FINAL Prepared Statement of Jeh Charles Johnson Before the House Armed Services Committee Hearing on “Cyber Operations Today Preparing for 21st Century Challenges in an Information-Enabled Society” April 11 2018 Chairman Thornberry Ranking Member Smith and members of this Committee From February 10 2009 to December 31 2012 I served as General Counsel of the Department of Defense From December 23 2013 to January 20 2017 I served as Secretary of Homeland Security As Secretary I had the privilege of working with Congress to provide additional authorities to the Department of Homeland Security to defend the Nation’s and the federal government’s cybersecurity through the Cybersecurity Act of 2015 1 the National Cybersecurity Protection Act of 2014 2 the Federal Information Security Modernization Act of 2014 3 and other new laws 4 I am pleased the Committee has convened this hearing on the important topic of cyber operations and cybersecurity and I’m pleased to be joined at the witness table by Secretary Chertoff and General Alexander The views I express here are my own based upon my personal experiences in national security and now as a concerned private citizen You have asked the witnesses today to focus our testimony on the following T he current cybersecurity challenges and threats to U S military superiority being posed by Russia China and other state-sponsored actors aggressively engaged in the cyber domain conducting activities to enable information warfare below the traditional level of armed conflict Please also discuss policy and capabilities with respect to current U S plans and strategies including ways to improve interagency coordination for cyber threats Lastly we ask 1 2 3 4 Pub L No 114-113 129 Stat 2242 2935 2015 Pub L No 113-282 128 Stat 3066 2014 Pub L No 113-283 128 Stat 3073 2014 E g the Border Patrol Agent Pay Reform Act of 2014 Pub L No 113-277 128 Stat 2995 2014 including additional authorities for cybersecurity recruitment and retention 1 FINAL that you recommend ways and means to better prepare for 21st century challenges in an information-enabled society by improving the organization of the U S government The Threat Picture Cyberattacks on our homeland of all manner and from multiple sources are going to get worse before they get better In this realm and at this moment those on offense have the upper hand those on defense struggle to keep up Whether nation-state actors or non-state cyber-criminals hacktivists or those who engage in the growing industry of Ransomware those on offense are ingenious tenacious agile and getting better all the time To understand the current cybersecurity threats to our homeland from nation-states and others we must in my view divide them into five broad threat streams First the threat of cyberattack by a nation-state or other entity to seize disable or destroy components of our Nation’s critical infrastructure This form of cyberattack implicates national security and if significant enough in its effects may amount to an act of war 5 This form of cyberattack may also occur as part 5 A key question many ask is under what circumstances can a cyberattack constitute an act of war At the moment there is no legal definition for the term “cyberwar ” The 1022-page Department of Defense Law of War Manual which was published in 2015 and took decades literally to write contains a section on cyber operations but does not contain a definition of the term cyberwar or take on the question of when a cyberattack constitutes an act of war justifying an armed response On this issue I agree with the existing assessments from legal scholars I have come to know and trust Professors Jack Goldsmith Harvard Law Jack Goldsmith How Cyber Changes the Laws of War 24 EUR J INT’L L 129 2013 Oona Hathaway Yale Law Oona Hathaway et al The Law of Cyber Attack 100 CAL L REV 817 2012 and Major General ret Charles Dunlap Duke Law Charlie Dunlap Are Cyber Norms as to What Constitutes an “Act of War” Developing as We Would Want LAWFIRE Sept 15 2017 https sites duke edu lawfire 2017 09 15 are-cyber-norms-as-to-what-constitutes-an-act-of-wardeveloping-as-we-would-want among others Essentially the answer from them and me is “maybe ” or “it depends ” or “we will know it when we see it ” The experts recognize that the terms “use of force” and “armed attack” are hard to translate into the cyber realm However the consensus view calls for an analysis of the kinetic effects of an attack not just the kinetic means That is a cyberattack that causes serious kinetic effects such as the explosive destruction of an air field or an electric grid and or physical death and injury as opposed to cyber espionage or cyber theft of data should almost certainly be considered an act of war This is a simple common-sense approach to the issue In my judgment it is not in the interest of the United States to reach for a more creative or expansive definition An enlarged definition of a cyber “act of war” could be invoked by other nations unilaterally as a justification for an armed response under Article 51 of the UN Charter or 2 FINAL and parcel of an ongoing armed conflict that has begun in a traditional kinetic fashion Second cyber espionage practiced principally by nation-states and similar in purpose to forms of traditional espionage Third hacking and unwanted exfiltration and theft of data and intellectual property As General Alexander notes in his prepared statement the theft of intellectual property by nation-states is a significant part of this threat stream As we saw in 2016 this threat stream also includes but is hardly limited to the risk of attack on election infrastructure by nation-state actors which represents a threat to our very democracy Fourth the problem of widespread use and misuse but not necessarily theft of personal private data on the internet The reality is that the American public has surrendered and entrusted much of our private lives to the internet Technically with consent but often without our knowledge much of this private data is shared for marketing and commercial purposes and there is now a growing industry of data mining companies data brokers and data intelligence companies dedicated to further exploiting this target-rich environment Because of its prevalence on the internet private information is now discoverable and exploitable not only by conventional actors but by criminal hackers and nation-states Consequently this is not just an issue of privacy it is an issue of security Fifth and finally the problem that can be considered a form of cyberattack but not exclusively so – fake news and hateful extreme views published and republished on the internet used as a weapon by foreign and domestic forces seeking to alter elections sow discord or otherwise alter public opinion generally The recent indictment of 13 Russian individuals by the Special Counsel 6 confirms that this was part of the Russian attack against us in 2016 for invocation of Article 5 of the NATO treaty Mistakes in attribution—for which there is an enhanced concern in the cyber realm—could also complicate matters This is not meant to imply that the U S should not formulate a comprehensive strategy for these attacks—to the contrary we must continue to develop a set of international rules and norms of acceptable behavior in cyberspace and the United States should lead that effort 6 Indictment United States v Internet Research Agency LLC et al No 18-cr-00032-DLF D D C Feb 16 2018 ECF No 1 3 FINAL Roles Responsibilities and Capabilities There are vital roles for the U S military the intelligence community law enforcement and the Department of Homeland Security in the U S government’s cybersecurity efforts Broadly speaking the Department of Defense should be responsible for defending the Nation against attacks and securing national security and military systems the Department of Justice should be the lead agency responsible for investigating 7 and prosecuting cybercrimes and the lead agency for domestic national security operations and DHS should be the lead agency for protection prevention mitigation and recovery when it comes to domestic private and government cyber incidents as well as securing federal civilian networks In addition the head of each federal agency is responsible for the immediate security of his or her own agency’s particular network As between DOJ and DHS I concur with the approach taken in Presidential Policy Directive 41 8 which specifies that DOJ is the lead agency for “threat response” i e law enforcement and national security investigations to significant cyber incidents and DHS is the lead agency responsible for “asset response” i e patching vulnerabilities forensics and technical assistance to significant cyber incidents I also support efforts to reorganize DHS internally to more effectively address current cyber threats There should be a cybersecurity agency of the U S government DHS’s current “National Protection and Programs Directorate” should be reorganized into a leaner and more efficient “Cyber and Infrastructure Security Agency” that has two key missions cybersecurity and infrastructure protection and recognizes the interconnectivity of these two missions I support legislative efforts to accomplish these goals 9 7 8 9 In addition to the FBI the Secret Service and Homeland Security Investigations have considerable expertise and experience in investigating cybercrimes Presidential Policy Directive 41 United States Cyber Incident Coordination 2016 See Cybersecurity and Infrastructure Security Agency Act of 2017 H R 3359 115th Cong 2017 passed by the House in December 2017 and Department of Homeland Security Reauthorization Act H R 2825 115th Cong 2017 reported out of the Senate Homeland Security and Governmental Affairs Committee and pending in the Senate 4 FINAL As for the relative roles in cybersecurity between U S Cyber Command and NSA I defer to the views of General Alexander Inevitably given its nature cyber security must also be a public-private partnership As General Alexander notes in his prepared statement the vast majority of our Nation’s cyber infrastructure is owned and operated by the private sector In 2015 DHS established near-real-time automated information sharing capability with the private sector Through the Cybersecurity Act of 2015 Congress provided further incentives for the private sector to share cyber threat indicators with DHS As of the time I left office however not enough businesses had taken advantage of automated information sharing capability No matter how sophisticated a company’s cybersecurity is everyone benefits from information sharing about the latest cyber threats The federal government should focus on strengthening partnerships with the private sector to ensure better information sharing By contrast in my judgment addressing the problem of fake news and extremist views is not a matter for the security agencies of our government Foreign influence in federal elections is a matter for the federal election laws and activities that violate criminal laws are a matter for law enforcement Beyond that we must be extremely careful not to go down the road of empowering security agencies to regulate or restrict speech particularly political speech on the suspicion that it might have a foreign or extremist origin Self-regulation by private internet access providers should be the first solution And the public should be more skeptical about what we read and see To meet all of these demands continued U S government investments in both cyber talent and technology are key I am pleased that the President’s FY2019 budget proposes significant amounts for DHS’s Continuous Diagnostics and Mitigation Program and continued deployment of the EINSTEIN system to protect federal civilian networks The recruitment and retention of cybersecurity talent is perhaps the biggest cybersecurity challenge for DHS and other federal agencies 5 FINAL Beyond that I agree with Secretary Chertoff’s prepared statement that the U S government must define a cyberwarfare doctrine develop clear guidelines for determining attribution and continue to incentivize public-private information sharing and investments by the private sector in cybersecurity I am prepared to discuss further my own views on these topics and I look forward to your questions 6