to do. We ought to fix the defense between the public and private sector, between government and industry.

Senator Feinstein. You've said that.

General Alexander. We have to fix that, because much of what we're seeing is impacting the commercial--or the private sector. Yet the government can't really see that. So the government's not going to be able to help out and the ability to take actions to actively mitigate it therefore are nonexistent or after the fact. If you think about Sony as an example and imagine that as the attack coming in, the government couldn't see that at network speed and so the government came in and did incident response.
Everything could happen to Sony. What you really want the government to do is just stop a nation-state like North Korea or Russia from attacking us. But the government can't do that if it can't see it. So we have to put this together. We have to come up with a way of sharing threat intelligence information at network speed and practicing what our government and industry do together and work that with our allies. I believe we can do this and protect civil liberties and privacy. I think we often combine those two, but we can actually separate and show that you can do both.

Senator Feinstein. How?

General Alexander. Well, for first, the information that we're talking about here doesn't involve our personally identifiable information. Think of this as looking at airplane traffic over the country. When you see radars looking at those airplanes that are going by--think of those as pieces of information--they aren't reading everybody in the airplane. They're seeing an airplane and they're passing it on to another controller, who sees a comprehensive picture. What we see is what radar sees today. So we don't actually--we're not talking about reading threat information. We want to know what's that packet of information doing, why is it coming here, and can I or should I share the fact that a threat is coming to us.

Senator Feinstein. I understand what you're saying. But what I'm asking you for is different. It is your expertise based on this, based on the fact that the Russian government, including two intelligence services, made a major cyber attack on a presidential election in this country, with a view of influencing the outcome. What would you recommend?

General Alexander. The first step was fix the defense, because if you take offense and you don't have a defense then the second step of going after the power or other sectors puts us at greater risk.
So from a National Security Council perspective, what I would expect any administration to do is to look at the consequences of the actions that they take. So when I said engage and confront, in this regard what I would do, what I would recommend, is first and foremost a quiet engagement with the Russian government about what we know and why we know it, without giving away our secrets, and say, that's got to stop. We need an engagement here. If we're going to confront them, it would be: We know you're doing this right now; stop that. We had a channel in the Cold War for doing it. We need a channel to get that and build back the ability to stop things, from my perspective. I would be against using cyber only as a tool against Russia when we have these vulnerabilities we haven't addressed here in our own country. I think it would be a mistake until we fix that. So that's why I say we have to do both.

I actually--and it was interesting. We were talking beforehand, and Thomas can add to this. One of the things that as you look at this--I don't believe Russia understood the impact their decisions would have in this area. It's far exceeded it. With all the discussion going on in our country today, I am sure that people in Russia are saying: Oops, we overdid this. Now is the time for us to say: not only did you overdo it, we need to set a framework for how we're going to work in the future, and we need to set that now. That can only be done by engaging them face to face, and I think that's what has to be done.

Senator Feinstein. Thank you. Very helpful. Thank you, Mr. Chairman.

Chairman Burr. Senator Blunt.

Senator Blunt. Let's start with General Alexander. I asked a question this morning, which was, after all the discussion of the long history of Russian involvement in European elections, of things that have happened for a long time and really in a significant way in the last 15 years, why do you think that we were not better prepared for this?
General Alexander, you just said that we needed to have a defense. Why wouldn't we have had a defense? What was this about this particular thing that had been so anticipated that the intelligence community, the U.S. Government, even the media, appears not to have had the defense you just mentioned we should have now?

General Alexander. Senator, this has been a great discussion that you and the other House of Congress have talked about, and that's how do we put together our country's cyber legislation? Right now we do not have a way for industry and government to work together. So if you think about the DNC or the RNC or the electricity sector and others, when they're being attacked the ability for the government to see and do something on that doesn't exist. Everybody recognizes that we need to do it. We talk about it. In fact, we had at the Armed Services Committee a discussion on it. But we haven't taken the steps to bind that together. We allow it, but we haven't created it. I believe that's the most important thing that we could do on that one vector that Senator Feinstein brought up: fix the defense. The reason is the government's not tracking the RNC and the DNC. Now, industry sees it, and Kevin brought out some key points of what was going on and what they were seeing from an industry perspective. But the reality is we haven't brought these two great capabilities together. The other part, it's my personal experience the government can help on attribution several times greater than what we see in industry. If you put those two together, we could act a lot better.

Senator Blunt. Let's go to Mr. Rid. Mr. Rid, should we have--was there nothing we could have done here? Were we not paying the level of attention that we should have paid? Or is it just we just aren't ready because our structure doesn't allow us to anticipate what we know was happening in elections all over the world before 2015 and 2016 here? Particularly in Europe.
Maybe "all over the world" might be a stretch, but all over Europe, not a stretch.

Dr. Rid. There's a lot we can do in order to increase defenses here, as well as to minimize the effect of active measures that are already taking place. Let me name an example. Let's make this concrete. You as members of the legislative body are--and the same is true in Europe--the soft underbelly of the government of the wider administration and government, because--this is true for all parliaments--the IT security is notoriously bad. The chip card that many of your staff members carry around their neck, the CAC card, as it's called, here in Congress, if my information is correct, doesn't actually have the proper chip. It has a picture of a chip. Try feeling. Try to feel the chip with your fingernail. There is no chip. It's only to prevent chip environment if you meet with other parts of the Executive Branch. That tells you that there's a very serious IT security problem. It should be mandatory--and potentially this is something you would think about as we move forward--it should be mandatory for all campaigns, just like you have to disclose financial records, it should be mandatory by default to have two-factor authentication. So not just a password, but actually a second thing, like a number that is generated by an app or a specific key.

Senator Blunt. Thank you. We had somebody this morning say it should be mandatory for the State Department to have a program to every day say what was true and what wasn't true. There are certain levels beyond what you can require people to do that really don't make that kind of sense. Mr. Mandia--and I don't mean your comment didn't, but there are practical levels now. I also say the "soft underbelly" is one of the nicer things the Legislative Branch would be called these days. But your thoughts on why we didn't see this coming?
The earlier panel had a more robust sense of where we should have been understanding what was going on than this one.

Mr. Mandia. There's probably a lot of ways to answer that. I'll answer it this way. When it comes to cyber security, first off, I don't want to destroy anybody's hopes. When we say fix the problem, we've known about cancer for 4,000 years; we haven't cured it yet. The reality is this: when we fix the problem here, we're still going to have incidents, we're still going to have something of impact and consequence. My experience is this: People get serious about cyber security when they have two things: either, A, a compliance driver and they take it seriously; or, B, they have the "oh, crap" moment, quite frankly, and they've been breached. We published reports, my company did, in 2014 that had a lot of the allusions to what just happened. But sometimes you have to have it happen before you recognize that, wow, that was really on the table. I doubt it'll happen again, but now we're having the dialogue to make sure that it doesn't.

Senator Blunt. Thank you, Chairman.

Chairman Burr. Senator Wyden.

Senator Wyden. Thank you, Mr. Chairman. I think it's been a very good panel. I want to talk about one of our most significant vulnerabilities as it relates to cyber security. I have been working for some time now with Congressman Ted Lieu of California, who is a real expert in this field. One of the things that I'm particularly troubled by is our vulnerabilities in what's called "SS7," Signaling System 7. This essentially allows cellular networks to be able to talk to one another. We seem to have some very significant vulnerabilities that could allow a foreign actor, Russians and a variety of other interests hostile to our country, to hack, tap, or track an American's mobile phone. The hackers could be just about anybody, but certainly a foreign government, and the victim could be just about any American. I think, Dr. Rid--and I welcome anyone who'd like to talk. But I think, Dr. Rid, you've done some serious analysis of these vulnerabilities in SS7 and I would be interested in hearing, A, how serious you think this is, and, B, what do you think our government ought to do about it, particularly in connection to the topic at hand, which is dealing with these Russian hacks?

Dr. Rid. Thank you for this very specific question, although I have to say that I'm not an SS7 expert and I don't want to pretend to be one here. But the technology that you're referring to is certainly a weak point and can easily be exploited, ultimately because it is a trust-based system, a trust-based protocol. And if you have a landscape of a lot of mobile phone providers, it's relatively easy to undermine, that some one entity essentially undermines, can essentially exploit the trust here. There are ways to remedy the problem, but I will just add one observation, that if--and I think many people in Congress will be doing this already--if you use an encrypted app for your communications, then you will most likely defeat some of that vulnerability there.

Senator Wyden. I hope that's the case. I think the Congressman and I have been concerned that that may not be enough, because largely what has happened thus far is there have been self-regulatory approaches and that and other approaches weren't pursued. So we're going to continue this discussion. As I understood it, you had talked to some of our folks. You may not think yourself--you may not consider yourself an expert, but our folks thought you were very knowledgeable.

Dr. Rid. Well, may I respond?

Senator Wyden. Sure.

Dr. Rid. I think we're looking in multiple ways at market failures here. So two-factor authentication, which I mentioned, we're looking at a market failure there because it's still an opt-in situation. If you have an opt-in situation, most people will not opt in and hence remain vulnerable.
The market, when we look at active measures--and this is one of the most fundamental ethical dilemmas here. The market favors disinformation today, and I can go into specifics on how we can remedy this if you like.

Senator Wyden. Well, the Congressman and I feel that we ought to get the FCC, the Federal Communications Commission, off the dime, too, because it is clear that they have been slow-walking the various kinds of approaches that could provide an added measure of security. Let me ask one other question and any of you three can get into it. In January the IC assessment, the intelligence community assessment, said that Russian intelligence accessed elements of multiple State or local electoral boards. So I asked the FBI Director then what exactly had been compromised and what was the nature and the extent of the compromise. Director Comey responded that the Russians had attacked State voter registration databases and taken data from those databases. Can you add anything else to that? Any of you three are welcome to do it, because that sounds to me like pretty alarming stuff. The FBI Director in January--and I wish I'd had more time to get into it with him--essentially said that this was a problem, and I would be curious whether you knew anything more about this topic. We can just go right down.

General Alexander. I don't. I have talked to some of the--one of the Secretaries of State on just this and the issue that you brought up, the polling data, the registration data, is something that's at risk and something that the states are looking at. So I do think that's important.

Senator Wyden. Great. Thank you, Mr. Chairman.

Chairman Burr. Senator Cornyn.

Senator Cornyn. Thank you for being here and testifying. I think maybe we assume that people know more about what we're talking about than maybe they actually do. So I'd like to kind of get basic maybe for my benefit and maybe some other people will learn some things as well.
But I think we've referred to something that's called spear phishing. So I'd like to have one of you explain what that is. Let me just tell you, by the way, that occasionally my junk email box on my personal email, I'll get emails that purport to be from the FBI Director or the Army Chief of Staff, Mark Milley, my friend from Fort Hood who's now the Army Chief of Staff, or maybe from Apple, telling me that I need to reset my password, or from Google saying I need to execute some sort of maneuver. Then there's a link for me to click on. Is that what is commonly known as spear phishing, and once you click on that link then they basically could take over your machine?

Mr. Mandia. Yes, you've basically got that right. Looking back at 2015 and 2016, we did nearly 1,000 investigations into computer intrusions, and we have a skewed vantage point because no one hires us to respond to an intrusion when they're five minutes behind the hack. They hire us when the hack and the breach is already at a scale and scope where they need help. In 91 percent of those breaches, victim zero was in fact spear phishing, meaning that's how the Russian groups, the Chinese cyber espionage campaigns, and every capable hacking threat actor is breaking in. It is in fact a link that purports--it's a link or an attached document that comes to you. It looks like it's coming from someone that knows you and it's got something relevant attached or the link is to something you consider relevant to what you do for a living. That's what we were talking about earlier, is that's how we kind of know what the Russians were targeting, is they're doing very specific spear phishes to very specific people. But that is the number one way human trust is being exploited and that's how folks are breaking in.

Senator Cornyn. Would you be surprised if a member of Congress was being targeted by a Russian or a foreign government spear phishing?

Mr. Mandia.
I would not be, and I would expect every one of you is targeted on a near-daily basis.

Senator Cornyn. General Alexander, you were going to say something?

General Alexander. Yes, I was going to add to what Kevin said. They're going to do research on you, know who your friends are, so they know you with Mark Milley from Texas, they know key things about you. Perhaps you golf and you have a friend that golfs, and they're going to send you something: Hey, how about this golfing thing? Click here or do this. And that's how they do it. Spear phishing is targeted on an individual. They do research and understand more about you to go after you as a person.

Senator Cornyn. Well, Dr. Rid, you talked about the poor IT and cyber hygiene in the government space. I think some of this could be as simple as updating your antivirus software, scanning your machine periodically, and the like. But let me just mention the specific hack of the OPM, the Office of Personnel Management. I mentioned it at an earlier panel. 21 million Americans had their personal information stolen in government custody. So even though they may have considered it private information, they were forced to give it to the government for security clearance or some other purpose, and now some foreign state actor through a cyber hack has access to 21 million private records, including more than 5 million sets of fingerprints. Is that the kind of information that cyber actors, either criminals or espionage agents, foreign governments, would use to further collect espionage or to steal or to implant ransomware or something in a machine or in a business and then shake them down for money?

Dr. Rid. Yes, absolutely. The more information, the more confidential information also, you have, the easier it is to craft a spear phishing, a targeted email, a deceptive email, a forged email so to speak. In my written testimony I included a number of samples, a number of exhibits----

Senator Cornyn. I saw that.

Dr. Rid [continuing]. Including John Podesta's.

Senator Cornyn. Thank you. Thank you for doing that. Well, we don't have control over everybody's private computer or what kind of software they use. But we do have something to say, I think, about what the United States Government does. And I think one of the things we need to be attentive to is to make sure that the United States Government networks are adequately protected. I know, General Alexander, you had something to do about that at the NSA. But you didn't have the ability to protect all of this other information. Let me just ask--I just have a couple of seconds and since you're here, General Alexander, we're going to have to take up the reauthorization of the Foreign Intelligence Surveillance Act, particularly Section 702. I just would like to ask you, since we have you here, a little bit about its importance to detecting and countering foreign cyber activity. And if you would also include in your answer the privacy protections that are a very, very important part of that and oversight that you got to see first-hand in your capacity as head of NSA and Cyber Command.

General Alexander. I think that's the most important program that's out there, especially in counterterrorism. I can give you a real quick example. Najibullah Zazi in Denver was detected by that specific authorization. NSA saw that, provided it to the FBI, and Najibullah Zazi was the individual in 2009 who was driving across the country to New York City when they arrested the individual in New York City based off of the other program and they found several backpacks in various states of readiness to attack the New York City subway--done by that program. I think that's the most effective counterterrorism program we have, and I think it will be also effective in some areas for cyber security, although I don't have any examples off the top of my head here.

Senator Cornyn.
Could you conclude your answer and talk a little about minimization and other privacy protections, because I think that's important to the American people, to know that we're very vigilant and diligent in that area as well?

General Alexander. Yes. It's interesting because we did a series of presidential review groups on NSA after the Snowden leaks about these programs. At the time one of the board members of the ACLU, Geoffrey Stone, was on that panel. I was kind of skeptical about this individual being on there, and I'm sure he looked at me somewhat askance. After five weeks of sitting down with our people and going through every one of those, he came up to me and he said: Your people have the greatest integrity of any agencies I've seen. And I said: Don't tell me; tell the American people; tell Congress; tell the people of NSA and tell the White House. And he did. So there are some key statements by Geoffrey Stone that show that we can protect civil liberties and privacy. I think it's important to see some of his statements there, because what it did is--he also asked me to write an op-ed. So imagine an Army officer and a board member of the ACLU writing an op-ed on reauthorizing the metadata program, with some changes. And we did. The reason--I asked him: Why are you doing that? And he said: The reason that I'm doing this is that if we don't have programs like this and we're attacked, we won't have civil liberties and privacy, and the mechanisms and the capabilities you have here to protect it are overseen by Congress, overseen by the courts, and overseen by the Administration. Everything has 100 percent review on it. And I think that's the best way to do it. You know, he is right. If we do get another attack, they're going to ask Congress, they're going to ask the Administration, why we didn't stop those. I think this is exactly why we have to move down. I do think we have to be more transparent.
I think as we bring cyber security in here, having a discussion like this open hearing about how we can protect these is absolutely critical for our country. I have some statements, but I think your folks can pull those off the web, from Geoffrey Stone, with a "G". Thank you.

Chairman Burr. Senator Heinrich.

Senator Heinrich. Let me start by saying that I guess I can take some comfort now knowing that Senator Rubio and Senator Cornyn and quite a few of us have had these sort of sophisticated targeting examples where you end up having to make sure that everything's in place, that your devices were not penetrated. I've certainly had staff targeted. I've had family members who have received these very sophisticated spear phishing and other kinds of approaches. Sometimes you know where the IP address is coming from because your provider literally tells you: Oh, by the way, if you didn't try to reset your account from Russia yesterday at 3:22 p.m., let us know. And having been through that a few times, one of the things that I've certainly shared with my colleagues--and you mentioned this, Dr. Rid, is the importance of two-step authentication. I think it just can't be oversold to the public. Do you want to say just a couple more words about that and why that's so important?

Dr. Rid. Had John Podesta had two-factor authentication the last month of the campaign, the last month of the campaign would have looked very different. I think that says it all.

Senator Heinrich. That says it all. Yes, I could not agree more. Given what we saw in 2016 and how easy it is to sometimes drive these wedges within our own society, what should we be expecting in 2018 and how should we be preparing for that? That's open-ended for any of the three of you if you want to share your thoughts.

Mr. Mandia. It took about 18 years for me even to figure out as I responded to breaches they reflected geopolitical conditions, but they actually do.
What I think we're going to observe in 2017 and 2018, the attacks will always exploit human trust. There will be clever ways to do it. There are ways to get around two-factor authentication, which we've seen Russians use as well as the Chinese government use. I think it's going to be more what's fair game to espionage. I think that governments are going to start working on defining what are the industries that are fair game, what are the activities that are fair game and what aren't, because, quite frankly, every nation can get sucker-punched in cyber space, because we're exploiting human trust. Senator Heinrich. How do you send those signals about what is over the line and what the consequences of crossing that line might be? Mr. Mandia. Well, that's why we have diplomats. I think we're going to have doctrine. We're going to have things that we publish. We're going to have to let people know what we think are the right activities and are the wrong activities. The private sector will participate. Governments will participate. We'll get alignment with some nations and misalignment with others, and we'll adapt to that. General Alexander. Could I add to that? Senator Heinrich. Go ahead, General. General Alexander. I believe that one of the things that you could do and encourage is with the states setting up an exercise program between the State governments and the Federal Government about how you're actually going to improve the security of that and what they need to do, set the standards. So I'd go beyond the National Institute of Standards and Technology. How do we know we're protecting voter registration databases, and what are the standards that we're holding them to and who's watching that, and setting the controls in place. I think that the states would greatly appreciate, so what are you going to do when we're being pummeled by a persistent? Now the government, the Federal Government, needs to step in. That's part of Senator Feinstein's question: How do you? 
Well, we haven't practiced that. We should practice that. Senator Heinrich. Dr. Rid. Dr. Rid. A very concrete suggestion that I think would actually make a difference. How many of the social media interactions, especially Twitter interactions, during the campaign of the most important Twitter accounts were created by bots? Senator Heinrich. Yes. Dr. Rid. Were created by automated scripts and not humans? The answer to that question--we don't know the answer to that question because Twitter and other social media networks have not provided the data. You could write a letter to these companies and ask them to provide the heuristics, to provide the data: How much of a problem is our bots? Senator Heinrich. That actually, that's very much in line with my next question that I was going to direct to you, which is: In addition to looking at the data, are there things that we should be doing working in concert with those social media companies to dampen the effectiveness of this feedback loop in the media cycle that is being exploited? Dr. Rid. Absolutely. You could, for instance, ask social media companies to provide detailed data, including a methodology of how they arrived at those data. It's very difficult for outsiders to get to the answer to these questions: How much of a problem are bots? I think it is a very significant problem. When you sign up for a new Twitter account today, you can say--you know, the new accounts all have an egg face. You can say: I don't want any eggs, people who never change their account picture. No eggs is a good thing. You can say, I don't want eggs, but you can't say, I don't want bots. Bots are more of a problem than eggs, I believe. So we should be in a position to, by default, move into an environment where we switch out abuse and bots out of our vision, if you like, as users. Senator Heinrich. Very helpful. Thank you all very much. Chairman Burr. Senator Collins. Senator Collins. Thank you, Mr. Chairman. 
General Alexander, first of all, it's nice to see you once again. Section 501 of the fiscal year 2017 intelligence authorization bill, which, regrettably, has not yet become law, requires the President to establish an interagency committee to counter active measures by Russia, including efforts to influence people and governments through covert and overt broadcasting. The purpose of this committee would be to expose falsehoods, agents of influence, corruption, human rights abuses carried out by the Russian Federation or its proxies. Like the U.S. Information Agency, there once was an Active Measures Working Group that worked to counter covert disinformation from the Soviet Union, and that was disbanded. Is this a recommendation, as we search for ways to counter the Russian attempts to spread propaganda, outright lies, influence our people--is this a recommendation that you believe should be implemented? General Alexander. I do. I think I would look at giving the Administration a suite of capabilities from diplomatic through cyber to what you just said, active measures, what we can do to expose that. I think we also need to give them the freedom to determine what's shared and what's not shared in terms of protecting the Nation in that regard, sharing it all with Congress of course, but how you publicize that if you know something is going on and you've got it through other means. I think those things you'd want the Administration to at least be reasonable about, but I do think these are the kinds of things that should be put on the table. I would have to go back and look at all the tools that you're going to give them and say, does that meet the objectives of engaging Russia and confronting them when they cross the line on something? I think in this case this is something that would give them a tool, if they've crossed that line, to say, stop, here's what we know and here's the consequences. Senator Collins. 
Because one of the aspects of this investigation that I found troubling that we've already learned is how weak our response is when we have a disinformation campaign. It seems to me that this working group could be useful. I realize it's a delicate issue in some ways because you don't want to sweep up legitimate--you don't want to be trying to set the rules for journalists, for example. But that brings me to another issue for Professor Rid. That is, in your testimony you talked about how Russian disinformation specialized the act--specialists, I'm sorry, perfected the act of exploiting the unwitting agent. I assume by that you mean that individuals or entities who don't know or realize that they are being used by the Russians, but nevertheless are. In your testimony you use examples of Twitter and journalists who cover political leaks without describing the origins of those leaks as examples of unwitting agents that were involved in the Russian influence campaign in 2016. You also list WikiLeaks. I would put WikiLeaks in a different category personally. But what can we do about the unwitting agent? I mean the truly unwitting agent. Dr. Rid. Yes, I agree, in the case of WikiLeaks it's unclear whether they are unwitting indeed or just witting, so to speak. Senator Collins. Right. Dr. Rid. But I think we are trained, the Western mind, if you like, is trained to think in contradictions. It's either this or that. But here I think we're looking at a situation-- and this has been a pattern throughout the Cold War--where active measures operators recognize that unwitting agents--this could be journalists, politicians even; members of Parliament in the past have been the case--just because they're genuinely so passionate and engaged and activist in their outlook further the Russian cause. So we have to recognize that this will continue to be a problem. We cannot simply get rid of that problem. 
It is something--for instance, we have documents from the Cold War time where disinformation active measures operators say they actually want conflict between the unwitting agent and the actual adversary, say WikiLeaks and the U.S. Government, conflict is good. So that's how far you can take. If the goal is driving wedges, then the unwitting agent is a trump card in your sleeve. Senator Collins. Thank you, Mr. Chairman. Chairman Burr. Senator King. Senator King. Following up on that, it seems to me that the unwitting agent is a key part of this entire process, particularly where you're talking about disinformation. I think you make the point in your prepared statement that anonymity, anonymous leaks, there should be more work on where did it come from. Is that correct? Dr. Rid. Yes, absolutely. WikiLeaks was purpose-built to hide the source. That is the goal of the entire platform. Of course, I think--and I do take Julian Assange seriously when initially at least, historically, he was just an activist. Senator King. He was a clearinghouse, but now he's a selective leaker. Dr. Rid. That seems to be the case, yes. Senator King. General Alexander, we've been talking about this for at least four years. One of the problems--and you talked about this with Senator Collins--this country has no strategy or doctrine around cyber attacks; isn't that correct? And isn't that part of the problem? We need to have a doctrine and our adversaries need to know what it is. General Alexander. Absolutely, Senator, and I would add rules of engagement. We don't have--the consequence is if there were a massive attack we'd have to go back and get authority to act, where if it were missiles coming in we already have rules of engagement. So I think we need to step that up as well. Senator King. Ironically, part of that is transparency, because if we have a capability that would act as a deterrent but our adversaries don't know we have it, it doesn't act as a deterrent. Is that correct? 
General Alexander. That's correct. In fact, if I could, just to add something, because Thomas brought out another issue. I think it would be good also for the American people to release perhaps collectively the number of vulnerabilities our government has pushed out to industry, that has been identified by government, because often that's opaque. So what you wouldn't see is how much of that is actually being pushed to industry and how that's cleared. But you could get a collective summary from the departments and agencies that have pushed those out and see what's being shared. I think that's a good thing and it's a good way to start that dialogue. Senator King. That's a positive development, but I still believe that we need to develop a deterrence 2.0 to deal with the nature of the threats. And it doesn't have to be cyber for cyber. It could be sanctions or other. But there needs to be a certain response, a defined response and a timely response. Otherwise it's not going to have the deterrent effect. General Alexander. That's right, and we have to get the roles and responsibilities of the different agencies. Who's actually going to conduct that response? I think that has to be set straight and clear. We discussed that in the other hearing, but I think that's something that also means that if we had to react we wouldn't have the right people set up to react. Senator King. Mr. Mandia, one of the things--and I think this has been touched upon in the hearing--is the question of the vulnerability of our State election systems. We know that the Russians were poking around, if you will, in our State election systems. I learned recently that more than 30 states now allow internet voting and 5 have gone completely paperless. Doesn't this create a significant vulnerability? Mr. Mandia. It also creates an opportunity to do things even better. At the end of the day, when we look at--I go right to Estonia and what they do in their election process. 
I'm not totally intimate with it, but they have an identity management that's far better than our State, for our Nation. When you have anonymity, it's really, really hard to secure the internet. Obviously, we're going to always have attacks on these areas. But what we're seeing is every election year--and I've responded to breaches every election year since 2004--both sides get targeted, things happen. We are still going up and to the right. I'm confident a modern nation--and probably others could speak better to this--would reserve the tool of tweaking electoral votes or ballots to the last resort. I've never seen evidence of that and I think we'll always have a natural risk profile to show great diligence in how we secure the election process and go forward. Senator King. My understanding of the intelligence is that it doesn't appear that they changed votes or vote tallies in this election. Mr. Mandia. No. Senator King. But they weren't going into those State election systems just for recreation. There was some purpose. I think one question, which I think any of you could answer, but you can answer: 2016 wasn't a one-off. This is a continuing ongoing and certainly future threat, is it not? Mr. Mandia. I think so. I think right now when you look at intelligence, it's been totally redefined by the internet. People are searching YouTube every day to see what operations are going on by ISIS. So the intelligence collection that we have today has never existed in the past. It's just that during this election we saw Russia break rules of engagement they had traditionally followed in that they added collections with computer intrusion, stealing documents and leaking them. But yes, I think this is a tool everybody's going to use. Senator King. Dr. Rid, do you want to respond? Dr. Rid. The great active measures campaign of 2016 will be studied in intelligence schools for decades to come, not just in Russia, of course, but in other countries as well. Senator King. 
So not only will it be studied; it will be attempts made to replicate it. Dr. Rid. That we can only assume, but it will certainly be studied. Senator King. Thank you. Thank you, Mr. Chairman. Chairman Burr. Senator Lankford. Senator Lankford. Thank you, Mr. Chairman. Let me ask you a question, Mr. Mandia. Your company has gone through an extensive amount of background to be able to look at the DNC hack and the exfiltration of their data. I want to repeat again what you have said orally and what is in your statement. Any other details that you can give us. You felt that this was Russian intelligence. You have answered that yes. But much of what you have put in your written statement seems to be a circumstantial look at it, that you were basically eliminating other things. So let me ask you a question. Is this a process of elimination much like a doctor doing a diagnosis, saying it's not this, this, this, and it must be this? Or do you think there's something that zeroes in and says, no, that's really it and here's the evidence that links it? Mr. Mandia. I think that the intelligence available to the private sector is different for attribution than it is in the government. We can only take it so far. We're not going to fly people into Moscow and troll the streets trying to find a building. We have to do it by process of elimination. We have to do it by just deduction. But at the same timeframe, we hope the level of exactitude needed will come from the intelligence communities. But we've done this with China. China, we just got lucky. Their operational security broke down so we could get an exact building and some people. Russia's operational security on the internet is better than that. Senator Lankford. So let me ask: There has been conversation about Guccifer 2 being linked to the Russian government. Do you have any evidence of that or anything that would lead you to conclude that is true or lead you to at least disagree with the intelligence community on that? Mr. 
Mandia. I think it would be hard to think of any other--here's what we do know. I would attribute the Russian government to the breaches. We cannot connect all the dots from the breach, at least with the observables available to my company and our investigators. We can't go from breach and leaked data to suddenly Guccifer 2.0. We just don't have the means to do that. Senator Lankford. But you think they're consistent? Mr. Mandia. I think it's remarkably consistent. APT28 intrusions are occurring and it's APT28 stolen data that's being leaked by DCLeaks, Guccifer, Anonymous Poland, and a bunch of other what we call fake personas or false personas. Senator Lankford. Great, fair enough. So how confident are you that there's not any false flag operations that are involved in this? Mr. Mandia. We've observed this since 2007. I'm confident that APT28, the hacking group, is in fact sponsored by the government, the Russian government. Senator Lankford. Fair enough. So let me ask you a question and it's the ongoing dialogue that we have here all the time. How do you define any difference in what's thrown around commonly as ``We've had a cyber attack'' or, as has been used in this conversation, ``They've crossed the line''? We continue to talk about things like cyber doctrine, giving clear boundaries. We don't have any of those things. This has been an ongoing conversation for a while about who would set them, how they would be set. But at some point we have to have a clearer, a clear statement of what is crossing the line. Earlier you made a statement it would depend on the State, it would depend on the situation and such. Can you give me an example--obviously, this is an example. Mr. Mandia. Right. Senator Lankford. So other than this one, but give me an example of what it means to have a cyber attack that we can communicate to the American people, this is not just a nuisance hacker stealing information, this is an attack from a foreign government on our sovereignty? Mr. 
Mandia. First off, I go back to somebody made a comment once: It's hard to define pornography, but we know it when we see it. The reality is it's hard to delineate the cyber attack. I'll give you an example, though. I received a phone call once from one of our intrusion responders saying: We think North Korea hacked Sony Pictures. We went on site, we did the work, and we were as shocked as everyone that we even attributed it at, via our means, to most likely North Korea. Then you start wondering, what levers do we have on North Korea to change their behaviors? That's why I think, A, attribution's critical. Got to know who did it. But I think the response will probably depend on our relations with those nations and their cooperation. Senator Lankford. Talking to the difficulty of identifying who did it, as far as linking places when you get a chance to bounce and to be able to hide it different ways, is that becoming more difficult or easier based on the tools that we have or based on the tools that they have to be able to hide their location? Mr. Mandia. In the private sector, it's becoming more difficult for us to do attribution categorically. We used to have--we respond to hundreds of intrusions a year. By the end of 2010, six years of doing this, we only had 40 buckets of evidence. Every time we responded to a breach to figure out what happened and what to do about it, the trace evidence of what happened, cleanly into 40 buckets. Now we're into the thousands. The TTPs and the malware's change, the infrastructure's changing. I would say actors are getting smarter about remaining anonymous in their attacks. Senator Lankford. Mr. Rid, quickly I want to be able to ask you a question because you were alluding to this earlier. A matter of an attack is not just a matter of going and deleting files or creating chaos. 
It could be manipulating an existing file where you lose trust for it or adding a file that was never there, and suddenly there's something appearing on your computer that you never put there, someone else added to you. So the threats of the attack that is out there, what could that look like? Dr. Rid. We have concrete examples. A recent one is a critic of President Putin in London was hacked and allegedly-- and I think the evidence is quite good--illegal child abuse imagery was uploaded to his computer as an active measure to undermine his--to make him into a criminal in the U.K. Senator Lankford. So they added child pornography onto his computer? Dr. Rid. You can just download something, as in the case of the DNC hack, where they uploaded something. Senator Lankford. Thank you. Chairman Burr. Senator Manchin. Senator Manchin. Thank you, Mr. Chairman. Thank you all for your testimony today and helping us as much as you possibly can. We appreciate that. Let me ask this question. Could Russia have made a difference in the outcome if they wanted to? Did they get to the level that they could have gone further, but stopped and we fell into the trap? Mr. Mandia. Mr. Mandia. In regards to the computers---- Senator Manchin. Basically, I'm understanding they were more aggressive than they've ever been and they got more involved than they ever got. Could they have done more and just stopped and we fell into the trap? Mr. Mandia. I don't know if we fell into the trap. I don't know what you mean by that. Senator Manchin. The trap is basically what we're doing right now. Mr. Mandia. Could be. I can tell you this: I believe we probably know 90 percent of their cyber capability, maybe even only 80. They probably reserve their upper echelon for maybe-- -- Senator Manchin. Could they have basically changed the outcome of the election? Mr. Mandia. I have no idea. I don't know. Chairman Burr. You don't know if they're capable of doing that? Mr. Mandia. 
I think--when I think of changing the outcome of an election, I'm an engineer; I think ones and zeroes kind of. I would say, could they have altered the votes? I think we would have seen that. I think we'll see the shot across the bow on some of the most severe attacks, things where we have lots of observation. I think we'd catch the shot across the bow. Senator Manchin. Let me ask this question for anybody who wants to answer. How intense has their involvement been in other countries that we know in the past? Is it to the level they've gotten to with the United States in this past 2016 election? Are they that involved in France, Belgium, Germany? Dr. Rid. Dr. Rid. It depends on how far you want to go back in history. The Stasi, we know that for a fact, affected the outcome of one vote of no confidence in the Bundestag, which kept Chancellor Brandt in power. So we have many, many historical precedents of elections. Senator Manchin. How about in France going right now? Dr. Rid. Right now. We currently do not have a single example in Europe to my knowledge where a hack and a leak were combined in the way it would happen in the United States. Senator Manchin. But their involvement in the election has shown a desire to get people that are more friendly toward the Russians? Dr. Rid. Yes. I mean, I'm not saying there's nothing going on. In fact, there are active measures under way. But they are of a different kind, it seems at this stage at least, than what we saw in 2016 here. They're more old-school, more forgeries, like the Lisa case that Senator Rubio mentioned earlier. Senator Manchin. From the technology end of it, from the cyber end of it, do we have the ability to stop? And you're saying, what can we use? Is there going to be cyber warfare back to them? Is there something that we can do to a Russia that would stop this behavior or they would be concerned about we could intervene or interfere with their system? Mr. Mandia. 
I think General Alexander should comment on that, but I can tell you, at least on defense in the private sector, probably the best analogy I can give you is a hockey analogy. It's like going up against Gretzky on a penalty shot when the Russian government targets your organization. They have a good chance of putting the puck in the net. General Alexander. There's a couple of things, Senator, that I think we need to do. We talked about fix the defense. I think what we're doing right now with this committee and others is we have highlighted that we know they did this. They know that we know, and now the issue is they've been put on notice and now it's over to our government on the path forward. We have an opportunity to engage and confront them on different issues. I think that in and of itself was something that perhaps they miscalculated. Now what we need to do is fix the defense and see what other actions we should take to defend our infrastructure, including the electoral infrastructure. Senator Manchin. General, when Putin puts his statement out that he put out today claiming no responsibility, no knowledge whatsoever, and we know and the whole world should know--we've made it official. He seems to have a very high rating in Russia, so I don't think they're going to believe us. Do we have the ability to show from a technical aspect what was done? General Alexander. I think one of the benefits of his actual active campaign is it's had a great impact on his popularity in Russia. He's taken us on in these areas. I think saying ``It wasn't us'' is something that he would say ad infinitum. We saw this across the board, Thomas brought out, all the way back from Moonlight Maze and before Russian involvement, and they said it wasn't them. We knew it was. Senator Manchin. Do any one of you three have what you would recommend as the greatest retaliation for Russia for this type of activity? Let's start right down the line if you will, Dr. Rid. What would you recommend? 
How would we retaliate, basically, to make sure that we harm them or hurt them to the point they will not continue this type of behavior? Dr. Rid. That's a tough question. Senator Manchin. Militarily? Electronically? Dr. Rid. Certainly not militarily as there would be an escalation that is entirely inappropriate. Senator Manchin. Economically? Dr. Rid. In I believe it was the DHS publication at the end of December, 29th, the then-Obama government pointed out, the Administration pointed out, RT as a major outlet of Russian active measures. At this stage RT has a license in the United States. General Alexander. I think we should step back, Senator, and say what is our objective with Russia? This was a single event. I think we should have--this is where the Administration from Secretary of State, Secretary of Defense, and others should get together--and we should give them the opportunity and time to do this--and say, what's our strategy going to be with Russia, which includes what you're asking? Because I don't think we want to do it tit for tat on these things and just retaliate. What we really want to do is, how do we get an engagement with Russia that puts us and the world in a better place? I think it's part engagement and saying, here's what we want to do, we know this, and we've got to figure out how to stop, and here's what's going to happen if we don't, and put those on the table. But I think that needs to be done more in private than in public if we're going to have a chance of success. You know, it's in our interests to address these problems now, when you look at what's going on in the Middle East, what's going on in Eastern Europe, and all the other problems we have. We've got to solve some of these by allowing the Administration to engage in that area. So I would push it over to the Administration. They have good people in this area. Senator Manchin. My time--go ahead. Mr. Mandia. Yes, sir. A lot of comments here. 
I've got a very simple--there's a carrot or a stick. There's either money or the 82nd Airborne. I'd agree with everything the General said--not time for that. I would caution the response if it's just in cyber space, the asymmetry. If all our tools work against them and all their tools worked against us in cyber space, Russia wins. So I don't think--there's too much asymmetry in cyber, based on our economy relying on it, our communications relying on it, our free press even. They can do an invasion on the privacy of everybody in this room. We can't really reciprocate that, hack Putin's email and post it and get the same results. So I would just advise cyber-on-cyber just feels like we're in the glass house throwing rocks at a mud hut. We're not going to pan out very well there. Senator Manchin. Thank you. Chairman Burr. Senator Harris. Senator Harris. Mr. Mandia, one main reason that we're doing this public hearing is so that the American public can actually understand what happened. So if we can just take a step back, because this is a fairly complex issue, and particularly when we start talking about bots and all these other things. Some people wonder, is it just a short form for a robot? Let me ask you--Americans, I think many whom I've spoken with can't help but feel that they have been played if they made their decision in this election based on fake news. How can they know that they are receiving fake news? How can they detect it so that they can ultimately make decisions like who will be their President based on accurate information? Mr. Mandia. That goes beyond my expertise as a cyber security individual. I can just say as a lay person everybody's got to take everything they hear and vet it against multiple sources. But I simply don't have the right tools to be an expert on how do you determine fake from non-fake news. Senator Harris. Do any of you feel experienced enough to answer that question? Dr. Rid. It's a simple answer. 
If it's in The New York Times or the Washington Post, it's not fake news. I mean, we have to believe in the center, so to speak. If we don't, if we can't trust the mainstream media any more, then we've lost. General Alexander. Could I add to that? Senator Harris. Yes, please. General Alexander. I think part of it is we at times sensationalize and inflame, not inform. How do we get a more informed set of reports out to the American people on some of these issues? That's something I don't have an answer to, but that's part of the problem. We've got to figure out how to address that as we go into this next age of having all the information available at an instant. We saw the attack on the White House, the theoretical attack about a year ago. It turned out to be fake news. I think we've got to take another few steps on that. That's where the news agencies, social media, and governments have to work together to help get the facts out there. Just the facts, ma'am. Senator Harris. So tell me--I'm going to direct it--I'll start with Mr. Mandia, but whoever can answer this question if you feel you have an answer. How can we tell if Fox manipulated a Google search to elevate the placement of fake news in the 2016 elections, and what partnerships might we take with Google or any other search engine to avoid that happening in the future? Mr. Mandia. I think that's a great question. I think Google probably has the answer. Here's the reality even that's going to be difficult for them. There's a lot of ways. What you're describing is what we used to call astroturfing. It's the way to manipulate public opinion just based on the number of hits and influences behind that. It depends on the platform. It's actually a complex challenge for us to pierce anonymity behind, is that a bot or a human, because bots keep getting smarter, replicating us. General Alexander. 
I would just add, I think Google has some great folks in this area, and that may be something that you get the folks at Google, Facebook, Twitter together along with some of the other social media and ask them that question: How can we jointly solve some of these issues? I think it's a great question and one that they would take on.

Dr. Rid. Social media companies are--the market assesses social media companies on the basis of active users, the active user base. Now, if a certain amount of the active users are simply bots. There's a commercial interest in not revealing the fact that a tenth, a third of your user base actually is machines.

Senator Harris. Thank you. General Alexander, as a former General--I asked this question of the earlier panel. We invest in our military and our soldiers as part of our defense system and rightly. But Russia seems to be investing a great amount in its cyber security as a tool of warfare. What would you recommend we do in terms of the United States Government to meet those challenges in terms of how we're investing in infrastructure to be able to combat, both on the point of deterrence, but also resilience; after we do detect, when and if we do detect that we've been hacked, how we can step back up and pick back up as quickly as possible; and then obviously what we need to do in terms of any sort of retaliation?

General Alexander. I think there are several key points that we have to do. One is we have to fix the relationship between industry and the government for sharing information so that they can be protected. We have to set up the rules of engagement and the rules of what each of the departments are going to do and they have to understand and agree to those. We have to rehearse that within the government and between government and industry.

Senator Harris. I only have a few seconds left, so I'd like you to direct your response--and I appreciate the points you made earlier on this, on this point. But we have a budget coming up. What would you advocate in terms of the budget that is going to be before us to vote on? It's called a skinny budget. There's a whole lot of discussion about where the limited resources and dollars are going to go. On this point, what would you advise us in terms of how we distribute those limited resources to meet these challenges, the challenges in terms of the Russian government and the finding by the FBI, NSA, and CIA that they hacked our systems?

General Alexander. I think we definitely need to continue and increase the investment in what we have in our cyber capabilities, the forces and the infrastructure and the tools that we create. That's needed. I think we also have to look at--and one of the members over here brought out--government. Our IT in government is broke. We need to fix it, and we need to look at how we secure it. OPM was a great example that they used. I think that's something this Administration is already looking at, but we need to help them get there and figure out the best way to do that. When you think about it, they don't have the IT resources or the cyber security professionals to actually defend them. The solution has got to look at what we do with the commercial sector and how we add that to government. I think those are the key things.

Senator Harris. I appreciate that. Thank you.

Chairman Burr. Do any other members seek additional questions? Vice Chair.

Vice Chairman Warner. I would just like to ask one quick one. I think this line of questioning we've heard about how we can react, very briefly because the Chairman hasn't asked his questions yet. But I do wonder. We saw the example that somebody did hack into former Prime Minister Medvedev's files, which showed lots and lots of luxury properties all over the world. In many ways that seemed to result in a series of protests across Russia, where unfortunately protesters were arrested. But comment on that? Very briefly, since the Chairman hasn't had his questions.

Dr. Rid. I'm not sure I understand the question properly. Are you implying that----

Vice Chairman Warner. I'm inquiring whether the--I agree with Kevin on the notion of simply tit-for-tat actions in cyber because we're more technologically dependent. But there are activities kind of around active measures where Prime Minister, former President and now Prime Minister, Medvedev in Russia--maybe I'm mispronouncing the name--suddenly all his extensive property holdings became public, which caused great consternation in Russia and a series of protests.

Dr. Rid. We know from publicly available information that President Putin, Vladimir Putin, believes the Panama Papers leak, which broke on the 3rd of April in 2016, so right in the middle of the ramped-up targeting--targeting on their side ramped up before Panama Papers broke as a story, but we have to assume they knew about Panama Papers, that it was coming. Putin seems to believe Panama Papers was an American active measure against him. I don't think this was the case, but that puts the entire operation into a slightly different light and it's important to consider that.

Chairman Burr. Thank you, Vice Chairman. Listen, we really are grateful to all three of you for making yourselves available. Keith, you're a guy that the committee has looked up to, not just because of the stars on your shoulder, but it's the knowledge in your head and how you have had a way for years to convey to the committee in a way that we could understand what the threat was, what our capabilities needed to be, the actions that we needed to take, why we needed to take them, and the objective of the effort. I think what concerns me is that this thing's speeding so fast now, it's like you pulled the string on the top when we were kids, and over time the top slowed down, and it looks like now the top starts spinning faster and faster and faster once you've pulled the string. So I want you to understand that we're probably going to invite you back in an informal setting, probably not a public setting, where some of the things we got into today we couldn't dig much deeper. And thank you for showing the constraint of doing that. For that reason, I'm not going to include you in my other two questions, because it might put you on the spot. I'm going to turn first to Dr. Rid. Do we have any idea how Russia transmitted emails to WikiLeaks? And if that's the process that everybody assumes happened, then how could WikiLeaks be, as you referred to, unwitting?

Dr. Rid. That's a good question. Guccifer 2.0, the front that was created, tweeted that they gave emails to WikiLeaks. WikiLeaks tweeted that they received something from Guccifer 2.0 before this was attributed to Russia. So that's the only evidence that we have publicly and I think it's quite strong, or it's certainly notable. Is WikiLeaks an unwitting agent? In truth, we can't answer the question because they haven't spoken on it. But we also can't just assume that they're not an unwitting agent. But ultimately it doesn't matter, because they are a very effective unwitting agent.

Chairman Burr. Kevin, do the forensics that you're able to have done suggest that WikiLeaks continues to hold additional emails that have not been released?

Mr. Mandia. I can't answer that. I can tell you from all my experience what we've seen publicly released is probably under one percent of what we've attributed to the Russian government stealing.

Chairman Burr. We're trying as a committee to come up to speed on not just terminology, but what that terminology means. So I'd like to give you an opportunity to walk us through how you identify an actor like APT28?

Mr. Mandia. Yes, and here comes the details. First, for the first time ever we started getting better software in place beforehand so we'd see keystroke by keystroke what they're doing. I think most Senators do not do command line execution, but there's different commands you can type, there's different letters that you type in different orders. You start getting to know the attackers when you get that command-level access to them. Then it's the malware they've created, the IP addresses they use, the infrastructure they use to attack, the people that they actually target, the encryption algorithms they use, the pass phrases they use when they encrypt things, and the list goes on and on. We tracked at one point--we created a scheme in about 2006 on how do you categorize the intelligence or the evidence, the forensics, from an intrusion investigation, and we had over 650 categories. I can't go into all of them today, but trust me, you observe a group for ten years or more; after a while, we got the bucket right. APT28 to us is a bucket. Every time we respond to them, there's enough criteria together that APT28 is our APT28, APT29 is our APT29, APT1 was PLA Unit 61398. The link is we couldn't take 28 and 29 and say GRU or FSB. It just isn't available to us in the trace evidence when we respond to intrusions. But it's time-stamps, compilations. I'll give you one last example because this is understandable. When you look at the malware that's been used in these attacks and their compile times, 98 percent or higher of it is compiled during business hours in Moscow or St. Petersburg. That's a pretty good clue. And whoever's doing it speaks Russian.

Chairman Burr. If you'd rather not answer this or don't know the answer, punt it and I'll forget it. Had the DNC decided to provide their system for FBI to do forensics on, would we have gotten more information?

Mr. Mandia. I don't know. I can tell you--I can't speak specifically to that one, but over the last five to six years we respond to a lot of breaches now where the FBI is there, and they are there. And they're not the ones traditionally doing forensics. They are relying on a lot of the private sector forensicators. That's a made-up word. But we're doing our forensics. We're producing it. And the customers are choosing, our clients are choosing, to share that with the FBI. I think the group that responded to the DNC is highly technical, highly capable. They got it right.

Chairman Burr. It was a diplomatic way of asking, do we have different capabilities than the private sector. And you said----

Mr. Mandia. Yes. We've had tremendous help. When we respond and the FBI is in the room, it's fantastic help. Maybe they're cleansing intel from another agency or not. But there's been numerous cases where we're showing up and we know maybe three things to look for, and the FBI says: here's another 80; go look for those as well. So we are--and I've been doing this 20 years. It's more likely than not when we respond to intrusion the FBI is actually there and responding with us.

Chairman Burr. I sort of leave this hearing not having heard a word that I think we're going to use frequently based upon what's going on, and that's "dox." My understanding of the term "dox" is it's the 21st century term for "steal and leak." Am I going to hear "dox" a lot in the future?

Mr. Mandia. It's an irritating word to hear, isn't it? But at the end of the day, yes, you'll probably hear it. That's the technique that, it looks like a state actor is using it. I can tell you the first time we saw North Korea delete things in the United States, that felt like it crossed a red line. Doxing appears to be the thing that crossed the line with the Russian activities.

Chairman Burr. Thomas.

Dr. Rid. One sentence on what Kevin just said about the FBI there. Usually in an investigation of the kind he was describing, you would make a so-called image of the computer hard disk, and if the FBI has these images, which I understand they may have, then you don't actually have to physically be there. It's as good as being there physically. But on the doxing observation, yes. Just to make another observation that may be personal for many of you here in this room, but the ethics rules in Congress may actually make members of Congress and in the Senate more vulnerable, because it forces you to use different devices, sometimes as many as three devices, I understand, to make different calls and different communications. So even if the main work device is actually secured properly, then it would push you down into a more vulnerable area. That is a problem that possibly can also be fixed.

Chairman Burr. One last general statement, and I heed the advice you gave, General, and you backed up, Thomas, and I think, Kevin, you supported as well. Our response has to be well thought through, and it's not just what we do in reaction to, it's what we do as we set the course for some better defensive mechanism in the future. But you can't neglect the fact that Russia over a period of time has done things outside of cyber--invasion of Ukraine, Moldova, presence in Syria, presence in Egypt. It continues on. We might look at this today in the rear view mirror and say: Boy, they miscalculated. The only way they miscalculated is to have taken our neglect of reaction to what they did as an opportunity to push a little harder on the accelerator. Not being critical, but we've done nothing to Russia when they've made aggressive moves. And now all of a sudden this happened at home. It happened with elections. When you look at it from a standpoint of impact, I think the Ukrainian people would tell me what happened to them is much worse, and if it happened in the United States we would think that's much worse. But the fact is that this is going to require a global response, because the globe is just as exposed as the United States. It was our election system in 2016. It is the French, the Germans--I won't get into the long list of them. But we're within 30 days of what is a primary election in France. It could be that the Russians have now done enough to make sure that a candidate that went to Russia recently and a socialist make the runoff and they end up with a pro-Russian government in France. They've won. That was their intent, I feel certain. We're not sure what the effects are going to be in Germany, but we've actually seen them build up a party in Germany, not tear down but build up a party, and exploit things that were, when you look back on them, fake news, not that we created, but that was created within Germany, that never was news, but they used it, they exploited it. And look at what it's turned into. So we may have been the first victim, but we may not have been victimized as much as others are going to be in the short term, and we certainly should heed the warning and not be an additional victim in 2018 or 2020. Let me move to Senator King real quick.

Senator King. Just a follow-up question to Dr. Rid. Tell me more about Guccifer 2.0. Is that a flesh-and-blood human being? Is it an office? Second question: is there any doubt that Guccifer 2.0 is an agent or somehow working for the Russian government?

Dr. Rid. Guccifer 2.0 is--we know this from the evidence that's available, not all of it public, but only private sector sources and academic sources, I may say. Guccifer 2.0 is certainly not just one individual, because in private interactions with journalists we can literally see different types of humans at play. Some use it consistently at a specific time, lots of smileys and very informal. Others are more formal. All communicating through the same channel. On the links, Guccifer 2.0 to others, APT28, as I mentioned and as I also lay out in my evidence in the written testimony, hacked 12 of the targets that were leaked, doxed, on DCLeaks. Guccifer 2.0 provided a password that was not publicly known, provided a password to DCLeaks to The Smoking Gun, the outlet. So that's a very strong forensic link there. The link I think--the docs can be connected.

Senator King. But how about my second part of my question? Is Guccifer 2.0 an agent of the Russian government in some way, shape, or form?

Dr. Rid. If you mean by "agent," an agency or sort of organization, it could be a subcontractor, it could be a team within an intelligence agency.

Senator King. Affiliated or associated with the Russian government?

Dr. Rid. I am confident that the answer is yes.

Senator King. Thank you. Thank you, Mr. Chairman.

Chairman Burr. I thank all the members, and I thank our panel today. You have provided us some incredible insight and knowledge. We're grateful to you. This hearing is adjourned.

[Whereupon, at 4:02 p.m., the hearing was adjourned.]

Supplemental Material

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]