Thursday, March 30, 2017 - 2:00pm
Dirksen 106

Witnesses:
Kevin Mandia, Chief Executive Officer, FireEye, Inc.
General (Ret.) Keith B. Alexander, Chief Executive Officer and President, IronNet Cybersecurity
Thomas Rid, Professor, Department of War Studies, King's College London

Full Transcript

[Senate Hearing 115-40, Part 2]
[From the U.S. Government Publishing Office]

                                                  S. Hrg. 115-40, Pt. 2

                                PANEL II

                               BEFORE THE

                   SELECT COMMITTEE ON INTELLIGENCE

                                 OF THE

                          UNITED STATES SENATE

                    ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                        THURSDAY, MARCH 30, 2017

      Printed for the use of the Select Committee on Intelligence

         Available via the World Wide Web: http://www.fdsys.gov

                         U.S. GOVERNMENT PUBLISHING OFFICE

25-998 PDF                     WASHINGTON : 2017
  For sale by the Superintendent of Documents, U.S. Government Publishing
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
                          Washington, DC 20402-0001

                   SELECT COMMITTEE ON INTELLIGENCE
           [Established by S. Res. 400, 94th Cong., 2d Sess.]

                 RICHARD BURR, North Carolina, Chairman
                MARK R. WARNER, Virginia, Vice Chairman

JAMES E. RISCH, Idaho                DIANNE FEINSTEIN, California
MARCO RUBIO, Florida                 RON WYDEN, Oregon
SUSAN COLLINS, Maine                 MARTIN HEINRICH, New Mexico
ROY BLUNT, Missouri                  ANGUS KING, Maine
JAMES LANKFORD, Oklahoma             JOE MANCHIN, West Virginia
TOM COTTON, Arkansas                 KAMALA HARRIS, California
                 MITCH McCONNELL, Kentucky, Ex Officio
                  CHUCK SCHUMER, New York, Ex Officio
                    JOHN McCAIN, Arizona, Ex Officio
                  JACK REED, Rhode Island, Ex Officio
                      Chris Joyner, Staff Director
                 Michael Casey, Minority Staff Director
                   Kelsey Stroud Bailey, Chief Clerk


                             MARCH 30, 2017

                           OPENING STATEMENTS

Burr, Hon. Richard, Chairman, a U.S. Senator from North Carolina
Warner, Hon. Mark R., Vice Chairman, a U.S. Senator from Virginia

                               WITNESSES

Mandia, Kevin, Chief Executive Officer, FireEye, Inc.
    Prepared statement
Alexander, General (Ret.) Keith B., President and Chief Executive
  Officer, IronNet Cybersecurity
    Prepared statement
Rid, Thomas, Ph.D., Professor of Security Studies, King's
  College, London
    Prepared statement

                         SUPPLEMENTAL MATERIAL

Prepared statement of Senator Burr
                                PANEL II


                        THURSDAY, MARCH 30, 2017

                                       U.S. Senate,
                          Select Committee on Intelligence,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:05 p.m. in Room 
SD-106, Dirksen Senate Office Building, Hon. Richard Burr 
(Chairman of the Committee) presiding.
    Committee Members Present: Senators Burr, Warner, Risch, 
Rubio, Blunt, Lankford, Cotton, Cornyn, Feinstein, Wyden, 
Heinrich, King, Manchin, Harris, and Reed.


    Chairman Burr. I'd like to call this hearing to order. This 
morning the committee examined the history and characteristics 
of the Russian active measures campaign as it led up to this, 
our second panel, which will examine the role cyber operations 
play in support of these activities.
    I'd like to welcome our witnesses: Mr. Kevin Mandia, Chief 
Executive Officer of FireEye, a global cyber security company. 
Prior to founding the cyber security company Mandiant, which 
was acquired by FireEye in 2013, Mr. Mandia served in the 
United States Air Force as a computer security officer and 
later as a special agent in the Air Force Office of Special 
Investigations, where he worked as a cyber crime investigator.
    Mr. Mandia, I thank you for being here today and, more 
importantly, thank you for your service.
    General Keith Alexander is the CEO and President of IronNet 
Cybersecurity, another global cyber security firm on the 
forefront of our Nation's commercial efforts to mitigate cyber 
security threats. Prior to founding IronNet, General Alexander 
served for 40 years in our armed forces, culminating with his 
tenure as the Director of the National Security Agency from 
2005 to 2014 and concurrent service as Director of U.S. Cyber 
Command from 2010 to 2014.
    General, thank you for being here today and, more 
importantly, for your service to the country.
    Also, Dr. Thomas Rid is a Professor of Security Studies at 
King's College, London. He has studied and written extensively 
on cyber security issues. He has worked at Hebrew University in 
Jerusalem, Johns Hopkins School for Advanced International 
Studies, and the Rand Corporation.
    Dr. Rid, thank you as well for your expertise and we look 
forward to your testimony, as well as we do the other two 
    I'd like to note for the public and for my fellow members 
that the level of cyber expertise in front of us is truly 
remarkable. These witnesses will be able to provide at an 
unclassified level some extremely useful texture and detail to 
the discussion that we began this morning, and I feel certain--
and I say this to all three of you--that the committee in a 
closed setting might want to reach out to you as we begin to 
dig a little deeper, so that we can get your thoughts and tap 
into your expertise in a setting that might be able to explore 
a little further than the open setting of this hearing.
    So once again I'll say to members that for this hearing we 
will be recognized by order of seniority for five-minute 
rounds. I would note for members that we are targeted to have a 
vote somewhere between 4:00 and 4:30. It would be my hope that 
we could wrap up prior to that vote and not hold our witnesses 
open, and that way we would conclude Senate business for the 
week with that vote.
    Vice Chairman.

 OPENING STATEMENT OF HON. MARK R. WARNER, VICE CHAIRMAN, A U.S. 
                      SENATOR FROM VIRGINIA

    Vice Chairman Warner. Thank you, Mr. Chairman. I don't have 
any statement other than one to welcome all the witnesses and 
to point out that before Mr. Mandia's company was acquired by a 
California company he was based in Alexandria, Virginia, where 
he did great, great work. And we'd be happy to have you bring 
your company back, with all due deference to Senator Harris, 
back to Virginia.
    Senator Harris. Stay in the sunshine.
    Chairman Burr. With that, Kevin, I'm going to recognize you 
to start, and recognize there's a big difference between the 
tech company you ran and the tech company he claims that he 


    Mr. Mandia. Thank you. I'd like to start by thanking the 
Chairman, thanking the Vice Chairman, and the whole Senate 
Intelligence Committee for this opportunity to share some of 
the experiences and observables I've had in cyberspace over the 
last 22 years. What I'm going to speak about today is the cyber 
capabilities and techniques attributed to Russian hackers, 
specifically the threat group that we refer to as APT28. I want 
to talk also about recommendations to prevent or mitigate the 
impact of these efforts to compromise.
    Before I answer your questions, I want to give you a little 
bit of my background or the background of our company so you 
understand the context of my narrative. As I sit here right 
now, we have hundreds of employees responding to computer 
security breaches. We think it's critical to own that moment of 
responding to a breach, collecting the trace evidence, and 
analyzing that evidence.
    So as I give you my narrative today, it's based on really 
three things. It's based on: one, what we are learning as we 
respond to hundreds of breaches a year. We're cataloguing that 
trace evidence and we're putting it into a linked database. 
Then we have over 150 threat analysts worldwide who speak 32 
languages. They're in 32 countries, and they're trying to marry 
up what we're seeing in cyberspace to what we're seeing in the 
geopolitical world out there today.
    Then the third source of my dialogue, the third source of 
evidence, is in fact we have 5,000-plus customers who are 
relying on our technology to protect them on a daily basis.
    Let me first speak to the methodologies being used by APT 
Group 28. We attribute many intrusions to these folks. You 
might have heard about the Worldwide Antidoping Agency, the DNC 
breach, the DCC breach, the Ukrainian Central Election 
Commission, TV5Monde, and I can keep going on. I believe the 
Doctor will mention some more of these victims.
    But all the breaches that we attribute to APT28 in the last 
two years involved the theft of internal data as well as the 
leaking of this data by some other party, potentially APT28, 
potentially some other arm of the organization, into the 
    During the course of our APT28 investigations, we've had a 
significant amount of evidence. We've looked at 550 or more 
pieces of custom malware. A lot of people will think, well, 
what's that mean? We don't see this malware publicly available. 
It's not available to any of you to download and use tomorrow. 
It's being crafted by somebody in a building somewhere. It's 
being shared by people in a closed loop and it's not widespread 
or available to anybody.
    We've identified over 500 domains or IP addresses used by 
this group when they attack. To put that in perspective, almost 
every modern nation that develops an operational capability in 
cyberspace, the first thing they need to do is get an 
infrastructure they use to then attack the real site of their 
attacks, the real intent, the real target. So there's a huge 
infrastructure of compromised machines or false fronts or 
organizations that are used for these attacks, and we found 
over 500 of those.
    We've analyzed over 70 lure documents written in many 
different languages. These are the documents that you receive 
during a spear phishing and they're armed documents if you open 
up and peruse them. What's interesting is when you assess the 
lure documents they're related to the subjects and interests of 
the people who are receiving these documents. So a lot of work 
is going into the backdrop or the background of the people that 
are being spear phished.
    I can go on and on. I've got 40, 50 more pages of what they 
do. But I'll focus on a couple things that also help us 
attribute APT28's activities to the Russian government. In 2015 
alone, we saw APT28 leverage five zero-days, at least based on 
our observables. A zero-day is an attack that does not have a 
patch available for it. It will work if received and you 
execute the file.
    The best way to liken the value of a zero-day is, the 
minute it's used and it's been weaponized, its value goes down 
incredibly fast. So when you see these things, they're mostly 
in the--they're mostly in the toolbox of a nation-state at this 
point. Over the last ten years, the security industry has done 
a great job making the cost of zero-days go up and to the 
right, and we're seeing APT28 deploy zero-days as needed.
    They're also extremely hard to detect once they're in your 
network, because they rely on the tools your system 
administrators rely on. So they're pretty--I always say they 
turn to ghosts almost. The minute they're in, your likelihood 
of detecting them if you don't detect the initial breach goes 
down exponentially. So they have zero-day capability. They 
operate using your tools and they operate very hard to detect.
    I want to share with you three observations that I saw 
emerge in 2014 that I did not see prior to responding to these 
state actors. I had the privilege of responding to them when I 
was in the Air Force, probably a different group, but a group 
that we attributed to the Russian government. Every time I 
responded to them on the front lines, if they knew we were 
watching them they would evaporate. We never got to observe the 
tools, tactics, and procedures of Russian state-sponsored 
intrusions in the late 1990s and early 2000s. They didn't let 
us do it.
    For some reason, in August of 2014 we were responding to a 
breach at a government organization and during our response our 
front-line responder said: They know we're there, they know 
we're observing them, and they're still doing their activities. 
So I actually flew in, sat on the front lines. It's the first I 
have seen it.
    To me that was big news because I had a 20-year run from 
1993 to about 2014 where they never changed the rules of 
engagement. I'd say they changed in August or September 2014.
    The second thing they did, they started operating at a 
scale and scope where you could easily detect them. We were 
observing and orienting on them. They were letting us do it, 
but their scale and scope became widely known to many security 
organizations, and we all started working together to get 
better visibility and fidelity into their tools, tactics, and 
    Lastly, something that I wouldn't have predicted, but we 
also witnessed for the first time in 2014, is a group that we'd 
attribute to the Russian government compromising organizations 
and then suddenly the documents were being leaked out in a 
public forum through hacktivist personas, which we have not 
    In conclusion, today and into the foreseeable future it is 
our view that the United States is going to continue to see 
these things happen. While many organizations are actively 
trying to counter these attacks, there is such an asymmetry 
between offense and defense in cyberspace that it's really hard 
for any organization to modernize and prevent these intrusions 
from occurring when you have a state-sponsored attacker.
    Therefore, we need to explore ways both within and outside 
of the cyber domain to help deter these attacks.
    Lastly, I always say if I had five minutes to talk to the 
Senate, what would I say? Well, here it is. I think we have to 
first start with we've got to get attribution right. We've got 
to know who's hacking us so we can establish a deterrent, and 
this gives us a great opportunity to make sure we have the 
tools necessary and the international cooperation necessary to 
have attribution. When you have attribution right, then you can 
consider the proportional response and the other tools at your 
disposal as diplomats to make sure we have the deterrence we 
    Thank you very much for this opportunity.
    [The prepared statement of Mr. Mandia follows:]

    Chairman Burr. Thank you.
    General, welcome.


    General Alexander. Chairman, Ranking Member, distinguished 
members of the committee: It's an honor to be here, I think. I 
want to pick up from where Kevin left off. I want to raise it 
up a strategic level.
    I had the opportunity this morning to see on the news you 
and the Ranking Member talk about approaching this in a 
bipartisan way, approaching the solution in a bipartisan way. 
When you look at the problem and what we're facing, it's not a 
Republican problem, it's not a Democratic problem. This is an 
American problem and we all have to come together to solve it. 
I think that's very important.
    If we step back and look at this, I want to cover several 
key areas to give my perspective on what's going on. First with 
respect to technology, communications is doubling every year. 
We're getting more devices attached to the network. This 
network is growing like crazy, and so are the vulnerabilities. 
Our wealth, our future, our country is stored in these devices. 
We've got to figure out how to secure them.
    With those vulnerabilities, we've seen since 2007 attacks 
on countries like Estonia, Georgia, Ukraine, Saudi Arabia--a 
whole series of attacks, and then Crimea and others, and then 
the attacks on the power grid in the Ukraine. What's clear is 
this network and these tools have gone from interesting 
exploitation for governments and crime to elements of national 
    I think from my perspective, when we consider that this is 
now an element of national power, we have to step back and say: 
What's their objective? Sun-Tzu said: ``Know yourself and know 
your enemy and you'll be successful in a thousand campaigns.'' 
What's Russia trying to do and why are they trying to do it?
    From my perspective as I look at it from my background, 
it's clear it's not just trying to go after the Democratic 
National Convention or others. This is widespread and a 
campaign that they're looking at doing that will drive wedges 
between our own political parties and between our country and 
NATO and within NATO and within the European Union.
    Why? I believe when you look at Russia and if you were to 
play out on a map what's happened over the last 25 or 30 years, 
they see the fall of the Soviet Union and the impacts on their 
near border and all these as impacts on them.
    I bring all this up because one of the questions that's out 
in the press is: Do we engage the Russians or do we not? Every 
administration that I'm familiar with, including the Obama 
administration, started out with: We're going to engage them. 
In fact it was called ``the reset button.'' While that didn't 
go far, I believe this Administration should do the same.
    When I look at what's going on here, there's another 
opportunity that we have. When you look at the characteristics 
of leaders in this Administration, we have people with great 
business experience--the President and the Secretary of State--
and great national security experience. In addressing the 
problem that we're now dealing with, this is a new area. We're 
seeing cyber as an element of national power. How do we now 
engage Russia and other countries and set the right framework?
    I believe we have to engage and confront: engage them in 
those areas that we can, set up the right path, reach out, and 
cool this down, I really do. We've got to fix that.
    At the same time, we've got to let them know what things 
they can't do and why they cannot do those--set those 
standards. I think what this group can do and what you are 
doing, Chairman and Vice Chairman, is make this a bipartisan 
approach: solve this for the good of the Nation.
    We look at cyber security and what Kevin gave you in terms 
of what industry sees and what government sees. Over the last 
decade, we have jointly worked on coming up with cyber 
legislation, how industry and government works together. If 
we're going to address attribution and other issues, we also 
have to set up the way for our industry and sectors to work 
with the government so that that attribution of things that the 
government knows and those things that industry knows can be 
used for the common good.
    It's interesting that sitting in the presidential 
commission, one of the things that came out when we looked at 
what's going on was, what's our strategy? At times people 
looked at this as it's a government issue and it's an industry 
issue. It's not. This is something that we need to look at as a 
common issue. ``For the common defense,'' it's in the preamble 
to the Constitution and it's something that we should all look 
at. Then we should see, how do we extend that to our allies?
    So I would step back and encourage, encourage you to step 
back and look at the strategy: What's Russia trying to do and 
why are they trying to do it, and how do we engage them? At the 
same time, we need to address our cyber security issues and go 
fix those and get on with that.
    Thank you very much, Mr. Chairman.
    [The prepared statement of General Alexander follows:]

    Chairman Burr. Thank you, General.
    Mr. Rid.

   STATEMENT OF THOMAS RID, Ph.D., PROFESSOR OF SECURITY STUDIES, 
                      KING'S COLLEGE, LONDON

    Dr. Rid. Chairman Burr, Vice Chairman Warner, members of 
the committee: Thank you for giving me the opportunity to speak 
today about active measures.
    Understanding cyber operations in the 21st century is 
impossible without first understanding intelligence operations 
in the 20th century. Attributing and countering disinformation 
today is therefore also impossible without first understanding 
how the United States and its allies attributed and countered 
hundreds of active measures throughout the Cold War.
    Nobody summarized this dark art of disinformation better 
than Colonel Rolf Wagenbreth from the Stasi, who headed the 
Department X there. He said, and I quote: ``A powerful 
adversary can only be defeated through a sophisticated, 
methodical, careful, and shrewd effort to exploit even the 
smallest cracks within our enemies and within their elites.''
    The tried and tested way of active measures is to use an 
adversary's existing weaknesses against himself, to drive 
wedges into preexisting cracks. The more polarized a society, 
the more vulnerable it is; and America in 2016, of course, was 
highly polarized, with lots of cracks to drive wedges into. But 
not all wedges; improved high-tech wedges that allowed the 
Kremlin's operatives to attack their target faster, more 
reactively, and at a far larger scale than ever before.
    But the Russian operatives also left behind more clues and 
more traces than ever before, and assessing these clues and 
operations requires context. First, in the past 60 years--and 
we talked about this already this morning--active measures 
became the norm. The Cold War likely saw more than 10,000 
active measures across the world. This is a remarkable figure. 
The lull in the 1990s and the 2000s I think was an exception.
    Second, in the past 20 years aggressive Russian digital 
espionage campaigns--Kevin Mandia mentioned one of them--became 
the norm as well. The first major state-on-state campaign was 
called Moonlight Maze, and it started in 1996. In 2000 a shift 
in tactics became apparent, especially in Moscow's military 
intelligence agency, GRU. A once careful, risk-averse, and 
shrewd and stealthy espionage actor became more careless, risk-
taking, and error-prone. One particularly revealing slip-up 
resulted in a highly granular view of just one slice of GRU 
targeting between March 2015 and May 2016 in the lead-up to the 
election. That slice contained more than 19,000 malicious links 
targeting nearly 7,000 individuals across the world, really.
    Third, in the past two years now, coming closer to the 
present, Russian intelligence operations began to combine those 
two things, hacking and leaking. By early 2015, military 
intelligence was targeting defense and diplomatic entities at 
high tempo. Among the targets were the private accounts, for 
example, of the current Chairman of the Joint Chiefs of Staff, 
General Dunford, or current Assistant Secretary of the Air 
Force Daniel Ginsberg, or the current U.S. Ambassador to Russia 
John Tefft, and his predecessor Michael McFaul; a large number 
of diplomatic and military officials in Ukraine, Georgia, 
Turkey, Saudi Arabia, Afghanistan, and many countries bordering 
Russia, especially their defense attaches.
    All, I add, are legitimate and predictable targets for a 
military intelligence agency. Russian intelligence, curiously, 
also targeted inside Russia, critics inside Russia, for 
example, the hacker group Shaltay Boltai. In early 2015, GRU 
breached successfully not just the German Parliament, but also 
the Italian military and the Saudi foreign ministry.
    Between June 15 and November 16, at least six different 
front organizations appeared, very much Cold War style, to 
spread some of the stolen information to the public in a 
targeted way.
    Finally, in the past year the timeline here in the U.S. 
election campaign began to align. Between March 10th and April 
7, GRU targeted at least 109 full-time Clinton campaign 
staffers. These are only full-time core staffers, not their 
volunteers. These are not even counted here. Russian 
intelligence targeted Clinton's senior advisor Jake Sullivan in 
at least 14 different attempts beginning on 19 March. GRU 
targeted even Secretary Clinton's personal email account, but 
the data show that she did not fall for the trick and didn't 
actually reveal her password.
    Military intelligence agency GRU also targeted DNC staffers 
between March 15 and April 11, the timing lines up nearly 
perfectly. About one week later, after the events that I just 
mentioned, the DCLeaks website was registered, getting ready to 
spread these data publicly. The overlap between individuals 
hacked by GRU and leaked on DCLeaks is nearly perfect. Out of 
13 named leak victims, the available forensic evidence 
identifies 12 as targeted by GRU, with the exception of George 
Soros, by the way.
    But a narrow technical analysis would miss the main 
political and ethical challenge. Soviet bloc disinformation 
specialists preferred the art of exploiting what was then 
called ``unwitting agents.'' There is no contradiction in their 
reading between being an honest American patriot and at the 
same time furthering the cause of Russia. In the peace movement 
in the 1980s we saw that people were genuinely protesting, say, 
the NATO double track decision, but at the same time advancing 
Russian goals. There is no contradiction.
    Three types of unwitting agents--and I would like to close 
with that--stand out: WikiLeaks; Twitter, the company itself, 
and I'm happy to expand later; and over-eager journalists 
aggressively covering the political leaks while neglecting or 
ignoring their provenance.
    In 1965 the KGB's grandmaster of dezinformatsiya, General 
Ivan Agayants, inspected his active measures outpost in Prague, 
a particularly effective and aggressive one, and he said, 
quote: ``Sometimes I am amazed how easy it is to play these 
games. If they did not have press freedom, we would have to 
invent it for them.''
    Later the Czech operative that he was speaking with in that 
very moment defected to the United States and testified in 
Congress, and I quote him to close. He said: ``The press should 
be more cautious with anonymous leaks. Anonymity is a signal 
indicating that the Big Russian Bear might be involved.''
    Thank you.
    [The prepared statement of Dr. Rid follows:]

    Chairman Burr. I want to thank all three of you for your 
testimony. I think it's safe to say that this is probably a 
foundational hearing for our investigation, to have three 
people with the knowledge that you do. I hope when you do get 
that second call or third call that you'll sit down with us as 
we have peeled back the onion and a little bit and we have 
technical questions. But we've got some technical expertise on 
the committee. You can look at a lot of gray hair and realize 
that my technology capabilities are very shallow and that many 
of us struggle to understand not just what they can do, but 
even the lingo that's used, the dark side of the web, the open 
side of the web. These things are amazing and would be shocking 
to most people.
    I'm going to turn to the Vice Chairman for his questions.
    Vice Chairman Warner. Thank you, Mr. Chairman. Let me echo 
what you said. I think we've got an incredible panel of 
experts, and you're here because of that expertise.
    I've got three questions that I'd like to try to get 
through, the first one hopefully fairly quickly. Based upon 
your expertise and knowledge, do you have, any of you, have any 
doubt that it was Russia and Russian agents that perpetrated 
during the 2016 presidential campaign the hacks of the DNC and 
the Podesta emails and the misinformation and disinformation 
campaign that took place during the election? A short answer 
will do. Do any of you have any doubt that it was Russia?
    Mr. Mandia. I think basically, from the observables we get 
at the victim sites you can't always connect the dots. We can't 
show you a picture of a building. We can't give you a list of 
names of people who did it. We have to look at a lot of other 
factors, some of which is incredible amounts of detail.
    But we've got ten years of observation here. We've seen 
similar behaviors in the past. My best answer is it absolutely 
stretches credulity to think they were not involved.
    Vice Chairman Warner. General Alexander.
    General Alexander. I believe they were involved.
    Vice Chairman Warner. Dr. Rid.
    Dr. Rid. I believe they were involved as well.
    Vice Chairman Warner. Thank you.
    It has been reported that some of the techniques--and I say 
to my good friend Richard Burr, I used to be technologically 
savvy up until about year 2000, 2001, which still puts me a 
decade ahead of some of my colleagues.
    But it's been reported in the press and elsewhere that by 
using internet trolls and then the botnets and that exponential 
ability then to kind of flood the zone that in the 
misinformation and disinformation campaign they were, the 
Russians, were able to flood the zone, actually not in a broad-
based, across the whole country, but literally target it down 
to precinct levels in certain states.
    Is that capable to do, if you could have the botnet network 
that would in effect put out misinformation or disinformation 
and then all of the other accessory sites that would then gang 
up on that and target that down to a geographic location?
    General Alexander. I think it's technically possible. I 
don't know that you have--that I have enough information to say 
that was done at each one of those locations. But I think it's 
technically possible. If you put enough people on it, yes, you 
could do that.
    Vice Chairman Warner. Dr. Rid or Mr. Mandia.
    Dr. Rid. It's very technically possible. May I just make an 
important distinction here between a ``botnet,'' which is 
usually remotely controlling somebody's computing resources and 
machine, and ``bots,'' that is fake Twitter accounts that are 
    Vice Chairman Warner. But they both have the effect. 
Somebody's campaign--somebody's computer that is accessed or 
fake Twitter accounts, bots, they still have the same effect of 
pushing a news story higher on a news feed, for example, a 
Twitter news feed or a Facebook news feed?
    Dr. Rid. That is mostly done by bots within social media 
networks, that can be any social media network. Botnets are 
usually used for different purposes.
    Vice Chairman Warner. Kevin, do you want to?
    Mr. Mandia. Yes. Peeling back the question, there's a 
couple things. I think you can always try to get public 
perception to go certain ways based on the results of Google 
searches and things like that, and you can automate ways to up-
level people's attention to things, with all the social media.
    The good news is during the election a lot of states had 
the foresight to, let's do shields up and let's be very 
diligent, let's watch all the cyber traffic we can. And we 
didn't see any evidence, at least in the DDOS side or 
distributed denial of service attacks or attacks--we didn't see 
anything that harmed the actual election process.
    Vice Chairman Warner. That was not the--but the question of 
targeting in.
    So here's the last question. I've heard and it's been 
reported that part of the misinformation-disinformation 
campaign that was launched was launched in three key states--
Wisconsin, Michigan, and Pennsylvania--and it was launched, 
interestingly enough, not to reinforce Trump voters to go out, 
but actually targeted at potential Clinton voters with 
misinformation in the last week where they were not suddenly 
reading, if they got their news from Facebook or Twitter, 
Clinton and Trump back and forth, but stories about Clinton 
being sick and other things.
    I guess my final point here is--and this may be beyond 
anybody's expertise, but my understanding is the Russians, 
although very good at some of this technology piece, they might 
not have been so good at being able to target to a precinct 
level American political turnout; that that would mean they 
might be actually receiving some information or alliance from 
some American political expertise to be able to figure out 
where to focus these efforts.
    Dr. Rid. I haven't seen a detailed analysis of the 
precinct-level targeting that would be good enough to 
substantiate this assumption. But this relates to a more 
fundamental problem. One different, separate entire group of 
actors and some completely legitimate within the campaign were 
taking advantage of social media. So it's really difficult to 
distinguish for researchers after the fact what actually is a 
fake account and what is a real account.
    Ultimately, we need the cooperation of some of the social 
media companies to give us heuristics and visibility into the 
data that only they have.
    General Alexander. I would take it a step higher, that, 
Senator, I think what they were trying to do is to drive a 
wedge within the Democratic Party between the Clinton group and 
the Sanders group, and then within our Nation between 
Republicans and Democrats. I think what that does is it drives 
us further apart, that's in their best interest. And we see 
that elsewhere.
    I'm not sure I could zone it down to a specific precinct, 
but I think what we would expect is for them to create 
divisions within the whole framework and destroy our unity. And 
you can see, actually, if you look back over the last year, we 
didn't need a lot of help in some of those areas.
    So now the question is, and where I think you have the 
opportunity, is how do we build that back?
    Chairman Burr. Let me say before I recognize Senator Rubio, 
I want to clarify what I said about Senator Warner's business. 
My reference meant that it was about 14 years ago, 15 years 
ago. And I think it was you, General Alexander, that came in 
front of the committee and said: In the future, people won't 
file technological patents because technology will change so 
quickly that you won't have a year and a half's time to go 
through the patent approval process before your technology is 
    I think we have reached that point of technological 
explosion, that what we're talking about today we could have a 
hearing six months from now and probably talk about something 
    Vice Chairman Warner. But I would say that the cell phones 
that I was involved with in the early 1980s have become a bit 
    Chairman Burr. Well, we all wish we had flip phones again, 
I can tell you that.
    Senator Rubio.
    Senator Rubio. Thank you, Mr. Chairman, and to the Ranking 
    Before I get to my question, Mr. Chairman, in the first 
panel one of the individuals that appeared before us mentioned 
me in connection with efforts in the 2016 presidential primary. 
I am not prepared to comment on that and any information on 
that issue hopefully will be reflected in our report, if any.
    I do think it is appropriate, however, to divulge to the 
committee, since a lot of this has taken a partisan tone, not 
in the committee but in the broader perspective, the following 
facts. In July of 2016, shortly after I announced that I would 
seek reelection to the United States Senate, former members of 
my presidential campaign team who had access to the internal 
information of my presidential campaign were targeted by IP 
addresses with an unknown location within Russia. That effort 
was unsuccessful.
    I'd also inform the committee that within the last 24 
hours, at 10:45 a.m. yesterday, a second attempt was made, 
again against former members of my presidential campaign team 
who had access to our internal information, again targeted from 
an IP address from an unknown location in Russia. That effort 
was also unsuccessful.
    My question to all the panelists: I have heard a lot on the 
radio and on television an advertisement for a firm in the 
United States actively marketed in Best Buy and other places by 
the name of Kaspersky Labs. There have been open source reports 
which I can cite that basically say that Kaspersky Labs has a 
long history connecting them with the KGB's successor, the 
Russian security services. I have a Bloomberg article here and 
    I would ask the panelists: In your capacity as experts in 
information technology, would any of you ever put Kaspersky 
Labs on any device that you use, and do you think any of us 
here in this room should ever put Kaspersky Labs products on 
any of our devices or computers or IT material?
    Mr. Mandia. I think the way I'd address that is, generally 
people's products are better based on where they're most 
located and what attacks they defend against. For example, you 
think about Symantec or McAfee or my company and other 
companies. We are prominently used in the U.S., so we get to 
see the best attacks from China and cyber espionage campaigns 
in Russia. In the Middle East, it's already in massive 
escalation mode and we're all prominent there.
    I think what we're starting to see is an alignment where 
Japan will let a U.S. company secure Japan, South Korea will 
let a U.S. company defend South Korea, the Middle East will let 
a U.S. company defend it, but you almost see lines being drawn.
    There's no doubt the efficacy of Kaspersky's products. They 
probably get to see different things than we see, being this 
relevant here.
    Senator Rubio. My question was not about whether it's an 
effective tool. My question about it is whether you would ever 
put it on your computer.
    Mr. Mandia. My answer indirectly would be there would be 
better software probably available to you than Kaspersky to 
defend you here.
    General Alexander. I'll answer by, no, I wouldn't, and I 
wouldn't recommend that you do it either. There's better 
capabilities here that you can use, FireEye, for example, and 
I'm being credited now with that--no. There are other U.S. 
firms that answer and solve problems that will face you for the 
issues that you described earlier, Senator, that I think would 
be better at blocking them.
    Dr. Rid. I would, yes. I would also use a competing product 
at the same time. Always a bit of redundancy never harms.
    But it's important to say that Kaspersky is not an arm of 
the Russian government if we look at the publicly available 
evidence. Kaspersky has published information about Russian 
cyber attack, cyber intrusion campaigns, digital espionage, 
about several different Russian campaigns. Name any American 
company that publishes information about American digital 
    Senator Rubio. My second question to the panel in the time 
that I have remaining is: My concern in our debate here is that 
we're so focused on the hacking and the emails that we've 
lost--and I think others have used this terminology--we've 
focused on the trees and have lost sight of the forest.
    The hacking is a tactic to gather information, for the 
broader goal of introducing information into the political 
environment, into the public discourse, to achieve an aim and a 
goal. It is the combination of information leaked to the media, 
which of course is always very interested in salacious things, 
as is their right in a free society. The public wants to read 
about that, too, sometimes.
    But it's also part of this other effort of misinformation, 
fake news, and the like. Would you not advise this panel to 
look simply beyond the emails--that's an important part--to the 
broader effort in which the emails in the strategic placement 
of information in the press is one aspect of a much broader 
    General Alexander. Senator, that was part of my point about 
bringing this up to a strategic level and saying that what's 
Russia trying to accomplish with respect to NATO, the European 
Union, and the U.S., and driving a wedge between those and 
creating tensions between those countries and ours.
    If you were to go back and look at what's happened to 
Russia over the last 30 years and then play that forward and 
see what they're now doing, you can see a logic to their 
strategy. I think that's something that we now need to address. 
I do think we ought to address this with the Russians and get 
the Administration to do that. It's not something that we want 
to go to war on. It's something that we want to resolve by 
engagement and confrontation.
    Dr. Rid. How are active measures today different from in 
the Cold War? This is in answer to your question. In the Cold 
War, active measures were really artisanal--very quiet, 
craftsmanship, a lot of hard work, forging letters, doing 
research. It was a real undertaking. Today they're not 
artisanal; they're outsourced, outsourced in part to the 
victim, and especially to journalists, American journalists. 
They add the value to these active measures.
    This is important because if we look at the operations in 
hindsight they appear a lot more sophisticated than they 
actually were. So we run the risk of overestimating Russian 
capabilities here.
    Chairman Burr. Senator Feinstein.
    Senator Feinstein. Thank you very much, Mr. Chairman.
    Kevin Mandia, it's good to see you again. I want you to 
know how much your nation report was appreciated. You spoke 
before this committee and I think everybody very much 
appreciated it and I think it had some good results. So thank 
you very much.
    General Alexander, this is the first time I've seen you out 
of uniform. Civilian clothing is becoming. I'd like to 
personally welcome you.
    I don't know our third gentleman, but I want to address 
this to General Alexander. You were Cyber Command for a number 
of years. You spoke about the fact that the time has come for 
us to get tough. We have talked about that before. We have 
WikiLeaks and stream after stream after stream of release of 
classified information, which has done substantial harm to this 
    Yet we do nothing. And everybody says, well, we'd like to 
do something, but we don't quite know what it is. I never 
thought we would be in a situation where a country like Russia 
would use this kind of active measure in a presidential 
campaign. The size of this, the enormity of it, is just 
eclipsing everything else in my mind.
    Yet there is no response. As you have left now and you've 
put the Cyber Command on your desk, what would you do? What 
would you recommend to this government?
    General Alexander. I think there are two broad objectives 
we ought to do. We ought to fix the defense between the public 
and private sector, between government and industry.
    Senator Feinstein. You've said that.
    General Alexander. We have to fix that, because much of 
what we're seeing is impacting the commercial--or the private 
sector. Yet the government can't really see that. So the 
government's not going to be able to help out and the ability 
to take actions to actively mitigate it therefore are 
nonexistent or after the fact.
    If you think about Sony as an example and imagine that as 
the attack coming in, the government couldn't see that at 
network speed and so the government came in and did incident 
response. Everything could happen to Sony. What you really want 
the government to do is just stop a nation-state like North 
Korea or Russia from attacking us. But the government can't do 
that if it can't see it.
    So we have to put this together. We have to come up with a 
way of sharing threat intelligence information at network speed 
and practicing what our government and industry do together and 
work that with our allies. I believe we can do this and protect 
civil liberties and privacy. I think we often combine those 
two, but we can actually separate and show that you can do 
    Senator Feinstein. How?
    General Alexander. Well, for first, the information that 
we're talking about here doesn't involve our personally 
identifiable information. Think of this as looking at airplane 
traffic over the country. When you see radars looking at those 
airplanes that are going by--think of those as pieces of 
information--they aren't reading everybody in the airplane. 
They're seeing an airplane and they're passing it on to another 
controller, who sees a comprehensive picture.
    What we see is what radar sees today. So we don't 
actually--we're not talking about reading threat information. 
We want to know what's that packet of information doing, why is 
it coming here, and can I or should I share the fact that a 
threat is coming to us.
    Senator Feinstein. I understand what you're saying. But 
what I'm asking you for is different. It is your expertise 
based on this, based on the fact that the Russian government, 
including two intelligence services, made a major cyber attack 
on a presidential election in this country, with a view of 
influencing the outcome.
    What would you recommend?
    General Alexander. The first step was fix the defense, 
because if you take offense and you don't have a defense then 
the second step of going after the power or other sectors puts 
us at greater risk. So from a National Security Council 
perspective, what I would expect any administration to do is to 
look at the consequences of the actions that they take.
    So when I said engage and confront, in this regard what I 
would do, what I would recommend, is first and foremost a quiet 
engagement with the Russian government about what we know and 
why we know it, without giving away our secrets, and say, 
that's got to stop. We need an engagement here.
    If we're going to confront them, it would be: We know 
you're doing this right now; stop that. We had a channel in the 
Cold War for doing it. We need a channel to get that and build 
back the ability to stop things, from my perspective.
    I would be against using cyber only as a tool against 
Russia when we have these vulnerabilities we haven't addressed 
here in our own country. I think it would be a mistake until we 
fix that. So that's why I say we have to do both.
    I actually--and it was interesting. We were talking 
beforehand, and Thomas can add to this. One of the things that 
as you look at this--I don't believe Russia understood the 
impact their decisions would have in this area. It's far 
exceeded it. With all the discussion going on in our country 
today, I am sure that people in Russia are saying: Oops, we 
overdid this.
    Now is the time for us to say: not only did you overdo it, 
we need to set a framework for how we're going to work in the 
future, and we need to set that now. That can only be done by 
engaging them face to face, and I think that's what has to be 
    Senator Feinstein. Thank you. Very helpful.
    Thank you, Mr. Chairman.
    Chairman Burr. Senator Blunt.
    Senator Blunt. Let's start with General Alexander. I asked 
a question this morning, which was, after all the discussion of 
the long history of Russian involvement in European elections, 
of things that have happened for a long time and really in a 
significant way in the last 15 years, why do you think that we 
were not better prepared for this?
    General Alexander, you just said that we needed to have a 
defense. Why wouldn't we have had a defense? What was this 
about this particular thing that had been so anticipated that 
the intelligence community, the U.S. Government, even the 
media, appears not to have had the defense you just mentioned 
we should have now?
    General Alexander. Senator, this has been a great 
discussion that you and the other House of Congress have talked 
about, and that's how do we put together our country's cyber 
legislation? Right now we do not have a way for industry and 
government to work together. So if you think about the DNC or 
the RNC or the electricity sector and others, when they're 
being attacked the ability for the government to see and do 
something on that doesn't exist.
    Everybody recognizes that we need to do it. We talk about 
it. In fact, we had at the Armed Services Committee a 
discussion on it. But we haven't taken the steps to bind that 
together. We allow it, but we haven't created it.
    I believe that's the most important thing that we could do 
on that one vector that Senator Feinstein brought up: fix the 
defense. The reason is the government's not tracking the RNC 
and the DNC. Now, industry sees it, and Kevin brought out some 
key points of what was going on and what they were seeing from 
an industry perspective. But the reality is we haven't brought 
these two great capabilities together.
    The other part, it's my personal experience the government 
can help on attribution several times greater than what we see 
in industry. If you put those two together, we could act a lot 
    Senator Blunt. Let's go to Mr. Rid. Mr. Rid, should we 
have--was there nothing we could have done here? Were we not 
paying the level of attention that we should have paid? Or is 
it just we just aren't ready because our structure doesn't 
allow us to anticipate what we know was happening in elections 
all over the world before 2015 and 2016 here? Particularly in 
Europe. Maybe ``all over the world'' might be a stretch, but 
all over Europe, not a stretch.
    Dr. Rid. There's a lot we can do in order to increase 
defenses here, as well as to minimize the effect of active 
measures that are already taking place. Let me name an example. 
Let's make this concrete. You as members of the legislative 
body are--and the same is true in Europe--the soft underbelly 
of the government of the wider administration and government, 
because--this is true for all parliaments--the IT security is 
notoriously bad.
    The chip card that many of your staff members carry around 
their neck, the CAC card, as it's called, here in Congress, if 
my information is correct, doesn't actually have the proper 
chip. It has a picture of a chip. Try feeling. Try to feel the 
chip with your fingernail. There is no chip. It's only to 
prevent chip environment if you meet with other parts of the 
Executive Branch. That tells you that there's a very serious IT 
security problem. It should be mandatory--and potentially this 
is something you would think about as we move forward--it 
should be mandatory for all campaigns, just like you have to 
disclose financial records, it should be mandatory by default 
to have two-factor authentication. So not just a password, but 
actually a second thing, like a number that is generated by an 
app or a specific key.
    Senator Blunt. Thank you.
    We had somebody this morning say it should be mandatory for 
the State Department to have a program to every day say what 
was true and what wasn't true. There are certain levels beyond 
what you can require people to do that really don't make that 
kind of sense.
    Mr. Mandia--and I don't mean your comment didn't, but there 
are practical levels now. I also say the ``soft underbelly'' is 
one of the nicer things the Legislative Branch would be called 
these days. But your thoughts on why we didn't see this coming? 
The earlier panel had a more robust sense of where we should 
have been understanding what was going on than this one.
    Mr. Mandia. There's probably a lot of ways to answer that. 
I'll answer it this way. When it comes to cyber security, first 
off, I don't want to destroy anybody's hopes. When we say fix 
the problem, we've known about cancer for 4,000 years; we 
haven't cured it yet. The reality is this: when we fix the 
problem here, we're still going to have incidents, we're still 
going to have something of impact and consequence.
    My experience is this: People get serious about cyber 
security when they have two things: either, A, a compliance 
driver and they take it seriously; or, B, they have the ``oh, 
crap'' moment, quite frankly, and they've been breached.
    We published reports, my company did, in 2014 that had a 
lot of the allusions to what just happened. But sometimes you 
have to have it happen before you recognize that, wow, that was 
really on the table. I doubt it'll happen again, but now we're 
having the dialogue to make sure that it doesn't.
    Senator Blunt. Thank you, Chairman.
    Chairman Burr. Senator Wyden.
    Senator Wyden. Thank you, Mr. Chairman. I think it's been a 
very good panel.
    I want to talk about one of our most significant 
vulnerabilities as it relates to cyber security. I have been 
working for some time now with Congressman Ted Lieu of 
California, who is a real expert in this field. One of the 
things that I'm particularly troubled by is our vulnerabilities 
in what's called ``SS7,'' Signaling System 7. This essentially 
allows cellular networks to be able to talk to one another. We 
seem to have some very significant vulnerabilities that could 
allow a foreign actor, Russians and a variety of other 
interests hostile to our country, to hack, tap, or track an 
American's mobile phone. The hackers could be just about 
anybody, but certainly a foreign government, and the victim 
could be just about any American.
    I think, Dr. Rid--and I welcome anyone who'd like to talk. 
But I think, Dr. Rid, you've done some serious analysis of 
these vulnerabilities in SS7 and I would be interested in 
hearing, A, how serious you think this is, and, B, what do you 
think our government ought to do about it, particularly in 
connection to the topic at hand, which is dealing with these 
Russian hacks?
    Dr. Rid. Thank you for this very specific question, 
although I have to say that I'm not an SS7 expert and I don't 
want to pretend to be one here. But the technology that you're 
referring to is certainly a weak point and can easily be 
exploited, ultimately because it is a trust-based system, a 
trust-based protocol. And if you have a landscape of a lot of 
mobile phone providers, it's relatively easy to undermine, that 
some one entity essentially undermines, can essentially exploit 
the trust here.
    There are ways to remedy the problem, but I will just add 
one observation, that if--and I think many people in Congress 
will be doing this already--if you use an encrypted app for 
your communications, then you will most likely defeat some of 
that vulnerability there.
    Senator Wyden. I hope that's the case. I think the 
Congressman and I have been concerned that that may not be 
enough, because largely what has happened thus far is there 
have been self-regulatory approaches and that and other 
approaches weren't pursued. So we're going to continue this 
discussion. As I understood it, you had talked to some of our 
folks. You may not think yourself--you may not consider 
yourself an expert, but our folks thought you were very 
    Dr. Rid. Well, may I respond?
    Senator Wyden. Sure.
    Dr. Rid. I think we're looking in multiple ways at market 
failures here. So two-factor authentication, which I mentioned, 
we're looking at a market failure there because it's still an 
opt-in situation. If you have an opt-in situation, most people 
will not opt in and hence remain vulnerable.
    The market, when we look at active measures--and this is 
one of the most fundamental ethical dilemmas here. The market 
favors disinformation today, and I can go into specifics on how 
we can remedy this if you like.
    Senator Wyden. Well, the Congressman and I feel that we 
ought to get the FCC, the Federal Communications Commission, 
off the dime, too, because it is clear that they have been 
slow-walking the various kinds of approaches that could provide 
an added measure of security.
    Let me ask one other question and any of you three can get 
into it. In January the IC assessment, the intelligence 
community assessment, said that Russian intelligence accessed 
elements of multiple State or local electoral boards. So I 
asked the FBI Director then what exactly had been compromised 
and what was the nature and the extent of the compromise.
    Director Comey responded that the Russians had attacked 
State voter registration databases and taken data from those 
databases. Can you add anything else to that? Any of you three 
are welcome to do it, because that sounds to me like pretty 
alarming stuff. The FBI Director in January--and I wish I'd had 
more time to get into it with him--essentially said that this 
was a problem, and I would be curious whether you knew anything 
more about this topic.
    We can just go right down.
    General Alexander. I don't. I have talked to some of the--
one of the Secretaries of State on just this and the issue that 
you brought up, the polling data, the registration data, is 
something that's at risk and something that the states are 
looking at. So I do think that's important.
    Senator Wyden. Great.
    Thank you, Mr. Chairman.
    Chairman Burr. Senator Cornyn.
    Senator Cornyn. Thank you for being here and testifying.
    I think maybe we assume that people know more about what 
we're talking about than maybe they actually do. So I'd like to 
kind of get basic maybe for my benefit and maybe some other 
people will learn some things as well. But I think we've 
referred to something that's called spear phishing. So I'd like 
to have one of you explain what that is.
    Let me just tell you, by the way, that occasionally my junk 
email box on my personal email, I'll get emails that purport to 
be from the FBI Director or the Army Chief of Staff, Mark 
Milley, my friend from Fort Hood who's now the Army Chief of 
Staff, or maybe from Apple, telling me that I need to reset my 
password, or from Google saying I need to execute some sort of 
    Then there's a link for me to click on. Is that what is 
commonly known as spear phishing, and once you click on that 
link then they basically could take over your machine?
    Mr. Mandia. Yes, you've basically got that right. Looking 
back at 2015 and 2016, we did nearly 1,000 investigations into 
computer intrusions, and we have a skewed vantage point because 
no one hires us to respond to an intrusion when they're five 
minutes behind the hack. They hire us when the hack and the 
breach is already at a scale and scope where they need help.
    In 91 percent of those breaches, victim zero was in fact 
spear phishing, meaning that's how the Russian groups, the 
Chinese cyber espionage campaigns, and every capable hacking 
threat actor is breaking in. It is in fact a link that 
purports--it's a link or an attached document that comes to 
you. It looks like it's coming from someone that knows you and 
it's got something relevant attached or the link is to 
something you consider relevant to what you do for a living.
    That's what we were talking about earlier, is that's how we 
kind of know what the Russians were targeting, is they're doing 
very specific spear phishes to very specific people. But that 
is the number one way human trust is being exploited and that's 
how folks are breaking in.
    Senator Cornyn. Would you be surprised if a member of 
Congress was being targeted by a Russian or a foreign 
government spear phishing?
    Mr. Mandia. I would not be, and I would expect every one of 
you is targeted on a near-daily basis.
    Senator Cornyn. General Alexander, you were going to say 
    General Alexander. Yes, I was going to add to what Kevin 
said. They're going to do research on you, know who your 
friends are, so they know you with Mark Milley from Texas, they 
know key things about you. Perhaps you golf and you have a 
friend that golfs, and they're going to send you something: 
Hey, how about this golfing thing? Click here or do this. And 
that's how they do it.
    Spear phishing is targeted on an individual. They do 
research and understand more about you to go after you as a 
    Senator Cornyn. Well, Dr. Rid, you talked about the poor IT 
and cyber hygiene in the government space. I think some of this 
could be as simple as updating your antivirus software, 
scanning your machine periodically, and the like. But let me 
just mention the specific hack of the OPM, the Office of 
Personnel Management. I mentioned it at an earlier panel. 21 
million Americans had their personal information stolen in 
government custody.
    So even though they may have considered it private 
information, they were forced to give it to the government for 
security clearance or some other purpose, and now some foreign 
state actor through a cyber hack has access to 21 million 
private records, including more than 5 million sets of 
    Is that the kind of information that cyber actors, either 
criminals or espionage agents, foreign governments, would use 
to further collect espionage or to steal or to implant 
ransomware or something in a machine or in a business and then 
shake them down for money?
    Dr. Rid. Yes, absolutely. The more information, the more 
confidential information also, you have, the easier it is to 
craft a spear phishing, a targeted email, a deceptive email, a 
forged email so to speak. In my written testimony I included a 
number of samples, a number of exhibits----
    Senator Cornyn. I saw that.
    Dr. Rid [continuing]. Including John Podesta's.
    Senator Cornyn. Thank you. Thank you for doing that.
    Well, we don't have control over everybody's private 
computer or what kind of software they use. But we do have 
something to say, I think, about what the United States 
Government does. And I think one of the things we need to be 
attentive to is to make sure that the United States Government 
networks are adequately protected.
    I know, General Alexander, you had something to do about 
that at the NSA. But you didn't have the ability to protect all 
of this other information.
    Let me just ask--I just have a couple of seconds and since 
you're here, General Alexander, we're going to have to take up 
the reauthorization of the Foreign Intelligence Surveillance 
Act, particularly Section 702. I just would like to ask you, 
since we have you here, a little bit about its importance to 
detecting and countering foreign cyber activity. And if you 
would also include in your answer the privacy protections that 
are a very, very important part of that and oversight that you 
got to see first-hand in your capacity as head of NSA and Cyber 
    General Alexander. I think that's the most important 
program that's out there, especially in counterterrorism. I can 
give you a real quick example. Najibullah Zazi in Denver was 
detected by that specific authorization. NSA saw that, provided 
it to the FBI, and Najibullah Zazi was the individual in 2009 
who was driving across the country to New York City when they 
arrested the individual in New York City based off of the other 
program and they found several backpacks in various states of 
readiness to attack the New York City subway--done by that 
    I think that's the most effective counterterrorism program 
we have, and I think it will be also effective in some areas 
for cyber security, although I don't have any examples off the 
top of my head here.
    Senator Cornyn. Could you conclude your answer and talk a 
little about minimization and other privacy protections, 
because I think that's important to the American people, to 
know that we're very vigilant and diligent in that area as 
    General Alexander. Yes. It's interesting because we did a 
series of presidential review groups on NSA after the Snowden 
leaks about these programs. At the time one of the board 
members of the ACLU, Geoffrey Stone, was on that panel. I was 
kind of skeptical about this individual being on there, and I'm 
sure he looked at me somewhat askance.
    After five weeks of sitting down with our people and going 
through every one of those, he came up to me and he said: Your 
people have the greatest integrity of any agencies I've seen. 
And I said: Don't tell me; tell the American people; tell 
Congress; tell the people of NSA and tell the White House. And 
he did.
    So there are some key statements by Geoffrey Stone that 
show that we can protect civil liberties and privacy. I think 
it's important to see some of his statements there, because 
what it did is--he also asked me to write an op-ed. So imagine 
an Army officer and a board member of the ACLU writing an op-ed 
on reauthorizing the metadata program, with some changes. And 
we did.
    The reason--I asked him: Why are you doing that? And he 
said: The reason that I'm doing this is that if we don't have 
programs like this and we're attacked, we won't have civil 
liberties and privacy, and the mechanisms and the capabilities 
you have here to protect it are overseen by Congress, overseen 
by the courts, and overseen by the Administration. Everything 
has 100 percent review on it. And I think that's the best way 
to do it.
    You know, he is right. If we do get another attack, they're 
going to ask Congress, they're going to ask the Administration, 
why we didn't stop those. I think this is exactly why we have 
to move down. I do think we have to be more transparent. I 
think as we bring cyber security in here, having a discussion 
like this open hearing about how we can protect these is 
absolutely critical for our country.
    I have some statements, but I think your folks can pull 
those off the web, from Geoffrey Stone, with a ``G''. Thank 
    Chairman Burr. Senator Heinrich.
    Senator Heinrich. Let me start by saying that I guess I can 
take some comfort now knowing that Senator Rubio and Senator 
Cornyn and quite a few of us have had these sort of 
sophisticated targeting examples where you end up having to 
make sure that everything's in place, that your devices were 
not penetrated. I've certainly had staff targeted. I've had 
family members who have received these very sophisticated spear 
phishing and other kinds of approaches. Sometimes you know 
where the IP address is coming from because your provider 
literally tells you: Oh, by the way, if you didn't try to reset 
your account from Russia yesterday at 3:22 p.m., let us know.
    And having been through that a few times, one of the things 
that I've certainly shared with my colleagues--and you 
mentioned this, Dr. Rid, is the importance of two-step 
authentication. I think it just can't be oversold to the 
public. Do you want to say just a couple more words about that 
and why that's so important?
    Dr. Rid. Had John Podesta had two-factor authentication the 
last month of the campaign, the last month of the campaign 
would have looked very different. I think that says it all.
    Senator Heinrich. That says it all. Yes, I could not agree 
    Given what we saw in 2016 and how easy it is to sometimes 
drive these wedges within our own society, what should we be 
expecting in 2018 and how should we be preparing for that? 
That's open-ended for any of the three of you if you want to 
share your thoughts.
    Mr. Mandia. It took about 18 years for me even to figure 
out as I responded to breaches they reflected geopolitical 
conditions, but they actually do. What I think we're going to 
observe in 2017 and 2018, the attacks will always exploit human 
trust. There will be clever ways to do it. There are ways to 
get around two-factor authentication, which we've seen Russians 
use as well as the Chinese government use.
    I think it's going to be more what's fair game to 
espionage. I think that governments are going to start working 
on defining what are the industries that are fair game, what 
are the activities that are fair game and what aren't, because, 
quite frankly, every nation can get sucker-punched in cyber 
space, because we're exploiting human trust.
    Senator Heinrich. How do you send those signals about what 
is over the line and what the consequences of crossing that 
line might be?
    Mr. Mandia. Well, that's why we have diplomats. I think 
we're going to have doctrine. We're going to have things that 
we publish. We're going to have to let people know what we 
think are the right activities and are the wrong activities. 
The private sector will participate. Governments will 
participate. We'll get alignment with some nations and 
misalignment with others, and we'll adapt to that.
    General Alexander. Could I add to that?
    Senator Heinrich. Go ahead, General.
    General Alexander. I believe that one of the things that 
you could do and encourage is with the states setting up an 
exercise program between the State governments and the Federal 
Government about how you're actually going to improve the 
security of that and what they need to do, set the standards.
    So I'd go beyond the National Institute of Standards and 
Technology. How do we know we're protecting voter registration 
databases, and what are the standards that we're holding them 
to and who's watching that, and setting the controls in place. 
I think that the states would greatly appreciate, so what are 
you going to do when we're being pummeled by a persistent? Now 
the government, the Federal Government, needs to step in. 
That's part of Senator Feinstein's question: How do you? Well, 
we haven't practiced that. We should practice that.
    Senator Heinrich. Dr. Rid.
    Dr. Rid. A very concrete suggestion that I think would 
actually make a difference. How many of the social media 
interactions, especially Twitter interactions, during the 
campaign of the most important Twitter accounts were created by 
    Senator Heinrich. Yes.
    Dr. Rid. Were created by automated scripts and not humans? 
The answer to that question--we don't know the answer to that 
question because Twitter and other social media networks have 
not provided the data. You could write a letter to these 
companies and ask them to provide the heuristics, to provide 
the data: How much of a problem are our bots?
    Senator Heinrich. That actually, that's very much in line 
with my next question that I was going to direct to you, which 
is: In addition to looking at the data, are there things that 
we should be doing working in concert with those social media 
companies to dampen the effectiveness of this feedback loop in 
the media cycle that is being exploited?
    Dr. Rid. Absolutely. You could, for instance, ask social 
media companies to provide detailed data, including a 
methodology of how they arrived at those data. It's very 
difficult for outsiders to get to the answer to these 
questions: How much of a problem are bots? I think it is a very 
significant problem.
    When you sign up for a new Twitter account today, you can 
say--you know, the new accounts all have an egg face. You can 
say: I don't want any eggs, people who never change their 
account picture. No eggs is a good thing. You can say, I don't 
want eggs, but you can't say, I don't want bots. Bots are more 
of a problem than eggs, I believe.
    So we should be in a position to, by default, move into an 
environment where we switch out abuse and bots out of our 
vision, if you like, as users.
    Senator Heinrich. Very helpful. Thank you all very much.
    Chairman Burr. Senator Collins.
    Senator Collins. Thank you, Mr. Chairman.
    General Alexander, first of all, it's nice to see you once 
again. Section 501 of the fiscal year 2017 intelligence 
authorization bill, which, regrettably, has not yet become law, 
requires the President to establish an interagency committee to 
counter active measures by Russia, including efforts to 
influence people and governments through covert and overt 
    The purpose of this committee would be to expose 
falsehoods, agents of influence, corruption, human rights 
abuses carried out by the Russian Federation or its proxies. 
Like the U.S. Information Agency, there once was an Active 
Measures Working Group that worked to counter covert 
disinformation from the Soviet Union, and that was disbanded.
    Is this a recommendation, as we search for ways to counter 
the Russian attempts to spread propaganda, outright lies, 
influence our people--is this a recommendation that you believe 
should be implemented?
    General Alexander. I do. I think I would look at giving the 
Administration a suite of capabilities from diplomatic through 
cyber to what you just said, active measures, what we can do to 
expose that. I think we also need to give them the freedom to 
determine what's shared and what's not shared in terms of 
protecting the Nation in that regard, sharing it all with 
Congress of course, but how you publicize that if you know 
something is going on and you've got it through other means.
    I think those things you'd want the Administration to at 
least be reasonable about, but I do think these are the kinds 
of things that should be put on the table. I would have to go 
back and look at all the tools that you're going to give them 
and say, does that meet the objectives of engaging Russia and 
confronting them when they cross the line on something? I think 
in this case this is something that would give them a tool, if 
they've crossed that line, to say, stop, here's what we know 
and here's the consequences.
    Senator Collins. Because one of the aspects of this 
investigation that I found troubling that we've already learned 
is how weak our response is when we have a disinformation 
campaign. It seems to me that this working group could be 
useful. I realize it's a delicate issue in some ways because 
you don't want to sweep up legitimate--you don't want to be 
trying to set the rules for journalists, for example.
    But that brings me to another issue for Professor Rid. That 
is, in your testimony you talked about how Russian 
disinformation specialized the act--specialists, I'm sorry, 
perfected the act of exploiting the unwitting agent. I assume 
by that you mean that individuals or entities who don't know or 
realize that they are being used by the Russians, but 
nevertheless are.
    In your testimony you use examples of Twitter and 
journalists who cover political leaks without describing the 
origins of those leaks as examples of unwitting agents that 
were involved in the Russian influence campaign in 2016. You 
also list WikiLeaks. I would put WikiLeaks in a different 
category personally.
    But what can we do about the unwitting agent? I mean the 
truly unwitting agent.
    Dr. Rid. Yes, I agree, in the case of WikiLeaks it's 
unclear whether they are unwitting indeed or just witting, so 
to speak.
    Senator Collins. Right.
    Dr. Rid. But I think we are trained, the Western mind, if 
you like, is trained to think in contradictions. It's either 
this or that. But here I think we're looking at a situation--
and this has been a pattern throughout the Cold War--where 
active measures operators recognize that unwitting agents--this 
could be journalists, politicians even; members of Parliament 
in the past have been the case--just because they're genuinely 
so passionate and engaged and activist in their outlook further 
the Russian cause.
    So we have to recognize that this will continue to be a 
problem. We cannot simply get rid of that problem. It is 
something--for instance, we have documents from the Cold War 
time where disinformation active measures operators say they 
actually want conflict between the unwitting agent and the 
actual adversary, say WikiLeaks and the U.S. Government, 
conflict is good. So that's how far you can take. If the goal 
is driving wedges, then the unwitting agent is a trump card in 
your sleeve.
    Senator Collins. Thank you, Mr. Chairman.
    Chairman Burr. Senator King.
    Senator King. Following up on that, it seems to me that the 
unwitting agent is a key part of this entire process, 
particularly where you're talking about disinformation. I think 
you make the point in your prepared statement that anonymity, 
anonymous leaks, there should be more work on where did it come 
from. Is that correct?
    Dr. Rid. Yes, absolutely. WikiLeaks was purpose-built to 
hide the source. That is the goal of the entire platform. Of 
course, I think--and I do take Julian Assange seriously when 
initially at least, historically, he was just an activist.
    Senator King. He was a clearinghouse, but now he's a 
selective leaker.
    Dr. Rid. That seems to be the case, yes.
    Senator King. General Alexander, we've been talking about 
this for at least four years. One of the problems--and you 
talked about this with Senator Collins--this country has no 
strategy or doctrine around cyber attacks; isn't that correct? 
And isn't that part of the problem? We need to have a doctrine 
and our adversaries need to know what it is.
    General Alexander. Absolutely, Senator, and I would add 
rules of engagement. We don't have--the consequence is if there 
were a massive attack we'd have to go back and get authority to 
act, where if it were missiles coming in we already have rules 
of engagement. So I think we need to step that up as well.
    Senator King. Ironically, part of that is transparency, 
because if we have a capability that would act as a deterrent 
but our adversaries don't know we have it, it doesn't act as a 
deterrent. Is that correct?
    General Alexander. That's correct. In fact, if I could, 
just to add something, because Thomas brought out another 
issue. I think it would be good also for the American people to 
release perhaps collectively the number of vulnerabilities our 
government has pushed out to industry, that has been identified 
by government, because often that's opaque. So what you 
wouldn't see is how much of that is actually being pushed to 
industry and how that's cleared. But you could get a collective 
summary from the departments and agencies that have pushed 
those out and see what's being shared. I think that's a good 
thing and it's a good way to start that dialogue.
    Senator King. That's a positive development, but I still 
believe that we need to develop a deterrence 2.0 to deal with 
the nature of the threats. And it doesn't have to be cyber for 
cyber. It could be sanctions or other. But there needs to be a 
certain response, a defined response and a timely response. 
Otherwise it's not going to have the deterrent effect.
    General Alexander. That's right, and we have to get the 
roles and responsibilities of the different agencies. Who's 
actually going to conduct that response? I think that has to be 
set straight and clear. We discussed that in the other hearing, 
but I think that's something that also means that if we had to 
react we wouldn't have the right people set up to react.
    Senator King. Mr. Mandia, one of the things--and I think 
this has been touched upon in the hearing--is the question of 
the vulnerability of our State election systems. We know that 
the Russians were poking around, if you will, in our State 
election systems. I learned recently that more than 30 states 
now allow internet voting and 5 have gone completely paperless. 
Doesn't this create a significant vulnerability?
    Mr. Mandia. It also creates an opportunity to do things 
even better. At the end of the day, when we look at--I go right 
to Estonia and what they do in their election process. I'm not 
totally intimate with it, but they have an identity management 
that's far better than our State, for our Nation.
    When you have anonymity, it's really, really hard to secure 
the internet. Obviously, we're going to always have attacks on 
these areas. But what we're seeing is every election year--and 
I've responded to breaches every election year since 2004--both 
sides get targeted, things happen. We are still going up and to 
the right. I'm confident a modern nation--and probably others 
could speak better to this--would reserve the tool of tweaking 
electoral votes or ballots to the last resort. I've never seen 
evidence of that and I think we'll always have a natural risk 
profile to show great diligence in how we secure the election 
process and go forward.
    Senator King. My understanding of the intelligence is that 
it doesn't appear that they changed votes or vote tallies in 
this election.
    Mr. Mandia. No.
    Senator King. But they weren't going into those State 
election systems just for recreation. There was some purpose. I 
think one question, which I think any of you could answer, but 
you can answer: 2016 wasn't a one-off. This is a continuing 
ongoing and certainly future threat, is it not?
    Mr. Mandia. I think so. I think right now when you look at 
intelligence, it's been totally redefined by the internet. 
People are searching YouTube every day to see what operations 
are going on by ISIS. So the intelligence collection that we 
have today has never existed in the past. It's just that during 
this election we saw Russia break rules of engagement they had 
traditionally followed in that they added collections with 
computer intrusion, stealing documents and leaking them. But 
yes, I think this is a tool everybody's going to use.
    Senator King. Dr. Rid, do you want to respond?
    Dr. Rid. The great active measures campaign of 2016 will be 
studied in intelligence schools for decades to come, not just 
in Russia, of course, but in other countries as well.
    Senator King. So not only will it be studied; it will be 
attempts made to replicate it.
    Dr. Rid. That we can only assume, but it will certainly be 
    Senator King. Thank you.
    Thank you, Mr. Chairman.
    Chairman Burr. Senator Lankford.
    Senator Lankford. Thank you, Mr. Chairman.
    Let me ask you a question, Mr. Mandia. Your company has 
gone through an extensive amount of background to be able to 
look at the DNC hack and the exfiltration of their data. I want 
to repeat again what you have said orally and what is in your 
statement. Any other details that you can give us. You felt 
that this was Russian intelligence. You have answered that yes. 
But much of what you have put in your written statement seems 
to be a circumstantial look at it, that you were basically 
eliminating other things.
    So let me ask you a question. Is this a process of 
elimination much like a doctor doing a diagnosis, saying it's 
not this, this, this, and it must be this? Or do you think 
there's something that zeroes in and says, no, that's really it 
and here's the evidence that links it?
    Mr. Mandia. I think that the intelligence available to the 
private sector is different for attribution than it is in the 
government. We can only take it so far. We're not going to fly 
people into Moscow and troll the streets trying to find a 
building. We have to do it by process of elimination. We have 
to do it by just deduction. But at the same timeframe, we hope 
the level of exactitude needed will come from the intelligence 
    But we've done this with China. China, we just got lucky. 
Their operational security broke down so we could get an exact 
building and some people. Russia's operational security on the 
internet is better than that.
    Senator Lankford. So let me ask: There has been 
conversation about Guccifer 2 being linked to the Russian 
government. Do you have any evidence of that or anything that 
would lead you to conclude that is true or lead you to at least 
disagree with the intelligence community on that?
    Mr. Mandia. I think it would be hard to think of any 
other--here's what we do know. I would attribute the Russian 
government to the breaches. We cannot connect all the dots from 
the breach, at least with the observables available to my 
company and our investigators. We can't go from breach and 
leaked data to suddenly Guccifer 2.0. We just don't have the 
means to do that.
    Senator Lankford. But you think they're consistent?
    Mr. Mandia. I think it's remarkably consistent. APT28 
intrusions are occurring and it's APT28 stolen data that's 
being leaked by DCLeaks, Guccifer, Anonymous Poland, and a 
bunch of other what we call fake personas or false personas.
    Senator Lankford. Great, fair enough. So how confident are 
you that there's not any false flag operations that are 
involved in this?
    Mr. Mandia. We've observed this since 2007. I'm confident 
that APT28, the hacking group, is in fact sponsored by the 
government, the Russian government.
    Senator Lankford. Fair enough. So let me ask you a question 
and it's the ongoing dialogue that we have here all the time. 
How do you define any difference in what's thrown around 
commonly as ``We've had a cyber attack'' or, as has been used 
in this conversation, ``They've crossed the line''? We continue 
to talk about things like cyber doctrine, giving clear 
boundaries. We don't have any of those things. This has been an 
ongoing conversation for a while about who would set them, how 
they would be set. But at some point we have to have a clearer, 
a clear statement of what is crossing the line.
    Earlier you made a statement it would depend on the State, 
it would depend on the situation and such. Can you give me an 
example--obviously, this is an example.
    Mr. Mandia. Right.
    Senator Lankford. So other than this one, but give me an 
example of what it means to have a cyber attack that we can 
communicate to the American people, this is not just a nuisance 
hacker stealing information, this is an attack from a foreign 
government on our sovereignty?
    Mr. Mandia. First off, I go back to somebody made a comment 
once: It's hard to define pornography, but we know it when we 
see it. The reality is it's hard to delineate the cyber attack. 
I'll give you an example, though. I received a phone call once 
from one of our intrusion responders saying: We think North 
Korea hacked Sony Pictures. We went on site, we did the work, 
and we were as shocked as everyone that we even attributed it 
at, via our means, to most likely North Korea.
    Then you start wondering, what levers do we have on North 
Korea to change their behaviors? That's why I think, A, 
attribution's critical. Got to know who did it. But I think the 
response will probably depend on our relations with those 
nations and their cooperation.
    Senator Lankford. Talking to the difficulty of identifying 
who did it, as far as linking places when you get a chance to 
bounce and to be able to hide it different ways, is that 
becoming more difficult or easier based on the tools that we 
have or based on the tools that they have to be able to hide 
their location?
    Mr. Mandia. In the private sector, it's becoming more 
difficult for us to do attribution categorically. We used to 
have--we respond to hundreds of intrusions a year. By the end 
of 2010, six years of doing this, we only had 40 buckets of 
evidence. Every time we responded to a breach to figure out 
what happened and what to do about it, the trace evidence of 
what happened, cleanly into 40 buckets. Now we're into the 
    The TTPs and the malware's changing, the infrastructure's 
changing. I would say actors are getting smarter about 
remaining anonymous in their attacks.
    Senator Lankford. Mr. Rid, quickly I want to be able to ask 
you a question because you were alluding to this earlier. A 
matter of an attack is not just a matter of going and deleting 
files or creating chaos. It could be manipulating an existing 
file where you lose trust for it or adding a file that was 
never there, and suddenly there's something appearing on your 
computer that you never put there, someone else added to you.
    So the threats of the attack that is out there, what could 
that look like?
    Dr. Rid. We have concrete examples. A recent one is a 
critic of President Putin in London was hacked and allegedly--
and I think the evidence is quite good--illegal child abuse 
imagery was uploaded to his computer as an active measure to 
undermine his--to make him into a criminal in the U.K.
    Senator Lankford. So they added child pornography onto his 
    Dr. Rid. You can just download something, as in the case of 
the DNC hack, where they uploaded something.
    Senator Lankford. Thank you.
    Chairman Burr. Senator Manchin.
    Senator Manchin. Thank you, Mr. Chairman.
    Thank you all for your testimony today and helping us as 
much as you possibly can. We appreciate that. Let me ask this 
question. Could Russia have made a difference in the outcome if 
they wanted to? Did they get to the level that they could have 
gone further, but stopped and we fell into the trap?
    Mr. Mandia.
    Mr. Mandia. In regards to the computers----
    Senator Manchin. Basically, I'm understanding they were 
more aggressive than they've ever been and they got more 
involved than they ever got. Could they have done more and just 
stopped and we fell into the trap?
    Mr. Mandia. I don't know if we fell into the trap. I don't 
know what you mean by that.
    Senator Manchin. The trap is basically what we're doing 
right now.
    Mr. Mandia. Could be. I can tell you this: I believe we 
probably know 90 percent of their cyber capability, maybe even 
only 80. They probably reserve their upper echelon for maybe--
    Senator Manchin. Could they have basically changed the 
outcome of the election?
    Mr. Mandia. I have no idea. I don't know.
    Chairman Burr. You don't know if they're capable of doing 
    Mr. Mandia. I think--when I think of changing the outcome 
of an election, I'm an engineer; I think ones and zeroes kind 
of. I would say, could they have altered the votes? I think we 
would have seen that. I think we'll see the shot across the bow 
on some of the most severe attacks, things where we have lots 
of observation. I think we'd catch the shot across the bow.
    Senator Manchin. Let me ask this question for anybody who 
wants to answer. How intense has their involvement been in 
other countries that we know in the past? Is it to the level 
they've gotten to with the United States in this past 2016 
election? Are they that involved in France, Belgium, Germany?
    Dr. Rid.
    Dr. Rid. It depends on how far you want to go back in 
history. The Stasi, we know that for a fact, affected the 
outcome of one vote of no confidence in the Bundestag, which 
kept Chancellor Brandt in power. So we have many, many 
historical precedents of elections.
    Senator Manchin. How about in France going right now?
    Dr. Rid. Right now. We currently do not have a single 
example in Europe to my knowledge where a hack and a leak were 
combined in the way it would happen in the United States.
    Senator Manchin. But their involvement in the election has 
shown a desire to get people that are more friendly toward the 
    Dr. Rid. Yes. I mean, I'm not saying there's nothing going 
on. In fact, there are active measures under way. But they are 
of a different kind, it seems at this stage at least, than what 
we saw in 2016 here. They're more old-school, more forgeries, 
like the Lisa case that Senator Rubio mentioned earlier.
    Senator Manchin. From the technology end of it, from the 
cyber end of it, do we have the ability to stop? And you're 
saying, what can we use? Is there going to be cyber warfare 
back to them? Is there something that we can do to a Russia 
that would stop this behavior or they would be concerned about 
we could intervene or interfere with their system?
    Mr. Mandia. I think General Alexander should comment on 
that, but I can tell you, at least on defense in the private 
sector, probably the best analogy I can give you is a hockey 
analogy. It's like going up against Gretzky on a penalty shot 
when the Russian government targets your organization. They 
have a good chance of putting the puck in the net.
    General Alexander. There's a couple of things, Senator, 
that I think we need to do. We talked about fix the defense. I 
think what we're doing right now with this committee and others 
is we have highlighted that we know they did this. They know 
that we know, and now the issue is they've been put on notice 
and now it's over to our government on the path forward.
    We have an opportunity to engage and confront them on 
different issues. I think that in and of itself was something 
that perhaps they miscalculated. Now what we need to do is fix 
the defense and see what other actions we should take to defend 
our infrastructure, including the electoral infrastructure.
    Senator Manchin. General, when Putin puts his statement out 
that he put out today claiming no responsibility, no knowledge 
whatsoever, and we know and the whole world should know--we've 
made it official. He seems to have a very high rating in 
Russia, so I don't think they're going to believe us. Do we 
have the ability to show from a technical aspect what was done?
    General Alexander. I think one of the benefits of his 
actual active campaign is it's had a great impact on his 
popularity in Russia. He's taken us on in these areas. I think 
saying ``It wasn't us'' is something that he would say ad 
infinitum. We saw this across the board, Thomas brought out, 
all the way back from Moonlight Maze and before Russian 
involvement, and they said it wasn't them. We knew it was.
    Senator Manchin. Do any one of you three have what you 
would recommend as the greatest retaliation for Russia for this 
type of activity? Let's start right down the line if you will, 
Dr. Rid. What would you recommend? How would we retaliate, 
basically, to make sure that we harm them or hurt them to the 
point they will not continue this type of behavior?
    Dr. Rid. That's a tough question.
    Senator Manchin. Militarily? Electronically?
    Dr. Rid. Certainly not militarily as there would be an 
escalation that is entirely inappropriate.
    Senator Manchin. Economically?
    Dr. Rid. In I believe it was the DHS publication at the end 
of December, 29th, the then-Obama government pointed out, the 
Administration pointed out, RT as a major outlet of Russian 
active measures. At this stage RT has a license in the United 
    General Alexander. I think we should step back, Senator, 
and say what is our objective with Russia? This was a single 
event. I think we should have--this is where the Administration 
from Secretary of State, Secretary of Defense, and others 
should get together--and we should give them the opportunity 
and time to do this--and say, what's our strategy going to be 
with Russia, which includes what you're asking? Because I don't 
think we want to do it tit for tat on these things and just 
    What we really want to do is, how do we get an engagement 
with Russia that puts us and the world in a better place? I 
think it's part engagement and saying, here's what we want to 
do, we know this, and we've got to figure out how to stop, and 
here's what's going to happen if we don't, and put those on the 
table. But I think that needs to be done more in private than 
in public if we're going to have a chance of success.
    You know, it's in our interests to address these problems 
now, when you look at what's going on in the Middle East, 
what's going on in Eastern Europe, and all the other problems 
we have. We've got to solve some of these by allowing the 
Administration to engage in that area. So I would push it over 
to the Administration. They have good people in this area.
    Senator Manchin. My time--go ahead.
    Mr. Mandia. Yes, sir. A lot of comments here. I've got a 
very simple--there's a carrot or a stick. There's either money 
or the 82nd Airborne. I'd agree with everything the General 
said--not time for that.
    I would caution the response if it's just in cyber space, 
the asymmetry. If all our tools work against them and all their 
tools worked against us in cyber space, Russia wins. So I don't 
think--there's too much asymmetry in cyber, based on our 
economy relying on it, our communications relying on it, our 
free press even. They can do an invasion on the privacy of 
everybody in this room. We can't really reciprocate that, hack 
Putin's email and post it and get the same results.
    So I would just advise cyber-on-cyber just feels like we're 
in the glass house throwing rocks at a mud hut. We're not going 
to pan out very well there.
    Senator Manchin. Thank you.
    Chairman Burr. Senator Harris.
    Senator Harris. Mr. Mandia, one main reason that we're 
doing this public hearing is so that the American public can 
actually understand what happened. So if we can just take a 
step back, because this is a fairly complex issue, and 
particularly when we start talking about bots and all these 
other things. Some people wonder, is it just a short form for a 
    Let me ask you--Americans, I think many whom I've spoken 
with can't help but feel that they have been played if they 
made their decision in this election based on fake news. How 
can they know that they are receiving fake news? How can they 
detect it so that they can ultimately make decisions like who 
will be their President based on accurate information?
    Mr. Mandia. That goes beyond my expertise as a cyber 
security individual. I can just say as a lay person everybody's 
got to take everything they hear and vet it against multiple 
sources. But I simply don't have the right tools to be an 
expert on how do you determine fake from non-fake news.
    Senator Harris. Do any of you feel experienced enough to 
answer that question?
    Dr. Rid. It's a simple answer. If it's in The New York 
Times or the Washington Post, it's not fake news. I mean, we 
have to believe in the center, so to speak. If we don't, if we 
can't trust the mainstream media any more, then we've lost.
    General Alexander. Could I add to that?
    Senator Harris. Yes, please.
    General Alexander. I think part of it is we at times 
sensationalize and inflame, not inform. How do we get a more 
informed set of reports out to the American people on some of 
these issues? That's something I don't have an answer to, but 
that's part of the problem. We've got to figure out how to 
address that as we go into this next age of having all the 
information available at an instant.
    We saw the attack on the White House, the theoretical 
attack about a year ago. It turned out to be fake news. I think 
we've got to take another few steps on that. That's where the 
news agencies, social media, and governments have to work 
together to help get the facts out there. Just the facts, 
    Senator Harris. So tell me--I'm going to direct it--I'll 
start with Mr. Mandia, but whoever can answer this question if 
you feel you have an answer. How can we tell if Fox manipulated 
a Google search to elevate the placement of fake news in the 
2016 elections, and what partnerships might we take with Google 
or any other search engine to avoid that happening in the 
    Mr. Mandia. I think that's a great question. I think Google 
probably has the answer. Here's the reality even that's going 
to be difficult for them. There's a lot of ways. What you're 
describing is what we used to call astroturfing. It's the way 
to manipulate public opinion just based on the number of hits 
and influences behind that. It depends on the platform. It's 
actually a complex challenge for us to pierce anonymity behind, 
is that a bot or a human, because bots keep getting smarter, 
replicating us.
    General Alexander. I would just add, I think Google has 
some great folks in this area, and that may be something that 
you get the folks at Google, Facebook, Twitter together along 
with some of the other social media and ask them that question: 
How can we jointly solve some of these issues? I think it's a 
great question and one that they would take on.
    Dr. Rid. Social media companies are--the market assesses 
social media companies on the basis of active users, the active 
user base. Now, if a certain amount of the active users are 
simply bots. There's a commercial interest in not revealing the 
fact that a tenth, a third of your user base actually is 
    Senator Harris. Thank you.
    General Alexander, as a former General--I asked this 
question of the earlier panel. We invest in our military and 
our soldiers as part of our defense system and rightly. But 
Russia seems to be investing a great amount in its cyber 
security as a tool of warfare. What would you recommend we do 
in terms of the United States Government to meet those 
challenges in terms of how we're investing in infrastructure to 
be able to combat, both on the point of deterrence, but also 
resilience; after we do detect, when and if we do detect that 
we've been hacked, how we can step back up and pick back up as 
quickly as possible; and then obviously what we need to do in 
terms of any sort of retaliation?
    General Alexander. I think there are several key points 
that we have to do. One is we have to fix the relationship 
between industry and the government for sharing information so 
that they can be protected. We have to set up the rules of 
engagement and the rules of what each of the departments are 
going to do and they have to understand and agree to those. We 
have to rehearse that within the government and between 
government and industry.
    Senator Harris. I only have a few seconds left, so I'd like 
you to direct your response--and I appreciate the points you 
made earlier on this, on this point. But we have a budget 
coming up. What would you advocate in terms of the budget that 
is going to be before us to vote on? It's called a skinny 
budget. There's a whole lot of discussion about where the 
limited resources and dollars are going to go. On this point, 
what would you advise us in terms of how we distribute those 
limited resources to meet these challenges, the challenges in 
terms of the Russian government and the finding by the FBI, 
NSA, and CIA that they hacked our systems?
    General Alexander. I think we definitely need to continue 
and increase the investment in what we have in our cyber 
capabilities, the forces and the infrastructure and the tools 
that we create. That's needed. I think we also have to look 
at--and one of the members over here brought out--government. 
Our IT in government is broke. We need to fix it, and we need 
to look at how we secure it. OPM was a great example that they 
used. I think that's something this Administration is already 
looking at, but we need to help them get there and figure out 
the best way to do that.
    When you think about it, they don't have the IT resources 
or the cyber security professionals to actually defend them. 
The solution has got to look at what we do with the commercial 
sector and how we add that to government. I think those are the 
key things.
    Senator Harris. I appreciate that. Thank you.
    Chairman Burr. Do any other members seek additional 
    Vice Chair.
    Vice Chairman Warner. I would just like to ask one quick 
one. I think this line of questioning we've heard about how we 
can react, very briefly because the Chairman hasn't asked his 
questions yet. But I do wonder. We saw the example that 
somebody did hack into former Prime Minister Medvedev's files, 
which showed lots and lots of luxury properties all over the 
world. In many ways that seemed to result in a series of 
protests across Russia, where unfortunately protesters were 
    But comment on that? Very briefly, since the Chairman 
hasn't had his questions.
    Dr. Rid. I'm not sure I understand the question properly. 
Are you implying that----
    Vice Chairman Warner. I'm inquiring whether the--I agree 
with Kevin on the notion of simply tit-for-tat actions in cyber 
because we're more technologically dependent. But there are 
activities kind of around active measures where Prime Minister, 
former President and now Prime Minister, Medvedev in Russia--
maybe I'm mispronouncing the name--suddenly all his extensive 
property holdings became public, which caused great 
consternation in Russia and a series of protests.
    Dr. Rid. We know from publicly available information that 
President Putin, Vladimir Putin, believes the Panama Papers 
leak, which broke on the 3rd of April in 2016, so right in the 
middle of the ramped-up targeting--targeting on their side 
ramped up before Panama Papers broke as a story, but we have to 
assume they knew about Panama Papers, that it was coming.
    Putin seems to believe Panama Papers was an American active 
measure against him. I don't think this was the case, but that 
puts the entire operation into a slightly different light and 
it's important to consider that.
    Chairman Burr. Thank you, Vice Chairman.
    Listen, we really are grateful to all three of you for 
making yourselves available. Keith, you're a guy that the 
committee has looked up to, not just because of the stars on 
your shoulder, but it's the knowledge in your head and how you 
have had a way for years to convey to the committee in a way 
that we could understand what the threat was, what our 
capabilities needed to be, the actions that we needed to take, 
why we needed to take them, and the objective of the effort.
    I think what concerns me is that this thing's speeding so 
fast now, it's like you pulled the string on the top when we 
were kids, and over time the top slowed down, and it looks like 
now the top starts spinning faster and faster and faster once 
you've pulled the string.
    So I want you to understand that we're probably going to 
invite you back in an informal setting, probably not a public 
setting, where some of the things we got into today we couldn't 
dig much deeper. And thank you for showing the constraint of 
doing that. For that reason, I'm not going to include you in my 
other two questions, because it might put you on the spot.
    I'm going to turn first to Dr. Rid. Do we have any idea how 
Russia transmitted emails to WikiLeaks? And if that's the 
process that everybody assumes happened, then how could 
WikiLeaks be, as you referred to, unwitting?
    Dr. Rid. That's a good question. Guccifer 2.0, the front 
that was created, tweeted that they gave emails to WikiLeaks. 
WikiLeaks tweeted that they received something from Guccifer 
2.0 before this was attributed to Russia. So that's the only 
evidence that we have publicly and I think it's quite strong, 
or it's certainly notable.
    Is WikiLeaks an unwitting agent? In truth, we can't answer 
the question because they haven't spoken on it. But we also 
can't just assume that they're not an unwitting agent. But 
ultimately it doesn't matter, because they are a very effective 
unwitting agent.
    Chairman Burr. Kevin, do the forensics that you're able to 
have done suggest that WikiLeaks continues to hold additional 
emails that have not been released?
    Mr. Mandia. I can't answer that. I can tell you from all my 
experience what we've seen publicly released is probably under 
one percent of what we've attributed to the Russian government 
    Chairman Burr. We're trying as a committee to come up to 
speed on not just terminology, but what that terminology means. 
So I'd like to give you an opportunity to walk us through how 
you identify an actor like APT28?
    Mr. Mandia. Yes, and here comes the details. First, for the 
first time ever we started getting better software in place 
beforehand so we'd see keystroke by keystroke what they're 
doing. I think most Senators do not do command line execution, 
but there's different commands you can type, there's different 
letters that you type in different orders. You start getting to 
know the attackers when you get that command-level access to 
    Then it's the malware they've created, the IP addresses 
they use, the infrastructure they use to attack, the people 
that they actually target, the encryption algorithms they use, 
the pass phrases they use when they encrypt things, and the 
list goes on and on.
    We tracked at one point--we created a scheme in about 2006 
on how do you categorize the intelligence or the evidence, the 
forensics, from an intrusion investigation, and we had over 650 
categories. I can't go into all of them today, but trust me, 
you observe a group for ten years or more; after a while, we 
got the bucket right. APT28 to us is a bucket. Every time we 
respond to them, there's enough criteria together that APT28 is 
our APT28, APT29 is our APT29, APT1 was PLA Unit 61398.
    The link is we couldn't take 28 and 29 and say GRU or FSB. 
It just isn't available to us in the trace evidence when we 
respond to intrusions. But it's time-stamps, compilations.
    I'll give you one last example because this is 
understandable. When you look at the malware that's been used 
in these attacks and their compile times, 98 percent or higher 
of it is compiled during business hours in Moscow or St. 
Petersburg. That's a pretty good clue. And whoever's doing it 
speaks Russian.
    Chairman Burr. If you'd rather not answer this or don't 
know the answer, punt it and I'll forget it. Had the DNC 
decided to provide their system for FBI to do forensics on, 
would we have gotten more information?
    Mr. Mandia. I don't know. I can tell you--I can't speak 
specifically to that one, but over the last five to six years 
we respond to a lot of breaches now where the FBI is there, and 
they are there. And they're not the ones traditionally doing 
forensics. They are relying on a lot of the private sector 
forensicators. That's a made-up word. But we're doing our 
forensics. We're producing it. And the customers are choosing, 
our clients are choosing, to share that with the FBI.
    I think the group that responded to the DNC is highly 
technical, highly capable. They got it right.
    Chairman Burr. It was a diplomatic way of asking, do we 
have different capabilities than the private sector. And you 
    Mr. Mandia. Yes. We've had tremendous help. When we respond 
and the FBI is in the room, it's fantastic help. Maybe they're 
cleansing intel from another agency or not. But there's been 
numerous cases where we're showing up and we know maybe three 
things to look for, and the FBI says: here's another 80; go 
look for those as well. So we are--and I've been doing this 20 
years. It's more likely than not when we respond to intrusion 
the FBI is actually there and responding with us.
    Chairman Burr. I sort of leave this hearing not having 
heard a word that I think we're going to use frequently based 
upon what's going on, and that's ``dox.'' My understanding of 
the term ``dox'' is it's the 21st century term for ``steal and 
leak.'' Am I going to hear ``dox'' a lot in the future?
    Mr. Mandia. It's an irritating word to hear, isn't it? But 
at the end of the day, yes, you'll probably hear it. That's the 
technique that, it looks like a state actor is using it. I can 
tell you the first time we saw North Korea delete things in the 
United States, that felt like it crossed a red line. Doxing 
appears to be the thing that crossed the line with the Russian 
    Chairman Burr. Thomas.
    Dr. Rid. One sentence on what Kevin just said about the FBI 
there. Usually in an investigation of the kind he was 
describing, you would make a so-called image of the computer 
hard disk, and if the FBI has these images, which I understand 
they may have, then you don't actually have to physically be 
there. It's as good as being there physically.
    But on the doxing observation, yes. Just to make another 
observation that may be personal for many of you here in this 
room, but the ethics rules in Congress may actually make 
members of Congress and in the Senate more vulnerable, because 
it forces you to use different devices, sometimes as many as 
three devices, I understand, to make different calls and 
different communications.
    So even if the main work device is actually secured 
properly, then it would push you down into a more vulnerable 
area. That is a problem that possibly can also be fixed.
    Chairman Burr. One last general statement, and I heed the 
advice you gave, General, and you backed up, Thomas, and I 
think, Kevin, you supported as well. Our response has to be 
well thought through, and it's not just what we do in reaction 
to, it's what we do as we set the course for some better 
defensive mechanism in the future.
    But you can't neglect the fact that Russia over a period of 
time has done things outside of cyber--invasion of Ukraine, 
Moldova, presence in Syria, presence in Egypt. It continues on. 
We might look at this today in the rear view mirror and say: 
Boy, they miscalculated. The only way they miscalculated is to 
have taken our neglect of reaction to what they did as an 
opportunity to push a little harder on the accelerator.
    Not being critical, but we've done nothing to Russia when 
they've made aggressive moves. And now all of a sudden this 
happened at home. It happened with elections. When you look at 
it from a standpoint of impact, I think the Ukrainian people 
would tell me what happened to them is much worse, and if it 
happened in the United States we would think that's much worse.
    But the fact is that this is going to require a global 
response, because the globe is just as exposed as the United 
States. It was our election system in 2016. It is the French, 
the Germans--I won't get into the long list of them. But we're 
within 30 days of what is a primary election in France. It 
could be that the Russians have now done enough to make sure 
that a candidate that went to Russia recently and a socialist 
make the runoff and they end up with a pro-Russian government 
in France. They've won. That was their intent, I feel certain.
    We're not sure what the effects are going to be in Germany, 
but we've actually seen them build up a party in Germany, not 
tear down but build up a party, and exploit things that were, 
when you look back on them, fake news, not that we created, but 
that was created within Germany, that never was news, but they 
used it, they exploited it. And look at what it's turned into.
    So we may have been the first victim, but we may not have 
been victimized as much as others are going to be in the short 
term, and we certainly should heed the warning and not be an 
additional victim in 2018 or 2020.
    Let me move to Senator King real quick.
    Senator King. Just a follow-up question to Dr. Rid. Tell me 
more about Guccifer 2.0. Is that a flesh-and-blood human being? 
Is it an office? Second question: is there any doubt that 
Guccifer 2.0 is an agent or somehow working for the Russian 
    Dr. Rid. Guccifer 2.0 is--we know this from the evidence 
that's available, not all of it public, but only private sector 
sources and academic sources, I may say. Guccifer 2.0 is 
certainly not just one individual, because in private 
interactions with journalists we can literally see different 
types of humans at play. Some use it consistently at a specific 
time, lots of smileys and very informal. Others are more 
formal. All communicating through the same channel.
    On the links, Guccifer 2.0 to others, APT28, as I mentioned 
and as I also lay out in my evidence in the written testimony, 
hacked 12 of the targets that were leaked, doxed, on DCLeaks. 
Guccifer 2.0 provided a password that was not publicly known, 
provided a password to DCLeaks to the smoking gun, the outlet. 
So that's a very strong forensic link there. The link I think--
the docs can be connected.
    Senator King. But how about my second part of my question? 
Is Guccifer 2.0 an agent of the Russian government in some way, 
shape, or form?
    Dr. Rid. If you mean by ``agent,'' an agency or sort of 
organization, it could be a subcontractor, it could be a team 
within an intelligence agency.
    Senator King. Affiliated or associated with the Russian 
    Dr. Rid. I am confident that the answer is yes.
    Senator King. Thank you.
    Thank you, Mr. Chairman.
    Chairman Burr. I thank all the members, and I thank our 
panel today. You have provided us some incredible insight and 
knowledge. We're grateful to you.
    This hearing is adjourned.
    [Whereupon, at 4:02 p.m., the hearing was adjourned.]

                         Supplemental Material