[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
CYBER ATTACKS: AN UNPRECEDENTED THREAT TO U.S. NATIONAL SECURITY
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON EUROPE, EURASIA, AND EMERGING THREATS
OF THE
COMMITTEE ON FOREIGN AFFAIRS
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
MARCH 21, 2013
__________
Serial No. 113-8
__________
Printed for the use of the Committee on Foreign Affairs
Available via the World Wide Web: http://www.foreignaffairs.house.gov/
or
http://www.gpo.gov/fdsys/
U.S. GOVERNMENT PRINTING OFFICE
80-123 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected].
______
COMMITTEE ON FOREIGN AFFAIRS
EDWARD R. ROYCE, California, Chairman
CHRISTOPHER H. SMITH, New Jersey ELIOT L. ENGEL, New York
ILEANA ROS-LEHTINEN, Florida ENI F.H. FALEOMAVAEGA, American
DANA ROHRABACHER, California Samoa
STEVE CHABOT, Ohio BRAD SHERMAN, California
JOE WILSON, South Carolina GREGORY W. MEEKS, New York
MICHAEL T. McCAUL, Texas ALBIO SIRES, New Jersey
TED POE, Texas GERALD E. CONNOLLY, Virginia
MATT SALMON, Arizona THEODORE E. DEUTCH, Florida
TOM MARINO, Pennsylvania BRIAN HIGGINS, New York
JEFF DUNCAN, South Carolina KAREN BASS, California
ADAM KINZINGER, Illinois WILLIAM KEATING, Massachusetts
MO BROOKS, Alabama DAVID CICILLINE, Rhode Island
TOM COTTON, Arkansas ALAN GRAYSON, Florida
PAUL COOK, California JUAN VARGAS, California
GEORGE HOLDING, North Carolina BRADLEY S. SCHNEIDER, Illinois
RANDY K. WEBER SR., Texas JOSEPH P. KENNEDY III,
SCOTT PERRY, Pennsylvania Massachusetts
STEVE STOCKMAN, Texas AMI BERA, California
RON DeSANTIS, Florida ALAN S. LOWENTHAL, California
TREY RADEL, Florida GRACE MENG, New York
DOUG COLLINS, Georgia LOIS FRANKEL, Florida
MARK MEADOWS, North Carolina TULSI GABBARD, Hawaii
TED S. YOHO, Florida JOAQUIN CASTRO, Texas
LUKE MESSER, Indiana
Amy Porter, Chief of Staff Thomas Sheehy, Staff Director
Jason Steinbaum, Democratic Staff Director
------
Subcommittee on Europe, Eurasia, and Emerging Threats
DANA ROHRABACHER, California, Chairman
TED POE, Texas WILLIAM KEATING, Massachusetts
TOM MARINO, Pennsylvania GREGORY W. MEEKS, New York
JEFF DUNCAN, South Carolina ALBIO SIRES, New Jersey
PAUL COOK, California BRIAN HIGGINS, New York
GEORGE HOLDING, North Carolina ALAN S. LOWENTHAL, California
STEVE STOCKMAN, Texas
C O N T E N T S
----------
Page
WITNESSES
Mr. Christopher Painter, Coordinator, Office of the Coordinator
for Cyber Issues, U.S. Department of State..................... 7
Mr. Richard Bejtlich, chief security officer and security
services architect, Mandiant Corporation....................... 26
Mr. Greg Autry, senior economist, Coalition for a Prosperous
America........................................................ 36
Mr. Michael Mazza, research fellow, American Enterprise Institute 46
Martin C. Libicki, Ph.D., senior management scientist, RAND
Corporation.................................................... 55
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
The Honorable Dana Rohrabacher, a Representative in Congress from
the State of California, and chairman, Subcommittee on Europe,
Eurasia, and Emerging Threats: Prepared statement.............. 3
Mr. Christopher Painter: Prepared statement...................... 9
Mr. Richard Bejtlich: Prepared statement......................... 29
Mr. Greg Autry: Prepared statement............................... 38
Mr. Michael Mazza: Prepared statement............................ 48
Martin C. Libicki, Ph.D.: Prepared statement..................... 57
APPENDIX
Hearing notice................................................... 70
Hearing minutes.................................................. 71
CYBER ATTACKS: AN UNPRECEDENTED THREAT TO U.S. NATIONAL SECURITY
----------
THURSDAY, MARCH 21, 2013
House of Representatives,
Subcommittee on Europe, Eurasia, and Emerging Threats,
Committee on Foreign Affairs,
Washington, DC.
The subcommittee met, pursuant to notice, at 9 o'clock
a.m., in room 2172 Rayburn House Office Building, Hon. Dana
Rohrabacher (chairman of the subcommittee) presiding.
Mr. Rohrabacher. There it is. It is called to order and the
mic is on. And let me just note that when you are speaking
through a microphone, you are utilizing the energy that is
produced some way by someone at some cost. So I call this
meeting to order. And today's topic is Cyber Attacks: An
Unprecedented Threat to National Security.
After the ranking member and I each take 5 minutes to make
opening remarks, each member present will have 1 minute to make
their opening remarks, alternating between the majority and
minority. And without objection, all members may have 5 days to
submit statements, questions, and extraneous material for the
record, and hearing no objections, so ordered.
There have been several congressional hearings on cyber
warfare, but most have concentrated on the technology involved
and how we can devise defenses to block hackers from breaking
into our Government and business computers. The greatest danger
to our nation, the greatest dangers, however, are not really
about technology. It is about international relations, foreign
governments that employ cyber warriors to attack other
countries, or which allow hackers to attack other countries in
their behalf.
And what is it we are we talking about? We are talking
about something that should be considered as a hostile
government action against another act. It is as if the
government was supporting terrorism if they support the same
type of aggression, cyber aggression. These acts, which put our
country in severe jeopardy, must be met with the same national
security and diplomatic measures that we use to meet other
external threats.
The type of targets hackers assault are often placed in two
categories. Strategic targets are those which would be attacked
by military means in a war. For example, transportation
systems, power grids, defense industries, communications, and
government centers. And China, Iran, North Korea, and Russia
have all used cyber attacks aimed at strategic infrastructure
targets. Targets that would be attacked in another way if there
was a war.
In January, Iran conducted probing attacks on U.S. banks.
Such potential damaging and brazen attacks on the United States
should provoke a much more aggressive and powerful response
than we are currently exercising. We should deter, not just to
try to block, but we should deter cyber attacks and perhaps
counterattack. More insidious, however, is the ongoing attacks
on our economy by the Chinese, among others. This second form
of attack is in the form of commercial warfare. The scale upon
which it is being conducted is beyond anything we have
experienced and far exceeds traditional espionage.
The Mandiant report which came out last month identified a
unit of the Chinese People's Liberation Army that has been
conducting commercial warfare since 2006. A military unit
hacking business and industry targets, and then we have a
situation where these targets play a central role in the
economy of one nation and has a lot to do with the balance of
power between the nations. So you have a Chinese People's
Liberation Army involved in an attack that has a lot to do with
the power between our countries, and is a cyber attack.
The commander of U.S. Cyber Command, Keith Alexander,
estimated last year that computer hacking from overseas costs
the American economy $250 billion a year. He called it the
greatest transfer of wealth in history. The Mandiant study
found that the targets ``match industries that China has
identified as strategic for their growth, including four of the
seven strategic emerging industries that China has identified
as part of its 12th 5-year plan.''
The Chinese firms that compete in these industries are
dominated by state-owned enterprise which ties Communist Party
officials and their families to this crime against the United
States and others throughout the world. It is a matrix that not
only serves to grow the wealth and power of China but also the
personal fortunes of its leaders. Yet, even this is only the
tip of the iceberg. The transfer of wealth by the theft of
technology and other information vital to the development of
industry is then used to gain a competitive advantage in world
trade, which brings even more wealth to China.
Over the last 10 years, that is 2003 to 2012, the United
States trade deficit in goods with China totaled over $2.4
trillion. Entire industries have been moved across the Pacific
to create what we see as the rise of China. Well, we cannot
just rely on technology to defend against these type of
attacks. We must use diplomacy to deter them by telling Beijing
and others in clear terms that we will not allow their hacking
to continue without retaliation. We should sanction states that
support hacking just as we sanction states that support
terrorism or engage in other hostile actions. This war will not
just be waged in cyberspace, but across every front and using
every lever of American power to defeat an aggressor and to
take the profit out of attacking our businesses, our defenses,
and yes, our country.
[The prepared statement of Mr. Rohrabacher follows:]
----------
Mr. Rohrabacher. With that I would turn to Mr. Keating for
his opening remarks.
Mr. Keating. Well, thank you, Mr. Chairman, and thank you
for holding today's hearing.
During the highly publicized Benghazi hearing earlier this
year, Secretary Clinton warned this committee that cyber
threats would be at the top of our agenda in the coming months
and she certainly was correct in that prediction. With the
number of cyber threats escalating worldwide, the need for
comprehensive security analysis, assessment, and actions has
never been greater.
Although cyber attacks and instances of cyber espionage are
receiving a great degree of media attention and are undoubtedly
increasing and really evolving at a highly rapid rate, cyber
threats are not a new phenomenon. The GAO designated Federal
information security as a high-risk area in 1997, and in 2003
expanded this area to include protecting our nation's critical
infrastructure.
Ten years later, just this February, it was President Obama
that signed an executive order to facilitate information
sharing about emerging threats and solicit new, voluntary
cybersecurity standards for the nation's power grid, financial
sector, and other key institutions, yet the price of
cybersecurity is certainly not cheap. Government agencies would
need to boost cybersecurity spending more than seven times to
block 95 percent of hacker attacks according to Bloomberg
Government study.
This translates into an annual average spending of $190.3
million per agency, up from the current $26 million, according
to the study, based on interviews with officials of 48 Federal,
State, and municipal agencies. The current combined financial
impact on public and private sector cyber attacks is unknown
but estimates are in the billions.
As we add up the dollars and weigh the risks, we must not
forget that the greatest attack of all will be on the
confidence of the American people if even one large-scale cyber
attack scenario were to materialize. As a former district
attorney, I believe that our country's efforts toward deterence
and response to a known cyber attack do matter, even if we are
not always sure who the aggressor is, their motive is, or where
they might be. While the issuance of the executive order is a
welcome development, it will take responsible, legislative
action to fully address cyber threats and vulnerabilities to
critical infrastructure, and time is of the essence.
Further, the Internet is an open, international domain, and
cyber crimes clearly go beyond traditional law enforcement
models. For this reason, national policies are incomplete
without firm international cybersecurity standards and norms
between like-minded allies.
The U.S. recently played an incredibly constructive role
during the World Conference on International
Telecommunications, and beat back proposals by Russia, China,
Saudi Arabia, and others that sought to explicitly extend
International Telecommunications Regulations jurisdiction over
the Internet. Unfortunately, the U.S. also does not participate
in many of the concrete initiatives put forth by the
International Telecommunications Union, the ITU, and other
international organizations. However, these efforts further the
connectivity and the interoperability of the world's
telecommunication networks which, in turn, enhance America's
defense and intelligence communication capabilities.
Also just this week, NATO Secretary General Rasmussen was
in Estonia. As most of us here know, Estonia has experienced
devastating cyber attacks directed from Russia at its
Parliament, ministries, banking systems, newspapers, and
broadcasters, in 2007. This week's NATO meeting alluded to
these attacks. It highlighted the importance of moving on to an
interoperability paradigm between like-minded allies. It is
interesting with Estonia as well, I was informed this week that
they are going to have the model that the EU is adopting. And
even in Estonia it is interesting to note as well, they are
teaching cybersecurity in the first grade.
I am thankful for the participation of our witnesses here
today, and look forward to hearing their thoughts on our
current cyber state of affairs as well as ongoing cyber
espionage efforts and attacks stemming from China, Russia,
Iran, and others. And before I close, I would like to note that
this hearing is taking place at a time when the effects of
across-the-board spending cuts are just beginning to be
realized. And I look forward to hearing from you, Mr. Painter,
about how the sequester and the perpetual uncertainty around
budgeting impacts might affect our nation's cybersecurity
efforts. With that I go back to my chairman and yield back
time, all 5 seconds.
Mr. Rohrabacher. Thank you very much. You were noting what
was going on in Estonia, and yesterday, several banks and
broadcast outlets in South Korea were attacked, and apparently
the assumption was that the cyber attacks were from North
Korea. However, the news this morning is that South Korea is
claiming that these attacks were located, the attacker was
located in China. And the story is still developing, but it
raises questions as to whether China and North Korea are
cooperating in cyber warfare against people that they think are
their enemies.
But with that Mr. Duncan has an opening statement, I
understand.
Mr. Duncan of South Carolina. Thank you, Mr. Chairman. I
think that the hearing today is very, very timely, especially
in light of the director of National Intelligence on 12 March,
James Clapper, said this, ``We judge that there is a remote
chance of a major cyber attack against U.S. critical
infrastructure systems during the next 2 years that will result
in a long-term, wide-scale disruption of services such as
regional power outage.''
So I appreciate you having this hearing. As a member of the
House Committee on Homeland Security, we are taking cyber
threats very, very seriously. I know Chairman McCaul is very
interested in the cyber threats of this country in his role as
chairman of the House Homeland Security Committee. So I
appreciate the committee hearing, and I look forward to the
testimony of the witnesses. Thank you, I yield back.
Mr. Rohrabacher. Thank you very much. And if the
microphones go off and the lights go off, we will know someone
is watching. We are under attack. All right, Mr. Stockman, I
understand, has an opening statement as well.
Mr. Stockman. Yes, I was just going to comment that this
morning--you stole my thunder a little bit. I was going to
discuss the South Koreans. In fact, the IP address was that of
China, and now there is some discussion over that. But I think
it is a critical time that you do this hearing and I appreciate
it. But also I know our Chinese friends are probably watching.
I don't think that we should engage in this warfare, but if it
is started I am sure that the chairman would lead us through a
victorious end, because this is really alarming to many of us
in this country. Thank you.
Mr. Rohrabacher. Thank you very much. Our first panel is a
single witness. Christopher Painter is Coordinator for Cyber
Issues at the U.S. Department of State. Mr. Painter has served
in the White House as senior director for Cybersecurity Policy
in National Security Staff, and this is on the National
Security Council, is that correct? Okay. During his 2 years in
the White House, Mr. Painter conducted the President's Cyber
Policy Review, and subsequently served as acting cybersecurity
coordinator.
Mr. Painter began his Federal career as Assistant U.S.
Attorney in Los Angeles where he led some of the most high
profile and significant cyber crime prosecutions that took
place in our country, then moved onto Computer Crime and
Intellectual Property Section of the U.S. Department of Justice
and served there for a short time as deputy assistant director
of the FBI Cyber Division. He has worked with dozens of foreign
governments on these issues, and he is a graduate of Stanford
Law School and Cornell University.
Mr. Painter, you may proceed.
STATEMENT OF MR. CHRISTOPHER PAINTER, COORDINATOR, OFFICE OF
THE COORDINATOR FOR CYBER ISSUES, U.S. DEPARTMENT OF STATE
Mr. Painter. Chairman Rohrabacher and Ranking Member
Keating and members of the subcommittee, thank you for the
opportunity to testify on the State Department's role in
countering cyber threats. I commend the subcommittee for
focusing on this foreign policy imperative, and for your
support promoting diplomacy as a tool for improving our
nation's cybersecurity, and by extension, our national security
and economic interests.
The State Department plays a leading role in diplomatic
efforts to stabilize cyberspace and to advance the vision of an
open, interoperable, secure and reliable Internet articulated
in the President's 2011 International Strategy for Cyberspace.
We currently face several kinds of threats in cyberspace.
First, there are the operational threats, which you just
described, to our cyber networks that can potentially harm both
our security and our economic interests, like the recent
Distributed Denial of Service attacks against our financial
sector.
The State Department has worked closely in that instance
with our Department of Homeland Security and other agencies to
help share technical data that can then help mitigate the
threat, and the sharing has been with both our international
partners in countries and with industry. This kind of
information sharing not only helps counter the immediate
threat, but promotes a practice of international cooperation
that will help prevent future attacks. It creates a norm of
cooperation, if you will.
Another kind of threat that has been making the news lately
is obviously the large-scale wholesale theft, cyber theft of
intellectual property and trade secrets from the private
sector. The State Department has consistently raised our
concerns about these cyber intrusions with senior Chinese
officials, and we will continue to do so. I welcome recent
Chinese official statements that suggest a willingness to
engage in a more sustained dialogue and discussion on this
important issue.
It is critical that we continue to emphasize cyber issues
in all of our international engagements to promote global
cooperation, to ensure that states take threats seriously, to
build consensus on norms of responsible conduct in cyberspace
that enhance international cybersecurity, and to address the
kinds of malicious activity that have recently received such
extensive media coverage. Cyber policy issues are on the agenda
in every major international forum, and in those forums some
states seem to view the dynamism and innovation of the Internet
as a threat to the stability of their regimes. They reject the
successful multi-stakeholder model of Internet governance that
includes a role for states, for civil society, and for industry
in favor of top-down intergovernmental control that enables
both state control and regulation of content.
The U.S. strongly promotes an alternative vision. We
believe that a cyberspace that rewards innovation, empowers
individuals, develops communities, safeguards human rights, and
enhances personal privacy will build better governments and
strengthen national and international security. We promote this
vision by working not only with our closest partners and
allies, but also with states that are emerging as global
leaders in this area, and with developing nations looking for
ways to play a role in the cyber world and even with states
with whom we do not always see eye-to-eye. The U.S. engages on
cyber issues with a multitude of states bilaterally, regional
groups such as the European Union, and NATO.
In the last year alone we, my office, has launched
dedicated cyber, whole of government, meaning not just my
office but all the different agencies in our Government and the
counterpart governments, senior policy dialogues with India,
Brazil, South Africa, South Korea, Japan, and Germany in order
to share perspectives and build a consensus view of the future
of cyberspace. We continue to seek deeper engagement with
countries like Russia and China who clearly have a different
world view and with whom we have challenges but we need to find
ways to develop a stronger relationship.
The State Department will continue to focus on both the
kinds of operational threats that you have identified here
today, and on the long-term policy efforts that will help
mitigate them in the long run. In his confirmation hearing,
Secretary Kerry, then Senator Kerry, cited the importance of
``cyber diplomacy and cyber negotiations,'' stressing the need
to affirm `` `rules of the road' that help us be able to cope
with challenges in cyberspace.'' State is doing just that. We
are working with other nations on efforts that will not only
contribute to greater security and stability in cyberspace, but
will protect freedom of expression, ensure opportunities to
innovate, and promote economic growth around the world.
Thank you, Mr. Chairman and Ranking Member Keating, and I
look forward to your questions.
[The prepared statement of Mr. Painter follows:]
----------
Mr. Rohrabacher. Well, thank you very much. We also have
Congressman Lowenthal who has joined us. Thank you very much
for joining us this morning. Let us just figure out how serious
people are taking this. Have we gotten beyond the let-us-sit-
down-and-discuss-it phase with other countries, or do we have
an action plan that if we discover cyber attacks going on that
there will be some type of retaliation against the criminal
element or the government itself that is engaged in this cyber
crime?
Mr. Painter. So we face a wide range of threats in
cyberspace from nation states to transnationally organized
criminal groups. And how we respond to those different threats
depends on what the threat is. And one of the problems, of
course, is that attribution is difficult in this area and you
don't know, often, exactly which group is doing what activity.
However, speaking first from the cyber crime side, we are
promoting around the world what is called the Budapest
Convention on Cyber Crime so that every country will have
strong laws in this area. They will have the capability to
actually prosecute those laws, there will be better
international cooperation. We have something----
Mr. Rohrabacher. How many people have been prosecuted in
China for cyber crimes?
Mr. Painter. I would have to get back to you about it, sir.
I don't know.
[The information referred to follows:]
Written Response Received from Mr. Christopher Painter to Question
Asked During the Hearing by the Honorable Dana Rohrabacher
The lack of reliable or transparent statistical information on
prosecutions renders it impossible to say exactly how many persons in
China have been prosecuted for activities that we would consider to be
cybercrimes. When the U.S. discusses cybercrime, we speak in terms of
specific conduct criminalized in U.S. criminal laws, such as Title 18
U.S.C. Section 1030, the Computer Fraud and Abuse Act. China, however,
takes a very different approach and speaks in terms of ``criminal and
terrorist activities that use information and communications
technologies,'' as reflected in the Code of Conduct for Information
Security that they jointly authored with Russia. The Chinese government
considers cybercrime to include online speech that it views as
undermining ``political, economic and social stability,'' categories of
expression that would in almost all instances be protected in the
United States by our Constitution's First Amendment, and that is
protected by the right to freedom of expression in international human
rights instruments.
Addressing challenges in cyberspace, including combating
cybercrime, is a priority for the United States, and we engage
routinely with other nations to enhance international cooperation in
these areas. Of note, the U.S.-China Cybercrime Working Group, led by
the Department of Justice, is working to improve cooperation with China
on cybercrime cases.
Mr. Rohrabacher. Can you tell me any country in the world
where we have had the prosecutions and what they have composed
of?
Mr. Painter. We have had many prosecutions in the United
States.
Mr. Rohrabacher. No, no, not the United States, the other
countries of the world.
Mr. Painter. There have been prosecutions, and many of our
close allies in Australia and England, in Germany and France,
there have been prosecutions.
Mr. Rohrabacher. And what happens to someone in Australia
or----
Mr. Painter. It depends on their particular legal system.
Of course, in the United States we have pretty substantial
penalties based on financial harm for cyber crime. Other
countries have similar regimes. And what is important about
this Budapest Convention, this convention that is really the
only existing instrument and the best instrument for cyber
crime, is that it creates certain kinds of offenses that didn't
exist before.
So you may remember years ago when there was the ``I love
you'' virus, and they thought they found the perpetrator, and
the country where they found him didn't have any law that
criminalized that issue. So the Budapest Convention allows
countries to modernize their laws so there won't be safe havens
for this conduct and you can prosecute.
Mr. Rohrabacher. What would you suggest that we do, for
example, if we come to the conclusion that a cyber attack both
in terms of a criminal cyber attack and also strategic cyber
attacks are actually being blessed, if not perpetuated and
actually involved in the government of that country?
Mr. Painter. I think we have to look at all the tools that
we have at our disposal as a national government. But from my
perspective, obviously the tools that we employ are the
diplomatic tools. And those tools, I think, are important to
make clear to a government that conduct this is a concern.
Mr. Rohrabacher. And what are those tools, I mean
diplomatic tools?
Mr. Painter. Those diplomatic tools, I think, are two-fold.
One is engaging directly with that government and saying to
them that this conduct is something that we find unacceptable.
Mr. Rohrabacher. Well, I am sure that will upset them a
lot.
Mr. Painter. Well, but I think you have to look at their
overall relationship. With a lot of these countries we have
many different types of relationships--economic relationships,
other relationships.
Mr. Rohrabacher. Have we done any of that?
Mr. Painter. Yes. In fact, just recently the President has
made clear in his call with the new----
Mr. Rohrabacher. No, what actual sanctions have we put on
any country? For example, it is clear that China has been
deeply involved in this. Everybody knows it, supposedly. What
have we done to say, okay, here is your deadline and this is
exactly what is going to happen. You are no longer going to be
able to purchase certain things from the United States, or be
able to export to the United States, or whatever retaliation we
would have.
Mr. Painter. Sir, I would speak from my perspective and
what we are doing diplomatically. I would say one thing though.
I think with any of these threats we would have to be careful
of looking at this in terms of retaliation, if it is a
retaliation in terms of in-kind retaliation. We want to make
sure that we are addressing the problem and addressing it in
the larger context of any country we are dealing with. But what
I would say is if----
Mr. Rohrabacher. We have to accuse the right people, right?
Mr. Painter. Right. And I do think that if you look at the
statements just in the last couple of weeks, and let me go back
a ways. We have engaged the Chinese in a strategic security
dialogue on sensitive issues. We have only had two meetings of
that group, last year and the year before. We raised cyber at
both of those meetings. Secretary Clinton, last year, said that
the theft of intellectual property and trade secrets was one of
the greatest concerns of the United States, and we have had
very frank discussions. And I can't really get into our
bilateral private discussions in this setting, but I would be
happy to follow up later on.
And then recently, of course, you have heard Tom Donilon,
the National Security Advisor, talk about the great concern
that this poses for us and say three things. One, we want China
to understand the scope and seriousness of this problem of this
activity emanating from China. Two, that we want to make sure
that it stops. That they actually take some action to
investigate and stop this activity. And three, that we need a
sustained dialogue with the Chinese. And we have some dialogue,
but we don't have a sustained dialogue. And the President said
that----
Mr. Rohrabacher. Well, I am sure threatening to have a
sustained dialogue is really going to deter these fellows along
with proclamations of great concern. All I know is that I just
asked you a specific question about specific actions and all I
got was a list of words that had been spoken. And I am sure
that words coming out of the mouth of officials of the United
States is terribly frightening to the Chinese.
Let me turn to Mr. Keating now.
Mr. Keating. Thank you, Mr. Chairman. I mentioned in my
opening remarks, in 2007 our NATO ally Estonia was subject to a
series of cyber attacks directed at their Parliament, their
ministries, their banking systems, newspapers, and
broadcasters. NATO subsequently established the NATO
Cooperative Cyber Defence Centre of Excellence in Estonia to
enhance the capability, cooperation, and information sharing
among NATO and its partners in cyber defense.
Now does the State Department have any evaluation of the
effectiveness of that initiative? And furthermore, some of our
NATO allies have looked to the U.S. to lead on cyber
initiatives in NATO-member countries. What sort of role has the
U.S. had in this initiative going forward, and what kind of
role is it willing to play? What implications does this
initiative have on information sharing between all of the NATO
countries?
Mr. Painter. So a couple of things. The NATO Centre of
Excellence in Estonia, the U.S. is supporting that effort and
actually has personnel stationed there, and I think it is an
important effort to look at some of the larger issues involving
cyberspace. With respect to NATO, generally, as you know back
in the Lisbon Summit, for the first time, and this was a
proposal of the U.S., we made cyber a key part of NATO
strategic concept. And first and foremost in that concept was
making sure that NATO's own networks were secure, and that is
something they have been working on in the last couple of
years. They have also been promoting information sharing
between members of NATO.
Now NATO is not the only way we approach this. We deal
obviously with the EU who just released an international--well,
they released a strategy document for cyberspace. And it was
remarkable because three parts of the EU, the External Action
Service, the DG Connect as it is called, and their home
ministry got together and collaborated on this strategy. And
the strategy, the international part, is very similar to the
U.S. strategy. It is very consistent with our strategy around
the world, particularly in terms of promoting norms, and the
existence and applicability of international law, existing
international law, including the law of armed conflict to
cyberspace. Those are critical things.
So we are working with the EU. We are also working with key
member states. We are working with the U.K. We are working with
Germany. We are working closely with France. We are working
closely with the Netherlands, and many others in that context.
And we work through other forms, like the G8, for instance, and
the OECD, and other forms like that. So there has been a lot of
activity that we have been doing. There has also been our
Defense Department who works with our allies in making sure
that they have better defenses and building those defenses.
And finally, our Homeland Security Department has been
working with a number of countries and exchanging information
with their computer emergency response teams. One thing, I
think, that is a great development not just in Europe but
around the world is that countries are developing national
strategies for dealing with cyber. We have one here, and many
other countries now have them, but in Latin America and other
places those are being developed.
The one other thing I would say just to reflect on the last
question before yours, I do think it is important that we are
raising this issue at a very high level. I think it makes a
difference when the President raises this level, when Tom
Donilon raises this level. And we are also doing things to
protect us at home, like what DHS is doing to share information
with the private sector and help harden the targets, make sure
our defenses are better.
Mr. Keating. Yes, I am on the Cybersecurity Subcommittee in
Homeland Security as well. But how well are these other
countries doing, working with the private sector side? Because
governments can work all they want, but if we are not having a
dynamic approach dealing with the private side as well we are
not going to be successful in this. Are any of the other
countries you are familiar with, are they doing a better job
getting that kind of cooperation?
Mr. Painter. I think we are all trying to make sure that is
an effective partnership. I think it is extraordinarily
important because the private sector not only owns most of the
infrastructure but, frankly, government doesn't have all the
answers. We have to engage with the private sector and others
to make sure we go forward.
When I started this office, a little less than about 2
years ago now, one of the first things I did was start meeting
with various private sector groups. Because they may see
opportunities or dangers that perhaps we don't see in
government, and it is important to make sure that they
communicate with us on that, and they often go to some of these
international meetings.
Mr. Keating. Well, we are trying to balance here whether or
not we go through regulations, and government is telling the
private sector what they have to do. We are trying to balance
off that to a more cooperative way to see if we could do--what
are the approaches in some of these countries? Do we have
countries that you are aware of where they are just having
their own regulations on the private side and----
Mr. Painter. I think there are countries that are more
regulatory in nature, just by their nature. What we try to
argue when we have our dialogues with other countries is that
it is important for them to talk to the private sector. Some
countries, frankly, don't have a history or a culture of
talking to the private sector the way we do here. I think we
made great strides in that here. For instance, even building
our National Incident Response plan with the private sector
from the ground up, something I don't think we have ever done
before, and that was just in the last couple of years.
But one of the things we do is when we do, for instance,
capacity building, one of the great efforts of our office not
only to help build capacity, but to try to convince the
developing world that our way of looking at cyberspace is the
correct one and will help them, we bring private sector along
with us. We try to tell those governments, dealing with the
private sector is critical in actually securing your networks
in securing cyberspace.
And I think obviously the executive order is very
important, it is just the down payment on what we need. We
still need legislation, as you know, and we still need
legislation that we have talked about last year and talking
about this year, and we hope we get it, that allows that both
voluntary but very important connection between the private
sector and government.
Mr. Keating. I yield back, Mr. Chairman.
Mr. Rohrabacher. Mr. Marino?
Mr. Marino. Thank you, Chairman. Good morning, Mr. Painter.
I am sure that you participate in classified meetings
concerning intelligence that we accumulate and share with our
allies, and you are between the devil and the deep blue sea
here with what you can tell us and what you can't tell us. So I
am just going to assume that that is the case. But I am a
member of the NATO Parliamentary Assembly, and on a recent trip
from a NATO meeting in Belgium it did not appear to me that
this subject of cyber warfare was a top priority.
Can you give me a suggestion as to what the administration
is doing to make this a top priority, and are our allies behind
us or beside in this and will it have an impact on Russia and
China?
Mr. Painter. Okay. So first, just in terminology, rather
than use cyber warfare I just say the cyber threat and how we
deal with the cyber threat. And I would say that as I mentioned
before the fact that cyber is now part of NATO's operating
concept when it never was before is a key consideration. And it
is no small task for NATO to actually get its networks to the
shape that--this is a foundational thing. If you have your
networks, your own networks, NATO networks, and the member
states' networks secured, you can build on top of that.
I just met with Ambassador Iklody, yesterday, from NATO,
who is their cyber person, and they are doing a lot of activity
in this area making sure that they are having better security
of their networks, and they are sharing information between
member states, and I think that is the most important part.
Mr. Marino. I understand that. But do you really think we
are going to--let us get down in the weeds here. If the NATO
members get together and implement severe sanctions, do you
really think China and Russia are going to listen to us? I was
in China and Russia not too long ago and I brought up the issue
with them. They didn't like it. Actually, China acted like it
wasn't happening, and Russia simply said so what.
So let me give you a scenario here. Assume we have an
attack on Wall Street, the stock exchange, it crashes, and we
know from where it came. Have you worked out any scenarios as
to what will happen from that point forward on behalf of the
United States and some of its allies?
Mr. Painter. Yes, to the extent that we have actually, just
recently in the National Level Exercise that was conducted last
year, for the first time that focused on cyber. So we were
looking at very catastrophic events in the context of cyber in
that exercise. And that both exercised how we were going to
work together, but also we had some of our close allies
participating in that exercise.
And as with any other threat, and we lay this out in the
international strategy, we use every tool at our disposal
whether it be economic, diplomatic, I think we say
informational, or even military. Military is a last resort and
only after we have exhausted other options in law enforcement
of course too. But we have the full suite of tools and we have
close allies with whom we are discussing this with all the
time, and----
Mr. Marino. I do not mean to be facetious about this, but
do you think that this has been working to any extent at all? I
do not see any actual repercussions being implemented or any
scenarios that would cause the Chinese or the Russians to stop
it or curtail it at least.
Mr. Painter. Well, first of all, I would say that we have
certainly raised the pressure about how serious this issue is
for us recently, as you have seen from the President's
statement, from Tom Donilon's statement, et cetera. Other
countries, I think, are also looking at this issue and how they
are going to deal with this issue. We have made tremendous
progress even in the last 2 years in treating this issue as
much more, not just a technical issue but an economic issue, a
national security issue, and a foreign policy issue. Other
governments are doing that too but they are at different
stages, and we are dealing with them and talking with them.
Again, I really can't talk about our private conversations as
you know.
Mr. Marino. I understand. I have less than 20 seconds now.
And I am also involved on the Intellectual Property
Subcommittee, and it is a big issue with me, and we are losing
billions of dollars and tens of thousands, maybe hundreds of
thousands of jobs. But I have, maybe a little tongue-in-cheek
sarcasm remedy is since we owe China so much money for our
debt, why don't we deduct what they are stealing from us and
take it away from the debt? I yield back. Thank you.
Mr. Rohrabacher. Well, then they might have grave concerns
as well if we did something like that.
Mr. Duncan, you may proceed.
Mr. Duncan of South Carolina. Thank you, Mr. Chairman.
First off, I will just say America needs to realize that this
is a real threat. And we talk about cybersecurity a lot, and it
is not just some hacker stealing iTunes downloads or small-
scale intellectual property theft. This is on a grand scale. It
is not only on grand scale with intellectual property with
private corporations, but it is also the theft of military
hardware plans such as some of our fighter aircraft.
And so it is not just China. It is Iran. It is the
Russians. It is a lot of different groups, organized crime and
others that are pinging away at the United States trying to
find a chink in our cyber armor. And I think it is important
that we also realize that the electrical grid and a lot of the
components that keep America operating are also in the sights
of the cyber criminals and other entities. So I am concerned
about that. And the reason I brought Mr. Clapper's comments up
this morning is he also recognizes that this is an imminent
threat and concern to the United States.
And so I was reading about a Chinese operative, a scientist
who was allowed to work with NASA and Langley through a
contract, and was arrested by the FBI as he boarded an airplane
carrying hard drives, flashdrives, and computers that most
likely contained sensitive data that he downloaded. You can
carry a tremendous amount of information on a thumb drive or a
computer hard drive. But I think that pales in comparison to
what can be downloaded through hacking. And something that is
operating behind the scenes 24/7 without an actual person
sitting there downloading into a thumb drive, it is going on by
behind-the-scenes computers.
And so at what point, in my opinion, does the
administration consider that type theft, espionage, and damage
to the U.S. computer systems an act of war?
Mr. Painter. So again, what an act of war means and what an
act of war would trigger, I think, is, as I look at the
threats, as DNI Clapper articulated the threats, we have two
kinds of conduct. We have the fear of the threat of cyber
warfare, which is attacks on infrastructure that could be
crippling, which he said as of this point, is remote, but we
have to be worried about it, and then we have what we see every
day which is the large-scale, unacceptable theft of
intellectual property, and that is a real concern. It is a real
concern, for me it is a real concern. Throughout our Government
we are taking actions to try to both prevent that theft by
making sure we have better security. That is why the executive
order is there. That is why we are asking for legislation.
We are talking to countries that we believe are involved in
this activity. We are talking to our allies about this. We are
also considering other actions more generally. But I think it
is not that that is cyber warfare, but that is, I think,
something that is clearly damaging to the American economy. It
is the life's blood of these companies. It is taking away our
future innovation. So we are taking it incredibly seriously,
and I, certainly, even if I didn't have this job, as a former
prosecutor who prosecuted intellectual property cases, I think
this is a really important issue and it has gotten a lot of
attention, as it should, recently.
And so our part of this is trying to do a couple of things.
In the short term, we are working to help mitigate these
issues, working with DHS, working with other interagency
partners, and in our diplomatic efforts both bilaterally and
multi-laterally with other governments. In the long term, we
are trying to make clear that the norm in cyberspace, the norm
we are trying to promote is that this kind of theft of
intellectual property and trade secrets is simply unacceptable,
and countries that are outside of that core will get
marginalized much as we did with money laundering back in the
'70s. So this is something I think is both a short-term and
long-term effort and we are taking actions on both of those----
Mr. Duncan of South Carolina. And I appreciate your
willingness to say that because it is not only damaging our
economy and our abilities, it is taking our edge away
militarily, our advantage. If they are stealing the plans of an
F-35 and so we have to send F-35s against a comparable
aircraft, that is taking some of that competitive advantage
away that we have militarily to protect this country. And it is
taking our economic advantage away with cyber crime that is
taking intellectual property.
And so at some point in time I would love for this
administration to say no more. We are going to hold someone
accountable. We are going to hold someone accountable for the
theft. We are going to hold the host countries where the
operatives are using the cyber attacks, whether it is China or
Russia, we need to hold those host countries responsible to
some degree for what is going on within their borders. I think
we would do that to ourselves. I think the United States ought
to be responsible for what is going on within our borders with
regard to cyber crime, and I think we are.
And so I think at some point in time we need to make sure
that just a very clear line is drawn and a very clear
understanding within the international community of what is
acceptable and what is not acceptable with regard to cyber
crimes, prosecution, and going forward. So Mr. Chairman, I am
out of time, so with what I will yield back.
Mr. Rohrabacher. Yes. What is acceptable and not acceptable
and what the consequences are, because they don't care what is
acceptable or not acceptable. They have to know what the
consequences are, and so far we----
Mr. Duncan of South Carolina. You are saying it a little
more eloquently than I did, and I appreciate it.
Mr. Rohrabacher. No, it has been clear the consequences are
statements of great concern and statements of something that
will be sustained. And we will give you a chance to answer that
one after Mr. Stockman, who is one of our more timid members of
the committee, also known as being a ferocious patriot, Mr.
Stockman, you have 5 minutes.
Mr. Stockman. I just have a concern. My district
encompasses everything from NASA to petrochemical plants. And
we were touring some of the plants, and they were stating that
they were getting very little cooperation from the government
on helping deter some of the cyber attacks. And they were
mentioning that it could cripple our nation. Just by turning
off a few valves it could blow up a plant. And this is
something that is very serious.
This reminds me of 9/11 when we knew about the Philippines.
We picked up documents which showed that they wanted to use
planes as weapons, yet we ignored all the signs. I feel like we
are ignoring all the signs. And I have on the ground, plant
managers telling me their concerns and yet they don't feel we
are getting any help from the government. And I am asking you,
is there any kind of game plan to help critical infrastructure?
Have you identified it and said hey, we are going to talk to
you guys? Because one plant alone in my district produces about
600,000 barrels a day. If that were to be taken off the market
you would see a quick crisis occur. And if you took off several
plants it would shut down the United States.
Mr. Painter. So my DHS colleagues deal with this all the
time and, in fact, there have been designations of critical
infrastructures and ways set up to deal with those industries
and talk to those industries about cyber, not just about all
the other issues they face and all the other challenges, but
about cyber in particular. And certainly it is our goal to make
sure that those companies understand both the scope of the
problem, which is often a problem. Many companies don't
understand, really, what the threat they are facing is, and
that has been a problem we have had for the last 10 years, but
they understand that the government does care about this and
wants to work with them.
And there have been a lot of activities recently in terms
of sharing signature information, et cetera, with companies and
with ISPs and with other providers to better protect that
critical infrastructure. If you look at the executive order and
the proposed legislation, that is targeted, again, at critical
infrastructure. Narrowly defined but critical, because if
something happens to it, as you say, it could really bring us
to our knees. And that is extraordinarily important.
And I would say this also, other countries around the world
are focusing on critical infrastructure too. Certainly the U.K.
and Germany or others are looking at this and say, what is it
that we really need? What are the threats we are facing from
cyberspace, what can they do to us, and how can we build better
defenses? Part of it is building better defenses. Part of any
strategy, any deterrence has to be building better defenses,
and part of it, and my part of it has to be what we are going
to do diplomatically.
But that is only one part. This is a whole-of-government
effort that includes DHS, it includes DoD, it includes the
Commerce Department and Justice and the FBI in the full range
of our activities, but they have to work together. And it is
important that we have the foreign policy element, but that is
one of the many elements in our tool kit that has to be
integrated.
Mr. Stockman. Can I just do a follow-up question there? Can
you see from the plant manager's concern if you step in his
shoes, and this is recent, the frustration he has that he feels
like he is in a vulnerable situation and he is going to be held
accountable, but he is not getting any kind of feedback from
the administration or, quite frankly, anybody in the
governmental body? He is sounding the alarms and then it is
falling on deaf ears, so there is a great deal of frustration
from his viewpoint.
And I feel like maybe all of us in this committee and maybe
in Congress are ignoring his concerns. It is a legitimate
concern. As you know there is clips of things that were done
remotely that were very devastating, and I will just ask that
you somehow follow through on your plan to work with the
critical infrastructure of this nation.
Mr. Painter. I would just say that that is something that
has been a priority now for a few years in our Department of
Homeland Security, and other parts of our Government have been
working strongly to do that. Before I came to the State
Department in 2009, the cyberspace policy review we wrote talks
about this issue exactly, raising awareness and addressing some
of these concerns with the critical infrastructure.
And if that plant manager is feeling that way that is
certainly unfortunate, but we have to make sure that we are
working with him, and I think we are. And the other thing I
would say is that compared to even a few years ago the
awareness level and the coordination among government agencies
and the priority of this issue is higher than it has ever been.
Mr. Stockman. Thank you. And I yield back the balance of my
time, Mr. Chairman.
Mr. Rohrabacher. Thank you very much. I want to thank the
witness. And let us just note that we have a huge number of
targets in our country that can be attacked via this mechanism,
the cyber attack. And we cannot defend. It would be impossible
for us to defend all these targets. Thus, the only way that we
can defend ourselves is if those who are committing crimes
against us face serious consequences and thus will refrain from
those attacks.
At this point, from your testimony--and let me just say you
are a wonderful person and you take your job seriously. You are
a former prosecutor, and I am sure that you put people in jail
for committing crimes against other people and crimes against
our society, but we can't put in jail the people who threaten
us today and could do us great harm.
And people have got to know overseas whether or not there
is going to be a serious consequence, not just raising the
words at a discussion between heads of state, but a serious
consequence if they are found guilty here of being an
accomplice to a major crime. A crime of shutting down maybe
that oil refinery in order to give them leverage on some oil
deals someplace else in the world that they are trying to make,
or maybe even putting our air traffic control system out of
whack for a day. There is too many targets to defend, and right
now those people who could possibly commit these acts don't
know what those serious consequences are. And that lack of
definition that we have of what you are going to face if you do
this, I believe, could cause serious consequences to our
people. To our people, rather than the people committing the
crime.
So as you move forward in your job we wish you well this
year. This committee is here to work with you in trying to--
because we are supposed to handle emerging threats, and if
there ever was an emerging threat that is what we are talking
about. But as a prosecutor, as a tough guy that deals with
criminals, let us make sure that we are just as tough dealing
with these cyber threats to our well being.
And Mr. Keating, do you have a 1-minute summary would you
like to make?
Mr. Keating. Well, I think there is a lot of activity
going. One of the things that we didn't get into that is worth
mentioning is, as some countries move forward on these areas to
try and do it under the guise of getting control over cyber
threats, we have countries that are going to try and inhibit
communication, social media, the kind of communication that is
healthy in a democratic country. And so there is a balancing
act to be made in that respect, and I think it is worth
mentioning that that makes it difficult.
But I would just say this. That I hope that this Congress
can come forward with legislation this year. We will be
reacting quickly if, indeed, one of our five top financial
groups is hacked into for any extended period of time. It is
conceivable they could go bankrupt. And if you compare that
with what happened with the mortgage crisis, this would have
far more devastating impact.
And I do agree, just following up on what the chairman
said, internationally with our allies, I think we should have
more concrete sanctions and a ratcheting up once we have
accountability. Because I think that will indeed help as a
deterrence as well so people and countries will know what they
are facing as a result. But I thank you for your testimony and
your hard work in this area.
Mr. Rohrabacher. Let us give the witness the courtesy of
giving him the last comment, but not more than 1 minute.
Mr. Painter. Not long.
Mr. Rohrabacher. Not more than 1 minute.
Mr. Painter. I appreciate that very, very much, Mr.
Chairman. I would say that look, I am heartened that this has
gotten so much priority and so much interest. Having spent time
in this area now for over 20 years, the fact that over the last
few years it has now become not just a technical issue but a
real foreign policy priority, a real national priority, and a
real international priority. It is a huge step, and that is
something that we need to build on.
I would also say that taking out of the context of any
particular actor, even our international strategy, which by
itself--we were the first country to put together an
international strategy. We are the first country to create an
office like mine, and many other countries have now have
followed suit and that is important too. In international
strategy we have a deterrent policy there. We say we will use
all tools that we have. Diplomatic is one of them. It is just
one of them. Diplomatic, economic, law enforcement, military,
the full suite of tools in appropriate circumstances given the
circumstances that are there.
I think we are making a huge, it is a hugely complex issue.
We are dealing with the Internet freedom issues. We are dealing
with governance issues and keeping this a multi-stakeholder
governments' process. We are dealing with the international
security issue, the applicability of international law,
building confidence between countries so things don't escalate
out of control, so we can actually get some transparency to
other governments, and we are working on cyber crime. So all
these are important. It is a big lift over the next few years
but something, I think, we are really prepared to do. So thank
you.
Mr. Rohrabacher. Well, thank you. Life wasn't so
complicated before, was it? Thank you very much.
We have a second panel who will be joining us now. So we
have a very distinguished panel for our second panel. And
first, what we will do is I will introduce all of you and then
we will proceed with your statements and then we will go into
questions after that. And if you gentlemen could make your
statements around 5 minutes so that we have a little time for
questions. There are votes coming up in the next hour at least,
so we will have to adjourn at that point. So we will move
forward as soon as we can.
We will start with Mr. Richard Bejtlich is chief security
officer at--pronounce that for me.
Mr. Libicki. Mandiant.
Mr. Rohrabacher. Okay, I am blacking out on that
pronunciation. He was previously director of Incident Response
for General Electric. Prior to GE he operated the TaoSecurity
LLC as an independent consultant, where among other things he
protected national security interests for Mantech Corporation's
Computer Forensic and Intrusive Analysis Division. He began his
digital security career as a military intelligence officer
working for the Air Force Information Warfare Center and Air
Intelligence Agency. He graduated from Harvard University, and
the United States Air Force Academy.
We have Michael Mazza, a research fellow at the American
Enterprise Institute, and program manager for AEI's annual
Executive Program on National Security Policy and Strategy.
Michael Mazza has studied and lived in China and writes
regularly on U.S. strategy in Asia and on Taiwanese defense
strategies. He has a Masters degree in International Relations,
Strategic Studies and International Economics from the Paul H.
Nitze School of Advanced International Studies at Johns Hopkins
University, and a B.A. from Cornell. The second Cornell man we
have had today with us.
Greg Autry is a senior economist for the Coalition for a
Prosperous America. He is the co-author with Peter Navarro of
the book, ``Death by China,'' and I might add it is a great
book and a great movie. Considering how many times I was quoted
in it that is what makes it even better. And Greg holds a B.A.
in History from Cal Poly Pomona, and an M.B.A. from Merage
School of Management at UC Irvine.
And finally, Libicki. I am really bad at making these
pronunciations. With a name like Rohrabacher you are going to
have to--anybody can mispronounce my name, and we will make a
deal. A senior management scientist at Rand Corporation, he is
the author of Rand's study, ``Cyber Deterrence and Cyber War.''
Prior to joining Rand he spent 12 years at the National Defense
University, 3 years on the Navy staff as program sponsor for
industrial preparedness, and 3 years as a policy analyst for
the General Accounting Office's Energy and Mineral Division. He
has received a Ph.D. in Economics from the University of
California at Berkeley.
We will start with you.
STATEMENT OF MR. RICHARD BEJTLICH, CHIEF SECURITY OFFICER AND
SECURITY SERVICES ARCHITECT, MANDIANT CORPORATION
Mr. Bejtlich. Thank you, Mr. Chairman. Thank you, Ranking
Member Keating, distinguished members of the committee.
My name is Richard Bejtlich and I am the chief security
officer at Mandiant. Mandiant is a computer security company
that has one mission and that is to detect and respond to
advanced intruders. We have been doing that for 9 years. We are
unique in that respect that we were founded on the idea that
you can't stop determined attackers, and there needs to be
someplace for the private sector, or even in some cases,
government agencies to call for help. And that is what we do.
As I am sitting here today, we have teams out at somewhere
between 12 and 15 customers, helping them recover from
intrusions. Our software is helping dozens of other companies,
hundreds of others, actually, at this point. And that is what
we do as a company.
So who is APT 1? Who is this group that we outed in our
report? It is important to realize that APT 1--and APT stands
for Advanced Persistent Threat. It is a term that was invented
by an Air Force colonel in 2006 to tie back to Chinese threat
actors. APT 1 is one of two dozen groups that our company
tracks. APT 1 is the most prolific of these groups in terms of
the number of industries that are affected. We estimate there
is about 20 that we have personally witnessed including 141
companies, 115 of which are in the United States.
But there are other groups that we just did not decide to
document in our report. APT 1 is actually Unit 61398. This is a
unit of the People's Liberation Army. It is the second bureau
of the third department. And the third department in the PLA
General Staff does signals intelligence. So it makes sense. You
take a signals intelligence unit and you turn them into a
computer network operations unit. They operate primarily out of
a headquarters outside of Shanghai that was built in 2007,
130,000 square feet. And there has been TV coverage recently
where reporters from CNN tried to take some footage. They were
chased by soldiers and the footage was temporarily confiscated.
Why did we release this report? We released the report
because we wanted to move the discussion about this topic
forward. As you probably heard, there has been talk of Chinese
hackers. You couldn't tell if it was someone in his mother's
basement. You couldn't tell if it was an organized crime group
or such. We felt that we had been tracking this group for so
long, for 7 years, and using a combination of technical
indicators and non-technical indicators we were able to trace
it back, right to the doorstep of this building, and figure out
that this was this military unit.
We wanted to speak for victims. We help hundreds of
companies and they are all frustrated. They want something to
be done but they don't want to come forward and say something
about it. Very infrequently that happens. We have seen that now
with the New York Times, Google, RSA, U.S. Chamber of Commerce.
Outside of that no one talks about this. We also felt that the
time was right. We felt that the time for watching the
fireworks had passed, and our sense was that the government
wanted to talk about this and we had the evidence to talk about
it.
And the report is completely based on our work, completely
unclassified, not corroborated with government information. It
just shows you what a dedicated group of, in this case our
company is former military, former law enforcement, former
Intelligence Community, and then just very motivated, highly
skilled computer security people. This is what you can do if
you devote yourself to this project. We also felt that if we
provided the indicators of compromise, that data that talks
about who these guys are, what they do to Western companies,
and how they operate that people could defend themselves. And
that has been fairly gratifying over the last several weeks
since we released the report.
People are finding these groups inside their companies and
they are doing something about it. And it gives you an example
of what could be done, I think, if the government were more
forthcoming in sharing what the government knows about these
actors. It is also important to realize, what are you supposed
to do with this information? What I would say is, every company
in the United States that cares about security needs to be able
to take a report like ours, digest the information in it and
look for intruders in your company.
If you look at our report--and it is free. We are not
charging for it. You download it from the Internet. If you look
at this report and you can't do that, you can't figure out how
to find intruders in your company, that is probably job one.
You need to be able to do that. And secondly, you need to be
able to see over time how this affects you. We find too many
companies don't treat this as a business process. They treat it
as something that engineers and technicians need to deal with.
You need to realize that dealing with intruders is a fact of
life in the business world and it needs to be a continuous
business process that you deal with. I thank you for the
opportunity to testify today, and I look forward to your
questions.
[The prepared statement of Mr. Bejtlich follows:]
----------
Mr. Rohrabacher. Thank you very much. And let us just note
that we do rely on the police to protect us, but also
throughout our country we know that there are companies and
individuals that seek private protection with security
services, and they have guards at their gate and such as that.
And so in this case with this particular threat, we of course
need to all work together and it will encompass private sector
investment as well as government action.
Mr. Autry, you may proceed.
STATEMENT OF MR. GREG AUTRY, SENIOR ECONOMIST, COALITION FOR A
PROSPEROUS AMERICA
Mr. Autry. Thank you, Chairman Rohrabacher, Mr. Keating,
and members. I wanted to particularly thank Mr. Marino for your
strong comments with the earlier panelist.
Mandiant Corporation's brilliant report has made obvious to
everyone what we have known all along in that there is a giant
sucking sound in our economy and it is coming from China. The
military origin, the billions of dollars in damages, the
infrastructure, and the focus on technology make it clear that
this is a 21st century act of war. This is not some petty crime
happening by a bunch of Internet trolls in China. China
controls the Internet better than any country on earth. I know
that from strong personal experience. I guarantee you that if
they can find my emails to dissidents they can certainly track
down a giant organized cyber attack happening in their own
territory.
China does not view the U.S. as a valued trading partner
and a model for progress. We have got to give up on this naive
perception that China is doing everything they can to move
forward to become the United States. They are not. They view us
as a ideological adversary who they see as weak and foolish and
something that needs to be controlled.
The Internet was developed by the United States Government
at United States taxpayer expense. We in the United States and
in the U.S. military have every right to expect special
privileges in the Internet, and we need to make sure that it is
not debased by either hoodlums or nations who do not appreciate
the rule of law. It shouldn't be used by tyrants to repress
their citizens, and we shouldn't allow those same tyrants to
attack our corporations and our infrastructure. The Chinese
Government can't think of enough things to do with the money
that they have been earning from the economic warfare that they
have been executing against the United States.
While we are frustrated over a 2-percent cut, the Chinese
are launching moon missions, building maglev trains, launching
the biggest military buildup that we have seen since the 1930s.
Meanwhile, these cyber attacks against the United States are in
the same financial class as the 9/11 attacks. They are costing
clearly, billions, and I believe, hundreds of billions of
dollars, and this translates to real effect on American
individual workers, and this results in loss of life to
Americans as well.
And so I ask, why does China get a pass on this scurrilous
behavior and every other form of scurrilous behavior that they
engage in from economic abuse to human rights? I believe that
if Unit 61398 were a segment of the Iranian Republican Guard
located in Tehran that that building would be a smoldering pile
of rubble before I got a chance to testify, yet there seems to
be something going on with China.
And I think that the problem is, frankly, that a lot of
American corporations are co-opted by the Chinese regime. They
have such a huge interest in the production capabilities and
the ability to exploit Chinese labor and the Chinese
environment to lower their costs, and they are chasing the
delusional promise of this giant market that they are someday
actually going to be given access to that they don't dare
offend their Chinese host.
They are like the abused partner in an abusive spousal
relationship. They are not going to call the cops on the
Chinese, and they are really not going to do it when they know
that the cops don't show up and that the cops don't have any
guns, which is the situation that we are in now.
This is not a technical challenge, it is a military one. No
amount of locks or alarms could protect your home if there was
no belief that the police would show up or that the prosecutors
would do anything if you had burglars working in broad daylight
against whatever security you had put in place.
We need to do some serious actions. And I strongly
recommend, first of all, that we have a tariff on Chinese
technology that accounts for our governmental cost in
cybersecurity to defend against the Chinese, and for the
damages that we estimate against our corporations, until there
are no further signs of this sort of activity. We should have a
ban on the import of any Chinese networking hardware, and
specifically I mean Huawei. We need to stop the revolving door
at the State, Treasury, and Commerce Departments where
officials from those Departments come directly from doing
business with China or look forward to doing business with the
Chinese as soon as they get out of government service.
Finally, we need to stop educating our adversary. Our
computer science departments and engineering departments are
full of mainland Chinese students, the majority of whom return
to mainland China. Why are we educating these students of a
country who are using that technology that we are handing them
to oppose our interests? Thank you.
[The prepared statement of Mr. Autry follows:]
----------
Mr. Rohrabacher. Thank you very much.
Now we have 10 minutes before the vote is actually taking
place. What we could do is we will have the testimony from Mr.
Mazza. We will then recess. As soon as the votes are over we
will come back and have a few questions for the panel, if that
is all right. We apologize, but we don't have the control over
when the votes come.
Mr. Mazza, you have 5 minutes, and then we will have 5 more
minutes to get to the floor.
Go right ahead.
STATEMENT OF MR. MICHAEL MAZZA, RESEARCH FELLOW, AMERICAN
ENTERPRISE INSTITUTE
Mr. Mazza. Chairman Rohrabacher, Ranking Member Keating,
members of the subcommittee, thank you for the opportunity to
testify before you today on China's use of cyber capabilities.
China, I argue, sees cyber capabilities as a tool of
statecraft, and like any such tool, it can and should be put to
use in the pursuit of national interests. What are those
interests? In brief, the primary goal of the Chinese Communist
Party, or CCP, is to stay in power. No longer securing its
legitimacy on a foundation of Marxist ideology, the Party now
relies on delivering economic prosperity and on its claim to a
nationalist mantle to ensure its continued rule.
And in my remarks here I am going to focus on the more
traditional aspects of security implications rather than
economics. China's continued rise is crucial if the CCP is to
validate its claim that it and it alone can lead the country
back to what it sees as its traditional and rightful place atop
the Asian hierarchy. And to do so, Beijing must restore
sovereignty over territory supposedly wrongly taken from it.
Doing so would not only allow Beijing to complete what it sees
as an historic mission, but to enhance its own security.
Controlling islands in the East and South China Seas would
grant China greater strategic depth, allow it to more easily
safeguard or control sea lanes, and permit it to more easily
access the Pacific and Indian Oceans.
But of course, these waters are also home to U.S. treaty
allies, long-standing security partners, and new friends. And
it is in these littoral regions where tensions have been
running high, where conflict is most likely to break out, and
where U.S. and Chinese interests clash. Differing visions of
what Asian and perhaps global order should like have led China
and the United States into what is shaping up to be a long-term
strategic competition. For China, cyber capabilities are tools
to be used in waging this competition and in securing its
interest in the Asia Pacific. And in particular, I hear that
China uses cyber capabilities for three related but different
purposes.
First, Chinese hackers will engage in espionage activities
in the pursuit of both strategic and tactical intelligence.
Such activity is unwelcome but shouldn't be unexpected. The
United States and China are going to spy on each other. Second,
the People's Liberation Army, or PLA, will use cyber warfare as
part of its suite of anti-access/area denial capabilities, or
A2/AD. The PLA has been developing systems aimed at keeping
U.S. forces distant from Chinese shores, complicating in
particular the U.S. Navy's ability to operate freely in the
Asia-Pacific Theater and thus making U.S. intervention in the
Taiwan Strait or other conflict more difficult. In the event of
a conflict, PLA cyber forces would likely aim to disrupt U.S.
military command and communications networks, essentially
trying to blind, deafen, and silence U.S. forces.
Third, and in my opinion, most worrisome is China's
development of what might be called strategic cyber weapons.
Recent revelations of Chinese cyber intrusions into U.S.
critical infrastructure are especially troubling. That an
attacker a half a world away could threaten our electrical grid
or transportation security is of course a frightening thought,
but in my opinion, even more concerning is that China's
development of these capabilities is potentially destabilizing.
Because the weapons lack the ugliness of nuclear arms, Beijing
may come to see them as more usable than nuclear weapons. And
with such weapons likely to be seen as adding an intermediate
step on the escalation ladder, Beijing may come to see armed
conflict as less dangerous than it otherwise would have.
Fortunately there are steps the United States can take to
arrest China's use of cyber capabilities and ensure American
national security going forward. These steps fall into three
broad categories--legal, diplomatic, and military and that they
all be suggestions that require further thought, certainly. In
the legal realm there may be need for new legislation. My
colleague Dan Blumenthal has recently argued that Congress
should adopt a cyber attack exception to the Foreign Sovereign
Immunities Act to allow for civil suits against foreign
governments acting illegally in the cyber realm. This is
something that we have done in the realm of terrorism.
Diplomatically, there are several paths to take. Ideally,
of course, China will be willing to join in some broad based
international effort to establish norms and rules of the road
in the cyber realm, but as you have pointed out, China will
need incentive to do so. The Obama administration has suggested
that cyber threats will threaten the overall U.S.-China
relationship, but it needs to start elucidating just what that
means. What are the risks? Potential options include limiting
access to the U.S. market for Chinese state-owned enterprises
or pursuing action at the WTO.
In the military sphere the United States should be clear
about how we will respond to the use of strategic weapons on
American soil. The Department of Defense should explore whether
it is possible to conduct cyber exercises that will effectively
demonstrate U.S. capabilities, much as conventional exercises
are used, for example, to deter North Korea. If the United
States limits itself to just playing defense in cyberspace, it
is likely to find itself on the losing end in a competition
with China. Playing offense, not just militarily but in the
legal and diplomatic fields as well, will allow Washington to
impose costs on Beijing when necessary and enhance national
security. Thank you.
[The prepared statement of Mr. Mazza follows:]
----------
Mr. Rohrabacher. Thank you very much.
Now we have 4 minutes to go down and vote. And Dr. Libicki,
I am sorry that we are going to--or are you going to be able to
hold off? It will be about a half an hour by the time we get
back here.
Mr. Libicki. Certainly.
Mr. Rohrabacher. Thank you very much. So what we will do is
I will recess the hearing for 30 minutes, and so we should be
back in a half an hour. And let us just note for the record as
we recess that we are talking about here a--Mr. Keating, we
have heard testimony indicating that the cyber attack has been
traced directly back to a unit of the Chinese army, and this is
phenomenal that we can actually have evidence of an army of
another country involved in this type of criminal activity
aimed at Americans and others.
We have also heard testimony about the United States,
through our Chinese student graduate program have perhaps
educated some of the people in that Chinese army unit, who then
took the knowledge back that they gained in the United States,
to attack us. And so we will have some questions for our panel
along these lines when we come back, and Dr. Libicki will have
his testimony. So this hearing is now in recess for 30 minutes.
[Recess.]
Mr. Rohrabacher. Okay, this hearing is now called to order,
and we had a 30-minute break. We will now proceed with the rest
with the final witness, and then we will proceed to have some
questions, and hopefully we will be adjourned in about a half
an hour from now.
Dr. Libicki?
STATEMENT OF MARTIN C. LIBICKI, PH.D., SENIOR MANAGEMENT
SCIENTIST, RAND CORPORATION
Mr. Libicki. Good morning, Chairman Rohrabacher, Ranking
Chairman Keating, and other----
Mr. Rohrabacher. Someone has tampered with the electronics
and you are not coming through on that phone, or maybe you just
need to put it over here.
Mr. Libicki. Good morning, Chairman Rohrabacher----
Mr. Rohrabacher. There is a lesson to be learned in that.
Mr. Libicki [continuing]. Ranking Member Keating, and other
distinguished members of the subcommittee. Thank you for the
opportunity to testify today on cyber attacks, an unprecedented
threat to U.S. national security.
On September 11th, 2001, terrorists attacked the United
States. Three thousand people died and the physical damage was
upwards of $200 billion. On September 12th, the country
responded. The United States strengthened its homeland
security. We went to war twice. Over the next dozen years the
United States lost 6,000 in combat, 10,000 to 20,000 were
seriously injured. Total additional expenditures exceeded $1
trillion.
I point this out not to criticize the policies that
followed but to indicate that even though an attack on the
United States may be damaging the cycle of response and
counterresponse may be far more consequential. Accordingly,
even though a cyber 9/11 may be costly, it would be short-
sighted to evaluate the threat in terms of immediate damage
without considering how the United States would manage such a
crisis in order to yield an outcome that works best for the
American people.
We are right to be worried about a 9/11 in cyberspace, but
we also ought to worry about what a 9/12 in cyberspace would
look like. Indeed, one of the best reasons for working hard to
avoid a 9/11 in cyberspace is precisely to avoid having to deal
with a 9/12 in cyberspace. That noted, because a cyber 9/11 or
what looks like a cyber 9/11 might happen, it is worthwhile to
think about what we do the day after.
The issue of how the United States should manage crisis and
escalation in cyberspace is addressed in a recently published
Rand document of the same name. I now want to take the
opportunity to summarize some of the salient points in the
document. The first point is to understand that the answer to
the question, is this cyber attack an act of war?--is not a
conclusion but a decision. Cyber wars are wars of choice. A
country struck from cyberspace has the opportunity to ask, what
would be the most cost effective way of minimizing such future
suffering? Depending on circumstances it might be to go off to
war. Alternatively, it might not be.
The second is to take the time to think things through.
Computers may work in nanoseconds, but the target of any
response is not the computer, in large part because even if a
computer is taken out a substitute may be close at hand. The
true target of response is those who command cyber warriors,
that is, people. But people do not work in nanoseconds.
Persuasion and dissuasion of people are work at roughly the
same speed whether or not these people command cyber war or
command another form of war.
Third is to understand what is at stake before you react,
which is to say, what you hope to gain by making the attackers
cease their efforts. This goes for both responding to cyber
attack and to responding to what may be deemed intolerable
levels of cyber espionage. Fourth is to not take possession of
the crisis unnecessarily, or if you do take possession at least
do so only on your own terms. That is, do not back yourself
into a corner where you always have to respond whether doing so
is wise or not.
Fifth is to craft a narrative that facilitates taking the
crisis where you want to take it. In some cases, the narrative
has to allow the attacker to back down gracefully, which is to
say cease what they are doing. Sixth is to figure out what are
the norms of conduct in cyberspace, if any, work best for the
United States. It may be encouraging that last week both the
United States and China agreed to carry out high level talks on
cyber norms, but there are a lot of questions to work through.
Where, for instance, does one draw the many lines among cyber
war, cyber crime, cyber espionage, and violations of
international trade law?
Seventh is to manage the cyber escalation wisely. This not
only means remembering that the other side will likely react to
what you do, but understanding what a crude tool tit-for-tat
counterescalation is when it comes time to influencing the
behavior of the other side. In sum, while I believe it is
certainly a worthwhile effort to prevent the future 9/11 in
cyberspace, similar levels of care and thought need to be given
to how to manage a potential 9/12 in cyberspace. If not, we may
find as with the historical 9/11 that the consequences of the
reaction and counterreaction are far more serious than the
consequences of the original action itself. Thank you very
much.
[The prepared statement of Mr. Libicki follows:]
----------
Mr. Rohrabacher. Thank you very much.
Now we have heard some very thought-provoking testimony
today, and the complications that you just outlined and the
different levels that we have to consider and the timing of
consideration, as I said earlier that when we had our first
witness from the administration, things are a lot more
complicated now than they used to be basically in terms of
providing security for our country, but also providing a
methodology of dealing with criminal behavior on an
international and global scale.
We have heard today about especially when we were talking
originally about the Chinese military itself is engaged in
cyber espionage and perhaps cyber attacks. Let us note that
this is different than just having the Chinese army engaged in
some act of aggression against an enemy or against an adversary
of China. In this case the Chinese military is engaged in
activity that has security implications but also economic
implications, mainly for the leadership of China which is an
oppressive dictatorship, a cliquism. They may be utilizing this
apparatus to enrich themselves as well as their clique.
We also know that this what we are talking about is cyber
attacks, we are also talking about cyber oppression. That in
China you have so many people who are engaged in cyber
operations at the direction of their government, but those
directions may not be an attack on the United States or on a
competitor, but they also may be aimed at their own people in
oppressing their ability to utilize the Internet for a free
type of communication.
So we have all of these factors coming to play. Perhaps
what ties them all together is the fact that the United States
has been the enabler of all of this. Whether it is positive or
negative we have enabled this. The Internet is an invention of
the United States of America. It has been put in place
basically by our technologists. And on top of that, we have
trained and continue to train people to have expertise in this
new arena of human behavior.
So we have a relatively new arena, the cyber arena, and we
have indiscriminately, whether or not the people that we are
training are representing a positive force in the world or a
negative force in the world, we have been training them at our
universities and educating them at the highest level of
graduate studies into these type of scientific endeavors that
utilize the Internet. We have been training people to go home
and use them. For example, when we talk about Chinese military
unit, now are we suggesting that that Chinese unit is just a
bunch of corporals and privates, or do they have Ph.D.s in that
unit that you have tracked down? Are there Ph.D. students that
perhaps were trained in American universities?
Mr. Bejtlich. Sir, we don't have any specific information
about that sort of activity. What I will say is that we have
seen, and this is all through open source again, documents,
submissions to conferences by Ph.D.s who say their job is
working for 61398. And when they submit these papers they
didn't realize that by saying 61398 someone could later on tie
them to that Chinese military unit. In other words, that was a
code name that they never thought would be penetrated. So you
can find documents on the Internet talking about different ways
to conduct computer security, different ways to write software
where the authors will say, I am 61398.
Now I don't know of any case where you have tied that back
to say well, where did this person study? Did they study at Cal
Tech or something like that? I don't know of anyone who has
done that sort of analysis. But clearly you have very well
trained people. This unit was very focused on hiring English
speakers. That was the goal of this unit. You had to speak
English. You had to know computer security, computer science,
and as a result they were able to take that expertise and
target English-speaking companies.
Mr. Rohrabacher. I would suggest, and Mr. Autry, I would
like your opinion because you are the one who first brought up
this issue of actual educated individuals. If you provide a
person with the education in this arena of high technology type
understandings of physics, et cetera, we are actually arming
those people to do good things or bad things. And yet we are
not paying any attention as to whether or not those students
who we are educating in these graduate level classes,
especially the Chinese students, are going to go back to China
and participate in oppressing their fellow Chinese or
threatening the well being of other countries that are
considered adversaries by the Chinese Government. And maybe you
could expand upon that thought.
Mr. Autry. Yes, thank you, Chairman Rohrabacher. As a
lecturer and a Ph.D. student at the University of California
Irvine, I have noticed the ever-increasing predominance of
Chinese mainland nationals in our classrooms. In the business
school it is not unusual for the Ph.D. cohort to be fully 50
percent mainland Chinese students. In the M.B.A. programs I
often see a quarter of the classes mainland Chinese students.
My understanding is that in computer science and engineering,
classrooms with 40 percent mainland Chinese students is perhaps
the norm.
This should be of great concern to a nation who prides
itself on its technological development to drive its economy
and to make its defense second to none in the world. It is a
great thing when we open up our schools to students from around
the world who wish to embrace American values and learn from us
and take them home and emulate what we have done, but I have to
say of the Chinese cohort that I work with on a regular basis
many of them are at best apolitical. They certainly are not
here to embrace our ideological values, and many of them are
openly hostile to American ideological values and see any
criticism of the Chinese Government to be inappropriate and
something that they don't want to see happening.
I believe that limiting visas for students in computer
science to countries that do not engage in cyber attacks
against the United States is a very realistic option we should
consider. Thank you.
Mr. Rohrabacher. I have been aware of this problem for
awhile, and when I have spoken to presidents of major
universities like Stanford University, for example, I just get
the answer that well, that is for the government to worry about
but not for us, not in academics. Security issues should be
handled by the Federal Government not by academics.
I would suggest that this is, what we are talking about
today is the equivalent of equipping a hostile power, let us
say, 50, 60, 70 years ago, but helping to equip a hostile power
with the ability to build a nuclear weapon. I mean if you have
students from Germany and you say, well, we can't really make a
decision about the nature of the regime that controls Germany,
or Stalinist Russia, and then we equip graduate students with
the knowledge of how to put together a nuclear weapon, that is
an insane, suicidal, national suicidal policy, and would have
been then and our people certainly recognize that.
I guess it is hard today when China is presenting itself as
our adversary wherever they can, allying themselves with the
rotten regimes in the world and trying to make hostile
territorial claims as well as of course their economic, what I
consider to be economic aggression. But as we just heard that
the cost of 9/11 was $200 billion. Is that what----
Mr. Libicki. Yes, correct, the cost of 9/11, roughly, in
property damage. Somewhere between----
Mr. Rohrabacher. So the cost of 9/11 is $200 billion, but
we also heard earlier that your report suggested that there was
about $250 billion a year lost to cyber attacks of some kind or
another. So what we have here is a huge issue of security that
should consider even our major universities as to what kind of
knowledge that they are permitting to be provided to people who
might do us harm. And I would think and I would suggest that we
are not now paying attention to that.
And again, every time you hear about we are going to bring
people in, foreign students, and it is all done in the name of
taming a potential adversary. But if you are bringing these
people in and they are only taking science classes or
mathematics classes at the highest level, you are not taming
them at all. You are just providing them with technical
knowledge and technical know-how. Perhaps we should insist that
we do have exchange students coming in from every country
including China, but they have to be social science majors, and
they have to be aimed at understanding freedom of thought and
intersocial interaction and perhaps even economics instead of
how to make bombs and how to destroy people through the cyber
system.
Let me see, some of the other questions that I had here for
us today. So let me just say, I would like to make this
statement for if the Chinese people are listening. I would like
to say something directly to the Chinese people and the Chinese
cyber intelligence personnel. Intelligence gathering among
nations has been going on for thousands of years, and I
understand that and everybody on this panel understands that.
But what differs with what governments did in the past and
what they are doing and what is being done now by the leaders
of China and other countries, is they are using the nation's
intelligence apparatus to enrich themselves. You have an elite
in China using the intelligence system including the cyber
potential to enrich themselves, yes, to to give their country
leverage, but for the first time we see the enemy has a
personal motive in committing this aggression and having the
ability to do so. The elites' use of China's intelligence
agency is like having a private corporate detective, and
basically you can have a private detective working for you if
you have a company, but if you are using it for a personal
reason you are cheating your company.
The people of China are being cheated in that the apparatus
that has been set up to protect them is being used to enrich
the elite, and at the same time put China into a hostile
relationship with the United States and other free countries of
the world. And on top of that, the elite in China are using
this not to protect China, not to make it more prosperous, but
also to repress their own people. And do people that work for
the Chinese Government, do they want to be a cog in a system
that is designed to destroy the potential for freedom of all of
their fellow Chinese?
The elite in China, their vanity and their desire for more
wealth and power has led China down a wrong path, and I would
urge those people in China, which is the vast majority, the
people of goodwill there, to push this elite that is running
their country that is raping their country and putting us on a
path to conflict, to push them out of power and to reach out to
the United States with a hand of friendship as we would reach
out and want to reach out to them. In the cyber field this is
vitally important.
And what I will do is give the witnesses each 1 minute more
to comment and then we will probably close the hearing. We will
start at this end because you had to wait for a long time to
start, so go right ahead.
Mr. Libicki. I think we need a better understanding of the
impact of Chinese economically motivated cyber espionage on the
United States' economy. We hear a lot of numbers being thrown
around. We don't really know how they are derived or how
consistent they are with how we know economics works.
We are fairly confident that terabytes of data go from the
United States and end up in China. We have very little
visibility about what happens when they go to China and
supposedly go to people who can make use of them. So I would
suggest, in fact, that it is an important issue, because just
to throw random numbers around here, if it is a trillion-dollar
problem we treat it one way, if it is a billion-dollar problem
we treat it another way. Our relationship with China is
extremely complicated, has many facets, and it is useful for us
to get our priorities correct, and that kind of information
will help do so.
Mr. Rohrabacher. Mr. Mazza?
Mr. Mazza. Thank you, Mr. Chairman. In my remarks today and
others have cited this as well, that what is really needed is
sort of a, I guess a whole-of-government approach you could
call it, really using all of the arms of American power to
achieve our ends. But I think it can't be understated how
important the U.S. military is in this effort. As we heard, the
PLA is playing a very direct role both in the commercial
espionage as well as the more traditional in military
activities, and a military response is needed. We need to
consider whether or not that needs to be purely cyber in the
future or not, and what options we will have in the event of
conflict to put a stop to cyber activities emanating from
China.
Mr. Rohrabacher. Mr. Autry?
Mr. Autry. I concur that it would be great to know more
about this, but I think that we know enough already in that
there is hundreds of billions of dollars in damage, which means
thousands if not millions of American jobs, and consequently,
American lives lost in this issue. It is not our burden of
responsibility to prove exactly what the damages is, but it is
our responsibility to stop this hostile and overt action by the
Chinese military against the United States of America.
Mr. Rohrabacher. Mr. Bejtlich?
Mr. Bejtlich. One of the key elements of our report was the
finding that this particular group was, on average, present
inside Western companies for a year before anyone was able to
find them. There are some cases that stretch up to 5 years. I
would encourage, when Congress is considering legislation, to
go beyond just the idea of continuous monitoring. That is a
term that means essentially checking baselines, looking for
configuration flaws, and instead go to a more operational model
where you are looking for intruders on your network.
You need to have teams of people equipped with the sort of
privacy-friendly intelligence that is in the Mandiant report,
using that information, looking for intruders on the network
and then dealing with them once you find them. It is not enough
to just be patching your flaws, to have good software. The
intruders will find a way in. You have to be out there looking
for them in order to succeed. Thank you.
Mr. Rohrabacher. And so let me finish it off with it is not
enough to know that we are willing to go out and find those
people who are hacking the system, whether it is an organized
group out of China that represents a government aggression upon
the other nations and other people or whether it is just
individual hackers or criminals around the world who are
engaged in trying to get into people's bank accounts and take
money or in some way to mess with the system.
So it is all of these elements, but identifying them is not
just, we have to also understand what we are going to do in
response. And I will have to say that so far especially from
our first witness who is not here to make a further comment
although I would give him that opportunity now, but I am sure
that he is doing his job but I don't believe that the United
States Government is doing its job in making sure that we are
prepared to deal with a threat as expansive as this threat,
which is going to get even worse and worse as we become more
and more dependent on this cyber world for us to remain an
effective society and a safe society. But at this point I have
not heard what we will do once we find out all of that
information.
Now we know there is a building and we know there is
People's Liberation Army people in the building and we know
that that is the source of cyber attacks or cyber oppression
coming out of that building, so what are we going to do about
it? Well, I think it has got to be more than well, we are just
going to--what was the wording we had earlier about raising,
basically raising the level of rhetoric. And I would suggest
that raising the level of rhetoric does not mean anything to
bullies and gangsters. And if you are dealing with bullies and
gangsters there has got to be some form of retaliation. And we
have not had any examples of what we can actually do, except
Mr. Autry, I think, explained something about we can determine
what the price tag is and maybe put a tariff on goods coming in
from China or other countries.
But remember what happened today. What happened today was
we thought that South Korea, which has been attacked, their
banking system and other parts of their economy have been
attacked, today identified not North Korea but China as the
aggressor in this situation. So you may have China hiding
behind North Korea, which it has done in many cases, or various
groups hiding and portraying themselves actually as these
attacks are coming from someone else.
Well, we need to know. It is getting more complicated. It
is not going to get less complicated. But one thing is for
sure, our Government is not prepared to deal with this threat.
We are unprepared. And when something happens, if it is of a
huge magnitude or someone fiddles with the air traffic control
system or the grid, as Steve Stockman mentioned, even the oil
industry now they could hack into that and screw up our entire
production of energy, of oil and gas. If something big like
this happens and if it is a well thought out plan, if a small
group of fanatics can organize an effort that caused $200
billion of damage on 9/11, one can imagine that a country run
by a criminal element could do even more damage.
So we are not prepared to meet this threat. We need to have
more discussions like this. I want to make sure that all of you
that we keep in touch, because we will have another hearing
like this probably in about 6 months to 1 year to see if we
have made any progress in that 6 months. And I will be asking
you to tell me what you have seen if, there has been any
progress made.
With that said I would like to thank the witnesses and
thank my staff. I appreciate that Mr. Keating, the ranking
member, had an Appropriations hearing that he had to go to, but
his participation earlier was much appreciated. So thank you
all very much and this hearing is adjourned.
[Whereupon, at 11:37 a.m, the subcommittee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing RecordNotice deg.
\\ts\
�