Hearing Type: 
Date & Time: 
Wednesday, September 21, 2022 - 2:30pm
Hart 216

Title:  Protecting American Innovation: Industry, Academia, and the National Counterintelligence and Security Center

Chairman Mark Warner:  Opening Statement

Vice Chairman Marco Rubio:  Opening Statement

Report:  Organizational Assessment:  The National Counterintelligence and Security Center


William R.
Founder and CEO
Evanina Group and Former Director for the National Counterintelligence & Security Center (NCSC)
Michelle Van
Senior Advisor
Jack Kemp Foundation and Former National Counterintelligence Executive (NCIX)
Associate Vice Chancellor and Chief Research Security Officer
Texas A&M University System
Director, Public Policy & Strategy

Full Transcript

[Senate Hearing 117-599]
[From the U.S. Government Publishing Office]

                                                        S. Hrg. 117-599

                             OPEN HEARING:
                      INDUSTRY, ACADEMIA, AND THE
                          AND SECURITY CENTER



                               BEFORE THE


                                 OF THE

                          UNITED STATES SENATE


                             SECOND SESSION


                           SEPTEMBER 21, 2022


      Printed for the use of the Select Committee on Intelligence

        Available via the World Wide Web: http://www.govinfo.gov

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
50-083                      WASHINGTON : 2023                    

           [Established by S. Res. 400, 94th Cong. 2d Sess.]

                   MARK R. WARNER, Virginia, Chairman
                  MARCO RUBIO, Florida, Vice Chairman

DIANNE FEINSTEIN, California         RICHARD BURR, North Carolina
RON WYDEN, Oregon                    JAMES E. RISCH, Idaho
ANGUS KING, Maine                    ROY BLUNT, Missouri
MICHAEL F. BENNET, Colorado          TOM COTTON, Arkansas
BOB CASEY, Pennsylvania              JOHN CORNYN, Texas

                  CHUCK SCHUMER, New York, Ex Officio
                 MITCH McCONNELL, Kentucky, Ex Officio
                  JACK REED, Rhode Island, Ex Officio
                   JAMES INHOFE, Oklahoma, Ex Officio

                     Michael Casey, Staff Director
                  Brian Walsh, Minority Staff Director
                   Kelsey Stroud Bailey, Chief Clerk
                           C O N T E N T S


                           SEPTEMBER 21, 2022
                           OPENING STATEMENTS

Warner, Hon. Mark R., a U.S. Senator from Virginia...............     1
Rubio, Hon. Marco, a U.S. Senator from Florida...................     4


Evanina, William R., Founder and CEO, Evanina Group; Former 
  Director, National Counterintelligence and Security Center.....     5
    Prepared Statement for the Record............................     7
Van Cleave, Michelle, Senior Advisor, Jack Kemp Foundation; 
  Former National Counterintelligence Executive..................    24
    Prepared Statement for the Record............................    26
Gamache, Kevin, Ph.D., Associate Vice Chancellor and Chief 
  Research Security Officer, Texas A&M University System.........    40
    Prepared Statement for the Record............................    42
Sheldon, Robert, Director, Public Policy & Strategy, Crowdstrike.    47
    Prepared Statement for the Record............................    49

                         SUPPLEMENTAL MATERIAL

Answers to questions for the record from Michelle Van Cleave.....    76
Answers to questions for the record from Kevin Gamache...........    90
Answers to questions for the record from Robert Sheldon..........    97



                     WEDNESDAY, SEPTEMBER 21, 2022

                                       U.S. Senate,
                          Select Committee on Intelligence,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:44 p.m., in 
Room SH-216 of the Hart Senate Office Building, Hon. Mark R. 
Warner, Chairman of the Committee, presiding.
    Present: Senators Warner, Rubio, Feinstein, Wyden, Bennet, 
Casey, Collins, Blunt, Cotton, Cornyn, and Sasse.


    Chairman Warner. Good afternoon. I'm going to call this 
hearing to order. And I want to welcome to our nongovernment 
expert witnesses, although at least two have served with 
distinction in the government.
    Let me start with the Honorable Bill Evanina, former 
Director of the National Counterintelligence and Security 
Center. He's also the founder and CEO of the Evanina Group.
    The Honorable Michelle Van Cleave, senior adviser, Jack 
Kemp Foundation, and again, former National Counterintelligence 
Executive at the Office of Director of National Intelligence.
    Dr. Kevin Gamache, who is the Vice Chancellor and Chief 
Research Officer at Texas A&M University System.
    And Mr. Robert Sheldon, the Director of Public Policy and 
Strategy at CrowdStrike.
    Today's hearing, ``Protecting American Innovation: 
Industry, Academia, and the National Counterintelligence 
Security Center,'' will examine the implications of the 
findings of our Committee's bipartisan report on the NCSC, 
which we publicly released yesterday.
    This is the first in a series of hearings on the report. 
Future hearings will include current U.S. counterintelligence 
officials to discuss, in more depth, concrete changes that may 
be necessary for the NCSC and the government's 
counterintelligence enterprise.
    I think we all understand that the traditional model of 
intelligence that evolved post-World War II and, in many cases, 
in our country and countries like the U.K., evolved a long time 
earlier, particularly post-World War II, when we, the Brits, 
the Russians had a series of espionage agents oftentimes 
working out of an embassy and basically trying to discover 
information or secrets about a foreign adversary. That classic 
spy-versus-spy model is pretty much in the historic dustbins at 
this point. As I think we know, our Nation now faces a 
dramatically different threat landscape than it did even a 
couple of decades ago. Today's foreign intelligence threats are 
not just obviously targeting the government but are 
increasingly looking at the private sector to gain 
technological edge over industries.
    One of the remarkable statistics is that as much as $600 
billion of intellectual property is stolen each year from the 
United States. And that doesn't even count what's stolen from 
some of our allies and partners around the world. New threats 
and new technologies mean that we need to make serious and 
substantive adjustments to how we address the issue of 
counterintelligence if we are to protect America's national and 
economic security.
    For many years, Members of this Committee were constantly 
hearing the alarm bell ringing when we got briefings on these 
foreign intelligence threats. We felt it was important not just 
to be made aware of that threat but to also do something about 
it. So, I want to thank Senator Rubio, Senator Cornyn--I think 
Senator Cotton appeared--and Members on my side of the aisle, 
where we went out, and oftentimes with Bill Evanina, did what 
we called a series of classified roadshows to focus 
particularly on the challenge and nontraditional means of 
espionage put forward by the PRC.
    We did that with tech companies, we did it with VCs, and we 
did it in academia, again, to really look at the challenge 
presented by the CCP and the leadership of Xi Jinping. As I 
mentioned, we did aerospace, advanced manufacturing, artificial 
intelligence, biotech, data analytics--a whole host of areas 
where we are now engaged in a tremendous competition. We 
started to take action on that competition.
    I'm proud of the fact that, in a broadly bipartisan way, 
there is now a law to make sure that we can bring part of that 
semiconductor industry back to the United States. My belief is 
there may be other technology domains where we have to make 
similar investments, because clearly, we know that the CCP is 
making these investments.
    I was an old telecom guy and it was more than stunning to 
me when it became clear that not only had the PRC suddenly 
obtained the leading international company in 5G in the form of 
Huawei, but that they were also setting the rules, standards, 
and protocols for that emerging technology. FBI Director Wray 
has stated the bureau literally opens up a new PRC-related 
counterintelligence investigation every ten hours. Thousands of 
these cases are open. China has stolen more American personal 
and corporate data than every other nation in the world 
    With this hearing, we are broadening our 
counterintelligence focus to also look at the malign role 
played by other large state adversaries like Russia, as well as 
Iran, North Korea, and other states. However, as we discuss 
what the CCP in particular is doing in the United States, I 
want to make myself crystal clear that my concern lies squarely 
with Xi Jinping and the Chinese Communist Party, not the people 
of China and certainly not with Chinese or Asian-Americans or 
any parts of the Chinese diaspora anywhere in the world. Matter 
of fact, failure to make that distinction oftentimes will play 
right into the CCP's propaganda agenda. And many times, it is 
Chinese-Americans who are the victim of the CCP's intelligence 
service activities. Similarly, we've recently seen those brave 
Russians who came out at some level of force to protest against 
Vladimir Putin's war. We saw the arrest of the opposition 
leader, Navalny. Again, our beef is not with the Russian people 
or immigrants of Russian descent but with the kleptocratic and 
murderous regime of Vladimir Putin.
    The Committee's report is the product of years of 
independent research by nonpartisan Committee staff to assess 
the mission, authorities, and resourcing of the NCSC and its 
mission to coordinate the government's counterintelligence 
    Among the report's findings are: one, that the United 
States faces threats from a wide variety of adversaries, 
including powerful state rivals such as China and Russia, 
regional adversaries, minor states, and the organizations that 
play out these entities' operations, oftentimes not simply 
within the traditional spy services. Foreign intelligence 
entities are targeting a wide set of public and private 
entities, including U.S. government departments and agencies 
that are not part of the Intelligence Community and not part of 
our national labs or other traditional sources. But they are 
going after the financial sector, our energy sector, and a lot 
of folks in the industrial base and academia.
    Today's adversaries have access to a much wider variety of 
tools for stealing information, influencing U.S. officials, or 
inflaming social and political tensions than in the past, 
including nontraditional human, cyber, advanced technical, and 
other source Intelligence operations to collect against U.S. 
plans and policies, sensitive technology, and personally 
identifiable information. How we make sure we protect that as 
well as our intellectual product in this country is part of our 
responsibility in this Committee. Despite the wide-ranging and 
sophisticated number of counterintelligence threats facing the 
U.S., the United States counterintelligence enterprise is not 
postured to confront the whole-of-society threat facing the 
country today, with the NCSC lacking a clear mission as well as 
sufficient and well-defined authorities and resources to 
effectively deal with this.
    Now, I'd love to say that report came up with a series of 
specific recommendations. It did not. I think it posed a number 
of the problems, but this hearing and others is how we get at 
this issue. And we clearly have folks who played from inside 
the government role, on the IC side, and outside experts as 
    So the core questions for this hearing are: what role 
should academia and industry play in protecting information 
with national security implications? Are there legislative or 
policy changes needed to codify that role? What government 
resources may be needed to help academia and industry protect 
their data technologies and people? And what role is the NCSC, 
as the lead agency for national counterintelligence, expected 
to play in informing and coordinating with all of these 
entities? Given the increasingly important role of 
counterintelligence--due to the threats from these foreign 
governments--I think I have some real questions about this, I 
    The report posited the question, does the U.S. government 
need an independent counterintelligence agency to tackle them? 
I have some doubts about that. While no consensus, as I 
mentioned, has been raised, we're going to look at this problem 
in a comprehensive way. And we welcome not only the panel but 
others' input into this determination.
    The truth is the intelligence traditions have changed 
dramatically from the postwar era, from the Cold War era. We 
are engaged, particularly with the PRC, but with others as 
well, in a technology competition that will define who becomes 
the security and economic leader of the 21st-century. It's my 
hope that America maintains that leadership role. But to do 
that, we've got to have an effective counterintelligence 
    And with that, I turn to my friend, the Vice Chairman.


    Vice Chairman Rubio. Well, thank you, Mr. Chairman. Thank 
you all for coming here today. I think you've covered most of 
it. And I think our Audits & Projects team has done a good job 
of identifying the problem. And part of these hearings is now 
to begin to think through what are some of the things that we 
can do from our end to either mandate or provide a pathway 
toward solutions.
    The core problem is this--and you've stated it well--the 
way I would describe it, in general, is: our entire system is 
set up for an era in which counterintelligence, basically 
espionage, was governments trying to steal government secrets. 
Getting into the Defense Department, learning about things that 
have to do with nation-state proprietary information and 
classified information. We're now in an era in which the 
activities of intelligence agencies from around the world come 
from a variety of countries with different intentions. They 
range from cyber intrusions designed to both steal secrets and 
also to generate revenue to disinformation and misinformation 
to try to steer and influence and shape American policy and 
divide us and distract us or debilitate us to, obviously, 
academia, both because they're interested in research, but 
frankly, in many cases, to try to influence students.
    It's a long-range plan to look at someone who's 20 years 
old today and say we can shape their narrative about China and 
Taiwan, or China and Tibet, or China and Uyghur Muslims in 
Xinjiang. Twenty years from now, these individuals will be 
running companies or key agencies in government--and maybe even 
elected--and that will help us. This is a multifaceted, new-era 
type challenge, which our agencies simply weren't created to 
address. They were created in an era where there wasn't great 
power competition, where the number of nations around the world 
that had the capability to even do intelligence operations 
against the United States domestically, not to mention 
globally, was much smaller than it is today.
    So, really, the hope here today is to understand how we can 
help clarify the mission, particularly of the National 
Counterintelligence and Security Center, the NCSC. How we can 
give it a clear mission that captures the full array of 
challenges, provides them with well-defined authorities that 
allow them to do that, and then understand whether or not we're 
providing sufficient resources to be able to carry that out?
    And those three things, having the clear mission, having 
the authorities to carry out the mission, and having the 
resources to carry out that mission are the path forward. But 
it really begins with understanding a clear mission as to what 
it entails and all the intricacies and complications that would 
come with that.
    All of you have been involved in different ways with this, 
and we're grateful you came in today to help us begin to chart 
the way forward.
    Chairman Warner. And thank you, Vice Chairman Rubio. I'm 
proud of the staff work that put together this report. The 
tradition of this Committee is that we do things bipartisan. 
This at least gives a roadmap of what some of the issues are. 
Now, we're looking to sort through what the answer should be.
    So, I want to start, Bill, with you, and we're going to go 
left to right down the panel.

                        SECURITY CENTER

    Mr. Evanina. Chairman Warner, Vice Chairman Rubio, Members 
of the Committee, it's a pleasure. Humbled to be back here in 
front of you in this Committee, especially with an esteemed 
panel of experts here today.
    I want to first thank the Committee and the Members of the 
Committee for your continued leadership commitment to the 
Intelligence Community, law enforcement, and the dedicated 
women and men around the globe keeping us safe and free.
    Our enduring democracy and unsurpassed economy, along with 
the best military in the history of the world, affords us with 
fundamental and unparalleled freedom and security. Protecting 
those freedoms and security are in some part due to those 
dedicated women and men serving in the counterintelligence 
    However, the job has never been more difficult than it is 
today. The threat landscape has dramatically expanded in the 
past decade, specifically with the counterintelligence 
battlespace transitioning to the private sector, especially 
with respect to the Communist Party of China. The past decade 
has also provided us with a very clear mosaic of the 
modernization of the nation-state threat actors conducting 
persistent, strategic, and sometimes destructive cyberattacks 
on American government agencies, corporations, and academic 
institutions. Their data, their systems, and their employees 
have all been targeted. Strategically-placed insiders in cyber 
penetrations are the most commonly utilized modalities of the 
Communist Party of China. With 21st-century asymmetric threats 
increasing exponentially, it is time to take an honest, modern, 
and reimagined view of counterintelligence.
    Counterintelligence is not just catching spies or insiders 
from adversarial countries, but also, it is a key defense 
mechanism of our Nation's key source of strength and posterity: 
our economy. We must also approach counterintelligence with the 
same sense of urgency, spending, and strategy we have done for 
the past two decades in preventing terrorism.
    I would offer to this Committee that we are in a terrorism 
event--a slow, methodical, strategic, persistent, and enduring 
event--which requires a degree of urgency of action. As much as 
counterintelligence investigations, strategy, and policy are 
inherently government functions and responsibilities, U.S. 
corporations, research institutions, non-Title 50 
organizations, and academia must become a larger part of the 
process of protecting their own proprietary data, trade 
secrets, and fundamental research. China and others are 
attempting every day to take what they ideate and develop. This 
is especially true when such organizations receive federal 
grants and funding. Currently prescient is the passage of the 
CHIPS and Science Act, as well as the Inflation Reduction Act. 
Rest assured, China has already begun their strategic and 
comprehensive efforts to acquire, both legally and illegally, 
any and all ideation, research, and trade secrets emanating 
from the existing and extensive funding provisions and 
technological incentives provided by these legislative actions.
    I would offer emerging renewable energy technologies and 
semiconductor production will be targeted the most aggressively 
by China. From a counterintelligence perspective, where does 
this protection responsibility reside? This is a 
counterintelligence issue. Ten years from now, this Committee 
cannot be holding hearings and asking how China stole our 
federally-funded and -subsidized capabilities and secrets and 
progress, and then selling them back to us as customers.
    I would like to close by acknowledging that defending our 
Nation, especially in the counterintelligence arena, has become 
complicated and encompassing. However, I would be remiss if I 
did not mention the United States possesses the finest 
offensive capabilities and counterintelligence personnel the 
world has ever seen. As this Committee is fully aware, their 
dedication, their successes are impactful. They're enduring, 
and they properly remain silent. Our Nation is grateful.
    Thank you for the opportunity to be here today, and I look 
forward to your questions.
    [The prepared statement of Hon. Evanina follows:]

    Ms. Van Cleave. Mr. Chairman, Vice Chairman Rubio, Members 
of the Committee, let me begin by echoing the praise that my 
colleague, Bill, has just iterated for our counterintelligence 
professionals. It was my honor to have served as the Director 
of Senate Security from 2020 to 2021. So, I feel warmly at home 
appearing before you here today.
    I was also deeply honored when President George W. Bush 
appointed me the first statutory head of U.S. 
counterintelligence. That position, as you know, was created by 
the Counterintelligence Enhancement Act of 2002, which was, as 
it happens, voted out of Committee 20 years ago next week--
voted out of the Senate, rather--20 years ago next week under 
the careful leadership of this Committee.
    I believe that your leadership is sorely needed again. Mr. 
Chairman, to that end, I have prepared a written statement 
which I hope may be of help to you, and I ask that it be 
included in the record.
    Chairman Warner. So ordered.
    Ms. Van Cleave. Foreign powers use their intelligence 
capabilities to advance their goals and to prejudice ours. In 
today's volatile geopolitical environment, their operations are 
intensifying against us, not waning. Russia's war on Ukraine 
has changed everything, setting the stage for what President 
Biden has called a battle between democracy and autocracy.
    Having lived through the events of January 6 with all of 
you, I am acutely aware of the lines of fragility in our 
democracy, which foreign powers have and will continue to seek 
to exploit. The bottom line I would offer is this. The core 
counterintelligence mission to identify, assess, and defeat 
foreign intelligence operations has never been more crucial to 
U.S. national security. Protective security plans and programs, 
to be sure, are profoundly important. And I have little doubt 
that we are all agreed on that point. But they will never be 
enough. In my view, the United States cannot afford to cede the 
initiative to those who are working against us. The stakes are 
too high.
    Indeed, the old wisdom is still true: the best defense is a 
good offense. But unfortunately, our counterintelligence 
enterprise has never been configured to be able to preempt. 
Preemption requires strategic national planning and coordinated 
operations against foreign intelligence threats. By contrast, 
our CI agencies have very distinct and separate missions, and 
they operate within their own lanes. And each is very good at 
what they do, but as experience has shown, that is not enough. 
These are the very deficiencies that the CI Enhancement Act of 
2002 intended to correct.
    However, while the law back then created a national CI 
mission to integrate CI activities, it did not create the means 
by which that could be carried out. So, the first National 
Counterintelligence Strategy, which was issued by President 
Bush, called for creating a strategic CI capability to 
proactively disrupt foreign intelligence threats, starting with 
working the target abroad. Where are they situated? How do they 
recruit? Who are their personnel? What are their liaison 
services? How are they tasked? What are their vulnerabilities? 
How can those vulnerabilities be exploited? There was a pilot 
program to do that on a select high-priority target that was 
started under my watch with congressional support. But it was 
quietly terminated after I left.
    Subsequent national counterintelligence strategies have 
omitted this key goal altogether, and the national office has 
moved on to do other things. So, we've been stuck in neutral 
for 20 years. To date, neither strategic counterintelligence 
nor a strategic CI program is defined in law or anywhere else. 
The very concept of a national counterintelligence mission, 
different from what the operating arms are already doing, was 
and remains new and untested.
    Without the discipline of a national program, our CI 
management will continue to measure performance against the 
individual agency metrics for which they are accountable, as 
they must. But is that enough to counter the foreign 
intelligence threats directed against the United States? I fear 
that scorecard may be very much in doubt, which I hope the 
Committee will choose to explore in greater detail as part of 
your much-needed oversight of U.S. counterintelligence and this 
series of hearings.
    As for the national mission and office, I think this 
Committee had it right 20 years ago. The challenge still 
remains how to pull together a strategic counterintelligence 
program: one team, one plan, and one goal. Your leadership and 
some carefully crafted clarifying amendments to that 20-year-
old law could make all the difference.
    I look forward to your questions.
    [The prepared statement of Hon. Van Cleave follows:]

    Dr. Gamache. Chairman Warner, Vice Chairman Rubio, Senator 
Cornyn, and members of the committee. Thanks for allowing me 
the opportunity to testify before you today. I'm the Chief 
Research Security Officer for the Texas A&M University System 
and come today to discuss the unique challenges universities 
face in protecting cutting-edge U.S. research. With four 
decades protecting our national security, first as an Air Force 
nuclear operations and maintenance officer, for 14 years in my 
current position, and as a faculty member at Texas A&M, I'm 
glad to have the opportunity to bring these perspectives to 
this critical issue.
    One of the primary roles universities play is the free and 
open generation and dissemination of knowledge. The 
collaborative nature of the U.S. research enterprise is a prime 
source of discovery and innovation. International collaboration 
is crucial to scientific advancement and the success of U.S. 
research institutions. American universities are a magnet for 
students and researchers worldwide to join forces to advance 
science and solve our most pressing problems. Unfortunately, 
we're not playing on a level field. Our technological 
leadership is under siege from countries like Russia, China, 
Iran, and others whose rules for research integrity differ from 
    I'd like to highlight a few organizational and process 
changes we've implemented to address this significant threat. 
A&M Chancellor John Sharp established the Research Security 
Office at the system level in 2016 to provide program 
management and oversight of sensitive research across the 19 
A&M System members.
    We require mandatory disclosure of all foreign 
collaborations and approval of foreign travel.
    We conduct continuous network monitoring using techniques 
explicitly focused on identifying malign foreign actors.
    We updated our conflict of interest and commitment policies 
and established processes for reviewing and approving 
collaborations and agreements.
    We established a secure computing enclave that is available 
system-wide to protect system federally-funded research.
    Understanding our collaborators and their funders is the 
most critical aspect of our research security program. It is 
equally important to know if a foreign government nexus exists 
and the risk it poses to the institution.
    We must also understand whether these risks can be 
mitigated or must be eliminated. We use a robust, open-source, 
risk-based due diligence process to review visiting scholars 
and postdoctoral researchers to answer these questions. You may 
have heard it said: we can't arrest our way out of this 
problem. We agree and have developed strong relationships with 
the FBI, DCSA, and other IC members to address issues promptly.
    Federal-level opportunities to significantly impact the 
problem also exist. A national research security center of 
excellence in academia--working with the FBI, DCSA, and other 
agencies to coordinate the flow of counterintelligence 
information between academia, law enforcement, and the 
Intelligence Community--would enhance efficiency and 
    Secondly, our adversaries would be less effective if U.S. 
faculty and students were resourced more fully through enhanced 
federal research funding. Top international scholars in our 
universities enhance innovation and knowledge but also prevent 
risks. Partnering with federal agencies to mitigate existing 
and emerging threats, educate our researchers, and provide 
clear avenues to address security concerns are crucial. Doing 
so will allow the U.S. academy to continue producing game-
changing research and a skilled workforce and ensure U.S. 
technological and economic superiority.
    Thank you for the opportunity to testify. I look forward to 
your questions.
    Chairman Warner. Thank you.
    Mr. Sheldon.
    [The prepared statement of Dr. Gamache follows:]
                     STRATEGY, CROWDSTRIKE

    Mr. Sheldon. Chairman Warner, Vice Chairman Rubio, Members 
of the Committee, thank you for the opportunity to testify 
    Innovation is an essential theme of the American story. 
While the private sector is not the sole source of innovation 
in the country, it plays the leading role in making new 
innovations accessible to everyone. The private sector is 
incredibly diverse. When explaining CrowdStrike perspectives to 
the policy community, I mentioned that we protect 15 of the top 
20 U.S. banks and a significant and growing portion of the U.S. 
``dot gov'' domain. But given the nature of the hearing today, 
I also want to emphasize that we protect small organizations, 
from family-owned farms to cutting-edge startups. Cyberthreats 
have devastating consequences for families, communities, and 
the economy. In the aggregate, these consequences extend to 
national security.
    I'm honored to share some insights from our work across 
government and industry and identify some areas where we, as a 
nation, can strengthen cybersecurity outcomes.
    Today, the private sector faces a punishing array of cyber 
threats. CrowdStrike research published this month identified 
campaigns targeting 37 distinct industries and a 50 percent 
increase in interactive intrusions over the past year. 
Regarding nation-states, China, Russia, Iran, and North Korea 
present the most potent threats. States utilize cyber means for 
espionage, theft, extortion, coercion, disruption, destruction, 
and subversion. I've provided more detail on these threats in 
my written testimony, but here I want to cite intellectual 
property theft and supply chain attacks as key concerns for 
national resilience.
    Different segments of the private sector have different 
needs, constraints, and capacities to defend against 
cyberattacks. Organizations with cybersecurity mandates have 
proliferated in recent years, but victims still struggle to 
know who to contact for what types of issues. Sometimes lost is 
a fundamental reality of the cybersecurity landscape. When a 
private company is the victim of a cyberattack and it cannot 
remediate the issue independently, it must turn to a private 
sector incident response provider. There is no U.S. government 
agency that has the authorities and capabilities to provide 
end-to-end cybersecurity services from hunting to remediation 
at scale.
    As you consider options to clarify and strengthen NCSC 
roles and missions, please consider two points.
    First, in some cases, significant IC information can be 
shared without impacting sources and methods. Government 
disclosures this year regarding Russian plans and intentions 
for Ukraine, including warnings about specific disinformation 
themes and advisories about specific cyberthreats, were very 
well received by industry.
    Second, NCSC should endeavor to operate at scale. This 
probably means a preference for leveraging existing government 
structures, like the Joint Cyber Defense Collaborative and 
commercial service providers with significant reach. During my 
time at CrowdStrike, some of the most impactful changes I've 
seen have involved the advent of groundbreaking managed threat-
hunting services and broader managed security services.
    These provide a reliable, consistently high degree of 
protection 24/7/365, and it's worth exploring opportunities to 
make such services more widely available. It's further worth 
considering additional programs or efforts to make available 
concrete cybersecurity services.
    As a community, we should undertake a more serious 
conversation about expanding national incident response 
capacity. A program that retains scope providers in advance for 
use during significant cyber incidents could expand the 
cybersecurity workforce and strengthen national resilience.
    Thank you again for the opportunity to testify today, and I 
look forward to your questions.
    [The prepared statement of Mr. Sheldon follows:]
    Chairman Warner. I want to thank the panel for their 
    There will be a second vote at some point. We're going to 
work through that vote. And unlike our normal process where we 
do seniority at the gavel in our public hearings, we do 
straight seniority. So, we'll do five-minute rounds.
    My first question is for the panel. And it's a two-part 
question. One of the things that this Committee took on after 
literally years of having almost weekly and sometimes biweekly 
briefs around the threats posed by the CCP was it seemed like 
we were existing in two parallel worlds. We were hearing all 
these threats and concerns, and yet, the economic message that 
was going around was the more we partner with China, the 
better. The more we bring China into the global world order, 
the more that we're going to have similar systems. Starting 
back in 2017, we, on a bipartisan basis, started going out--and 
I know you were involved in a number of these, and I want to 
thank all my colleagues who participated--and did a series of 
classified briefings for industry sector after industry sector. 
And the disconnect between what we were hearing in the 
intelligence briefings and what they were being told by Wall 
Street, or in terms of academic exchanges or academic freedom, 
was night and day.
    And some of those were challenging sessions. Dr. Gamache, 
I'm glad to hear your comments about what you started doing 
2019, but the number of universities that had no idea about, 
somehow, professors getting all-expense-paid trips to lecture 
in China and not thinking about even preconditions, like maybe 
you ought to not bring your laptop along, were pretty chilling.
    We've done close to 20 of these. We did a number of them 
before COVID. Post-COVID, we've seen a great tick-up, and I 
want to thank academia for improving. And I think we have 
started to reach some ideas around consensus. Again, a lot of 
us on this Committee led the effort to try to put in place a 
cyber-incident reporting requirement.
    But the question I have, and I'm going to break it into 
three categories:
    Non-intel U.S. government and state government and local 
government entities; Academia; and private enterprises.
    Assuming you got a continuum that at least in terms of 
government, where there maybe ought to be higher standards, are 
there standards? Legal, moral? What are the roles of informing 
those three entities about the threat? And should we just rely 
on best practices in terms of academic protections? Should we 
put in jeopardy federal funding? We have started on cyber 
incident reporting. I think there's a greater recognition. 
Obviously, well-regulated industries have standards, but cross-
cutting standards we still lack.
    I think I'll go down the list the same way we started. If 
you want to comment briefly on all three of those categories 
and whether there should be simply moral challenges, legal, or 
    And I know Senator Cornyn, Senator Casey have got some 
legislation about investing, but let's take those three areas, 
legal, moral, and standard, as a setting in each of those three 
    Mr. Evanina. Thank you, Senator. A really difficult 
question. And I think that gets to the crux of where we are 
on--in today's battle in this gray area of--even from open 
research to private sector to our adversaries. I think we look 
at your question, I think Texas A&M should be commended for 
what they have done and what Dr. Gamache has done in the last 
few years in setting a standard with others in the academic 
community from a compliance perspective.
    And I would proffer that they do more than 95 percent of 
the other academic institutions and research institutions do. 
And I think setting at least a minimum standard would be great 
from what the--using Texas A&M as a model. But I also proffered 
to you on the state, local, and federal government, and the 
non-Title 50s don't do anywhere near what Texas A&M does, 
specifically with their federal funding and subsidies that they 
give to research institutions.
    So, I think there is a baseline to start with. And I would 
make it analogous to the idea of the Internet of Things. If we 
don't start with the baseline fundamental security apparatus, 
we're never going to get to a utopia state of having the right 
structural organization authorities. But understanding the 
problem is phase number one. And I thank or commend this 
Committee, yourself and Senator Rubio and Senator Burr and 
others for those road shows because they were influential to 
the people who drive our national economy, for making them 
understand the complexities on the global engagement and 
economic well-being in dealing with China.
    The same time, their role and responsibility in protecting 
our Nation in what they do.
    Chairman Warner. Michelle.
    Ms. Van Cleave. Mr. Chairman, what you have described is no 
small challenge to business and industry to academia. I would 
offer that while the scale and magnitude of what we're facing 
today is staggering, it's not entirely new in the way the 
United States had to deal with threats to our business and 
    And I recall being then in the Bush 41 White House, working 
in the Science Office for the President when the wall came down 
and everything changed. Globalization meant that there was more 
commerce and interaction and movement of people. And our 
immediate concern was, so we're going to find that the U.S. R&D 
and S&T base is now going to be raided all the more by foreign 
actors who are exfiltrating IT and technology, and everything's 
to their own benefit.
    So, back then, I remember on my first interaction, working 
with the FBI, they were setting up, at the time, something 
called the National Security Threat List where they were trying 
to understand what things might be targeted by business and 
industry. Well, fast forward. And I think that we have a 
continuing need for providing awareness that the 
counterintelligence world gains the insights into what these 
foreign intelligence services are doing and how they're doing 
it against us, and foreign intelligence services and beyond 
using other instruments beyond their intelligence community to 
acquire and target our IT and our proprietary information.
    And those relationships that the FBI has established, 
they're working very hard. They've created a national CI Task 
Force, and task forces within all of the 56 field offices, to 
build upon the relationships that they have with business and 
industry to try and do outreach with them. And I do think we 
need to be doing as much of that as possible.
    But I would offer that, first, we have to have the 
insights. And first, we have to understand what the foreign 
intelligence services in other countries are doing against us. 
In order to have those insights, we're turning to our 
counterintelligence world--hard-core CI going out and learning 
how these services are operating against us so that we can 
better protect ourselves and stop them.
    Chairman Warner. Thank you. Dr. Gamache.
    Dr. Gamache. I'd like to say that from what I see in 
academia, things have greatly changed over the last five years. 
The level of awareness, I think, is definitely heightened over 
what it was five years ago. But that's not good enough. You 
know, we've come a long way. The awareness level is greatly 
enhanced, but we've got a long way to go. I think NSPM-33 is a 
great start, but it's probably not enough in terms of providing 
direction and creating avenues for awareness that don't exist 
right now.
    Helping academia understand how to address the threat once 
they become aware of it and having a structure to partner with, 
federal agencies--you know, right now, it's a pickup game. I 
think increasing the level of awareness in academia, providing 
guidance on how to address the threat, and then creating a 
structure to partner with federal agencies in a consistent 
manner is important.
    Chairman Warner. Thank you. Mr. Sheldon.
    Mr. Sheldon. Thank you, Mr. Chairman.
    Awareness of the threat is important. There are of course 
of people in town who frequently will remind people that there 
is a cyberthreat. It is very significant. People should do 
basic things like increase hygiene on their networks, do things 
that are best practices like use multifactor authentication. 
And that will only ever get us so far. I think that there's a 
couple of ways that we can incentivize organizations to move 
more quickly to provide defense for themselves. Those include 
some of the more regulatory options that we're exploring right 
now as a community. I think that this Committee was 
instrumental in starting off the conversation around incident 
reporting, and we'll see how that shapes out at CISA. But, 
certainly, there's a lot of good progress made toward that. 
That looks like it will be able to empower CISA to be able to 
make more assessments about how they can improve mitigations 
for particularly industries that are targeted within the same 
    The other part of the conversation from our point of view 
is being able to start having more detailed plans for making 
resources more broadly available to the most vulnerable 
organizations, because for folks that are Fortune 500 
companies, for example, very frequently, they have robust 
security programs. And they're doing what can be done to stop 
the threat that they're facing. But there's a lot of small- and 
medium-sized businesses that are being left behind for lack of 
resources. And the problem isn't exactly lack of awareness.
    Thank you.
    Chairman Warner. Thank you. I'm sure we're going to come 
back and revisit. And second vote has started.
    Senator Rubio.
    Vice Chairman Rubio. And I'm going to shorten my question.
    So, I guess the first, Mr. Evanina, going back to your time 
in service, if you were to go back and sort of reanalyze some 
of the authorities and/or mission that you wish had been 
clearly delineated, what would those have been, given the new 
threat landscape that we've described here already?
    Mr. Evanina. Senator Rubio, looking back at the six-plus 
years I spent there, a lot of the success the NCSC had was 
predicated upon a few things:
    Partnership with the other intelligence agencies and some 
of the non-Title 50 agencies in the spirit of trust;
    Lack of duplicity, ensuring that we did not do the same 
type of analysis and operational work as any other agency and 
we were not operational.
    But thirdly, I think the demand signal that we got from the 
private sector and others about what is the threat and how it's 
    I think we look at the other agencies in that space, their 
job is operational OCONUS and CONUS. And NCSC took that ball 
and ran with the policy and strategy part of it. I think the 
hardship that you're talking about now would be, and to 
Michelle's point, the lack of clarity in the legislation, in 
the enhancement act, about legitimate authorities and roles.
    I think that would be one thing. Starting all over again, a 
reunification of that act and what those roles, 
responsibilities are, it's beyond being the strategy policy 
    Vice Chairman Rubio. I think one of the hardest things to 
do today is to go to someone in public life or a public figure 
and say, these individuals that you think are your friend, 
they're your friends, these individuals that are business 
people, these individuals you know that are former politicians 
or claim to be journalists--are actually being sent here.
    They may not even know it to sort of influence the things 
you're writing, saying, or repeating. The disinformation piece 
is really complicated because sometimes people think they're 
getting verifiable information. They think they have a scoop, 
or they just want to say something relevant. That's just not 
the way we think of foreign intelligence operating, especially 
if they're using multiple cutouts to get to that stage. And 
that's what we're going to be struggling with for some time.
    Mr. Sheldon, on the challenge that I know with cyber in 
general, we often think about it as ransomware and things of 
that nature. But one of the hardest things to do is to convince 
small and midsize companies that they are targets--that these 
people even know they exist. And so, some North Korean cyber 
actor, a Russian cyber actor that wants to hold you ransom, 
that's certainly a threat. And that's one thing. But there are 
some that are systemically important because somewhere along 
the supply chain or somewhere along the influence chain or 
somewhere along any of these chains, even though there are 
small- or midsized-companies, they're important, or they could 
create regional havoc.
    What do you think are the things we can be doing in the way 
we stand up this function to better convince small and midsized 
businesses and entities that they could become a target? 
They're not anonymous. Just because they're not Boeing or 
whatever doesn't mean they're not systemically important at the 
right time for the right reason.
    Mr. Sheldon. Thank you, Vice Chairman.
    This is, indeed, one of the biggest problems from my point 
of view. There are still some organizations that need to be 
persuaded that they are a target. But we've seen so much 
progress over the past few years as collectively as an 
industry. Academia, folks in government, including Mr. Evanina 
and his colleagues, have gone out and done road shows, talked 
with folks in industry to try and flag this problem for them.
    The other piece of the problem is maybe someone's persuaded 
that they will be a target, and it's just a matter of 
resourcing the right types of tech tools, technologies, 
processes, and getting the right talent of people to be able to 
face the threat. From that standpoint, there's been some really 
significant progress over the past number of years about 
managed services that, I think, are really helping to solve 
this problem for people that are exploring that pathway.
    If you're a small company, a dozen people or 20 people or 
even less than 100 people, it's very difficult to have that 24/
7/365 security team that can handle an intrusion. So, a lot of 
people are saying, ``Let's partner with an outside provider who 
can provide some of those things.'' And that helps--
particularly small organizations.
    So, those are some capabilities that we think are driving 
improvement in the area.
    Chairman Warner. Senator Feinstein.
    Senator Feinstein. Now, just very quickly, how do you see 
that the foreign intelligence landscape threat has changed 
since Congress last substantially updated U.S. laws in 2002? 
And what gaps have these changes exposed in the way that the IC 
views the CI mission? Whoever would like to take it?
    Ms. Van Cleave. Senator, I'd be happy to leap into that 
    In 2002, when the act was first passed, you'll recall that 
the country was in the middle of a horrible war. And this new 
office was stood up for the purpose of trying to deal with 
foreign intelligence threats at a time when most of the 
national security leadership of the country was seized, and 
rightly so, with the problem of countering terrorist 
    Subsequent to that time, we've seen some changes in the 
national security focus. But what, in fact, happened back then 
is that counterintelligence resources that had previously been 
available to deal with these foreign intelligence services were 
slewed over to work the counterterrorism problem. And that is 
in the face of having a big drawdown what we thought was the 
end of the Cold War of those resources--then again moved. So, 
if you were to look today at what----
    Senator Feinstein. How do you see that changing?
    Ms. Van Cleave. So, what I see is that we've had a change 
here in CI and the devotion of our resources to the mission. 
But, at the same time, the foreign intelligence threat has 
continued to be very aggressive, very persistent, and very 
fruitful from their perspective. And certainly, most recently, 
the expansion into malign influence operations is something 
that is really, I think, of very serious concern to our country 
and to society and to our government and everyone.
    Senator Feinstein. And just do you see this as progress or 
not or the opposite?
    Ms. Van Cleave. Progress by the bad guys or by us?
    Senator Feinstein. Yes.
    Ms. Van Cleave. So, I think the bad guys, in fact, are 
making progress because we're stretched so very thin to try to 
deal with the threats that they present to us. And I think that 
our open society as a--you know, we're a bit of a candy store 
for them. And they're here in force. And I do think that they 
will continue to use those intelligence capabilities in order 
to advance their interests.
    I'm speaking specifically now about Russia, and whatever it 
means for its future, and, certainly, China, and there are, 
obviously, others. But it's a very serious concern, and we need 
to take it seriously and respond appropriately.
    Senator Feinstein. Well, let me ask this question. Should 
the statutory definition of CI be updated?
    Ms. Van Cleave. I think the statutory definition of CI is 
sufficiently understood and broad to be where we need it to be. 
Where I would love to see some new legislative language is on 
the very question of what is strategic counterintelligence 
    Senator Feinstein. Anybody else on that question?
    Mr. Evanina. Senator, to answer both your questions, I 
think the fundamental basis for this Committee's hearing today, 
I think when we look at the Counterintelligence Enhancement Act 
of 2002, a couple of things were there. It was predicated 
solely upon spies, you know, the Hanssen and Ames reaction, the 
Russians penetrating our government entities. And I think that 
was the premise for the act and the counterintelligence 
mission. That has completely changed now.
    The landscape is completely asymmetric. We are less 
concerned about those government-to-government spies. And the 
battle space is now in the private sector, and it is mostly 
China. So, we have changed, not only the actors but the way 
they act here in the Nation.
    Secondarily, 2002, we were just in the early stages of the 
Internet. So, with the advent of the Internet and the ability 
to scale cyber capabilities at-will of our adversaries puts, I 
think, the counterintelligence threat in a new lexicon that has 
to include cyber.
    Senator Feinstein. Anybody else on that question quickly?
    [No response.]
    Thanks, Mr. Chairman.
    Chairman Warner. Senator Collins.
    Senator Collins. Thank you. Dr. Gamache, in your testimony, 
you talked about efforts that Texas A&M has taken to try to 
secure its academic research. In your written testimony, you 
listed conflict of commitment, financial conflict of interest, 
external employment, and international travel policies as 
having important research security implications.
    And I certainly agree with you. Unfortunately, not every 
academic institution is as advanced as Texas A&M in having 
well-thought-out policies and reporting requirements governing 
those potential vulnerabilities.
    Do you think that the federal government, as a condition 
for federal funding for research, should require an institution 
to adopt policies similar to those that Texas A&M has?
    Dr. Gamache. As I stated in my opening remarks, I think 
NSPM-33 is a start in that direction. I think academia is 
moving in that direction on its own from what I see. But I 
think there should be some guidance on what is important to 
protect and how we do that from a federal level.
    Senator Collins. My experience is that academia tends to 
move very slowly. And we've seen that with the Confucius 
Institutes, for example, and how long it took colleges and 
universities to break their connections. Mr. Sheldon, do you 
have any comments in this area as well?
    Mr. Sheldon. Thank you, Senator. In my spare time, I'm a 
professor at a university here and in DC, American University. 
And I know that this is just based on that experience. I know 
this is something that universities take very seriously. I 
mentioned previously that, with respect to the cyberthreat, it 
may not be enough to just enumerate best practices if those 
best practices at this point are widely known.
    I think I would defer to Dr. Gamache about whether all 
universities that are in receipt of federal funds have a clear 
understanding of those best practices, or whether there's some 
scope for a committee or another effort of some kind to outline 
what those would be before making more fulsome requirements of 
potential recipients.
    Senator Collins. Let me be clear that I think many colleges 
and universities do understand the threat, are concerned, and 
are starting to adopt policies that are similar to Texas A&M. 
But--and the Chairman has done yeoman's work with our Ranking 
Member, our Vice Chair, in trying to educate academia about the 
threat and the private sector about the threat.
    But my experience is that it's been sort of this push and 
pull, this tugging to try to get the seriousness of the threat 
recognized and precautions put in place. Mr. Chairman, I do 
need to go vote, and I know you do also. So, I'm going to 
forego a second question and just ask if either of our other 
two witnesses has any advice to the Committee in this area.
    Ms. Van Cleave, why don't you go first?
    Ms. Van Cleave. I don't really have anything more to add to 
what was just been said.
    Thank you.
    Senator Collins. Thank you.
    Mr. Evanina. Senator Collins, I'd like to add in Dr. 
Gamache's perspective on NSPM-33. I think it is a good start, 
and I do think this Committee and Congress, from a legislative 
body, should consider regulatory action to at least have a 
bare-bone minimum, especially starting with federal-funded 
facilities that are using U.S. taxpayer dollars to perform 
research that is oftentimes targeted by adversaries.
    Senator Collins. I'm thinking, for example, of our national 
labs, which are likely to have far better security than many 
institutions. But thank you.
    Chairman Warner. Thank you, Senator Collins. Senator Wyden.
    Senator Wyden. Have you voted already, Senator Bennet?
    Senator Bennet. I have.
    Chairman Warner. Would you mind yielding to Senator Bennet?
    Senator Wyden. Then if I could follow him, that'll be 
    Chairman Warner. Yes. And then you'll follow.
    Senator Bennet. Thank you very much, Senator Wyden. I 
deeply appreciate it.
    Thank you for being here today. I think it is so important, 
Mr. Chairman, to have these hearings in public is so the 
American people can understand what some of you have described 
as the lack of symmetry that exists between the United States, 
an open democracy, and our adversaries, who are surveillance 
states, as the Chairman said, through no fault of the people 
that live in these countries. But it would be hard to describe 
two societies as different as the United States and China is 
today and what it means to our counterintelligence mission and 
their counterintelligence mission. To our intelligence mission 
and to their intelligence mission. There's almost no degree of 
    If you want to comment on that, I'd be curious about what 
you think. We have had a generation of American politicians 
before us who had said, ``Just wait. You'll see what happens 
when the Internet gets to China. They're going to democratize. 
They're going to democratize.'' Like we were saying the same 
thing about trade as well. And it turns out that almost nothing 
that we said in those think tanks or from these podiums turned 
out to be real. It was the opposite. China has, Beijing has, 
been able to export its surveillance state as a result of 
Internet technology and technology generally. And I wonder, 
given that backdrop or that set of observations, whether you 
could talk a little bit--I'm coming at Senator Collins's 
question a slightly different way--whether you could talk about 
what it would look like over the next decade if we actually 
were getting our act together here--if we were treating this as 
seriously as we need to treat it, if the private sector were 
doing--whether they were compelled to do it or not--if they 
were doing the right thing that our universities, our 
government agencies--.
    What would that universe look like?
    Mr. Sheldon, maybe I'll start with you, if you don't mind. 
If there are others that would like to comment, that would be 
great, too.
    Mr. Sheldon. Thank you, Senator. I think that serious 
mobilization to the scope of the threat that you've described 
entails, for the part of the private sector, full and 
comprehensive understanding of what's at stake. And I think 
that from a response standpoint, that means having really 
robust internal security programs so that there's someone at 
every company, whether it's small or large, really meaningfully 
looking at risk. It could be risk of insiders. It should 
definitely be risk of cyberthreats. And then broader threats 
like what sort of partnerships are companies engaged in, where 
are they locating manufacturing facilities, where are they, who 
are they partnering with, and so on. And it involves 
integrating continual guidance from government organizations 
that are using their sources and means to be able to inform how 
that threat will change over time.
    The threats do change, because from time to time, 
organizations in the government will actually flag, ``This is a 
new research priority for us, or this is a new development 
priority for us.'' And then later on, that will materialize as 
new intelligence tasking orders for state intelligence 
    So, it's important to have inputs from government 
organizations that are looking at that. It's important to have 
inputs from private sector and research organizations that are 
looking at it from their own vantage. Cybersecurity companies, 
for example, are on the front lines in terms of understanding 
different campaigns targeting specific sensitive technologies.
    We do our best to work with organizations like JCDC at CISA 
to be able to share information about that. And there's a lot 
more work that we all can do as a community to make sure that, 
when we identify threats, we can share those. And then, 
companies are positioned because of having a robust internal 
security program to be able to action those.
    Thank you.
    Senator Bennet. I've got a minute left. If somebody wants 
to take it, or I'll give it back. Yes.
    Mr. Evanina. Senator Bennet, I think you bring up an 
interesting dilemma culturally for our Nation. I think when you 
look at--three things I could describe with your question. 
Culturally, we don't have an adversarial view of the Communist 
Party of China, which--just like we have in Russia and Iran. We 
have a history. You know, Cold War and the Ayatollah and the 
hostage-taking in 1979. We have that view. We don't have that 
from the Communist Party of China.
    Secondarily, we grew up in this great country where we have 
a clear bifurcation between the government, the private sector, 
and the criminal element. That's not the case in the Communist 
Party of China. They're all together. Same thing with Iran and 
Russia. So, from a paradigm perspective, we don't learn that in 
school. And when we find out about that, it's too late. We're 
usually a victim of a U.S. company or institution. So, 
culturally, we have a lot to do, understanding those countries 
and how they operate different from us as a democracy.
    Senator Bennet. Thank you, Mr. Chairman. And I thank the 
senator from Oregon for your courtesy.
    Chairman Warner. We'll go to the senator from Oregon.
    Vice Chairman Rubio [presiding].
    Senator Wyden. Great. Thank you, Mr. Chairman.
    Good to see all of you. And I'm going to start with the 
export of Americans' private data to our adversaries, because 
my view is this poses a serious counterintelligence risk. This 
data alone or in combination with data stolen through major 
cybersecurity breaches threatens national security and, 
certainly, the privacy of millions of Americans. Now, there is, 
currently before the Senate, bipartisan legislation to ensure 
that Americans' most private data cannot be sold off in bulk to 
countries that would use it against us.
    So, my first question, and I'd really like a yes or no 
answer, Mr. Evanina and Ms. Van Cleave, should our adversaries 
be able to legally purchase bulk data about Americans, their 
web browsing activities, their location data, and other 
sensitive data?
    Mr. Evanina.
    Mr. Evanina. No.
    Senator Wyden. Ms. Van Cleave.
    Ms. Van Cleave. No.
    Senator Wyden. Very good. Now, my second question deals 
with cyberthreats. The Chinese government or cyber actors based 
in China have hacked into Equifax and Marriott, Anthem, and 
OPM. My view is part of our response could be using the Federal 
Trade Commission, which is in a position to hold companies 
accountable for weak cybersecurity and also send a very strong 
signal to other companies that baseline security, along the 
lines of what, as the agency is saying, needs to be adopted. 
But as far as I can tell, the government doesn't really look to 
the Federal Trade Commission and the authorities that it has to 
beef up cybersecurity.
    Mr. Evanina, when you headed the NCSC, did you and your 
staff regularly talk to the Federal Trade Commission, warn them 
about specific industries and firms that were vulnerable to, 
for example, hacking?
    Mr. Evanina. Yes, Senator Wyden, we did, as well as other 
regulatory agencies in this space.
    Senator Wyden. Good. Ms. Van Cleave, same question.
    Ms. Van Cleave. Senator, when I was in that job, we didn't 
have a security portfolio. We were responsible only for--quote/
unquote, only--for counterintelligence, which meant that, no, 
we didn't have interaction with organizations like the FTC.
    Senator Wyden. Do you wish you had that authority?
    Ms. Van Cleave. Well, I don't know. I think that the 
responsibilities for security and for enhancing our security 
across legal and other measures are broader than one 
organization alone. And I have to say, contrary to people who 
look at a job and want to build the empire larger, I thought I 
had my hands full as it was, taking on the CI mission, and I'd 
look to others to handle the security responsibilities.
    Senator Wyden. No, I get your point. It's just that if you 
have a sister agency that can hold companies accountable, which 
is one of the charges of the FTC, I'd like to see us use it.
    One last question, if I might, for you, Mr. Sheldon. You've 
expressed concern about requirements to provide nonpublic 
encryption information to governments and about the 
governmental imposition of ``excessive lawful access 
requirements.'' And you characterized this, I gather, as ``a 
form of mandated vulnerability by coercion.'' And you focused, 
of course, on the People's Republic of China.
    Now, is it correct to say that requirements by any 
government, including our own, to impose vulnerabilities in 
encryption are a threat in our ability to defend ourselves from 
sophisticated adversaries who are looking to exploit those 
    Mr. Sheldon. Thank you, Senator Wyden. The statement in my 
written testimony that you're referring to was directed at 
foreign adversaries. I've spent less time looking at this issue 
on the U.S. side.
    Senator Wyden. Okay. Again, I would say the requirements by 
any government to impose vulnerabilities in encryption, I 
think, make our country less strong. You know, there has been 
all this debate about encryption and: is it for security or is 
it for liberty? You know, the fact is we are safer with strong 
encryption. And it is, I think, a tool that has to be an 
imperative for America's security in the future.
    Thank you, all, for being with us.
    Mr. Evanina, I'm just going to close with one last point, 
because I asked the staff about it. We were looking for your 
responses to the questions for the record that we sent after a 
previous appearance. If there's any way that you can do it, 
this is not to give you a hard time or anything, I'd like to 
see those answers because I respect your opinion.
    Vice Chairman Rubio. Thank you. Senator Blunt.
    Senator Blunt. Thank you, Senator Rubio.
    Let's talk a little about campus security and research 
security on campuses largely, I think. Dr. Gamache, you have 
the professional designation on security, and you're 
representative of an academic institution here. What are the 
best and worst practices you've seen from the federal 
government trying to be helpful, or, on the best practices 
side, I guess it would be being helpful? Give me some of the 
things you've seen that you thought were the least effective 
and most effective.
    Dr. Gamache. In terms of awareness, I think some of the 
things that are least effective happen when government agencies 
try to do a search-and-replace with industry for academia. You 
know, I think a lot of the things that we see from the 
government in academia don't reflect a real understanding of 
the academic culture.
    We have the greatest higher education system in the world 
for a number of reasons. We've got an open and collaborative 
environment. We have a willingness to collaborate 
internationally. We have a desire to push science and the 
creation of knowledge as--as far as we can.
    We have cutting-edge technology. That is all very, very 
important to our standing as the best in the world. And I don't 
think what we see coming from the federal government all the 
time reflects an understanding of what makes us strong. I would 
hate to see a mandate break the system, for lack of a better 
word, trying to fix it.
    Senator Blunt. What about the best thing you've seen, the 
most helpful thing?
    Dr. Gamache. You know, what I have seen over the last five 
years is kind of a mind shift from a number of agencies who 
have really tried and worked hard to understand what the 
academic community is all about. And, I'll single the FBI out, 
in particular. I think they have worked very hard with us to 
understand academia.
    Recently, the Department of Commerce has reached out to do 
the same thing. Academia created a group back in 2017 called 
the Academic Security and Counter Exploitation Program. We have 
about 200 universities involved in that right now. We have 10 
major universities on our executive committee, and we've got 
six government agencies that are involved in that as well.
    So, I think that collaborative effort between academia and 
the federal government down at the grassroots level is really 
paying dividends in terms of awareness.
    Senator Blunt. So, both of those sort of reflect the same 
thing. And it's understanding culture----
    Dr. Gamache. Right.
    Senator Blunt [continuing]. Before you decide how you're 
really going to effectively deal with the institution.
    Dr. Gamache. Yes, sir.
    Senator Blunt. Mr. Evanina and Mr. Sheldon, what are your 
thoughts about how we get people there in the nongovernment 
sector who are targets to recognize the fact that they are 
targets? What are some of the things you'd suggest we do a 
better job of helping targets know they could be targets or 
maybe that they already are targets and haven't determined that 
    Mr. Sheldon.
    Mr. Sheldon. Thank you, Senator.
    I think that a lot of people who are being heavily targeted 
right now know that they're being heavily targeted, and they're 
investing in security programs to try and stop it. I think 
there's still work to be done to make sure that everyone who's 
being targeted has a clear sense of that.
    And I think that to the extent that, we, either in industry 
or folks in government, can provide real, actionable advisories 
about when adversaries shift that targeting or where a new 
priority emerges that is attention-getting. And I think that 
there are examples of times where we in industry have published 
white papers or blog posts that said some specific type of 
technology--might be additive manufacturing, might be satellite 
communications, might be any number of other specific things--
being targeted by a specific campaign or threat actors maybe 
from China, maybe from Russia. That tends to get attention and 
drive action.
    But it has to be very specific. There is a little bit of 
alert fatigue at this juncture here where we stand in 2022, 
where people have been told that they need to be concerned 
about cyber for a long period of time. So, if we don't get 
really targeted messages to people that apply to them, they may 
find themselves ignoring it. But if you name a specific 
technology that a small company is working on, researching, and 
they just invested a lot of effort and a lot of resources in 
bringing that to market, and you're able to point to that, that 
tends to catalyze action.
    So, government and industry can both make progress there.
    Senator Blunt. Thank you.
    Mr. Evanina, do you anything to add to that?
    Mr. Evanina. Just to amplify: outreach at scale. I think a 
true public-private partnership between the government and a 
private sector consortium to advise and inform companies, large 
and small, to the small-time manufacturer in Kansas to 
Microsoft and Google, what those threats are. That's scalable 
as well. Where do you find that direct information that's not 
only real-time but actionable for small companies and medium-
sized companies? And as we've seen in the last few years, every 
company is vulnerable and every company will be penetrated.
    Senator Blunt. But Mr. Sheldon's concept that if you know 
there's something out there that our adversaries are really 
interested in, to let people who are working in that area know 
that. Is that something we're doing effectively?
    Mr. Evanina. Yes, Senator Blunt. I think, as I wrote also 
in my statement for the record, the government, the ``big 
government,'' must be more effective and efficient at notifying 
industry of those threats when we see them in a classified 
manner. The more effective way to declassify in real time, to 
be able to provide that industry of a specific company--similar 
to what we do in terrorism--needs to transition here, and the 
nation-state threat actors as well.
    Senator Blunt. Thank you. Thank you, Chairman.
    Vice Chairman Rubio. Senator Casey.
    Senator Casey. Thanks very much. I want to thank the panel 
for your testimony your presence here today.
    Mr. Evanina, I have to point out your roots in northeastern 
Pennsylvania, Peckville, Pennsylvania. We share the same home 
county, Lackawanna County. So, I want to note that for the 
record. And thanks for your service and the work of everyone on 
the panel.
    I wanted to start with legislation that I worked on with 
Senator Cornyn. The two of us have been leading this 
legislation in the Senate for a good while now. Senator Rubio 
and others have worked with us on this. And it's a piece of 
legislation called the National Critical Capabilities Defense 
Act. What we're trying to achieve with this legislation is to 
have an outbound review of investments so that we can focus on 
either services or assets that are vital to the United States 
national security, whether it's agriculture security, health 
security, homeland security, energy, infrastructure, natural 
resources. It goes on and on.
    We haven't been successful at getting it enacted into law 
yet, but we're getting close, or at least a version of it. And 
I guess one question I have in light of the discussion is 
whether or not--and I'll start with you, Former Director--could 
NCSC, or the IC more broadly, help to educate the private 
sector with regard to the risks of outbound investment, 
especially when it comes to China or other foreign adversaries?
    Do you think there's a role for either the IC more broadly 
or NCSC, and especially in the early stages of technology 
    Mr. Evanina. Senator Casey, thanks for the question. And 
pleasure to share our home county.
    The answer is yes. And I do believe there's success 
currently--the way it's done in the Intelligence Community on 
CFIUS, and the way that the Intelligence Community partners 
with Treasury and Commerce and others to identify potential 
investments in the United States. And I do think this 
legislation reverses that to say the same type of vulnerability 
and threats to national security occur outbound, especially 
investment in Asia, China and other entities that have 
    So, I do think there's a role for the government to play in 
that space, specifically whether it's NCSC or the ODNI. But for 
sure, the Intelligence Community, with real-time threat 
indications or warning, can certainly advise you and inform an 
investor of the perils of investing overseas.
    Senator Casey. Anyone else on the panel on this question in 
terms of a perspective on it?
    [No response.]
    Let me move to my second question--I think it would be my 
only other question--which is, in terms of all the challenges 
you've outlined in your testimony to society more broadly, 
whether it's the academic community, academia itself, or the 
private sector--I want to put the ball back in the court of 
Congress now and ask you what other incentives or resources do 
you think Congress can provide to help these non-IC entities to 
better protect their--whether it's intellectual property or 
research or technology or otherwise?
    Maybe, Mr. Sheldon, we can start with you and go right to 
    Mr. Sheldon. Great. Thank you, Senator.
    I want to flag a couple of things I think we're doing well. 
So, I mentioned this previously, but I think we're doing a good 
job, as a community, really raising awareness. So, that's 
helpful. And I think there's been some new structures that have 
come up in government now to help with collaboration and 
coordination, in particular, on cyberthreats. So, I think that 
we're making progress there.
    Further, I could say, I think there's also some new 
requirements either from the SEC or on incident reporting 
through CISA that are going to really force companies to be 
more forthcoming if there's been issues that might be important 
for national security and disclose information about those. 
That should help organizations like the SEC and CISA provide 
good information and advisories to the community. I think it's 
now likely time to start the conversation about what extra 
resources can we bring to bear to actually provide 
cybersecurity capabilities to companies that need it and can't 
get it for whatever reason.
    Normally, it's because of resource constraints. So, I've 
mentioned a couple of things in my written testimony that, I 
think, are worth like [inaudible] are worth exploring. One of 
those is trying to look at tax mechanisms to try and understand 
if there's a way that we can get small businesses, in 
particular, technologies like managed security services so that 
they can actually meet the threats that they face.
    And another one would be just having a program that could 
create more incident response capacity. So, if there is an 
issue of some kind that we, as a Nation, have enough resources 
standing by to be able to meet those threats?
    Thank you.
    Dr. Gamache. I would like to echo the theme of resources. 
You know, we have a staff within the A&M System of 19 that are 
looking solely at the research security effort and the cyber 
piece that goes with that. It's all being taken out of hide 
because we believe it's important. But as we get more and more 
requirements like NIST-800-171 and what's coming down now 
within NSPM-33. We're a well-resourced university system. 
Smaller colleges have the same requirement to protect that 
information but can't make the same business case that we can. 
And I think that needs to be taken into consideration.
    Ms. Van Cleave. Senator, I think that there are a lot of 
new creative solutions with respect to security where there is 
a lot of work being done in the private sector and in 
government that that needs to continue. For example, within the 
Defense Department, there is a program called Deliver 
Uncompromised, which looks to all of the providers, the 
contractors, for the DOD to come look at security as an 
objective to be achieved rather than a cost to be minimized.
    And so, when you start having practices like that, I think 
you're going to improve things overall. But I would note that 
one can continue down the road of security--as we must, to 
improve it--as we must, to come up with better ideas--as we 
must. And yet, there will always be a determined adversary 
looking for ways to break through.
    So, if you ask what is it that Congress can help do, 
Congress can help refocus on the core counterintelligence 
mission that says the role of the U.S. government--in addition 
to advising business, industry, and academia and all the things 
it needs to do to protect itself against--the role of 
government uniquely, that we can't ask Texas A&M to do and we 
can't ask CrowdStrike to do, is to go after the bad guys.
    And we are failing in that mission right now, in my 
opinion, sir.
    Senator Casey. Thank you.
    Chairman Warner [presiding]. Let me pick up on this. I got 
a couple more questions, notion of responsibilities. I 
appreciate Dr. Gamache, and we are saying that correctly, 
right? I want to make sure that we're right. We have not all 
completely butchered your name for two hours here.
    Dr. Gamache. Yes, you are.
    Chairman Warner. Thank you.
    You know, on this cascading issue from large systems like 
Texas A&M to a smaller liberal arts college, you know, we see 
it in the cyberspace as well, from incident reporting or--one 
of the areas that this Committee again wrestled with. And we 
all said, you know, you got to have at least de minimis cyber 
standards within all the centers on the Internet of Things. And 
trying to get people to adopt that has been, I think, a real 
    You know, one of the areas--you know, Senator Wyden is 
always keeping us on our toes on kind of privacy issues--but 
one of the things that I don't think we do a very good job of 
at all, and it's almost like--not that the IC is reluctant to 
look and the FBI is reluctant to look--is just looking back at 
the supply chain. If you look even from our defense contractors 
where not first tier or second tier but third tier in smaller 
suppliers where some of that originates. I think, again, COVID 
exposed so many vulnerabilities from Russia and China. There 
are some private sector companies out there doing that now, but 
do we need to rethink authorities on this issue to allow the 
IC--. In a sense, how do we grapple with it? Looking at a 
question like supply chain, having the IC look at an otherwise 
well-functioning company, no sense of them being targeted, 
although we know almost all these companies are, and go back in 
terms of their sourcing of their materials. That would make a 
lot of folks in the IC right now very uncomfortable.
    Do you think that's something that we ought to have a 
requirement? And where would you put that?
    Ms. Van Cleave. Mr. Chairman, if I might offer a 
perspective on that. When I was serving in the 
counterintelligence office, we were assigned the responsibility 
of providing intelligence support to CFIUS, as CFIUS was making 
the decisions about what constituted a national security 
concern. And I will tell you that the problem is, when you go 
to the Intelligence Community and you say, ``Please show me 
what you got on Company X, Y, or Z,'' those files are not going 
to be very comprehensive. And that's because we haven't really 
looked at these targets for intelligence assessment purposes in 
order to be able to understand those operations. And so, there 
is a tug and pull on how you want to array your intelligence 
resources and what the priorities are. And perhaps there's an 
opportunity to prioritize these things a little more than we 
    Chairman Warner. Although there's the challenge that 
because we don't generally want the IC looking at domestic, 
obviously, domestic persons but also some domestic content, the 
ability to kind of go--CFIUS or otherwise--up the food chain, I 
think some of the large enterprises, even in the defense area, 
don't know where their third-tier suppliers are originating.
    I think some of these private sector companies are exposing 
that, or the ability, particularly of the CCP--I think we 
became alerted to CCP direct investments in America. And I 
still remember one of our roadshows in Texas, actually, Dr. 
Gamache, where some small AI company said, ``Well, I wondered 
why the Chinese VC was paying three times more than anyone 
else.'' And we didn't have that information. And the CCP has 
gotten smarter where they now may invest, not through a 
Chinese-based entity, but through some European subsidiary and 
entity, and our ability of trace, again, up the food chain is 
really challenging.
    Bill, did you want to comment on that?
    Mr. Evanina. Senator, I do think that if we are going to 
get to a place where we could have an effective supply chain 
risk mitigation program, or even get to zero trust, we have to 
have a carve-out somewhere where the parts of the Intelligence 
Community can play in the space and be comfortable advising and 
informing U.S. industries that there is a threat, or there is a 
vulnerability in a coding aspect, or somewhere along the IT 
supply chain or in the procurement supply chain. That's very 
easy to do, just a matter, to your point of the uncomfortable 
nature of the IC getting involved in that is natural and it's 
prudent. I just truly think that if we're going to move in a 
place where we can have a protection of our supply chain, the 
IC is going to have to play because they have left-of-boom 
activity and intelligence collection they could share with 
those entities.
    Chairman Warner. I think, again, there's both that ability 
to look at--from a national security standpoint. Some of that, 
up the domestic supply chain in terms of origination, I think, 
is important. I also think it's something we've stressed a 
couple of times here. I think we did. And with your help, do a 
good job of those classified roadshows.
    In many ways, they needed to be classified, though, because 
at just the non-classified level, if you can't share the 
experiences, the enterprise or industry sector may not--they 
might say ``What do you mean?'' We can't give them some 
details. But I wonder, at times, if we had not initiated that, 
if we'd left it to the--I think the FBI stepped up their 
ability to make those presentations.
    But again, I think because we took the bull by the horns or 
whatever the analogy is, but I'm not sure that's a systemic way 
to address this on informing our folks. So, that leads me to 
the question, which I would have some trepidation on, but one 
of the things around this whole CI mission, and I'm not sure 
where I'm going to start on this one, but do we try to look at 
the British model where they actually have a domestic 
counterintelligence entity?
    Now, clearly, the U.K. has a whole set, a different set 
of--. We have a whole set of protections, First Amendment and 
otherwise, that I think make our system better. But, you know, 
they have Scotland Yard, and yet they have MI5.
    Maybe I'll go the reverse route again this time.
    Is it time to look seriously at the idea of an independent 
counterintelligence entity in the United States?
    Mr. Sheldon. Thank you, Mr. Chairman.
    I think, from my perspective, there are other folks on the 
panel that are better suited to address the organizational 
    I just want to add quickly that for some aspects of 
industry, especially industry where you have international 
clients and business, maybe places in Europe and elsewhere, 
it's more straightforward to liaise for the purposes of 
something like JCDC with an organization that is removed 
somewhat from the Intelligence Community, because that makes 
everyone's customers more comfortable. So, that's an important 
equity to protect if there's going to be a reorganization. It's 
just to ensure that there are ways to collaborate between 
industry and government through more civil authorities.
    Thank you.
    Chairman Warner. And I think, again, it's still a work in 
process, but CISA--. You know, I think I was wrong that having 
CISA have enforcement proceedings against people who fail to 
incident report is the wrong approach because CISA ought to be 
that friendly entity that is not in the regulatory sense, 
    Dr. Gamache.
    Dr. Gamache. I would defer on the organizational portion of 
that, Senator, but I believe that there has to be a way to plug 
academia into whatever solution you come up with.
    Chairman Warner. Michelle.
    Ms. Van Cleave. Mr. Chairman, I do have some strong views 
on this, actually. In my view, one of the strengths of U.S. 
counterintelligence is the diversity of talents and skills and 
approaches and training represented in the very different 
agencies and the responsibilities that they have had across our 
government. There's value in having a national 
counterintelligence service, as most other foreign governments 
do have a centralized service.
    But I think that we have untapped potential in the fact 
that we've got such a tremendous variety of people and skills. 
The missing element is the ability for select high-priority 
targets in a strategic way to meld those things together, those 
activities together, so that they can operate as one team with 
one plan and one goal when required.
    That's the missing element, in my opinion.
    Chairman Warner. Bill.
    Mr. Evanina. Senator Warner, I'm going to wrap a few things 
together and get back to Dr. Gamache.
    First of all, I do think our higher education should be 
looked at as part of the national security and defense program. 
I do think that it's worthy of putting it in a bucket with 
other entities we spend money to protect, number one.
    Number two is, if you just juxtapose when we talked about 
the changing landscape of counterintelligence over the last two 
decades, I would proffer to this Committee, if you look at our 
counterintelligence strategy now, protecting critical 
infrastructure, ensuring a supply chain, economic security, 
malign foreign influence, who has the authority legislatively 
to handle all those parts of the defense process?
    They're Whack-A-Mole through different organizations. And I 
do think that if we are going to modernize the concept and 
lexicon of counterintelligence, we have to look at what's being 
affected here in the U.S. And it comes to cybersecurity. At the 
end of every single breach that Mr. Sheldon talked about, 
there's a human being somewhere and a keyboard, either in China 
or Russia or Iran. So that cannot be forgotten.
    I think when we look at how we structure this, we have to 
look at--the 2002 Counterintelligence Enhancement Act did not 
take all these things into play. It was more spy versus spy. 
So, I'm not sure an MI5, MI6 model is required. I do think we 
have existing structures that are probably predicated in a 
1980s mindset, but I do think we have to find the way to fill 
in the gray space to protect where the battlespace is now in 
the private sector.
    Chairman Warner. You know, one of things we want to try to 
do is solicit input, but I start with a, for a variety of 
reasons, prejudice against a new entity. And I am very 
conscious--, you know, we think about some of the prominent 
American companies when we got into AI, and sometimes, they 
were reluctant to work with the community. I think many of the 
Members of this Committee believe that this is such a 
technology competition now, beyond the traditional mill-to-mill 
and identifying that technology where we're going to go deep. I 
think we have done a little bit on the 5G piece and the chips 
    The Committee, in a bipartisan a way, has agreed to look at 
synthetic and bioprocessing series areas there and things 
around advanced energy to think about those because they would 
not have been in the category of a traditional national 
security, counterespionage, intel agenda ten years ago, maybe 
not even five years ago, but I think clearly are now.
    Ms. Van Cleave. Mr. Chairman, if I might just?
    Chairman Warner. Yes, please.
    Ms. Van Cleave. To interject, and before this comes to a 
close, and thanking you again for your leadership and for your 
decision to hold this hearing and the subsequent hearings that 
you are planning on counterintelligence. There is one point 
that I believe I would be remiss if I didn't speak to the 
record on this point.
    And that is that I want to assure you and the Committee 
that, sadly, traditional espionage is still ongoing. It is 
still directed against us. It is still very much a threat to 
our national security, to the secrets that are most important 
to our national security, to the people and treasure who work 
with our Intelligence Community, to our troops in the field. 
These kinds of penetrations into the U.S. government that are 
traditional espionage is very much ongoing. It is very much the 
focus of our adversary, and I would urge, as the Committee 
moves forward, to keep your eye on that as well.
    Chairman Warner. Oh, we are very aware, and this kind of 
open setting is not the place to go into that. But even in 
terms of some of our near-peer competitors, just the number of 
people they have in-country under some level of traditional 
diplomatic status, whether their embassy or through the UN, is 
a huge issue.
    It is not an either-or proposition. I know there are a 
number of other Members--with the vote schedule, sometimes, it 
is a hodgepodge--but I very much appreciate everybody's 
presentation, and obviously, we've got some more work to do. 
Committee is adjourned. Thank you all.
    [Whereupon the hearing was adjourned at 4:21 p.m.]

                         Supplemental Material