[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
A SURVEY OF COMPLIANCE
WITH THE DHS DIRECTIVE
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
November 14, 2017
__________
Serial No. 115-38
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
27-677PDF WASHINGTON : 2018
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma
DANA ROHRABACHER, California
MO BROOKS, Alabama
RANDY HULTGREN, Illinois
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
JIM BRIDENSTINE, Oklahoma
RANDY K. WEBER, Texas
STEPHEN KNIGHT, California
BRIAN BABIN, Texas
BARBARA COMSTOCK, Virginia
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
DANIEL WEBSTER, Florida
JIM BANKS, Indiana
ANDY BIGGS, Arizona
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina

EDDIE BERNICE JOHNSON, Texas
ZOE LOFGREN, California
DANIEL LIPINSKI, Illinois
SUZANNE BONAMICI, Oregon
AMI BERA, California
ELIZABETH H. ESTY, Connecticut
MARC A. VEASEY, Texas
DONALD S. BEYER, JR., Virginia
JACKY ROSEN, Nevada
JERRY McNERNEY, California
ED PERLMUTTER, Colorado
PAUL TONKO, New York
BILL FOSTER, Illinois
MARK TAKANO, California
COLLEEN HANABUSA, Hawaii
CHARLIE CRIST, Florida
------
Subcommittee on Oversight
HON. DARIN LaHOOD, Illinois, Chair
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
BARRY LOUDERMILK, Georgia
ROGER W. MARSHALL, Kansas
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina

DONALD S. BEYER, Jr., Virginia, Ranking Member
JERRY McNERNEY, California
ED PERLMUTTER, Colorado
EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
CONTENTS
November 14, 2017
Page
Witness List..................................................... 2
Hearing Charter.................................................. 3
Opening Statements
Statement by Representative Darin LaHood, Chairman, Subcommittee
on Oversight, Committee on Science, Space, and Technology, U.S.
House of Representatives....................................... 4
Written Statement............................................ 6
Statement by Representative Donald S. Beyer, Jr., Ranking Member,
Subcommittee on Oversight, Committee on Science, Space, and
Technology, U.S. House of Representatives...................... 8
Written Statement............................................ 10
Statement by Representative Lamar S. Smith, Chairman, Committee
on Science, Space, and Technology, U.S. House of
Representatives................................................ 12
Written Statement............................................ 13
Statement by Representative Eddie Bernice Johnson, Ranking
Member, Committee on Science, Space, and Technology, U.S. House
of Representatives............................................. 16
Written Statement............................................ 17
Witnesses:
Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and
Communications, National Protection and Programs Directorate,
U.S. Department of Homeland Security
Oral Statement............................................... 18
Written Statement............................................ 21
Ms. Renee Wynn, Chief Information Officer, National Aeronautics
and Space Administration
Oral Statement............................................... 25
Written Statement............................................ 27
Ms. Essye Miller, Deputy Chief Information Officer for
Cybersecurity, U.S. Department of Defense
Oral Statement............................................... 31
Written Statement............................................ 32
Dr. Mark Jacobson, Associate Teaching Professor, Edmund Walsh
School of Foreign Service, Georgetown University
Oral Statement............................................... 37
Written Statement............................................ 39
Discussion....................................................... 47
Appendix I: Answers to Post-Hearing Questions
Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and
Communications, National Protection and Programs Directorate,
U.S. Department of Homeland Security........................... 70
Ms. Renee Wynn, Chief Information Officer, National Aeronautics
and Space Administration....................................... 74
Ms. Essye Miller, Deputy Chief Information Officer for
Cybersecurity, U.S. Department of Defense...................... 79
Dr. Mark Jacobson, Associate Teaching Professor, Edmund Walsh
School of Foreign Service, Georgetown University............... 84
Appendix II: Additional Material For The Record
Statement submitted by Mr. Troy A. Newman, President, Cyber5, LLC 88
BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
A SURVEY OF COMPLIANCE WITH THE DHS DIRECTIVE
----------
Tuesday, November 14, 2017
House of Representatives,
Subcommittee on Oversight and
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittee met, pursuant to call, at 10:08 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Darin
LaHood [Chairman of the Subcommittee] presiding.
Chairman LaHood. Good morning. The Subcommittee on
Oversight will come to order.
Without objection, the Chair is authorized to declare
recesses of the Subcommittee at any time.
Welcome to today's hearing entitled ``Bolstering the
Government's Cybersecurity: A Survey of Compliance with the DHS
Directive.'' The subject of today's hearing involves some
information that is classified. I remind members that their
questions may call for a response that the witnesses know to be
classified. Please be mindful of this fact. I would like to
instruct the witnesses to answer to the best of their ability,
but should an answer call for sensitive information, members
will understand if you respond that you are unable to answer in
this setting.
I now recognize myself for five minutes for an opening
statement.
Good morning and welcome to today's Oversight Subcommittee
hearing, ``Bolstering the Government's Cybersecurity: A Survey
of Compliance with the DHS Directive.'' The purpose of this
hearing is to examine and assess implementation of the
Department of Homeland Security (DHS) Binding Operational
Directive (BOD) 17-01, which was the removal of the Kaspersky-
branded products by federal government departments and
agencies.
This hearing marks the second time the Committee has
convened to examine the issues and concerns surrounding
Kaspersky Lab. On October 25, 2017, the Committee examined the
potential risks, vulnerabilities, and threats posed to federal
ICT systems by Kaspersky software. During that hearing, we
heard from experts about the specific nature of threats posed
by Kaspersky, action the federal government has taken or plans
to take to mitigate the threat, and steps that could be taken
to avoid similar threats in the future.
The Trump Administration has taken steps to remediate the
Kaspersky issue. In July of this year, the GSA removed
Kaspersky from its government-wide contracts. Although it was a
step in the right direction, it did not completely eliminate
the threat.
On September 13, 2017, the Administration took additional
steps to harden the security of federal information systems
against the Kaspersky threat when DHS issued Binding
Operational Directive 17-01. The directive requires federal
departments and agencies to complete three consecutive phases
of implementation. First, they must scan their systems to
identify the use or presence of Kaspersky software. Second,
they must develop an action plan for the removal and
replacement of any Kaspersky software identified on their
systems. Finally, they are required to implement their action
plan and must begin the process of removal and replacement.
Federal departments and agencies are also required to
submit status reports to DHS as they implement each of the
directive's three phases. The status reports provide data and
information that is useful for assessing compliance with the
directive, and for quantifying the pervasiveness of Kaspersky
installations across federal systems, the extent of threats
posed by the software, and the complexities associated with
complete removal.
Today, we will focus primarily on the status reports to
guide our assessment of compliance with the directive. In doing
so, we hope to learn whether agencies have complied with the
first two phases of the directive and whether any Kaspersky
installations were found on federal systems. Additionally, we
hope to understand more about the specific action plans for
removal and replacement of any identified Kaspersky
installations and DHS' anticipated timeline for full
implementation of the directive. Finally, we hope to learn
about the directive's applicability to federal contractors.
I want to thank Ms. Miller for being here to represent the
Department of Defense. Annually, the DOD spends approximately
$30 billion on information technology. We are interested in
whether the directive applies to DOD's contractors and, if so,
are they currently complying? If not, what must be done to
ensure that contractors take appropriate action to mitigate the
Kaspersky threat? I'm hopeful that our witnesses today can help
us resolve these important questions and better understand the
next steps that must be taken to ensure the integrity,
resilience, and security of federal information systems.
Cybersecurity is a complex and evolving issue that affects
U.S. national and economic security. We must remain diligent in
our efforts to strengthen and secure federal systems, and our
approaches to addressing cybersecurity issues must evolve to
keep pace with everchanging threats. Bolstering the
cybersecurity of federal information systems is among the
Committee's top priorities, and I am hopeful that our efforts
here today will take us one step closer toward accomplishing
this objective.
[The prepared statement of Chairman LaHood follows:]
Chairman LaHood. At this time, I now recognize the Ranking
Member, the gentleman from Virginia, for his opening statement.
Mr. Beyer. Thank you, Chairman LaHood, and thank you for
holding this second hearing on Kaspersky.
Two weeks ago we held a hearing on security concerns
regarding the use of Kaspersky Lab software on federal computer
networks, and I think most members on both sides of the aisle
agree that using the services or software of Kaspersky Lab, a
Moscow-based company that reportedly has close ties to Russian
intelligence services, using this on federal networks presents
risks not worth taking.
So back in September, the Department of Homeland Security
also recognized this and issued a directive for federal
agencies to identify and initiate actions to remove Kaspersky
Lab software from their networks. So I understand that we're
holding this hearing as a follow-up to ensure that our federal
agencies are complying with this DHS directive in a timely
manner, which is essentially important.
However, it seems that in holding a second oversight
hearing solely on Kaspersky Lab products we're missing the
forest for the trees. Kaspersky products are not the biggest
security risk we face in Russia. As I mentioned at our last
hearing and as we saw throughout the 2016 election cycle,
cybersecurity is no longer just about defending our data. It is
on a larger scale about defending our democracy from unwanted
foreign influence and disinformation campaigns.
Please listen to these actual numbers. One hundred and
twenty-six million Americans received Russian-backed content on
their Facebook newsfeeds during the 2016 election. Twitter has
found 36,746 bots linked to Russia, and these accounts sent a
combined 1.4 million tweets and were seen 288 million times.
Google has uncovered tens of thousands of ads purchased by
Kremlin-linked buyers on YouTube, Gmail--its search page--and
in double-click ads. The Kremlin directly sponsored fake Black
Lives Matter activists who posted videos to Facebook, Twitter,
and YouTube. Last month, the Computational Propaganda Project
released a study mapping how Russia-linked Twitter accounts
seek to target U.S. military personnel and veterans.
So instead of focusing just on Kaspersky Lab software, we
should also be examining how enemies of democracy are using
communications technologies in new, precise, and powerful ways
to disrupt our democratic institutions and influence the
American public. We should be specifically looking into how the
Russians have done this just during the 2016 presidential
election and how we can develop tools, technologies, and public
awareness to diminish similar attacks in the future. We should
also examine the state of our cybersecurity practices in
defending our critical election infrastructure from covert
interference and manipulation.
The House Science, Space, and Technology Committee has an
important role in publicly addressing these issues. We do have
a specific responsibility to provide oversight on the deeply
existential role of technology in our society. And, Mr.
Chairman, at the last Kaspersky hearing I requested that we
hold a hearing on these larger issues, and I respectfully ask
again today.
I'm glad that one of our witnesses today will help put the
security concerns regarding Kaspersky Lab's software in context
and helps examine the broader Russian strategy of undermining
our democratic institutions and influencing our democracy. Dr.
Mark Jacobson, a professor at Georgetown University, has
written frequently on the impact of Russia's influence
operations against the United States in the past few years. I
look forward to his testimony and all your testimony.
I'm also attaching to my statement a minority staff report
that addresses Russia's cyber influence campaign against the
United States. This report has already been shared with the
majority staff.
Thank you, Mr. Chairman, and I yield back.
[The prepared statement of Mr. Beyer follows:]
Chairman LaHood. Thank you, Mr. Beyer.
I now recognize the Chairman of the full Committee, Mr.
Smith, for his opening statement.
Chairman Smith. Thank you, Mr. Chairman.
The risk to U.S. security that Kaspersky Lab, a Russian
company, has created is undeniable and the harm, incalculable.
The founder of Kaspersky Lab, Eugene Kaspersky, attended a KGB-
funded intelligence institute and served in Russia's Ministry
of Defense. For years, there has been speculation that
Kaspersky's antivirus software could be used by the Russians
for information gathering. Continued investigations have
disclosed more details on the extent to which Kaspersky Lab is
a tool for the Russian Government. Press reports claim that
Kaspersky's prior federal government customers include the
Departments of State, Justice, Energy, Defense, Treasury, Army,
Navy and Air Force. This is of more than passing concern; it is
alarming.
Last month, The New York Times reported that Russian
Government hackers conducted a global search of computers
looking for the code names of American intelligence programs.
The hackers used the antivirus software made by Kaspersky Lab.
This Russian operation stole classified documents from at least
one National Security Agency employee, who had Kaspersky
antivirus software installed on his home computer.
Kaspersky's antivirus software allowed Russia to have
unlimited access to data stored on computers with Kaspersky
products. The magnitude and widespread use of Kaspersky's
software--400 million users worldwide--gives the company
unprecedented access and retrieval capabilities.
To date, it is unclear what additional American security
secrets Russia may have acquired through Kaspersky's scans for
classified programs. This only confirms the need for the
actions this Administration and this Committee have taken. The
Science Committee has engaged in continued oversight of
Kaspersky Lab since questions were raised by Science Committee
member Congressman Higgins earlier this year. On July 27, 2017,
this committee requested that all federal departments and
agencies disclose their use of Kaspersky Lab products. On
September 13, 2017, the Department of Homeland Security issued
a Binding Operational Directive to all agencies and
departments. This directive sought the complete removal of
Kaspersky products from federal systems after 90 days.
Today, the Committee is interested in whether federal
agencies are complying with the directive. How common are
Kaspersky products in our federal systems? What is the extent
of the risk? And are the actions required in the DHS directive
sufficient to protect U.S. interests? The Committee expects to
uncover all risk associated with Kaspersky Lab. This includes
identifying all necessary actions needed to eliminate risks
even beyond the risk to federal systems.
Based on the NSA contractor's personal computer being
targeted, we are interested in what steps DHS has taken to
assist civilian employees and contractors who are at risk of
exposure. We also are interested in proactive steps and
coordination among our federal agencies and departments. We
need to use all resources to ensure that Kaspersky products on
federal systems have been completely removed.
Beyond an interest in the risk caused by Kaspersky
products, the Science Committee will continue to address the
federal government's cybersecurity weaknesses.
This committee, along with the Committee on Oversight and
Government Reform, plans to bring a revised version of H.R.
1224, the NIST Cybersecurity Framework, Assessment, and
Auditing Act of 2017, to the House Floor soon. NIST should
welcome the opportunity to use its expertise to help protect
our national security.
The bill amends the Federal Information Security Management
Act to require that federal agencies' Inspectors General
coordinate with NIST in conducting their cybersecurity
evaluations. Anyone with knowledge of potential cybersecurity
risks should contact the committee and share their information
with us. We must eliminate the threat of Kaspersky Lab to our
national security systems. Thank you, Mr. Chairman. I'll yield
back.
[The prepared statement of Chairman Smith follows:]
Chairman LaHood. Thank you, Chairman Smith.
I now recognize the Ranking Member of the full Committee,
Ms. Johnson, for her opening statement.
Ms. Johnson. Thank you very much, Mr. LaHood.
In September, the Department of Homeland Security banned
the use of Kaspersky Lab software on federal government
computer networks. The U.S. intelligence community believes
this Russian company's products pose an unnecessary potential
risk to our security from Russia's intelligence services.
Whether or not the company is aware of these threats is
irrelevant. I trust the judgment of the American intelligence
community in this matter, and I'm also confident that federal
agencies will successfully eliminate the Kaspersky Lab software
from their respective computer systems.
I am much more concerned, though, about the persistent
threat foreign actors pose to our electoral system. During the
previous Kaspersky Lab hearing the Subcommittee held three
weeks ago, I noted that, prior to the 2016 election, this
committee held a hearing to review the guidelines for
protecting voting and election systems, including voter
registration databases and voting machines. I asked that this
committee hold a follow-up hearing to discuss protecting these
same systems in the light of last year's events, as well as to
examine the sophisticated influence operations conducted by the
Russian Intelligence Service to disrupt our democratic
processes and damage our democracy.
Today, I want to reiterate that request. Russian actors
attempted to hack into voter databases in multiple States
before the 2016 election, successfully compromising a small
number of networks according to the Department of Homeland
Security. But Russia, as we all know, did not only attempt to
penetrate these sorts of hard targets, they sought to influence
public opinion and undermine our democratic institutions
through their use of trolls, bots, and social media platforms.
Rather than simply examine the specific threat posed by
Kaspersky Lab software, we need to take a much wider view and
look at the evolving and expanding threat that Russians' cyber
attacks and influence operations pose today in our society.
I'm happy that Dr. Mark Jacobson, our witness today, can
speak about Russia's history of influence operations against
the United States and the many ways that Russia seeks to
undermine Western democracies. I thank you for coming today,
Dr. Jacobson.
I ask again for the Science Committee to commit to holding
a 2016 election postmortem with an eye on ways the Science
Committee can help discourage foreign interference in future
elections and how we can encourage the development of tools and
technologies to help identify these threats and limit their
impact on our government, public, and society.
I thank you, Mr. Chairman, and I yield back the balance of
my time.
[The prepared statement of Ms. Johnson follows:]
Chairman LaHood. Thank you, Ms. Johnson.
At this time let me introduce our witnesses here today. Our
first witness today is Ms. Jeanette Manfra, Assistant Secretary
for Cybersecurity and Communications for the National
Protection and Programs Directorate at the U.S. Department of
Homeland Security. Ms. Manfra has held multiple positions
related to cybersecurity at the Department, and prior to
serving at DHS, Ms. Manfra served in the U.S. Army as a
Communications Specialist and a Military Intelligence Officer.
Welcome.
Our second witness is Ms. Renee Wynn, Chief Information
Officer at NASA. Ms. Wynn previously served as the Acting
Assistant Administrator for the Office of Environment
Information at the EPA. She holds a bachelor of arts in
economics from DePauw University in Indiana. Welcome, Ms. Wynn.
Our third witness is Ms. Essye Miller. She is the Deputy
Chief Information Officer for Cybersecurity at the U.S.
Department of Defense. Ms. Miller previously served as the
Director of Cybersecurity for the Army Chief Information
Officer. She received her bachelor's degree from Talladega
College and a master's from Troy State University, as well as
from Air University at the Air War College. Welcome.
Our last witness today is Dr. Mark Jacobson. He is an
Associate Teaching Professor at the Edmund Walsh School of
Foreign Service at Georgetown University. Dr. Jacobson
previously held appointments as a Senior Advisor to the
Secretary of Defense and as a Special Assistant to the
Secretary of the Navy. He has also served as the Deputy NATO
Representative and Director of International Affairs at the
International Security Assistance Force. Dr. Jacobson holds
degrees from the University of Michigan, the King's College,
University of London, and a Ph.D. in military history from Ohio
State University. Welcome.
At this time I now recognize Ms. Manfra for five minutes to
present her testimony.
TESTIMONY OF MS. JEANETTE MANFRA,
ASSISTANT SECRETARY FOR CYBERSECURITY
AND COMMUNICATIONS,
NATIONAL PROTECTION AND PROGRAMS DIRECTORATE,
U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Manfra. Thank you, sir. Mr. Chairman, Ranking Member
Beyer, Mr. Smith, and Ranking Member Johnson, and members of
the committee, today's hearing is an opportunity to discuss the
Department of Homeland Security's actions regarding Kaspersky
Lab products. As the Assistant Secretary for Cybersecurity and
Communications, I lead many of the Department's efforts to
safeguard and secure cyberspace, a core homeland security
mission. We work every day to protect federal government
agencies and collaborate with state, local, tribal, and
territorial governments and the private sector to enhance the
security and resilience of our cyber and physical
infrastructure.
Earlier this year, the President signed an executive order
on strengthening the cybersecurity of federal networks and
critical infrastructure. This executive order set in motion a
series of assessments and deliverables to improve our defenses
and lower our risk to cyber threats. DHS has organized around
these deliverables by working with government and private
sector partners.
Federal agencies have been implementing the NIST
cybersecurity framework. Agencies are reporting to DHS and the
Office of Management and Budget on their cybersecurity risk
mitigation and acceptance choices. DHS and OMB are evaluating
the totality of these agency reports in order to
comprehensively assess the adequacy of the federal government's
overall cybersecurity risk management posture.
In addition to our efforts to protect government networks,
we are focused on how government and industry work together to
protect the Nation's critical infrastructure. We are
prioritizing deeper more collaborative public-private
partnerships.
Protecting federal information systems requires addressing
risks within supply chain. The Department has been actively
engaged in its own efforts, as well as broader interagency
efforts to address IT supply chain threats. As we build on best
practices to improve the federal government's own actions
within this space, we will coordinate and share information
with our state and local government partners, as well as the
private sector critical infrastructure community.
Among other authorities, the Federal Information Security
Modernization Act of 2014, commonly referred to as FISMA,
authorizes the Department of Homeland Security to develop and
oversee the implementation of binding operational directives,
or BODs. These directives to federal agencies are for purposes
of safeguarding federal information and information systems
from a known or reasonably suspected information security
threat, vulnerability, or risk. Federal agencies are required
to comply with these DHS-developed directives.
On September 13 of this year DHS's Acting Secretary signed
a binding operational directive to address the use or presence
of Kaspersky Lab products, solutions, and services on federal
information systems. After careful consideration of available
information and consultation with interagency partners, DHS
determined Kaspersky Lab products present a known or reasonably
suspected information security risk to federal information
systems. In a public statement, the Department identified
concerns regarding, one, the ties between certain Kaspersky
officials and Russian intelligence and other government
officials; two, the requirements under Russian law that allow
Russian intelligence agencies to request or compel assistance
from Kaspersky and to intercept communications transiting
Russian networks; and three, the broad access to files and
elevated privileges provided by antivirus products and
services, including Kaspersky products, that can be exploited
by malicious cyber actors to compromise information systems.
The action taken is a reasonable, measured approach to the
information security risks posed by these threats--or posed by
these products to the federal government.
In addition to the reports from agencies required by this
directive, our National Cybersecurity and Communications
Integration Center continues to operate important capabilities
that help DHS better understand the use of these products
within the federal government. For instance, we operate
capabilities that monitor NetFlow at federal agencies, commonly
referred to as Einstein. We also provide agencies tools within
our Continuous Diagnostics and Mitigation program. Both of
these capabilities enabled us to further our understanding of
the presence of Kaspersky products on agency networks.
I want to thank Congress for your focus on these issues and
highlighting the concerns here. Your focus has been extremely
helpful to us as we have evaluated the evidence, communicated
with our colleagues around the interagency, and made the
decision to issue the binding operational directive.
It is important for the committee to understand that DHS is
providing an opportunity for Kaspersky and any other entity
that claims its commercial interests will be directly impacted
to submit a written response and any additional information or
evidence. DHS will review any submissions closely and make
adjustments to a directive--to our directive if appropriate.
Before closing, I want to assure the Committee that I will
answer your questions to the extent I can in an open hearing
and at this time. Some of your questions may require the
discussion of classified information, which I clearly cannot
address in an open hearing. Other questions may not be
appropriate to address at this time because we are in the
middle of an administrative process with the affected entity,
and there could be litigation related to this directive.
Because we need to provide the company with a meaningful
opportunity to be heard, and there may be federal court review
of our actions and decisions, there may be certain issues that
it would not be appropriate for me to comment on until the
conclusion of this administrative process.
Thank you very much for the opportunity to testify today,
and I look forward to your questions.
[The prepared statement of Ms. Manfra follows:]
Chairman LaHood. Thanks, Ms. Manfra.
At this time I now recognize Ms. Wynn for five minutes to
present her testimony.
TESTIMONY OF MS. RENEE WYNN,
CHIEF INFORMATION OFFICER,
NATIONAL AERONAUTICS
AND SPACE ADMINISTRATION
Ms. Wynn. Great. Good morning, Mr. Chairman, Ranking
Member, and distinguished Members of the Subcommittee. Thank
you for the opportunity to testify before you today regarding
NASA's efforts to comply with the recent Department of Homeland
Security binding operational directive regarding Kaspersky-
branded products.
As NASA's Chief Information Officer, my number-one priority
is to effectively manage and protect NASA's information
technology assets in an everchanging threat landscape. Each
day, hundreds of thousands of NASA personnel, contractors,
academics, international partners, and members of the public
access some part of NASA's IT infrastructure, which is a
complex array of information systems with more than 160,000
components geographically dispersed around the globe and
beyond.
NASA works closely with our federal cybersecurity partners
to ensure NASA's network is safeguarded from threats, assessed
against stringent federal and agency security requirements, and
continuously monitored for compromise and the effectiveness of
our security measures.
New cybersecurity tools, particularly the Department of
Homeland Security's Continuous Diagnostics and Mitigation
program, are allowing us to have better insights into our
networks, which allows us to better mitigate threats. However,
given the evolving nature of threats, our work is never done.
Antivirus software is one component of endpoint protection
implemented to safeguard NASA systems and data. NASA has been
using Symantec Endpoint Protection software as its desktop
standard load since 2010. Therefore, Kaspersky-branded
products, the focus of today's hearing, are not part of NASA's
standard load software.
Between January 1, 2013, and mid-August 2017, NASA
identified a small number of machines which had Kaspersky-
branded products preinstalled. When discovered, these instances
were removed to comply with NASA's desktop standard software
configuration. Another item of importance is that NASA's Office
of Procurement has no record of NASA funds being used to
purchase individual instances of Kaspersky-branded products.
Therefore, we believe that the limited instances of Kaspersky-
branded products found to exist on agency hardware were likely
the result of larger procurements and bundled preinstalled
software.
On September 13, 2017, NASA received the Binding
Operational Directive 17-01, which required all federal
executive branch departments and agencies to take action with
regard to Kaspersky-branded products on federal IT systems.
NASA notified the Department of Homeland Security on Friday,
October 13, that no Kaspersky-branded products were identified
on NASA systems. Therefore, no additional actions are required
by NASA under the terms of the binding operational directive.
Also of note, in 1993, the General Services Administration
asked NASA to be part of a pilot project for the governmentwide
acquisition contracts. Subsequently, NASA was one of three
agencies designated to provide a governmentwide contract
vehicle for other agencies to use when acquiring IT products
and services for their own agencies. This vehicle is known at
NASA as the Solutions for Enterprise-Wide Procurement or SEWP.
In July 2017, in coordination with the General Services
Administration, NASA removed all offerings of Kaspersky-branded
products from the SEWP database and installed filters to
prevent Kaspersky-branded products from being re-added.
In conclusion, protecting and upgrading and better managing
NASA's IT infrastructure is and will remain a top agency
priority. When threats such as unauthorized software are
detected, NASA personnel take action. NASA is fully committed
to becoming more secure, effective, and resilient, and we are
actively pursuing this on all levels.
Thank you for the opportunity to testify before you today,
and I'd be happy to answer any questions that you may have.
[The prepared statement of Ms. Wynn follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Ms. Wynn.
At this time, I recognize Ms. Miller for five minutes for
her testimony.
TESTIMONY OF MS. ESSYE MILLER,
DEPUTY CHIEF INFORMATION OFFICER
FOR CYBERSECURITY, U.S.
DEPARTMENT OF DEFENSE
Ms. Miller. Good morning, Mr. Chairman, Ranking Member, and
distinguished Members of the Subcommittee. Thank you for this
opportunity to testify today on the Department of Defense
position regarding the federal government's use of Kaspersky
Lab software.
I currently serve as the Deputy Chief Information Officer
for Cybersecurity at the Department of Defense. Additionally, I
serve as the Department's Chief Information Security Officer.
My primary responsibility is to ensure that the Department has
a well-defined and executed cybersecurity program. I am also
responsible for coordinating cybersecurity standards, policies,
and procedures with federal agencies, coalition partners, and
industry.
In this unclassified setting, I can state that as a matter
of DOD enterprise cybersecurity, antivirus software does play a
role. However, Kaspersky Lab is not part--a part of the
Department of Defense antivirus solution. Currently, the DOD
has enterprise licenses for both McAfee and Symantec Antivirus
for DOD devices, as well as for DOD personnel's home computer
use. Kaspersky Lab is not on the approved products list for the
Department, and there are currently no contract awards for the
software listed in the federal procurement data system.
Although the Department of Homeland Security's binding
operational directive does not apply statutorily to defined
national security systems, nor to certain systems operated by
the Department of Defense, the Department has implemented the
intent of the directive. Prior to the directive's release on
August 3, 2017, Joint Force Headquarters DODIN Defense
Information Network issued a task order to mitigate any
potential threats to the Department networks. Within the bounds
of the directive requirements, we conducted a search of DOD
systems and confirmed that we did not have the listed Kaspersky
products on any of our systems.
Kaspersky Lab products remain an ongoing supply chain risk
management for the Department. To reduce these risks, DOD
issued instruction 5200.44, protection of mission-critical
functions to achieve trusted systems and networks. Additional
details on that instruction are contained in my written
statement, along with the detailed processes and enterprise
resources DOD has implemented.
I would like to thank the subcommittee for supporting these
important cybersecurity issues. Protecting the networks for the
warfighter is a top priority for the Department of Defense.
Thank you again for the opportunity to testify before you
today, and I look forward to answering your questions.
[The prepared statement of Ms. Miller follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Ms. Miller.
At this time, I will recognize Dr. Jacobson for five
minutes for his testimony.
TESTIMONY OF DR. MARK JACOBSON,
ASSOCIATE TEACHING PROFESSOR,
EDMUND WALSH SCHOOL OF FOREIGN
SERVICE, GEORGETOWN UNIVERSITY
Dr. Jacobson. Thank you. Mr. Chairman, Ranking Members,
thank you for the opportunity and the kind introduction. I'm
going to enjoy speaking with you all today. I hope I'm not too
professorial for the hearing.
I also want to note that I'm here in my personal capacity
and not representing any of my employers, the Navy Reserve, or
the Department of Defense.
My intent is to try and put the Kaspersky situation within
a larger foreign policy context. The Committee is already well
aware of the dangers in the cyber arena and the imperative of
cyber hygiene as a defense. I believe it's also critical to
understand that Russian activities are part of broader foreign
policy objectives, part of their political warfare campaign.
Thus, regardless of whether or not there's a relationship
between Kaspersky Labs and the Russian Government or it's
simply a vulnerable piece of software, that becomes an entry
point for Russian subversive activities, propaganda operations,
or espionage.
Put simply, while cyber attacks and political warfare
campaigns are a danger on their own, cyber activities that
enable political warfare campaigns can prove incredibly
effective at influencing attitudes and changing behaviors. Put
another way, in political warfare campaigns, it is the human
mind that is the center of gravity.
It's worth noting our adversaries have not hidden their
intentions. Both the Russians and the Chinese have made it
clear that they believe in the power of political warfare.
Russia's well-financed and deliberate intervention in the
American political dialogue is part of a broader effort to
undermine America's faith in its free institutions, diminish
U.S. political cohesion, weaken transatlantic relations,
diminish the international appeal of the United States, and
ultimately reduce American power abroad. Thus, we must think
about U.S. national security more broadly rather than focusing
on a single hack, one election cycle, or a single social media
or antivirus company.
Propaganda and political warfare campaigns are certainly
not new. It's worth noting that 500 years ago, Martin Luther's
95 Theses were probably the first element of intellectual
thought to go viral. Of course, the Twitter of his day was the
printing press and his own social media networks that allowed a
message of religious reform to go viral and spread across all
of Christendom in about four weeks. Today, that timeline might
be four hours.
The Cold War also provides some insights into how the
Russians think about disinformation and subversion. Soviet
efforts not only included campaigns to discredit Martin Luther
King and try and make the civil rights movement more extreme
and more violent, but they also sought to provoke a full-blown
race war in the United States. Perhaps more dramatically in
1983, the Soviets planted newspaper articles alleging that the
AIDS virus had been developed by the U.S. Government to target
African Americans and the homosexual community. Within four
years, that story had been repeated in over 80 countries, doing
tremendous damage to U.S. credibility abroad and at home.
Indeed, at least one study as late as 2005 found that almost 50
percent of African Americans believed HIV was a manmade virus
designed to wipe out the African-American community.
Today, the fingerprints of Russian disinformation campaigns
have been left on both sides of the Atlantic, whether it's
Brexit or the American election, Russian propaganda still
infects U.S. social media networks, and we see the same sort of
divisive propaganda that we saw during the Cold War. Again, the
goal is to divide and exploit divisions, yes, that already
exist in our country, but they are exacerbating the problem.
So what do we do about this? While robust cybersecurity
practices in the regulation of political advertising on social
media are a good start, we must strengthen the public's ability
to interact with information in the digital world. Broadly, we
must begin a concerted effort to inoculate the American public
against the viral threat of disinformation through more civic
education and media literacy. Specifically, these must become
bedrocks of our formal and informal education systems in order
to make our population more immune to the threat.
This may require the same level of effort that President
Eisenhower showed with the National Defense Education Act in
1958 in an attempt to bolster poor American efforts in math,
science, and foreign language education. Indeed, Eisenhower
believed those skills were critical in keeping up with the
Russians during the post-Sputnik world. Today, it may be
critical thinking and media literacy that can protect our
freedoms.
To conclude, in 1900 Mark Twain celebrated the anniversary
of the Gutenberg printing press, and he noted that everything
that is good in the world today and everything that is bad is a
result of that invention. That device had, in Twain's words,
``found truth walking and given it a pair of wings, but it also
found falsehood trotting and gave it two pair of wings. It had
set peoples free but at the same time made despotism more
possible where it was not possible before.''
In short, the internet revolution may surpass Gutenberg's
printing press as the greatest event in secular history, and
it's already created wonderful opportunities and wicked
problems. But we must understand that in the end it's used by
human beings, and it's in human beings where we will need to
strengthen, as the Chairman said earlier, resiliency.
Thank you very much, and I look forward to your questions.
[The prepared statement of Dr. Jacobson follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Dr. Jacobson. And we will now
move to the question portion of our hearing today.
And let me just thank all the witnesses for your valuable
testimony here today for this important hearing. And the Chair
now will recognize himself for five minutes.
And, Ms. Manfra, I want to start with you. It's my
understanding that DHS notified Kaspersky of the BOD or the
Directive 17-01 outlining the concerns that led to the issuance
of the directive and provided Kaspersky the opportunity to
initiate a review by DHS by providing a written response by
November 3 of 2017. Did DHS receive a response from Kaspersky
by that date?
Ms. Manfra. Sir, we did give them a one-week extension to
November 10, and we did receive a response.
Chairman LaHood. And have you initiated a review of that
response?
Ms. Manfra. Yes, sir. My legal counsel is reviewing the
response right now.
Chairman LaHood. And can you give us an update on that
today?
Ms. Manfra. I cannot, sir.
Chairman LaHood. Can you tell us whether you've received
any evidence or information from Kaspersky that addresses or
alleviates the Department's concerns at this time?
Ms. Manfra. I cannot say that we have. The legal counsel is
still reviewing it. We just received it on Friday night. So
once they review it, I will review it as well, and we'll make
the determination to send it out to the Acting Secretary in
order for her to make a decision.
Chairman LaHood. And have you reviewed it yourself?
Ms. Manfra. Not yet, sir.
Chairman LaHood. Do you know how long it was, the response?
Ms. Manfra. It was significant, sir. I'm not sure how many
pages it was.
Chairman LaHood. And you referenced earlier your concern
about litigation as it pertains to Kaspersky. Can you elaborate
on that on your specific concerns?
Ms. Manfra. Sir, the company, should we make a decision
that they do not believe is appropriate, they always have the
option to take this to court to have a judge make a decision
about whether the Department made an appropriate decision.
Chairman LaHood. And have you reviewed the legal aspects of
this, and have you made a determination on what was done here
was legally proper?
Ms. Manfra. I am not a lawyer, sir. I have had the lawyers
review it and spoke with them about it. I do believe that it
was legally proper.
Chairman LaHood. Ms. Manfra, the directive was issued on
September 13, and within 30 calendar days, federal departments
and agencies were required to identify the user presence of
Kaspersky products on their systems and provide DHS a report
containing preliminary findings such as the number of endpoints
impacted by each product and the methodologies used to detect
the presence of Kaspersky. Has DHS received this information
from all agencies?
Ms. Manfra. We have received it from the majority, sir.
There are a small number of very small agencies that we are
assisting them. They do not have the tools that other larger
agencies might have, but we've received them from 94 percent of
the federal agencies.
Chairman LaHood. And can you give us an update on what you
have received thus far?
Ms. Manfra. What we've received is that, again, out of all
the federal agencies, a very small number have identified the
use or presence in some aspect of their system of Kaspersky-
branded products, about 15 percent of agencies who have
reported.
Chairman LaHood. And where are you in the process of
determining in the next phase whether anything was compromised
or where we're at with that?
Ms. Manfra. We're working with each agency individually.
Some of them have chosen to go ahead and remove the products
ahead of schedule, and so we're working to understand where the
presence was, what doing an audit if you will of what
information may have transited those systems and whether there
was any cause for concern for the most part. We have not
identified any yet, but we're still working with agencies.
Chairman LaHood. And do you believe the phased system
that's been put in place, that you'll be able to comply with
that fully?
Ms. Manfra. Yes, sir.
Chairman LaHood. Within 60 calendar days of the issuance of
the directive, agencies were required to develop and provide
DHS a detailed action plan to remove and discontinue future
uses of Kaspersky products. Since the 60-day deadline has
passed, can you confirm that all agencies or departments have
submitted their required action plan?
Ms. Manfra. Not all of the agencies have submitted the
required action plan. As I mentioned, some of them have gone
ahead and just identified a way to remove the software, so
they're going about that. A couple of the agencies needed
additional help, so we're working with them on that so they can
meet the deadline.
Chairman LaHood. Thank you. Those are all my questions at
this time. I'll yield to Mr. Beyer for his questions.
Mr. Beyer. Thank you, Mr. Chairman. Thanks all of you very
much for being with us. This is fascinating.
Dr. Jacobson, in your testimony--I'm going to quote from
your written one because I have it written down. You said,
``Russia's well-financed and deliberate intervention in the
American political dialogue is part of a much broader effort to
undermine America's faith in its free institutions, diminish
U.S. political cohesion, erode confidence in Western
democracies and the credibility of Western institutions, weaken
transatlantic relationships, including NATO, and diminish the
international appeal of the United States, as well as reduce
American power abroad.'' I'd just love it if you could
emphasize that this is a bipartisan concern, much larger than
the 2016 presidential election.
Dr. Jacobson. Thank you, Ranking Member Beyer. I grew up as
a child of the Cold War and watched how Ronald Reagan
strengthened U.S. efforts against the Soviets, but I also think
it's interesting--and at the risk of invoking ire even from my
Democratic friends--so did Jimmy Carter in different ways. And
I think that we had a bipartisan consensus throughout the Cold
War that the Russians were a threat.
I actually--in listening to the Committee today, I see a
recognition of that, and I think there's an understanding that
there are things that need to be done to strengthen America's
ability to be a strong ally abroad and look out for our vital
national security interests that don't have to cross partisan
lines. And I think if we look at what the Russian effort is
doing and look at dealing with the technical, as well as
dealing with this war against our population in terms of
disinformation, I think there are a number of avenues where
Congress can lead the way in terms of a bipartisan effort.
Mr. Beyer. Let me go further on that. I love the--Ph.D. in
military history. It was a fascinating educational background.
So as a professor, you talked about the human mind is the
center of gravity in political warfare and then cited President
Eisenhower with the whole notion of the ability to evaluate
information, think critically, maintain a healthy skepticism,
understand that some messages out there are deliberately
deceptive will make our population much more conscious about
the information they absorb. How do we get there?
Dr. Jacobson. It's a great challenge, sir. The Stanford
History Education Group just did a study that's a bit
disheartening, and what it did was take undergraduate students,
high school students, as well as trained historians--my
colleagues in the academic arena--and all of them failed pretty
miserably at identifying fake news. The folks who did do pretty
well were professional fact-checkers, and the reason is not
only do they look for the source of information, they were
comparing things horizontally. As I say to my students, ``Watch
MSNBC, watch CNN, watch Fox, even read Breitbart.'' You need to
understand what everyone is doing about looking at a story, and
you can pick up the anomalies. You can see what does not make
sense.
But I think what's even more critical is to understand we
have to start this at the K-through-12 level. By the time our
children are 18 years of age, it's almost hardwired in their
system where they can't identify or can't see the difference
between an advertisement and a factual news article, an opinion
piece, and false information. So this is an education issue.
It's also a training issue as well, even for folks like myself,
even for all of us sitting here today.
Mr. Beyer. Thank you. I confess the number of emails I get
every week from family members that have the wildest possible
theories, including the fact that Chairman LaHood and I are
going to be paid our full salary for the rest of our lives
after serving one day in Congress, that kind of disinformation
is out there.
You talk about cyber hygiene imperative. You know, our
electoral system is widely, widely distributed, you know,
precincts. Virginia's got 2,500 precincts. How do we ever get
cyber hygiene down to the towns and the counties around
America?
Dr. Jacobson. Again, I think the first step is awareness,
but I'm actually glad I'm on this side of the table here and
don't have to worry too much about implementation, but I think
it's important to understand that this is not just a federal
government issue; it's a state and local issue as well. And the
reason I emphasize cyber hygiene is all the technology in the
world, as we used to say in the Army, is not going to G.I.-
proof that computer against someone who picks up a USB stick on
the sidewalk and decides to plug it into their computer. There
are stupid things that smart people do that can help infect
systems. And I think helping to make things easy for our
federal workforce to understand in terms of what to do and what
not to do but also educating the general public in terms of
understanding malicious links.
And anyone who's looked at emails or read in the newspapers
about even our most senior military leaders were duped by
phishing attempts, this is difficult, but again, I think the
solution in terms of teaching people what to do and what not to
do is a bit easier than we might concede.
Mr. Beyer. Great. Thank you very much. Mr. Chair, I yield
back.
Chairman LaHood. Thank you, Mr. Beyer.
I now recognize the gentleman from Florida, Mr. Posey, for
his questions.
Mr. Posey. Thank you, Mr. Chairman.
Ms. Manfra, it staggers the imagination that our government
approved and purchased security software from Russia's
Kaspersky Labs, known to have ties to the Kremlin's
intelligence community. I mean, it's just--it's still hard for
me to get my arms around the fact that we really allowed that
to happen and that in fact that that software doesn't protect
us. Obviously, it harms America's security by allowing
malicious actors to get total access to our computers. Who
approved the purchase of that software?
Ms. Manfra. Sir, it's hard to say in every case. Often,
what we see is that that software was bundled into other
purchases, so you buy a computer and the antivirus was
installed with the computer, so they weren't necessarily aware
that they were explicitly purchasing that, which is why it took
a little bit of time to--for agencies to go through and
identify that. You know, in the end it is the procurement of
individuals who are making some of these choices, but what we
did see is a very low percentage of that presence. But for the
most case, what we believe happened was it was often bundled
into other purchases.
Mr. Posey. So where does the buck stop?
Ms. Manfra. Sir, in the end it is up to every agency head
to make cybersecurity risk management decisions, and we are
working across the federal government to approve--to improve
our processes for supply chain risk management to be able to
address issues such as this and to be able to make it clear
what software and hardware agencies are purchasing and what
risk that introduces into the system.
Mr. Posey. Okay. So every agency head ultimately is
responsible?
Ms. Manfra. Yes, sir.
Mr. Posey. According to the directives, already you were
supposed to receive some reports from every agency that was
affected. I think the Chairman asked you about that earlier.
Would you mind stating for me which agencies have complied thus
far?
Ms. Manfra. Sir, all of the agencies have complied with the
first phase except for a very small number of very small
agencies who just don't have the resources and we're helping
them with that. We're still in the--sort of the second phase.
Mr. Posey. When we say all the agencies except a few, how
many agencies are we talking about?
Ms. Manfra. Six, sir.
Mr. Posey. Six agencies have complied?
Ms. Manfra. Six have not complied yet with the first phase,
which is the reporting whether they have the products on their
system.
Mr. Posey. How many have complied?
Ms. Manfra. About--so, there's 102 total agencies, six--
Mr. Posey. All right, 96, 98, okay.
Ms. Manfra. Yes.
Mr. Posey. Which agencies have not complied?
Ms. Manfra. Sir, I'd be happy to work with your staff, not
an open hearing, to talk to you about the specific agencies.
They are working very hard, sir. It's not like they're--
Mr. Posey. Well, I know they're----
Ms. Manfra. --not trying--
Mr. Posey. --working hard. I don't see, you know, what risk
there is in naming who hasn't complied. I'm just curious. I
don't know if other members are, but I'm curious to know which
ones haven't complied.
Ms. Manfra. We would prefer to keep those not public, sir.
We don't believe that it is helpful to name them publicly.
Mr. Posey. How would that harm anything?
Ms. Manfra. I think it could have two aspects, sir. It
would, you know, alert anybody who was looking to use
potentially the presence of that software on their systems if--
should they have it. It would also harm the relationship that
we have. A lot of our work depends on a trusted relationship
with these agencies.
Mr. Posey. And so if you told Congress that they weren't
behaving appropriately, it might hurt your relationship?
Ms. Manfra. Sir, I don't mean to imply that they're not
behaving appropriately. What I imply is that these are very
small agencies, some of them with only 6 to 10 people in them
that do not currently have the resources, and we're just
assisting them with identifying what products are on their
system.
Mr. Posey. Now, you talked about fear of litigation from
Kaspersky Labs a little while ago when somebody else mentioned
that. How in the world could you possibly fear any action by
them? I mean, you wouldn't have signed an agreement with them
that would allow them to sue you and you not defend yourself,
would you?
Ms. Manfra. I don't fear any action from them, sir, but
they do--they could potentially take action, and I want to
ensure that we are in a position to address any concerns that a
judge may have.
Mr. Posey. Yes. I think the audacity--I think to paraphrase
Clint Eastwood, ``Go ahead and make my day.''
Ms. Manfra. Yes, sir.
Mr. Posey. Can you explain to me the penalties to the
executive agencies if they don't comply?
Ms. Manfra. We would work with the Office of Management and
Budget to determine what the issue was. Sometimes the issue is
they don't have the resources, and whether it is to identify
the products or it is to replace them, so it may not be a stick
that they need but actually additional resources, or if there
was a stick required, then we would work with OMB to address
that.
Mr. Posey. Have there been any enforcement actions thus
far?
Ms. Manfra. No, sir. We have issued six binding operational
directives, and in each case every agency that we've worked
with has been willing and eager to comply with them. Some of
them are challenged with resources, though.
Mr. Posey. Thank you, Mr. Chairman. I see my time's
expired.
Chairman LaHood. Thank you, Mr. Posey.
I now yield to the Ranking Member, Ms. Johnson.
Ms. Johnson. Thank you very much.
Dr. Jacobson, you referred to fake news generated by the
Soviet Union during the Cold War and cite the disinformation
campaign by Soviets that claimed that the U.S. Government
developed the AIDS virus intentionally to target homosexuals
and African Americans. You say these stories spread to 80
countries and were translated into 30 languages in just four
years, a timeline which today could probably be as little as 4
hours or perhaps 4 minutes to circulate around the world. You
said one of the reasons the Soviets generated this fake story
was to heighten racial divisions in America.
Just last month, CNN reported that Russia had created a
fake group called Black Fist and Russian trolls linked to this
operation paid personal trainers in New York, Florida, and
other States to run self-defense classes for African Americans.
They were apparently attempting to sow animosity and tension
along racial lines. But this group was created in January of
2017, 2 months after the 2016 U.S. presidential election.
Dr. Jacobson, do you believe that Russia's influence
campaign against America is only tied to trying to manipulate
our elections or do they have other wider interests in
influencing American citizens?
Dr. Jacobson. Thank you, Congressman--Congresswoman. I
believe the Russians have long-term objectives. They are not
simply concerned with one election cycle. This is a campaign
designed to continue to divide the United States. And if you
take a look at some of the sites you've mentioned, you had
mentioned Black Fist. There was also the Blacktivist, a fake
site. There was also one called Heart of Texas. And the whole
idea is to take the divide we have--and the Russians don't want
to see reconciliation. They don't want to see dialogue and
debate. What they would like to see is both sides of an issue
resort to violence in the end. And I'm overstating the
simplicity of doing that, but that's their long-term effort
because it requires us then to look inside and not look at
what's happening around the world and thereby advance Russian
foreign policy objectives.
Ms. Johnson. You mentioned the need for better standards
and fact-checking by reputable news organizations to help them
avoid being duped by fake news. Social media sites are not
newspapers, but they do generate news. At the same time, we
don't want to limit anyone's ability to speak out publicly and
share their own thoughts or opinions, so how do we emphasize
fact-checking in news-related stories and distinguish that from
someone being able to offer their own opinion?
Dr. Jacobson. I think there are a couple pieces there. I'll
be the last person who wants to mess with the business model or
content on social media sites. I mean, you look at one of the
strengths of our nation, it's the idea of freedom of
expression.
But I think there are certain limits we can place. For the
social media world, they are as much media companies today
as they are social, and they have to understand that when it
comes to political advertisements they should be subject to the
same regulations that traditional media are.
I think there are ways--you look at a company like Twitter
where there's a verification blue check that says to the world,
``This individual is who they say they are.'' I also think if
you look at systems like Moody's for the financial network,
let's find an independent organization that gives a rating to
either traditional or social media outlets. Now, not all the
traditional or social media outlets will be particularly happy
with it, but it's just a start. And in fact I'm--I believe that
Silicon Valley could come up with some even better ways to do
it if they put their mind to it.
Ms. Johnson. Thank you very much.
Mr. Chairman, I yield back.
Chairman LaHood. Thank you, Ms. Johnson.
I now yield to the gentleman from Louisiana, Mr. Higgins,
for his questions.
Mr. Higgins. Thank you, Mr. Chairman. At this time I ask
unanimous consent to enter into the record the written
testimony of cybersecurity expert Troy Newman of Cyber5.
Chairman LaHood. Without objection.
[The information appears in Appendix II]
Mr. Higgins. Ms. Wynn, Mr. Newman has advised myself and
other Members of this Committee that a simple software
uninstall can't guarantee that all components of the
application are removed. He elaborated that the best, most
secure software removal process for remediation of threat is
first an immediate uninstall and then a scheduled complete hard
drive replacement. Can you briefly elaborate for those of us
that don't understand things of this nature why a simple
software uninstall is insufficient and why complete hard drive
replacement is the best solution?
Ms. Wynn. Thank you for your question. I would have to take
that back to some serious experts in terms of hard drive
management and truly erasing software and breadcrumbs and
footprints associated with that software that get left behind
on hard drives. What I can speak to is that NASA takes very
seriously its cybersecurity responsibility, and when we find
unauthorized or unapproved software, we work very quickly to
remove that.
We also have lines of defense that if--that are sort of
layered in terms of--so that if you don't do very well on your
first pass there are other ways and other mitigations that we
do to protect our network to try to contain any threats to our
environment.
Mr. Higgins. So when members of this panel have referred to
agencies that have attempted to comply with the directive by
removing Kaspersky software from their systems, would you
concur that that doesn't mean that Kaspersky is actually gone
from the system?
Ms. Wynn. I would say that cybersecurity is never a 100
percent deal and that what we have to--
Mr. Higgins. If the hard drive is removed, is it a 100
percent deal?
Ms. Wynn. Sir, I can't speak to a hypothetical computer. I
think you'd have to take a look at how a computer might be,
let's say, infected to decide whether the hard drive was one
where you could reuse again or if you would just decide not to
put that hard drive back into your computer.
Mr. Higgins. So that would require--that's an excellent
answer, thank you, Madam. And that would require further
evaluation of that particular system?
Ms. Wynn. You need to always monitor your network to make
sure it's fully protected.
Mr. Higgins. Very well. Thank you for your answer.
Ms. Manfra, thank you for your service to your country. The
Binding Operational Directive 17-01 in its initial statement
calls for a 30-day period to identify the use of Kaspersky
products and then a 60-day period to provide detailed plans to
remove and discontinue the present and future use of the
products and then a 90-day period to begin to implement the
agency plans to discontinue use and remove the products from
information systems. However, there's a clause stating in
there--stating that unless directed otherwise by DHS based on
new information at--by what measure, Madam, would DHS ever
determine never mind, let's go ahead and keep this product on
our systems? Why is that clause in there?
Ms. Manfra. Sir, after extensive review of this process by
our legal counsel, we felt that it was important to allow
Kaspersky Labs and any other potentially affected entity a
meaningful opportunity to respond to the decision that we had
made.
Mr. Higgins. So that clause is inserted into the DHS DOD
17-01, the binding operational directive for United States
Government agencies--that clause was inserted to protect
Kaspersky----
Ms. Manfra. No, sir.
Mr. Higgins. --as opposed to government agencies?
Ms. Manfra. No, sir. That clause was inserted that should
the Kaspersky or another commercial entity come back with new
information that would result in the Acting Secretary
reconsidering her decision, then we would issue new guidance
based off of that new information.
Mr. Higgins. And what could that new guidance be other than
to discontinue the process of removing Kaspersky products?
Ms. Manfra. That would probably be it, sir, if that was the
Acting Secretary's decision but it would have to be based off
of new information that had previously not been understood or
considered.
Mr. Higgins. Mr. Chairman, I have one brief question if you
would allow.
Chairman LaHood. Yes, go ahead, Mr. Higgins.
Mr. Higgins. Regarding code, Ms. Manfra, it's my
understanding that the directive does not apply to Kaspersky
code embedded into products of other companies. Is that
correct?
Ms. Manfra. I wouldn't say that it doesn't apply to
Kaspersky code because that would be--
Mr. Higgins. The directive applies to removal of the
products----
Ms. Manfra. Correct, sir.
Mr. Higgins. --but what about the code behind?
Ms. Manfra. It--what we focused on was products that are
clearly identified as Kaspersky. What we have not focused on in
this directive that we are continuing to pursue is
understanding how they may be embedded in other products that
are not Kaspersky and working toward the process to address
those.
Mr. Higgins. Thank you for your answer.
Mr. Chairman, my time is expired. I would just share that
it's concerning--it's exactly what we're talking about, the
entire series of Kaspersky-related hearings, concerns, and
apparently known or reasonably suspected information security
threat that the Kremlin has embedded itself in our federal
systems, and may I submit that that should certainly include
code.
I thank you for your indulgence, Mr. Chairman. I yield
back.
Chairman LaHood. Thank you, Mr. Higgins.
I now recognize the gentleman from California, Mr.
McNerney.
Mr. McNerney. Well, I thank the Chairman and I thank the
witnesses.
Dr. Jacobson, three prominent U.S. security agencies
including the CIA and the NSA, concluded that the Russians had
operations intended to influence the 2016 presidential election
but declined to comment on whether that effort had been
successful. Do you have an opinion if the Russian efforts were
successful in influencing the 2016 elections?
Dr. Jacobson. Well, I'm cognizant of not getting ahead of
where the multiple congressional investigations are, and of
course I'm as eager to see what the conclusions are there, and
I'm eager to see the U.S. intelligence community speak more
publicly about this. What I am very confident in saying is that
there is clear evidence of attitude changes amongst the U.S.
population as a--in response to the numerous social media
efforts undertaken by the Russians and Russian agents. And I
would point to in particular a study by the Oxford
Computational Propaganda project, which noted changes in the
way--in the attitudes of individuals commenting on the election
on social media after spikes in Russian-bot activity. But I
have not done that original research, so I'm reliant on what
they have done. But to me, as someone who worked on
psychological warfare operations in the Army for quite some
time, there is clear evidence of an attitude change amongst the
population.
Mr. McNerney. Well, has the Russian effort in any way
diminished as a result of the publicity around the 2016
election?
Dr. Jacobson. I don't think it's diminished. I think maybe
the target sets have changed, so in short, no.
Mr. McNerney. Okay. In your testimony you state that social
media companies must start to see themselves more as media
companies because their ability to spread information and
influence the public. What actions can we take in Congress to
ensure that the social media companies assume that
responsibility more seriously, especially regarding political
ads?
Dr. Jacobson. As Dr. Jim Ludes and I said earlier this year
in our co-authored report, it's probably time that the social
media companies have the same standards in terms of regulation
of political advertising transparency that traditional media
companies have. I actually think the larger problem--so you
have one problem of advertising--paid advertising on the social
media networks. The larger problem is the one of fake sites,
and I think that the continued dialogue between Congress, which
I don't think wants to regulate the social media companies any
more than necessary, and the social media companies which don't
want regulation should continue this dialogue because their--
the social media companies' terms of service are very powerful
weapon against these fake sites. And we've actually already
seen Facebook and YouTube use their terms of service to
eliminate these fake sites, including one that was targeting
veterans in particular.
Mr. McNerney. Thank you. Ms. Miller, last month Reuters
reported that H.P. Enterprises allowed a Russian defense agency
to review the source code of H.P. cybersecurity software
ArcSight as a condition of gaining certification to sell the
product in Russia's public sector. In the same article, Reuters
reported that ArcSight serves as a cybersecurity nerve center
for much of the U.S. military and that vulnerabilities
discovered during the source code review could make the U.S.
military more vulnerable to cyber attacks. Is the DOD using
ArcSight software?
Ms. Miller. Sir, we use ArcSight primarily in our intel
community, but unfortunately, I can't speak to the details at
present.
Mr. McNerney. Is the DOD taking steps to secure its systems
since learning about the ArcSight code review?
Ms. Miller. I would have to take that as a question for the
record, sir.
Mr. McNerney. Thank you. Does the DOD use any other
software that's subject to source review by a foreign
government--source code review?
Ms. Miller. Well, actually, we have processes in place,
sir, to help us work through that process, yes, we do.
Mr. McNerney. Okay. Ms. Wynn, does NASA use ArcSight
cybersecurity software?
Ms. Wynn. I'm trying to think about that for a second.
We're going through a process of significant change in terms of
the tools in the layers of our cyber defense, and I actually
can't remember if ArcSight is coming in or leaving our network,
so I'll take for the record and get back to you.
Mr. McNerney. Okay. Ms. Manfra, same question. Does DHS use
ArcSight cybersecurity software?
Ms. Manfra. Yes, sir. I'll get back to you. We're working
through a process to address this change similar to the other
agencies.
Mr. McNerney. Okay. Thank you. Mr. Chairman, I yield back.
Chairman LaHood. Thank you. At this time I yield to the
Chairman of the full committee, Mr. Smith, for his questions.
Chairman Smith. Thank you, Mr. Chairman. Just a comment,
I'm really surprised our witnesses didn't have a better answer
for the gentleman from California. I hope you will be able to
answer my questions. And let me direct first ones, Ms. Manfra,
to you. Are you aware of any breaches to our national security
that have been facilitated by the Kaspersky products?
Ms. Manfra. Sir, I can't discuss that in this forum.
Chairman Smith. I don't understand your answer.
Ms. Manfra. Sir, I prefer to have that discussion in a
classified----
Chairman Smith. No, you don't need to have that in a
classified hearing. I'm not asking for any specifics. I'm just
asking if there have been breaches. I'm not talking about who
had their systems breached, when it occurred, or how it
occurred, just whether breaches did occur.
Ms. Manfra. Sir, we're still working through the process to
identify----
Chairman Smith. We've heard that phrase several times
today, ``working through the process.'' That is just not
sufficient of an answer.
Ms. Manfra. Sir, it is not conclusive at this time.
Chairman Smith. You don't know whether or not systems have
been breached by Kaspersky Lab products yet?
Ms. Manfra. We do not currently have evidence that--
conclusive evidence that they have been breached. I want to do
a thorough review to ensure that we have a full picture of----
Chairman Smith. What about the NSA employee? You don't
think that was considered a breach?
Ms. Manfra. Sir, I would have to direct any questions on
NSA to the NSA.
Chairman Smith. But sure--are you aware of that episode?
Ms. Manfra. Sir, we'd have to have that discussion with the
NSA.
Chairman Smith. I'm not--are you aware of the episode and
do you consider it a breach?
Ms. Manfra. I'm aware of the allegations of what has been
publicly reported in the press and would have to discuss any
further details with the NSA.
Chairman Smith. Okay. Let me try a different question. How
did the Russian software--some people would consider it
spyware--get on the approved list by Department of Homeland
Security?
Ms. Manfra. Are you referring to the GSA----
Chairman Smith. Yes.
Ms. Manfra. --sir? Yes. As I mentioned, we need to
modernize our supply chain risk management processes within the
government. Currently, our processes within the civilian
government are largely focused on lowest-cost if you will.
Chairman Smith. The fact that it was a Russian firm
operated by a Russian who had some perhaps association with the
KGB and certainly the Department of Defense and Russia, that
didn't raise any red flags to anyone?
Ms. Manfra. Sir, I wasn't a part of the GSA decision-making
process. What I can say is that when we had enough information
to make this risk decision, we engaged the GSA, NASA, and
others who had these governmentwide contracts to begin to
execute a process to remove it.
Chairman Smith. But wasn't that after we called it to your
attention? Didn't anybody see any red flags before that?
Ms. Manfra. Yes, sir. One of the things when I assumed the
acting position that I'm now appointed to in January was to
conduct a thorough review of our use of Kaspersky, the
intelligence associated with it----
Chairman Smith. Yes, that's----
Ms. Manfra. --and initiate a plan to remove it.
Chairman Smith. Yes, that's not what I'm asking. That's
after the fact. I'm asking about several years ago when it was
on the approved GSA list. Are you aware of any agency that
might have raised any red flags or not?
Ms. Manfra. The government has been aware of some
increasing concerns about Kaspersky, and we did--not me
personally but the agencies with that information did engage
with other agencies that had----
Chairman Smith. Okay.
Ms. Manfra. --those procurement responsibilities.
Chairman Smith. I have a question to DOD about that in a
second, but one other question. Did the license agreement with
Kaspersky allow penetration beyond the usual type of agreements
you have with similar types of companies?
Ms. Manfra. No.
Chairman Smith. Okay. We have pretty good evidence that
that's not the case, and we'll get back to you on that and have
a further discussion.
Ms. Miller, let me address a couple questions to you. We're
under the impression that in 2012 the Department of Defense
made a decision not to use Kaspersky Lab products. Are you
aware of that or is that even true?
Ms. Miller. Sir, I'm not even sure that was true. However,
we have used processes that I can't discuss at this point based
on intel information----
Chairman Smith. Right.
Ms. Miller. --to decide not to use the product.
Chairman Smith. Okay. When did you decide not to use the
products?
Ms. Miller. I don't know a date, sir.
Chairman Smith. A year?
Ms. Miller. I don't have a year. I think it's been a
couple, but I would have to check.
Chairman Smith. Okay. It might have been 2012. I think we
might have the same information. And can you say why they
decided not to use--why DOD decided not to use Kaspersky Lab
products?
Ms. Miller. I cannot discuss that in open forum, but it was
based on intel information that we had.
Chairman Smith. And security--are you aware of any security
breaches that occurred at DOD as a result of Kaspersky
products?
Ms. Miller. I have no knowledge of any within DOD.
Chairman Smith. Itself, okay. And in 2012 or however many
years it was ago that DOD decided not to use Kaspersky Lab
products--and you say you'll get back to us as to why they
decided that; there had to be a good reason I assume--do you
know if they notified any other agencies of their concerns?
Ms. Miller. I'm not aware of any notification, sir.
Chairman Smith. Okay. Can you double-check that for me? And
that'll be an easy question to find out. If you can get back to
us by this afternoon on those two questions that I asked you.
And then a couple questions, Ms. Manfra, I asked you if you
can get back this afternoon as well. They're easy to answer.
And if you have to talk to me directly, that's fine, but I
would ask you not to take advantage of the cover of classified
unless individuals' names are involved or unless it's in regard
to specifics. If it's very general, that shouldn't be
classified.
Okay. Thank you, Mr. Chairman. I yield back.
Chairman LaHood. Thank you, Mr. Smith.
I now recognize the gentleman from Colorado, Mr.
Perlmutter.
Mr. Perlmutter. Thank you, Mr. Chair.
So Mr. Higgins talked about the Kremlin has embedded itself
in the structure of the United States. And in prior hearings
we've had conversations about foreign intelligence risk,
espionage, meddling in U.S. affairs by the Russians and by Mr.
Putin himself. And in Danang just a few days ago when asked
about Russia meddling in U.S. affairs, the President said,
quote, ``I asked him again about meddling. You can only ask so
many times. He said he absolutely''--he, Putin--``absolutely
did not meddle in our election. He did not do what they are
saying he did. I really believe that when he tells me that. He
means it. I think he's very insulted if you want to know the
truth.''
So, Mr. Jacobson, you know, we're here and it's a real
issue, Kaspersky having embedded itself potentially for the
benefit of the Kremlin and Russia in our software, in our
Defense Department, in NASA, in Homeland Security, but let me
ask you about Mr. Putin and about whether or not, given his
background, the President should just take him at his word.
What do you think about that?
Dr. Jacobson. Well, Mr. Putin's an ex-KGB officer. I'm not
sure I would take him at his word if he told me the sun were
shining and I was standing outside and there were blue skies
and the sun was shining down on me.
Mr. Perlmutter. You used the word psychological warfare
earlier. Would Mr. Putin be familiar with that? Is that
something he did as the head of the KGB?
Dr. Jacobson. Mr. Putin would be intimately familiar with
not only operations he may have been involved in but the entire
history of Soviet disinformation and propaganda campaigns. I
mean, this is something embedded in the nature of KGB officers
and not just propaganda designed to influence and shape
American foreign policy that might be truthful. We're talking
about deliberate attempts to mislead and obfuscate, covert
action, sabotage, subversion, what have you. I don't trust
anything coming out the Russian Government.
Mr. Perlmutter. And I appreciate the Chairman and the
Republican majority for having this hearing and looking at
Kaspersky and how it may have corrupted some of our computer
systems, but, you know, when I take a look at the connections
that this Administration has to Russia, Michael Flynn, Jeff
Sessions had some contacts, Carter Page, Roger Stone, Jared
Kushner, Donald Trump Junior, Michael Cohen, J.D. Gordon, Paul
Manafort, Mr. Gates, Mr. Papadopoulos. I mean, that's where
this investigation, not just--should not just be on Kaspersky,
which is coming in through the back door through different
kinds of software that may have tainted the system, but what
about the front door which is at the White House? So are you
familiar with these different connections that this
Administration may have with Russia?
Dr. Jacobson. Only insofar as what I read in the newspaper.
And like everyone else, I'm eager to see what the various
congressional investigations or the Special Counsel's Office
comes up with on this.
Mr. Perlmutter. You answered a question that Ms. Johnson
asked you about, well, what's the real purpose? What is it that
we're worried about? Why are we worried about Kaspersky having
corrupted some of our systems? Why are we worried about these
gentlemen with connections to Russia and with the President
saying he believes Mr. Putin? What's the worry here?
Dr. Jacobson. I think there are a couple things here. As
we've heard during this hearing, there are concerns about--and
it's not a back door; it's a front door. You know, we've given
Kaspersky access--if I'm putting antivirus software on my home
computer, I'm giving that software company some access. It can
be used for espionage. It can be used--I'm particularly worried
about data manipulation as well. But again with respect to my
area of expertise, I think once you start to get into a system,
it becomes a vector for propaganda and influence. It allows you
to discredit federal organizations if you want. It allows you
to manipulate data and try and create poor policy decisions.
But it's also part of a broader effort. If we think of
cyber--and again the alleged Kaspersky situation is just one
battle in a larger war. You know, imagine if cyber attacks
augment rhetorical propaganda attacks that seek to influence
the American people's attitudes on Ukraine or Syria or U.S.
involvement in the NATO alliance. You can see how the ability
of the internet to penetrate, to get to every single
individual, and the ability of the Russians to take advantage
of the enormity of the marketing data created by Facebook so
they can tailor propaganda messages to individuals, it's
something--we've never seen anything on that scale.
Mr. Perlmutter. Thank you. And I yield back.
Chairman LaHood. Thank you. Next yield to the gentleman
from South Carolina, Mr. Norman.
Mr. Norman. Thank you, Mr. Chairman.
You know, as we in Congress hear your testimony and look
back over the facts and what you're discussing, you know, I
looked at your bios. You've each got, if you combine it, over
100 years in this area, so you're experts in what you do. As--
if we look back over the time frame, Kaspersky didn't come up
just recently, did it? When did--Ms. Manfra, when did this--the
idea of having a problem with the product come up?
Ms. Manfra. When I first became engaged was around 2014----
Mr. Norman. Okay. So this President has been here for nine
months, so it's prior to this President coming into office----
Ms. Manfra. Yes, sir.
Mr. Norman. --the issue came up.
Ms. Manfra. Yes, sir.
Mr. Norman. Now, you mentioned--Chairman Smith mentioned
the ULA agreements. Are you familiar with those?
Ms. Manfra. Yes, sir.
Mr. Norman. Walk me through the process for approving a ULA
agreement.
Ms. Manfra. It's somewhat dependent on the agency, but
generically, when a company decides to procure a certain
software, they would receive what the company would like that
end user license agreement to look like. In some cases we can
negotiate some differences. Generally, we don't, but that is
again a generic sort of process, so each agency might have
different implementation.
Mr. Norman. So how many sets of eyes would look on a--would
read a ULA agreement?
Ms. Manfra. Ideally, you would have a legal review--well,
you would absolutely have a legal review. You would also have
the procurement officials involved, and ideally, you would also
have the mission owners, and then you would have those
individuals that are responsible for authorizing that network
to operate and whatever software goes on that----
Mr. Norman. So a lot of eyes go on it and detail people
that know or experienced in reading them.
Ms. Manfra. Yes, sir.
Mr. Norman. And you say--I think your testimony was there's
no abnormality in the ULA agreements that were signed?
Ms. Manfra. No, sir.
Mr. Norman. Okay. Is it normal to agree to binding
arbitration and no trial by jury? Is it normal to give access
to all data, microphones, and cameras? Is that part of--is that
boilerplate language that each agency would agree to?
Ms. Manfra. Sir, I can't comment on what each agency
boilerplate language is, but access to much of your computer
system is often required for antivirus systems and security
software, which was one of the reasons that we looked to
understand how that data will be used and ensure we have a
trusted relationship with that provider.
Mr. Norman. Well, I guess my question is do you--is it to
waive a trial by jury?
Ms. Manfra. That, sir, I would have to get back to on as to
whether that was common practice.
Mr. Norman. Well, we have testimony by Mr. Newman that was
an abnormality, that that was agreed to by somebody, somewhere,
some agency.
Ms. Manfra. It seems unusual, sir.
Mr. Norman. Okay. If--and you don't know which agency--your
testimony was this agreement was reviewed by experts in the
field, by a lot of different agencies. Now, if that's not a
routine clause, who would have put that in there?
Ms. Manfra. Sir, I'd have to understand the details of what
the testimony is that you're referring to, the expert
testimony, and we can get back to you with details on what
might be unusual that that gentleman is referring to.
Mr. Norman. Okay. If you could get that in writing----
Ms. Manfra. Yes, sir.
Mr. Norman. --to all of the members--anybody here that
would be interested in seeing it. I think all of us would.
Ms. Manfra. Yes, sir.
Mr. Norman. The exact language that was agreed to, any
abnormality that was not normal----
Ms. Manfra. Yes, sir.
Mr. Norman. --if you could highlight that, and then give us
names of the different--I'm sure there are lawyers within the
agencies that would agree that looked at this--give us some
names of who looked at this ULA agreement.
Ms. Manfra. I will do my best, sir.
Mr. Norman. I yield back.
Chairman LaHood. Thank you. I now yield to Mr.--the
gentleman from Georgia, Mr. Loudermilk.
Mr. Loudermilk. Well, thank you, Mr. Chairman.
Ms. Wynn, in 2013 the Science Committee staff emailed the
legislative affair teams at NASA to ensure that Kaspersky Lab
was not being used on any NASA systems. Do you have any record
of that request?
Ms. Wynn. No, sir, I'm not aware of that request, but I can
certainly check on the record status within NASA. I didn't join
NASA until 2015.
Mr. Loudermilk. Okay. If you would and get back to the
Committee on that, I'd appreciate it.
Today, you testified that Kaspersky Lab products were
identified on a small number of machines that had access to the
NASA internal network. Is that correct?
Ms. Wynn. Yes, that's correct.
Mr. Loudermilk. Okay. What was the time frame that
Kaspersky was present on the NASA systems? Was it after 2013?
Ms. Wynn. We discovered between 2013 and the assurances
that we did in recent past that there had been Kaspersky on the
network. Our belief is that it was part of either a larger
procurement or bundled within a series of software that then,
because our tools are getting smarter, able for us to identify
it and go ahead and get that removed.
Mr. Loudermilk. Okay. So some of it may have been software
bundled on a computer that was purchased?
Ms. Wynn. It could have been within a computer that was
purchased or within a package of software that was put on the
network.
Mr. Loudermilk. Can you tell us why it was not remedied
earlier and disclosed to the Committee as part of the response
to the Chairman's July 27 letter to all departments and
agencies?
Ms. Wynn. So at NASA we've been working very hard to deploy
the continuous diagnostic and mitigation tools which allow us
to have absolute insights to every single part of NASA's IT
infrastructure, which is over 160,000 components. Prior to the
CDM coming on board, NASA's ability to take a look at its
entire footprint was fragmented and therefore pulling together
and synthesizing an entire picture was very, very difficult to
do that.
Mr. Loudermilk. Okay. Ms. Manfra, on October 10 the New
York Times reported additional details regarding hackers
working for the Russian Government stealing details about the
NSA's cyber capabilities from a contractor who had stored the
information on his home computer. I think everyone is aware of
that report. These new revelations were that Israeli
intelligence uncovered the breach and the Russian hackers' use
of Kaspersky software. The article details that ``Israeli
intelligence officers informed NASA that in the course of their
Kaspersky hack, they uncovered evidence that Russian Government
hackers were using Kaspersky's access to aggressively scan for
American Government classified program.'' This thing reads like
a Clancy novel, spies spying on spies. But in your opinion
would this be considered concrete evidence that Kaspersky Lab
has ties to the Russian Government?
Ms. Manfra. Sir, I can't make a judgment based off of a
press reporting, but I understand the allegations outlined in
that report, and should those be true, I would say that that
was evidence, yes, sir.
Mr. Loudermilk. So if the intelligence community were to
verify this, then you would agree that that's concrete evidence
there's ties?
Ms. Manfra. Yes.
Mr. Loudermilk. Okay. Thank you for your candor there. If
this happened in 2014 and the NSA was alerted immediately, why
did it take until 2017 for action to take place to secure our
systems by removing the software?
Ms. Manfra. Sir, the binding operational directive was just
the latest in a series of actions that we have been taking
within the government over the past few years to address this.
We had been briefing at a classified level across the federal
government, as well as critical infrastructure, as well as--as
much unclassified information as we can share. I was not
satisfied with the progress, and so we looked for other avenues
to escalate to ensure that we had full removal across the
federal government.
Mr. Loudermilk. But it took three years to really take
action once this was known?
Ms. Manfra. Sir, we--this is a more recent authority that
we were given. It is just, again, one of the tools that we had.
We were exhausting all of the tools through information-sharing
mechanisms throughout, again, the government and others, and
this was just one of the public tools that we took to remove
the----
Mr. Loudermilk. Okay.
Ms. Manfra. --software.
Mr. Loudermilk. Dr. Jacobson, in a recent interview with
Reuters, Mr. Kaspersky admitted his company widely used
antivirus software to copy files from personal computers, files
that did not pose a threat to the personal computers of those
customers. I worked 30 years in the IT business. I did not know
this as being a standard practice. Is this typical of industry
to copy files that are known not to be threats?
Dr. Jacobson. Congressman, I don't know. I don't have that
sort of expertise. However, what I will say is that I stopped
using Kaspersky years ago just because of the first sets--this
has to be maybe four, five years ago--because there were a
number of articles in trade journals that suggested that they
just didn't have the types of standards that you want if you're
a home computer user so--but beyond that, I can't answer your
question.
Mr. Loudermilk. Ms. Miller, is there any other antivirus
software that you know that would copy files not known to be
threats?
Ms. Miller. None that I'm----
Mr. Loudermilk. Okay.
Ms. Miller. None that I'm aware of, sir.
Mr. Loudermilk. All right. Thank you.
Ms. Manfra, last question. Would you review--would a review
of Kaspersky Lab's source code, as recently offered by the CEO
of Kaspersky, help alleviate concerns or is this merely a
publicity stunt?
Ms. Manfra. Sir, I have heard the offer to review the
source code, and while we would welcome opportunity to hear
from Kaspersky on what potential new information and
mitigations they could put in place, the source code review
would not be sufficient in my opinion.
Mr. Loudermilk. Okay. Thank you. Mr. Chairman, I yield
back.
Chairman LaHood. Thank you. I have a few additional
questions here to ask.
Ms. Miller, you commented earlier that the Department of
Defense at some point made a determination based on
intelligence that you were not going to engage with Kaspersky
products. Is that correct?
Ms. Miller. Yes, sir, based on threat information and other
intel feeds that we had.
Chairman LaHood. In that threat information and concerns,
was that information relayed to DHS or other agencies?
Ms. Miller. I'm not aware--not sure, sir. I would have to
confirm.
Chairman LaHood. And do you know why that information
wouldn't have been relayed? Are you saying it could have been
relayed and you're not aware of it?
Ms. Miller. It could have been relayed and I'm not aware of
it. I would have to confirm.
Chairman LaHood. Okay. And how long will it take you to
confirm that and get that back to the committee on that?
Ms. Miller. We can do that within the next day or so, sir.
Chairman LaHood. Okay. Ms. Manfra, are you aware of the
intelligence information that DOD relied upon when they made
the decision not to engage with Kaspersky products?
Ms. Manfra. I believe I'm aware of the same information,
sir, yes.
Chairman LaHood. And when did you become aware or when did
the Department become aware?
Ms. Manfra. I would have to get back to you on when the
Department became aware. I can tell you that I first became
aware of concerns in the 2014 time frame.
Chairman LaHood. And can you tell us why a similar decision
in 2014 wasn't made similar to what DOD did?
Ms. Manfra. Some agencies such as the Department of
Homeland Security did engage in an effort to remove the
Kaspersky software from their systems. What we identified was
largely agencies who are more security-focused or had the
ability to receive classified briefings were removing the
software. Where there was a gap was in the civilian agencies
that did not have that infrastructure necessarily in place
where they could rely on classified information to make
procurement decisions. So we wanted to provide further
direction across the civilian government for them to be able to
make the same choices based off of the risk management
decisions that we had made.
Chairman LaHood. Ms. Manfra, does the September 2, 2017,
directive apply to federal contractors?
Ms. Manfra. Yes, sir.
Chairman LaHood. Okay. And to your--can you give us an
update or where is it at? Have all federal contractors been
compliant? Where is that at in terms of your follow-up with
them and how do you keep track of that?
Ms. Manfra. We have a couple of different mechanisms to
keep track. Every agency is responsible for defining what
contractors constitute their federal information system and
reporting that up to us. What we see is what the agencies
report to us. We also, as I mentioned, have sensors deployed
both internal to agency networks as well as at the perimeter
that can identify what agencies may be calling out to Kaspersky
IP addresses so that that would indicate that they probably
have it on their systems as well. So we're looking at a variety
of different avenues to identify whether they have it. And that
would include a contractor system if they identify it to us.
However, it is up to the agency to identify that contractor
system to us.
Chairman LaHood. And do you feel like you have full
knowledge of all the contractors that the different agencies
engaged with?
Ms. Manfra. I do not--I could not say that I have full
knowledge of all the contractors that agencies engage with. I
can say that for all of the largest agencies I feel very
confident that they have done an assessment of not only the
internal government-owned and -operated networks as well--but
as well as the contractor-owned or -operated networks and
systems. But there--to say that I have full insight into every
contractor that the civilian government uses, I probably do not
have that right now.
Chairman LaHood. Ms. Miller, in previous testimony before
this committee, cybersecurity experts stated, quote, ``The
Federal Government should take the lead on developing a trusted
vendor list that provides guidance on approved cybersecurity
vendors with a secure supply chain that agencies can have
confidence in,'' unquote. In your opinion, how would the
federal government go about establishing such a trusted vendor
list? And what agencies should lead the federal government's
effort to do so?
Ms. Miller. Sir, I'll start with the second question. I'm
not sure what agency I would recommend leading it, but I think
we have a responsibility as we work with our vendors to ensure
we have supply chain management processes in place to evaluate
what they're bringing to us. We've established relationships
with DIA and the--what--I can't think of the acronym right
now--that give us an opportunity to identify critical
components where supply chain managements are of real concern
and put processes in place to help us avoid any risk introduced
by our industry partners.
At the same time, we have had very strong conversations
with members of the defense industrial base to make sure they
understand risk associated with use of the Kaspersky products,
and the Defense Security Service has directed all of them to
remove the products for any--especially of our classified
systems. And we're working with our unclassified--or our
vendors in the unclassified arena now with the Defense Federal
Acquisition Regulation clause that we've put in place to help
them not only understand the risk but to understand the
products that they're using and their responsibility to protect
government information and the government network as they
relate to mission operations.
Chairman LaHood. Thank you. That's all my time.
Mr. Perlmutter, I recognize you for additional questions.
Mr. Perlmutter. Just a couple questions about Kaspersky,
and this is to the whole panel.
In October 2015 the U.S. subsidiary of Kaspersky Lab, which
is called Kaspersky Government Security Solutions, paid
President Trump's former National Security Advisor Lieutenant
General Michael Flynn $11,250 for a speaking fee. So just to
the panel I would ask, are you aware of anybody from your
agencies speaking at any Kaspersky conferences not for payment
but just as one of their speakers? And what is it again, Dr.
Jacobson, that we're worried about to have a guy like Michael
Flynn speaking at a Kaspersky conference? Some open-ended
questions, start with you, Ms. Manfra. Do you know if anybody
from GSA or your agency has spoken at any Kaspersky
conferences?
Ms. Manfra. Sir, we have not done a thorough review of speaking
engagements at Kaspersky-sponsored events. I can say that we--
the guidance to my workforce is to not engage with Kaspersky-
sponsored events.
Mr. Perlmutter. Ms. Wynn?
Ms. Wynn. I am not aware of anyone speaking at a Kaspersky-
sponsored conference, and I would say that there is a thorough
vetting review by our Office of General Counsel with respect to
any speaking engagements of NASA personnel.
Mr. Perlmutter. Ms. Miller?
Ms. Miller. Sir, same with DOD. We go through a rigorous
review with the general counsel before we approve speaking
engagements, and to my knowledge, we've not had any DOD
employees speak at a Kaspersky event.
Mr. Perlmutter. Dr. Jacobson?
Dr. Jacobson. Can I provide you a very unsatisfying answer?
You know, I don't know the specifics of that case, but I think
this is exactly why we need to understand that the Russians are
going to continue to try and find key influencers, whether in
government or in the media space or amongst the public, to help
them with their information or disinformation campaigns in the
United States. I mean, all foreign governments try and
influence the United States. That's why we have laws that
regulate the level of transparency there.
But let me also state that this is why I think there's a
great opportunity for a bipartisan sponsored commission like
the 9/11-style commission, the Iraq study group, or the
Afghanistan study group to really look forward and see how do
we combat information campaigns or disinformation, whether it's
Russian, Chinese, or terrorist networks in the future? And that
would be a last point in terms of urging what the committee and
Congress overall could do.
Mr. Perlmutter. Well, and to that point, again, sort of
looking for these different crevices or potential vulnerable
spots, in December 2016 Kaspersky Lab awarded $18,000 in
funding to three universities to help identify and--to help
develop identity and verification methodologies for secure
online voting systems. So, you know, obviously, they're looking
for different places to take advantage of, you know, America
and an open--pretty open system that we have.
Just curious, if you were at DHS, Ms. Manfra, if you were
advising these universities, what would you advise them about
speaking and taking money from Kaspersky Lab? It's a very
hypothetical question and it calls for speculation on your
part, but I'm still going to ask it.
Ms. Manfra. Yes, sir. I can't presume to advise a
university on what money they might take or engagements they
might speak at, but I would encourage them to ensure that they
consider the risk associated with those interactions as a part
of their engagement and their funding.
Mr. Perlmutter. Dr. Jacobson?
Dr. Jacobson. Well, I'm definitely not speaking for
Georgetown University here, but I was thinking of three things.
If I was asked today whether I would advise a university on
that, I would think about three things: one, politically, it
would be absolutely unacceptable to do given what's going on
with Kaspersky and the allegations in the committee right now;
second, from a public relations perspective, it would be a
really bad idea; and third, there's prudence. We know in the
university and think tank world there's certain countries and
certain companies you just really think twice about taking
money from, and again, if someone asked me, I would recommend
they not take it today.
Mr. Perlmutter. Okay. I yield back.
Chairman LaHood. Thank you, Mr. Perlmutter.
That concludes our questions today. I would just advise
that the Committee--the Oversight Subcommittee on this is going
to continue to monitor this situation, and as the directive
continues to get implemented, we look forward to continuing to
work with you on this issue. It's important that we as a
committee and subcommittee stay engaged on this, and we'll look
forward to the next phase of our hearing series on this and
look forward to continuing to work with you.
With that, our hearing is concluded. Thank you.
[Whereupon, at 11:53 a.m., the Subcommittee was adjourned.]
Appendix I
----------
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Appendix II
----------
Additional Material for the Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]