[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

BOLSTERING THE GOVERNMENT'S CYBERSECURITY: A SURVEY OF COMPLIANCE WITH THE DHS DIRECTIVE

=======================================================================

HEARING BEFORE THE SUBCOMMITTEE ON OVERSIGHT
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION

November 14, 2017

Serial No. 115-38

Printed for the use of the Committee on Science, Space, and Technology

Available via the World Wide Web: http://science.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE
27-677PDF
WASHINGTON : 2018

For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov.

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma
DANA ROHRABACHER, California
MO BROOKS, Alabama
RANDY HULTGREN, Illinois
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
JIM BRIDENSTINE, Oklahoma
RANDY K. WEBER, Texas
STEPHEN KNIGHT, California
BRIAN BABIN, Texas
BARBARA COMSTOCK, Virginia
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
DANIEL WEBSTER, Florida
JIM BANKS, Indiana
ANDY BIGGS, Arizona
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina

EDDIE BERNICE JOHNSON, Texas
ZOE LOFGREN, California
DANIEL LIPINSKI, Illinois
SUZANNE BONAMICI, Oregon
AMI BERA, California
ELIZABETH H. ESTY, Connecticut
MARC A. VEASEY, Texas
DONALD S. BEYER, JR., Virginia
JACKY ROSEN, Nevada
JERRY McNERNEY, California
ED PERLMUTTER, Colorado
PAUL TONKO, New York
BILL FOSTER, Illinois
MARK TAKANO, California
COLLEEN HANABUSA, Hawaii
CHARLIE CRIST, Florida

------

Subcommittee on Oversight

HON. DARIN LaHOOD, Illinois, Chair
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
BARRY LOUDERMILK, Georgia
ROGER W. MARSHALL, Kansas
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina
LAMAR S. SMITH, Texas

DONALD S. BEYER, Jr., Virginia, Ranking Member
JERRY McNERNEY, California
ED PERLMUTTER, Colorado
EDDIE BERNICE JOHNSON, Texas

C O N T E N T S

November 14, 2017

Witness List
Hearing Charter

Opening Statements

Statement by Representative Darin LaHood, Chairman, Subcommittee on Oversight, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Donald S. Beyer, Jr., Ranking Member, Subcommittee on Oversight, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Lamar S. Smith, Chairman, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Eddie Bernice Johnson, Ranking Member, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Witnesses:

Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security
    Oral Statement
    Written Statement

Ms. Renee Wynn, Chief Information Officer, National Aeronautics and Space Administration
    Oral Statement
    Written Statement

Ms. Essye Miller, Deputy Chief Information Officer for Cybersecurity, U.S. Department of Defense
    Oral Statement
    Written Statement

Dr. Mark Jacobson, Associate Teaching Professor, Edmund Walsh School of Foreign Service, Georgetown University
    Oral Statement
    Written Statement

Discussion

Appendix I: Answers to Post-Hearing Questions

Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security
Ms. Renee Wynn, Chief Information Officer, National Aeronautics and Space Administration
Ms. Essye Miller, Deputy Chief Information Officer for Cybersecurity, U.S. Department of Defense
Dr. Mark Jacobson, Associate Teaching Professor, Edmund Walsh School of Foreign Service, Georgetown University

Appendix II: Additional Material For The Record

Statement submitted by Mr. Troy A. Newman, President, Cyber5, LLC

BOLSTERING THE GOVERNMENT'S CYBERSECURITY: A SURVEY OF COMPLIANCE WITH THE DHS DIRECTIVE

----------

Tuesday, November 14, 2017

House of Representatives,
Subcommittee on Oversight and
Committee on Science, Space, and Technology,
Washington, D.C.

The Subcommittee met, pursuant to call, at 10:08 a.m., in Room 2318 of the Rayburn House Office Building, Hon. Darin LaHood [Chairman of the Subcommittee] presiding.

Chairman LaHood. Good morning.
The Subcommittee on Oversight will come to order. Without objection, the Chair is authorized to declare recesses of the Subcommittee at any time.

Welcome to today's hearing entitled ``Bolstering the Government's Cybersecurity: A Survey of Compliance with the DHS Directive.''

The subject of today's hearing involves some information that is classified. I remind members that their questions may call for a response that the witnesses know to be classified. Please be mindful of this fact. I would like to instruct the witnesses to answer to the best of their ability, but should an answer call for sensitive information, members will understand if you respond that you are unable to answer in this setting.

I now recognize myself for five minutes for an opening statement.

Good morning and welcome to today's Oversight Subcommittee hearing, ``Bolstering the Government's Cybersecurity: A Survey of Compliance with the DHS Directive.'' The purpose of this hearing is to examine and assess implementation of the Department of Homeland Security (DHS) Binding Operational Directive (BOD) 17-01, which was the removal of the Kaspersky-branded products by federal government departments and agencies.

This hearing marks the second time the Committee has convened to examine the issues and concerns surrounding Kaspersky Lab. On October 25, 2017, the Committee examined the potential risks, vulnerabilities, and threats posed to federal ICT systems by Kaspersky software. During that hearing, we heard from experts about the specific nature of threats posed by Kaspersky, action the federal government has taken or plans to take to mitigate the threat, and steps that could be taken to avoid similar threats in the future.

The Trump Administration has taken steps to remediate the Kaspersky issue. In July of this year, the GSA removed Kaspersky from its government-wide contracts. Although it was a step in the right direction, it did not completely eliminate the threat.

On September 13, 2017, the Administration took additional steps to harden the security of federal information systems against the Kaspersky threat when DHS issued Binding Operational Directive 17-01. The directive requires federal departments and agencies to complete three consecutive phases of implementation. First, they must scan their systems to identify the use or presence of Kaspersky software. Second, they must develop an action plan for the removal and replacement of any Kaspersky software identified on their systems. Finally, they are required to implement their action plan and must begin the process of removal and replacement.

Federal departments and agencies are also required to submit status reports to DHS as they implement each of the directive's three phases. The status reports provide data and information that is useful for assessing compliance with the directive, and for quantifying the pervasiveness of Kaspersky installations across federal systems, the extent of threats posed by the software, and the complexities associated with complete removal.

Today, we will focus primarily on the status reports to guide our assessment of compliance with the directive. In doing so, we hope to learn whether agencies have complied with the first two phases of the directive and whether any Kaspersky installations were found on federal systems. Additionally, we hope to understand more about the specific action plans for removal and replacement of any identified Kaspersky installations and DHS' anticipated timeline for full implementation of the directive. Finally, we hope to learn about the directive's applicability to federal contractors.

I want to thank Ms. Miller for being here to represent the Department of Defense. Annually, the DOD spends approximately $30 billion on information technology. We are interested in whether the directive applies to DOD's contractors and, if so, are they currently complying? If not, what must be done to ensure that contractors take appropriate action to mitigate the Kaspersky threat?

I'm hopeful that our witnesses today can help us resolve these important questions and better understand the next steps that must be taken to ensure the integrity, resilience, and security of federal information systems.

Cybersecurity is a complex and evolving issue that affects U.S. national and economic security. We must remain diligent in our efforts to strengthen and secure federal systems, and our approaches to addressing cybersecurity issues must evolve to keep pace with ever-changing threats. Bolstering the cybersecurity of federal information systems is among the Committee's top priorities, and I am hopeful that our efforts here today will take us one step closer toward accomplishing this objective.

[The prepared statement of Chairman LaHood follows:]

Chairman LaHood. At this time, I now recognize the Ranking Member, the gentleman from Virginia, for his opening statement.

Mr. Beyer. Thank you, Chairman LaHood, and thank you for holding this second hearing on Kaspersky.

Two weeks ago we held a hearing on security concerns regarding the use of Kaspersky Lab software on federal computer networks, and I think most members on both sides of the aisle agree that using the services or software of Kaspersky Lab, a Moscow-based company that reportedly has close ties to Russian intelligence services, using this on federal networks presents risks not worth taking.

So back in September, the Department of Homeland Security also recognized this and issued a directive for federal agencies to identify and initiate actions to remove Kaspersky Lab software from their networks. So I understand that we're holding this hearing as a follow-up to ensure that our federal agencies are complying with this DHS directive in a timely manner, which is essentially important.
However, it seems that in holding a second oversight hearing solely on Kaspersky Lab products we're missing the forest for the trees. Kaspersky products are not the biggest security risk we face in Russia. As I mentioned at our last hearing and as we saw throughout the 2016 election cycle, cybersecurity is no longer just about defending our data. It is on a larger scale about defending our democracy from unwanted foreign influence and disinformation campaigns.

Please listen to these actual numbers. One hundred and twenty-six million Americans received Russian-backed content on their Facebook newsfeeds during the 2016 election. Twitter has found 36,746 bots linked to Russia, and these accounts sent a combined 1.4 million tweets and were seen 288 million times. Google has uncovered tens of thousands of ads purchased by Kremlin-linked buyers on YouTube, Gmail--its search page--and in double-click ads. The Kremlin directly sponsored fake Black Lives Matter activists who posted videos to Facebook, Twitter, and YouTube. Last month, the Computational Propaganda Project released a study mapping how Russia-linked Twitter accounts seek to target U.S. military personnel and veterans.

So instead of focusing just on Kaspersky Lab software, we should also be examining how enemies of democracy are using communications technologies in new, precise, and powerful ways to disrupt our democratic institutions and influence the American public. We should be specifically looking into how the Russians have done this just during the 2016 presidential election and how we can develop tools, technologies, and public awareness to diminish similar attacks in the future. We should also examine the state of our cybersecurity practices in defending our critical election infrastructure from covert interference and manipulation.

The House Science, Space, and Technology Committee has an important role in publicly addressing these issues. We do have a specific responsibility to provide oversight on the deeply existential role of technology in our society. And, Mr. Chairman, at the last Kaspersky hearing I requested that we hold a hearing on these larger issues, and I respectfully ask again today.

I'm glad that one of our witnesses today will help put the security concerns regarding Kaspersky Lab's software in context and help examine the broader Russian strategy of undermining our democratic institutions and influencing our democracy. Dr. Mark Jacobson, a professor at Georgetown University, has written frequently on the impact of Russia's influence operations against the United States in the past few years. I look forward to his testimony and all your testimony.

I'm also attaching to my statement a minority staff report that addresses Russia's cyber influence campaign against the United States. This report has already been shared with the majority staff.

Thank you, Mr. Chairman, and I yield back.

[The prepared statement of Mr. Beyer follows:]

Chairman LaHood. Thank you, Mr. Beyer. I now recognize the Chairman of the full Committee, Mr. Smith, for his opening statement.

Chairman Smith. Thank you, Mr. Chairman.

The risk to U.S. security that Kaspersky Lab, a Russian company, has created is undeniable and the harm, incalculable. The founder of Kaspersky Lab, Eugene Kaspersky, attended a KGB-funded intelligence institute and served in Russia's Ministry of Defense. For years, there has been speculation that Kaspersky's antivirus software could be used by the Russians for information gathering. Continued investigations have disclosed more details on the extent to which Kaspersky Lab is a tool for the Russian Government.

Press reports claim that Kaspersky's prior federal government customers include the Departments of State, Justice, Energy, Defense, Treasury, Army, Navy and Air Force. This is of more than passing concern; it is alarming.
Last month, The New York Times reported that Russian Government hackers conducted a global search of computers looking for the code names of American intelligence programs. The hackers used the antivirus software made by Kaspersky Lab. This Russian operation stole classified documents from at least one National Security Agency employee, who had Kaspersky antivirus software installed on his home computer.

Kaspersky's antivirus software allowed Russia to have unlimited access to data stored on computers with Kaspersky products. The magnitude and widespread use of Kaspersky's software--400 million users worldwide--gives the company unprecedented access and retrieval capabilities. To date, it is unclear what additional American security secrets Russia may have acquired through Kaspersky's scans for classified programs. This only confirms the need for the actions this Administration and this Committee have taken.

The Science Committee has engaged in continued oversight of Kaspersky Lab since questions were raised by Science Committee member Congressman Higgins earlier this year. On July 27, 2017, this committee requested that all federal departments and agencies disclose their use of Kaspersky Lab products. On September 13, 2017, the Department of Homeland Security issued a Binding Operational Directive to all agencies and departments. This directive sought the complete removal of Kaspersky products from federal systems after 90 days.

Today, the Committee is interested in whether federal agencies are complying with the directive. How common are Kaspersky products in our federal systems? What is the extent of the risk? And are the actions required in the DHS directive sufficient to protect U.S. interests?

The Committee expects to uncover all risk associated with Kaspersky Lab. This includes identifying all necessary actions needed to eliminate risks even beyond the risk to federal systems. Based on the NSA contractor's personal computer being targeted, we are interested in what steps DHS has taken to assist civilian employees and contractors who are at risk of exposure. We also are interested in proactive steps and coordination among our federal agencies and departments. We need to use all resources to ensure that Kaspersky products on federal systems have been completely removed.

Beyond an interest in the risk caused by Kaspersky products, the Science Committee will continue to address the federal government's cybersecurity weaknesses. This committee, along with the Committee on Oversight and Government Reform, plans to bring a revised version of H.R. 1224, the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, to the House Floor soon. NIST should welcome the opportunity to use its expertise to help protect our national security. The bill amends the Federal Information Security Management Act to require that federal agencies' Inspectors General coordinate with NIST in conducting their cybersecurity evaluations.

Anyone with knowledge of potential cybersecurity risks should contact the committee and share their information with us. We must eliminate the threat of Kaspersky Lab to our national security systems.

Thank you, Mr. Chairman. I'll yield back.

[The prepared statement of Chairman Smith follows:]

Chairman LaHood. Thank you, Chairman Smith. I now recognize the Ranking Member of the full Committee, Ms. Johnson, for her opening statement.

Ms. Johnson. Thank you very much, Mr. LaHood.

In September, the Department of Homeland Security banned the use of Kaspersky Lab software on federal government computer networks. The U.S. intelligence community believes this Russian company's products pose an unnecessary potential risk to our security from Russia's intelligence services. Whether or not the company is aware of these threats is irrelevant.
I trust the judgment of the American intelligence community in this matter, and I'm also confident that federal agencies will successfully eliminate the Kaspersky Lab software from their respective computer systems.

I am much more concerned, though, about the persistent threat foreign actors pose to our electoral system. During the previous Kaspersky Lab hearing the Subcommittee held three weeks ago, I noted that, prior to the 2016 election, this committee held a hearing to review the guidelines for protecting voting and election systems, including voter registration databases and voting machines. I asked that this committee hold a follow-up hearing to discuss protecting these same systems in the light of last year's events, as well as to examine the sophisticated influence operations conducted by the Russian Intelligence Service to disrupt our democratic processes and damage our democracy. Today, I want to reiterate that request.

Russian actors attempted to hack into voter databases in multiple States before the 2016 election, successfully compromising a small number of networks according to the Department of Homeland Security. But Russia, as we all know, did not only attempt to penetrate these sorts of hard targets, they sought to influence public opinion and undermine our democratic institutions through their use of trolls, bots, and social media platforms.

Rather than simply examine the specific threat posed by Kaspersky Lab software, we need to take a much wider view and look at the evolving and expanding threat that Russians' cyber attacks and influence operations pose today in our society. I'm happy that Dr. Mark Jacobson, our witness today, can speak about Russia's history of influence operations against the United States and the many ways that Russia seeks to undermine Western democracies. I thank you for coming today, Dr. Jacobson.

I ask again for the Science Committee to commit to holding a 2016 election postmortem with an eye on ways the Science Committee can help discourage foreign interference in future elections and how we can encourage the development of tools and technologies to help identify these threats and limit their impact on our government, public, and society.

I thank you, Mr. Chairman, and I yield back the balance of my time.

[The prepared statement of Ms. Johnson follows:]

Chairman LaHood. Thank you, Ms. Johnson. At this time let me introduce our witnesses here today.

Our first witness today is Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications for the National Protection and Programs Directorate at the U.S. Department of Homeland Security. Ms. Manfra has held multiple positions related to cybersecurity at the Department, and prior to serving at DHS, Ms. Manfra served in the U.S. Army as a Communications Specialist and a Military Intelligence Officer. Welcome.

Our second witness is Ms. Renee Wynn, Chief Information Officer at NASA. Ms. Wynn previously served as the Acting Assistant Administrator for the Office of Environment Information at the EPA. She holds a bachelor of arts in economics from DePauw University in Indiana. Welcome, Ms. Wynn.

Our third witness is Ms. Essye Miller. She is the Deputy Chief Information Officer for Cybersecurity at the U.S. Department of Defense. Ms. Miller previously served as the Director of Cybersecurity for the Army Chief Information Officer. She received her bachelor's degree from Talladega College and a master's from Troy State University, as well as from Air University at the Air War College. Welcome.

Our last witness today is Dr. Mark Jacobson. He is an Associate Teacher Professor for the Edmund Walsh School of Foreign Service at Georgetown University. Dr. Jacobson previously held appointments as a Senior Advisor to the Secretary of Defense and as a Special Assistant to the Secretary of the Navy. He has also served as the Deputy NATO Representative and Director of International Affairs at the International Security Assistance Force. Dr. Jacobson holds degrees from the University of Michigan, the King's College, University of London, and a Ph.D. in military history from Ohio State University. Welcome.

At this time I now recognize Ms. Manfra for five minutes to present her testimony.

TESTIMONY OF MS. JEANETTE MANFRA, ASSISTANT SECRETARY FOR CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

Ms. Manfra. Thank you, sir. Mr. Chairman, Ranking Member Beyer, Mr. Smith, and Ranking Member Johnson, and members of the committee, today's hearing is an opportunity to discuss the Department of Homeland Security's actions regarding Kaspersky Lab products.

As the Assistant Secretary for Cybersecurity and Communications, I lead many of the Department's efforts to safeguard and secure cyberspace, a core homeland security mission. We work every day to protect federal government agencies and collaborate with state, local, tribal, and territorial governments and the private sector to enhance the security and resilience of our cyber and physical infrastructure.

Earlier this year, the President signed an executive order on strengthening the cybersecurity of federal networks and critical infrastructure. This executive order set in motion a series of assessments and deliverables to improve our defenses and lower our risk to cyber threats. DHS has organized around these deliverables by working with government and private sector partners. Federal agencies have been implementing the NIST cybersecurity framework. Agencies are reporting to DHS and the Office of Management and Budget on their cybersecurity risk mitigation and acceptance choices.
DHS and OMB are evaluating the totality of these agency reports in order to comprehensively assess the adequacy of the federal government's overall cybersecurity risk management posture.

In addition to our efforts to protect government networks, we are focused on how government and industry work together to protect the Nation's critical infrastructure. We are prioritizing deeper, more collaborative public-private partnerships.

Protecting federal information systems requires addressing risks within the supply chain. The Department has been actively engaged in its own efforts, as well as broader interagency efforts to address IT supply chain threats. As we build on best practices to improve the federal government's own actions within this space, we will coordinate and share information with our state and local government partners, as well as the private sector critical infrastructure community.

Among other authorities, the Federal Information Security Modernization Act of 2014, commonly referred to as FISMA, authorizes the Department of Homeland Security to develop and oversee the implementation of binding operational directives, or BODs. These directives to federal agencies are for purposes of safeguarding federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk. Federal agencies are required to comply with these DHS-developed directives.

On September 13 of this year DHS's Acting Secretary signed a binding operational directive to address the use or presence of Kaspersky Lab products, solutions, and services on federal information systems. After careful consideration of available information and consultation with interagency partners, DHS determined Kaspersky Lab products present a known or reasonably suspected information security risk to federal information systems.

In a public statement, the Department identified concerns regarding, one, the ties between certain Kaspersky officials and Russian intelligence and other government officials; two, the requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks; and three, the broad access to files and elevated privileges provided by antivirus products and services, including Kaspersky products, that can be exploited by malicious cyber actors to compromise information systems. The action taken is a reasonable, measured approach to the information security risks posed by these threats--or posed by these products to the federal government.

In addition to the reports from agencies required by this directive, our National Cybersecurity and Communications Integration Center continues to operate important capabilities that help DHS better understand the use of these products within the federal government. For instance, we operate capabilities that monitor NetFlow at federal agencies commonly referred to as Einstein. We also provide agencies tools within our Continuous Diagnostics and Mitigation program. Both of these capabilities enabled us to further our understanding of the presence of Kaspersky products on agency networks.

I want to thank Congress for your focus on these issues and highlighting the concerns here. Your focus has been extremely helpful to us as we have evaluated the evidence, communicated with our colleagues around the interagency, and made the decision to issue the binding operational directive.

It is important for the committee to understand that DHS is providing an opportunity for Kaspersky and any other entity that claims its commercial interests will be directly impacted to submit a written response and any additional information or evidence. DHS will review any submissions closely and make adjustments to a directive--to our directive if appropriate.

Before closing, I want to assure the Committee that I will answer your questions to the extent I can in an open hearing and at this time. Some of your questions may require the discussion of classified information, which I clearly cannot address in an open hearing. Other questions may not be appropriate to address at this time because we are in the middle of an administrative process with the affected entity, and there could be litigation related to this directive. Because we need to provide the company with a meaningful opportunity to be heard, and there may be federal court review of our actions and decisions, there may be certain issues that it would not be appropriate for me to comment on until the conclusion of this administrative process.

Thank you very much for the opportunity to testify today, and I look forward to your questions.

[The prepared statement of Ms. Manfra follows:]

Chairman LaHood. Thanks, Ms. Manfra. At this time I now recognize Ms. Wynn for five minutes to present her testimony.

TESTIMONY OF MS. RENEE WYNN, CHIEF INFORMATION OFFICER, NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

Ms. Wynn. Great. Good morning, Mr. Chairman, Ranking Member, and distinguished Members of the Subcommittee. Thank you for the opportunity to testify before you today regarding NASA's efforts to comply with the recent Department of Homeland Security binding operational directive regarding Kaspersky-branded products.

As NASA's Chief Information Officer, my number-one priority is to effectively manage and protect NASA's information technology assets in an ever-changing threat landscape.
Each day, hundreds of thousands of NASA personnel, contractors, academics, international partners, and members of the public access some part of NASA's IT infrastructure, which is a complex array of information systems with more than 160,000 components geographically dispersed around the globe and beyond. NASA works closely with our federal cybersecurity partners to ensure NASA's network is safeguarded from threats, assessed against stringent federal and agency security requirements, and continuously monitored for compromise and the effectiveness of our security measures. New cybersecurity tools, particularly the Department of Homeland Security's Continuous Diagnostics and Mitigation program, are allowing us to have better insights into our networks, which allows us to better mitigate threats. However, given the evolving nature of threats, our work is never done.

Antivirus software is one component of endpoint protection implemented to safeguard NASA systems and data. NASA has been using Symantec Endpoint Protection software as its desktop standard load since 2010. Therefore, Kaspersky-branded products, the focus of today's hearing, are not part of NASA's standard load software.

Between January 1, 2013, and mid-August 2017, NASA identified a small number of machines which had Kaspersky-branded products preinstalled. When discovered, these instances were removed to comply with NASA's desktop standard software configuration. Another item of importance is that NASA's Office of Procurement has no record of NASA funds being used to purchase individual instances of Kaspersky-branded products. Therefore, we believe that the limited instances of Kaspersky-branded products found to exist on agency hardware were likely the result of larger procurements and bundled preinstalled software.

On September 13, 2017, NASA received the Binding Operational Directive 17-01, which required all federal executive branch departments and agencies to take action with regard to Kaspersky-branded products on federal IT systems. NASA notified the Department of Homeland Security on Friday, October 13, that no Kaspersky-branded products were identified on NASA systems. Therefore, no additional actions are required by NASA under the terms of the binding operational directive.

Also of note, in 1993, the General Services Administration asked NASA to be part of a pilot project for the governmentwide acquisition contracts. Subsequently, NASA was one of three agencies designated to provide a governmentwide contract vehicle for other agencies to use when acquiring IT products and services for their own agencies. This vehicle is known at NASA as the Solutions for Enterprise-Wide Procurement or SEWP. In July 2017, in coordination with the General Services Administration, NASA removed all offerings of Kaspersky-branded products from the SEWP database and installed filters to prevent Kaspersky-branded products from being re-added.

In conclusion, protecting and upgrading and better managing NASA's IT infrastructure is and will remain a top agency priority. When threats such as unauthorized software are detected, NASA personnel take action. NASA is fully committed to becoming more secure, effective, and resilient, and we are actively pursuing this on all levels.

Thank you for the opportunity to testify before you today, and I'd be happy to answer any questions that you may have.

[The prepared statement of Ms. Wynn follows:]

Chairman LaHood. Thank you, Ms. Wynn. At this time, I recognize Ms. Miller for five minutes for her testimony.

TESTIMONY OF MS. ESSYE MILLER, DEPUTY CHIEF INFORMATION OFFICER FOR CYBERSECURITY, U.S. DEPARTMENT OF DEFENSE

Ms. Miller. Good morning, Mr. Chairman, Ranking Member, and distinguished Members of the Subcommittee.
Thank you for this opportunity to testify today on the Department of Defense position regarding the federal government's use of Kaspersky Lab software. I currently serve as the Deputy Chief Information Officer for Cybersecurity at the Department of Defense. Additionally, I serve as the Department's Chief Information Security Officer. My primary responsibility is to ensure that the Department has a well-defined and executed cybersecurity program. I am also responsible for coordinating cybersecurity standards, policies, and procedures with federal agencies, coalition partners, and industry. In this unclassified setting, I can state that as a matter of DOD enterprise cybersecurity, antivirus software does play a role. However, Kaspersky Lab is not part--a part of the Department of Defense antivirus solution. Currently, the DOD has enterprise licenses for both McAfee and Symantec Antivirus for DOD devices, as well as for DOD personnel's home computer use. Kaspersky Lab is not on the approved products list for the Department, and there are currently no contract awards for the software listed in the federal procurement data system. Although the Department of Homeland Security's binding operational directive does not apply statutorily to defined national security systems, nor to certain systems operated by the Department of Defense, the Department has implemented the intent of the directive. Prior to the directive's release on August 3, 2017, Joint Force Headquarters DODIN Defense Information Network issued a task order to mitigate any potential threats to the Department networks. Within the bounds of the directive requirements, we conducted a search of DOD systems and confirmed that we did not have the listed Kaspersky products on any of our systems. Kaspersky Lab products remain an ongoing supply chain risk management for the Department. 
To reduce these risks, DOD issued instruction 5200.44, protection of mission-critical functions to achieve trusted systems and networks. Additional details on that instruction are contained in my written statement, along with the detailed processes and enterprise resources DOD has implemented. I would like to thank the subcommittee for supporting these important cybersecurity issues. Protecting the networks for the warfighter is a top priority for the Department of Defense. Thank you again for the opportunity to testify before you today, and I look forward to answering your questions. [The prepared statement of Ms. Miller follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Chairman LaHood. Thank you, Ms. Miller. At this time, I will recognize Dr. Jacobson for five minutes for his testimony. TESTIMONY OF DR. MARK JACOBSON, ASSOCIATE TEACHING PROFESSOR, EDMUND WALSH SCHOOL OF FOREIGN SERVICE, GEORGETOWN UNIVERSITY Dr. Jacobson. Thank you. Mr. Chairman, Ranking Members, thank you for the opportunity and the kind introduction. I'm going to enjoy speaking with you all today. I hope I'm not too professorial for the hearing. I also want to note that I'm here in my personal capacity and not representing any of my employers, the Navy Reserve, or the Department of Defense. My intent is to try and put the Kaspersky situation within a larger foreign policy context. The Committee is already well aware of the dangers in the cyber arena and the imperative of cyber hygiene as a defense. I believe it's also critical to understand that Russian activities are part of broader foreign policy objectives, part of their political warfare campaign. Thus, regardless of whether or not there's a relationship between Kaspersky Labs and the Russian Government or it's simply a vulnerable piece of software, that becomes an entry point for Russian subversive activities, propaganda operations, or espionage. 
Put simply, while cyber attacks and political warfare campaigns are a danger on their own, cyber activities that enable political warfare campaigns can prove incredibly effective at influencing attitudes and changing behaviors. Put another way, in political warfare campaigns, it is the human mind that is the center of gravity. It's worth noting our adversaries have not hidden their intentions. Both the Russians and the Chinese have made it clear that they believe in the power of political warfare. Russia's well-financed and deliberate intervention in the American political dialogue is part of a broader effort to undermine America's faith in its free institutions, diminish U.S. political cohesion, weaken transatlantic relations, diminish the international appeal of the United States, and ultimately reduce American power abroad. Thus, we must think about U.S. national security more broadly rather than focusing on a single hack, one election cycle, or a single social media or antivirus company. Propaganda and political warfare campaigns are certainly not new. It's worth noting that 500 years ago, Martin Luther's 95 Theses were probably the first element of intellectual thought to go viral. Of course, the Twitter of his day was the printing press and his own social media networks that allowed a message of religious reform to go viral and spread across all of Christendom in about four weeks. Today, that timeline might be four hours. The Cold War also provides some insights into how the Russians think about disinformation and subversion. Soviet efforts not only included campaigns to discredit Martin Luther King and try and make the civil rights movement more extreme and more violent, but they also sought to provoke a full-blown race war in the United States. Perhaps more dramatically in 1983, the Soviets planted newspaper articles alleging that the AIDS virus had been developed by the U.S. Government to target African Americans and the homosexual community. 
Within four years, that story had been repeated in over 80 countries, doing tremendous damage to U.S. credibility abroad and at home. Indeed, at least one study as late as 2005 found that almost 50 percent of African Americans believed HIV was a manmade virus designed to wipe out the African-American community. Today, the fingerprints of Russian disinformation campaigns have been left on both sides of the Atlantic, whether it's Brexit or the American election, Russian propaganda still infects U.S. social media networks, and we see the same sort of divisive propaganda that we saw during the Cold War. Again, the goal is to divide and exploit divisions, yes, that already exist in our country, but they are exacerbating the problem. So what do we do about this? While robust cybersecurity practices and the regulation of political advertising on social media are a good start, we must strengthen the public's ability to interact with information in the digital world. Broadly, we must begin a concerted effort to inoculate the American public against the viral threat of disinformation through more civic education and media literacy. Specifically, these must become bedrocks of our formal and informal education systems in order to make our population more immune to the threat. This may require the same level of effort that President Eisenhower showed with the National Defense Education Act in 1958 in an attempt to bolster poor American efforts in math, science, and foreign language education. Indeed, Eisenhower believed those skills were critical in keeping up with the Russians during the post-Sputnik world. Today, it may be critical thinking and media literacy that can protect our freedoms. To conclude, in 1900 Mark Twain celebrated the anniversary of the Gutenberg printing press, and he noted that everything that is good in the world today and everything that is bad is a result of that invention.
That device had, in Twain's words, ``found truth walking and given it a pair of wings, but it also found falsehood trotting and gave it two pair of wings. It had set peoples free but at the same time made despotism more possible where it was not possible before.'' In short, the internet revolution may surpass Gutenberg's printing press as the greatest event in secular history, and it's already created wonderful opportunities and wicked problems. But we must understand that in the end it's used by human beings, and it's in human beings where we will need to strengthen, as the Chairman said earlier, resiliency. Thank you very much, and I look forward to your questions. [The prepared statement of Dr. Jacobson follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Chairman LaHood. Thank you, Dr. Jacobson. And we will now move to the question portion of our hearing today. And let me just thank all the witnesses for your valuable testimony here today for this important hearing. And the Chair now will recognize himself for five minutes. And, Ms. Manfra, I want to start with you. It's my understanding that DHS notified Kaspersky of the BOD or the Directive 17-01 outlining the concerns that led to the issuance of the directive and provided Kaspersky the opportunity to initiate a review by DHS by providing a written response by November 3 of 2017. Did DHS receive a response from Kaspersky by that date? Ms. Manfra. Sir, we did give them a one-week extension to November 10, and we did receive a response. Chairman LaHood. And have you initiated a review of that response? Ms. Manfra. Yes, sir. My legal counsel is reviewing the response right now. Chairman LaHood. And can you give us an update on that today? Ms. Manfra. I cannot, sir. Chairman LaHood. Can you tell us whether you've received any evidence or information from Kaspersky that addresses or alleviates the Department's concerns at this time? Ms. Manfra. I cannot say that we have. The legal counsel is still reviewing it.
We just received it on Friday night. So once they review it, I will review it as well, and we'll make the determination to send it out to the Acting Secretary in order for her to make a decision. Chairman LaHood. And have you reviewed it yourself? Ms. Manfra. Not yet, sir. Chairman LaHood. Do you know how long it was, the response? Ms. Manfra. It was significant, sir. I'm not sure how many pages it was. Chairman LaHood. And you referenced earlier your concern about litigation as it pertains to Kaspersky. Can you elaborate on that on your specific concerns? Ms. Manfra. Sir, the company, should we make a decision that they do not believe is appropriate, they always have the option to take this to court to have a judge make a decision about whether the Department made an appropriate decision. Chairman LaHood. And have you reviewed the legal aspects of this, and have you made a determination on what was done here was legally proper? Ms. Manfra. I am not a lawyer, sir. I have had the lawyers review it and spoke with them about it. I do believe that it was legally proper. Chairman LaHood. Ms. Manfra, the directive was issued on September 13, and within 30 calendar days, federal departments and agencies were required to identify the use or presence of Kaspersky products on their systems and provide DHS a report containing preliminary findings such as the number of endpoints impacted by each product and the methodologies used to detect the presence of Kaspersky. Has DHS received this information from all agencies? Ms. Manfra. We have received it from the majority, sir. There are a small number of very small agencies that we are assisting them. They do not have the tools that other larger agencies might have, but we've received them from 94 percent of the federal agencies. Chairman LaHood. And can you give us an update on what you have received thus far? Ms. Manfra.
What we've received is that, again, out of all the federal agencies, a very small number have identified the use or presence in some aspect of their system of Kaspersky-branded products, about 15 percent of agencies who have reported. Chairman LaHood. And where are you in the process of determining in the next phase whether anything was compromised or where we're at with that? Ms. Manfra. We're working with each agency individually. Some of them have chosen to go ahead and remove the products ahead of schedule, and so we're working to understand where the presence was, what doing an audit if you will of what information may have transited those systems and whether there was any cause for concern for the most part. We have not identified any yet, but we're still working with agencies. Chairman LaHood. And do you believe the phased system that's been put in place, that you'll be able to comply with that fully? Ms. Manfra. Yes, sir. Chairman LaHood. Within 60 calendar days of the issuance of the directive, agencies were required to develop and provide DHS a detailed action plan to remove and discontinue future uses of Kaspersky products. Since the 60-day deadline has passed, can you confirm that all agencies or departments have submitted their required action plan? Ms. Manfra. Not all of the agencies have submitted the required action plan. As I mentioned, some of them have gone ahead and just identified a way to remove the software, so they're going about that. A couple of the agencies needed additional help, so we're working with them on that so they can meet the deadline. Chairman LaHood. Thank you. Those are all my questions at this time. I'll yield to Mr. Beyer for his questions. Mr. Beyer. Thank you, Mr. Chairman. Thanks all of you very much for being with us. This is fascinating. Dr. Jacobson, in your testimony--I'm going to quote from your written one because I have it written down.
You said, ``Russia's well-financed and deliberate intervention in the American political dialogue is part of a much broader effort to undermine America's faith in its free institutions, diminish U.S. political cohesion, erode confidence in Western democracies and the credibility of Western institutions, weaken transatlantic relationships, including NATO, and diminish the international appeal of the United States, as well as reduce American power abroad.'' I'd just love it if you could emphasize that this is a bipartisan concern, much larger than the 2016 presidential election. Dr. Jacobson. Thank you, Ranking Member Beyer. I grew up as a child of the Cold War and watched how Ronald Reagan strengthened U.S. efforts against the Soviets, but I also think it's interesting--and at the risk of invoking ire even from my Democratic friends--so did Jimmy Carter in different ways. And I think that we had a bipartisan consensus throughout the Cold War that the Russians were a threat. I actually--in listening to the Committee today, I see a recognition of that, and I think there's an understanding that there are things that need to be done to strengthen America's ability to be a strong ally abroad and look out for our vital national security interests that don't have to cross partisan lines. And I think if we look at what the Russian effort is doing and look at dealing with the technical, as well as dealing with this war against our population in terms of disinformation, I think there are a number of avenues where Congress can lead the way in terms of a bipartisan effort. Mr. Beyer. Let me go further on that. I love the--Ph.D. in military history. It was a fascinating educational background. 
So as a professor, you talked about the human mind is the center of gravity in political warfare and then cited President Eisenhower with the whole notion of the ability to evaluate information, think critically, maintain a healthy skepticism, understand that some messages out there are deliberately deceptive will make our population much more conscious about the information they absorb. How do we get there? Dr. Jacobson. It's a great challenge, sir. The Stanford History Education Group just did a study that's a bit disheartening, and what it did was take undergraduate students, high school students, as well as trained historians--my colleagues in the academic arena--and all of them failed pretty miserably at identifying fake news. The folks who did do pretty well were professional fact-checkers, and the reason is not only do they look for the source of information, they were comparing things horizontally. As I say to my students, ``Watch MSNBC, watch CNN, watch Fox, even read Breitbart.'' You need to understand what everyone is doing about looking at a story, and you can pick up the anomalies. You can see what does not make sense. But I think what's even more critical is to understand we have to start this at the K-through-12 level. By the time our children are 18 years of age, it's almost hardwired in their system where they can't identify or can't see the difference between an advertisement and a factual news article, an opinion piece, and false information. So this is an education issue. It's also a training issue as well, even for folks like myself, even for all of us sitting here today. Mr. Beyer. Thank you. I confess the number of emails I get every week from family members that have the wildest possible theories, including the fact that Chairman LaHood and I are going to be paid our full salary for the rest of our lives after serving one day in Congress, that kind of disinformation is out there. You talk about cyber hygiene imperative.
You know, our electoral system is widely, widely distributed, you know, precincts. Virginia's got 2,500 precincts. How do we ever get cyber hygiene down to the towns and the counties around America? Dr. Jacobson. Again, I think the first step is awareness, but I'm actually glad I'm on this side of the table here and don't have to worry too much about implementation, but I think it's important to understand that this is not just a federal government issue; it's a state and local issue as well. And the reason I emphasize cyber hygiene is all the technology in the world, as we used to say in the Army, is not going to G.I.-proof that computer against someone who picks up a USB stick on the sidewalk and decides to plug it into their computer. There are stupid things that smart people do that can help infect systems. And I think helping to make things easy for our federal workforce to understand in terms of what to do and what not to do but also educating the general public in terms of understanding malicious links. And anyone who's looked at emails or read in the newspapers about even our most senior military leaders were duped by phishing attempts, this is difficult, but again, I think the solution in terms of teaching people what to do and what not to do is a bit easier than we might concede. Mr. Beyer. Great. Thank you very much. Mr. Chair, I yield back. Chairman LaHood. Thank you, Mr. Beyer. I now recognize the gentleman from Florida, Mr. Posey, for his questions. Mr. Posey. Thank you, Mr. Chairman. Ms. Manfra, it staggers the imagination that our government approved and purchased security software from Russia's Kaspersky Labs, known to have ties to the Kremlin's intelligence community. I mean, it's just--it's still hard for me to get my arms around the fact that we really allowed that to happen and that in fact that that software doesn't protect us. Obviously, it harms America's security by allowing malicious actors to get total access to our computers.
Who approved the purchase of that software? Ms. Manfra. Sir, it's hard to say in every case. Often, what we see is that that software was bundled into other purchases, so you buy a computer and the antivirus was installed with the computer, so they weren't necessarily aware that they were explicitly purchasing that, which is why it took a little bit of time to--for agencies to go through and identify that. You know, in the end it is the procurement of individuals who are making some of these choices, but what we did see is a very low percentage of that presence. But for the most case, what we believe happened was it was often bundled into other purchases. Mr. Posey. So where does the buck stop? Ms. Manfra. Sir, in the end it is up to every agency head to make cybersecurity risk management decisions, and we are working across the federal government to approve--to improve our processes for supply chain risk management to be able to address issues such as this and to be able to make it clear what software and hardware agencies are purchasing and what risk that introduces into the system. Mr. Posey. Okay. So every agency head ultimately is responsible? Ms. Manfra. Yes, sir. Mr. Posey. According to the directives, already you were supposed to receive some reports from every agency that was affected. I think the Chairman asked you about that earlier. Would you mind stating for me which agencies have complied thus far? Ms. Manfra. Sir, all of the agencies have complied with the first phase except for a very small number of very small agencies who just don't have the resources and we're helping them with that. We're still in the--sort of the second phase. Mr. Posey. When we say all the agencies except a few, how many agencies are we talking about? Ms. Manfra. Six, sir. Mr. Posey. Six agencies have complied? Ms. Manfra. Six have not complied yet with the first phase, which is the reporting whether they have the products on their system. Mr. Posey. How many have complied? 
Ms. Manfra. About--so, there's 102 total agencies, six-- Mr. Posey. All right, 96, 98, okay. Ms. Manfra. Yes. Mr. Posey. Which agencies have not complied? Ms. Manfra. Sir, I'd be happy to work with your staff, not an open hearing, to talk to you about the specific agencies. They are working very hard, sir. It's not like they're-- Mr. Posey. Well, I know they're---- Ms. Manfra. --not trying-- Mr. Posey. --working hard. I don't see, you know, what risk there is in naming who hasn't complied. I'm just curious. I don't know if other members are, but I'm curious to know which ones haven't complied. Ms. Manfra. We would prefer to keep those not public, sir. We don't believe that it is helpful to name them publicly. Mr. Posey. How would that harm anything? Ms. Manfra. I think it could have two aspects, sir. It would, you know, alert anybody who was looking to use potentially the presence of that software on their systems if-- should they have it. It would also harm the relationship that we have. A lot of our work depends on a trusted relationship with these agencies. Mr. Posey. And so if you told Congress that they weren't behaving appropriately, it might hurt your relationship? Ms. Manfra. Sir, I don't mean to imply that they're not behaving appropriately. What I imply is that these are very small agencies, some of them with only 6 to 10 people in them that do not currently have the resources, and we're just assisting them with identifying what products are on their system. Mr. Posey. Now, you talked about fear of litigation from Kaspersky Labs a little while ago when somebody else mentioned that. How in the world could you possibly fear any action by them? I mean, you wouldn't have signed an agreement with them that would allow them to sue you and you not defend yourself, would you? Ms. Manfra. 
I don't fear any action from them, sir, but they do--they could potentially take action, and I want to ensure that we are in a position to address any concerns that a judge may have. Mr. Posey. Yes. I think the audacity--I think to paraphrase Clint Eastwood, ``Go ahead and make my day.'' Ms. Manfra. Yes, sir. Mr. Posey. Can you explain to me the penalties to the executive agencies if they don't comply? Ms. Manfra. We would work with the Office of Management and Budget to determine what the issue was. Sometimes the issue is they don't have the resources, and whether it is to identify the products or it is to replace them, so it may not be a stick that they need but actually additional resources, or if there was a stick required, then we would work with OMB to address that. Mr. Posey. Have there been any enforcement actions thus far? Ms. Manfra. No, sir. We have issued six binding operational directives, and in each case every agency that we've worked with has been willing and eager to comply with them. Some of them are challenged with resources, though. Mr. Posey. Thank you, Mr. Chairman. I see my time's expired. Chairman LaHood. Thank you, Mr. Posey. I now yield to the Ranking Member, Ms. Johnson. Ms. Johnson. Thank you very much. Dr. Jacobson, you referred to fake news generated by the Soviet Union during the Cold War and cite the disinformation campaign by Soviets that claimed that the U.S. Government developed the AIDS virus intentionally to target homosexuals and African Americans. You say these stories spread to 80 countries and were translated into 30 languages in just four years, a timeline which today could probably be as little as 4 hours or perhaps 4 minutes to circulate around the world. You said one of the reasons the Soviets generated this fake story was to heighten racial divisions in America. 
Just last month, CNN reported that Russia had created a fake group called Black Fist and Russian trolls linked to this operation paid personal trainers in New York, Florida, and other States to run self-defense classes for African Americans. They were apparently attempting to sow animosity and tension along racial lines. But this group was created in January of 2017, 2 months after the 2016 U.S. presidential election. Dr. Jacobson, do you believe that Russia's influence campaign against America is only tied to trying to manipulate our elections or do they have other wider interests in influencing American citizens? Dr. Jacobson. Thank you, Congressman--Congresswoman. I believe the Russians have long-term objectives. They are not simply concerned with one election cycle. This is a campaign designed to continue to divide the United States. And if you take a look at some of the sites you've mentioned, you had mentioned Black Fist. There was also the Blacktivist, a fake site. There was also one called Heart of Texas. And the whole idea is to take the divide we have--and the Russians don't want to see reconciliation. They don't want to see dialogue and debate. What they would like to see is both sides of an issue resort to violence in the end. And I'm overstating the simplicity of doing that, but that's their long-term effort because it requires us then to look inside and not look at what's happening around the world and thereby advance Russian foreign policy objectives. Ms. Johnson. You mentioned the need for better standards and fact-checking by reputable news organizations to help them avoid being duped by fake news. Social media sites are not newspapers, but they do generate news. At the same time, we don't want to limit anyone's ability to speak out publicly and share their own thoughts or opinions, so how do we emphasize fact-checking in news-related stories and distinguish that from someone being able to offer their own opinion? Dr. Jacobson. 
I think there are a couple pieces there. I'll be the last person who wants to mess with the business model or content on social media sites. I mean, you look at one of the strengths of our nation, it's the idea of freedom of expression. But I think there are certain limits we can place. For the social media world, they are as much media companies today as they are social, and they have to understand that when it comes to political advertisements they should be subject to the same regulations that traditional media are. I think there are ways--you look at a company like Twitter where there's a verification blue check that says to the world, ``This individual is who they say they are.'' I also think if you look at systems like Moody's for the financial network, let's find an independent organization that gives a rating to either traditional or social media outlets. Now, not all the traditional or social media outlets will be particularly happy with it, but it's just a start. And in fact I'm--I believe that Silicon Valley could come up with some even better ways to do it if they put their mind to it. Ms. Johnson. Thank you very much. Mr. Chairman, I yield back. Chairman LaHood. Thank you, Ms. Johnson. I now yield to the gentleman from Louisiana, Mr. Higgins, for his questions. Mr. Higgins. Thank you, Mr. Chairman. At this time I ask unanimous consent to enter into the record the written testimony of cybersecurity expert Troy Newman of Cyber5. Chairman LaHood. Without objection. [The information appears in Appendix II] Mr. Higgins. Ms. Wynn, Mr. Newman has advised myself and other Members of this Committee that a simple software uninstall can't guarantee that all components of the application are removed. He elaborated that the best, most secure software removal process for remediation of threat is first an immediate uninstall and then a scheduled complete hard drive replacement.
Can you briefly elaborate for those of us that don't understand things of this nature why a simple software uninstall is insufficient and why complete hard drive replacement is the best solution? Ms. Wynn. Thank you for your question. I would have to take that back to some serious experts in terms of hard drive management and truly erasing software and breadcrumbs and footprints associated with that software that get left behind on hard drives. What I can speak to is that NASA takes very seriously its cybersecurity responsibility, and when we find unauthorized or unapproved software, we work very quickly to remove that. We also have lines of defense that if--that are sort of layered in terms of--so that if you don't do very well on your first pass there are other ways and other mitigations that we do to protect our network to try to contain any threats to our environment. Mr. Higgins. So when members of this panel have referred to agencies that have attempted to comply with the directive by removing Kaspersky software from their systems, would you concur that that doesn't mean that Kaspersky is actually gone from the system? Ms. Wynn. I would say that cybersecurity is never a 100 percent deal and that what we have to-- Mr. Higgins. If the hard drive is removed, is it a 100 percent deal? Ms. Wynn. Sir, I can't speak to a hypothetical computer. I think you'd have to take a look at how a computer might be, let's say, infected to decide whether the hard drive was one where you could reuse again or if you would just decide not to put that hard drive back into your computer. Mr. Higgins. So that would require--that's an excellent answer, thank you, Madam. And that would require further evaluation of that particular system? Ms. Wynn. You need to always monitor your network to make sure it's fully protected. Mr. Higgins. Very well. Thank you for your answer. Ms. Manfra, thank you for your service to your country. 
The Binding Operational Directive 17-01 in its initial statement calls for a 30-day period to identify the use of Kaspersky products and then a 60-day period to provide detailed plans to remove and discontinue the present and future use of the products and then a 90-day period to begin to implement the agency plans to discontinue use and remove the products from information systems. However, there's a clause stating in there--stating that unless directed otherwise by DHS based on new information at--by what measure, Madam, would DHS ever determine never mind, let's go ahead and keep this product on our systems? Why is that clause in there?
Ms. Manfra. Sir, after extensive review of this process by our legal counsel, we felt that it was important to allow Kaspersky Labs and any other potentially affected entity a meaningful opportunity to respond to the decision that we had made.
Mr. Higgins. So that clause is inserted into the DHS DOD 17-01, the binding operational directive for United States Government agencies--that clause was inserted to protect Kaspersky----
Ms. Manfra. No, sir.
Mr. Higgins. --as opposed to government agencies?
Ms. Manfra. No, sir. That clause was inserted that should the Kaspersky or another commercial entity come back with new information that would result in the Acting Secretary reconsidering her decision, then we would issue new guidance based off of that new information.
Mr. Higgins. And what could that new guidance be other than to discontinue the process of removing Kaspersky products?
Ms. Manfra. That would probably be it, sir, if that was the Acting Secretary's decision but it would have to be based off of new information that had previously not been understood or considered.
Mr. Higgins. Mr. Chairman, I have one brief question if you would allow.
Chairman LaHood. Yes, go ahead, Mr. Higgins.
Mr. Higgins. Regarding code, Ms. Manfra, it's my understanding that the directive does not apply to Kaspersky code embedded into products of other companies. Is that correct?
Ms. Manfra. I wouldn't say that it doesn't apply to Kaspersky code because that would be--
Mr. Higgins. The directive applies to removal of the products----
Ms. Manfra. Correct, sir.
Mr. Higgins. --but what about the code behind?
Ms. Manfra. It--what we focused on was products that are clearly identified as Kaspersky. What we have not focused on in this directive that we are continuing to pursue is understanding how they may be embedded in other products that are not Kaspersky and working toward the process to address those.
Mr. Higgins. Thank you for your answer. Mr. Chairman, my time is expired. I would just share that it's concerning--it's exactly what we're talking about, the entire series of Kaspersky-related hearings, concerns, and apparently known or reasonably suspected information security threat that the Kremlin has embedded itself in our federal systems, and may I submit that that should certainly include code. I thank you for your indulgence, Mr. Chairman. I yield back.
Chairman LaHood. Thank you, Mr. Higgins. I now recognize the gentleman from California, Mr. McNerney.
Mr. McNerney. Well, I thank the Chairman and I thank the witnesses. Dr. Jacobson, three prominent U.S. security agencies including the CIA and the NSA, concluded that the Russians had operations intended to influence the 2016 presidential election but declined to comment on whether that effort had been successful. Do you have an opinion if the Russian efforts were successful in influencing the 2016 elections?
Dr. Jacobson. Well, I'm cognizant of not getting ahead of where the multiple congressional investigations are, and of course I'm as eager to see what the conclusions are there, and I'm eager to see the U.S. intelligence community speak more publicly about this.
What I am very confident in saying is that there is clear evidence of attitude changes amongst the U.S. population as a--in response to the numerous social media efforts undertaken by the Russians and Russian agents. And I would point to in particular a study by the Oxford Computational Propaganda project, which noted changes in the way--in the attitudes of individuals commenting on the election on social media after spikes in Russian-bot activity. But I have not done that original research, so I'm reliant on what they have done. But to me, as someone who worked on psychological warfare operations in the Army for quite some time, there is clear evidence of an attitude change amongst the population.
Mr. McNerney. Well, has the Russian effort in any way diminished as a result of the publicity around the 2016 election?
Dr. Jacobson. I don't think it's diminished. I think maybe the target sets have changed, so in short, no.
Mr. McNerney. Okay. In your testimony you state that social media companies must start to see themselves more as media companies because of their ability to spread information and influence the public. What actions can we take in Congress to ensure that the social media companies assume that responsibility more seriously, especially regarding political ads?
Dr. Jacobson. As Dr. Jim Ludes and I said earlier this year in our co-authored report, it's probably time that the social media companies have the same standards in terms of regulation of political advertising transparency that traditional media companies have. I actually think the larger problem--so you have one problem of advertising--paid advertising on the social media networks.
The larger problem is the one of fake sites, and I think that the continued dialogue between Congress, which I don't think wants to regulate the social media companies any more than necessary, and the social media companies which don't want regulation should continue this dialogue because their--the social media companies' terms of service are a very powerful weapon against these fake sites. And we've actually already seen Facebook and YouTube use their terms of service to eliminate these fake sites, including one that was targeting veterans in particular.
Mr. McNerney. Thank you. Ms. Miller, last month Reuters reported that H.P. Enterprises allowed a Russian defense agency to review the source code of H.P. cybersecurity software ArcSight as a condition of gaining certification to sell the product in Russia's public sector. In the same article, Reuters reported that ArcSight serves as a cybersecurity nerve center for much of the U.S. military and that vulnerabilities discovered during the source code review could make the U.S. military more vulnerable to cyber attacks. Is the DOD using ArcSight software?
Ms. Miller. Sir, we use ArcSight primarily in our intel community, but unfortunately, I can't speak to the details at present.
Mr. McNerney. Is the DOD taking steps to secure its systems since learning about the ArcSight code review?
Ms. Miller. I would have to take that as a question for the record, sir.
Mr. McNerney. Thank you. Does the DOD use any other software that's subject to source review by a foreign government--source code review?
Ms. Miller. Well, actually, we have processes in place, sir, to help us work through that process, yes, we do.
Mr. McNerney. Okay. Ms. Wynn, does NASA use ArcSight cybersecurity software?
Ms. Wynn. I'm trying to think about that for a second.
We're going through a process of significant change in terms of the tools in the layers of our cyber defense, and I actually can't remember if ArcSight is coming in or leaving our network, so I'll take for the record and get back to you.
Mr. McNerney. Okay. Ms. Manfra, same question. Does DHS use ArcSight cybersecurity software?
Ms. Manfra. Yes, sir. I'll get back to you. We're working through a process to address this change similar to the other agencies.
Mr. McNerney. Okay. Thank you. Mr. Chairman, I yield back.
Chairman LaHood. Thank you. At this time I yield to the Chairman of the full committee, Mr. Smith, for his questions.
Chairman Smith. Thank you, Mr. Chairman. Just a comment, I'm really surprised our witnesses didn't have a better answer for the gentleman from California. I hope you will be able to answer my questions. And let me direct first ones, Ms. Manfra, to you. Are you aware of any breaches to our national security that have been facilitated by the Kaspersky products?
Ms. Manfra. Sir, I can't discuss that in this forum.
Chairman Smith. I don't understand your answer.
Ms. Manfra. Sir, I prefer to have that discussion in a classified----
Chairman Smith. No, you don't need to have that in a classified hearing. I'm not asking for any specifics. I'm just asking if there have been breaches. I'm not talking about who had their systems breached, when it occurred, or how it occurred, just whether breaches did occur.
Ms. Manfra. Sir, we're still working through the process to identify----
Chairman Smith. We've heard that phrase several times today, ``working through the process.'' That is just not sufficient of an answer.
Ms. Manfra. Sir, it is not conclusive at this time.
Chairman Smith. You don't know whether or not systems have been breached by Kaspersky Lab products yet?
Ms. Manfra. We do not currently have evidence that--conclusive evidence that they have been breached.
I want to do a thorough review to ensure that we have a full picture of----
Chairman Smith. What about the NSA employee? You don't think that was considered a breach?
Ms. Manfra. Sir, I would have to direct any questions on NSA to the NSA.
Chairman Smith. But sure--are you aware of that episode?
Ms. Manfra. Sir, we'd have to have that discussion with the NSA.
Chairman Smith. I'm not--are you aware of the episode and do you consider it a breach?
Ms. Manfra. I'm aware of the allegations of what has been publicly reported in the press and would have to discuss any further details with the NSA.
Chairman Smith. Okay. Let me try a different question. How did the Russian software--some people would consider it spyware--get on the approved list by Department of Homeland Security?
Ms. Manfra. Are you referring to the GSA----
Chairman Smith. Yes.
Ms. Manfra. --sir? Yes. As I mentioned, we need to modernize our supply chain risk management processes within the government. Currently, our processes within the civilian government are largely focused on lowest-cost if you will.
Chairman Smith. The fact that it was a Russian firm operated by a Russian who had some perhaps association with the KGB and certainly the Department of Defense and Russia, that didn't raise any red flags to anyone?
Ms. Manfra. Sir, I wasn't a part of the GSA decision-making process. What I can say is that when we had enough information to make this risk decision, we engaged the GSA, NASA, and others who had these governmentwide contracts to begin to execute a process to remove it.
Chairman Smith. But wasn't that after we called it to your attention? Didn't anybody see any red flags before that?
Ms. Manfra. Yes, sir. One of the things when I assumed the acting position that I'm now appointed to in January was to conduct a thorough review of our use of Kaspersky, the intelligence associated with it----
Chairman Smith. Yes, that's----
Ms. Manfra. --and initiate a plan to remove it.
Chairman Smith.
Yes, that's not what I'm asking. That's after the fact. I'm asking about several years ago when it was on the approved GSA list. Are you aware of any agency that might have raised any red flags or not?
Ms. Manfra. The government has been aware of some increasing concerns about Kaspersky, and we did--not me personally but the agencies with that information did engage with other agencies that had----
Chairman Smith. Okay.
Ms. Manfra. --those procurement responsibilities.
Chairman Smith. I have a question to DOD about that in a second, but one other question. Did the license agreement with Kaspersky allow penetration beyond the usual type of agreements you have with similar types of companies?
Ms. Manfra. No.
Chairman Smith. Okay. We have pretty good evidence that that's not the case, and we'll get back to you on that and have a further discussion. Ms. Miller, let me address a couple questions to you. We're under the impression that in 2012 the Department of Defense made a decision not to use Kaspersky Lab products. Are you aware of that or is that even true?
Ms. Miller. Sir, I'm not even sure that was true. However, we have used processes that I can't discuss at this point based on intel information----
Chairman Smith. Right.
Ms. Miller. --to decide not to use the product.
Chairman Smith. Okay. When did you decide not to use the products?
Ms. Miller. I don't know a date, sir.
Chairman Smith. A year?
Ms. Miller. I don't have a year. I think it's been a couple, but I would have to check.
Chairman Smith. Okay. It might have been 2012. I think we might have the same information. And can you say why they decided not to use--why DOD decided not to use Kaspersky Lab products?
Ms. Miller. I cannot discuss that in open forum, but it was based on intel information that we had.
Chairman Smith. And security--are you aware of any security breaches that occurred at DOD as a result of Kaspersky products?
Ms. Miller. I have no knowledge of any within DOD.
Chairman Smith.
Itself, okay. And in 2012 or however many years it was ago that DOD decided not to use Kaspersky Lab products--and you say you'll get back to us as to why they decided that; there had to be a good reason I assume--do you know if they notified any other agencies of their concerns?
Ms. Miller. I'm not aware of any notification, sir.
Chairman Smith. Okay. Can you double-check that for me? And that'll be an easy question to find out. If you can get back to us by this afternoon on those two questions that I asked you. And then a couple questions, Ms. Manfra, I asked you if you can get back this afternoon as well. They're easy to answer. And if you have to talk to me directly, that's fine, but I would ask you not to take advantage of the cover of classified unless individuals' names are involved or unless it's in regard to specifics. If it's very general, that shouldn't be classified. Okay. Thank you, Mr. Chairman. I yield back.
Chairman LaHood. Thank you, Mr. Smith. I now recognize the gentleman from Colorado, Mr. Perlmutter.
Mr. Perlmutter. Thank you, Mr. Chair. So Mr. Higgins talked about the Kremlin has embedded itself in the structure of the United States. And in prior hearings we've had conversations about foreign intelligence risk, espionage, meddling in U.S. affairs by the Russians and by Mr. Putin himself. And in Danang just a few days ago when asked about Russia meddling in U.S. affairs, the President said, quote, ``I asked him again about meddling. You can only ask so many times. He said he absolutely''--he, Putin--``absolutely did not meddle in our election. He did not do what they are saying he did. I really believe that when he tells me that. He means it. I think he's very insulted if you want to know the truth.'' So, Mr. Jacobson, you know, we're here and it's a real issue, Kaspersky having embedded itself potentially for the benefit of the Kremlin and Russia in our software, in our Defense Department, in NASA, in Homeland Security, but let me ask you about Mr. Putin and about whether or not, given his background, the President should just take him at his word. What do you think about that?
Dr. Jacobson. Well, Mr. Putin's an ex-KGB officer. I'm not sure I would take him at his word if he told me the sun were shining and I was standing outside and there were blue skies and the sun was shining down on me.
Mr. Perlmutter. You used the word psychological warfare earlier. Would Mr. Putin be familiar with that? Is that something he did as the head of the KGB?
Dr. Jacobson. Mr. Putin would be intimately familiar with not only operations he may have been involved in but the entire history of Soviet disinformation and propaganda campaigns. I mean, this is something embedded in the nature of KGB officers and not just propaganda designed to influence and shape American foreign policy that might be truthful. We're talking about deliberate attempts to mislead and obfuscate, covert action, sabotage, subversion, what have you. I don't trust anything coming out of the Russian Government.
Mr. Perlmutter. And I appreciate the Chairman and the Republican majority for having this hearing and looking at Kaspersky and how it may have corrupted some of our computer systems, but, you know, when I take a look at the connections that this Administration has to Russia, Michael Flynn, Jeff Sessions had some contacts, Carter Page, Roger Stone, Jared Kushner, Donald Trump Junior, Michael Cohen, J.D. Gordon, Paul Manafort, Mr. Gates, Mr. Papadopoulos. I mean, that's where this investigation, not just--should not just be on Kaspersky, which is coming in through the back door through different kinds of software that may have tainted the system, but what about the front door which is at the White House?
So are you familiar with these different connections that this Administration may have with Russia?
Dr. Jacobson. Only insofar as what I read in the newspaper. And like everyone else, I'm eager to see what the various congressional investigations or the Special Counsel's Office comes up with on this.
Mr. Perlmutter. You answered a question that Ms. Johnson asked you about, well, what's the real purpose? What is it that we're worried about? Why are we worried about Kaspersky having corrupted some of our systems? Why are we worried about these gentlemen with connections to Russia and with the President saying he believes Mr. Putin? What's the worry here?
Dr. Jacobson. I think there are a couple things here. As we've heard during this hearing, there are concerns about--and it's not a back door; it's a front door. You know, we've given Kaspersky access--if I'm putting antivirus software on my home computer, I'm giving that software company some access. It can be used for espionage. It can be used--I'm particularly worried about data manipulation as well. But again with respect to my area of expertise, I think once you start to get into a system, it becomes a vector for propaganda and influence. It allows you to discredit federal organizations if you want. It allows you to manipulate data and try and create poor policy decisions. But it's also part of a broader effort. If we think of cyber--and again the alleged Kaspersky situation is just one battle in a larger war. You know, imagine if cyber attacks augment rhetorical propaganda attacks that seek to influence the American people's attitudes on Ukraine or Syria or U.S. involvement in the NATO alliance. You can see how the ability of the internet to penetrate, to get to every single individual, and the ability of the Russians to take advantage of the enormity of the marketing data created by Facebook so they can tailor propaganda messages to individuals, it's something--we've never seen anything on that scale.
Mr. Perlmutter. Thank you. And I yield back.
Chairman LaHood. Thank you. Next yield to the gentleman from South Carolina, Mr. Norman.
Mr. Norman. Thank you, Mr. Chairman. You know, as we in Congress hear your testimony and look back over the facts and what you're discussing, you know, I looked at your bios. You've each got, if you combine it, over 100 years in this area, so you're experts in what you do. As--if we look back over the time frame, Kaspersky didn't come up just recently, did it? When did--Ms. Manfra, when did this--the idea of having a problem with the product come up?
Ms. Manfra. When I first became engaged was around 2014----
Mr. Norman. Okay. So this President has been here for nine months, so it's prior to this President coming into office----
Ms. Manfra. Yes, sir.
Mr. Norman. --the issue came up.
Ms. Manfra. Yes, sir.
Mr. Norman. Now, you mentioned--Chairman Smith mentioned the ULA agreements. Are you familiar with those?
Ms. Manfra. Yes, sir.
Mr. Norman. Walk me through the process for approving a ULA agreement.
Ms. Manfra. It's somewhat dependent on the agency, but generically, when a company decides to procure a certain software, they would receive what the company would like that end user license agreement to look like. In some cases we can negotiate some differences. Generally, we don't, but that is again a generic sort of process, so each agency might have different implementation.
Mr. Norman. So how many sets of eyes would look on a--would read a ULA agreement?
Ms. Manfra. Ideally, you would have a legal review--well, you would absolutely have a legal review. You would also have the procurement officials involved, and ideally, you would also have the mission owners, and then you would have those individuals that are responsible for authorizing that network to operate and whatever software goes on that----
Mr. Norman. So a lot of eyes go on it and detail people that know or experienced in reading them.
Ms. Manfra. Yes, sir.
Mr. Norman.
And you say--I think your testimony was there's no abnormality in the ULA agreements that were signed?
Ms. Manfra. No, sir.
Mr. Norman. Okay. Is it normal to agree to binding arbitration and no trial by jury? Is it normal to give access to all data, microphones, and cameras? Is that part of--is that boilerplate language that each agency would agree to?
Ms. Manfra. Sir, I can't comment on what each agency boilerplate language is, but access to much of your computer system is often required for antivirus systems and security software, which was one of the reasons that we looked to understand how that data will be used and ensure we have a trusted relationship with that provider.
Mr. Norman. Well, I guess my question is do you--is it to waive a trial by jury?
Ms. Manfra. That, sir, I would have to get back to on as to whether that was common practice.
Mr. Norman. Well, we have testimony by Mr. Newman that was an abnormality, that that was agreed to by somebody, somewhere, some agency.
Ms. Manfra. It seems unusual, sir.
Mr. Norman. Okay. If--and you don't know which agency--your testimony was this agreement was reviewed by experts in the field, by a lot of different agencies. Now, if that's not a routine clause, who would have put that in there?
Ms. Manfra. Sir, I'd have to understand the details of what the testimony is that you're referring to, the expert testimony, and we can get back to you with details on what might be unusual that that gentleman is referring to.
Mr. Norman. Okay. If you could get that in writing----
Ms. Manfra. Yes, sir.
Mr. Norman. --to all of the members--anybody here that would be interested in seeing it. I think all of us would.
Ms. Manfra. Yes, sir.
Mr. Norman. The exact language that was agreed to, any abnormality that was not normal----
Ms. Manfra. Yes, sir.
Mr. Norman.
--if you could highlight that, and then give us names of the different--I'm sure there are lawyers within the agencies that would agree that looked at this--give us some names of who looked at this ULA agreement.
Ms. Manfra. I will do my best, sir.
Mr. Norman. I yield back.
Chairman LaHood. Thank you. I now yield to Mr.--the gentleman from Georgia, Mr. Loudermilk.
Mr. Loudermilk. Well, thank you, Mr. Chairman. Ms. Wynn, in 2013 the Science Committee staff emailed the legislative affairs teams at NASA to ensure that Kaspersky Lab was not being used on any NASA systems. Do you have any record of that request?
Ms. Wynn. No, sir, I'm not aware of that request, but I can certainly check on the record status within NASA. I didn't join NASA until 2015.
Mr. Loudermilk. Okay. If you would and get back to the Committee on that, I'd appreciate it. Today, you testified that Kaspersky Lab products were identified on a small number of machines that had access to the NASA internal network. Is that correct?
Ms. Wynn. Yes, that's correct.
Mr. Loudermilk. Okay. What was the time frame that Kaspersky was present on the NASA systems? Was it after 2013?
Ms. Wynn. We discovered between 2013 and the assurances that we did in recent past that there had been Kaspersky on the network. Our belief is that it was part of either a larger procurement or bundled within a series of software that then, because our tools are getting smarter, able for us to identify it and go ahead and get that removed.
Mr. Loudermilk. Okay. So some of it may have been software bundled on a computer that was purchased?
Ms. Wynn. It could have been within a computer that was purchased or within a package of software that was put on the network.
Mr. Loudermilk. Can you tell us why it was not remedied earlier and disclosed to the Committee as part of the response to the Chairman's July 27 letter to all departments and agencies?
Ms. Wynn.
So at NASA we've been working very hard to deploy the continuous diagnostic and mitigation tools which allow us to have absolute insights to every single part of NASA's IT infrastructure, which is over 160,000 components. Prior to the CDM coming on board, NASA's ability to take a look at its entire footprint was fragmented and therefore pulling together and synthesizing an entire picture was very, very difficult to do that.
Mr. Loudermilk. Okay. Ms. Manfra, on October 10 the New York Times reported additional details regarding hackers working for the Russian Government stealing details about the NSA's cyber capabilities from a contractor who had stored the information on his home computer. I think everyone is aware of that report. These new revelations were that Israeli intelligence uncovered the breach and the Russian hackers' use of Kaspersky software. The article details that ``Israeli intelligence officers informed NASA that in the course of their Kaspersky hack, they uncovered evidence that Russian Government hackers were using Kaspersky's access to aggressively scan for American Government classified program.'' This thing reads like a Clancy novel, spies spying on spies. But in your opinion would this be considered concrete evidence that Kaspersky Lab has ties to the Russian Government?
Ms. Manfra. Sir, I can't make a judgment based off of a press reporting, but I understand the allegations outlined in that report, and should those be true, I would say that that was evidence, yes, sir.
Mr. Loudermilk. So if the intelligence community were to verify this, then you would agree that that's concrete evidence there's ties?
Ms. Manfra. Yes.
Mr. Loudermilk. Okay. Thank you for your candor there. If this happened in 2014 and the NSA was alerted immediately, why did it take until 2017 for action to take place to secure our systems by removing the software?
Ms. Manfra.
Sir, the binding operational directive was just the latest in a series of actions that we have been taking within the government over the past few years to address this. We had been briefing at a classified level across the federal government, as well as critical infrastructure, as well as--as much unclassified information as we can share. I was not satisfied with the progress, and so we looked for other avenues to escalate to ensure that we had full removal across the federal government.
Mr. Loudermilk. But it took three years to really take action once this was known?
Ms. Manfra. Sir, we--this is a more recent authority that we were given. It is just, again, one of the tools that we had. We were exhausting all of the tools through information-sharing mechanisms throughout, again, the government and others, and this was just one of the public tools that we took to remove the----
Mr. Loudermilk. Okay.
Ms. Manfra. --software.
Mr. Loudermilk. Dr. Jacobson, in a recent interview with Reuters, Mr. Kaspersky admitted his company widely used antivirus software to copy files from personal computers, files that did not pose a threat to the personal computers of those customers. I worked 30 years in the IT business. I did not know this as being a standard practice. Is this typical of industry to copy files that are known not to be threats?
Dr. Jacobson. Congressman, I don't know. I don't have that sort of expertise. However, what I will say is that I stopped using Kaspersky years ago just because of the first sets--this has to be maybe four, five years ago--because there were a number of articles in trade journals that suggested that they just didn't have the types of standards that you want if you're a home computer user so--but beyond that, I can't answer your question.
Mr. Loudermilk. Ms. Miller, is there any other antivirus software that you know that would copy files not known to be threats?
Ms. Miller. None that I'm----
Mr. Loudermilk. Okay.
Ms. Miller.
None that I'm aware of, sir.
Mr. Loudermilk. All right. Thank you. Ms. Manfra, last question. Would you review--would a review of Kaspersky's Lab source code, as recently offered by the CEO of Kaspersky, help alleviate concerns or is this merely a publicity stunt?
Ms. Manfra. Sir, I have heard the offer to review the source code, and while we would welcome opportunity to hear from Kaspersky on what potential new information and mitigations they could put in place, the source code review would not be sufficient in my opinion.
Mr. Loudermilk. Okay. Thank you. Mr. Chairman, I yield back.
Chairman LaHood. Thank you. I have a few additional questions here to ask. Ms. Miller, you commented earlier that the Department of Defense at some point made a determination based on intelligence that you were not going to engage with Kaspersky products. Is that correct?
Ms. Miller. Yes, sir, based on threat information and other intel feeds that we had.
Chairman LaHood. In that threat information and concerns, was that information relayed to DHS or other agencies?
Ms. Miller. I'm not aware--not sure, sir. I would have to confirm.
Chairman LaHood. And do you know why that information wouldn't have been relayed? Are you saying it could have been relayed and you're not aware of it?
Ms. Miller. It could have been relayed and I'm not aware of it. I would have to confirm.
Chairman LaHood. Okay. And how long will it take you to confirm that and get that back to the committee on that?
Ms. Miller. We can do that within the next day or so, sir.
Chairman LaHood. Okay. Ms. Manfra, are you aware of the intelligence information that DOD relied upon when they made the decision not to engage with Kaspersky products?
Ms. Manfra. I believe I'm aware of the same information, sir, yes.
Chairman LaHood. And when did you become aware or when did the Department become aware?
Ms. Manfra. I would have to get back to you on when the Department became aware.
I can tell you that I first became aware of concerns in the 2014 time frame.
Chairman LaHood. And can you tell us why a similar decision in 2014 wasn't made similar to what DOD did?
Ms. Manfra. Some agencies such as the Department of Homeland Security did engage in an effort to remove the Kaspersky software from their systems. What we identified was largely agencies who are more security-focused or had the ability to receive classified briefings or removing the software. Where there was a gap was in the civilian agencies that did not have that infrastructure necessarily in place where they could rely on classified information to make procurement decisions. So we wanted to provide further direction across the civilian government for them to be able to make the same choices based off of the risk management decisions that we had made.
Chairman LaHood. Ms. Manfra, does the September 2, 2017, directive apply to federal contractors?
Ms. Manfra. Yes, sir.
Chairman LaHood. Okay. And to your--can you give us an update or where is it at? Have all federal contractors been compliant? Where is that at in terms of your follow-up with them and how do you keep track of that?
Ms. Manfra. We have a couple of different mechanisms to keep track. Every agency is responsible for defining what contractors constitute their federal information system and reporting that up to us. What we see is what the agencies report to us. We also, as I mentioned, have sensors deployed both internal to agency networks as well as at the perimeter that can identify what agencies may be calling out to Kaspersky IP addresses so that that would indicate that they probably have it on their systems as well. So we're looking at a variety of different avenues to identify whether they have it. And that would include a contractor system if they identify it to us. However, it is up to the agency to identify that contractor system to us.
Chairman LaHood.
And do you feel like you have full knowledge of all the contractors that the different agencies engaged with? Ms. Manfra. I do not--I could not say that I have full knowledge of all the contractors that agencies engage with. I can say that for all of the largest agencies I feel very confident that they have done an assessment of not only the internal government-owned and -operated networks as well--but as well as the contractor-owned or -operated networks and systems. But there--to say that I have full insight into every contractor that the civilian government uses, I probably do not have that right now. Chairman LaHood. Ms. Miller, in previous testimony before this committee, cybersecurity experts stated, quote, ``The Federal Government should take the lead on developing a trusted vendor list that provides guidance on approved cybersecurity vendors with a secure supply chain that agencies can have confidence in,'' unquote. In your opinion, how would the federal government go about establishing such a trusted vendor list? And what agencies should lead the federal government's effort to do so? Ms. Miller. Sir, I'll start with the second question. I'm not sure what agency I would recommend leading it, but I think we have a responsibility as we work with our vendors to ensure we have supply chain management processes in place to evaluate what they're bringing to us. We've established relationships with DIA and the--what--I can't think of the acronym right now--that give us an opportunity to identify critical components where supply chain managements are of real concern and put processes in place to help us avoid any risk introduced by our industry partners. At the same time, we have had very strong conversations with members of the defense industrial base to make sure they understand risk associated with use of the Kaspersky products, and the Defense Security Service has directed all of them to remove the products for any--especially of our classified systems. 
And we're working with our unclassified--or our vendors in the unclassified arena now with the Defense Federal Acquisition Regulation clause that we've put in place to help them not only understand the risk but to understand the products that they're using and their responsibility to protect government information and the government network as they relate to mission operations. Chairman LaHood. Thank you. That's all my time. Mr. Perlmutter, I recognize you for additional questions. Mr. Perlmutter. Just a couple questions about Kaspersky, and this is to the whole panel. In October 2015 the U.S. subsidiary of Kaspersky Lab, which is called Kaspersky Government Security Solutions, paid President Trump's former National Security Advisor Lieutenant General Michael Flynn $11,250 for a speaking fee. So just to the panel I would ask, are you aware of anybody from your agencies speaking at any Kaspersky conferences not for payment but just as one of their speakers? And what is it again, Dr. Jacobson, that we're worried about to have a guy like Michael Flynn speaking at a Kaspersky conference? Some open-ended questions, start with you, Ms. Manfra. Do you know if anybody from GSA or your agency has spoken at any Kaspersky conferences? Ms. Manfra. Sir, we not done a thorough review of speaking engagements at Kaspersky-sponsored events. I can say that we-- the guidance to my workforce is to not engage with Kaspersky- sponsored events. Mr. Perlmutter. Ms. Wynn? Ms. Wynn. I am not aware of anyone speaking at a Kaspersky- sponsored conference, and I would say that there is a thorough vetting review by our Office of General Counsel with respect to any speaking engagements of NASA personnel. Mr. Perlmutter. Ms. Miller? Ms. Miller. Sir, same with DOD. We go through a rigorous review with the general counsel before we approve speaking engagements, and to my knowledge, we've not had any DOD employees speak at a Kaspersky event. Mr. Perlmutter. Dr. Jacobson? Dr. Jacobson. 
Can I provide you a very unsatisfying answer? You know, I don't know the specifics of that case, but I think this is exactly why we need to understand that the Russians are going to continue to try and find key influencers, whether in government or in the media space or amongst the public, to help them with their information or disinformation campaigns in the United States. I mean, all foreign governments try and influence the United States. That's why we have laws that regulate the level of transparency there. But let me also state that this is why I think there's a great opportunity for a bipartisan sponsored commission like the 9/11-style commission, the Iraq study group, or the Afghanistan study group to really look forward and see how do we combat information campaigns or disinformation, whether it's Russian, Chinese, or terrorist networks in the future? And that would be a last point in terms of urging what the committee and Congress overall could do. Mr. Perlmutter. Well, and to that point, again, sort of looking for these different crevices or potential vulnerable spots, in December 2016 Kaspersky Lab awarded $18,000 in funding to three universities to help identify and--to help develop identity and verification methodologies for secure online voting systems. So, you know, obviously, they're looking for different places to take advantage of, you know, America and an open--pretty open system that we have. Just curious, if you were at DHS, Ms. Manfra, if you were advising these universities, what would you advise them about speaking and taking money from Kaspersky Lab? It's a very hypothetical question and it calls for speculation on your part, but I'm still going to ask it. Ms. Manfra. Yes, sir. I can't presume to advise a university on what money they might take or engagements they might speak at, but I would encourage them to ensure that they consider the risk associated with those interactions as a part of their engagement and their funding. Mr. 
Perlmutter. Dr. Jacobson? Dr. Jacobson. Well, I'm definitely not speaking for Georgetown University here, but I was thinking of three things. If I was asked today whether I would advise a university on that, I would think about three things: one, politically, it would be absolutely unacceptable to do given what's going on with Kaspersky and the allegations in the committee right now; second, from a public relations perspective, it would be a really bad idea; and third, there's prudence. We know in the university and think tank world there's certain countries and certain companies you just really think twice about taking money from, and again, if someone asked me, I would recommend they not take it today. Mr. Perlmutter. Okay. I yield back. Chairman LaHood. Thank you, Mr. Perlmutter. That concludes our questions today. I would just advise that the Committee--the Oversight Subcommittee on this is going to continue to monitor this situation, and as the directive continues to get implemented, we look forward to continuing to work with you on this issue. It's important that we as a committee and subcommittee stay engaged on this, and we'll look forward to the next phase of our hearing series on this and look forward to continuing to work with you. With that, our hearing is concluded. Thank you. [Whereupon, at 11:53 a.m., the Subcommittee was adjourned.] Appendix I ---------- [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Appendix II ---------- Additional Material for the Record [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] [all]