FBI director Christopher Wray testifies on China's growing cyber threat against U.S. — 1/31/24

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

morning that we've spent a lot of time on this committee um debating or thinking about the question of whether xiin ping will make a move militarily against Taiwan and what would be the timeline of such a move and obviously this is a unknowable uh question and people continue to debate it but in some meaningful sense I wonder if such an invasion or the preparation for such an invasion which would be incredibly costly is the ranking member uh very eloquently pointed out yesterday uh has already begun if the intelligence preparation of the battle space has already begun uh put differently for over 20 years the CCP has been attacking us our government our defense contractors our technology firms in cyberspace that is a fact and for a long time these attacks were focused on theft just robbing us of valuable technology uh That Was Then used to drive their military modernization a really unprecedented military modernization but another focus of attack has been Gathering sensitive information on hundreds of millions of Americans with attacks on companies like Anthem health the office of personnel management I'm sure uh Mr Molton and Mr aen Claus and anyone else who served in the military got a nice letter from OPM after our military records have been compromised mine is framed in my office in my basement um according to the FBI China's vast hacking program is the world's largest and they have stolen more Americans personal and business data than every other Nation combined but that wasn't enough for the CCP in the past few years our intelligence and cyber security agency have discovered that the CCP has hacked into American critical infrastructure for the sole purpose of disabling and destroying our critical infrastructure in the event of a conflict a conflict over Taiwan for example this is the cyber space equivalent of placing bombs on American Bridges water treatment facilities and power plants there is no economic benefit for these actions there's no pure intelligence gathering rationale the sole purpose is to be ready to destroy American infrastructure which would inevitably result in chaos confusion and potentially Mass casualties it's outrageous it's an active and direct threat to our homeland to our military our ability to Surge forces forward in the event of a conflict and it's not hypothetical as our witnesses will testify today the Chinese government has already done it our cyber Warriors are doing everything they can to stop it we're dealing with malware and water utilities oil and gas pipelines power grids and other Utilities in our Western most territories and across the American Homeland and the Damage that could be done by this is almost hard to imagine we need to step up and defend our critical infrastructure defend ourselves in cyberspace it's a critical part of deterrence it will take unprecedented collaboration between the public and private sectors to create the kind of layered cyber deterrence we need to prevent disaster because it's not just a government problem it's a whole of society problem our committee is called the select committee on strategic competition between the United States and the Chinese Communist party that's a that's a long title but in a very real way the name of our committee vastly understates the problem set it's not just strategic competition but a strategic threat pointed at the heart of America if we do not address this threat then the CCP will have the ability to turn off the lights for everyday Americans shut down cities and cause massive loss of American lives that's unacceptable I believe men and women of good faith in both parties can come together to prevent that from happening and that's what today's hearing is all about I now recognize the ranking member rajer chrishan morthy for his opening statement thank you so much much Mr chair and thank you to the witnesses uh for coming today I understand that General nakason today's your change of command and you made time to come and see us and so I expect this will be nakason unplugged and so we really look forward to today's testimony um well look folks today we're going to talk about ugly gorilla and Candy goo and no these are not my kids Instagram Handles in fact these are aliases used by CCP hackers working for the people's Liberation Army otherwise known as PLA and specifically this wanted poster shows members of unit 61398 whom we indicted in 2014 for hacking into American companies and stealing intellectual property this was the first time we've ever indicted PRC Nationals for computer hacking in the US for years the CCP carefully studied how the US ran cyber operations to develop its own concepts for cyber warfare Xi Jinping himself has called for the PRC to become a quote cyber superpower and to dominate the world through information Warfare in the last Dozen Years the CCP has used cyber operations for stealing IP from companies collecting private citizens data hacking into government emails and even potentially Gathering personal data from apps like Tik Tock however today we will be discussing an even darker side of the ccp's cyber warfare tactics activities that go far beyond merely stealing information last May sisa FBI NSA and our five eyes Partners released a joint advisory that CCP cyber attacks were targeting us critical infrastructure including American power and Utility Systems oil and gas pipelines and rail systems among others this cyber campaign titled volt typhoon has been inactive since 2021 CCP hackers access computer systems of about two dozen critical entities including in Hawaii and in Guam the hackers even attempted to access the Texas electric grid the purpose of the hacking was not to gather intelligence the purpose was to install malware that once activated would disrupt or damage the infrastructure you might ask why very simple to potentially harm us in a time of conflict pla strategists openly talk about coordinating missile strikes with cyber attacks as part of its offensive operations former sisa director Brandon will stated that quote Chinese attempts to compromise critical infrastructure are to prevent the US from being able to project power in Asia or to cause societal chaos inside the United States this means targeting Americans this means we could suffer large scale blackouts in major cities we could lose access to our cell towers and the internet we could lose access to clean water and fuel so how do we respond first we must be cleare eyed about the threat the ccp's objectives for a Cyber attack are not just to impede military Readiness they also seek to Target military INF I'm sorry civilian infrastructure to cause political economic and social chaos and in the pla's own world words quote shake the enemy's will to war second we must hunt and Destroy malware we need to discover and Destroy destroy all malicious code the CCP is attempting to hide within our networks and our critical infrastructure in fact less than 48 hours ago Reuters reported that the justice department and the FBI were authorized to remotely dis dis able aspects of a CCP hacking campaign underway now in order to protect our networks and devices this is exactly the type of proactive action that we need to take and we need to work with our partners and allies to do the same I look forward to hopefully learning more from the witnesses about this particular C this counter campaign third we must deter our adversaries while malicious Chinese code hasn't yet disrupted any of our Network any Cyber attack that results in physical damage or loss of life would Grant the United States the inherent right to selfdefense if the CCP were to activate code that could cause harm we need to make sure that we have the capability to respond and to respond decisively I look forward to hearing from our Witnesses today and yield back the balance of my time thank the ranking member uh we are privileged to have a great panel of witnesses uh honorable Harry Coker Jr is the nation's second confirmed National cyber director uh a position which came out of our work on the cyers space Solarium commission Christopher Ray is obviously the director of the FBI Jen easterly is the director of the cyber security and infrastructure Security Agency and general Paul nakason is commander of the United States cyber command and director of the National Security Agency I too want to thank you General nakason I don't want to play favorites on the panel but uh when I called you to try and convince you to do this I felt a little guilty because you're doing your change of command today but the fact that you were willing to do this I think is the ultimate Testament more than any of the awards you're you're wearing uh on your uniform today uh uh just to the type of public servant that you are that you would be willing to do this and I you know like whether you're uh redeploying or changing command usually you kind of drop your pack with about a week to go you took a massive new rock in your pack because you felt so passionate about this issue my experience working with you as chairman of the cyers space Solarium commission you were always forthcoming and generous with your time so I just want at the outset of this hearing to thank you for an exceptional career of Public Service the nation owes you a great debt of gratitude I would stand for that that was uh that was me lulling you into a false sense of security before the questioning begins uh with that I I want to ask the the witnesses to stand and raise your right hand I'll swear you in do you swear or affirm under penalty of perjury that the testimony you're about to give is true and correct to the best of your knowledge information and belief so help you God you may be seated let the records show that the witnesses have answered in the affirmative thank you all with thanks to the National cyber director director Ray will begin with his opening remarks uh which I believe will include a major announcement so Mr Ray you may proceed thank you chairman Gallagher ranking member chrishna Mory uh and to the members of the select committee for inviting me here to testify today to discuss the FBI's ongoing efforts to protect our nation from actions taken by the Chinese government that threaten Americans safety and prosperity uh before I go on I do want to make very clear that my comments today are not about the Chinese people and certainly not about Chinese Americans who contribute much to our country and are frankly often the victims of Chinese Communist Party aggression themselves rather when I talk about the threat posed by China I mean the government of China in particular led by by the CCP the ccp's dangerous actions China's multi-pronged assault on our national and economic security make it the defining threat of Our Generation now when I described the CCP as a threat to American Safety a moment ago I meant that quite literally there has been far too little public focus on the fact that PRC hackers are targeting our critical infrastructure our water treatment plants our electrical grid our oil and natural gas pipelines our transportation systems and the risk that poses to every American requires our attention now China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real world harm to American citizens and communities if and when China decides Ides the time has come to strike they're not focused just on political and Military targets we can see from where they position themselves across civilian infrastructure that low blows aren't just a possibility in the event of a conflict low blows against civilians are part of China's plan but the prc's Cyber Onslaught goes Way Beyond prepositioning for future conflict today and literally every day they're actively attacking our Economic Security engaging in wholesale theft of our Innovation and our personal and corporate data nor is cyber the only PRC threat we Face the PRC cyber threat is made vastly more dangerous by the way they knit cyber into a whole of government campaign against us they recruit human sources to Target our businesses using in insiders to steal the same kinds of innovation and data that their hackers are targeting while also engaging in corporate deception hiding beijing's hand in transactions joint ventures and Investments to do the same and they don't just hit our security and economy they target our freedoms reaching inside our borders Across America to silence coerce and threaten some of our citizens and residents but I can assure you the FBI is laser focused on the threat posed by Bing we've got cyber Counter Intelligence criminal and wmd experts just an name a few defending against it and we're working in Partnership partnership with the private sector partnership with our allies abroad and partnership at all levels of the US government especially the NSA cyber command sisa and oncd whose leaders I'm honored to be here with today in fact just this morning we announced an operation where we and our partners identified hundreds of routers that had been taken over by the PRC state sponsored hacking group known as volt typhoon the volt typhoon malware enabled China to hide among other things pre-operational reconnaissance and network exploitation against critical infrastructure like our Communications energy transportation and water sectors steps China was taking in other words to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous and let's be clear cyber threats to our critical infrastructure represent real world threats to our physical safety so working with our partners the FBI ran a court authorized on network operation to shut down Vol typhoon and the access it enabled now this operation was an important step but there's a whole lot more to do and we need your help to do it to quantify what we're up against the PRC has a bigger hacking program than that of every major Nation combined in fact in fact if you took every single one of the FBI cyber agents and intelligence analysts and focused them exclusively on the China threat China's hackers would still outnumber FBI cyber Personnel by at least 50 to1 so as we sit here while important budget discussions are underway I will note that this is a time to be keeping ahead of the threat by investing in our capabilities rather than cutting them we need to ensure that we sustain and build on the gains that we've made that have enabled us to take actions like the volt typhoon operation I just mentioned the budgets that emerge from discussions underway now will dictate what kind of resources we have ready in 2027 a year that as this committee knows all too well the CCP has circled on its calendar and that year will be on us before you know it as I've described the PRC is already today putting their pieces in place I do not want those watching today to think we can't protect ourselves but I do want the American people to know that we cannot afford to sleep on this danger as a government and a society we've got to remain a Vigilant and actively defend against the threat that Beijing poses otherwise China has shown it will make us pay thank you and look forward to today's discussion thank you sir director Coker you're recognized for your opening statement chairman Gallagher ranking member Christian morthy and distinguished members of the select committee thank you for the opportunity to testify I have been honored to lead the office of the national cyber director oncd in the white house for a little over a month now and I am grateful to Congress and your leadership Mr chairman for creating this office and Mr ranking member I appreciated our conversation yesterday and your abiding interest in our Workforce challenges oncd was established by Congress to advise the president on cyber security policy and strategy in particular we coordinate many important agencies with cyber mission across the government to ensure Federal coherence on cyber security policy we have budgetary responsibilities to ensure the government is making appropriate investments in cyber defense and resilience and we focus on implementation and ensuring the president's strategy is excuse me successfully and transparently executed coordination and collaboration are Central to our ethos cyber security remains a team effort and I am proud to be testifying with some of our nation's finest leaders director easterly director Ray and general nakason this hearing is timely because the American public needs to be aware of the threat to our critical infrastructure our intelligence Community has noted that a PRC threat actor is prepositioning to in the event of conflict conduct disruptive and potentially destructive attacks the the PRC threat actor volt typhoon has as it has been named by a private sector partner has conducted cyber operations Focus not on financial gain or Espionage but on deploying deep access in into critical infrastructure systems that put those systems at risk their aim is clear in the early stages of a conflict they want to disrupt our military's ability to mobilize and to impact the systems that allow us to to thrive in our increasingly digital world we can must and importantly are seizing the initiative from adversaries in order to protect and defend the American people last year President Biden issued the national cyber security strategy which outlines a bold vision for a prosperous connected future and calls for us to build a future that has a foundation of deep and enduring collaboration among stakeholders in the digital ecosystem the national cyber security strategy is threat agnostic technology agnostic and is built on two fundamental shifts that we must one rebalance the responsibility to defend cyberspace and two realign incentives to favor long-term Investments today in users of Technology the individuals small businesses and critical infrastructure entities that make up constituencies in your districts bear too much responsibility for keeping our nation secure we must demand more from the most capable act capable actors in cyers space including the government and we must build future systems to be more inherently defensible and resilient this means that market forces and public programs alike must reward security and resilience this leads directly to the first pillar of the strategy which is simple in concept but daunting in scope defend critical infrastructure as we can see from PRC targeting critical infrastructure systems are on the terrain on which our adversaries wish to engage us and critical infrastructure owners and operators the majority of whom are private entities not governments are on the front lines part of our success then will come from scaling public private partnership and collaboration Beyond scaling these collaborative mechanisms and setting clear harmonized cyber security requirements the government must also be a good partner when an incident has occurred and federal assistance is required and even as we Shore up our defense we must also look to change the Dynamics in cyberspace to favor Defenders that means for example addressing the open research problem of software measurability that makes it difficult to understand the quality of code we use a topic that oncd is working working to elevate we are also working to address the over half a million open jobs in cyber Fields it is vital that we invest in Workforce programs to improve the pipeline of talent expand opportunities for all citizens to learn digital skills and open these good paying jobs and careers to all segments of society including those who have never seen themselves in cyber this Administration is tackling this through through implementation of the national cyber Workforce and education strategy released by oncd in July the administration's focus on cyber security has put us on a firm strategic footing to counter the threats from the PRC actors and others but we will only seize the initiative by leveraging the foundational partners that we rely on including Congress ultimately cyber security requires a Unity of effort no one entity can achieve our shared goals alone sitting here today with our close Partners I hope you'll see how our us team is enhanced by thoughtful patriotic cyber practitioners at all levels of government and from ac across industry working together to build a defensible resilient digital ecosystem again I thank you for the opportunity to testify today and I look forward to your questions thank you sir director easterly you are recognized for your opening statement chairman Gallagher ranking member Chris morthy members of the committee thank you for the opportunity to testify on Sis's efforts to protect the nation from the preeminent cyber threat from the People's Republic of China as America's civilian cyber Defense Agency and the national coordinator for critical infrastructure resilience and security we have long been focused on the Cyber threat from China but as you've heard in recent years we have seen a deeply concerning evolution in Chinese targeting of us critical infrastructure in particular we've seen Chinese cyber actors including those known as volt typhoon burrowing deep into our critical infrastructure to enable destructive attacks in the event of a major crisis or conflict this is a world where a major crisis halfway across the planet could well endanger the lives of Americans here at home through the disruption of our pipelines the severing of our telecommunications the pollution of our water facilities the crippling of our transportation modes all to ensure that they can incite societal panic and chaos and to deter our ability to Marshall military might and civilian will now the threat is not theoretical leveraging information from our government and Industry Partners sisa teams have found and eradicated Chinese intrusions in multiple critical infrastructure sectors including Aviation water energy Transportation now based on this information this is likely just the tip of the iceberg so we are working aggressively with our partners in industry and across the US government to take action now knowing that this threat is real and this threat is urgent first through authorities from the Congress based on a recommendation from the cyers space salarium commission we are using our joint cyber defense collaborative or jcd to catalyze robust operational collaboration with industry and government to enable us to uncover additional chines malicious activity and to develop ways to more rapidly detect it we are also using our free services and resources and providing intelligence to critical infrastructure owners and operators across the country so that they can detect and prevent Chinese malicious activity and we're using our now hundreds of subject matter experts and advisers acoss Across the Nation to work directly with businesses to help them improve the security and resilience of the critical services that Americans rely on every hour of every day the reality is however eradicating Chinese intrusions bolstering resilience and even some of the great disruptive work that director talked about it's all necessary but it's not sufficient the truth is the Chinese cyber actors have taken advantage of very basic flaws in our technology we've made it easy on them unfortunately the technology underpinning our critical infrastructure is inherently insecure because of Decades of software developers not being held liable for defective technology that has led to incentives where features and speed to Market have been prioritized against security leaving our nation vulnerable to cyber Invasion that has to stop technology manufacturers must ensure that China and other cyber actors cannot exploit the weaknesses in our technology to saunter through the open doors of our critical infrastructure to destroy it it has to change we are at a critical juncture for our national security today's hearing should serve as an urgent call to action specifically every victim of a cyber incident should report it to sisa or FBI every every time knowing that a threat to one is a threat to all and cyber security is National Security every critical infrastructure entity should establish a relationship with their local sis team and take advantage of our free services including vulnerability scanning to ensure they can identify and prevent the vulnerabilities that the Chinese cyber actors are using every critical infrastructure entity should use these services and CIS of cyber security performance goals uh as well as the ad advisories that we've published with NSA and FBI and international Partners to do the necessary investments in cyber hygiene to ensure that they can protect their networks including throughout their supply chains every critical infrastructure entity needs to double down on resilience businesses need to prepare for and expect an attack and test and prepare for and exercise their critical systems so that they can continue to operate through A disruption and recover rapidly to provide services to the American people finally every technology manufacturer must build test and deploy technology that is secure by Design we have to drive towards a future where cyber actors cannot take advantage of Technology defects to break into our critical infrastructure this is a future underpinned by a software liability regime based on a measure meble standard of care and safe haven for those software developers who do responsibly innovate by prioritizing Security First now none of this is possible unless every CEO every business leader every board member for a critical infrastructure company recognizes that cyber risk is business risk and managing it is a matter of both good governance and fundamental National Security thank you for the opportunity I look forward to your questions thank you very much General noon you're recognized chairman Gallagher ranking member Christian morthy members of the select committee I'm honored to represent the men and women of us cyber command and the National Security Agency as my time as the commander and director draws to a close thank you for this opportunity to reflect on the considerable changes I've witnessed in the technological and operational environments over my nearly six-year tenure and to hear your concerns the People's Republic of China poses a challenge unlike any our nation and all allies have ever faced Computing fiercely in the information domain PRC cyber actors are pre-positioning in our us critical infrastructure and it is not acceptable defending against this activity is our top priority the men and women of us cyber command and the National Security Agency continue to maintain our strategic Advantage by contesting the threats posed by the PRC in cyberspace by using the full scope of our authorities and the full spectrum of our capabilities to impose costs deny benefits and encourage restraint on the part of our adversary we will continue to strengthen Partnerships across the US government foreign partners and Private Industry so that we may operate anywhere we are needed we are ready and posture to contest PRC malicious activities at home and abroad while cyberspace threats have increased our forced to counter these threats are stronger and more capable us cyber command and the National Security Agency are using our capabilities and Partnerships to deny the PRC opportunities frustrate their strategic efforts and systematically eradicate intrusions one significant contribution in our ability to counter these threats is our relationship with the private sector us cyber command and the National Security Agency Partnerships with Industries have underpinned the US government's ability to track detect and mitigate the prc's activity against us infrastructure at scale one example of the impact of these strong relationship was demonstrated in May of 2023 with the cyber security advisory which was the first documented PRC activity against us critical infrastructure referred to publicly as volt typhoon for the first time ever 11 different industry Partners co- sealed the NSA advisory along with our inter agency partners additionally other industry Partners contributed behind the scenes in partnership with our cyber security collaboration Center lastly I would like to reiterate my appreciation for the opportunity to speak with you this afternoon and recognize the community's continued efforts to bring attention to this critically important issue which impacts our national security and the lives and livelihoods of the American people I look forward to our conversation thank you sir um director easterly uh you your opening statement uh both written and and spoken I I commend the written statement as well really kind of teases out the troubling implications of a of an attack on our critical infrastructure I read it and I'm sort of left with the implication that China's pursuing a strategy designed to either Hold Us hostage in the event of an international incident such that we would be afraid to respond or to actually cause casualties on the Homeland is that is that an accurate assessment that I could take from your testimony uh absolutely so you know as I mentioned uh as I alluded to it is Chinese military Doctrine to attempt to to induce societal panic in their adversary and arguably the Chinese government got a little bit of a taste of this in the aftermath of the ransomware attack on Colonial pipeline May of 2021 that shut down gas to the Eastern Seaboard for several days Americans couldn't get to work they couldn't take their kids to school get folks to the hospital uh it caused a bit of panic now imagine that on a massive scale imagine not one pipeline but many pipelines disrupted uh telecommunications going down so people can't use their cell phone people start getting sick from polluted water trains get derailed air traffic control system po Port control systems are malfunctioning this is truly and everything everywhere all at once scenario and it's one where the Chinese government believes that it will likely Crush American will for the US to defend Taiwan in the event of a major conflict there now this is also a scenario that we can and indeed must prevent through both the robust practices that I mentioned in my statement which amounts to deterrence by denial and resilience but also through the deterrence and escalation of punishment a credible threat and then perhaps most importantly through American strength and unity and the power of our values and uh general noxon what would if you have to assume they're targeting our critical infrastructure in Guam and other territories in the Pacific what would a attack on that critical infrastructure mean for our ability to respond in the event of a crisis it could have a very significant impact on what we need to do to provide a series of different options that uh that our commander in the indopacific region would want to respond with Communications uh an ability to be able to uh leverage our most lethal Weapons Systems these are all areas that uh that we would rely on and director Ray remind me again of the STA I thought was stunning in your opening statement that if you if you focused all of the FBI cyber professionals on the China threat we would still be at what sort of disadvantage with respect to the humans in China that are focusing on America we would be at a disadvantage of at least 50 to one 50 to one and part of the reason I say at least is because one of the things we've also seen from the Chinese government which has devoted massive resources to the biggest hacking program in the world by by a mile is that they also work with cyber criminals yeah which is then a whole Force multiplier to that already significant Enterprise roughly how many people or percentage of your resources are devoted to China would you say of our resources I mean it is the biggest chunk of our Counter Intelligence program by far uh and probably the biggest chunk of our cyber program by far and then of course we have other divisions like our weapons of mass destruction uh folks who are the ones who who did the work on covid Origins for example for the FBI uh we have criminal folks uh criminal investigation folks working on sort of the fentel part which of course much of that is coming from precursors in China uh so it it's really a threat that pervades uh and permeates almost all of our programs and you have previously testified um when it comes to tikt that it screams of National Security concerns why why what is the risk by Tik Tok in your opinion well the most important starting point is the role of the Chinese government the apps parent company is effectively beholden to the Chinese government and that is what in turn creates a series of National Security concerns in the PRC government's ability to leverage that uh that access for that Authority so first the data gives them the ability to control data collection on millions of users which could be used for all sorts of intelligence operations or influence operations second the recommendation algorithm which could be used for all sorts of influence operations or to sew divisiveness Discord uh and again that's something that we wouldn't readily detect which makes it even more of a pernicious threat and AI of course enhances all of that their ability to collect us person data and feed it into those influence operations makes it exponentially more dangerous to Americans and then third and finally it gives them the ability should they so choose to control the software on millions of devices uh which means the opportunity to technically compromise millions of devices so as you put all those things together uh it is a threat that I think is very very significant and again it all St starts back with the starting point which is the Chinese government itself and their role and their ability uh to control these different aspects of it thank you my time has expired I'm excited to recognize the ranking member because his game his questioning game and prop game improves with every hearing so and as they say game respects game the rank member recognized thank you Mr chair first I want to uh discuss the impact of cyber attacks real world cyber attacks that are happening today in Ukraine at the behest of Russia recently the Russians cut off Internet access for tens of millions of ukrainians in one Cyber attack alone and they then cut off power for hundreds of thousands of ukrainians in a separate Cyber attack and and so I have a question for General Nason um you know we actually depict this here it could look something like this in a conflict situation the CCP could aim to attack American infrastructure the same way that the Russians are attacking Ukraine right that's correct let me let me turn to a potential real Cyber attack by the CCP uh General nakason so far we've discovered CCP malware in certain critical infrastructure but they haven't been activated yet in the event that this malware were activated you'd be able to attribute it back to the CCP just like you did with volt typhoon right we are very good at uh attributing that's correct now General Nason in 2018 you were at the Aspen security morum and here's a picture of you 5 years ago uh and you said this which really caught my eye it said if a nation state decided to attack our critical infrastructure that's above the threshold of War isn't that what you said so I I do recall appearing there and uh from that quote yes and uh I probably would have said it differently today ranking member and um then the next part of that uh quotation also caught my eye you you continued by saying and we would certainly respond and in your written statement you talk about imposing costs on potential adversaries so I just want you to say very clearly here cybercom indeed has the capability to respond decisively it does and and this is a really important Point uh we cannot be episodic in looking at this threat we need to be persistently engaged every single day with a series of different capabil working with a series of different partners to both enable and act what we have done over the past 5 years is been able to look at imposing cost in a much broader fashion whether or not it's publishing an unclassified manner what the adversary is doing whether or not it's working with the bureau whether or not it's being able to work closely with Justice and treasury this is the idea of consistently being able to persistently be engaged with your adversary I just want to send a message to anybody who's paying attention here whether it's a CCP or anyone else who would intend to put malware into our critical infrastructure first we will attribute it back to you if it's activated secondly that could be a an act of war and third we will respond decisively let me move to another topic and I'd like to touch on Tik Tock as well director Ry um the Tik Tock CEO came to Capitol Hill and said a couple things that I'd like to get your response on one is he said that our data privacy concerns with regard to Tik tock are not unique compared to other companies like Facebook and X or otherwise known as Twitter I personally agree that other social media apps have various data privacy concerns but the key difference is that unlike Tik Tock they're not owned by a company beholden to the CCP and I just want to get your reaction to that I I presume that you agree that Tik Tock is unique in the sense that it's owned by a company beholden to the CCP well it's certainly unique by compared to Western companies uh which which are by their very nature not beholden to Western governments and what makes Tick Tock so uh challenging is and therefore so risky from a national security perspective is that we're talking about a government in the Chinese government that has over and over and over again demonstrated contempt for the rule of law and international norms and lines that we consider very important in the US and in the west between the private sector and the government those are lines that are at best blurry if not non-existent in the Chinese system director Ray I want to ask you about the news that you broke during your uh testimony uh thank you for your proactive action with regard to uh disrupting remotely disabling this volt typhoon campaign uh couple questions one is um in this year of Elections um obviously Wang ye the foreign minister recently told Jake Sullivan assured him that the CCP is not going to interfere with our elections this year how do we prevent that from happening well China's promised a lot of things over the years so I I guess I'll believe it when I see it it would be the starting point uh second we work very hard across the inner agency uh all the agencies you see represented here plus a whole host of other partners to try to anticipate uh and prevent any efforts to interfere in our elections um and there have been enormous strides made over the years uh not just amongst all three of our agencies but between our agencies and state and local election officials secretaries of State Etc to try to prevent cyber interference for example in our electoral system then there's of course also the pervasive problem of malign foreign influence in terms of disinformation campaigns and things like that and there again we have to work with the private sector and not just the inter agency but all that has to be combined with the Public's role in being a more Discerning um and media literate uh populace um because they have a role to play here too sorry one last the routers you talked about how many states were they located in I don't have the number of states uh with me I know that there was hundreds of routers um and it it it is a good example of the point that director easterly was making in her opening statement these small office uh home office routers were very outdated which made them easy targets for the Chinese government and these small office home office routers were not themselves the intended targets the targets of course were our critical infrastructure but what the Chinese were doing were using these easy targets to hide and obfuscate their role in the hacking of our critical infrastructure and so that's why the point uh that was made about making sure that we're not uh creating an easier attack surface for them is so important Mr Whitman thank you Mr chairman I'd like to thank our Witnesses for joining us today thanks again for your service General aason thanks so much for your 37 years of service to our nation I'd like to begin with you there are some that would assert that other nations conduct cyber operations some of those things could have consequences on on entities like hospitals and water systems and power grids and other civilian targets what makes the PRC activities like embedding uh latent malware into systems what makes it unique uh in relation to other responsible cyber actors responsible cyber actors of uh democracies like our own do not Target the civilian infrastructure there's no reason for them to be be in our water there's no reason for them to be in our power uh this is uh a decision by uh an actor to actually uh focus on civilian targets that's not what we do let me ask this too the ranking member talked about uh attribution determining exactly who was behind the cyber attacks and then making sure that there are repercussions for those actions I would argue too it's not just about us playing defense because we will never get out in front of the insidiousness that happens with with cyber attacks and those folks that dream up ways to attack our system but one thing that we can do very effectively is to have a very robust offensive capability as a deterrent so that folks understand like China that if there is a Cyber attack on this nation that goes after our critical infrastructure that what will be coming back their way will be orders of magnitude greater uh first of all do we have the capability to do that and if so do we communicate that in various ways so that China knows what the consequences will be if they take such an action we do have the capability and we're very very good the best uh and in terms of the way that we communicate it we communicate it in many different ways uh from our policy makers who have these discussions to the exercises that we conduct uh to the real world uh examples that uh that we do with a series of different partners the other thing that I would tell you is that first of all is that we have discovered what they're doing and we have exposed it secondly the Partnerships that exist here between our agents genes and our commands is something that concerns the Chinese and finally it's the work with a private sector that gives us scale they may have 50 to one but when we have the private sector we outnumber them so nakan I'm also very concerned about the CCP prepositioning within our critical infrastructure like oil and gas pipelines give me a a reason why someone would preposition in those critical infrastructure and and what conclusions should we reach as Congress and the American people from these reports as director e talked about uh this is an attempt uh to provide the Chinese options in crisis or conflict uh when we have discovered them in these critical infrastructures the first thing that we need to do is to make sure that we get them out uh and the second thing is that we need to have a vigilance that continues onward this is not an episodic threat that we're going to face this is persistent this is the generational piece that Direct a talk to we have to operate every day we have to have a vigilance we have to have offensive and defensive capabilities Dr easly you talked about holding software companies liable for the software that they've written for a variety of different sources especially uh the electric grid give me your perspective on how we would most effectively do that how could we do that in a timely way how could we make sure that it's done in in two ways to make sure that any future software that's written is is held liable for its vulnerabilities and how do we retroactively then address software that's already there that exposes those liabilities yeah thank you for the question um as you pointed out this is both a current problem and a legacy issue what is critical is that we start now to develop a regime and this was part of the national cyber strategy that can actually hold software makers liable for creating defective technology because frankly I believe if we had something like that and that was put in place at the dawn of the internet and when software was developed we would not be in a world where the internet's full of malware and software is ripe with vulnerabilities so we need a software liability regime that's based on a measurable standard of care but also Safe Harbor for those software developers who do responsibly innovate by prioritizing security not speed to Market not cool features so that's really important and a place where Congress could be incredibly helpful we also have been working directly with industry as general nakason pointed out the force multiplier of having their uh presence in all of these discussions industry to put a priority on secure by Design Software as well as International Partners the last thing that I'd say is we need to ensure that individual consumers are also aware that they need to be asking for products that are secure by Design and not defective we are making things too easy for our adversaries thank you Mr chairman I'll you back Miss Caster thank you Mr chairman thank you all for being here today and do and everything you do to keep American Safe uh director easterly I understand a high percentage of cyber attacks uh in the US are in the energy sector how would you characterize the The Coop the cooperation the proactive nature of public and private uh entities across the energy sector yeah thanks for the question so as the national coordinator for critical infrastructure resilience and security we work with what's called sector uh uh committees essentially that have representation from critical infrastructure owners and operators one of the things that I found most impressive uh since I came into this role is that the energy sector the people at that table are C CEOs and you do not see that across every sector and that really shows that CEOs in the energy sector understand this issue and understand the need to make significant investments in their cyber security and in their cyber resilience and so that is a very positive thing we have catalyzed very good working relationships across the sector and of course with the Department of energy and Caesar which handles all of their cyber work to ensure that energy companies understand the threat we did this very aggressively around the Russian invasion of Ukraine as part of our Shields up campaign but importantly understand the steps that they need to take to reduce risk to our energy grid and there the grid across the country is an aging and often PL in many places is decrepid and there's a lot of innovation going on there are a lot of new uh clean energy sources coming online there are there's uh innovation in dist distributed systems I think of uh after Hurricane Ian hit hit Southwest Florida the the subdivision the neighborhood that had that was had a distributed system that didn't go off grid they had backup power is there um are you thinking ahead working with Department of energy on how to build those more resilient systems that where you're not as dependent on volatile fuel sources you're you're thinking about the cyber tax but also long-term resiliency how how is that working and and do you have any recommendations for congress on that yeah absolutely and in fact that is the key word uh we are living in a highly digitized highly vulnerable highly connected world where frankly it is impossible to prevent all bad things it's impossible to prevent disruption so we have been working with our in agency and our industry Partners to focus on that resilience to expect that there will be disruption and to be able to continue to operate through A disruption and to recover and some of the uh exercises that we've worked on with our industry and our federal Partners really double down on that concept uh incredibly important to the point about the Aging energy grid it sort of goes back to Congressman Whitman's question about Legacy infrastructure we also have to ensure that we are investing in building resilience into the Legacy infrastructure it's a difficult thing to do I'm encouraged that there may be some use of artificial intelligence to have help us rewrite some of the code bases at least in the technology world where you have very sketchy code that is uh creating vulnerabilities we could actually help to shore it up and do you want to say anything about these aging routers uh that that director Ray referred to with with volt typhoon and and how are uh they they targeting Americans and what folks need to know yeah thanks for the question so just to um help folks understand and and um my teammates can weigh in as well when we talk about malware malware has been mentioned several times this is actually not a malware issue uh and that's why the name of that cyber security advisory was living off the land what these act Chinese cyber actors are doing is essentially um finding a vulnerability and and then finding ways to live within a computer's operating system so they're actually very very hard to detect because they look like any other person who's operating on it and they've elevated their ability to act like a system administrator so you really can't tell that's a Chinese actor that's essentially what they're doing on these routers so that they can build these large essentially botn nets for command and control to allow them to have a launching pad on our critical infrastructure or where they take advantage of yet another vulnerability so the routers themselves may not be aging they just essentially were created to be terribly insecure they don't update their software they allow for um very insecure uh interfaces with the internet and I I think just today at some point in time uh sisa and FBI will actually publish what we call a secure by Design alert specifically for the manufacturers of routers and those small small office home office capabilities that director Ray talked about of the very basic things that need to be done to shut off the Chinese cyber actors from using these these routers as launch points thank you I you back Mr new house thank you Mr chairman uh let me also express my thanks to each and every one of you for your dedication to keeping our um our country as safe as possible as you all know there's an election coming up this year um the ranking member apprach the subject I wanted to delve a little little deeper into this uh uh notion of election Integrity you know over the past year we as a committee we've heard from a lot of different experts it's good to see you again Dr easterly um on uh many of the emerging trends that we've been seeing in Advanced Technologies that are being used in misinformation campaigns We've Got U deep fakes AI all kinds of social media and algorithmic uh types of warfare you know certainly the four countries China Russia Iran North Korea keep coming up but there's also a lot of non-state actors that we hear about as well so um I've got several questions I think not directed to any of you but all of you if you could if we have time to weigh in so so given the what I would call ever expanding nature of advanced technology IES and all of these non-state actors capabilities what concerns you most about us election Integrity in in the possibility of future election interference importantly for us to hear also to adapt to these kinds of changing conditions what policies should we consider amending and which programs do you rely on uh in particular for resources um General mentioned this should the government expand its role in the public private Partnerships um and all of this how does this all occur without infringing on the First Amendment the right to free speech and also each State's constitutional free and equal elections clause and then just for people listening to this uh this hearing uh what gives you confidence and faith that in our ability to ensure free and fair elections so I'll start with General nakason let me start with the last uh part of your question Congressman which is we've done this before and we've done it successfully before 2018 2020 2022 all of the agencies uh at this table have been working together this is our fourth uh um effort in terms of election security and I'm very confident in terms of what we will be able to deliver a safe and secure election uh that's based upon the fact that not only has our methodology gotten better but our Partnerships have expanded Ed it's not just the partners at the table it's the private sector it's understanding internationally where we need to be able to partner and see what adversaries are doing outside the United States and do that very effectively it's a really important question thank you so sisa serves as a sector risk management Agency for election infrastructure security so we lead the federal effort to support state and local election officials who are those on the front line of managing and administering and defending election infrastructure I have confidence because of the enormous amount of time that I've spent with secretaries of state chief election officials state election directors who work every day to ensure that they can effectively defend their election infrastructure from the full range of threats from cyber threats from physical threats from operational risks and from foreign malign influence and I think what's incredibly important is for the American people to understand the enormous amount of work that's been done with our partners in the federal government but at the state and local level and with industry to improve the security and the resilience of our election infrastructure one thing to note that it's the diversity and de decentralization of our election infrastructure because it's managed by state by 8,800 separate jurisdictions around the country that heterogeneity gives it resilience and there's also enormous amounts of controls physical techn technological procedural that keeps that infrastructure resilient so the American people should have confidence in the Integrity of our election infrastructure and every American if they have any questions about it serve as a pole worker serve as an obser an observer talk to your local election officials and ask them questions it's a transparent process but every everybody should support their election officials who are working hard to ensure the Integrity of our most foundational Democratic process thank you Mr Ray well I I would second the the remarks of both of my colleagues uh I will just add in terms of things that were concerned about you alluded to the role of deep fakes obviously AI will enhance some of the same information Warfare that we've seen from our foreign adversaries uh for quite some time we're also concerned about the ways in which uh misinformation disinformation Warfare if you will from a foreign adversary and cyber attacks can work in Tandem and I think uh for example about the uh Iranians effort in the fall of 2020 that director rackliffe and I uh did a a public announcement about where you had a cyber intrusion that was not as effective as the Iranians might have wanted others to think it was but they had built sort of a disinformation campaign on top of it uh we were able to expose it and largely render it ineffective uh working with all of our partners up here but that's the kind of thing that I think we will see more of so what am I confident in I'm confident in my partners uh Americans can be confident in our election system and our democracy but I am also mindful of the fact that our adversaries are getting more and more sophisticated uh and that there more and more foreign adversaries who want to get in on this game thank you gentlemen's time has expired Mr Molton thank you Mr chairman it's easy to think of the threat not working maybe that would help thank you Mr chairman it's easy to think of the threat posed by the Chinese Communist party as something far away they may be carrying out a genocidal campaign against ethnic minorities in their own country they may be building more nuclear weapons more quickly than any other country in the world and they may steal secrets from our military and our private businesses every single day but your testimony makes clear that what the Chinese Communist party is also doing right now is positioning themselves to change the lives of every American in ways that we wouldn't expect every single day to cut us off from our water or electricity whenever they want to take control of our phones or our personal data to take out the GPS system that we rely on that helps our kids get home those of us who see classified intelligence have seen China building these capabilities for years but most of our critical infrastructure our electricity and water and rail systems they're run by state and local governments or the private sector they may not understand these threats so director easterly how do we in the federal government ensure that these entities are protecting the system so vital to all of us how do I convince a a small town in my district like Marblehead a town of 20,000 where I grew up to invest in cyber security to stop the Chinese military I mean I'm all for holding software Mak makers accountable but if a water authority doesn't update their software for 10 years that may be too late so how do we protect ourselves today yeah it's a great question so we have to attack it both at the software developer level but then of course at the software user level but as we know many of these public utilities and even smaller critical infrastructure entities are Target rich but cyber poor they might have two people who are focused on security and they're the same two people who are doing Administration or the finances for the company and so one of the things that we've done with the support of Congress is built a very large Field Force of advisers and subject matter experts to be our Frontline forces to work with all of the critical infrastructure owners and operators the businesses large and small to ensure that they are aware of the free services that we have that can make it easy on these entities to actually uh ensure their security and resilience so very basic things it well I think that a lot of entities probably don't know those exist and so this is a place where we'd love to work with you on the on the committee to make sure these small towns and that would be fantastic s.gov all our free stuff but the other thing just one last Point basic basic basic cyber hygiene it's not rocket science if they do the basics they can stay safe director Ray you explained that Tik Tok is beholden to the Chinese Communist party which can access users private personal data influence their feeds earlier this month Cloud Fair reported that Taiwan experienced a 3,000% increase in distributed denial of service cyber attacks last quarter um 3,000% i' imagine that's a coincident with their election so the Chinese Communist party has shown a willingness to influence elections I'm heartened by the experience and competence of the federal government in protecting the Integrity of our election system but I mean just to understand if the CCP were to want to change Tik Tock feeds to bias one candidate or another in the upcoming presidential election would they be able to do so uh my understanding is that under Chinese law that would be something that they would be permitted to do and we already know they influence Chinese children to study science and math could they be able to suggest to American kids that they use more drugs again I my understanding is that the Chinese government and the Chinese Communist party if it wants to exercise that Authority can easily exercise that Authority General nakason China describes its cyber efforts as proceeding along four vectors deterrence reconnaissance offense and defense deterrence how do they think about deterrence and how do we think about deterrence and response so in terms of the way that we think about it Congressman we think about a deterrence by denial and deterrence by cost imposition deterrence by denial is what we're discussing here in terms of publishing and being able to expose what the Chinese are doing in an unclassified manner this is the difference this is the challenge China now faces we have uncovered what they're going to what they they're doing and we will continue to do that so as as we un as we uncover this and I'm I'm running out of time but I want want you to comment on one other thing General noon it's clear from all we've heard including the workforce challenges that director Ry described that we need more cyber experts to serve our country given the threats that we've laid out today do you have a message for Young Americans who might want to do something about this the future of our nation the future of our economy is tied so closely to the future of our ability to operate in cyberspace if you're looking for challenge if you're looking for fulfillment uh I would tell you that any of the agencies that you see here provide a mission and a responsibility that would dwarf your imaginable uh expectations and I truly believe in the the importance of national service and I would encourage all Americans to think about that thank you Mr chairman thank you I feel like we can make Seth the colonel in the reserves or something you know you could take advantage of that uh Mr mullard thank you Mr chairman and thank you all for being here today um director re I Reay I wanted to follow up with you on some of the comments that you had made uh in addition to the cyber security issues um you talked about the human sources the Insiders corporate deception Beijing uh hiding their hand in in uh corporate joint ventures um in this whole topic of Leverage and beholden to the CCP um when you appeared in October on uh 60 Minutes you mentioned you had seen a variety of efforts by Chinese businesses attempting to acquire businesses land and infrastructure in the United States in a way that presents National Security concerns I saw that and I thought that was a very powerful statement uh I followed up with a letter to you outlining some concerns I had about a investment in my own District uh in my own District there's a company Goan which is a CCP Affiliated company it's worked with the PLA and many of its top leaders including the leader of its North American operations have ties to the CCP uh Goan is uh wanting to build an electric vehicle battery Factory my district and it's been given hundreds of millions of dollars in federal state and local tax dollars to do so um to build and operate its Factory in my district Goan plans to bring 20 to 50 Chinese Nationals to Michigan if that happens how confident are you that it will not be used for Espionage uh in other words do you believe there's a risk these individuals will be spies working in the United States well I'd have to drill in deeper on the specific example to be able to weigh in on that but what I what I can tell you is that um a lot of this ultimately traces back to uh the blurry if not non-existent line between the Chinese government um and its private sector um and their ability the Chinese government's ability to should they choose to leverage that Authority that reach that access uh in a way that undermines our national security which is why Acquisitions buying land buying businesses and so forth while maybe legal can still raise National Security concerns because it provides a vehicle for them to if they want to leverage that uh access to conduct surveillance uh or other uh operations that undermine our national security and we've seen time and time again where they have used that access leveraged that access to do that uh and in a way it ties into the the operation that we're here talking about this morning which is leveraging in a different sense the access is the problem we don't want to wait until they've actually stolen whatever the information is we need to try to get as they say in the counterterrorism context left a boom how confident are you in the state Department's vetting process when it comes to Chinese Nationals in this country well I'm not I'm not the expert on State Department processes um uh and I want to be clear as I said in my opening that our concerns are not just with all Chinese Nationals Our concern is with the Chinese Communist party and the Chinese government and the Chinese government has shown a willingness to leverage insiders uh who have no Origins uh in China for example so uh vetting is a very important part of our of our resilience and our national security but uh it's is not sufficient in its own right so your concern is with the leverage they could do that with Chinese Nationals they could use it with other individuals as well um what what kind of Leverage are you seeing right now the Chinese Communist Party using in this country well it's it covers covers the Waterfront right so um I'll give you one example uh that's public um so GE Aviation amazing major public very sophisticated company uh entered into a joint venture with it wasn't a Chinese company um but the Chinese were able to recruit an Insider at the joint venture the joint venture was then able to get access to sensitive G information which then it used he used to uh help Chinese Intelligence Officers back in China hack ge's systems um so you had the joint Venture which enabled the recruitment of The Insider which enabled the Cyber hacking and then for extra credit the guy was able to essentially cover the tracks because of his Insider access now fortunately there's a happy ending to that story because GE did which what we want all businesses to do had a good relationship with the FBI and our local field office and we were able to essentially run a sting operation back against the Chinese prevent millions and millions and millions and millions of dollars of R&D from being fleeced by the Chinese and essentially lure an MSS officer who was involved uh to Brussels where he was arrested and we extradite him and he's now uh in federal prison that's what we need to happen more often but it also shows that if a company is sophisticated and big as GE can fall prey to this what company couldn't so GE did the right thing if the company was a CCP Affiliated company would they have done the same thing I wouldn't count on it thank you yeah gent time expire m Kim thank you Mr chair thank you to the four of you for coming on out here today uh I guess I want to just build on something that Congressman Molton was talking about uh director easterly you talked about uh just the importance of being able to connect in with the different communities across our nation uh I was very interested what you said about the field force of making people aware uh and organizations aware of the services that are being provided and a lot of the conversation today has been talking about you know how can we prevent some of this type of situation where we would have these vulnerabilities with our critical infrastructure uh but but director easterly you also framed it and I thought it was a very poignant way to frame it talking about some of the concern of societal panic I think is the the phrase that you used something that can be done against us that can uh very much damage our ability to operate create that kind of concern amongst the American people that could sway political decisionmaking and weighing decisions in that way so I guess I just wanted to ask the four of you yes we put everything that we can into trying to prevent something from happening but God forbid something were to happen some type of major disruption whether GPS or something else of that nature what kind of active planning are we doing in a in a whole of government way are are the four of you brought into that type of coordinated effort for that kind of you know zero hour day after type of planning I just want to have some sort of assurance or some sort of understanding of of what kind of work you all are doing in that responsive way not the preventive way uh to to tackle this issue and prevent that type of societal Panic that you all were worrying us about please uh uh wherever you want to start directory Easter yeah I'm happy to start um and and really it's it's not my phrase societal Panic it's the Chinese uh part of their Doctrine and it's a pretty scary phrase for L but we are working very closely with FEMA uh our partners in the department and they are going to lead a whole of nation planning effort to ensure that uh we can respond to significant National Security events now this is of course building on years and years of national Readiness plans and National Response plans with respect to cyber in particular we were asked by the national cyber director as part of the national cyber security strategy to update the national cyber incident response plan so dealing with massive attacks across the country and we're working on that very closely with our government Partners as well as with our industry partners because as you've heard industry plays uh a critical role in this because they often times have the best information on what's happening in private critical infrastructure so that connectivity will be incredibly important for us to catalyze an effective response if there is a major attack on our nation okay Mr Coker I just want to turn to you how do you feel about our Readiness and preparation in in that kind of capacity are we doing everything we need to at the federal state and and local level thank you for the question and the concern and while I am uh very confident that we're taking the steps that we need to for example I think you heard um about some of the exercises that we worked with sisa on to prepare our sector risk management agencies for these types of situation um am concerned uh that we continue to work with the state local tribal and territorial governments um we've said several times today they're on the front lines of these types of actions and I view them as being u a combatant commander if you will with many of us being supporting commanders they're the ones who need our support so it's uh part of our our shift in the National cyber security strategy to shift the burden uh the responsibility to those that are most capable in this instance um it's the federal government that's most capable to prevent and then to lead the resilience in the case of an instance like this okay well look I I'd love to keep up with this because I mean look in New Jersey you know we we have a lot of Readiness in responding to the hurricanes and other storms but you know I I just uh don't really feel like there's a lot of muscle memory and understand how to be able to deal with some of these other types of approaches I'll just end with director e again you know we're talking about these the Readiness that we need uh I have a real concern about some of the funding discussions we're having here on Capitol Hill last September House Republicans voted uh on uh on a budget that would cut 22% to sisa I guess I just wanted to get a sense from you what that would do in terms of our impacts and Readiness it it would have a catastrophic impact on our ability to protect and defend the critical infrastructure that Americans rely on every hour of every day thanks for heading home y back Mel Hood thank you Mr chairman I want to thank uh all of our Witnesses today for your valuable testimony and the work you do to help protect Americans on a daily basis in particular General nakason uh want to wish you continued success in a well-deserved retirement um I want to focus my remarks initially on the importance of reauthorizing section 702 of fisa the foreign intelligence surveillance act and as we know section 7 102 of fisa set to expire here in Congress uh if we fail to reauthorize that program on April 19th of this year and I I would argue it's of existential importance to this country from a national security standpoint and uh 702 is a crucial tool for providing the US with the ability to Target foreign people overseas to gather information that allows us to protect our citizens both abroad and here at home and when we think about today's topic the CCP cyber threat to the American Homeland and National Security I want to direct my questions to director Ray and general nakason can you uh talk or explain on how the information derived from section 702 a as we specifically focus on our topic today AIDS in protecting our troops from China's malign activities in the Pacific and the US effort to counter China's cyber Espionage here here on us soil and our efforts to prevent transnational oppression well I I I want to strongly second uh your comments about section 702 and its indispensability to our National Defense from foreign threats uh specifically in the context of today's hearing 702 is the greatest tool the FBI has to combat PRC hacking groups uh I just to give a concrete example uh just last year thanks to FBI 7 uh fisa 702 information we were able to ident identify PRC state sponsored cyber actors taking initial steps to access us a particular us Transportation Hub uh and we were able to quickly notify the entity and share technical details which enabled them to be able to kick the Chinese off the networks before harm could be done before some of the more apocalyptic scenarios we've been talking about here could transpire that's the kind of thing that happens frankly not infrequently in our work that is 702 enabling us to identify PRC malicious cyber activity targeting Americans targeting American critical infrastructure enabling us to warn victims to notify them with details that enable them to take effective defensive action uh and so in my view failure to reauthorize section 702 or for that matter reauthorizing it in a way that severely restricted our ability to use it would be a form of unilateral Al disarmament in the face of the Chinese Communist party which I can assure the American people the Chinese government is not tying its hands behind its back it's going the other direction and we need to do the same thank you General maason Congressman 702 section 702 is the most important Authority that the National Security Agency uses every single day to keep Americans safe and to secure our nation as someone who was at the Pentagon on 9/11 to consider that we would return to the days before section 702 where we couldn't connect the dots is almost inexplicable to me the other piece that I would add to your question is 702 is so agile that it provides us an ability to see the Chinese precursor chemicals that are being used to feed fentanyl which is the scourge of our nation 100,000 Americans lost their lives in 2022 702 allows us to identify those precursors that saves lives the final point that I would offer is that of the surveillance authorities that are out there today the most transparent the most effective the most important Authority is 702 it balances civil liberties and privacy and the requirements of our national security thank you I yield back thank you I thank the gentleman for his incredible work uh on that issue as well uh Mr Torres thank you uh General nakason the United States is a cyber superpower do you consider China a comparable cyber superpower Congressman I I consider China a near perer adversary yes and what is the likelihood of China out competing the United States in cyberspace uh given the uh I think given the attention that we're putting on this today the realization that our nation must change the Strategic environment that must change our national defense strategy our national security strategy uh I think we are will uh will maintain that superiority a reassuring answer uh during World War II the United States was concerned that Nazi Germany would be the first to develop an atomic bomb today we're concerned that China could be the first to develop a quantum computer capable of breaking modern encryption uh director easterly who's winning the quantum Computing arms race I would probably ask General nakason to weigh in on that specifically Congress you uh point out one of the the critical things that we're moving towards right now our agency creates the keys codes and cryptography that ensures the underlying encryption of our nation we are developing those keys codes and cryptography in partnership with nist to ensure that our nation is safe from a quantum computer which you described National Security memorandum 10 talks about this we are well on the way to being able to do that and we will be able to defeat any type of quantum capability the Chinese have in the future so we're waiting the R we are great uh artificial intelligence there's a real risk that advanced AI could enable anyone anywhere to carry out a Cyber attack on critical infrastructure what can be done to prepare ourselves for a world of widely distributed cyber weapons of mass destruction this is an area where I have significant significant concerns because AI is moving faster uh it is moving at a speed that is three times the speed of morals law it is unpredictable and it will probably be the most powerful weapon of Our Generation most powerful weapon of the last generation was owned and operated by Nations who are disincentivized to use it these are generally owned and operated and produced by private sector companies who are driven by a profit motive so we need to be very very uh specific about the guard rails and ultimately the type of Regulation that will help prevent the use of these capabili ities for nefarious purposes by Rogue Nations by cyber criminals by terrorists and we need to move incredibly quickly to do that I think th this and China are the two generational issues that we need to be riveted on to protect our nation and as you noted you know AI development is largely unfolding among a small number of companies in secretly behind the scenes and I think most of us even in Congress are out of the loop do you feel like these companies are keeping you a breast of the latest advances in Ai and the implications that those advances would have for cyber security well I think one of the good news story is because of the illumination of this issue and the inherent risks by the Congress by the administration industry has had to come to the table and actually work in a more transparent way which we greatly appreciate but we need to see more of that and frankly we need to have secure guidelines in place there needs to be secure by design for AI which is why we've been working with all the big generative AI companies and international Partners to ensure that when these capabilities are created security are the is the top priority there are multiple leaders the sza director National cyber director the deputy National Security adviser for cyber and emergency technology the head of cybercom who play a role in setting cyber policy and there are multiple law enforcement agencies FBI Secret Service Homeland Security investigations that play a role in combating cyber crimes like ransomware who is in charge of coordinating the various moving parts of cyber policymaking and law enforcement statutorily it's the office of the national cyber director that serves that purpose sir and how does your role differ from that of the Deputy National Security adviser for cyber and emerging Technologies what's the difference between those two roles National Security Council at large yields all um mechanisms of National Power and cyber is but one so when they when the NSE provides guidance and advice to the president it's far broader than cyber our domain is on no but there's there's a deputy NSA specifically for cyber so how does that role differ from yours we work very closely together but the big difference is uh there is more of an operational flavor to to that role than than my role uh again our office is providing strategic and policy guidance not operational guidance which is what uh the National Security Council does with our colleagues again far broader uh than cyber but more operational than the office of national cyber director but I I also want to be real clear that we work very closely together uh literally weekly we have a sync um leader to leer but our staffs are working together uh daily G's time has expired Mr dson director easterly director Ray I just want to have a conversation with the two of you largely around the the maritime the port situation it seems to me that our ports are becoming more reliant on Equipment Technology infrastructure from PRC Affiliated firms I find that concerning is that a legitimate threat yes so I think it's a good example of the the theme that we've been talking about in this hearing in other contexts as well right which is if you're talking about Chinese businesses uh there is the potential that they can be leveraged by the Chinese government for all manner of concerns U when you combine that with some of the cyber security concerns that have also been discussed here in the context of ports and Maritime security uh it's sort of a double whammy yeah I mean this these Supply chains of course are so interconnected and so heavily Reliant upstream and Downstream it it doesn't take very much hitch and a giddy up to start to strangle our ability to engage in international trade or to power the American economy what's your how do you assess the awareness of our Maritime Partners the port operators shippers carriers about this threat yeah so one of the issues and you may be alluding to this sir is that 80% of cranes in our ports are zpmc so it goes to the point about Chinese controlled infrastructure in our critical infrastructure part of the issue is uh and we work very closely with the Coast Guard who serve as the sector risk management Agency for maritime Transportation Systems we make uh all of the owners and operators aware of the very real threat and the risk but when you have such almost a monopoly in um in a manufacturer it's very hard to rip and replace uh same concerns with the communications infrastructure so what we do is we provide working with the Coast Guard information on the threat and we provide what they can do to mitigate the impact of that threat so there are things that can be done to lessen that risk but of course we should work to be able to um not have to depend on this type of Chinese infrastructure which ultimately is controlled by the CCP well and you're exactly right and I think that's worth double underlining that 80% of the ship to shore cranes are manufactured by PRC Affiliated firms it does seem like that is a a quite a liability all things being considered director Ray more to add on that front well I I would agree with uh both your comments and director easty I would just add that it's uh it's about more than just the ports and the cranes um you know Maritime sector more broadly is something that we know the Chinese have targeted uh and that's part of why together with sisa and Coast Guard and others we've uh tried to put out a lot of information about best practices mitigation guidance Etc to try to reduce the risk but ultimately if we're going to be in a more secure posture we're going to have to be mindful of the Chinese government's ability to leverage its businesses so let's assume that yall are doing everything right you've done a good job educating these private sector partners because so much of this infrastructures we've talked about whether it's electricity whether it's water and now we're talking about ports really is owned and operated by the private sector let's assume you've done a perfect job of educating them what do you assess they need to do better over the course of the next 3 to five years to minimize the the dangers of this threat I'm happy to start um one other thing I would mention uh FBI and sis actually put out something specific about Chinese manufactured drones which is another area we have significant concerns in but in terms of what they need to do it goes back to ensuring that they have an awareness of the threat in environment and that they are taking those measures to invest in basic cyber hygiene some of this are just taking the basics to understand your infrastructure to know what the vulnerabilities are so you can drive remediation of them that cyber hygiene is so important I I I made the point in the opening statement but I really think it's worth doubling down every CEO every board member every business leader of a critical infrastructure owner or operator has to see cyber risk as Core Business risk they have to manage it as a matter of good governance and National Security so that's an important message to anybody that leads an organization in this nation I would just add to those very good points that uh much as director eally referred to in her opening statement same thing in the context of ports and Maritime uh security more broadly we need victims to reach out to us immediately because the victim who reaches us to immediately is the one who's going to supply the information that will enable us not just to be able to share information with them to better mitigate and uh prevent their attack from becoming worse but more importantly in many ways prevent the attack from metastasizing to other sectors and other businesses so the first victim that gets contacted that victim's information is the what helps us Pro protect all the other organizations and victims that are potentially out there and so we see all the time when it's done right businesses reaching out to their local FBI field office we're able to be there often within an hour or just a little bit more sharing technical indicators that they wouldn't have had the dots get connected they're better able to PR prevent that attack from getting worse but then they're also able to share intelligence which enables us collectively to then arm other businesses and other ports let's say in this case from being victims uh and get again getting further left of Boom Mr chair I would close by noting that we have hyper optimized these Supply chains for uh efficiency but we cannot leave resilience behind including of course cyber thanks I yield Mr roen Claus thank you chairman uh for for today bringing together Witnesses with such credibility and commitment to defending our democracy I appreciate it uh this hearing brings to mind my favorite anecdote from the Civil War uh it was 1864 and Grant just took command uh of the army of the pomac and he was surrounded by his senior staff and they were preparing for their March into Northern Virginia and they kept on saying well Lee's going to do this and Lee's going to do that and what if Lee thinks about this and he he snapped and he said stop worrying about what General Lee is going to do let's make him worry about what we're going to do to them and I think about that a lot when it comes to cyber because we have to do all of these things that that Mr Johnson put forward so uh articulately about making ourselves resilient but we also have to make them worry about what we're going to do to them and it strikes me that the best offense we have is not actually the nsa's ability to hit uh their critical infrastructure although I know we can do that and we're in the clear right now and I'm not going to ask you all the details but that needs to be there but actually the best offense that we have is to turn their domestic populations on those regimes to allow their own people to debate to deliberate to ask themselves whether they like three-year covid lockdowns uh to whether they like Invasion invading another Sovereign Nation uh and starlink in the last several years has proven that it can open up those channels of Civic discourse that are so corrosive to authoritarian regimes this question is for any of you who want to tackle it but what can we in the US government do to one turbocharge our ability to turn on their civic discourse whether with starlink or other means and to two to make sure that that decision is US government's decision not Elon musk's decision I'd like to start Congressman um I think the key piece that you've just talked about is what we've all realized which is the what we do hasn't changed a lot the National Security Agency we do signals intelligence we do cyber security at us cyber command we do cyberspace operations it's the how the how is changing so rapidly and this is where we have an impact against China much in the same way Grant in the Wilderness Campaign decided that we're going to focus on our strengths not worry about his adversary that's the same thing we have here we have our strengths our strengths begin with our partnership our strengths begin with the fact that we are uh able to talk with our private sector and be able to understand broadly what is going on the fact that we are now publishing these type of insights in an unclassified manner hanging them on our websites must and will but do we have a plan General do we have and maybe this is for Mr Coker or Miss easterly but do we have a plan for internet freedom in Iran in Russia in China so that their populations can Engage The aat told is 84 years old he's got Advanced prostate cancer there's going to be a succession soon uh are we ensuring that the Iranian people have as much of a voice as possible in making their discontent known as that succession planning is happening same thing of course in in China that's what really keeps Zing ping up at night I believe is not actually us politics it's lat in Chinese politics well I'll come at it from from the FBI's end I mean much of what you're talking about are operations that would take place you know in those countries but that's why when we call out trans trans National repression by all the governments you listed off that's so important because those repressive repressive techniques that you're talking about they're not just doing them in their home countries they're exporting it onto US soil and their victims their intended victims are primarily diaspora of those countries dissidents and critics here who have the audacity in their view to criticize those regimes the Chinese the Iranians the Russians Etc and so when we take action through exercise of the rule of law here to protect those victims and call out that behavior those families are in contact with their family members back in those countries which helps create the dynamic you're talking about I I agree with you and we've had excellent hearings on transnational repression and I understand the feedback loops I would say though that we need a whole of government strategy for starlink on steroids for these authoritarian regimes uh in my last 30 seconds director Ray um I want to compliment you on the work that you've done since October 7th to to um improve Public Safety in the United States I know there's been a focus for yours of yours and that in December you testified that you saw blinking lights everywhere and that you were especially concerned about Hamas inspired domestic terrorism uh and um and we know that the Chinese are are fomenting that frankly um the regrettably the the Boston City Council in my home in my home state rejected $13 million of federal terrorism funds that would help in part with cyber security but also terrorism preparation operations um what would be your message for municipalities and localities about the importance of regional preparation to defend against terrorism both cyber security as well as connetic we are uh since October 7th in a heightened threat environment uh from various forms of terrorist uh risk the biggest one is an inspired attack by the conflict in the Middle East but an attack that's inspiring some individual here and a horribly misguided way to commit an attack and that risk uh is more likely to be a lone actor targeting so-called soft targets uh here in the United States which is uh you know facilities houses of worship schools places that people every day in America Go including in municipalities like the ones you're talking about and so that to defend the public we all serve we need to be mindful of that heightened terrorist risk Miss Henson thank you Mr chairman um good afternoon to our distinguished guests thank you so much for appearing before our committee to discuss these uh blatant uh threats that the PRC poses not only to our cyber security but to our uh National Security on many many levels and um director R I wrote it down when you gave your opening statement you you talked about you know they want to wreak havoc and real world harm on us um and we need to be ready if and when and I think it's very clear today from our discussion that it's not if it's it's already happening so our answer um is resiliency its prevention and its accountability and so I I'm pleased to hear about the work that you're doing um inter agency to uh to counter these threats um and back in September the chairman and I let a letter to you director Ray as well as to secretary Austin requesting um that the FBI and Pentagon brief members of this committee specifically on um the gate Crashers at uh many of our sensitive facilities uh US military bases critical infrastructure um and it's unacceptable that the PRC was even able to gain uh access to many of these sensitive sites um they scuba dived around sensitive military equipment they uh were able to infiltrate our army test sites missile sites um and then of course the most egregious example of the Spy balloon going across our country um it's a blatant attack on our country um to undermine our national security and um and breach our military and and Technical Innovation so I appreciate the The Prompt response to our letter um and I want to ensure that this conversation continues that our security agencies are prioritizing this at the highest level so I would be curious what um the FBI is doing right now to further secure these critical areas um to ensure that we are stopping these threats uh to the American people before they happen so we are tackling it through a combination of Investigations intelligence sharing and engagement uh and to break that down a little bit further we have in all 50 six of our field offices Counter Intelligence task forces uh that are FBI Le but that have Representatives serving on them from uh the relevant military uh agencies that are in that uh area uh as well as in many cases State local law enforcement who are a very important part of giving us sort of additional Fort multiplier to help counter the threat and so we' have any number of Investigations into different kinds of efforts uh by actors associated with the people PRC uh to uh spy on if you will or in other ways Target our military installations intelligence sharing obviously things that we learned through our investigations we're able to Marshall that and then share that back with our DOD Partners so that they can use that to be uh even savier about how they defend their installations and then engagement we're trying to make sure that the lines of communication are are wide open between us and whatever military facility is in that particular area when I visit an FBI field office and I've visited all 56 twice I'm on my third round now uh it never fails uh to inspire me the close relationship that exists between the local FBI field office and the military presence in that uh in that state yeah and I'm sure there are many many of those Partnerships that have been very very successful in stopping many of these threats but uh we we can't rest on our Laurels and obviously continuing those conversations is going to be critical and look forward to maybe further conversations there perhaps in classified setting about um what more we can be doing um I want to quick follow up in the remaining time that I have about rip and replace because that is a huge huge concern um recently introduced a bill with many members of this committee including the chairman and the ranking member um representative molinar um to help uh kind of breach that critical funding Gap um that exists for rip and replace but it's um certainly concerning when you hear about these routers um and all the different equipment that exists within our Telecom and some of them are very very small organizations that uh do not have the resources so um we want to of course repurpose some of those Co funds and put them toward um ripping out this Chinese Telecom equipment that is a huge vulnerability so um director easterly this question is for you can you address really the um importance of a rip and replace program um not just for this level but maybe do we need to look at um expanding it further um and what are the consequences of of us not taking action here yeah I mean it it's in incredibly complex Supply chains as you know uh but when it comes down to some basic fund fals I think you pointed out uh around the the bill itself 24,000 pieces of Chinese uh software in these uh Supply chains and so it's imperative that we help uh the owners of some of these less resourced entities to be able to make these important changes to reduce risk two things I would add is we co-lead What's called the information uh Communications technology supply chain risk management uh task force and so I'm not even sure that they know that there may be capabilities with funding to do that rip and replace so I think that education there is incredibly important uh the other thing that I I think we need to be aware of and we of course the FCC has a covered list with a variety of different Chinese equipment from dawa to Huawei to ZT to haera uh what we do is we make critical infrastructure aware that they may that may exist in their crit in their systems so they can also be aware of the threat either mitigate it or replace it I think the whole effort is incredibly important and commend you for the for the bill yeah well certainly we have a lot of vulnerability and we're we're working to get a and I realize I'm almost out of time Mr chairman but uh we're working to get a true accounting of what vulnerability still exists within even government buildings or even least government buildings so um thank you uh for all of you appearing before our committee today I yield back Mr chair thank you Miss Brown thank you Mr chairman I want to thank each of our Witnesses for leading extraordinary agencies at a time of great turbulence and instability in the world our cyber security capabilities are perhaps one of our greatest threats and opportunities in the 21st century we must do more to deter and respond to threats to our systems coming from the Hostile actors across the world including North Korea Russia and Iran and we know the Chinese Communist party has incredibly sophisticated cyber infrastructure and will become or has been discussed today already one of our fiercest competitors on this front one of our greatest assets something which the CCP overlooks is our diversity as Speaker amerita Nancy Pelosi and vice president kamla Harris have both said our diversity is our power one aspect in which we can can and must do so much more is to build and rely on a diverse pool of talent in the field of cyber security I know this is a top priority for the Biden Harris Administration and for all of you as Leaders of your respective agencies so turning to you director Coker I know this topic is something important to you and you have spoken about it before can you speak on the administration's broad effort to increase our cyber Workforce by sourcing Talent from diverse places and the benefit it brings to our ability to combat CCP efforts thank you so much for that uh question that important topic and to me and the administration diversity is all about achieving positive Mission outcomes uh that message cannot be U be um misunderstood it's about positive Mission outcomes and we do that by having the strongest teams possible um I talked to 500,000 uh open cyber jobs so whatever we've been doing lately hasn't been working so what do we need to do to fix that uh we have the national Cate Workforce and education strategy uh that has its pillar um the two that are most relevant to your question are expanding the federal cyber Workforce and then America's rid large uh we need to do that by number one having people realize the impact to National Security talked about national service I think Americans want to serve our nation and need to be clear about cyber security is serving our nation uh growing up if you about the only national service we had by and large was wearing a uniform uh voting and paying taxes that's changed today um all those critical infrastructure uh segments that we have that's National Security so we need to make sure there's an opportunity to serve our nation in cyber uh number two um it used to be a misnomer that cyber security and cyber in general was a a technical Endeavor uh that's not the case folks think they have to be stem U cyber security is about critical thinking it's about agility it's about being open-minded so one need not be an engineer or a scientist to make contributions um in cyber security also want to add that there are communities across the country that aren't exposed to these opportunities um I'm a rural kid kid from Kansas I didn't know I could serve until there happened to be a uh a recruiter that came from the Naval Academy uh I hadn't even heard of the Naval Academy um you can expand that to cyber security so we need to go places where we haven't gone before and you know leaders know that we need to take opportunities um for people uh there's a level of risk need not lower standards at all but sometimes qualifications that are listed are not valid um people can learn we find the right people we develop them we uh retain them and we turn them loose so the administration's perspective is let's find the right people looking in places we haven't necessarily looked before and why because we need more better different people to achieve positive Mission outcomes thank you so very much um I now want to turn to another important topic which weighs on all of our minds and that's the 2024 national election um as we frequently remind everyone the 2020 presidential election was the same safest most secure election in our nation's history however the 2016 election preceding it was scarred by Russian hacking and Broad disinformation campaigns which severely compromised the Integrity of the election um anyone on the panel um if you would be willing to answer the question or address this um in an unclassified setting is there any evidence at this time the CCP is using artificial intelligence to interfere in the US elections and how do we ensure this election is free from CCP influence and I only have 8 seconds so sorry negative 11 seconds probably refer to my Intel uh colleagues on whether the CT CCP is actively using artificial intelligence but based on the dni's report in December about the activity in the 2022 midterms which talked about the aggregate scope and scale of foreign uh activity and influence and inter erence uh being uh more than we saw in 2018 and specifically Chinese uh attempts at influence we should expect it we should absolutely expect that foreign actors will attempt to influence and that they will interfere but to be very clear Americans should have confidence in the Integrity of our election infrastructure because of the enormous amount of work that's been done by state and local election officials by the federal government by vendors by the private sector since since 2016 since election infrastructure was designated as critical infrastructure it's that work that should make the American people confident in the security resilience and integrity of the American election system's time has expired Mr Jimenez thank you Mr chairman um I actually share the uh the the thoughts of uh my colleague on the other side Mr U Asen gloss about uh the the need to provide technology so that the people that live in repressive regimes like Russia China Iran uh we actually start a second front without shedding any blood so that the people inside can actually they're they're all seeking freedom and we need to help them achieve Freedom uh and and show and throw the shackles of this regime so hopefully we can have that kind of Technology allow them to communicate with themselves uh so that can happen one of the one of the things that happened very interesting uh there was a there are hundreds of thousands of people took to the streets of Cuba back in in a couple years ago in July and the first thing that the Cuban government did was shut down the internet uh identified the leaders and then took them out if we can find a technology that allows the people to communicate with themselves I think we can we can actually help the cause of Freedom around the world and so you know I'll be working with my colleague there to see how we can make that happen I actually believe that Cy the Cyber war that we're conducting right now is a battle and I think actually the the race is really the race to AI uh do you agree with that um Miss easterly I think AI will play a tremendous role in the battlefield to come but both on private sector as well the how important is the accumulation of data in this race to AI well it's all about data at the end of the day so data is the gold so here here's where I'm going is the oil okay there's 150 million users of Tik Tok in the United States how valuable is that data to the CCP enormously valuable okay so M Mr Ray knowing that it is critical for the United States to win the race to Ai and Tik Tock is a huge source of data actually in a language that they need because I believe that that the Chinese language is actually a dis advantage and that they need more Western languages in order to win that race how critical to to our security is is well Tik Tok is is providing all this data to the CCP do you think that's a security threat to the United States I I have very significant security concerns about Tik Tock uh and it's it's a combination of the ability that the Chinese government would have to if they choose to exercise it to control the collection of the data to control the recommendation algorithm and if they wanted to to be able to control and compromise devices uh and if you layer AI as you're saying right on top of all that uh it just amplifies those concerns because the ability to collect us person data and feed that into their AI engine um it just magnifies the problem we look at AI as a concern in the the wrong hands but we also know that American AI Innovation is the Envy of the world and the Chinese are trying to steal it so the big concern of course is that they will not only steal American data uh and feed it into their AI engine but that they'll steal American AI Innovation and make their theft even more effective and all you have to do is look at the Equifax hack from several years ago where they were able to steal the personally identifiable information from 150 million American people director I'm running out of time and I need to ask you a question it's a direct question it's a tough one probably I don't know how you're going to answer it would you ban Tik Tok in the United States say yes or no well there's a decision-making process is outside my Lane but let me try to answer it this way as long as the Chinese government has the ability to control all these aspects of the business I don't see how how you get your way clear to mitigating those concerns fair enough um I also share the concerns of my colleague uh Mr Johnson over the past eight months I've worked with the chairman Gallagher and members of the committee on homeland security led by my transportation and Maritime security subcommittee conduct a joint investigation examining cyber security and supply chain threats at us Maritime Port ports posed by the People's Republic of China I anticipate sharing our in joint investigative report soon um when I was the mayor of Miami Dade County uh we we operate one of the biggest ports uh you know in the United States and lo and behold when I look at our cranes they all had Chinese writing on it so they all came from China 80% of the world's cranes are actually are actually manufactured in China but what's worse I thought that we were okay with software maybe software developed in Western countries uh was okay operating these cranes but uh we ALS also found out that a lot in a lot of instances the software is shipped to China stays there for over a year and then it's installed in China and we don't know what happens it what happens to it in that time and so operating that software knowing that that software either reporting back to China or that somehow it can be turned off at any time think about it 80% of the world's Commerce is is controlled by those cranes so thank you and I'm way over so thank you very much for indulging me Mr Mr apparently the lights are also controlled by somebody uh Carlos and I climbed up in one of those crayons I I didn't in Miami I didn't know that I was afraid of heights until that moment but it was Illuminating Miss Stevens I'm always learning about our chairman um it it this is a real honor to to be with all you this is another just top doch hearing and and and certainly you know we're not the hom and security committee or um even armed services and so yes getting into these points about the entanglements of cyber security threats and its realities of which I'd love to ask you about I I just wanted to start from a more elevated place and and maybe this is a question for Mr Ray and Mr um Coker I what is the ccp's motivation as far as you know and can share with cyber security threats and actions because they've been we we've been hearing colleagues and everyone talking about all these little examples and all the tools and this and that but what's the goal here is it to chip away at our economy is it to make us look weak and and in fact I think even just some of what we're positing today is perpetuating I I think some of this position of weakness rather than strength because much of this technology is technology we've created but that's another point I'm I'm more interested in the why well my starting point would be that uh as with most questions uh about the Chinese government's uh tactics and strategy when one asks is it a b or c the answer is usually D all the above and in the context of cyber threats uh they are using their biggest hacking program in the world to try to steal our intellectual property to advance their own uh economic engine they're trying to steal our personally identifiable information to feed into the influence operations and other uh tactics that we've talked about here already in this hearing they're using their cyber targeting to suppress dissidents and critics and as is uh revealed through the operation we've talked about and announced here this morning they're using their cyber targeting to preposition on our critical infrastructure to be able able should they so choose to conduct a destructive or disruptive uh attack on our critical infrastructure at the time of a conflict so they're doing all those things they all feed up ultimately into their goal uh to supplant the us as the world's greatest superpower I'm in agreement and that uh the goal is to supplant the us we are in a competition with China and and frankly they're the only nation that has the uh means to reshape the international order and means being diplomatic uh economic uh military uh we are in a competition we have to acknowledge that will not lose sight of it we also need to manage that competition responsibly uh to avoid the confrontation and conflict and we can do that uh by continuing to operate with confidence not yielding the initiative U not merely staying on the defense but being as strong as United States has always been we look at the National Security strategy uh it says to invest at home to maintain our strength so we shouldn't consider cyber security attacks Warfare I mean I know nak General Nason you're here and I'm do they what are they doing over there I mean do they have a department that is just focused on cyber attacks because this is sort of in some respects hard to wrap our heads around right I mean we don't I know Rey you've got your whole Kaboodle that you can talk about and then can't talk about but I'm just more or less interested in terms of you know how are we choosing to respond to these things what's our Purge and what do we know about how they're actually putting all this stuff together well we know a lot about what they're doing as as we've talked about today we also know who's doing it uh we know how they're structured we know their version of the National Security Agency and US cyber command uh we also know that they have very very specific organizations that are targeting different parts of the world to include the United States of America and now I think the important thing is uh now that we know that what are we doing about it and this is to the point of the department strategy is that we defend forward we operate outside the United States to be able to impose cost on our adversaries either by enabling our partners or acting and that's the important piece I I am just out of time but miss easterly it as someone who founded the women in stem caucus here bipartisan caucus in the in the Congress it it is such a treat to hear your expertise you've been phenomenal all of you have thank you and I yield back Miss de thank you Mr chairman critical infrastructure and intellectual property across California are at risk of being attacked by the CCP and other adversaries this could have serious consequences for my constituents in May the LA Times wrote about threats of cyber attacks on our water infrastructures and then I'm you know seeing all these directors and then you head of cyber attacks or cyber security ahe of all these departments what we do inter agency coordination on cyber attacks and vulnerability at ports around the world with US Military and Commercial present because I think anybody can answer because you are talking about what your agency has been doing and how you are protecting you know from the cyber attacks but how we working together with all these different agencies so I I'll start say a couple things so with respect to Ports uh specifically so sisa was built by Congress in 2018 to serve the role as the national coordinator for critical infrastructure security and resilience so so we work with all of the sector risk management agencies to ensure that we can work with industry to help them understand the risk so that they can manage that risk and reduce that risk and we have a phenomenal partnership with the US Coast Guard where we work with them day in and day out to do cyber assessments to uh help with vulnerability scanning to ensure that all of the maritime uh Transportation sector uh has what they need to reduce risks the other point I'd make um particularly if uh the CCP is watching this hearing and I assume that they are is the strength of our cyber capabilities in the United States of America is that we operate as a team there may be different people doing different things but all of us work incredibly closely together and we know that our strength is our Unity uh as we work together how about how about other allies because like a loging or Maritime tracking system we are not using unfortunately here in this country but you know what our allies like Japan South Korea Portugal Spain they're using it and China CCP knows exactly what's going in and out and even that our nabal ships are going into those countries how we protect that and how we going to work with other countries too so we uh almost invariably on almost all the things we've been talking about here today especially in cyber are working with foreign Partners our closest foreign Partners who are are themselves as you say also being targeted by the CCP and especially in the context of cyber our focus is on conducting joint sequenced operations which almost invariably involve not just us partners but sometimes as many as 10 or 20 foreign Partners all working together in tandem to try to have the whole be greater than the sum of the part we' talked a lot about numbers the disadvantage that we're at relative to the CCP but as general Nason said one thing we have is Partnerships true Partnerships which allow us to have kind of our two the US's two together with some other country say it's Japans to and have it equal five to get synergies when working together and that's ultimately our best defense against the CCP so China is ready to attack um by 2027 Taiwan and we heard and we had a great meeting with a former Defense uh secretary gate and he was the one actually talking about more of it's not going to be the war but more of the commercial stops means that they're going to just stop all these ships going in and out that's the way they're going to isolate Taiwan but when the other countries still using those systems and especially in the the United States our cranes were made by China and they're actually controlling it you were talking about that just litter gas line that you know we got into trouble but when they stop all those cranes that what we are using in the United States ports we are in big trouble and then we cannot communicate or we can communicate maybe don't know but you know what we cannot really bring anything to Taiwan since that's uh Island so we really have a big problem so what kind of thing that we are really preparing that you know how we're going to really go inside of CCP and find out that exactly what they are doing and I think congresswoman Stevens was talking about that do they have their own Department I think they do and just only do cyber attacks so how much we know that inside of China that what they are doing to to us and to other countries we have a tremendous amount of Insight in terms of how they're organized what their plans are and what they're doing this is one of the things that the National Security Agency spends a tremendous amount of time at uh and we have a very very good Insight in terms of uh what their intent is gentlemen lady oh anyone else want to comment thank you very much for all Witnesses today and learned a lot I had to get out because w means committee meetings but thank you so much chairman thank you home stretch two more I think I just jinxed it someone may come back Mr cona thank you Mr Mr chairman director Ray uh could you assure the American public today that no nonviolent protester about a ceasefire of the Middle East will be investigated or surveilled by the FBI we are not going to be investigating nonviolent First Amendment activity and could you just assure whatever their position is on the Middle East or the 2024 election if there is an American who's out there engaged in expressing their view whether that is for a ceasefire or whatever that is the FBI is not going to be investigating them or surveilling them correct our mission is to protect the American people and uphold the Constitution and we intend to do both we Embrace both parts of that mission in our view it doesn't matter what you're ticked off about or who you're ticked off at there's a right way under the First Amendment to exercise those views and we're going to help protect that and there's a wrong way to exercise those views and that's violence and threats and we are going to investigate that I appreciate you're saying that because I think it I share your view that the First Amendment and peaceful protest is at the heart of our democracy I also have appreciated some of your views on making sure that as we appropriately uh investigate Chinese threats to infrastructure and uh the Chinese Communist party's threats and deal with the cyber security you've been very clear that you do not think that that should involve the profiling of Chinese Americans and I think you've been sensitive in some remarks you made at University of Michigan about how in the past uh that has happened can you speak to some of the past history of profiling of asian-americans and how under your leadership you're going to make sure that that doesn't happen as we appropriately investigate Chinese Communist Party threats to the United States we are going to aggressively pursue the threat posed by the CCP uh with investigations that are predicated on the facts and the law and our policies and they're not going to be based on race ethnicity or national origin and they haven't been now it is the case uh that the Chinese government aggressively targets uh individuals here to enlist them uh in their efforts but they also aggressively suppress and coerce and harass Chinese Americans and Chinese visitors here uh and so we view as part of our role to help protect those people uh and so part of the key is drawing the distinction uh in between the Chinese government the Chinese Communist Party the malicious actor and Chinese Americans Chinese dissonant the victims and as you do this uh director and like I said I think under your leadership from your public comments uh you've been quite good about drawing that distinction but do you bring to it a historical awareness that asian-americans in this country have been profiled in in our history just like I'm sure you have an historical awareness of the FBI's role during the Civil Rights Movement certainly there have been abuses or mistakes in the past and we're determined to make sure that those things don't happen again uh but I do want to make clear that our work at least since I've been director focused uh on Chinese aggression uh is based on the fact on the law and proper predication and you can assure sort of Chinese Americans that they aren't being profiled or targeted in any way uh based on their ethnicity or race we are not going to open investigations based on profiling people for race ethnicity or national origin or anything of that sort thank you I'm done with my questions thank you uh and finally a special guest the esteemed chairman of the Homeland Security subcommittee on cyber security and infrastructure protection representative Garbarino I have to ask unanimous consent for the gentlemen to participate and ask questions at this hearing unanimous consent ominous Dominus gentleman is recognized thank you chairman thank you R member for allowing me to visit today as a special guest uh and I look forward to contining work with you all on uh building resilience our CCP cyber threat uh first director Ray I'll like to say I took an international trip with some other uh colleagues and we met with some of your um uh some some of your employees over your uh your men and women in and in some other countries and they are doing a phenomenal job especially on the Cyber threat uh level so I'm saying great job with that uh director e it's good to see you um I want to ask you a question uh the intelligence Community has been warning for years that China has the ability to launch cyber attacks to disrupt us critical infrastructure in response to the Persistence of this threat I understand sisa has hired a new associate director to lead China operations um can you please provide an update on the work of what's been completed over the last 6 months and what do you have for the remainder what plans for the remainder of the Year great thanks so much great to see you chairman uh yeah early uh early last year we decided to stand up a whole element uh under the associate director for China operations and so we hired a uh terrific subject matter expert Andrew Scott to lead that effort really a cross agency effort to ensure we had a deep understanding of the threat to critical infrastructure and that we could work effectively with our partners across the inter agency at the state and local level and of course with industry to be able to build the security and the resilience that we need to defend the nation from these uh from these threats since that period of time we of course as we've been talking about in this hearing we have affirmatively found and eradicated Chinese intrusions in our critical infrastructure a whole variety of sectors that we believe are being used to preposition and prepare for destructive cyber attacks so we have many lines of effort one is one is about evicting cyber actors one is about providing our free services to all of our stakeholders across the country so they have the vulnerability capabilities to identify and drive remediation of these vulnerabilities and exploits taken advantage of uh by the Chinese cyber actors and then as we've been talking about here really catalyzing that operational collaboration those public private Partnerships because between government and the intelligence Community uh we really need industry to help build that Mosaic so we have a deep understanding of the threat so that we can together reduce risk to the American people is the jcdc you talk about those uh those collaborations The jcdc Joint cyber defense collaborative um what what value is that adding to the your uh China operations yeah this was of course the great Innovation brought To Us by the uh cyberspace Arium commission started out as the jicko we turned it into the jcdc because I like rock and roll uh but we've had that stood up for over two and a half years now we went from 10 companies that we're working with to over 200 and it really has been the platform that we've used to catalyze that operational collaboration which is rooted in three fundamental things a recognition that a threat to one business could be a threat to many why informing why letting FBI and sisa know about a cyber threat incident is so critical second it's really the reciprocal responsibilities of government and Industry to recognize that we have to share information in real time uh that has to be transparent the government has to add value the government has to be responsible in terms of how we protect data and then finally what the jcdc offers is a scalable way for us to share information not just with the private sector but very important Partners across the government like the National Security Agency cyber collaboration cell and FBI's NCI jtf so it really does help to put operational collaboration across the Cyber ecosystem on steroids and again we're very grateful to the Congress uh for helping to fund it and authorize it and to the cyberspace salarium commission for coming up with that great idea thank you director uh director Kroger congratulations on the new position I I wanted to in your opening testimony you mentioned the administration's focusing on harmonizing s cyber regulation uh and furtherance of the national cyber strategy as you understand the SEC recently finalized a cyber incident uh rule that goes what I believe is against CA and I Al so does the Department of Homeland Security and many sectors have said that with this new rule their cyber employees are going to be spending half their time on Appliance instead of facing the threats from CCP cyber threats um as as we pursue a CRA this week uh the Senate I might pass it and we're going to try to pass in the house what is the administration doing to harmonize between agencies and departments and thank you for your kind words and for raising this uh important topic to us as part of the national cyber security strategy has been to do Regulatory harmonization and the point point of that regulatory harmonization is to reduce the burden of compliance and the way we're going about that we have uh issued at a request for information and received more than 80 responses from uh the private sector and public sector uh right now we're going through the process of better understanding those again with the goal of reducing the the burden of compliance so that's that's our uh goal right there we understand that um I appreciate that amount of time so but someone should tell the SEC that though okay I thank the gentleman and pleasure to have you here you're welcome back anytime well maybe not anytime but uh two comments and then uh we'll close and I'll recognize a ranking member um one of the first things I said in our first hearing was that the stakes of this competition were existential now I got a lot of blowback for that but I don't think after the testimony we've heard today there could be any doubt I mean there is one path where we stumble into a war for which we're ill-prepared and even Victory might have existential consequences in the sense that it would transform America into a Garrison State or there's another path in which we slowly succumb to the sedation of tick tock and we surrender and we no longer stand for the ideals and values that uh America stands for that the rest of the world is looking to us to stand for and so while this hearing has revealed many things we need to do and while the competition in cyber with China is one that's going to outlast my time in Congress I'm confident of that there are things that we must do now urgently foremost among them in my opinion particularly in light of the testimony we heard from director Ray either ban or Force the sale of Tik Tock I mean this is this is It's bordering on National Suicide if we continue down this road and I get that Tik Tok has hired an army of lobbyists including former members of Congress who are collecting a paycheck but the time is now to do something about this and by the way if if you're invested in bite dance you're not going to take Tik Tok public in America under the current ownership structure so if only in your own financial interest we have to find a way to force a separation the time is now to act okay on that happy note I will transition to uh recognizing the hard work of the Democrat staff director John Styers who is departing the committee this week after 25 years of service on the hill almost as long as general noxon has been in uniform um I will confess John uh I we've worked together for a year you have aged me personally three years in that time there have been moments when I've lied awake in bed thinking you know life would be easier if you did leave but now I'm sad now that it's happening and uh one thing I've learned in working with John and particularly working in the human rights Community he's uh he's been doing this since before it was cool and he's truly a hero in the human rights uh community and it's been very cool to be able to see that and I'll give you the highest compliment I could give you John which is that if I had to negotiate with xiin ping with the fate of the Free World on the line I would want you on my team because I know you would drive him crazy so it's been a pleasure to work with you and with that I recognize the ranking member thank thank you so much chairman and thank you to all the witnesses this is truly been a a really important hearing a call to action more than anything else I think that we Mike and I were talking during the hearing about several ideas that you folks generated that we need to follow up on and we'll do so on a bipartisan basis uh and thank you for your service thank you general nakason for everything that you've done for our nation and uh for uh coming today uh as well as all of you and I will remember cisa.gov uh from uh Miss easterly so thank you so much uh as we try to enlist our civilian partners uh in our Collective defense Collective Cy cyber defense and employ what you call cyber hygiene uh which I love um and then I would also like to recognize our staff director John uh who's uh departing today um you know Mike covered the highlights but he's also uh had other very distinguished roles in government he was an assistant administrator for Asia usaid he was a commissioner to the US China Economic Security review he was a senior adviser to leader Pelosi and um you know now he's uh off to uh uh other other uh the next chapter next 25 years um and so uh I look forward to uh continuing to collaborate uh between us and you uh in your next roles and uh I just want to give him a big round of applause for his service I'm not done I'm I am done I yield back thank you uh without objection uh wait questions for the record are due one week from today without objection the Committee hearing is adjourned you

Info

Channel: CNBC Television

Views: 49,319

Rating: undefined out of 5

Keywords: CNBC, business news, finance stock, stock market, news channel, news station, breaking news, us news, world news, cable, cable news, finance news, money, money tips, AI, artificial intelligence, financial services, banks, banking insittutions, congress, senate, senate banking comittee, senate hearing, AI in finance, AI in banks, AI in banking

Id: W-MpWmGg5Kw

Channel Id: undefined

Length: 146min 40sec (8800 seconds)

Published: Wed Jan 31 2024