Hearings
Hearing Type:
Open
Date & Time:
Thursday, September 24, 2015 - 2:30pm
Location:
Hart 216
Witnesses
Admiral
Michael
Rogers
Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service
United States Navy
Full Transcript
[Senate Hearing 114-772]
[From the U.S. Government Publishing Office]
S. Hrg. 114-772
OPEN HEARING: NATIONAL SECURITY AGENCY
ACTIVITIES AND ITS ABILITY TO MEET
ITS DIVERSE MISSION REQUIREMENTS
=======================================================================
HEARING
BEFORE THE
SELECT COMMITTEE ON INTELLIGENCE
OF THE
UNITED STATES SENATE
ONE HUNDRED FOURTENTH CONGRESS
FIRST SESSION
__________
THURSDAY, SEPTEMBER 24, 2015
__________
Printed for the use of the Select Committee on Intelligence
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
29-493 PDF WASHINGTON : 2018
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com.
SELECT COMMITTEE ON INTELLIGENCE
[Established by S. Res. 400, 94th Cong., 2d Sess.]
RICHARD BURR, North Carolina, Chairman
DIANNE FEINSTEIN, California, Vice Chairman
JAMES E. RISCH, Idaho RON WYDEN, Oregon
DAN COATS, Indiana BARBARA MIKULSKI, Maryland
MARCO RUBIO, Florida MARK R. WARNER, Virginia
SUSAN COLLINS, Maine MARTIN HEINRICH, New Mexico
ROY BLUNT, Missouri ANGUS KING, Maine
JAMES LANKFORD, Oklahoma MAZIE HIRONO, Hawaii
TOM COTTON, Arkansas
MITCH McCONNELL, Kentucky, Ex Officio
HARRY REID, Nevada, Ex Officio
JOHN McCAIN, Arizona, Ex Officio
JACK REED, Rhode Island, Ex Officio
----------
Chris Joyner, Staff Director
David Grannis, Minority Staff Director
Desiree Thompson-Sayle, Chief Clerk
CONTENTS
----------
SEPTEMBER 24, 2015
OPENING STATEMENTS
Burr, Hon. Richard, Chairman, a U.S. Senator from North Carolina. 1
Feinstein, Hon. Dianne, Vice Chairman, a U.S. Senator from
California..................................................... 2
WITNESS
Admiral Michael S. Rogers, USN, Director, National Security
Agency; Commander, U.S. Cyber Command; and Chief, Central
Security Service............................................... 3
Opening statement............................................ 8
SUPPLEMENTAL MATERIAL
November 18, 2014, article in DefenseOne.com, ``Political
Dysfunction Is a Worse Threat Than Putin, Say National Security
Workers'' by Kevin Baron....................................... 26
OPEN HEARING: NATIONAL SECURITY
AGENCY ACTIVITIES AND ITS ABILITY
TO MEET ITS DIVERSE MISSION REQUIREMENTS
----------
THURSDAY, SEPTEMBER 24, 2015
U.S. Senate,
Select Committee on Intelligence,
Washington, DC.
The Committee met, pursuant to notice, at 2:32 p.m. in Room
SH-216, Hart Senate Office Building, Hon. Richard Burr
(Chairman of the Committee) presiding.
Present: Senators Burr, Feinstein, Risch, Coats, Rubio,
Collins, Lankford, Cotton, Wyden, Warner, King, and Hirono.
OPENING STATEMENT OF HON. RICHARD BURR, CHAIRMAN, A U.S.
SENATOR FROM NORTH CAROLINA
Chairman Burr. I'd like to call this hearing to order.
Admiral, welcome. I'd like to welcome Admiral Rogers,
Director of the National Security Agency. Mike, as you well
know, we typically hold our hearings in closed session so that
we can review your classified programs. Given the sensitive
nature of these programs and the need to protect sources and
methods by which intelligence is gathered, that position is
certainly understandable. Today, however, we want to take time
to ensure that the American people have an opportunity to learn
more about the NSA, the mission your workforce is tasked with,
and what you're doing to combat the increasing cyber threat to
our Nation.
Cyber threats to our U.S. national and economic security
are a top priority for the intelligence community, and
destructive cyber intrusions and attacks are increasing in
scale, scope, complexity, and severity of impact. The Office of
Personnel Management recently suffered from one of the biggest
cyber breaches our government has ever encountered, and there
are countless other recent examples of cyber breaches and
attacks in both the public and the private sector.
While NSA typically works in secrecy, I think all of us on
this Committee expect that you'll be front and center on the
issue for the foreseeable future, informing and educating the
American public.
I'd like to take a moment to thank you and your workforce
for your dedication and the critical work you continue to do to
protect our Nation. You are by now accustomed to the different
and direct questions which we ask you often in closed session,
and you know that we do so to challenge you and your
organization always to be better.
Admiral, today represents a unique opportunity for you to
educate the American people on what you do, how you do it, how
your agency's postured to address the growing cyber threat for
both state and non-state actors.
I want to thank you again for joining us and I look forward
to your testimony as you seek to separate the myth of the NSA
from the reality of the NSA, to the extent you can do so in an
open setting, and we recognize how different that is.
I would also respectfully remind my colleagues to avoid any
questions that touch on classified programs or questions that
would require Admiral Rogers to divulge any sensitive
information, and the Vice Chair and I will consult if in fact
we believe that we've put Admiral Rogers in that type of
situation.
Again, welcome, Admiral. I turn to the Vice Chairman.
OPENING STATEMENT OF HON. DIANNE FEINSTEIN, VICE CHAIRMAN, A
U.S. SENATOR FROM CALIFORNIA
Vice Chairman Feinstein. Thanks very much, Mr. Chairman,
and thanks for holding this open hearing to allow the Committee
to discuss in public the important work that the NSA does and
some of the current challenges they face to keep up with
national security threats against us.
Director Rogers, welcome back before the Committee. As we
have discussed many times in closed sessions, NSA and Cyber
Command are at the forefront of a number of major national
security challenges and policy decisions. So I look forward to
this discussion today.
Before getting to the rest of my statement, I want to
publicly praise the work the NSA has done in collecting
intelligence that has enabled the rest of the government to
identify and stop terrorist plots directed or inspired by the
Islamic State of Iraq and the Levant here in the homeland. This
threat is by no means over, but there have been a number of
important disruptions thanks to good intelligence and good law
enforcement work, and you figure in that in a major way. So
thank you very much.
As FBI Director Jim Comey noted in his testimony before our
Committee in July, and I quote: ``The foreign terrorist now has
direct access into the United States like never before.'' End
quote. There are now more than 200 Americans who have traveled
or attempted to travel to Syria to participate in the conflict
and that remains a significant concern.
I'd appreciate your assessment of the ISIL threat and the
threat to the United States from others as well. Of course,
when discussing that threat we also have to recognize that, due
in part to leaks of classified information, improved
operational security by terrorist groups, and the availability
of encrypted means of communications that cannot be collected,
there is increasingly a limit on what NSA will be able to
contribute. I know we'll have a chance to discuss that change.
There are also numerous press reports in the past week or
two suggesting that the Administration is rethinking its
support for any legislative solutions to this problem. We
welcome your thoughts on how to approach the so-called ``going
dark'' issue. I think the more you can tell the public about it
here today, the better.
Certainly, the hack on the OPM database, as the Chairman
said, demonstrates the need for better protection of personal
information. But I'd very much like to hear your views on
whether this is an either-or situation or if there's a way to
keep private communications protected while still allowing the
government to gain access to critical information when it's
doing so pursuant to a court order or other appropriate legal
process. As the head of one of the most technically proficient
agencies in the government, your input into this question is
very important.
Next, while the Committee has been following the
implementation of the USA Freedom Act, today presents a good
opportunity for the American public to hear how that transition
is going. Under the new law, the NSA will no longer collect
phone metadata directly from phone companies and conduct its
own tailored queries of those data. Instead, the government
will have to obtain a court order in order to ask
telecommunications providers to query their own records and
produce the responsive information.
It's important, I think, for the public, as well as for us,
to know whether this transition will be complete at the end of
a 180-day period and whether you assess, if the system is in
place at that time, if you assess it will meet your operational
needs.
I'd also like to know whether this system, once fully in
place, will achieve the goal of providing NSA with responsive
information from a broader set of records than it had before
the USA Freedom Act passed or whether there will still be the
relatively small percentage of phone records that were
available to you before the change.
Finally, you've briefed the Committee recently on the
reorganization you're putting into place in the NSA. It would
be appropriate at this hearing for you to describe that
reorganization to the extent that you can, why it's needed, and
what changes are being made.
Again, thank you very much for the work your agency does.
I've been very proud of it, and thank you for your leadership.
Chairman Burr. Thank you, Vice Chairman.
For the purposes of Members, we will skip the one-question
round for this open hearing and we'll go to five-minute
questions after the Admiral has testified. We will do that
based upon seniority, which I'm sure Senator Wyden and Senator
Risch will complain to me about since they're on time today and
typically they might be running a few minutes behind.
But with that, Admiral Rogers, the floor is yours. Again,
welcome.
STATEMENT OF ADMIRAL MICHAEL S. ROGERS, USN, DIRECTOR, NATIONAL
SECURITY AGENCY; COMMANDER, U.S. CYBER COMMAND; AND CHIEF,
CENTRAL SECURITY SERVICE
Admiral Rogers. Thank you. Chairman Burr, Vice Chairman
Feinstein, Members of the Committee: Thank you for inviting me
today. It's a distinct honor and privilege to appear before
you. I appreciate this opportunity to speak to you about the
National Security Agency, about who we are, what we do, and how
we contribute to the Nation's security. In talking with you,
moreover, I'm grateful for this chance to explain to the
American public whom you represent what it is that their fellow
citizens at NSA do to defend our Nation as well as support
allies and partners around the world.
NSA plays a critical role in protecting the United States'
national security systems and providing insightful and
actionable foreign intelligence to our leaders, military
commanders, and foreign partners. We're the Nation's
cryptologic arm and America and her allies depend on our
efforts.
The NSA workforce, approximately 40,000 civilian and
military employees, is headquartered at Fort Meade, Maryland,
just outside Washington, as you know. We have facilities in 31
states and a global presence that spans the world. The team
that I am proudly a member of comprises a diverse group of
individuals who come from every corner of America. About 40
percent of our team is uniformed military, representing every
service, with both active duty and reserve members. Our team
members at NSA include analysts, collectors, operators,
mathematicians, linguists, cryptographers, engineers, computer
scientists, and too many other skills to list here by name.
Our workforce ranges from high school interns to junior
enlisted members of the military to senior executives of the
civilian service and flag-rank officers in the military. NSA
personnel are well educated, with over 75 percent of our
civilians holding bachelor's degree or higher. Our military and
civilian linguists working in our foreign intelligence mission
have proficiency in over 120 different foreign languages.
Almost 40 percent of our employees work in the science,
technology, engineering, and mathematics fields, and they hold
the majority of the over 200 patents that have been granted to
members of the NSA workforce, more patents than any other
Federal agency.
In addition to working every day to keep our country safe,
our employees help to enhance their local communities by doing
things like volunteering in classrooms, planting community
gardens, and helping to clear the Appalachian Trail. They
donate thousands of gallons of blood to the Red Cross every
year, contribute millions of dollars to Federal charity drives,
and give tons of food to the ``Feds Feed Families'' hunger
drive. NSA and its affiliates are volunteer firemen, Marines
collecting for the ``Toys for Tots'' campaign, Airmen serving
with the Civil Air Patrol, Soldiers coaching Little League,
Sailors volunteering to clean the Chesapeake Bay, and civilians
leading Girl and Boy Scout troops. In short, they are your
neighbors.
NSA employees work hard and they work well to keep our
Nation safe and protect our civil liberties and privacy. Let me
explain their main duties and missions in a little bit more
detail. NSA's Information Assurance mission--Information
Assurance mission--is to protect national security systems,
such as systems that process classified information. We
generate ideas for defending these networks and impart valuable
security insights so the public and our allies may benefit. In
short, we ensure that our Nation's leaders and military can
communicate securely and that adversaries cannot gain access to
our Nation's secrets. That work also enables us to develop new
opportunities to share warning and cyber insights with the
private sector, so America can improve the overall security and
integrity of its information systems and critical
infrastructure.
NSA has evolved with changes in technology as the world has
shifted from analog to digital communications, following the
emergence of networks and the convergence of devices and
functions in our modern mobile society. As a result, NSA now
plays a key role in cyber space, assisting U.S. Government
efforts to see, mitigate, and deter cyber security threats. In
concert with public, private, and foreign partners, our work
helps to ensure users, operators, and administrators maintain
control of their systems and data.
NSA also gives our leaders unique insights into the hostile
activities of foreign powers and their agents. Our people lead
the Nation's signals intelligence enterprise, defending America
and our allies by collecting, analyzing, and reporting foreign
intelligence and counter-intelligence information derived from
the interception of foreign signals and communications. NSA
does this work in accordance with law and strict guidelines,
and only by collecting foreign intelligence in response to
specific requirements from U.S. policymakers and senior U.S.
commanders which are deemed necessary to advance the Nation's
policy goals to warn and report on strategic and military
developments around the world and to prevent strategic
surprise.
What NSA collects and analyzes is driven by the priorities
listed by our Nation's political and military leaders in formal
and constantly reviewed tasking documents. We work within a
framework of law, rules, and oversight provided by Congress,
the Executive Branch, and, as appropriate, the courts. That
system of accountability ensures the privacy and civil
liberties of U.S. persons.
On a daily basis, NSA provides insights into hostile plans
and intentions so that our customers and partners can counter
threats across the globe. Our military and its partners rely on
NSA to help them achieve tactical and operational success. Our
products are part of the fight, as essential to military
operations as food, fuel, and ammunition.
Our requirements include a wide range of SIGINT missions.
One of our most important SIGINT missions is counterterrorism,
discovering terrorist plans, intentions, communications, and
locations to disrupt and defeat their attacks. As a combat
support agency, NSA directly supports the military with
information to perform its missions and to provide force
protection, indications and warning, and over watch support to
keep our troops out of harm's way.
Our work also helps the United States and its allies to
capture bomb makers, spot illicit fund transfers, work
transnational crime, and explain to other nations how
terrorists hope to transit their territory.
We also work to identify potential threats to U.S.
citizens, military personnel, and embassies around the world.
In addition, we devote considerable resources to the
international campaign to halt the spread of weapons of mass
destruction, tracking, reporting, and sharing data to keep
nuclear, biological, and chemical weapons out of the wrong
hands to keep the Nation safe.
We also assist the efforts of the Department of Homeland
Security to protect America's critical infrastructure from
cyber attacks. Finally, we support U.S. Cyber Command, which I
also lead, and will continue to help the Command develop the
capability and capacity it needs to accomplish its vital
missions.
As you well know, the threat environment both in cyber
space and in the physical world is constantly evolving, and we
must keep pace in order to maintain our advantage and generate
the insights that our Nation is counting on. Our Nation's
networks, communications, and data are increasingly at risk
from diverse and persistent threats. These include rogue
states, organized criminal enterprises, and terrorists, who are
showing a willingness and an aptitude to employ sophisticated
capabilities against us, our allies, and indeed anyone who they
perceive as a threat or a lucrative target.
Various self-proclaimed cyber activists also cloud the
threat picture. In addition, certain states are disposed to
conduct cyber coercion against their neighbors and rivals and
to fund campaigns of cyber exploitation against us and our
allies. The targets of their efforts extend well beyond
government and to privately owned businesses and personally
identifiable information, putting the privacy and data of all
Americans at risk.
Terrorist tactics, techniques, and procedures continue to
evolve. Those who would seek to harm us use the same internet,
the same mobile communication devices, and the same social
media platforms that we all use in our everyday lives. As
terrorists become more savvy about protecting their
communications, we must keep pace in order to protect the
Nation and our allies.
NSA will continue to rise to these challenges. As an
enterprise, we have had to reinvent ourselves before and we
will do so again. The use of intelligence to protect our Nation
dates back to the United States' very origins during the
Revolutionary War. NSA's predecessors, working with their World
War II partners, found German U-boats by solving Enigma machine
messages. They helped turn the tide of the war in the Pacific
at Midway by cracking the Japanese codes.
Today the men and women of NSA fight terrorists around the
globe. Today we target the communications of terrorist
organizations who mean to do us harm, helping to uncover and
thwart their efforts to communication with sleeper cells around
the world or recruit fighters to their cause. The means of
communications have changed, but the requirement to maintain
our ability to collect and exploit the communications of
hostile foreign actors remains constant.
When the information revolution transformed communications,
NSA helped lead the way towards information assurance and
pioneered intelligence in cyber space, while enabling military
and counterterrorism operations in real time, in full
compliance with the Constitution and the law. Every NSA
employee takes an oath to preserve, protect, and defend our
Constitution and its civil liberties and the privacy of our
citizens that the Constitution guarantees. We just repeated
this oath across our workforce on 9-11. Security and privacy
are not tradeoffs to be balanced, but complementary
imperatives, and NSA supports both.
The complex issues before us today represent an opportunity
to write yet another chapter in our agency's rich tradition of
service to the Nation. NSA plays an indispensable role in
enabling our leaders to keep the peace and secure the Nation.
Our value lies in facilitating positive outcomes for the Nation
and our allies, and we have delivered this for well over 60
years. Our unique capabilities are more in demand and more
important to the Nation's security than ever. We are rightfully
proud of that accomplishment and what we continue to
accomplish, and we are striving to ensure that the American
people take pride in NSA.
Mr. Chairman, Madam Vice Chairman, and Members of the
Committee: Thank you again for the opportunity to be here with
you today, and I look forward to your questions.
[The prepared statement of Admiral Rogers follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Burr. Admiral Rogers, thank you.
Again, for Members, we'll go directly to five-minute rounds
based upon seniority.
Admiral, cyber threats continue to grow, both for the
public and the private sector. NSA faces stiff competition from
the private sector at recruiting those individuals with the
skills that are needed. What can you offer at NSA that Silicon
Valley can't offer?
Admiral Rogers. I think the difference for us is that, as
you have acknowledged, Chairman, we're competing for much of
the same workforce. The advantage that we have in my mind is
not unique to the cyber mission. I've experienced this as a
uniformed individual for the last 34 years. It's the power of
mission and the sense of serving something bigger than
yourself. That ultimately is the edge that we have. That's not
something you can easily replicate on the outside. It enables
us to attract cutting-edge technology, incredibly motivated and
capable men and women, even in the face of the fact that they
could earn a tremendously greater amount of money working on
the outside. But it's that sense of mission, it's that sense of
purpose, it's that ethos of culture and compliance, if you
will, that I think is our greatest advantage.
Chairman Burr. Admiral, NSA plays a significant role in
counterterrorism efforts, discovering terrorist plans,
intentions, communications, and locations, to disrupt or to
defeat their attack. Obviously, we can't go into great detail
here, but to what extent can you discuss it, and please
elaborate on what NSA is doing to combat terrorism and, more
specifically, please elaborate on what NSA's doing to combat
terrorism and, more specifically, something that every
American's focused on, and that's ISIL?
Admiral Rogers. Without going into the details of how we do
this, we broadly use our ability to work communications in the
foreign space to generate insights as to what ISIL and other
groups are doing, largely through our cyber and our signals
intelligence expertise.
The challenge I would argue in the counterterrorism mission
set for us, whether it's ISIL--I've seen the same thing in Al-
Qaeda and Al-Qaeda in the Arabian Peninsula, for example--I've
seen more changes in their behavior in the last two years
probably than any other target. They actively reference some of
the compromises and media leaks of the last couple of years,
and we know that they have achieved a level of insight as to
what we do, how we do it, and the capabilities we have that,
quite frankly, they didn't have in the past.
As a result of that, quite frankly, it has become harder,
more difficult, to achieve insights as to what they are doing,
combined with, in fairness, the broader changes in technology
we're seeing--encryption, use of apps that offer end-to-end
encryption, more complicated attempts to hide in the broader
set of noise, if you will, that's out there.
The positive side, though, to me is in the end it's not
technology; it's about the motivated men and women of NSA.
That's our edge. I always remind them, the nature of our
profession is that we tend to gain advantage and lose advantage
over time, because technology and the opponent's behavior
always change.
Chairman Burr. Admiral, why should the American people care
whether you're successful or not?
Admiral Rogers. Because the insights that NSA is able to
generate directly help to ensure the security of every citizen
of this Nation, as well as those of allies and friends. I will
not for one minute pretend that we are a perfect organization,
but I am very proud of our mission set, the way we do it. And
quite frankly, the only reason I'm still doing this is because
I think the mission that NSA does is incredibly important to
the Nation and our allies.
Chairman Burr. What's your greatest resource challenge
right now?
Admiral Rogers. Requirements far exceeding resources,
whether it's--if you look at the growth in cyber challenges,
you look at the proliferation of communications technology,
trying to stay on top of this with a workforce that has not
grown.
We're in our--fiscal year 2016, which we will start on
October the 1st, we'll see how the budget comes out, but we
project this will be the fifth straight year of a declining
budget. So one of my challenges as a leader is how do we
continue to generate the insights the Nation is counting on
even as the resources that we use to generate those insights
continue to decline.
Chairman Burr. Thank you, Admiral.
I'll turn to the Vice Chairman.
Vice Chairman Feinstein. Thanks very much, Mr. Chairman.
I'm going to try to get through three questions in five
minutes.
Let's go, if I might, Admiral, to the USA Freedom Act. How
long did it take one of your analysts to do a query under the
old bulk collection system and how long does it take to do a
query under the new system at the telecom companies?
Admiral Rogers. Now, if I could, I assume by asking how
long it takes to conduct a query that includes both getting the
court's approval, the analysis that goes into deciding that we
need to query the data. Under the old system there were several
different--we had emergency authorities, for example, that I
could use, which were the very quickest. Under those
authorities, generally, we could do the analysis, the team
could make a case to me as to why I needed to use those
emergency authorities when I believed that there wasn't
sufficient time to get to the court.
On those handful of occasions in which I have done that, I
had to notify the Attorney General in writing, I had to notify
the FISA Court in writing as to what I did and why I did it,
and what the basis of my determination was. In each case, the
times that I have done it to date were all driven by the fact
that we were getting ready to pursue tactical action somewhere
in the world that I was afraid was going to precipitate a
reaction from ISIL and other groups and as a result I
authorized access to the data and then informed the court and
the Attorney General.
That process, probably all the analysis, them briefing me,
me approving it, them going in and looking at the data,
probably something less than 24 hours if you count everything.
The average under the old system, not using that emergency
basis, was something--I think the fastest we ever did the
entire process was something on the order of two days using the
normal processes. The average was closer to four to six.
Vice Chairman Feinstein. Well now, are you saying you have
to use the emergency more often?
Admiral Rogers. No.
Vice Chairman Feinstein. You said five or six instances.
Admiral Rogers. No. We queried the data multiple times
through a court approval. There were a handful of times that
I----
Vice Chairman Feinstein. Well, you're saying it's faster
now?
Admiral Rogers. No. That is under the old system. You asked
me to compare old versus new. I'm just trying to give you a
framework for under the old system.
Under the new system, because it's not implemented I can't
tell you right now. Remember, we're in the process of
transitioning. The transition must be complete by the end of
November 28th.
Vice Chairman Feinstein. So you haven't done any?
Admiral Rogers. We have not completed the process yet.
That's why the legislation we had asked--this is going to take
some number of months to work with the providers, to make the
technical changes on the provider side.
Vice Chairman Feinstein. Got it.
Second subject. Sunday's ``New York Times'' reported that
our country will ask the Chinese to embrace the United Nations
Code of Conduct on Principles for Cyberspace that no state
should allow activity, quote, ``that intentionally damages
critical infrastructure and otherwise impairs the use and
operation of critical infrastructure to provide services to the
public.'' From your perspective, would a cyber arms control
agreement along these lines be valuable? Would it be
enforceable?
Admiral Rogers. First, that's a broad policy question. In
terms of the input, my opinion, the devil is always in the
details. I'd want to understand the specifics of exactly what
we are talking about.
Vice Chairman Feinstein. That's a good duck. It just
doesn't quack.
Admiral Rogers. I apologize, but there are so many
variables in this.
Vice Chairman Feinstein. Let's move on. I wanted to ask you
about the use of encrypted communications by terrorists and
criminals. The FBI Director came before us, as you know, and
gave us very stark testimony about going dark and how big the
problem was. Do you believe that the increased use of this kind
of encryption and apps, as you pointed out, poses a national
security threat?
Admiral Rogers. Yes, ma'am. I am concerned that the
direction we're going is effectively--if we make no changes,
represents a significant challenge for us in terms of our
ability to generate insights that the Nation is counting on.
Vice Chairman Feinstein. Can we make changes?
Admiral Rogers. I'm the first to acknowledge it's a complex
issue. I'd make a couple points. First, I don't think you want
the government deciding, hey, what the right answer is here. We
have got to collectively get together between the private
sector, government, industry, policy, the technical side and
sit down and figure out how we're going to work our way through
this, because I'm the first to acknowledge this is an
incredibly complex topic and there are no simple and easy
answers here.
I believe that, like anything, hey, if we put our mind to
it, we can ultimately come up with a solution that is
acceptable to a majority. It likely won't be perfect and I'm
the first to acknowledge you don't want me or an intelligence
organization making those kinds of decisions, you don't want us
able to unilaterally do that. I'm the first to acknowledge
that.
Vice Chairman Feinstein. Thank you.
Thank you, Mr. Chairman.
Chairman Burr. Senator Coats.
Senator Coats. Thank you for your service. I appreciate it.
To follow up on Senator Feinstein's questions, if I heard you
right, under the old system, given the procedures that you go
through, if it's an emergency you can get clearance in less
than 24 hours?
Admiral Rogers. Under the previous framework, I as the
Director of NSA was delegated the authority in emergency
situations to authorize access to the data. I then had to go to
the court and to the Attorney General and put in writing why I
did it, what I did, and what the basis of that decision was.
Senator Coats. What if it's imminent? What if you get a
call that a plane took off in Boston, turned south toward New
York when it was scheduled to go to Montreal, and you said that
will arrive in New York air space in 15 minutes? What happens?
Admiral Rogers. That's one of the reasons for that
emergency authority, so that I have the authority under the
current system. Now, as we transition to the new law, which
again we have to have permanently in place by November the
29th, I have lost that authority. It has now been raised to the
Attorney General. So I will have to approach the Attorney
General for why she, in this case she, needs to authorize
emergency access.
Senator Coats. So we're adding time to the process?
Admiral Rogers. It's probably going to be longer, I suspect
we're going to find out.
Senator Coats. And based on my question and your answer,
something that imminent probably can't be addressed in time to
put up the defenses?
Admiral Rogers. Not in minutes. I doubt we could do it in
minutes.
Senator Coats. You stated in your statement here that NSA
works daily to protect privacy and civil liberties. We've seen
breaches of tens of millions of Federal employees' records.
We've seen breaches of well over 50 million of a major
insurance company in my State. We've seen breaches of
everything from retail stores to you name it.
Obviously, those occur partly because those entities did
not have the procedures in place to block that. NSA does. Yet
you're criticized, your agency's been criticized, for being too
loose on privacy, can't trust you. But all the information--and
you're collecting phone numbers and names of individuals you
don't know. And the breaches are occurring with all kinds of
information of when you were born and what your Social Security
number is and what your bank account number is and everything
else.
So give me again for the record just what kind of things
NSA went through and continues to go through that protects
privacy and civil liberties, and if you can an explanation of
why NSA is deemed untrustworthy holding information, and yet we
rely on institutions that leak the stuff by the tens of
millions?
Admiral Rogers. If I could, let me answer the second part
first. It's one of the great challenges for me as a leader and
I would argue for us as a Nation. Increasingly, we find
ourselves as a society distrustful of government, writ large,
and in the aftermath of media leaks, NSA in broad terms.
I think that's both a part of this broader environment that
we currently live in right now--you see it in the fact that
we're unable to achieve--you live this every day in your
political lives--we're unable to achieve political consensus on
difficult issues that face the Nation. We have strong opinions
and yet we can't seem to come to a consensus about how we move
forward on many things.
What is happening to NSA is a part of that broader context.
So we find ourselves in a position where we acknowledge we must
follow the law, we acknowledge we must operate within a legal
framework and the set of authorities and policies. We do not
indiscriminately collect. Everything we do is driven by the law
and a set of priorities as to exactly what we do and what we
focus on. Those priorities designed to generate insights to
help defend our Nation, not to violate people's privacy.
But in the world we're living in now, that seems to get
lost in the ether in many ways, part of the challenge being as
a classified organization, if you will, the how we do what we
do, because I can't go into great details about, well, this is
exactly why you should feel comfortable, let me walk you
through all the things we have done that you have no clue about
but you should feel very comfortable with as a citizen or an
ally about what we've been able to forestall.
In terms of what we put in place to attempt to ensure the
privacy and civil liberties of our society, you look at the
legal framework that collectively was created for the call data
records, USA Freedom Act. You look at what we have done in
terms of complying with court orders. You look at what we have
done in terms of NSA has had three major outside reviews--702,
the Section 215, the call data records, of our collection in
general. Every one of those reviews has come back with the same
conclusion: You can argue that the law is good or bad, but NSA
is fully compliant with the law.
NSA has a systematic system in place designed to ensure
oversight and protection of the data we collect. We ensure that
not everyone in our workforce can just access any one that we
collect. The call data records, for example, Section 215, out
of an organization, as I told you in my opening statement
that's close to 40,000, we have limited access to that data to
30, approximately 30 people by design. We want--we understand
the sensitivity and the importance of the data that we collect,
and we need to ensure that we can tell you as our oversight, as
well as the broader citizens we defend, that we are not
arbitrarily misusing this data, that we are not opening it up
to just anyone in our workforce who wants to look at it.
We take those duties and those responsibilities very
seriously, and each one of the three major independent reviews
we've had in the last 18 months have come to the exact same
conclusion in that regard.
Chairman Burr. Senator Wyden.
Senator Wyden. Thank you, Mr. Chairman.
Thank you, Admiral, for your professionalism.
Let's see if we can do the first question on bulk
collection, this matter of collecting all the millions of phone
records on law-abiding people, with just a yes or no answer,
because I know Senator Feinstein got into some of the questions
with respect to implementation. I have heard you comment on
this, but I'd like to see if we could do this on the record. Do
you expect that ending bulk collection is going to
significantly reduce your operational capabilities?
Admiral Rogers. Yes.
Senator Wyden. In what way?
Admiral Rogers. Right now, bulk collection gives us the
ability to generate insights--we call it discovery--gives us
the ability to generate insights as to what's going on out
there. I'd also encourage the panel, as well as the Committee,
as well as the Nation, to review the National Academy of
Sciences review, in which they were specifically asked: Is
there an alternative to bulk collection? Is there software or
other things that we could develop that could potentially
replace NSA's current approach to bulk collection? That
independent, impartial, scientifically founded body came back
and said: No, under the current structure there is no real
replacement and that bulk collection as used by NSA generates
value.
Senator Wyden. But, as you know, the President's Advisory
Committee disagreed with you. They had an independent group
appointed and they said--and I believe it's at page 104 of
their testimony--that there was no value to bulk collection
that could not be obtained through conventional means, and it's
specifically cited.
Let me ask you about encryption, because in my view this is
a problem largely created by your predecessors, General Hayden
and General Alexander specifically. I believe they overreached
with bulk collection. That undermined the confidence of
consumers and the companies responded because they were
concerned about the status of their products with strong
encryption.
So at that point I began to be pretty concerned because it
looked like the government's position was companies would be
required to build weaknesses into their products. Now the
discussion has shifted to whether there should be the
availability of encryption keys to access these products. Now,
I don't want to go into anything classified or matters relating
to Executive Branch discussions. But let me ask you about a
policy matter. As a general matter, is it correct that any time
there are copies of an encryption key and they exist in
multiple places, that also creates more opportunities for
malicious actors or foreign hackers to get access to the keys?
Admiral Rogers. Again, it depends on the circumstances. But
if you want to paint it very broadly like that for a yes and
no, then I would probably say yes.
Senator Wyden. Okay. I'll quit while I'm ahead.
What concerns me, Admiral, seriously is that as this
question of access to encryption keys is pursued--and I think
that's where we move, as I indicated to you in our
conversation, from the original position, which looked like
companies would have to build weaknesses into their products,
which I think is a staggering development, it seems now it has
shifted with Ms. Yates's comments and others to this question
of the availability of keys.
You've just told me as a general proposition when there are
multiple keys--and there will be multiple keys--that creates
more opportunities for malicious actors or foreign hackers. And
to me, the good guys are not going to be the only people with
the keys. There are going to be people who do not wish this
country well. That's going to provide more opportunities for
the kinds of hacks and the kinds of damaging conduct by
malicious actors that I think makes your job harder.
I think you're doing a good job. I think you've been
straight with the Congress and certainly with me. But that's
what concerns me about access to malicious keys, and I
appreciate your answer on that.
Go take a look at page 104 of the President's Advisory
Committee, because on this question of operational
capabilities, not only do we not have any cases that indicated
that there was a compromise of the abilities of our
intelligence community, it was the unanimous finding of the
President's experts. That page will give it to you.
Thank you, Mr. Chairman.
Chairman Burr. Senator Rubio.
Senator Rubio. Thank you.
Thank you, Admiral, for being here. As you're aware, the
Chinese president, the leader of the Chinese Communist Party,
Xi Jing Ping, is going to be in the White House this week and
to receive the full honors of a state visit. But our
relationship with China is not at a good place at this moment.
They've breached the U.S. Government databases, they continue
cyber attacks against other elements of our government. Over
the last 20 years we've witnessed the single largest transfer
of wealth in the history of the world as Chinese companies,
backed by the Chinese government, have stolen proprietary data
and U.S. State secrets, and now, of course, the personal data
of at least 25 million Americans, if not more.
One of the things I've advocated is a three-step process. I
think we should be expelling known Chinese spies that are
operating in the U.S. as retaliation for these cyber attacks. I
think we should be disconnecting all sensitive databases from
the internet and ensure that our agencies that are responsible
for protecting government databases are doing their job. And I
think we need to make clear that we're going to respond in kind
to deter adversaries like China who will continue to attack us.
I guess my question begins by asking you: Would you agree
that a public discussion on an offensive cyber capability would
be an effective deterrent?
Admiral Rogers. I think we as a Nation need to have a very
public discussion about how do we achieve this idea of
deterrence, because if we don't change the current dynamic we
are not in a good place. We have got to fundamentally change
the dynamic we're dealing with now.
Senator Rubio. As the Director of NSA and as Commander of
U.S. Cyber Command, have you provided advice to the President--
I'm not asking what the advice is, but have you provided advice
to the President or the White House on ways to defend against
cyber attacks, cyber deterrent strategy, and appropriate
measures for us to respond to such attacks?
Admiral Rogers. Yes.
Senator Rubio. I understand that you're not charged with
creating policy, but has the White House sought your opinions
on policies relating to these matters, specifically on a more
effective cyber deterrent and best practices for securing U.S.
Government systems?
Admiral Rogers. Yes. I'm very happy in the process in the
sense that, hey, I'm just one perspective. I certainly
understand that. But I've certainly had the opportunity to
communicate my views as to what I think we need to do.
Senator Rubio. I guess my last question is going back to
the points that I've raised about expelling Chinese spies
operating in the U.S. as retaliation and also disconnecting the
sensitive databases from the internet. Are these measures that
you think are worthy of exploration? Would they have any sort
of deterrent effect or be part of the broader public discussion
about this issue?
Admiral Rogers. Certainly in my experience one of the
things we've found and one of the challenges, particularly for
Cyber Command, my other hat where I deal with penetrations in
the Department of Defense, one of the things that we have come
to understand is you need to minimize your exposure with what
we call public-interfacing web sites, connectivity with the
internet.
The flip side, though, is that there is a requirement in
many instances to ensure information flow from the internet in
the system. And so the idea that you're going to be able to do
some of these things with no internet connectivity, again it
depends on the situation. It can be problematic if you expect
data to flow back and forth.
Senator Rubio. I just have one last question. I apologize.
It's kind of a matter of doctrine, more or less. Our doctrine,
the doctrine of most nations, if not all on Earth, is that
there is a difference between intelligence gathering on
governments and intelligence gathering on private entities.
Clearly, multiple nations, if not all around the world, have
some sort of intelligence gathering capability and it's
targeted primarily at the governments and government actors in
other nations, especially those they have an adversarial
position with.
Is it fair to say that for the Chinese there is no such
distinction, that for them the notion of intelligence
gathering, they view commercial intelligence gathering and
governmental intelligence gathering as all part of their
foreign policy and intelligence gathering capability? They
don't have that distinction that we have or other nations have;
is that an accurate assessment?
Admiral Rogers. They clearly don't have the same line in
the sand, if you will, in that regard. I watch some of my
counterparts there do things that under our system I could
never do.
Senator Rubio. Exactly. So the point I'm trying to drive
at, because many Americans are not perhaps fully aware of this,
is that the Chinese government actively encourages as part of
their national policy the stealing of commercial secrets of
American companies for purposes of building up their own
capability, and this is directed by government. This is not
like a Chinese company hacking an American company. This is
directed, influenced, and funded by the network government
itself.
Admiral Rogers. Yes.
Senator Rubio. Thank you so much for your service.
Chairman Burr. Senator Warner.
Senator Warner. Thank you, Admiral Rogers, for your
service.
Let me just add an editorial comment here to the Chair and
the Vice Chair. My hope would be, in light of the testimony of
Admiral Rogers, that we could urge the respective leaders in
both parties to bring that information-sharing bill that's
passed out of our Committee back to the floor. I think we do a
great disservice to our country if we don't act on that
legislation as quickly as possible.
Chairman Burr. The Vice Chair and I can assure all the
Members we are working aggressively to get that back up, and my
hope is that Members will have an opportunity, not only to
debate it, but to amend it if need be in the month of October.
Senator Warner. Thank you, Mr. Chairman.
Admiral Rogers, I'm going to spend a couple moments on the
OPM breach. Obviously, 22 million-plus individuals, now we're
understanding 5.6 million fingerprints. We dug into that and I
know you can't comment too much, but that we found--and Senator
Collins and I are working on legislation that says as we look
at the responsibilities of DHS to try to protect the dot-gov
regime, they don't have the same kind of abilities and
responsibilities that you have to defend the dot-mil regime
when it comes to cyber hygiene. DHS actually has an ability to
recommend, but not actually enforce.
Recognizing this may be more asking for your editorial view
here, do you want to make a comment on that?
Admiral Rogers. First, I would argue those authorities to
defend DOD networks really reside operationally more in my U.S.
Cyber Command role. But it's fair to say--and again, it's all I
guess part of the cultures that spawn us--in the Department of
Defense our culture is you're always focused on generating
actionable outcomes. You're focused on empowering individuals
and clearly identifying responsibility and authority and then
holding people accountable.
I think what we want to get to in the dot-gov domain is
something quite similar over time. I think it's fair to say
that we're not there right now.
Senator Warner. We have, Senator Collins and I, have
legislation that would give DHS similar type authorities, as
well as that in effect chain of command. There still seems to
be some lack of clarity about who's in charge. We hear
constantly, even including OPM, that DHS made recommendations
about cyber hygiene that were not implemented by OPM and a
variety of other dot-gov regimes. That to me seems not good
process going forward.
Can you speak to, within this setting, what responsibility
you have in protecting cyber--in protecting sensitive but
unclassified data on the dot-gov side of the house?
Admiral Rogers. I do not have immediate responsibility, in
the sense that the structure is that I at NSA work through DHS
to provide support when it's requested. I am not in those
networks. I am not monitoring those networks.
Senator Warner. And post-OPM, has DHS requested your
assistance?
Admiral Rogers. Yes.
Senator Warner. Again, this is an area that I believe would
be addressed as well, hopefully with at least an amendment to
the information-sharing bill, something I know Senator Collins
and I, and I think most of our other colleagues share, we need
to give DHS those same tools.
Let me switch over to an area where Senator Rubio was. I
concur with him that, while we've not formally identified the
source of the OPM breach, there is obviously speculation
amongst Members and the press. My comment as well is that we do
need a deterrence as part of our overall national strategy.
I'd like you to make any comment you might have on--again,
we're playing on different standards. The Chinese in July
passed legislation that required all of their information
systems and companies that do business in China to have systems
that were secure and controllable in terms of access by the
Chinese authorities, which not only precludes any of the kind
of encryption tools that American domestic companies are
looking at, and again I think raise huge concerns--I agree
fully with Senator Wyden, but I do think there are concerns to
be raised. But also, this ``secure and controllable language,''
wouldn't that be in effect an open ability for Chinese
authorities to potentially get into those companies' databases
for intellectual property theft and other activities?
Admiral Rogers. The Chinese have a fundamentally different
construct than we do. They believe in essence that access to
the content of communications and data is a sovereign right. We
reject that notion. It leads to some of the things that we have
seen them do. It's why we have very publicly discussed this
with our Chinese counterparts, because in the end we want to
get to a place where we can both work together. But the current
approach, where we are so fundamentally apart, we've been very
up front that this is just not acceptable. We can't sustain a
long-term relationship, the kind of relationship we want, if
this is the approach, that the privacy of individuals, the
access to intellectual property, is just viewed as something
the state can do at the time and place of its choosing. It goes
totally against our framework.
Senator Warner. I hope our President will continue to raise
this.
Again, Mr. Chairman, my hope is that so many of the
businesses that we saw meeting with President Xi the other day
in Seattle, I hope they will not default to a lower standard in
their rush to try to access the Chinese market. Thank you, Mr.
Chairman.
Chairman Burr. Senator Collins.
Senator Collins. Thank you, Mr. Chairman.
Admiral Rogers, let me add my thanks to those of the
Committee for your dedicated service.
You mentioned, in response to a question from Senator
Coats, that only 30 NSA employees had access to the metadata,
were authorized to query the database. Am I correct in assuming
that those 30 employees were well vetted, they were trained,
and that they would be held responsible if there were any
misuse of the information?
Admiral Rogers. Yes, ma'am.
Senator Collins. Has there ever been any misuse of the
information that you're aware of?
Admiral Rogers. No, ma'am. The only thing I would highlight
in terms of oversight and compliance, for example, for those 30
individuals, we monitor every keystroke they use in trying to
access the data. We don't do that for every one of our tens of
thousands of other employees. We do it in this regard because
we realize the sensitivity of the data.
Senator Collins. I think that's an excellent point that
should have been reassuring to me. It's very ironic that the
USA Freedom Act was passed under the guise of increasing
privacy protections for the American people when there are
1,400 telcom companies, 160 wireless carriers. Not that you're
necessarily going to have to deal with all of those, but isn't
it likely that far more than 30 people will now be involved in
this process?
Admiral Rogers. Yes, I would expect that to be the case.
Senator Collins. And given that those companies market and
sell a lot of this information, aren't the privacy implications
far greater with this new system than under the careful system
that you described, with only 30 people authorized?
Admiral Rogers. I would respectfully submit that's for
others to decide.
Senator Collins. Well, I think from your--I understand why
you're saying that, but I think if one just looks at the
numbers the case becomes very evident.
In the USA Freedom Act, there's no requirement for the
telcom companies to retain the call detail data, and by that
I'm not talking about content. I'm talking about call detail
data. That's another misconception that some people have.
There's no requirement that that data be held for any
particular period of time. Companies hold it for their own
business records purpose. Is that a concern to you?
Admiral Rogers. Based on our initial interactions with the
providers as we move from the old structure to the new
structure where the providers hold the data, in talking to them
there's a pretty wide range. We're right now dealing with the
three largest, who really have been the focus of the previous
structure. We will bring additional on line, as you have
indicated. Among those three that we're starting with
initially, a pretty wide range of how long they opt to retain
data and for what purposes. Again, under the construct that's
their choice. We'll have to work our way through this.
One of the things I have always promised in the discussion
that led as part of the legislation was, once we get into this
new structure, what I promise will be honest and direct
feedback on how this is working. Is it effective, is it not
effective? What kind of time duration is it taking us? What
have been the operational impacts? I have promised I will bring
that back once we get some actual experience.
Senator Collins. We appreciate that.
Let me turn to a different issue and that is the protection
of our critical infrastructure from cyber threats and cyber
intrusions, which is an issue that's long been of huge concern
to me. The Department of Homeland Security has identified more
than 60 entities in our critical infrastructure report damage
caused by a single cyber incident could reasonably result in
$50 billion in economic damages or 2,500 immediate deaths or a
severe degradation of our national defense.
Your testimony, your written testimony, talks a little bit
about this issue. Your predecessor, General Alexander,
previously has said that our Nation's preparedness when it
comes to protecting against a cyber attack against our critical
infrastructure is about a three on a scale of one to ten. Where
do you think that we are on that scale?
Admiral Rogers. It varies by sector, but on average I'd
probably say right now, again depending on the sector, we're
probably a five or a six. That's not where we need to be,
clearly.
Senator Collins. So there's still a severe problem in this
area that makes us very vulnerable as a Nation?
Admiral Rogers. Yes, ma'am.
Senator Collins. Thank you.
Chairman Burr. Senator King.
Senator King. Admiral Rogers, greetings.
Would a shutdown of the Federal Government next week
compromise national security?
Admiral Rogers. Yes. And if I could, just to go beyond
that. In the last five days or so, as we now are publicly
talking about this possibility, watching the reaction of the
workforce at NSA and U.S. Cyber Command, who are going
``Again?,'' who could easily get jobs on the outside and earn
significantly more amounts of money, this instability, this
message to the workforce that--this is probably a pejorative,
but--you are a secondary consideration in a much larger game,
if you will, that drives----
Senator King. No, no. It's a smaller game, Admiral.
Admiral Rogers. Smaller game. It just drives the workforce,
to the point where today I literally was talking to the
leadership about, we need to sit down and figure out how we're
going to keep these men and women. If their attitude
increases----
Senator King. Keeping these talented men and women is hard
enough to begin with because of higher salaries outside.
There's a survey I commend to your attention, I'll submit for
the record, done late last year of national security
professionals across the government. One of the fascinating
results is that U.S. political dysfunction they ranked as a
higher threat to national security than a nuclear-armed Iran,
Vladimir Putin, China's military buildup, or North Korea. The
only thing above political dysfunction was Islamic extremism.
So that is shocking.
[The material referred to follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Senator King. Let me move on. Political dysfunction being a
national security threat: Pogo: ``We have met the enemy and he
is us.''
A couple of other questions. Deterrence. You've talked
about it briefly. I want to emphasize--you testified that you
were in communication with the White House and the President on
this issue. I think this has got to be a high priority.
Deterrence doesn't work unless people know about it, and it's
got to be a strategy because right now we are in a fight. The
cyber war has started and we are in the cyber war with our
hands tied behind our backs. We would never build a destroyer
without guns.
We've talked about this before. I think--I hope you will
carry this message back, because we've got to fashion a theory
of deterrence. Otherwise, we are going to lose. You cannot
defend, defend, defend, defend and never punch back. And if
your opponent knows you're not going to punch back, it's just
not going to go anywhere.
If you can find a question in there, you're welcome to it.
But I think you understand.
Admiral Rogers. Yes, sir.
Senator King. I hope you will take that message back.
You're a very strong advocate and you're the right guy to take
that message.
Another question that's been touched upon is the idea of a
cyber-nonproliferation treaty. I find that a fascinating
concept and I wish you would expand a bit on that, that we can
establish some rules of the road in this field for our mutual
protection of the various countries that are cyber capable.
Admiral Rogers. I certainly think we can get to the idea of
norms. Formal treaty, I don't know, because one of the
challenges in my mind is how do we build a construct that
ultimately works for both nation-states and non-state actors.
One of the challenges inherent in cyber is the fact that you
are dealing--unlike the nuclear world where you're dealing with
a handful of actors, all nation-states, you're dealing with a
much greater number of actors, many of whom, quite frankly, are
not nation-states and have no interest in sustaining the status
quo, so to speak. In fact, if you look at ISIL and other
groups, their vision would be to tear the status quo down.
They're not interested in stability.
Senator King. I just think that this is a promising area
with other nation-states. Obviously, it's not going to be the
whole solution, but if there are states like Russia or China
that are willing to have this discussion I think it's a
profitable discussion.
Admiral Rogers. Right.
Senator King. Along with the idea of deterrence, because we
are asymmetrically vulnerable in this war. We're the most wired
country on Earth and that makes us the most vulnerable country
on Earth.
Well, I appreciate your testimony and the work that you're
doing. Oh, you testified a few minutes ago that you had a
variety of reactions from the telecoms about retention levels.
You said they were short to long. What's the shortest that
you've been informed of?
Admiral Rogers. I want to say it's something on the order
of 12 to 18 months.
Senator King. Okay, so that's on the short end. I hope you
will let this Committee know if it goes below that level,
because at that point it becomes very problematic as to whether
or not the data being retained will be of usefulness in a
national emergency.
Admiral Rogers. I will.
Senator King. Thank you, Admiral.
Thank you, Mr. Chairman.
Chairman Burr. Senator Lankford.
Senator Lankford. Admiral, thanks for being here. Thanks
for your leadership in your work. We've had multiple
conversations and I appreciate what you bring to this. Answer
this for me: What else can NSA do to help other agencies deal
with cyber deficiencies? We've had some extremely public cyber
deficiencies of the Federal Government of late. What assets can
NSA bring to bear to be able to help on this? I think you end
up coming in to clean up the mess as much as you end up trying
to help defend. How do we get proactive on this?
Admiral Rogers. What I'd like to do--and again, we'll be
part, NSA will be part of a broader team. What I'd like to do
is be proactive and get ahead of this problem set.
Senator Lankford. Currently the agencies have
responsibility to be able to take on and make sure that their
systems are all protected. There doesn't seem to be a lot of
accountability in the structure. There are people advising
agencies, but what can be done proactively?
Admiral Rogers. I'd be interested, for example, in could we
build a framework where someone from outside the organization
is doing an independent assessment, as an example. I can within
the DOD, largely under U.S. Cyber Command authority, but I also
do this with NSA. I can go into any dot-mil network anywhere in
our structure. I can assess it. I can test it. I can attempt to
penetrate it. I don't have to give notice to the network owner,
as an example. That really doesn't exist on that scale anywhere
else in the government.
I'd like to see what we can do to try to, again, get ahead
of the problem set, try to replicate some of the activities
we're seeing from opponents ahead of time before they do it,
and test our abilities.
Senator Lankford. Let me ask about auditing and how you do
that for your own people and processes. You mentioned, for
instance, on these 30 folks in the past every keystroke has
been monitored. How often do you do auditing and how do you
audit that? You have an incredible group of folks that serve
the Nation, but obviously the accountability of the network is
extremely important. We've had rogue folks in the past take
information.
Admiral Rogers. Auditing varies. As I've said, those 30
individuals, the call data record database, that's probably the
area we put more external monitoring and controls in than any
other part of our structure. On the other hand, in the
aftermath of the media leaks, we've sat back and asked
ourselves, so how could this have happened? What have we failed
to do as an organization and what do we need to do to ensure it
doesn't happen again?
We put a series of capabilities in place where we can
monitor behavior. We put a series of capabilities in place
where we look at personal behavior more, although I will tell
this is another issue that often can provoke a strong reaction
from the workforce, who says: So let me understand this;
because of the actions of one individual, you are now
monitoring me; you're now watching my behavior in a way that
you didn't necessarily do before. Do I want to work in a place
like that?
We try to sit down with the workforce and walk through:
here's what we do and here's why we do it. But there's a reason
behind it, that each one of us as we voluntarily accept access
to the information that we're given, we hold ourselves to a
higher standard. We hold ourselves to a different level of
accountability. That's part of the quid pro quo here if you're
going to be an NSA professional, if you're going to be an NSA
employee. But it is not lost on our workforce at times.
Senator Lankford. Let's talk about the cyber war we're
dealing with internationally at this point. The biggest threats
that we have, are they state actors or non-state actors at this
point internationally?
Admiral Rogers. Let me answer it this way if I could. The
greatest amount of activity is still criminal-based, but when I
look at from a national security perspective, I would argue at
the moment the nation-state represents the greater national
security challenge, if you will.
When I look at the future, there's three things--and I've
said this publicly before--that concern me the most when it
comes to cyber. Number one is something directed, destructive
activity directed against critical infrastructure. Number two
is manipulation, changes to data. At the moment, most of the
activity has been theft. What if someone gets in the system and
starts just manipulating, changing data, to the point where now
as an operator you no longer believe what you're seeing in your
system?
The third area that I think about in terms of concerns
about the future, really to go to your question, is what
happens when the non-state actor decides that the web now is a
weapon system, not just something to recruit people, not just
something to generate revenue, not just something to share
their ideology?
Senator Lankford. So the relationship between private
industry infrastructure, both state and local utilities, and
the Federal Government, where do you think we are on the
conversation level at this point?
Admiral Rogers. We're having the conversations, clearly.
DHS really is in the lead here. We're having the conversation.
It's a little uneven, some sectors more than others. But we're
all victims of the culture we're from. The culture that I'm
from as a uniformed individual is it isn't enough to talk; you
must physically get down to execution-level detail about how
you are going to make this work, how are we going to coordinate
this?
I don't want to get into a crisis and the first time I've
dealt with someone is when their network's penetrated. I'm
watching data stream out in the gigabit level, and I'm going:
so could you tell me about your basic structure? That's not the
time to have this dialogue.
Senator Lankford. Thank you.
Chairman Burr. Senator Hirono.
Senator Hirono. Thank you, Mr. Chairman.
Admiral, thank you for your service and for being here
today. You and Director Clapper testified before a House
committee that data manipulation and what you refer to as data
destruction is probably on the horizon and, while we can't do
very much about those kinds of behaviors on the part of non-
state actors, isn't it very incumbent on us to engage in
discussions and, as some of my colleagues have referred to it,
proceeding toward the goal of a cyber arms control agreement
with certain state actors who have that capability?
Admiral Rogers. I don't know if an arms control agreement
is the right answer.
Senator Hirono. Whatever it is, that we come to some kind
of understanding so that state actors do not engage in
manipulation and destruction of data. I think that would be
just totally----
Admiral Rogers. I would agree. We have been able
historically--as a sailor, I can remember at the height of the
Cold War we knew exactly how far we could push each other out
there. We've got to get to the same level of understanding in
this domain, and we are not there right now.
Senator Hirono. Do you know whether, with the President of
China's visit, whether the cyber issues will be discussed by
the two leaders?
Admiral Rogers. I think the National Security Adviser and
the President have been very public in saying they will raise
the full spectrum of issues, to include cyber, with their
Chinese counterparts.
Senator Hirono. I have a question relating to the OPM
breach. Our understanding is that 19 or 20 of 24 major agencies
have declared that cyber security is a significant deficiency
for their agencies, and you indicated that the NSA doesn't have
immediate responsibility to help these other agencies, but that
you would respond at the request of DHS. So has DHS made such a
request to NSA that you become engaged in helping these other
dot-gov agencies to become, well, cyber-safe?
Admiral Rogers. Not in terms of the day to day per se.
There hasn't been a major penetration in the Federal Government
in the last 18 months that NSA hasn't been called in to
respond. I think the challenge--and I know DHS shares this--is
we've got to move beyond the ``Cleanup on Aisle 9'' scenario,
to how to--and it goes to my response to Senator Lankford--how
do we get ahead of this problem and start talking to
organizations about, what are the steps you need to take now to
ensure they can't get in, not, well, they're already in, let me
walk you through how to get them out.
Senator Hirono. Are you engaged in that process now with
the 19 agencies?
Admiral Rogers. Not with every agency in the Federal
Government, no.
Senator Hirono. Why not?
Admiral Rogers. Again, under the current construct DHS has
overall responsibility for the dot-gov domain. For me, I have
to be asked.
Senator Hirono. Well, that was my question.
Admiral Rogers. Not just unilaterally.
Senator Hirono. So it's on an agency by agency basis that
DHS asks you? And if they were to ask you to deal with all of
the dot-gov agencies, would you have the resources to help?
Admiral Rogers. My first comment would be, we've got to
prioritize, because I'm expended to defend all of the dot-mil,
and now if there's an expectation that same capacity is also
going to work on the dot-gov, my first comment would be we have
got to prioritize. What's the most essential things we need to
protect?
Senator Hirono. As I all things, we have to prioritize. But
I think that it would behoove DHS--well, it would help if they
would make such a request, and then you can engage in
prioritizing.
Speaking of resources, I want to thank you for your frank
assessment of what would happen if there is a government
shutdown. You also indicated in your testimony that recruiting
and retaining people is going to be an ongoing challenge for
our country to stay ahead in the cyber arena.
I did have the opportunity to visit our very large NSA
facility in Hawaii and I thank all the people there for the
work that they're doing. But can you talk a little bit about
what you're doing, how aggressively you're going after getting
the appropriate people to sign on to work for NSA?
Admiral Rogers. So, knock on wood, both our retention of
our STEM, or high technical workforce, continues to be good, as
has our ability to recruit. We have more people trying to get
in with the right skills than we, quite frankly, have space for
right now.
I am always mindful, though, of what are the advance
indicators that would suggest that's changing, that we're going
to lose more than we can bring in. I would tell you, the
workforce at NSA and U.S. Cyber Command still will talk to me
about the shutdown in 2013, as an example: hey--I get this
every time, literally, when I talk to our workforce around the
world: sir, is this going to happen again? Am I going to be
told I can't come to work, I may not be paid, or I'm going to
be put on furlough again, as we did in 2013? And the situation
that we're facing now and what the workforce is reading in the
media right now is not helpful.
Senator Hirono. I agree. Thank you.
Chairman Burr. Senator Cotton.
Senator Cotton. Thank you.
Admiral Rogers, nice to see you in an open setting for
once. I've enjoyed our many classified briefings, my visit to
your headquarters, and my visits with your many personnel all
around the world. On behalf of the three million Arkansans I
represent, I want to thank not just you, but more importantly
the thousands of men and women you represent. They are
patriots, they are professionals, and they're responsible for
saving thousands of American lives.
In 2014 North Korea state-sponsored hackers launched a
cyber attack against Sony Pictures. Sony responded by quickly
calling the FBI and asking for help. My understanding is that
Sony chose this course of action largely due to the FBI's
expertise in this area, specifically cyber forensic and
defense, their belief that a crime had been committed, and
because of the strong relationship that they had developed with
the FBI. Do you believe Sony did the right thing by calling the
FBI?
Admiral Rogers. I'm not in a position to tell you why they
did it. I'm glad they reached out, because then very quickly
the FBI reached out to NSA and we ended up partnering. Again,
never thought I would be dealing with a motion picture company
about cyber security. But I was grateful for their willingness
to be very upfront and very honest: we have received a major
penetration with a massive theft of intellectual property and
we need help from the government.
Senator Cotton. In the same way that we would encourage a
bank that's been held up or a brick and mortar company that's
been physically attacked to contact the FBI, you believe that
we should encourage these private sector actors to contact the
FBI?
Admiral Rogers. I think the FBI needs to be a part of this.
Now, whether it should be DHS, the FBI--part of the things I
believe we need to do is we have got to simplify things for the
private sector. When I talk to companies around the United
States and I'm often approached, hey, can't you do more
directly for us, and I'm going, no, I cannot under the current
construct, I'm struck by them telling me: you guys have got to
make this easier; I can't figure out if I'm supposed to go to
the FBI, DHS, do we go to you? Because, for example, I'm in the
financial sector, should I go to Treasury?
I think collectively in the government, in the Federal
Government, we've got to do a better job of simplifying this so
potentially it's one access point and then everything at
machine-to-machine speed, to ensure as well accountability and
privacy, but the data quickly is disseminated across all of us,
because there are so many organizations that to be effective
you have to bring to bear in a very orchestrated, very
structured way. It can't be like kids with a soccer ball: hey,
everybody just runs.
Senator Cotton. The NSA is in charge of information
assurance operations for the Federal Government, meaning that
the NSA is in charge of assuring our national security systems.
Am I correct that NSA from time to time will also help Federal
agencies protect their unclassified systems?
Admiral Rogers. Yes, when they request assistance.
Senator Cotton. I realize this is before your time, but to
your knowledge did the State Department ever ask the NSA about
the wisdom of setting up a private server so Secretary Clinton
could conduct official State Department business?
Admiral Rogers. I'm not aware of whether they did or they
didn't, sir.
Senator Cotton. What would be your response if the current
Secretary of State or another Cabinet member came to you and
said: Admiral Rogers, I'd like to set up a private, non-
governmental server and use that to conduct official business?
Admiral Rogers. You really want to drag me into this one,
sir?
Senator Cotton. I'd simply like your professional opinion.
Admiral Rogers. My comment would be: you need to ensure
you're complying with the applicable regulations and structures
for your Department. I'll be the first to admit I'm not smart
about what the rules and regulations are for every element
across the Federal Government.
Senator Cotton. Are the communications of the seniormost
advisers to the President of the United States, even those that
may be unclassified, a top priority for foreign intelligence
services in your opinion?
Admiral Rogers. Yes.
Senator Cotton. If an NSA employee came to you and said,
hey, boss, we have reason to believe that Russian Foreign
Minister Sergei Lavrov or Iranian Foreign Minister Javad Zarif
is conducting official business on a private server, how would
you respond?
Admiral Rogers. From a foreign intelligence perspective,
that represents opportunity.
Senator Cotton. Are you aware of any NSA officials who
emailed Secretary Clinton at her private account?
Admiral Rogers. No, I have no knowledge. I apologize.
Senator Cotton. Are you aware of any NSA officials who were
aware that Secretary Clinton had a private email account and
server?
Admiral Rogers. Now you're talking about something before
my time, Senator. I apologize; I just don't know the answer.
Senator Cotton. Could I ask you to check your records and
respond back to us in writing, please?
Admiral Rogers. Yes, sir. I'll take the question for the
record.
Senator Cotton. Thank you.
Chairman Burr. Vice Chairman.
Vice Chairman Feinstein. I don't see the relevance of that
to this Committee. However, that's just my opinion.
I do have a question. Admiral, you indicated in a private
session that you were taking a look at reorganization. I know
that isn't completed yet; it's still under way. What can you
share with the public about the reasons for it and what you
believe it might bring about?
Admiral Rogers. I've been the Director at NSA now for
approximately 18 months and I spent the first portion of those
18 months really focused on the aftermath of media leaks,
trying to make sure that we are structured as an organization
to deal with that challenge and to make sure that we were in a
position to be able to tell our oversight as well as the
citizens of the Nation; we are fully compliant with the law and
regulation and we're in a place where you should be comfortable
that we're able to execute our missions, at the same time
ensuring the protection of the data that we access, as well as
the broad privacy of U.S. citizens.
I then posed the following question to our workforce: ``If
we stay exactly the way we are, if we change nothing, in five
to ten years are we going to be able to say that we are the
world's preeminent SIGINT and information assurance
organization?''
I said, ``I'm asking you this question because my concern
is if we make no changes, I don't think we're going to be able
to say that, and I believe that part of my responsibility as a
leader is whenever I turn the organizations over I want to be
able to tell whoever relieves me: you should feel good that
we've structured this so that you're ready to do what you need
to do.''
As a result of that, I posed a series of questions to the
workforce, from how do we build the workforce of the future, to
what should our organizational structure look like, to how do
we need to optimize ourselves for cyber, because my argument
was cyber in the next 15 years will be like counterterrorism
has been for the last 15 years; it will be a foundational
mission set that drives us as an organization, and it will
require us to do things on a scale we've never done before and
to do it more broadly. And to do that, particularly in a
declining resource environment, we have got to be more
efficient to be effective, guys.
As a result of that, the other point I made to the team was
that I don't want this decided by senior leadership at Fort
Meade. We're a global enterprise composed of hard-working men
and women, and I want them to have a vote, so to speak, an
input into what should the organization of the future look
like? What do we need to structure ourselves so that in five to
ten years, given the changes that we see happening in the world
around us, we can say NSA remains the preeminent signals
intelligence and information assurance organization in the
world?
As a result of that, we spent about six months. The
organization, the workforce, has teed up a set of
recommendations to me. They probably number in excess of 200.
They cover from very minor things to very broad things.
There's three final areas that I said I want you to spend
more time on. The first was the military part of the workforce.
I tried to remind everybody, as I said in my opening statement
to you, we are an enterprise composed of civilian employees,
military men and women, active and reserve, officer and
enlisted, as well as contractors, and we have to optimize every
single part of this enterprise to get where we need to be.
The second issue I said was, I want you to think a little
more broadly about cyber, because I don't think we're being
far-reaching enough in the recommendations you've given me.
The last one was organizational structure. I said, if you
look at--if you were building NSA from the ground up today, is
this the structure you would have created? I said, our
structure reflects a series of changes and choices that have
literally been made over the last 20 years. The last major
organizational change at NSA on a wide swath was 1999, 1998,
coming up on 20 years ago now, and the world has really
changed, and our missions have evolved, and I just want to make
sure we're optimized to meet the future.
So I'll receive the final input back on those three by the
1st of October. In fact, I think I'm going to actually review a
draft this weekend, to be honest. I'm told they think they have
some initial work for me to look at this weekend.
As I had indicated previously, once we sit down and we
decide what we think we ought to do, it's my intention to come
back to the Committee in its role as oversight to say: this is
what's been recommended, this is what I intend to do, here's
why I intend to do it, this is what I think it will generate in
terms of value.
Vice Chairman Feinstein. Thank you. Thank you. I think NSA
is in good hands. Thank you very much.
Chairman Burr. Admiral Rogers, I seldom get the opportunity
to highlight North Carolina's high tech successes, especially
given the fact that my Vice Chairman represents Silicon Valley.
I keep reminding her, I have the Research Triangle Park. But
I'd like to note that, while there are 99 days left in the
NSA's LTS Net Codebreaker Challenge, that North Carolina State
University is currently ranked number one out of 182 entries.
Vice Chairman Feinstein. Is that good?
[Laughter.]
Chairman Burr. It depends on whether the Admiral thinks
it's important to please the Chairman.
[Laughter.]
It is good. But I think it highlights again something that
Dianne and I both know, that that's the fertile ground that you
go to recruit. It's where we develop the next talent that not
only works at Research Triangle Park or Silicon Valley, but it
works at the NSA, and it really is the backbone of our
intelligence organizations.
Admiral, your mission continues to change, in large measure
because of the technology explosion. It's an explosion like
we've never seen before, really. It'll only speed up; it will
not slow down. And your mission will be impacted by that
innovation.
I want to say as we conclude, the Committee is here to be a
partner. We're anxious to hear your reorganization plans
because that reorganization I think gives you the flexibility
to move to wherever the challenge forces the NSA to go.
I speak on behalf of the Vice Chairman and myself when I
ask you to please go back to the 40,000-plus NSA employees and
on behalf of the Committee thank them for the work that they
do, work that many times the American people don't understand
the value of, but sleep safely at night because of that work.
This hearing is adjourned.
[Whereupon, at 12:24 p.m., the hearing was adjourned.]
[all]