Hearings
Hearing Type:
Open
Date & Time:
Wednesday, September 21, 2022 - 2:30pm
Location:
Hart 216
Title: Protecting American Innovation: Industry, Academia, and the National Counterintelligence and Security Center
Chairman Mark Warner: Opening Statement
Vice Chairman Marco Rubio: Opening Statement
Report: Organizational Assessment: The National Counterintelligence and Security Center
Witnesses
Hon.
William R.
Evanina
Founder and CEO
Evanina Group and Former Director for the National Counterintelligence & Security Center (NCSC)
Hon.
Michelle Van
Cleave
Senior Advisor
Jack Kemp Foundation and Former National Counterintelligence Executive (NCIX)
Dr.
Kevin
Gamache
Associate Vice Chancellor and Chief Research Security Officer
Texas A&M University System
Mr.
Robert
Sheldon
Director, Public Policy & Strategy
CrowdStrike
Full Transcript
[Senate Hearing 117-599]
[From the U.S. Government Publishing Office]
S. Hrg. 117-599
OPEN HEARING:
ON PROTECTING AMERICAN INNOVATION:
INDUSTRY, ACADEMIA, AND THE
NATIONAL COUNTERINTELLIGENCE
AND SECURITY CENTER
=======================================================================
HEARING
BEFORE THE
SELECT COMMITTEE ON INTELLIGENCE
OF THE
UNITED STATES SENATE
ONE HUNDRED SEVENTEENTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 21, 2022
__________
Printed for the use of the Select Committee on Intelligence
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
50-083 WASHINGTON : 2023
-----------------------------------------------------------------------------------
SELECT COMMITTEE ON INTELLIGENCE
[Established by S. Res. 400, 94th Cong. 2d Sess.]
MARK R. WARNER, Virginia, Chairman
MARCO RUBIO, Florida, Vice Chairman
DIANNE FEINSTEIN, California RICHARD BURR, North Carolina
RON WYDEN, Oregon JAMES E. RISCH, Idaho
MARTIN HEINRICH, New Mexico SUSAN COLLINS, Maine
ANGUS KING, Maine ROY BLUNT, Missouri
MICHAEL F. BENNET, Colorado TOM COTTON, Arkansas
BOB CASEY, Pennsylvania JOHN CORNYN, Texas
KIRSTEN E. GILLIBRAND, New York BEN SASSE, Nebraska
CHUCK SCHUMER, New York, Ex Officio
MITCH McCONNELL, Kentucky, Ex Officio
JACK REED, Rhode Island, Ex Officio
JAMES INHOFE, Oklahoma, Ex Officio
----------
Michael Casey, Staff Director
Brian Walsh, Minority Staff Director
Kelsey Stroud Bailey, Chief Clerk
C O N T E N T S
----------
SEPTEMBER 21, 2022
OPENING STATEMENTS
Page
Warner, Hon. Mark R., a U.S. Senator from Virginia............... 1
Rubio, Hon. Marco, a U.S. Senator from Florida................... 4
WITNESSES
Evanina, William R., Founder and CEO, Evanina Group; Former
Director, National Counterintelligence and Security Center..... 5
Prepared Statement for the Record............................ 7
Van Cleave, Michelle, Senior Advisor, Jack Kemp Foundation;
Former National Counterintelligence Executive.................. 24
Prepared Statement for the Record............................ 26
Gamache, Kevin, Ph.D., Associate Vice Chancellor and Chief
Research Security Officer, Texas A&M University System......... 40
Prepared Statement for the Record............................ 42
Sheldon, Robert, Director, Public Policy & Strategy, Crowdstrike. 47
Prepared Statement for the Record............................ 49
SUPPLEMENTAL MATERIAL
Answers to questions for the record from Michelle Van Cleave..... 76
Answers to questions for the record from Kevin Gamache........... 90
Answers to questions for the record from Robert Sheldon.......... 97
OPEN HEARING: ON PROTECTING AMERICAN INNOVATION: INDUSTRY, ACADEMIA,
AND THE NATIONAL COUNTERINTELLIGENCE AND SECURITY CENTER
----------
WEDNESDAY, SEPTEMBER 21, 2022
U.S. Senate,
Select Committee on Intelligence,
Washington, DC.
The Committee met, pursuant to notice, at 2:44 p.m., in
Room SH-216 of the Hart Senate Office Building, Hon. Mark R.
Warner, Chairman of the Committee, presiding.
Present: Senators Warner, Rubio, Feinstein, Wyden, Bennet,
Casey, Collins, Blunt, Cotton, Cornyn, and Sasse.
OPENING STATEMENT OF HON. MARK R. WARNER, A U.S. SENATOR FROM
VIRGINIA
Chairman Warner. Good afternoon. I'm going to call this
hearing to order. And I want to welcome to our nongovernment
expert witnesses, although at least two have served with
distinction in the government.
Let me start with the Honorable Bill Evanina, former
Director of the National Counterintelligence and Security
Center. He's also the founder and CEO of the Evanina Group.
The Honorable Michelle Van Cleave, senior adviser, Jack
Kemp Foundation, and again, former National Counterintelligence
Executive at the Office of Director of National Intelligence.
Dr. Kevin Gamache, who is the Vice Chancellor and Chief
Research Officer at Texas A&M University System.
And Mr. Robert Sheldon, the Director of Public Policy and
Strategy at CrowdStrike.
Today's hearing, ``Protecting American Innovation:
Industry, Academia, and the National Counterintelligence
Security Center,'' will examine the implications of the
findings of our Committee's bipartisan report on the NCSC,
which we publicly released yesterday.
This is the first in a series of hearings on the report.
Future hearings will include current U.S. counterintelligence
officials to discuss, in more depth, concrete changes that may
be necessary for the NCSC and the government's
counterintelligence enterprise.
I think we all understand that the traditional model of
intelligence that evolved post-World War II and, in many cases,
in our country and countries like the U.K., evolved a long time
earlier, particularly post-World War II, when we, the Brits,
the Russians had a series of espionage agents oftentimes
working out of an embassy and basically trying to discover
information or secrets about a foreign adversary. That classic
spy-versus-spy model is pretty much in the historic dustbins at
this point. As I think we know, our Nation now faces a
dramatically different threat landscape than it did even a
couple of decades ago. Today's foreign intelligence threats are
not just obviously targeting the government but are
increasingly looking at the private sector to gain
technological edge over industries.
One of the remarkable statistics is that as much as $600
billion of intellectual property is stolen each year from the
United States. And that doesn't even count what's stolen from
some of our allies and partners around the world. New threats
and new technologies mean that we need to make serious and
substantive adjustments to how we address the issue of
counterintelligence if we are to protect America's national and
economic security.
For many years, Members of this Committee were constantly
hearing the alarm bell ringing when we got briefings on these
foreign intelligence threats. We felt it was important not just
to be made aware of that threat but to also do something about
it. So, I want to thank Senator Rubio, Senator Cornyn--I think
Senator Cotton appeared--and Members on my side of the aisle,
where we went out, and oftentimes with Bill Evanina, did what
we called a series of classified roadshows to focus
particularly on the challenge and nontraditional means of
espionage put forward by the PRC.
We did that with tech companies, we did it with VCs, and we
did it in academia, again, to really look at the challenge
presented by the CCP and the leadership of Xi Jinping. As I
mentioned, we did aerospace, advanced manufacturing, artificial
intelligence, biotech, data analytics--a whole host of areas
where we are now engaged in a tremendous competition. We
started to take action on that competition.
I'm proud of the fact that, in a broadly bipartisan way,
there is now a law to make sure that we can bring part of that
semiconductor industry back to the United States. My belief is
there may be other technology domains where we have to make
similar investments, because clearly, we know that the CCP is
making these investments.
I was an old telecom guy and it was more than stunning to
me when it became clear that not only had the PRC suddenly
obtained the leading international company in 5G in the form of
Huawei, but that they were also setting the rules, standards,
and protocols for that emerging technology. FBI Director Wray
has stated the bureau literally opens up a new PRC-related
counterintelligence investigation every ten hours. Thousands of
these cases are open. China has stolen more American personal
and corporate data than every other nation in the world
combined.
With this hearing, we are broadening our
counterintelligence focus to also look at the malign role
played by other large state adversaries like Russia, as well as
Iran, North Korea, and other states. However, as we discuss
what the CCP in particular is doing in the United States, I
want to make myself crystal clear that my concern lies squarely
with Xi Jinping and the Chinese Communist Party, not the people
of China and certainly not with Chinese or Asian-Americans or
any parts of the Chinese diaspora anywhere in the world. Matter
of fact, failure to make that distinction oftentimes will play
right into the CCP's propaganda agenda. And many times, it is
Chinese-Americans who are the victim of the CCP's intelligence
service activities. Similarly, we've recently seen those brave
Russians who came out at some level of force to protest against
Vladimir Putin's war. We saw the arrest of the opposition
leader, Navalny. Again, our beef is not with the Russian people
or immigrants of Russian descent but with the kleptocratic and
murderous regime of Vladimir Putin.
The Committee's report is the product of years of
independent research by nonpartisan Committee staff to assess
the mission, authorities, and resourcing of the NCSC and its
mission to coordinate the government's counterintelligence
efforts.
Among the report's findings are: one, that the United
States faces threats from a wide variety of adversaries,
including powerful state rivals such as China and Russia,
regional adversaries, minor states, and the organizations that
play out these entities' operations, oftentimes not simply
within the traditional spy services. Foreign intelligence
entities are targeting a wide set of public and private
entities, including U.S. government departments and agencies
that are not part of the Intelligence Community and not part of
our national labs or other traditional sources. But they are
going after the financial sector, our energy sector, and a lot
of folks in the industrial base and academia.
Today's adversaries have access to a much wider variety of
tools for stealing information, influencing U.S. officials, or
inflaming social and political tensions than in the past,
including nontraditional human, cyber, advanced technical, and
other source Intelligence operations to collect against U.S.
plans and policies, sensitive technology, and personally
identifiable information. How we make sure we protect that as
well as our intellectual product in this country is part of our
responsibility in this Committee. Despite the wide-ranging and
sophisticated number of counterintelligence threats facing the
U.S., the United States counterintelligence enterprise is not
postured to confront the whole-of-society threat facing the
country today, with the NCSC lacking a clear mission as well as
sufficient and well-defined authorities and resources to
effectively deal with this.
Now, I'd love to say that report came up with a series of
specific recommendations. It did not. I think it posed a number
of the problems, but this hearing and others is how we get at
this issue. And we clearly have folks who played from inside
the government role, on the IC side, and outside experts as
well.
So the core questions for this hearing are: what role
should academia and industry play in protecting information
with national security implications? Are there legislative or
policy changes needed to codify that role? What government
resources may be needed to help academia and industry protect
their data technologies and people? And what role is the NCSC,
as the lead agency for national counterintelligence, expected
to play in informing and coordinating with all of these
entities? Given the increasingly important role of
counterintelligence--due to the threats from these foreign
governments--I think I have some real questions about this, I
know.
The report posited the question, does the U.S. government
need an independent counterintelligence agency to tackle them?
I have some doubts about that. While no consensus, as I
mentioned, has been raised, we're going to look at this problem
in a comprehensive way. And we welcome not only the panel but
others' input into this determination.
The truth is the intelligence traditions have changed
dramatically from the postwar era, from the Cold War era. We
are engaged, particularly with the PRC, but with others as
well, in a technology competition that will define who becomes
the security and economic leader of the 21st-century. It's my
hope that America maintains that leadership role. But to do
that, we've got to have an effective counterintelligence
operation.
And with that, I turn to my friend, the Vice Chairman.
OPENING STATEMENT OF HON. MARCO RUBIO, A U.S. SENATOR FROM
FLORIDA
Vice Chairman Rubio. Well, thank you, Mr. Chairman. Thank
you all for coming here today. I think you've covered most of
it. And I think our Audits & Projects team has done a good job
of identifying the problem. And part of these hearings is now
to begin to think through what are some of the things that we
can do from our end to either mandate or provide a pathway
toward solutions.
The core problem is this--and you've stated it well--the
way I would describe it, in general, is: our entire system is
set up for an era in which counterintelligence, basically
espionage, was governments trying to steal government secrets.
Getting into the Defense Department, learning about things that
have to do with nation-state proprietary information and
classified information. We're now in an era in which the
activities of intelligence agencies from around the world come
from a variety of countries with different intentions. They
range from cyber intrusions designed to both steal secrets and
also to generate revenue to disinformation and misinformation
to try to steer and influence and shape American policy and
divide us and distract us or debilitate us to, obviously,
academia, both because they're interested in research, but
frankly, in many cases, to try to influence students.
It's a long-range plan to look at someone who's 20 years
old today and say we can shape their narrative about China and
Taiwan, or China and Tibet, or China and Uyghur Muslims in
Xinjiang. Twenty years from now, these individuals will be
running companies or key agencies in government--and maybe even
elected--and that will help us. This is a multifaceted, new-era
type challenge, which our agencies simply weren't created to
address. They were created in an era where there wasn't great
power competition, where the number of nations around the world
that had the capability to even do intelligence operations
against the United States domestically, not to mention
globally, was much smaller than it is today.
So, really, the hope here today is to understand how we can
help clarify the mission, particularly of the National
Counterintelligence and Security Center, the NCSC. How we can
give it a clear mission that captures the full array of
challenges, provides them with well-defined authorities that
allow them to do that, and then understand whether or not we're
providing sufficient resources to be able to carry that out?
And those three things, having the clear mission, having
the authorities to carry out the mission, and having the
resources to carry out that mission are the path forward. But
it really begins with understanding a clear mission as to what
it entails and all the intricacies and complications that would
come with that.
All of you have been involved in different ways with this,
and we're grateful you came in today to help us begin to chart
the way forward.
Chairman Warner. And thank you, Vice Chairman Rubio. I'm
proud of the staff work that put together this report. The
tradition of this Committee is that we do things bipartisan.
This at least gives a roadmap of what some of the issues are.
Now, we're looking to sort through what the answer should be.
So, I want to start, Bill, with you, and we're going to go
left to right down the panel.
STATEMENT OF HON. WILLIAM R. EVANINA, FOUNDER & CEO, EVANINA
GROUP; FORMER DIRECTOR, NATIONAL COUNTERINTELLIGENCE AND
SECURITY CENTER
Mr. Evanina. Chairman Warner, Vice Chairman Rubio, Members
of the Committee, it's a pleasure. Humbled to be back here in
front of you in this Committee, especially with an esteemed
panel of experts here today.
I want to first thank the Committee and the Members of the
Committee for your continued leadership commitment to the
Intelligence Community, law enforcement, and the dedicated
women and men around the globe keeping us safe and free.
Our enduring democracy and unsurpassed economy, along with
the best military in the history of the world, affords us with
fundamental and unparalleled freedom and security. Protecting
those freedoms and security are in some part due to those
dedicated women and men serving in the counterintelligence
arena.
However, the job has never been more difficult than it is
today. The threat landscape has dramatically expanded in the
past decade, specifically with the counterintelligence
battlespace transitioning to the private sector, especially
with respect to the Communist Party of China. The past decade
has also provided us with a very clear mosaic of the
modernization of the nation-state threat actors conducting
persistent, strategic, and sometimes destructive cyberattacks
on American government agencies, corporations, and academic
institutions. Their data, their systems, and their employees
have all been targeted. Strategically-placed insiders in cyber
penetrations are the most commonly utilized modalities of the
Communist Party of China. With 21st-century asymmetric threats
increasing exponentially, it is time to take an honest, modern,
and reimagined view of counterintelligence.
Counterintelligence is not just catching spies or insiders
from adversarial countries, but also, it is a key defense
mechanism of our Nation's key source of strength and posterity:
our economy. We must also approach counterintelligence with the
same sense of urgency, spending, and strategy we have done for
the past two decades in preventing terrorism.
I would offer to this Committee that we are in a terrorism
event--a slow, methodical, strategic, persistent, and enduring
event--which requires a degree of urgency of action. As much as
counterintelligence investigations, strategy, and policy are
inherently government functions and responsibilities, U.S.
corporations, research institutions, non-Title 50
organizations, and academia must become a larger part of the
process of protecting their own proprietary data, trade
secrets, and fundamental research. China and others are
attempting every day to take what they ideate and develop. This
is especially true when such organizations receive federal
grants and funding. Currently prescient is the passage of the
CHIPS and Science Act, as well as the Inflation Reduction Act.
Rest assured, China has already begun their strategic and
comprehensive efforts to acquire, both legally and illegally,
any and all ideation, research, and trade secrets emanating
from the existing and extensive funding provisions and
technological incentives provided by these legislative actions.
I would offer emerging renewable energy technologies and
semiconductor production will be targeted the most aggressively
by China. From a counterintelligence perspective, where does
this protection responsibility reside? This is a
counterintelligence issue. Ten years from now, this Committee
cannot be holding hearings and asking how China stole our
federally-funded and -subsidized capabilities and secrets and
progress, and then selling them back to us as customers.
I would like to close by acknowledging that defending our
Nation, especially in the counterintelligence arena, has become
complicated and encompassing. However, I would be remiss if I
did not mention the United States possesses the finest
offensive capabilities and counterintelligence personnel the
world has ever seen. As this Committee is fully aware, their
dedication, their successes are impactful. They're enduring,
and they properly remain silent. Our Nation is grateful.
Thank you for the opportunity to be here today, and I look
forward to your questions.
[The prepared statement of Hon. Evanina follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
STATEMENT OF HON. MICHELLE VAN CLEAVE, SENIOR ADVISOR, JACK
KEMP FOUNDATION; FORMER NATIONAL COUNTERINTELLIGENCE EXECUTIVE
Ms. Van Cleave. Mr. Chairman, Vice Chairman Rubio, Members
of the Committee, let me begin by echoing the praise that my
colleague, Bill, has just iterated for our counterintelligence
professionals. It was my honor to have served as the Director
of Senate Security from 2020 to 2021. So, I feel warmly at home
appearing before you here today.
I was also deeply honored when President George W. Bush
appointed me the first statutory head of U.S.
counterintelligence. That position, as you know, was created by
the Counterintelligence Enhancement Act of 2002, which was, as
it happens, voted out of Committee 20 years ago next week--
voted out of the Senate, rather--20 years ago next week under
the careful leadership of this Committee.
I believe that your leadership is sorely needed again. Mr.
Chairman, to that end, I have prepared a written statement
which I hope may be of help to you, and I ask that it be
included in the record.
Chairman Warner. So ordered.
Ms. Van Cleave. Foreign powers use their intelligence
capabilities to advance their goals and to prejudice ours. In
today's volatile geopolitical environment, their operations are
intensifying against us, not waning. Russia's war on Ukraine
has changed everything, setting the stage for what President
Biden has called a battle between democracy and autocracy.
Having lived through the events of January 6 with all of
you, I am acutely aware of the lines of fragility in our
democracy, which foreign powers have and will continue to seek
to exploit. The bottom line I would offer is this. The core
counterintelligence mission to identify, assess, and defeat
foreign intelligence operations has never been more crucial to
U.S. national security. Protective security plans and programs,
to be sure, are profoundly important. And I have little doubt
that we are all agreed on that point. But they will never be
enough. In my view, the United States cannot afford to cede the
initiative to those who are working against us. The stakes are
too high.
Indeed, the old wisdom is still true: the best defense is a
good offense. But unfortunately, our counterintelligence
enterprise has never been configured to be able to preempt.
Preemption requires strategic national planning and coordinated
operations against foreign intelligence threats. By contrast,
our CI agencies have very distinct and separate missions, and
they operate within their own lanes. And each is very good at
what they do, but as experience has shown, that is not enough.
These are the very deficiencies that the CI Enhancement Act of
2002 intended to correct.
However, while the law back then created a national CI
mission to integrate CI activities, it did not create the means
by which that could be carried out. So, the first National
Counterintelligence Strategy, which was issued by President
Bush, called for creating a strategic CI capability to
proactively disrupt foreign intelligence threats, starting with
working the target abroad. Where are they situated? How do they
recruit? Who are their personnel? What are their liaison
services? How are they tasked? What are their vulnerabilities?
How can those vulnerabilities be exploited? There was a pilot
program to do that on a select high-priority target that was
started under my watch with congressional support. But it was
quietly terminated after I left.
Subsequent national counterintelligence strategies have
omitted this key goal altogether, and the national office has
moved on to do other things. So, we've been stuck in neutral
for 20 years. To date, neither strategic counterintelligence
nor a strategic CI program is defined in law or anywhere else.
The very concept of a national counterintelligence mission,
different from what the operating arms are already doing, was
and remains new and untested.
Without the discipline of a national program, our CI
management will continue to measure performance against the
individual agency metrics for which they are accountable, as
they must. But is that enough to counter the foreign
intelligence threats directed against the United States? I fear
that scorecard may be very much in doubt, which I hope the
Committee will choose to explore in greater detail as part of
your much-needed oversight of U.S. counterintelligence and this
series of hearings.
As for the national mission and office, I think this
Committee had it right 20 years ago. The challenge still
remains how to pull together a strategic counterintelligence
program: one team, one plan, and one goal. Your leadership and
some carefully crafted clarifying amendments to that 20-year-
old law could make all the difference.
I look forward to your questions.
[The prepared statement of Hon. Van Cleave follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
STATEMENT OF KEVIN GAMACHE, PhD, ASSOCIATE VICE CHANCELLOR AND
CHIEF RESEARCH SECURITY OFFICER, TEXAS A&M UNIVERSITY SYSTEM
Dr. Gamache. Chairman Warner, Vice Chairman Rubio, Senator
Cornyn, and members of the committee. Thanks for allowing me
the opportunity to testify before you today. I'm the Chief
Research Security Officer for the Texas A&M University System
and come today to discuss the unique challenges universities
face in protecting cutting-edge U.S. research. With four
decades protecting our national security, first as an Air Force
nuclear operations and maintenance officer, for 14 years in my
current position, and as a faculty member at Texas A&M, I'm
glad to have the opportunity to bring these perspectives to
this critical issue.
One of the primary roles universities play is the free and
open generation and dissemination of knowledge. The
collaborative nature of the U.S. research enterprise is a prime
source of discovery and innovation. International collaboration
is crucial to scientific advancement and the success of U.S.
research institutions. American universities are a magnet for
students and researchers worldwide to join forces to advance
science and solve our most pressing problems. Unfortunately,
we're not playing on a level field. Our technological
leadership is under siege from countries like Russia, China,
Iran, and others whose rules for research integrity differ from
ours.
I'd like to highlight a few organizational and process
changes we've implemented to address this significant threat.
A&M Chancellor John Sharp established the Research Security
Office at the system level in 2016 to provide program
management and oversight of sensitive research across the 19
A&M System members.
We require mandatory disclosure of all foreign
collaborations and approval of foreign travel.
We conduct continuous network monitoring using techniques
explicitly focused on identifying malign foreign actors.
We updated our conflict of interest and commitment policies
and established processes for reviewing and approving
collaborations and agreements.
We established a secure computing enclave that is available
system-wide to protect system federally-funded research.
Understanding our collaborators and their funders is the
most critical aspect of our research security program. It is
equally important to know if a foreign government nexus exists
and the risk it poses to the institution.
We must also understand whether these risks can be
mitigated or must be eliminated. We use a robust, open-source,
risk-based due diligence process to review visiting scholars
and postdoctoral researchers to answer these questions. You may
have heard it said: we can't arrest our way out of this
problem. We agree and have developed strong relationships with
the FBI, DCSA, and other IC members to address issues promptly.
Federal-level opportunities to significantly impact the
problem also exist. A national research security center of
excellence in academia--working with the FBI, DCSA, and other
agencies to coordinate the flow of counterintelligence
information between academia, law enforcement, and the
Intelligence Community--would enhance efficiency and
effectiveness.
Secondly, our adversaries would be less effective if U.S.
faculty and students were resourced more fully through enhanced
federal research funding. Top international scholars in our
universities enhance innovation and knowledge but also prevent
risks. Partnering with federal agencies to mitigate existing
and emerging threats, educate our researchers, and provide
clear avenues to address security concerns are crucial. Doing
so will allow the U.S. academy to continue producing game-
changing research and a skilled workforce and ensure U.S.
technological and economic superiority.
Thank you for the opportunity to testify. I look forward to
your questions.
Chairman Warner. Thank you.
Mr. Sheldon.
[The prepared statement of Dr. Gamache follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
STATEMENT OF ROBERT SHELDON, DIRECTOR, PUBLIC POLICY &
STRATEGY, CROWDSTRIKE
Mr. Sheldon. Chairman Warner, Vice Chairman Rubio, Members
of the Committee, thank you for the opportunity to testify
today.
Innovation is an essential theme of the American story.
While the private sector is not the sole source of innovation
in the country, it plays the leading role in making new
innovations accessible to everyone. The private sector is
incredibly diverse. When explaining CrowdStrike perspectives to
the policy community, I mentioned that we protect 15 of the top
20 U.S. banks and a significant and growing portion of the U.S.
``dot gov'' domain. But given the nature of the hearing today,
I also want to emphasize that we protect small organizations,
from family-owned farms to cutting-edge startups. Cyberthreats
have devastating consequences for families, communities, and
the economy. In the aggregate, these consequences extend to
national security.
I'm honored to share some insights from our work across
government and industry and identify some areas where we, as a
nation, can strengthen cybersecurity outcomes.
Today, the private sector faces a punishing array of cyber
threats. CrowdStrike research published this month identified
campaigns targeting 37 distinct industries and a 50 percent
increase in interactive intrusions over the past year.
Regarding nation-states, China, Russia, Iran, and North Korea
present the most potent threats. States utilize cyber means for
espionage, theft, extortion, coercion, disruption, destruction,
and subversion. I've provided more detail on these threats in
my written testimony, but here I want to cite intellectual
property theft and supply chain attacks as key concerns for
national resilience.
Different segments of the private sector have different
needs, constraints, and capacities to defend against
cyberattacks. Organizations with cybersecurity mandates have
proliferated in recent years, but victims still struggle to
know who to contact for what types of issues. Sometimes lost is
a fundamental reality of the cybersecurity landscape. When a
private company is the victim of a cyberattack and it cannot
remediate the issue independently, it must turn to a private
sector incident response provider. There is no U.S. government
agency that has the authorities and capabilities to provide
end-to-end cybersecurity services from hunting to remediation
at scale.
As you consider options to clarify and strengthen NCSC
roles and missions, please consider two points.
First, in some cases, significant IC information can be
shared without impacting sources and methods. Government
disclosures this year regarding Russian plans and intentions
for Ukraine, including warnings about specific disinformation
themes and advisories about specific cyberthreats, were very
well received by industry.
Second, NCSC should endeavor to operate at scale. This
probably means a preference for leveraging existing government
structures, like the Joint Cyber Defense Collaborative and
commercial service providers with significant reach. During my
time at CrowdStrike, some of the most impactful changes I've
seen have involved the advent of groundbreaking managed threat-
hunting services and broader managed security services.
These provide a reliable, consistently high degree of
protection 24/7/365, and it's worth exploring opportunities to
make such services more widely available. It's further worth
considering additional programs or efforts to make available
concrete cybersecurity services.
As a community, we should undertake a more serious
conversation about expanding national incident response
capacity. A program that retains scope providers in advance for
use during significant cyber incidents could expand the
cybersecurity workforce and strengthen national resilience.
Thank you again for the opportunity to testify today, and I
look forward to your questions.
[The prepared statement of Mr. Sheldon follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Warner. I want to thank the panel for their
presentations.
There will be a second vote at some point. We're going to
work through that vote. And unlike our normal process where we
do seniority at the gavel in our public hearings, we do
straight seniority. So, we'll do five-minute rounds.
My first question is for the panel. And it's a two-part
question. One of the things that this Committee took on after
literally years of having almost weekly and sometimes biweekly
briefs around the threats posed by the CCP was it seemed like
we were existing in two parallel worlds. We were hearing all
these threats and concerns, and yet, the economic message that
was going around was the more we partner with China, the
better. The more we bring China into the global world order,
the more that we're going to have similar systems. Starting
back in 2017, we, on a bipartisan basis, started going out--and
I know you were involved in a number of these, and I want to
thank all my colleagues who participated--and did a series of
classified briefings for industry sector after industry sector.
And the disconnect between what we were hearing in the
intelligence briefings and what they were being told by Wall
Street, or in terms of academic exchanges or academic freedom,
was night and day.
And some of those were challenging sessions. Dr. Gamache,
I'm glad to hear your comments about what you started doing
2019, but the number of universities that had no idea about,
somehow, professors getting all-expense-paid trips to lecture
in China and not thinking about even preconditions, like maybe
you ought to not bring your laptop along, were pretty chilling.
We've done close to 20 of these. We did a number of them
before COVID. Post-COVID, we've seen a great tick-up, and I
want to thank academia for improving. And I think we have
started to reach some ideas around consensus. Again, a lot of
us on this Committee led the effort to try to put in place a
cyber-incident reporting requirement.
But the question I have, and I'm going to break it into
three categories:
Non-intel U.S. government and state government and local
government entities; Academia; and private enterprises.
Assuming you got a continuum that at least in terms of
government, where there maybe ought to be higher standards, are
there standards? Legal, moral? What are the roles of informing
those three entities about the threat? And should we just rely
on best practices in terms of academic protections? Should we
put in jeopardy federal funding? We have started on cyber
incident reporting. I think there's a greater recognition.
Obviously, well-regulated industries have standards, but cross-
cutting standards we still lack.
I think I'll go down the list the same way we started. If
you want to comment briefly on all three of those categories
and whether there should be simply moral challenges, legal, or
standard.
And I know Senator Cornyn, Senator Casey have got some
legislation about investing, but let's take those three areas,
legal, moral, and standard, as a setting in each of those three
subsets.
Bill.
Mr. Evanina. Thank you, Senator. A really difficult
question. And I think that gets to the crux of where we are
on--in today's battle in this gray area of--even from open
research to private sector to our adversaries. I think we look
at your question, I think Texas A&M should be commended for
what they have done and what Dr. Gamache has done in the last
few years in setting a standard with others in the academic
community from a compliance perspective.
And I would proffer that they do more than 95 percent of
the other academic institutions and research institutions do.
And I think setting at least a minimum standard would be great
from what the--using Texas A&M as a model. But I also proffered
to you on the state, local, and federal government, and the
non-Title 50s don't do anywhere near what Texas A&M does,
specifically with their federal funding and subsidies that they
give to research institutions.
So, I think there is a baseline to start with. And I would
make it analogous to the idea of the Internet of Things. If we
don't start with the baseline fundamental security apparatus,
we're never going to get to a utopia state of having the right
structural organization authorities. But understanding the
problem is phase number one. And I thank or commend this
Committee, yourself and Senator Rubio and Senator Burr and
others for those road shows because they were influential to
the people who drive our national economy, for making them
understand the complexities on the global engagement and
economic well-being in dealing with China.
The same time, their role and responsibility in protecting
our Nation in what they do.
Chairman Warner. Michelle.
Ms. Van Cleave. Mr. Chairman, what you have described is no
small challenge to business and industry to academia. I would
offer that while the scale and magnitude of what we're facing
today is staggering, it's not entirely new in the way the
United States had to deal with threats to our business and
industry.
And I recall being then in the Bush 41 White House, working
in the Science Office for the President when the wall came down
and everything changed. Globalization meant that there was more
commerce and interaction and movement of people. And our
immediate concern was, so we're going to find that the U.S. R&D
and S&T base is now going to be raided all the more by foreign
actors who are exfiltrating IT and technology, and everything's
to their own benefit.
So, back then, I remember on my first interaction, working
with the FBI, they were setting up, at the time, something
called the National Security Threat List where they were trying
to understand what things might be targeted by business and
industry. Well, fast forward. And I think that we have a
continuing need for providing awareness that the
counterintelligence world gains the insights into what these
foreign intelligence services are doing and how they're doing
it against us, and foreign intelligence services and beyond
using other instruments beyond their intelligence community to
acquire and target our IT and our proprietary information.
And those relationships that the FBI has established,
they're working very hard. They've created a national CI Task
Force, and task forces within all of the 56 field offices, to
build upon the relationships that they have with business and
industry to try and do outreach with them. And I do think we
need to be doing as much of that as possible.
But I would offer that, first, we have to have the
insights. And first, we have to understand what the foreign
intelligence services in other countries are doing against us.
In order to have those insights, we're turning to our
counterintelligence world--hard-core CI going out and learning
how these services are operating against us so that we can
better protect ourselves and stop them.
Chairman Warner. Thank you. Dr. Gamache.
Dr. Gamache. I'd like to say that from what I see in
academia, things have greatly changed over the last five years.
The level of awareness, I think, is definitely heightened over
what it was five years ago. But that's not good enough. You
know, we've come a long way. The awareness level is greatly
enhanced, but we've got a long way to go. I think NSPM-33 is a
great start, but it's probably not enough in terms of providing
direction and creating avenues for awareness that don't exist
right now.
Helping academia understand how to address the threat once
they become aware of it and having a structure to partner with,
federal agencies--you know, right now, it's a pickup game. I
think increasing the level of awareness in academia, providing
guidance on how to address the threat, and then creating a
structure to partner with federal agencies in a consistent
manner is important.
Chairman Warner. Thank you. Mr. Sheldon.
Mr. Sheldon. Thank you, Mr. Chairman.
Awareness of the threat is important. There are of course
of people in town who frequently will remind people that there
is a cyberthreat. It is very significant. People should do
basic things like increase hygiene on their networks, do things
that are best practices like use multifactor authentication.
And that will only ever get us so far. I think that there's a
couple of ways that we can incentivize organizations to move
more quickly to provide defense for themselves. Those include
some of the more regulatory options that we're exploring right
now as a community. I think that this Committee was
instrumental in starting off the conversation around incident
reporting, and we'll see how that shapes out at CISA. But,
certainly, there's a lot of good progress made toward that.
That looks like it will be able to empower CISA to be able to
make more assessments about how they can improve mitigations
for particularly industries that are targeted within the same
sector.
The other part of the conversation from our point of view
is being able to start having more detailed plans for making
resources more broadly available to the most vulnerable
organizations, because for folks that are Fortune 500
companies, for example, very frequently, they have robust
security programs. And they're doing what can be done to stop
the threat that they're facing. But there's a lot of small- and
medium-sized businesses that are being left behind for lack of
resources. And the problem isn't exactly lack of awareness.
Thank you.
Chairman Warner. Thank you. I'm sure we're going to come
back and revisit. And second vote has started.
Senator Rubio.
Vice Chairman Rubio. And I'm going to shorten my question.
So, I guess the first, Mr. Evanina, going back to your time
in service, if you were to go back and sort of reanalyze some
of the authorities and/or mission that you wish had been
clearly delineated, what would those have been, given the new
threat landscape that we've described here already?
Mr. Evanina. Senator Rubio, looking back at the six-plus
years I spent there, a lot of the success the NCSC had was
predicated upon a few things:
Partnership with the other intelligence agencies and some
of the non-Title 50 agencies in the spirit of trust;
Lack of duplicity, ensuring that we did not do the same
type of analysis and operational work as any other agency and
we were not operational.
But thirdly, I think the demand signal that we got from the
private sector and others about what is the threat and how it's
manifesting.
I think we look at the other agencies in that space, their
job is operational OCONUS and CONUS. And NCSC took that ball
and ran with the policy and strategy part of it. I think the
hardship that you're talking about now would be, and to
Michelle's point, the lack of clarity in the legislation, in
the enhancement act, about legitimate authorities and roles.
I think that would be one thing. Starting all over again, a
reunification of that act and what those roles,
responsibilities are, it's beyond being the strategy policy
organization.
Vice Chairman Rubio. I think one of the hardest things to
do today is to go to someone in public life or a public figure
and say, these individuals that you think are your friend,
they're your friends, these individuals that are business
people, these individuals you know that are former politicians
or claim to be journalists--are actually being sent here.
They may not even know it to sort of influence the things
you're writing, saying, or repeating. The disinformation piece
is really complicated because sometimes people think they're
getting verifiable information. They think they have a scoop,
or they just want to say something relevant. That's just not
the way we think of foreign intelligence operating, especially
if they're using multiple cutouts to get to that stage. And
that's what we're going to be struggling with for some time.
Mr. Sheldon, on the challenge that I know with cyber in
general, we often think about it as ransomware and things of
that nature. But one of the hardest things to do is to convince
small and midsize companies that they are targets--that these
people even know they exist. And so, some North Korean cyber
actor, a Russian cyber actor that wants to hold you ransom,
that's certainly a threat. And that's one thing. But there are
some that are systemically important because somewhere along
the supply chain or somewhere along the influence chain or
somewhere along any of these chains, even though there are
small- or midsized-companies, they're important, or they could
create regional havoc.
What do you think are the things we can be doing in the way
we stand up this function to better convince small and midsized
businesses and entities that they could become a target?
They're not anonymous. Just because they're not Boeing or
whatever doesn't mean they're not systemically important at the
right time for the right reason.
Mr. Sheldon. Thank you, Vice Chairman.
This is, indeed, one of the biggest problems from my point
of view. There are still some organizations that need to be
persuaded that they are a target. But we've seen so much
progress over the past few years as collectively as an
industry. Academia, folks in government, including Mr. Evanina
and his colleagues, have gone out and done road shows, talked
with folks in industry to try and flag this problem for them.
The other piece of the problem is maybe someone's persuaded
that they will be a target, and it's just a matter of
resourcing the right types of tech tools, technologies,
processes, and getting the right talent of people to be able to
face the threat. From that standpoint, there's been some really
significant progress over the past number of years about
managed services that, I think, are really helping to solve
this problem for people that are exploring that pathway.
If you're a small company, a dozen people or 20 people or
even less than 100 people, it's very difficult to have that 24/
7/365 security team that can handle an intrusion. So, a lot of
people are saying, ``Let's partner with an outside provider who
can provide some of those things.'' And that helps--
particularly small organizations.
So, those are some capabilities that we think are driving
improvement in the area.
Chairman Warner. Senator Feinstein.
Senator Feinstein. Now, just very quickly, how do you see
that the foreign intelligence landscape threat has changed
since Congress last substantially updated U.S. laws in 2002?
And what gaps have these changes exposed in the way that the IC
views the CI mission? Whoever would like to take it?
Ms. Van Cleave. Senator, I'd be happy to leap into that
one.
In 2002, when the act was first passed, you'll recall that
the country was in the middle of a horrible war. And this new
office was stood up for the purpose of trying to deal with
foreign intelligence threats at a time when most of the
national security leadership of the country was seized, and
rightly so, with the problem of countering terrorist
organizations.
Subsequent to that time, we've seen some changes in the
national security focus. But what, in fact, happened back then
is that counterintelligence resources that had previously been
available to deal with these foreign intelligence services were
slewed over to work the counterterrorism problem. And that is
in the face of having a big drawdown what we thought was the
end of the Cold War of those resources--then again moved. So,
if you were to look today at what----
Senator Feinstein. How do you see that changing?
Ms. Van Cleave. So, what I see is that we've had a change
here in CI and the devotion of our resources to the mission.
But, at the same time, the foreign intelligence threat has
continued to be very aggressive, very persistent, and very
fruitful from their perspective. And certainly, most recently,
the expansion into malign influence operations is something
that is really, I think, of very serious concern to our country
and to society and to our government and everyone.
Senator Feinstein. And just do you see this as progress or
not or the opposite?
Ms. Van Cleave. Progress by the bad guys or by us?
Senator Feinstein. Yes.
Ms. Van Cleave. So, I think the bad guys, in fact, are
making progress because we're stretched so very thin to try to
deal with the threats that they present to us. And I think that
our open society as a--you know, we're a bit of a candy store
for them. And they're here in force. And I do think that they
will continue to use those intelligence capabilities in order
to advance their interests.
I'm speaking specifically now about Russia, and whatever it
means for its future, and, certainly, China, and there are,
obviously, others. But it's a very serious concern, and we need
to take it seriously and respond appropriately.
Senator Feinstein. Well, let me ask this question. Should
the statutory definition of CI be updated?
Ms. Van Cleave. I think the statutory definition of CI is
sufficiently understood and broad to be where we need it to be.
Where I would love to see some new legislative language is on
the very question of what is strategic counterintelligence
and----
Senator Feinstein. Anybody else on that question?
Mr. Evanina. Senator, to answer both your questions, I
think the fundamental basis for this Committee's hearing today,
I think when we look at the Counterintelligence Enhancement Act
of 2002, a couple of things were there. It was predicated
solely upon spies, you know, the Hanssen and Ames reaction, the
Russians penetrating our government entities. And I think that
was the premise for the act and the counterintelligence
mission. That has completely changed now.
The landscape is completely asymmetric. We are less
concerned about those government-to-government spies. And the
battle space is now in the private sector, and it is mostly
China. So, we have changed, not only the actors but the way
they act here in the Nation.
Secondarily, 2002, we were just in the early stages of the
Internet. So, with the advent of the Internet and the ability
to scale cyber capabilities at-will of our adversaries puts, I
think, the counterintelligence threat in a new lexicon that has
to include cyber.
Senator Feinstein. Anybody else on that question quickly?
[No response.]
No?
Thanks, Mr. Chairman.
Chairman Warner. Senator Collins.
Senator Collins. Thank you. Dr. Gamache, in your testimony,
you talked about efforts that Texas A&M has taken to try to
secure its academic research. In your written testimony, you
listed conflict of commitment, financial conflict of interest,
external employment, and international travel policies as
having important research security implications.
And I certainly agree with you. Unfortunately, not every
academic institution is as advanced as Texas A&M in having
well-thought-out policies and reporting requirements governing
those potential vulnerabilities.
Do you think that the federal government, as a condition
for federal funding for research, should require an institution
to adopt policies similar to those that Texas A&M has?
Dr. Gamache. As I stated in my opening remarks, I think
NSPM-33 is a start in that direction. I think academia is
moving in that direction on its own from what I see. But I
think there should be some guidance on what is important to
protect and how we do that from a federal level.
Senator Collins. My experience is that academia tends to
move very slowly. And we've seen that with the Confucius
Institutes, for example, and how long it took colleges and
universities to break their connections. Mr. Sheldon, do you
have any comments in this area as well?
Mr. Sheldon. Thank you, Senator. In my spare time, I'm a
professor at a university here and in DC, American University.
And I know that this is just based on that experience. I know
this is something that universities take very seriously. I
mentioned previously that, with respect to the cyberthreat, it
may not be enough to just enumerate best practices if those
best practices at this point are widely known.
I think I would defer to Dr. Gamache about whether all
universities that are in receipt of federal funds have a clear
understanding of those best practices, or whether there's some
scope for a committee or another effort of some kind to outline
what those would be before making more fulsome requirements of
potential recipients.
Senator Collins. Let me be clear that I think many colleges
and universities do understand the threat, are concerned, and
are starting to adopt policies that are similar to Texas A&M.
But--and the Chairman has done yeoman's work with our Ranking
Member, our Vice Chair, in trying to educate academia about the
threat and the private sector about the threat.
But my experience is that it's been sort of this push and
pull, this tugging to try to get the seriousness of the threat
recognized and precautions put in place. Mr. Chairman, I do
need to go vote, and I know you do also. So, I'm going to
forego a second question and just ask if either of our other
two witnesses has any advice to the Committee in this area.
Ms. Van Cleave, why don't you go first?
Ms. Van Cleave. I don't really have anything more to add to
what was just been said.
Thank you.
Senator Collins. Thank you.
Mr. Evanina. Senator Collins, I'd like to add in Dr.
Gamache's perspective on NSPM-33. I think it is a good start,
and I do think this Committee and Congress, from a legislative
body, should consider regulatory action to at least have a
bare-bone minimum, especially starting with federal-funded
facilities that are using U.S. taxpayer dollars to perform
research that is oftentimes targeted by adversaries.
Senator Collins. I'm thinking, for example, of our national
labs, which are likely to have far better security than many
institutions. But thank you.
Chairman Warner. Thank you, Senator Collins. Senator Wyden.
Senator Wyden. Have you voted already, Senator Bennet?
Senator Bennet. I have.
Chairman Warner. Would you mind yielding to Senator Bennet?
Senator Wyden. Then if I could follow him, that'll be
great.
Chairman Warner. Yes. And then you'll follow.
Senator Bennet. Thank you very much, Senator Wyden. I
deeply appreciate it.
Thank you for being here today. I think it is so important,
Mr. Chairman, to have these hearings in public is so the
American people can understand what some of you have described
as the lack of symmetry that exists between the United States,
an open democracy, and our adversaries, who are surveillance
states, as the Chairman said, through no fault of the people
that live in these countries. But it would be hard to describe
two societies as different as the United States and China is
today and what it means to our counterintelligence mission and
their counterintelligence mission. To our intelligence mission
and to their intelligence mission. There's almost no degree of
symmetry.
If you want to comment on that, I'd be curious about what
you think. We have had a generation of American politicians
before us who had said, ``Just wait. You'll see what happens
when the Internet gets to China. They're going to democratize.
They're going to democratize.'' Like we were saying the same
thing about trade as well. And it turns out that almost nothing
that we said in those think tanks or from these podiums turned
out to be real. It was the opposite. China has, Beijing has,
been able to export its surveillance state as a result of
Internet technology and technology generally. And I wonder,
given that backdrop or that set of observations, whether you
could talk a little bit--I'm coming at Senator Collins's
question a slightly different way--whether you could talk about
what it would look like over the next decade if we actually
were getting our act together here--if we were treating this as
seriously as we need to treat it, if the private sector were
doing--whether they were compelled to do it or not--if they
were doing the right thing that our universities, our
government agencies--.
What would that universe look like?
Mr. Sheldon, maybe I'll start with you, if you don't mind.
If there are others that would like to comment, that would be
great, too.
Mr. Sheldon. Thank you, Senator. I think that serious
mobilization to the scope of the threat that you've described
entails, for the part of the private sector, full and
comprehensive understanding of what's at stake. And I think
that from a response standpoint, that means having really
robust internal security programs so that there's someone at
every company, whether it's small or large, really meaningfully
looking at risk. It could be risk of insiders. It should
definitely be risk of cyberthreats. And then broader threats
like what sort of partnerships are companies engaged in, where
are they locating manufacturing facilities, where are they, who
are they partnering with, and so on. And it involves
integrating continual guidance from government organizations
that are using their sources and means to be able to inform how
that threat will change over time.
The threats do change, because from time to time,
organizations in the government will actually flag, ``This is a
new research priority for us, or this is a new development
priority for us.'' And then later on, that will materialize as
new intelligence tasking orders for state intelligence
services.
So, it's important to have inputs from government
organizations that are looking at that. It's important to have
inputs from private sector and research organizations that are
looking at it from their own vantage. Cybersecurity companies,
for example, are on the front lines in terms of understanding
different campaigns targeting specific sensitive technologies.
We do our best to work with organizations like JCDC at CISA
to be able to share information about that. And there's a lot
more work that we all can do as a community to make sure that,
when we identify threats, we can share those. And then,
companies are positioned because of having a robust internal
security program to be able to action those.
Thank you.
Senator Bennet. I've got a minute left. If somebody wants
to take it, or I'll give it back. Yes.
Mr. Evanina. Senator Bennet, I think you bring up an
interesting dilemma culturally for our Nation. I think when you
look at--three things I could describe with your question.
Culturally, we don't have an adversarial view of the Communist
Party of China, which--just like we have in Russia and Iran. We
have a history. You know, Cold War and the Ayatollah and the
hostage-taking in 1979. We have that view. We don't have that
from the Communist Party of China.
Secondarily, we grew up in this great country where we have
a clear bifurcation between the government, the private sector,
and the criminal element. That's not the case in the Communist
Party of China. They're all together. Same thing with Iran and
Russia. So, from a paradigm perspective, we don't learn that in
school. And when we find out about that, it's too late. We're
usually a victim of a U.S. company or institution. So,
culturally, we have a lot to do, understanding those countries
and how they operate different from us as a democracy.
Senator Bennet. Thank you, Mr. Chairman. And I thank the
senator from Oregon for your courtesy.
Chairman Warner. We'll go to the senator from Oregon.
Vice Chairman Rubio [presiding].
Senator Wyden. Great. Thank you, Mr. Chairman.
Good to see all of you. And I'm going to start with the
export of Americans' private data to our adversaries, because
my view is this poses a serious counterintelligence risk. This
data alone or in combination with data stolen through major
cybersecurity breaches threatens national security and,
certainly, the privacy of millions of Americans. Now, there is,
currently before the Senate, bipartisan legislation to ensure
that Americans' most private data cannot be sold off in bulk to
countries that would use it against us.
So, my first question, and I'd really like a yes or no
answer, Mr. Evanina and Ms. Van Cleave, should our adversaries
be able to legally purchase bulk data about Americans, their
web browsing activities, their location data, and other
sensitive data?
Mr. Evanina.
Mr. Evanina. No.
Senator Wyden. Ms. Van Cleave.
Ms. Van Cleave. No.
Senator Wyden. Very good. Now, my second question deals
with cyberthreats. The Chinese government or cyber actors based
in China have hacked into Equifax and Marriott, Anthem, and
OPM. My view is part of our response could be using the Federal
Trade Commission, which is in a position to hold companies
accountable for weak cybersecurity and also send a very strong
signal to other companies that baseline security, along the
lines of what, as the agency is saying, needs to be adopted.
But as far as I can tell, the government doesn't really look to
the Federal Trade Commission and the authorities that it has to
beef up cybersecurity.
Mr. Evanina, when you headed the NCSC, did you and your
staff regularly talk to the Federal Trade Commission, warn them
about specific industries and firms that were vulnerable to,
for example, hacking?
Mr. Evanina. Yes, Senator Wyden, we did, as well as other
regulatory agencies in this space.
Senator Wyden. Good. Ms. Van Cleave, same question.
Ms. Van Cleave. Senator, when I was in that job, we didn't
have a security portfolio. We were responsible only for--quote/
unquote, only--for counterintelligence, which meant that, no,
we didn't have interaction with organizations like the FTC.
Senator Wyden. Do you wish you had that authority?
Ms. Van Cleave. Well, I don't know. I think that the
responsibilities for security and for enhancing our security
across legal and other measures are broader than one
organization alone. And I have to say, contrary to people who
look at a job and want to build the empire larger, I thought I
had my hands full as it was, taking on the CI mission, and I'd
look to others to handle the security responsibilities.
Senator Wyden. No, I get your point. It's just that if you
have a sister agency that can hold companies accountable, which
is one of the charges of the FTC, I'd like to see us use it.
One last question, if I might, for you, Mr. Sheldon. You've
expressed concern about requirements to provide nonpublic
encryption information to governments and about the
governmental imposition of ``excessive lawful access
requirements.'' And you characterized this, I gather, as ``a
form of mandated vulnerability by coercion.'' And you focused,
of course, on the People's Republic of China.
Now, is it correct to say that requirements by any
government, including our own, to impose vulnerabilities in
encryption are a threat in our ability to defend ourselves from
sophisticated adversaries who are looking to exploit those
vulnerabilities?
Mr. Sheldon. Thank you, Senator Wyden. The statement in my
written testimony that you're referring to was directed at
foreign adversaries. I've spent less time looking at this issue
on the U.S. side.
Senator Wyden. Okay. Again, I would say the requirements by
any government to impose vulnerabilities in encryption, I
think, make our country less strong. You know, there has been
all this debate about encryption and: is it for security or is
it for liberty? You know, the fact is we are safer with strong
encryption. And it is, I think, a tool that has to be an
imperative for America's security in the future.
Thank you, all, for being with us.
Mr. Evanina, I'm just going to close with one last point,
because I asked the staff about it. We were looking for your
responses to the questions for the record that we sent after a
previous appearance. If there's any way that you can do it,
this is not to give you a hard time or anything, I'd like to
see those answers because I respect your opinion.
Vice Chairman Rubio. Thank you. Senator Blunt.
Senator Blunt. Thank you, Senator Rubio.
Let's talk a little about campus security and research
security on campuses largely, I think. Dr. Gamache, you have
the professional designation on security, and you're
representative of an academic institution here. What are the
best and worst practices you've seen from the federal
government trying to be helpful, or, on the best practices
side, I guess it would be being helpful? Give me some of the
things you've seen that you thought were the least effective
and most effective.
Dr. Gamache. In terms of awareness, I think some of the
things that are least effective happen when government agencies
try to do a search-and-replace with industry for academia. You
know, I think a lot of the things that we see from the
government in academia don't reflect a real understanding of
the academic culture.
We have the greatest higher education system in the world
for a number of reasons. We've got an open and collaborative
environment. We have a willingness to collaborate
internationally. We have a desire to push science and the
creation of knowledge as--as far as we can.
We have cutting-edge technology. That is all very, very
important to our standing as the best in the world. And I don't
think what we see coming from the federal government all the
time reflects an understanding of what makes us strong. I would
hate to see a mandate break the system, for lack of a better
word, trying to fix it.
Senator Blunt. What about the best thing you've seen, the
most helpful thing?
Dr. Gamache. You know, what I have seen over the last five
years is kind of a mind shift from a number of agencies who
have really tried and worked hard to understand what the
academic community is all about. And, I'll single the FBI out,
in particular. I think they have worked very hard with us to
understand academia.
Recently, the Department of Commerce has reached out to do
the same thing. Academia created a group back in 2017 called
the Academic Security and Counter Exploitation Program. We have
about 200 universities involved in that right now. We have 10
major universities on our executive committee, and we've got
six government agencies that are involved in that as well.
So, I think that collaborative effort between academia and
the federal government down at the grassroots level is really
paying dividends in terms of awareness.
Senator Blunt. So, both of those sort of reflect the same
thing. And it's understanding culture----
Dr. Gamache. Right.
Senator Blunt [continuing]. Before you decide how you're
really going to effectively deal with the institution.
Dr. Gamache. Yes, sir.
Senator Blunt. Mr. Evanina and Mr. Sheldon, what are your
thoughts about how we get people there in the nongovernment
sector who are targets to recognize the fact that they are
targets? What are some of the things you'd suggest we do a
better job of helping targets know they could be targets or
maybe that they already are targets and haven't determined that
yet?
Mr. Sheldon.
Mr. Sheldon. Thank you, Senator.
I think that a lot of people who are being heavily targeted
right now know that they're being heavily targeted, and they're
investing in security programs to try and stop it. I think
there's still work to be done to make sure that everyone who's
being targeted has a clear sense of that.
And I think that to the extent that, we, either in industry
or folks in government, can provide real, actionable advisories
about when adversaries shift that targeting or where a new
priority emerges that is attention-getting. And I think that
there are examples of times where we in industry have published
white papers or blog posts that said some specific type of
technology--might be additive manufacturing, might be satellite
communications, might be any number of other specific things--
being targeted by a specific campaign or threat actors maybe
from China, maybe from Russia. That tends to get attention and
drive action.
But it has to be very specific. There is a little bit of
alert fatigue at this juncture here where we stand in 2022,
where people have been told that they need to be concerned
about cyber for a long period of time. So, if we don't get
really targeted messages to people that apply to them, they may
find themselves ignoring it. But if you name a specific
technology that a small company is working on, researching, and
they just invested a lot of effort and a lot of resources in
bringing that to market, and you're able to point to that, that
tends to catalyze action.
So, government and industry can both make progress there.
Senator Blunt. Thank you.
Mr. Evanina, do you anything to add to that?
Mr. Evanina. Just to amplify: outreach at scale. I think a
true public-private partnership between the government and a
private sector consortium to advise and inform companies, large
and small, to the small-time manufacturer in Kansas to
Microsoft and Google, what those threats are. That's scalable
as well. Where do you find that direct information that's not
only real-time but actionable for small companies and medium-
sized companies? And as we've seen in the last few years, every
company is vulnerable and every company will be penetrated.
Senator Blunt. But Mr. Sheldon's concept that if you know
there's something out there that our adversaries are really
interested in, to let people who are working in that area know
that. Is that something we're doing effectively?
Mr. Evanina. Yes, Senator Blunt. I think, as I wrote also
in my statement for the record, the government, the ``big
government,'' must be more effective and efficient at notifying
industry of those threats when we see them in a classified
manner. The more effective way to declassify in real time, to
be able to provide that industry of a specific company--similar
to what we do in terrorism--needs to transition here, and the
nation-state threat actors as well.
Senator Blunt. Thank you. Thank you, Chairman.
Vice Chairman Rubio. Senator Casey.
Senator Casey. Thanks very much. I want to thank the panel
for your testimony your presence here today.
Mr. Evanina, I have to point out your roots in northeastern
Pennsylvania, Peckville, Pennsylvania. We share the same home
county, Lackawanna County. So, I want to note that for the
record. And thanks for your service and the work of everyone on
the panel.
I wanted to start with legislation that I worked on with
Senator Cornyn. The two of us have been leading this
legislation in the Senate for a good while now. Senator Rubio
and others have worked with us on this. And it's a piece of
legislation called the National Critical Capabilities Defense
Act. What we're trying to achieve with this legislation is to
have an outbound review of investments so that we can focus on
either services or assets that are vital to the United States
national security, whether it's agriculture security, health
security, homeland security, energy, infrastructure, natural
resources. It goes on and on.
We haven't been successful at getting it enacted into law
yet, but we're getting close, or at least a version of it. And
I guess one question I have in light of the discussion is
whether or not--and I'll start with you, Former Director--could
NCSC, or the IC more broadly, help to educate the private
sector with regard to the risks of outbound investment,
especially when it comes to China or other foreign adversaries?
Do you think there's a role for either the IC more broadly
or NCSC, and especially in the early stages of technology
development?
Mr. Evanina. Senator Casey, thanks for the question. And
pleasure to share our home county.
The answer is yes. And I do believe there's success
currently--the way it's done in the Intelligence Community on
CFIUS, and the way that the Intelligence Community partners
with Treasury and Commerce and others to identify potential
investments in the United States. And I do think this
legislation reverses that to say the same type of vulnerability
and threats to national security occur outbound, especially
investment in Asia, China and other entities that have
vulnerabilities.
So, I do think there's a role for the government to play in
that space, specifically whether it's NCSC or the ODNI. But for
sure, the Intelligence Community, with real-time threat
indications or warning, can certainly advise you and inform an
investor of the perils of investing overseas.
Senator Casey. Anyone else on the panel on this question in
terms of a perspective on it?
[No response.]
Let me move to my second question--I think it would be my
only other question--which is, in terms of all the challenges
you've outlined in your testimony to society more broadly,
whether it's the academic community, academia itself, or the
private sector--I want to put the ball back in the court of
Congress now and ask you what other incentives or resources do
you think Congress can provide to help these non-IC entities to
better protect their--whether it's intellectual property or
research or technology or otherwise?
Maybe, Mr. Sheldon, we can start with you and go right to
left.
Mr. Sheldon. Great. Thank you, Senator.
I want to flag a couple of things I think we're doing well.
So, I mentioned this previously, but I think we're doing a good
job, as a community, really raising awareness. So, that's
helpful. And I think there's been some new structures that have
come up in government now to help with collaboration and
coordination, in particular, on cyberthreats. So, I think that
we're making progress there.
Further, I could say, I think there's also some new
requirements either from the SEC or on incident reporting
through CISA that are going to really force companies to be
more forthcoming if there's been issues that might be important
for national security and disclose information about those.
That should help organizations like the SEC and CISA provide
good information and advisories to the community. I think it's
now likely time to start the conversation about what extra
resources can we bring to bear to actually provide
cybersecurity capabilities to companies that need it and can't
get it for whatever reason.
Normally, it's because of resource constraints. So, I've
mentioned a couple of things in my written testimony that, I
think, are worth like [inaudible] are worth exploring. One of
those is trying to look at tax mechanisms to try and understand
if there's a way that we can get small businesses, in
particular, technologies like managed security services so that
they can actually meet the threats that they face.
And another one would be just having a program that could
create more incident response capacity. So, if there is an
issue of some kind that we, as a Nation, have enough resources
standing by to be able to meet those threats?
Thank you.
Dr. Gamache. I would like to echo the theme of resources.
You know, we have a staff within the A&M System of 19 that are
looking solely at the research security effort and the cyber
piece that goes with that. It's all being taken out of hide
because we believe it's important. But as we get more and more
requirements like NIST-800-171 and what's coming down now
within NSPM-33. We're a well-resourced university system.
Smaller colleges have the same requirement to protect that
information but can't make the same business case that we can.
And I think that needs to be taken into consideration.
Ms. Van Cleave. Senator, I think that there are a lot of
new creative solutions with respect to security where there is
a lot of work being done in the private sector and in
government that that needs to continue. For example, within the
Defense Department, there is a program called Deliver
Uncompromised, which looks to all of the providers, the
contractors, for the DOD to come look at security as an
objective to be achieved rather than a cost to be minimized.
And so, when you start having practices like that, I think
you're going to improve things overall. But I would note that
one can continue down the road of security--as we must, to
improve it--as we must, to come up with better ideas--as we
must. And yet, there will always be a determined adversary
looking for ways to break through.
So, if you ask what is it that Congress can help do,
Congress can help refocus on the core counterintelligence
mission that says the role of the U.S. government--in addition
to advising business, industry, and academia and all the things
it needs to do to protect itself against--the role of
government uniquely, that we can't ask Texas A&M to do and we
can't ask CrowdStrike to do, is to go after the bad guys.
And we are failing in that mission right now, in my
opinion, sir.
Senator Casey. Thank you.
Chairman Warner [presiding]. Let me pick up on this. I got
a couple more questions, notion of responsibilities. I
appreciate Dr. Gamache, and we are saying that correctly,
right? I want to make sure that we're right. We have not all
completely butchered your name for two hours here.
Dr. Gamache. Yes, you are.
Chairman Warner. Thank you.
You know, on this cascading issue from large systems like
Texas A&M to a smaller liberal arts college, you know, we see
it in the cyberspace as well, from incident reporting or--one
of the areas that this Committee again wrestled with. And we
all said, you know, you got to have at least de minimis cyber
standards within all the centers on the Internet of Things. And
trying to get people to adopt that has been, I think, a real
challenge.
You know, one of the areas--you know, Senator Wyden is
always keeping us on our toes on kind of privacy issues--but
one of the things that I don't think we do a very good job of
at all, and it's almost like--not that the IC is reluctant to
look and the FBI is reluctant to look--is just looking back at
the supply chain. If you look even from our defense contractors
where not first tier or second tier but third tier in smaller
suppliers where some of that originates. I think, again, COVID
exposed so many vulnerabilities from Russia and China. There
are some private sector companies out there doing that now, but
do we need to rethink authorities on this issue to allow the
IC--. In a sense, how do we grapple with it? Looking at a
question like supply chain, having the IC look at an otherwise
well-functioning company, no sense of them being targeted,
although we know almost all these companies are, and go back in
terms of their sourcing of their materials. That would make a
lot of folks in the IC right now very uncomfortable.
Do you think that's something that we ought to have a
requirement? And where would you put that?
Ms. Van Cleave. Mr. Chairman, if I might offer a
perspective on that. When I was serving in the
counterintelligence office, we were assigned the responsibility
of providing intelligence support to CFIUS, as CFIUS was making
the decisions about what constituted a national security
concern. And I will tell you that the problem is, when you go
to the Intelligence Community and you say, ``Please show me
what you got on Company X, Y, or Z,'' those files are not going
to be very comprehensive. And that's because we haven't really
looked at these targets for intelligence assessment purposes in
order to be able to understand those operations. And so, there
is a tug and pull on how you want to array your intelligence
resources and what the priorities are. And perhaps there's an
opportunity to prioritize these things a little more than we
have----
Chairman Warner. Although there's the challenge that
because we don't generally want the IC looking at domestic,
obviously, domestic persons but also some domestic content, the
ability to kind of go--CFIUS or otherwise--up the food chain, I
think some of the large enterprises, even in the defense area,
don't know where their third-tier suppliers are originating.
I think some of these private sector companies are exposing
that, or the ability, particularly of the CCP--I think we
became alerted to CCP direct investments in America. And I
still remember one of our roadshows in Texas, actually, Dr.
Gamache, where some small AI company said, ``Well, I wondered
why the Chinese VC was paying three times more than anyone
else.'' And we didn't have that information. And the CCP has
gotten smarter where they now may invest, not through a
Chinese-based entity, but through some European subsidiary and
entity, and our ability of trace, again, up the food chain is
really challenging.
Bill, did you want to comment on that?
Mr. Evanina. Senator, I do think that if we are going to
get to a place where we could have an effective supply chain
risk mitigation program, or even get to zero trust, we have to
have a carve-out somewhere where the parts of the Intelligence
Community can play in the space and be comfortable advising and
informing U.S. industries that there is a threat, or there is a
vulnerability in a coding aspect, or somewhere along the IT
supply chain or in the procurement supply chain. That's very
easy to do, just a matter, to your point of the uncomfortable
nature of the IC getting involved in that is natural and it's
prudent. I just truly think that if we're going to move in a
place where we can have a protection of our supply chain, the
IC is going to have to play because they have left-of-boom
activity and intelligence collection they could share with
those entities.
Chairman Warner. I think, again, there's both that ability
to look at--from a national security standpoint. Some of that,
up the domestic supply chain in terms of origination, I think,
is important. I also think it's something we've stressed a
couple of times here. I think we did. And with your help, do a
good job of those classified roadshows.
In many ways, they needed to be classified, though, because
at just the non-classified level, if you can't share the
experiences, the enterprise or industry sector may not--they
might say ``What do you mean?'' We can't give them some
details. But I wonder, at times, if we had not initiated that,
if we'd left it to the--I think the FBI stepped up their
ability to make those presentations.
But again, I think because we took the bull by the horns or
whatever the analogy is, but I'm not sure that's a systemic way
to address this on informing our folks. So, that leads me to
the question, which I would have some trepidation on, but one
of the things around this whole CI mission, and I'm not sure
where I'm going to start on this one, but do we try to look at
the British model where they actually have a domestic
counterintelligence entity?
Now, clearly, the U.K. has a whole set, a different set
of--. We have a whole set of protections, First Amendment and
otherwise, that I think make our system better. But, you know,
they have Scotland Yard, and yet they have MI5.
Maybe I'll go the reverse route again this time.
Is it time to look seriously at the idea of an independent
counterintelligence entity in the United States?
Mr. Sheldon. Thank you, Mr. Chairman.
I think, from my perspective, there are other folks on the
panel that are better suited to address the organizational
question.
I just want to add quickly that for some aspects of
industry, especially industry where you have international
clients and business, maybe places in Europe and elsewhere,
it's more straightforward to liaise for the purposes of
something like JCDC with an organization that is removed
somewhat from the Intelligence Community, because that makes
everyone's customers more comfortable. So, that's an important
equity to protect if there's going to be a reorganization. It's
just to ensure that there are ways to collaborate between
industry and government through more civil authorities.
Thank you.
Chairman Warner. And I think, again, it's still a work in
process, but CISA--. You know, I think I was wrong that having
CISA have enforcement proceedings against people who fail to
incident report is the wrong approach because CISA ought to be
that friendly entity that is not in the regulatory sense,
but--.
Dr. Gamache.
Dr. Gamache. I would defer on the organizational portion of
that, Senator, but I believe that there has to be a way to plug
academia into whatever solution you come up with.
Chairman Warner. Michelle.
Ms. Van Cleave. Mr. Chairman, I do have some strong views
on this, actually. In my view, one of the strengths of U.S.
counterintelligence is the diversity of talents and skills and
approaches and training represented in the very different
agencies and the responsibilities that they have had across our
government. There's value in having a national
counterintelligence service, as most other foreign governments
do have a centralized service.
But I think that we have untapped potential in the fact
that we've got such a tremendous variety of people and skills.
The missing element is the ability for select high-priority
targets in a strategic way to meld those things together, those
activities together, so that they can operate as one team with
one plan and one goal when required.
That's the missing element, in my opinion.
Chairman Warner. Bill.
Mr. Evanina. Senator Warner, I'm going to wrap a few things
together and get back to Dr. Gamache.
First of all, I do think our higher education should be
looked at as part of the national security and defense program.
I do think that it's worthy of putting it in a bucket with
other entities we spend money to protect, number one.
Number two is, if you just juxtapose when we talked about
the changing landscape of counterintelligence over the last two
decades, I would proffer to this Committee, if you look at our
counterintelligence strategy now, protecting critical
infrastructure, ensuring a supply chain, economic security,
malign foreign influence, who has the authority legislatively
to handle all those parts of the defense process?
They're Whack-A-Mole through different organizations. And I
do think that if we are going to modernize the concept and
lexicon of counterintelligence, we have to look at what's being
affected here in the U.S. And it comes to cybersecurity. At the
end of every single breach that Mr. Sheldon talked about,
there's a human being somewhere and a keyboard, either in China
or Russia or Iran. So that cannot be forgotten.
I think when we look at how we structure this, we have to
look at--the 2002 Counterintelligence Enhancement Act did not
take all these things into play. It was more spy versus spy.
So, I'm not sure an MI5, MI6 model is required. I do think we
have existing structures that are probably predicated in a
1980s mindset, but I do think we have to find the way to fill
in the gray space to protect where the battlespace is now in
the private sector.
Chairman Warner. You know, one of things we want to try to
do is solicit input, but I start with a, for a variety of
reasons, prejudice against a new entity. And I am very
conscious--, you know, we think about some of the prominent
American companies when we got into AI, and sometimes, they
were reluctant to work with the community. I think many of the
Members of this Committee believe that this is such a
technology competition now, beyond the traditional mill-to-mill
and identifying that technology where we're going to go deep. I
think we have done a little bit on the 5G piece and the chips
piece.
The Committee, in a bipartisan a way, has agreed to look at
synthetic and bioprocessing series areas there and things
around advanced energy to think about those because they would
not have been in the category of a traditional national
security, counterespionage, intel agenda ten years ago, maybe
not even five years ago, but I think clearly are now.
Ms. Van Cleave. Mr. Chairman, if I might just?
Chairman Warner. Yes, please.
Ms. Van Cleave. To interject, and before this comes to a
close, and thanking you again for your leadership and for your
decision to hold this hearing and the subsequent hearings that
you are planning on counterintelligence. There is one point
that I believe I would be remiss if I didn't speak to the
record on this point.
And that is that I want to assure you and the Committee
that, sadly, traditional espionage is still ongoing. It is
still directed against us. It is still very much a threat to
our national security, to the secrets that are most important
to our national security, to the people and treasure who work
with our Intelligence Community, to our troops in the field.
These kinds of penetrations into the U.S. government that are
traditional espionage is very much ongoing. It is very much the
focus of our adversary, and I would urge, as the Committee
moves forward, to keep your eye on that as well.
Chairman Warner. Oh, we are very aware, and this kind of
open setting is not the place to go into that. But even in
terms of some of our near-peer competitors, just the number of
people they have in-country under some level of traditional
diplomatic status, whether their embassy or through the UN, is
a huge issue.
It is not an either-or proposition. I know there are a
number of other Members--with the vote schedule, sometimes, it
is a hodgepodge--but I very much appreciate everybody's
presentation, and obviously, we've got some more work to do.
Committee is adjourned. Thank you all.
[Whereupon the hearing was adjourned at 4:21 p.m.]
Supplemental Material
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[all]