The House Oversight Committee held a hearing entitled, "Red Alert: Countering the Cyberthreat from China."
Transcript
00:00:00Good afternoon, y'all. I'm pleased to introduce our witnesses for today's hearing. Before
00:00:03we do that, I want to ask unanimous consent for Representative Moylan from Guam to be
00:00:07waived on to the subcommittee for today's hearing for the purposes of asking questions, so without
00:00:12objection, so ordered. Our first witness today is Mr. William Evanina, Chief Executive Officer
00:00:20of the Evanina Group and former Director of the National Counterintelligence and Security
00:00:24Center. Our second witness is Mr. Rob Joyce, owner of Joyce Cyber LLC and former Special
00:00:30Assistant to the President and White House Cybersecurity Coordinator. Our third witness
00:00:37is Mr. Charles Carmakal, Chief Technology Officer at Mandiant. And our fourth witness
00:00:42today is Mr. Stephen Kelly, Chief Trust Officer at the Institute for Security and Technology.
00:00:49I would now like to recognize myself for five minutes for my opening statement.
00:00:54Earlier this year, top intelligence and cybersecurity officials testified before the Select Committee
00:00:58on China about a vast long-term and ongoing campaign by the Chinese Communist Party, or
00:01:03CCP, to hack into the computer systems that operate America's critical infrastructure,
00:01:09our dams, power plants, transportation hubs, and other essential operations. We don't know
00:01:13the full extent of this campaign. Why? First, the hacks are done in a manner designed to
00:01:18avoid detection. Second, the perpetrators aren't trying to steal data or cause systems
00:01:23to immediately go haywire. It's worse. This campaign, labeled Volt Typhoon, has been underway
00:01:29for several years at a minimum. The Chinese government and its state-sponsored actors
00:01:34are using an infiltration tactic called living off the land. The hackers' aim is to blend
00:01:39in with normal Windows system and network activities and remain undetected, according
00:01:44to one cybersecurity expert. Using malicious software, Volt Typhoon finds vulnerabilities
00:01:49to penetrate Internet-connected systems to take control of devices like routers and
00:01:54security cameras, for example. The goal here isn't smash-and-grab-type theft or immediate
00:01:59system disruption. It's a lot more disturbing because China is playing the long game. It's
00:02:05silently pre-positioning itself for disruptive or destructive cyberattacks against U.S. critical
00:02:11infrastructure in the event of a major crisis or conflict with the United States. That's
00:02:16according to an advisory jointly issued this year by the National Security Agency, the
00:02:21FBI, and other federal agencies. In other words, the CCP is biding its time until it has
00:02:26reason to awaken these cyber sleeper cells. At the critical moment, they'll trigger them
00:02:30to create confusion and disarray across America by disrupting our power supply, our transportation,
00:02:37our communication networks, our water, and our food supply. This is a terrifying but
00:02:43realistic scenario. It also illustrates how China's cyber warfare against the United States
00:02:48has matured. It's now part and parcel of its military strategy and its plan to achieve
00:02:53its broader ambitions on the world stage. Earlier this year, General Paul Nakasone,
00:02:59former head of the NSA and U.S. Cyber Command, testified, the People's Republic of China
00:03:04poses a challenge unlike any our nation and allies have faced before, competing fiercely
00:03:09in the information domain. Today's hearing is a forum to discuss the challenge posed
00:03:13by China's cyber warfare and how we must, as a nation, meet that challenge. We know
00:03:19China is throwing massive money and manpower into its efforts. FBI Director Wray recently
00:03:24testified the PRC has a bigger hacking program than that of every major nation combined.
00:03:31In fact, if you took every single one of the FBI's cyber agents and intelligence analysts
00:03:37and focused them exclusively on the China threat, China's hackers would still outnumber
00:03:42FBI cyber personnel by at least 50 to one. 50 to one. What a massive, massive number.
00:03:53This speaks to the necessity of the U.S. maintaining its technological edge over China, including
00:03:58in cutting-edge fields like artificial intelligence and quantum computing. AI is increasingly
00:04:03being harnessed as both an offensive and defensive tool in cyber warfare, and post-quantum
00:04:09cryptography will be key to safeguarding critical data in the future. We also need to bolster
00:04:14cybersecurity partnerships between the federal government, the private sector, and international
00:04:19allies. These are vital pathways for sharing threat information.
00:04:23Finally, we need to widen our talent pipeline to help fill the hundreds of thousands of
00:04:28cybersecurity job vacancies that currently exist in the public and private sector of
00:04:33the United States. To facilitate today's dialogue, we are thrilled to have testifying
00:04:38today individuals who recently served at the highest levels of the federal intelligence
00:04:42community. But before we introduce, well, I already introduced them. I skipped the order.
00:04:47So you're here. So we will now recognize you for five minutes.
00:04:50Thank you, Madam Chairwoman. Forgive me for being a little late, but we have too many
00:04:55hearings. I have two markups, two hearings, two briefings, and two sets of votes today.
00:05:02So maybe we should cut back on some hearings. This past March, the Office of Director of
00:05:08National Intelligence released the annual threat assessment of the U.S. intelligence
00:05:12community. An excerpt from the report reads, quote, China remains the most active and persistent
00:05:18cyber threat to U.S. government, private sector, and critical infrastructure networks, unquote.
00:05:24Chinese Communist Party poses a significant threat to the safety and economic prosperity
00:05:29of the United States. Through a multipronged strategy that includes the Belt and Road Initiative,
00:05:35economic coercion, and military buildup, the CCP has sought to challenge the American-led
00:05:40rules-based international order. As part of its larger campaign to conduct asymmetric
00:05:47attacks on the United States, Beijing has turned to cyber attacks to steal American
00:05:53companies' intellectual property, undermine our civil society, and disrupt civilian and
00:05:58military infrastructure. Just two months ago, the Cybersecurity and Infrastructure
00:06:03Security Agency, or CISA, confirmed that CCP-sponsored groups like Volt Typhoon have successfully
00:06:11infiltrated the Federal Government's civilian and military systems. What's more, some of
00:06:17those groups have been on our networks for up to five years and lay in wait until the
00:06:22opportune moment to disrupt a military response or to disable our water and power infrastructure.
00:06:29Unfortunately, when it comes to cyber warfare, the threat extends beyond China. In fact,
00:06:35experts have identified that not just China, but also Iran and North Korea, are using Russia's
00:06:41well-known disinformation playbook to disrupt elections, infiltrate American companies,
00:06:47and generally cause malign behavior. Although disinformation campaigns and cyber attacks
00:06:54are not identical, they are two halves of the same chaotic coin. They similarly seek
00:07:01to inject uncertainty into daily operations and undermine the foundation of businesses,
00:07:07communities, and democratic values and tenets.
00:07:11Last November, Meta released its third-quarter adversarial report, which outlined the removal
00:07:18of nearly 5,000 fake accounts, all based in China. Meta removed those accounts for impersonating
00:07:25U.S. citizens and posting divisive rhetoric on deeply sensitive internal political issues
00:07:31with the intent to have an impact on the upcoming 2024 presidential election.
00:07:37But it's not just America at risk. Earlier this year, the CCP again employed Moscow's
00:07:43tactics of online disinformation to cast doubt upon Taiwan's government and to influence
00:07:50its recent elections. China has made a concerted effort to extend its power and influence across
00:07:55the world, especially in the global south. As roughly half of the world's population
00:08:01heads to the polls in 2024, China will take this opportunity, no question, to expand its
00:08:08influence and disrupt democratic processes using all tactics at hand.
00:08:14Fortunately, the Biden-Harris administration has taken unprecedented steps to counter these
00:08:19threats, both direct cyber attacks and disinformation campaigns. The White House released the first-ever
00:08:27national cybersecurity strategy in October of 2022, directing both public and private
00:08:32stakeholders to coordinate efforts to address new ambitious plans called the International
00:08:37Cyberspace and Digital Policy Strategy, seeking to work with allies to counter both Russia
00:08:43and China's global election interference efforts.
00:08:46I'm also proud to have partnered with this administration to safeguard networks against
00:08:52harmful nation-state actors. Historically, this subcommittee has held hearings to conduct
00:08:58meaningful oversight of federal IT programs and worked alongside the Government Accountability
00:09:03Office to produce a biannual scorecard on compliance with the TARP. Agencies then receive
00:09:10grades based on compliance with the law and other statutory-based IT priorities. The scorecard
00:09:18assesses compliance with the Federal Information Security Modernization Act, FISMA, evaluating
00:09:24all 24 CFO Act agency cybersecurity postures.
00:09:28For further transparency, and after years of congressional advocacy for metrics to replace
00:09:33the expiring Trump-era cross-agency priority data, OMB finally began publishing quarterly
00:09:40federal cybersecurity progress reports on performance on a performance.gov website.
00:09:48These reports measure agencies' progress in achieving milestones and implementing key
00:09:53cybersecurity measures articulated in President Biden's executive order on improving the nation's
00:10:00cybersecurity. The executive order encouraged adoption of zero-trust architecture, and I
00:10:06encourage the administration to revolve the performance.gov data and provide public metrics
00:10:11in order to assess agencies' implementation.
00:10:15To successfully stop our foreign adversaries, we need a whole-of-government approach with
00:10:20bipartisan congressional support to bolster our federal workforce and its IT infrastructure.
00:10:27And we need a whole-of-nation approach to combat the disinformation and misinformation
00:10:32coming out of Russia and China. A report from the Center for Security and Emerging Technology
00:10:37found that, quote, by 2025, Chinese universities will produce more than 77,000 STEM PhD graduates
00:10:46per year, compared to approximately 40,000, almost half that, here in the United States.
00:10:52If international students are excluded from that number in the United States, Chinese
00:10:57STEM PhD graduates would outnumber their U.S. counterparts by more than three to one.
00:11:04For our country to compete effectively with China, we need to implement the Office of
00:11:09the National Cyber Director's National Cyber Workforce and Education Strategies Recommendations
00:11:14and bolster our cyber workforce and cyber faculty pipelines.
00:11:18We'll soon introduce legislation to enhance the already highly successful CyberCorps program,
00:11:24which boasts an impressive 97 percent successful job placement rate. When passed, I hope that
00:11:31legislation will extend the scholarship cap of this program from three to five years and
00:11:36provide a pathway for more STEM-trained PhDs.
00:11:40We must properly fund the cyber defenses and basic government IT by reauthorizing and properly
00:11:46funding the TMF. In 2021, Democrats fought to secure $1 billion investment for that program
00:11:54although the president had requested $6 billion. Today, the TMF has funded 11 zero-trust efforts
00:12:01as well as numerous other cyber projects to protect our military and sensitive information
00:12:05while retiring vulnerable legacy systems.
00:12:09Congress usually sees IT as an easy thing to cut, but in most cases, IT modernization
00:12:14is a critical investment with a critical return on it with respect to the future. Pandemic
00:12:21exposed the cracks in the federal government's aging IT infrastructure and how it impeded
00:12:28mission-driven programs. Upgrading those systems is not just a national security priority.
00:12:34It's essential to making sure government stays effective and serves the people.
00:12:39State-sponsored cybersecurity and disinformation campaigns seek to undermine the very fabric
00:12:44of our society. Cyber attacks wreak chaos and prove costly. Disinformation campaigns
00:12:51obscure the truth and threaten democratic principles. We must work to resist and oppose
00:12:58both.
00:12:59I look forward to the hearing and I look forward to hearing from our witnesses. Thank you,
00:13:03Madam Chairman.
00:13:04I yield back.
00:13:05Ms. Schapiro. Pursuant to Committee Rule 9G, the witnesses, if you will please stand and
00:13:08raise your right hands. Do you solemnly swear or affirm that the testimony that you are
00:13:15about to give is the truth, the whole truth, and nothing but the truth, so help you God?
00:13:20Let the record show the witnesses all answered in the affirmative. We appreciate all of you
00:13:23being here today and look forward to your testimony.
00:13:26Let me remind the witnesses that we have read your written statements and they will appear
00:13:29in full in the hearing record. Please limit your oral arguments to five minutes. And as
00:13:34a reminder, please press the button on the microphone in front of you so that it is on
00:13:38and we can hear you up here.
00:13:40And when you begin to speak, the light in front of you will turn green. After four minutes,
00:13:43the light turns yellow and then red light comes on. Your five minutes has expired.
00:13:47And I will very kindly smile and wave this thing and ask you to wrap it up. So you all
00:13:53can be seated and I will recognize Mr. Evanina to please begin your opening statement. Five
00:13:58minutes.
00:13:59Mr. Evanina. Chairwoman Mace, Ranking Member Connolly, members of the Committee, it is
00:14:05an honor to appear before you today with my esteemed colleagues at the table.
00:14:10Our nation faces an array of diverse, complex, sophisticated, and unprecedented threats by
00:14:16nation-state actors, cybercriminals, and terrorist organizations. Each of them in their
00:14:21own distinct manner poses a serious threat to our nation, our systems, and our citizens.
00:14:27However, and unequivocally, the existential threat to our nation emanates from the Communist
00:14:32Party of China. This comprehensive threat is the most complex, pernicious, strategic,
00:14:38and aggressive threat our nation has ever faced. It is an existential threat to every
00:14:43fabric of our great nation, our capitalism, and our democracy.
00:14:48Xi Jinping drives a comprehensive and whole-of-country approach to the CCP's efforts to invest,
00:14:55leverage, infiltrate, influence, and steal from every corner of the United States. Naiveté
00:15:02by those who hope to otherwise believe the opposite will only accelerate Xi's intentions
00:15:07and progress. Additionally, the United States' private sector, critical infrastructure, academia,
00:15:13and research and development entities have all become the new battle space for the CCP's
00:15:18nefarious activities. As this Committee is aware, it is currently estimated that the
00:15:22economic loss from the theft of intellectual property from the Communist Party of China
00:15:26is nearing $600 billion per year. To make it more relevant and personal, that equates
00:15:33to approximately $6,000 per American family of four after taxes.
00:15:44China's ability to strategically obtain our intellectual property and trade secrets via
00:15:47legal, illegal, and sophisticated cyber and hybrid methods is like nothing we have ever
00:15:52witnessed before. It is said by many to be the largest theft of intellectual property
00:15:57in the history of the world. Technology, from ideation to manufacturing, is frequently the
00:16:01intended target of these efforts. Additionally, it is estimated that 80 percent of American
00:16:07adults have had all of their data stolen by the Communist Party of China. The other 20
00:16:12percent, just most of their data. Data and technology have become two of the most valuable
00:16:17commodities in the world, and acquiring them has been a high priority for the CCP.
00:16:24I believe we must approach this existential threat with the same sense of urgency, leadership,
00:16:29planning, and strategy as we have done for the past two decades in successfully preventing
00:16:33and deterring terrorism. I would offer to this committee that we are in a terrorism
00:16:37event, a slow, methodical, strategic, persistent, and enduring event which requires a degree
00:16:44of urgency of government, action, and corporate awareness. It is clear that under Xi Jinping,
00:16:49the CCP's economic war with the United States, combined with his intent to be the military
00:16:54leader of the world, has manifested itself into a terrorism-like framework.
00:17:00Let me be more specific. The CCP's capabilities and intent are second to none as an adversary.
00:17:06Countless cyberbreaches, insider threats, and nefarious penetrations into our critical
00:17:11infrastructure are ubiquitous and have been widely reported. Adding the CCP's crippling
00:17:18stranglehold to so many critical aspects of our supply chain and what results is domestic
00:17:23vulnerability we have not seen in generations, if ever. Now, we must confront and defend
00:17:29against these CCP efforts with all the known and unknown artificial intelligence accelerators
00:17:36which will come along. As we continue to drive forward with AI development for the good,
00:17:41we must also ensure security safeguards are implemented to protect from the bad. For all
00:17:46the progress we make, we must equally think of the potential of a zero-day exploit utilizing
00:17:51sophisticated AI. When we incorporate China's recent actions to include, as referenced by
00:17:56the Chairman and Ranking Member, the Volt Typhoon, sophisticated surveillance balloons
00:18:02across our sovereign land, technical surveillance stations just 90 miles away in Cuba, maritime
00:18:08port threats, Huawei, strategic land purchases near military installations, Fentanyl, TikTok,
00:18:17online influence, et cetera, the collage begins to paint a bleak picture that's beyond
00:18:23blinking red. I'm not even addressing space, deepfakes, or 5G or genomics. The inability
00:18:30or unwillingness to look behind China, the curtain they provide, and deal with the existential
00:18:35threat is no longer an option for the Congress, for the administration, academic institutions,
00:18:41and the private sector. There is no more curtain to look behind. It has been removed. There
00:18:46must be consequences levied for China's actions. Otherwise, there will continue to be no deterrent.
00:18:52Volt Typhoon should be the straw of the proverbial camel's back. Unfortunately, I believe more
00:18:59is to come. Thank you for the opportunity to join my esteemed fellow witnesses, and
00:19:03I look forward to answering your questions.
00:19:06Thank you. I will now recognize Mr. Joyce for five minutes.
00:19:11Chairwoman Mace, Ranking Member Connolly, members of the subcommittee, it's an honor
00:19:16to appear before you today. Thank you for this chance to discuss what I believe is the
00:19:21most significant cybersecurity issue faced by the U.S. That's the threat from cyberattack
00:19:26from the People's Republic of China, and the threat it poses to our critical infrastructure.
00:19:32I'm Rob Joyce. I served over 34 years at the National Security Agency, retiring as the
00:19:37Director of Cybersecurity, and I hope our conversation today, I get to provide you some
00:19:42insight into the sophistication and strategic implications of these PRC cyber threats,
00:19:48and really how the PRC competes fiercely in the cyber domain. It's been widely understood
00:19:54that for years, PRC hackers have stolen intellectual property. They've performed traditional espionage
00:20:00through cyber, but now they're preparing attacks against our critical infrastructure through
00:20:05cyberspace. So that first segment, they stole intellectual property. This is to aid their
00:20:11domestic industry. Chinese state-sponsored hacking groups like APT41 have systematically
00:20:17conducted cyber espionage campaigns to steal trillions of dollars worth of intellectual
00:20:22property and trade secrets from U.S. companies. It's been across critical sectors like aerospace,
00:20:27pharmaceuticals, energy, manufacturing, and more. For example, a multiyear campaign uncovered
00:20:33in 2022 showed APT41 had infiltrated over 30 multinational firms and exfiltrated hundreds
00:20:40of gigabytes of proprietary data, including designs for fighter jets, missiles, drugs,
00:20:45solar panels, and other cutting-edge technologies not yet patented. The brazen thefts rob American
00:20:52companies of their R&D investment and competitive advantages, undermining U.S. economic interests.
00:20:58The annual cost to the U.S. economy from IP theft is hundreds of billions of dollars,
00:21:04and that does not include the long-term impact where China closes technology gaps and brings
00:21:10competing products to markets using stolen information.
00:21:14In the second area I'd highlight is the hacking for traditional espionage. A good example
00:21:19of that cyber espionage is the intrusion last year into the U.S. State Department, in which
00:21:25the U.S. State Department discovered the compromise of its email system. The attackers accessed
00:21:29the inboxes of the U.S. Secretary of Commerce, the U.S. Ambassador to China, Congressman
00:21:35Don Bacon, and key State Department employees. All of this was before a sensitive visit by
00:21:41the Secretary of State to China. Microsoft assesses the intrusion was a Chinese threat
00:21:45actor they call Storm-0558. According to the Cyber Safety Review Board study of this event,
00:21:52of which I was a panel member, the activity was so stealthy, Microsoft still can't say
00:21:57with certainty how the credentials used in the attack were stolen from them.
00:22:02The issues of espionage and intellectual property theft have persisted for years, but now I
00:22:07want to highlight an even more troubling set of intrusions into critical infrastructure.
00:22:12In 2023, the U.S. cybersecurity community developed increased understanding that a set
00:22:17of PRC hackers called Volt Typhoon was pre-positioning on U.S. critical infrastructure. They were
00:22:23not there to steal our information, but instead prepared to disrupt vital critical infrastructure
00:22:30systems. They want to slow the U.S. military's ability to mobilize and deploy in time of
00:22:35crisis, and they want to sow societal panic at the time of their choosing. They hope we
00:22:41would turn inward and focus on serious critical infrastructure problems at home, rather than
00:22:46supporting any crisis on the other side of the globe.
00:22:50My colleague, the Honorable Evanina, talked about a simple description for their intent,
00:22:55domestic terrorism. They want to inspire panic inside our society. That's serious and disturbing.
00:23:04So this activity was discovered and validated through unique collaboration of government
00:23:08and industry, and I sit here today with some of my industry partners. Foreign intelligence
00:23:14was used in conjunction with the tremendous insight of industry, where NSA, along with
00:23:20multiple government agencies, both domestic and international, described the intrusions
00:23:25in a public advisory, and 11 of the biggest internet and telecommunication companies added
00:23:30their names to the publication as participating in the investigation. Subsequent work by
00:23:36FBI, CISA, and industry confirmed the compromise of IT systems in diverse infrastructure sectors,
00:23:43including communications, energy, transportation, water, and wastewater systems. They found
00:23:49prepositioning in the continental U.S., as well as the U.S. territory of Guam. Guam is
00:23:55significant because the island hosts the Andersen Air Force Base and Naval Base Guam, which play
00:24:00a crucial role in any potential conflict with China over Taiwan. The intrusions have
00:24:05gone on for quite some time, but have generally escaped notice. It's increasingly important
00:24:12that we understand this siege, that we work against it, and that we get our systems prepared
00:24:18to not only get them out, but keep them out. These activities by the Chinese government
00:24:23warrant your full attention and support, ensuring the PRC cannot undermine our national security,
00:24:29and I look forward to answering your questions alongside this knowledgeable panel.
00:24:32Thank you. And Mr. Carmakal, you're recognized for five minutes.
00:24:36Chairwoman Mace, Ranking Member Connolly, and members of the subcommittee, thank you
00:24:39for the opportunity to share my observations and experiences regarding this very important
00:24:44topic, as well as for your leadership on cybersecurity issues. My name is Charles Carmakal, and
00:24:49I'm the Chief Technology Officer at Mandiant. In my role at Mandiant, I oversee a team of
00:24:53security consultants and incident responders that help organizations both respond to security
00:24:58events and prepare for and mitigate the risk and impact of those security events. I lead
00:25:03the teams that are responsible for discovering and identifying the SolarWinds software supply
00:25:07chain attack in December 2020, the Colonial Pipeline cyber destructive attack in 2021,
00:25:13and the discovery of several novel and sophisticated cyber campaigns carried out by China Nexus
00:25:17threat actors. I'm here to talk about Mandiant and my personal experiences in defending against
00:25:23and responding to cyber threats emanating from the People's Republic of China. I'll
00:25:27share my firsthand observations and the observations of the team that I lead. Before we discuss
00:25:33today's threats, it's important to review what's happened over the past decade. On September
00:25:3725th, 2015, the United States and China agreed that neither government would conduct or knowingly
00:25:43support cyber-enabled theft of intellectual property for an economic advantage. The following
00:25:50year, in 2016, Mandiant analyzed our incident response cases to assess the impact of the
00:25:55agreement. We actually observed a reduction in cyber intrusions by China Nexus threat
00:26:00actors that began a year prior to the agreement. The relatively lower volume of intrusion activity
00:26:05continued until approximately 2020. Government-backed China Nexus threat actors operated notably
00:26:11differently prior to the agreement than they do in modern days. In my written testimony,
00:26:16I talk about specific ways in which China Nexus threat actors operated prior to the
00:26:20agreement. These actors operate very differently today. They're more coordinated, resourced,
00:26:26sophisticated, and clandestine. I want to talk about a few of the capabilities that
00:26:31we see them demonstrating as they effectively break into organizations across the globe,
00:26:36but specifically in the United States. We see them leveraging zero-day vulnerabilities,
00:26:41which essentially are vulnerabilities that are known by threat actors and exploited by
00:26:45threat actors before the vulnerability is known by the vendor. The tools and the know-how
00:26:50to exploit these vulnerabilities are shared amongst multiple discrete groups that conduct
00:26:54cyber operations for the benefit of the PRC. Over the past few years, we've observed targeted
00:26:59zero-day exploitation of vulnerabilities in VPN, firewall, email security gateway, hypervisors,
00:27:07and other technologies that don't commonly support endpoint detection and response solutions.
00:27:13Endpoint detection and response solutions have gotten more effective over the years
00:27:17and have enabled organizations to detect compromises in Windows environments. Therefore, we see
00:27:22China Nexus threat actors targeting those systems that don't traditionally support EDR
00:27:28solutions, which essentially makes it more difficult for organizations to detect compromises.
00:27:34To further exacerbate the problem, we see threat actors leveraging vulnerabilities in
00:27:38closed-box appliances, which are essentially systems that provide routing functionality,
00:27:44firewall functionality, or other security functionality to organizations. Because these
00:27:49appliances are closed-box, it makes it very difficult for organizations to actually determine
00:27:53if they're compromised. If an organization wants to forensically examine a compromised
00:27:58device, they often need to reach out to the vendor in order to be able to analyze it.
00:28:03Not all vendors will actually give permission to the victim organization to analyze the
00:28:06device. We also see China Nexus threat actors leveraging residential IP addresses to conduct
00:28:13their intrusion operations. Over the years, they've built a very large botnet or series
00:28:19of computers that essentially enable them to access victim environments such that they
00:28:24look like an employee of the organization by accessing the network in a close proximity
00:28:28to the employees or to the companies that they want to log into.
00:28:32So, for example, if they were targeting a company in Virginia and they wanted to emulate
00:28:36an employee that lived in Virginia, we would see them leveraging compromised home infrastructure
00:28:41that allows them to log into the VPN of that Virginia-based organization and look like
00:28:45an employee there. We also see them living off the land, which is essentially leveraging
00:28:50tools and technologies that are native to operating systems so that they can move laterally
00:28:54within environments and not get detected by the organizations.
00:28:59Given the advanced tradecraft leveraged by China Nexus threat actors, it's incredibly
00:29:02difficult for organizations to tell when they've been compromised. In fact, when we work with
00:29:07organizations and discover compromises, we often see that those compromises very often
00:29:12have lasted for weeks, months, and sometimes years.
00:29:16Over the years, I've personally observed multiple China Nexus threat actors with significant
00:29:20access and privileges to U.S.-based technology, defense, government, energy, construction,
00:29:25chemical, financial services, and health care organizations. Fortunately, I've not yet personally
00:29:30observed any actions taken by these actors that I consider to be overtly and intentionally
00:29:36destructive that could directly lead to negative kinetic outcomes or physically harm people.
00:29:42That could certainly change over time, but I just want to share my personal experiences.
00:29:46On behalf of Mandiant, I thank you for this opportunity to testify before the subcommittee.
00:29:50Ms. Buerkle. Thank you. And, Mr. Kelly, you're now recognized for your five minutes.
00:29:54Mr. Kelly. Chairwoman Mace, Ranking Member Connolly, and members of the subcommittee,
00:29:57my name is Steve Kelly. I am the chief trust officer at the Institute for Security and
00:30:01Technology, a think tank that unites technology and policy leaders to create actionable solutions
00:30:06to emerging security threats. I came to IST almost a year ago after retiring from the
00:30:11FBI as a special agent working cyber issues. And during my tenure, I was honored to twice
00:30:16serve on the NSC staff. Bonnie and I have since moved back to Indiana, but I'm glad
00:30:20to be here in the nation's capital to discuss this pressing topic with you. I am gravely
00:30:25concerned by both the PRC's illiberal global agenda and the means by which it seeks to
00:30:31realize it. For at least two decades, the PRC has carried out a rob, replicate and replace
00:30:36strategy which allows Chinese firms to benefit from stolen American innovation, begin manufacturing
00:30:42identical products at a lower cost, and put the victimized firm out of business. Over
00:30:47time and across numerous research and development areas, this strategy, enabled by large scale
00:30:53economic espionage, has allowed the PRC's technology industry to rapidly catch up and,
00:30:58in some cases, surpass the United States and allied nations. Chinese technology products,
00:31:03both inside the PRC and for export, prioritize state level interests over user security and
00:31:09privacy, exposing users to government surveillance, acting as a vector for cyber operations, and
00:31:15potentially enabling denial and disruption operations. This has been a challenge here
00:31:20at home, leading Congress to fund ripping and replacing Huawei and ZTE equipment from
00:31:25U.S. telecom networks. But the challenge is even greater in developing nations that
00:31:29often find the immediate need of economic development more pressing than the potential
00:31:33foreign intelligence risk. I am encouraged by a recent surge of interest in trusted technology
00:31:42within the investor community. For example, a group of leading investors recently announced
00:31:47their voluntary trusted capital investment principles and commitments. Another leading
00:31:51venture capital firm announced its American dynamism effort. And an array of investors
00:31:56and founders are driving a new defense tech-focused movement. While it has been a long time coming,
00:32:02many throughout the world have come to recognize the risks that often accompany lower cost
00:32:06Chinese products and are seeking more trustworthy sources, even at a price premium. I played
00:32:12a small part in planning and launching the U.S. Cyber Trustmark, a voluntary security
00:32:16labeling program for consumer Internet of Things devices, like smart home appliances.
00:32:21And I'm pleased by the enthusiasm shown by consumer technology manufacturers in this
00:32:25program. While the FCC is moving the program forward, I encourage Congress to ensure the
00:32:30program's future stability by specifically authorizing and funding it. The threat described
00:32:35by my fellow witnesses should inspire a new sense of urgency to remove the PRC's leverage
00:32:39by consistently counteracting and publicly exposing their cyber operations and by hindering
00:32:44and hardening U.S. critical infrastructure. Given numerous cyber attacks impacting critical
00:32:50infrastructure over the past several years, including the ransomware attacks on Colonial
00:32:53Pipeline, JBS Foods, and many hospitals, we are clearly not doing enough. While ransomware
00:32:59is not the focus of this hearing, it is instructive of the real-world impacts cyber operations
00:33:04can deliver. If Russian criminal gangs can achieve these effects, the People's Liberation
00:33:10Army most certainly can too. President Biden's national cybersecurity strategy calls for
00:33:15establishing minimum cybersecurity requirements for critical infrastructure through regulation,
00:33:20or where such authority does not exist, to seek it. While federal regulations are not
00:33:25appropriate or desired in all circumstances, I believe that safeguarding functions essential
00:33:29to national security, economic security, or public health and safety warrants a regulatory
00:33:34approach. If establishing baseline requirements is to be achieved, Congress will need to create
00:33:40or clarify regulatory authorities for certain sectors, and each sector risk management agency
00:33:45and regulator must be resourced to carry out the task. The infrastructure in need of protection
00:33:51is scattered throughout the nation, and it is difficult to meet their needs from Washington,
00:33:56D.C. Fortunately, there are a variety of players across the federal enterprise who are able
00:34:00to engage at the local level. CISA's Cybersecurity Advisor Program, which places personnel across
00:34:05the country, is still quite new, and often an entire region may have only one such advisor.
00:34:11While I encourage Congress to fund the sufficient advisors to cover the ground, what remains
00:34:15clear is the need for expanded and enhanced partnerships as force enablers. Fortunately,
00:34:22CISA's cyber advisors are not alone, as the FBI and Secret Service have task forces across
00:34:26the country. Emulating the successful Joint Terrorism Task Force Program, there exists
00:34:31incredible opportunity to team federal, state, and local cyber personnel to undertake both
00:34:35proactive and reactive cybersecurity efforts. National Guard units acting under their state
00:34:41authorities might also plug into this model. And given the topic of this hearing, I think
00:34:45it is worth considering what authorities might exist or be needed for active-duty cyber personnel
00:34:50under Title 10 to provide assistance or even protection to civilian entities essential
00:34:55to the operation of key military installations, also referred to as defense-critical infrastructure.
00:35:01While this approach may not scale, I believe there are scenarios under which that would
00:35:05make sense and should be explored. I want to thank the subcommittee for inviting me
00:35:09to participate in today's hearing and look forward to your questions.
00:35:13Thank you. I will now recognize myself for five minutes of questioning. I do have several
00:35:18questions, so if I could just ask if we could be brief and direct and straightforward in
00:35:22our responses, because I would like to try to get through all of them today.
00:35:26General Nakasone has stated that if a nation-state decided to attack our critical infrastructure,
00:35:31I would say that is above the threshold level of war. And in the testimonies that was prepared,
00:35:38it refers to China's cyberwarfare against the U.S. as a form of terrorism. And, Mr.
00:35:43Evanina, you said today it was an existential threat, in your words.
00:35:49So in the face of this terrorism, Mr. Evanina notes, there's little deterrence also. So
00:35:55my first question to you, Mr. Evanina, if these CCP-driven hacking campaigns are a form
00:36:00of war on terrorism, are we deterring China from conducting them?
00:36:06Thanks for the question, Chairman Mace. If we are deterring it, I'm not aware of that.
00:36:12From an intel perspective and a law enforcement perspective and a cyber perspective, what
00:36:16they are doing to us is on the border of—
00:36:19Why not? Why aren't we deterring?
00:36:22You would have to ask the policymakers in that space. But I do believe, in the same,
00:36:28as they're preparing for battle, as we heard, and a critical infrastructure, I don't think
00:36:33it's reasonable for the minimum standards to ask companies to defend against nation-state
00:36:38threat actors and their proxies. I think it's a big task for them to do. And I think U.S.
00:36:43government should take more of a hand in defeating and deterring the Chinese Communist
00:36:47Party.
00:36:48Is it safe to say this administration doesn't have a strategy for deterrence?
00:36:52I'm not aware what the current strategy is.
00:36:55Okay. Okay. So my next questions will be for Mr. Evanina and Mr. Joyce. Do we know how
00:37:00many of America's critical computer systems have been infiltrated via the Volt Typhoon
00:37:05hacking campaign? Do we know?
00:37:08I'm not aware.
00:37:09Mr. Joyce?
00:37:10I do not have that information.
00:37:11Okay. So if it's achieving its goal of gaining undetected system access, how would we know?
00:37:20So Madam Chairwoman, I believe, you know, the combination of intelligence, right, that
00:37:27revealed this campaign, as well as the capabilities of the U.S. cybersecurity industry, has the
00:37:36ability to find and defeat some of these activities. But it's going to take a combination
00:37:42of both the public efforts, the private efforts, as well as the targeted entities have to remove
00:37:50some of their outdated and legacy IT to be safe.
00:37:57The debate has been going on for the better part of 30 years, probably. Mr. Joyce, do
00:38:01we know how much money the CCP invests in cyber warfare?
00:38:04I do not.
00:38:05Mr. Evanina, do you know?
00:38:06I do not.
00:38:07Do we know what kind of manpower they throw into these efforts? We heard what FBI Director
00:38:11Wray said recently, 50 to 1, in terms of comparing it to FBI analysts. But do we know what kind
00:38:15of manpower they have?
00:38:18I think that's a conservative estimate by Director Wray, but I also would include in
00:38:21that the cyber criminal actors and their proxies that are supported by the MSS and the PLA
00:38:28should be included in that number, as well.
00:38:29Okay. AI and quantum computing are powerful new tools in the arsenal of both hackers and
00:38:33defenders in cyberspace. How much does defense of critical U.S. computer systems hinge on
00:38:39our ability to maintain and build upon our edge in AI over China? Either of you.
00:38:48I believe that AI is actually going to advantage the defense much more than the offense, especially
00:38:54in the near term. The ability to look at large scales of data to understand the tradecraft
00:38:59that might go undetected by human analysts is rapidly increasing by some of the innovations.
00:39:05So I do believe that's our advantage today.
00:39:08Mr. Carmichael, I have a minute left. Your testimony states that Mandiant, you helped
00:39:13identify SolarWinds and the Colonial Pipeline disruption in 2021. Would you say China's
00:39:19Volt Typhoon campaign is designed to make even these major hacks pale in comparison?
00:39:24So far, we've only seen intrusion operations that were very hard to detect, that were orchestrated
00:39:31by Volt Typhoon, plus many other threat actors emanating from China. We don't yet know what
00:39:36they might do, but we could tell you the capability and the access that they have is very significant.
00:39:42And they could certainly do anything similar to what happened to Colonial Pipeline or even
00:39:46much worse with the access that we know that they have.
00:39:49And how could we respond to a slew of disruptions to critical operators if all this is happening
00:39:55all at once, if they did something all at once?
00:39:57It would be very difficult to respond to. There's a finite amount of security talent
00:40:02and investigators and incident responders that could help respond to security events.
00:40:07And so if there were a cascading set of security attacks against organizations, it would be
00:40:11incredibly difficult to respond to it.
00:40:13All right. Thank you. And I'll now yield.
00:40:14Madam Chair, if you want to take another five minutes.
00:40:17No, I'll wait.
00:40:18Okay. All right.
00:40:19Okay. And I will now yield to Mr. Connolly for five minutes.
00:40:21Thank you.
00:40:22Mr. Evanina, you were ringing the alarm bell some time ago. You served in the Trump administration.
00:40:30What was your position?
00:40:31Yeah, I started as the head of counterintelligence for the United States in 2014 under President
00:40:37Obama, and I stayed there until January 21.
00:40:39Okay. And you, among other things, led efforts to protect security and integrity of the 2020
00:40:47election from foreign threats. Is that correct?
00:40:49That's correct, sir.
00:40:51Last month, the New York Times published an article, China's Advancing Efforts to Influence
00:40:54the U.S. Election Raised Alarms, and it highlighted that during the 22 midterm elections, the
00:41:02cybersecurity firm Mandiant reported that an influence campaign linked to China tried
00:41:07to discourage Americans from voting while highlighting political polarization. The finding
00:41:14illustrates how China has been using Russia's disinformation to, quote, influence American
00:41:20politics with more of a willingness to target specific candidates and parties, including
00:41:26now President Biden. I ask that we insert this article into the record.
00:41:33Without objection.
00:41:34I thank the chair.
00:41:35Mr. Evanina, during the Trump administration, is it true you were already ringing the alarm
00:41:40that both CCP and Russia were trying to influence that 2020 election?
00:41:45Yes, sir.
00:41:47And in August of that year, you issued an official press release warning, quote, we
00:41:52assess that Russia is using a range of measures to primarily denigrate former Vice President
00:41:58Biden and what it sees as an anti-Russian establishment. Your statement added, quote,
00:42:05For example, pro-Russian Ukrainian parliamentarian Andriy Derkach is spreading claims about corruption,
00:42:13including through publicizing leaked phone calls to undermine President Biden and his
00:42:20candidacy in the Democratic Party. I ask unanimous consent to insert that press release into
00:42:26the record.
00:42:27Without objection.
00:42:28Mr. Evanina, is that the same Andriy Derkach who, according to reports, quote, gained access
00:42:37to Trump's inner circle through Rudy Giuliani, the president's personal lawyer?
00:42:42Yes, sir.
00:42:43Is that the gentleman in question?
00:42:45Yes, sir.
00:42:46And is he sitting with Rudy Giuliani?
00:42:49Yes, sir.
00:42:51Aha. In fact, just a month after you issued your statement, the Trump administration
00:42:56sanctioned him, to their credit, for being, quote, an active Russian agent for over a
00:43:03decade. Is that correct?
00:43:04I believe that's correct.
00:43:06Even though experts, including you and others, have repeatedly warned us about Russian efforts
00:43:12to smear Joe Biden with false information about corruption in Ukraine and, by the way,
00:43:16one of those informants who was the key witness of the oversight impeachment hearing is now
00:43:22in jail for lying to the FBI. Is that correct, Mr. Kelly? Are you familiar with that?
00:43:28I don't have firsthand knowledge of that.
00:43:30Well, do you have any thoughts, given your new role and your previous role, about the
00:43:35dangers that can ensue? Mr. Evanina warned us correctly about Russian disinformation
00:43:42inserting itself into our politics, and it sure did get into a very high level both here
00:43:47in Congress and in targeting the President of the United States with absolutely false
00:43:52information. What could go wrong with that, Mr. Kelly? What should we worry about with that?
00:43:57Malign foreign influence operations coming from Russia, China, or anywhere else is incredibly
00:44:03problematic, and in particular, in the context of elections. So I agree with that statement.
00:44:10So in some cases, credulous people might take at face value information coming from
00:44:16social media bots, false sources who create false identities as Americans when they're
00:44:25in fact not. In fact, recently, one of the big media companies just took down 5,000 accounts,
00:44:30I think I mentioned in my opening statement, all from China, pretending to be Americans.
00:44:35But the other is that political figures might use that information, knowing or not knowing
00:44:41it's false, for political gain that could in fact be harmful to our system, especially given
00:44:49the fact it's based on false information and a foreign actor with an agenda. Would that be a
00:44:54fair statement, do you think? Yes, that can absolutely happen. Thank you. I yield back.
00:45:00Thank you. I would like to say, for the record, most Republicans in Congress are actually banned
00:45:08from Russia. And when we're talking about false sources, false information, we could look no
00:45:15further in 2020 than mainstream media that covered up the laptop and the FBI and all those national
00:45:24security advisors that signed that letter. That was absolutely misinformation, disinformation,
00:45:28right before an election. So when we talk about foreign actors with an agenda, there are domestic
00:45:34actors with an agenda. So I would now like to recognize Mr. Moylan for five minutes.
00:45:39Thank you, Chairwoman Mace and Ranking Member Connolly, for allowing me to wave into this
00:45:46hearing and speak on an issue that has plagued my district and the United States at large. The
00:45:52problem is clear. The People's Republic of China has unabashedly conducted cyber
00:45:57warfare against the United States for over a decade. The PRC uses proxy groups like Volt
00:46:04Typhoon to sidestep attribution for these cyber attacks. As a veteran, I can personally say
00:46:10that devastating cyber attacks on the Office of Personnel Management in 2015 was a cyber wake-up
00:46:18call. While many cyber attacks target our federal government, Chinese hackers' indifference towards
00:46:25targeting civilians is apparent. Chinese leadership or their proxies has continued to demonstrate a
00:46:32lack of concern toward attacking civilian infrastructures. Regardless of source,
00:46:38the blatant disregard even to the extent of launching cyber attacks during an active
00:46:43Category 5 typhoon on Guam, shutting down Guam's communications while extreme weather
00:46:49destroys billions of dollars' worth of homes, businesses, and community facilities is simply
00:46:55inexcusable. So my question, Mr. Evanina, cyber represents a facet of Chinese gray zone warfare
00:47:05that the U.S. has struggled to contend with. Part of this problem stems from using cyber
00:47:10contractors to circumvent the Chinese Communist Party attributions for these attacks. With those
00:47:18companies in mind, could you recommend steps that the U.S. should take to properly distinguish
00:47:24who attacks us? Congressman Moylan, I thank you for the question and thank you for your support
00:47:31and efforts in Guam and in the Pacific for us competing with our major adversary there. To
00:47:37answer your question, sir, I think first thing has to happen, we have to be more aggressive as a
00:47:42country, as an administration, working in partnership with Mandiant and others to attribute
00:47:46these criminal entities as what they are. They're proxies for a state-sponsored organization that
00:47:53we know is the Communist Party of China. China actors who are in the Ministry of State
00:47:58Security or the People's Liberation Army oftentimes work part-time jobs in these cyber
00:48:03organizations and do the bidding of the Communist Party of China and oftentimes are utilized to do
00:48:08zero days and other cyber activities to obfuscate attribution by the Communist Party of China. I
00:48:13think we have to get more aggressive as a country in attributing those entities as what they are,
00:48:18long arms of the Communist Party of China. Thank you. Mr. Joyce, with the limited cyber
00:48:25personnel already, Guam's cyber infrastructure suffers from deterioration and lack of funding,
00:48:31leaving civilian and military assets vulnerable to cyber attacks, while with Guam being one of
00:48:36the closest U.S. territories to China. What policy advice would you give the president,
00:48:42governor, or even myself to solve Guam's cyber insecurity? Thank you, Congressman,
00:48:49for your question. I think the most important thing is we have to have the awareness and the
00:48:53priority on this crisis to give them the resources to get rid of old, outdated, and insecure hardware.
00:49:04A lot of the tactics used in the attacks are finding flaws that could have and should have
00:49:10been patched in old and obsolete equipment. So if you can get the budgets for the infrastructure
00:49:16so that they will have cyber-capable training, so that they will get rid of their old and antiquated
00:49:23technology, and that they have the resources to get the support of the private industry with the
00:49:28expertise, I think we can make a lot of headway on this problem. Perfect. Final question. We've
00:49:33got about a minute for either, both of you, please. China is using a national cyber power
00:49:38to harass districts and state-level actors. Could the panel briefly explain the necessity
00:49:43of developing federal, state, or local cyber defense and responses? Thank you, Congressman.
00:49:52I'll start. I think the state and local and tribal cyber capabilities are the weakest point for our
00:49:57nation. I think the Chinese Communist Party exploits that, especially at the county level.
00:50:01We see that throughout not only ransomware attacks, but also, as we'll start to see,
00:50:06in election infrastructure. It's the weakest level. And oftentimes, States throughout the
00:50:10United States don't have the money to invest and to replace the legacy hardware that Mr.
00:50:16Joyce talked about. I think that's going to be the first thing to do, is to pay for that
00:50:19legacy information, utilities to be removed. Mr. Joyce.
00:50:23I think it's got to be close collaboration between the private sector and the state,
00:50:31local and tribal entities. They are often resource and expertise poor. Someone going
00:50:39to school with a cybersecurity degree, they're not excited to go into the local water utility
00:50:47and be their CISO. So we've got to then augment them with private industry and technology
00:50:52so that they can have top-notch security. Thank you very much. Thank you to the panel.
00:50:57Thank you, Chairwoman Mace. Thank you.
00:51:01Thank you, Mr. Moylan. And we're going to go for a few extra minutes until votes, which
00:51:06could be in a minute, could be in 10 minutes. So I would like to recognize myself for five
00:51:11minutes. I had a few extra follow-up questions I wanted to ask.
00:51:14Mr. Carmichael, rapid incident reporting by hack victims enables the identification of
00:51:19specific threats and limits the harm that they can inflict. But critical infrastructure
00:51:23operators vary widely in their knowledge of incident reporting protocols and in their
00:51:28compliance with them. So what can be done to improve incident reporting by non-federal
00:51:33entities?
00:51:35Thank you very much for the question, Chairwoman. Incident reporting is a very difficult topic
00:51:39because there's a number of equities that need to be balanced. You can't disclose a
00:51:44security incident too early, especially if the threat actor still has access to the environment.
00:51:49It may do something more damaging where they might escalate their attack, where they might
00:51:53steal more data. Obviously, you also don't want organizations to wait too long to disclose
00:51:58that there was a security event. And so there's definitely a very tough balance in terms of
00:52:02how long it actually should take for an organization to disclose. But at a minimum, we do want
00:52:07organizations to disclose so that the whole community has the opportunity to learn from
00:52:11it.
00:52:12Does the government provide clear guidance about these protocols?
00:52:16There are a number of regulations and requirements for disclosure. So it is confusing to certain
00:52:22organizations to understand who do they need to report to, when do they need to report
00:52:26it. And they typically have to engage legal counsels to help understand the reporting
00:52:30complexities.
00:52:31And if you're engaging legal counsels, it's probably pretty expensive for a business in
00:52:35some cases.
00:52:36It certainly could be expensive, yes.
00:52:37Do companies ever get punished, you know, if they've been hacked by the government?
00:52:41Do they get sued? You know, is there, you know, that kind of thing going on, too, when
00:52:45these things happen?
00:52:46A lot of victims of cybercrime or cyberespionage feel like they are victimized multiple times.
00:52:53So they're first victimized by the threat actor, then they might be victimized by the
00:52:56media, by their customers, by their partners. And so, yes, it is certainly complicated,
00:53:02and they do feel like they're victimized often.
00:53:05Is the government effectively sharing information it has about threat actors with the private
00:53:09sector?
00:53:10There's a lot of information sharing that's occurring from a government perspective. Obviously,
00:53:14there could always be more information sharing, better information sharing, more timely sharing.
00:53:18But there is a lot of great things that are happening.
00:53:21That's good to hear. And so talk to me, in your testimony earlier, you talked about legacy
00:53:24systems for a little bit. Talk to me about that and what dire straits we're in right
00:53:29now with regards to our vulnerabilities.
00:53:31We very often find organizations that have antiquated technologies still deployed within
00:53:36their environment. Sometimes we see very old operating systems that are deployed that have
00:53:41not yet been retired, but are still used for business critical capabilities and functionality.
00:53:45What's the oldest one you've heard of? What's been around the longest?
00:53:49We still see Windows XP, which has been long end of life for quite some time.
00:53:53How long?
00:53:54I cannot remember how long it's been, but it's probably been more than a decade, if
00:53:57I'm not mistaken. That's in the IT environments. When you look at OT environments, or operating
00:54:02Is that government specifically, or just, as you're saying, private industry?
00:54:05Across the globe. When you look at the systems that are controlling safety at nuclear power
00:54:08plants or manufacturing facilities or pipelines, what we tend to find is that there's very
00:54:14old technology that exists out there that you can't actually apply software patches
00:54:19to. And so in the IT world, you expect that you would have to apply a critical security
00:54:24patch, you know, in hours or days or maybe a month. In the operational technology world,
00:54:29sometimes the patch timing takes months, maybe a year, or maybe it never happens at all.
00:54:35And there's, you know, generally speaking, there's other compensating controls that help
00:54:39mitigate the risk of a compromise of an OT environment. But essentially, if a threat
00:54:43actor could get into an operational technology environment, it could be a pretty bad day
00:54:48for that organization, because there are generally very little controls in those OT environments
00:54:53with very old technology.
00:54:55How do we incentivize technology updates, private and public sector?
00:54:59You know, I defer to my colleagues on this panel for, you know,
00:55:02Mr. Joyce and Mr. Evanina?
00:55:04I think one of the things you have to do is you have to look at regulation, right? We
00:55:09would not have anti-lock brakes and seatbelts in our cars if it were just up to the industry.
00:55:15I am not a huge fan of regulation, but I'm increasingly convinced that the bare cyber
00:55:20minimums need to be regulated.
00:55:23Mr. Evanina?
00:55:24I would add on to that that I think it's about leadership, and it starts with the government.
00:55:27I think if the government earmarked significant dollars, a moonshot, to update our own legacy
00:55:32systems, it would obviously prevent our adversaries from getting our government systems. And I
00:55:36think that would be a leading role to stimulate a private sector to do the same.
00:55:40Yeah, we've had a lot of hearings up here, and the amount that is wasted, even in tech.
00:55:46I mean, we had a hearing last year, and DOD had wasted $300 million on a software program.
00:55:51I can only imagine what we could have done with $300 million in the cybersecurity space,
00:55:55either hiring workers or, you know, updating and upgrading software packages and technology
00:56:01to keep them safer.
00:56:03So I appreciate your time today, and thank you for being here. Do you want to be recognized
00:56:07for five minutes, Mr. Connolly?
00:56:08Thank you, Chair. You know, I want to go back to the danger of relying on Russian and China
00:56:14sources because they have an active agenda of insinuating. We've established one that
00:56:19you're familiar with, Mr. Evanina, and that was a key source for Rudy Giuliani and his
00:56:24false claims about corruption involving Ukraine, Burisma, and then Vice President Biden. And
00:56:33it's very dangerous to rely on sources like that. I want to point out three key sources
00:56:42for the impeachment inquiry on my other committee, the Oversight Committee, the full committee,
00:56:46and on the Weaponization Committee. One, a man on the lam who's been charged by the United
00:56:53States government for being a Chinese spy outright. Second, a man who's in Federal prison
00:56:59today for having been convicted of fraud. Third, a man named Alexei Smirnov, an FBI
00:57:08informant, in jail, charged by the FBI for lying to the FBI. He lied specifically about
00:57:16witnessing a cash bribe being given to President Biden, then Vice President, or out of office,
00:57:23actually, and his son, Hunter. Neither was true. In fact, it's been established Mr. Smirnov
00:57:29didn't even meet anyone from Burisma until two or three years after the alleged exchange.
00:57:35And furthermore, Mr. Smirnov has admitted that his sources were Russian agents. Other than that,
00:57:41these are reliable witnesses upon which one of the most solemn constitutional duties that falls
00:57:47upon Congress has occurred, the impeachment of a president. We relied on Russian and Chinese
00:57:55agents. That's an established fact. Mr. Evanina, what are the risks when political leaders assert
00:58:04that claims of Russian or Chinese interference are just a hoax? Could something go wrong
00:58:11when we don't take it seriously?
00:58:14Rear Chairman Connolly, I think it's important to note that we should fully expect the Communist
00:58:21Party of China, Russia, Iran, and others to participate in the same type of disinformation,
00:58:26misinformation on the upcoming election. And I think we have to be postured to be able to
00:58:30identify that quickly and notify the American public as fast and as furiously as we can,
00:58:34and then take action to notify individuals who are either part, wittingly or unwittingly, or being
00:58:39used by those nation states to promulgate their information. So I think that's really critical
00:58:43that we do that moving forward.
00:58:45So, I think, I don't want to put words in your mouth, but I'm hearing you say,
00:58:50look, before we politically decide to dismiss something as an inconvenient fact,
00:58:55we need to have some skepticism about sourcing because of what Russia and China are doing.
00:59:01Well, I think part of the playbook for Russia and China and others is to be able to sow doubt
00:59:06in all the reporting. And I think that's important. I think we should also take time to rely on the
00:59:11intelligence community, the law enforcement, the FBI, to be able to most effectively weed out some
00:59:15of this information, to be able to be in the best posture to provide that to decision makers.
00:59:20And that's what you did during the Trump administration.
00:59:23I think that's what the United States government...
00:59:25It's not a Democrat, or it shouldn't be a Democrat or Republican issue.
00:59:28Mr. Kelly, in your time in the FBI, does it echo what Mr. Evanina has cautioned us?
00:59:34Yes, there was a...
00:59:35I can't hear you.
00:59:36Yes. In the last administration, the Justice Department actually came out with a policy
00:59:41on this topic, which I think was actually a very wise approach, which is to flag the source of
00:59:49information. And so to the extent that they have information that a malicious foreign actor has set
00:59:54up a false persona on social media, they can notify the social media platform so that they can
01:00:00take action under their terms of use. But to not get into the business of fact-checking, because
01:00:05that gets very, very tricky. So I think where the facts are that we have identifiable bad foreign
01:00:11actors that are doing things, that's an opportunity then to notify the affected people, to notify
01:00:18technology platforms. And then when it relates to specifically the functions of an election,
01:00:25misinformation around the polls have closed or the polls are open or the voting day moved or
01:00:29whatever else is happening, those are the kinds of things that public officials need to come out
01:00:34and absolutely correct the factual record on.
01:00:36Thank you. I appreciate it. Thank you, Madam Chair.
01:00:40Thank you. And going back just to clarify with Alexei Smirnoff, this committee was actually
01:00:45told by the FBI that we didn't know his name when we got the access to the FBI 1020 form,
01:00:51but the FBI told this Oversight Committee, quote, that the witness was trustworthy, incredible,
01:00:56also repeated by Democrat colleagues here on the Oversight Committee, because that's what the FBI
01:01:01told us. And that witness actually was paid six figures by the FBI, over half a million dollars.
01:01:07So I don't know if the FBI just was incompetent in paying a witness that wasn't trustworthy,
01:01:13incredible, or if they were lying to Congress in this committee when they said the witness was
01:01:17trustworthy, incredible. And just a reminder, this hearing is about China. It's not about Russia.
01:01:23And we're talking about skepticism about sourcing. We should be very skeptical of mainstream media
01:01:30here today who has fed the American people lies hook, line and sinker. And in fact,
01:01:35the whole Russia hoax thing, Trump was not assisted by Russia. The Russia hoax was actually
01:01:43Joe Biden getting paid off with his family members by Russian oligarchies and then lying about it.
01:01:50And we saw that in the testimony of Hunter Biden and his deposition. And we've seen these lies told
01:01:55over and over again by my colleagues across the aisle. Every time it's an accusation, it's really
01:02:01a projection. So with that, I will recognize Mr. Timmons for five minutes. Thank you, Madam Chair.
01:02:06Back to China. I'm gonna talk about Huawei briefly, Mr. Evanina, Mr. Joyce, I'm going to ask
01:02:12you some questions at the end of it. So, you know, China was using Huawei to give next generation
01:02:18wireless technology to developing countries and to developed countries, many of which were allies. And
01:02:23they were doing that at a rate that was beyond competitive. It was essentially subsidized.
01:02:29And the FBI was able to reach out to our allies and essentially say, hey, this is a really bad
01:02:35idea. They have a backdoor in security. Their servers aren't secure. You're essentially letting
01:02:39the Chinese have all your data. And so what happened? Well, all of our allies said they
01:02:46either took steps to ban Huawei or they changed their course and are now using more secure next
01:02:54generation wireless technology. And that was done basically because the United States took
01:02:59a leadership role in informing our allies that China was not being a good actor and it's caused
01:03:05Huawei to have to completely adjust their approach to the global economy. Is that fair, Mr. Joyce?
01:03:13Absolutely. Okay. So I think this is a great model. It's a great model of how we can address
01:03:18larger concerns. So obviously, we're talking about cyber attacks, and there's no amount of
01:03:23money that the private or publicly held companies can spend to secure their networks from a
01:03:32government as big as China. There's just nothing they can do. It's not a question of if they're
01:03:36going to get a breach. It's a question of when. But what we can do is we can use the U.S. government
01:03:42and use our allies to create a consequence. So I don't see why the United States and like-minded
01:03:50countries will create a system through which the biggest issue is attribution in this proposal.
01:03:56If a company is breached and receives damages, and it's from a nation state, I think that company
01:04:01should be able to go to the government and say, look, we do all of these things right to try to
01:04:06protect our data, but China came after us. We had a breach. It cost us this amount of money.
01:04:11Obviously, there's going to be a civil suit. They're going to have to settle that civil suit
01:04:14with all of the individuals who had data breached. And so let's just say it's, I don't know, $100
01:04:20million. So then the United States says, all right, attribution's good. China did this. The
01:04:25government did this. Here's your $100 million, and then go and use trade tariffs to essentially
01:04:32make the United States whole. If we create a system like that, it can create a deterrent threat
01:04:39to nation states that are using cyber attacks as a tool. What do y'all think? Is that something
01:04:48that we should consider doing, Mr. Evanina? Congressman Timmons, yes, but I will caution
01:04:54the subcommittee here that I think the back end of this is the concern I have. Looking at Huawei
01:04:59for 15 years, we were able to get the threat relayed to the Congress who acted and had a
01:05:06replace legislation. The problem we have is Huawei is a legitimate business entity that
01:05:11functions fairly well with an intelligence collection apparatus tied to it. If we rip it,
01:05:16we need to replace it with something different. And the trouble we've had, because we don't have
01:05:21the innovation and technology based in the United States to replace Huawei, we're still stuck with
01:05:26Huawei across our country in our telecommunications systems. So to your point, I agree with, but we
01:05:31also have to have something to replace Huawei with when we rip it out. Mr. Joyce, do you think
01:05:37that the international community could create this deterrent threat that would hold China
01:05:41accountable? It's not just China, it's China, North Korea, Iran, Russia, anybody that is using
01:05:46cyber attacks as basically a state tool. Is that something that we could do? I do, Congressman,
01:05:54believe we've got to use all the elements of our national power, right? Whether it is military,
01:05:59cyber, but increasingly commercial and tariff related activities have proven pretty forceful,
01:06:07and we've seen the reactions to it. Unfortunately, a lot of these cyber criminals get to remain in
01:06:15places like North Korea, Russia, out of the reach of law enforcement cooperation. And so we've got
01:06:21to have other tools beyond law enforcement. So I think that we can resolve that by saying that any
01:06:26individual that is attacking the United States, I mean, it's no different than the Taliban. I mean,
01:06:32we sent hundreds of thousands of U.S. soldiers and waged war for decades in Afghanistan because
01:06:39the Taliban allowed al Qaeda to use it as a base of operations to attack the Twin Towers. So I mean,
01:06:44there's no difference if al Qaeda was using a computer in Afghanistan and using code to crash
01:06:51an energy grid in a hot area in the summer or a cold area in the winter. I mean, it could
01:06:59legitimately kill thousands and thousands of people if we are unable to provide heat in the
01:07:04Northeast during a winter storm, and it would be very easy to do that. And we would have to hold
01:07:11that individual accountable, but we'd have to hold the country that gave them safe harbor
01:07:17accountable. I mean, do we agree on this? I completely agree, and I think your analogy is
01:07:23right with the terrorism, because if al Qaeda had pre-deployed explosives or electromagnetic
01:07:30capability in New York City, is that different than Volt Typhoon and what they're doing here
01:07:34to potentially cause harm to our critical infrastructure? We have to look at that as a
01:07:38simple model. And if there was a cyber attack on Goldman Sachs resulting in a half a billion
01:07:44dollars in damages, are we not going to then make them whole when they did nothing wrong versus if
01:07:51you know, Hamas bombs their building? I mean, we're going to make them whole, so I don't think
01:07:55that we should view a terrorist cyber attack any differently than we would view a missile,
01:07:59because there's no difference effectively. Okay, I'm over time. Sorry. Thank you.
01:08:05I agree. Cyber security is national security. Thank you, Mr. Timmons. In closing, I want to
01:08:10thank our panelists who are here this afternoon once again for your testimony today. With that,
01:08:14and without objection, all members will have five legislative days within which to submit materials
01:08:18and to submit additional written questions for the witnesses, which will then be forwarded to
01:08:22the witnesses for their response. So there's no further business. Without objection,
01:08:26the subcommittee stands adjourned.