FBI Director Wray Testifies in House Hearing on Chinese Cybersecurity Threat to U.S. Transcript

And obviously this is a unknowable question and people continue to debate it. But in some meaningful sense, I wonder if such an invasion or the preparation for such an invasion, which would be incredibly costly, as the ranking member very eloquently pointed out yesterday, has already begun. If the intelligence preparation of the battle space has already begun.

(00:23)
Put differently, for over 20 years the CCP has been attacking us, our government, our defense contractors, our technology firms in cyberspace. That is a fact. And for a long time, these attacks were focused on theft, just robbing us of valuable technology that was then used to drive their military modernization, a really unprecedented military modernization.

(00:44)
But another focus of attack has been gathering sensitive information on hundreds of millions of Americans with attacks on companies like Anthem Health, the Office of Personnel Management. I’m sure Mr. Molten and Mr. Auchincloss and anyone else who served in the military got a nice letter from OPM after our military records have been compromised. Mine is framed in my office, in my basement.

(01:06)
According to the FBI, China’s vast hacking program is the world’s largest and they have stolen more Americans personal and business data than every other nation combined. But that wasn’t enough for the CCP. In the past few years, our intelligence and cybersecurity agency have discovered that the CCP has hacked into American critical infrastructure for the sole purpose of disabling and destroying our critical infrastructure in the event of a conflict, a conflict over Taiwan for example.

(01:36)
This is the cyberspace equivalent of placing bombs on American bridges, water treatment facilities, and power plants. There is no economic benefit for these actions. There’s no pure intelligence gathering rationale. The sole purpose is to be ready to destroy American infrastructure, which would inevitably result in chaos, confusion, and potentially mass casualties. It’s outrageous. It’s an active and direct threat to our homeland, to our military, our ability to surge forces forward in the event of a conflict.

(02:12)
And it’s not a hypothetical. As our witnesses will testify today, the Chinese government has already done it. Our cyber warriors are doing everything they can to stop it. We are dealing with malware in water utilities, oil and gas pipelines, power grids, and other utilities in our westernmost territories and across the American homeland. And the damage that could be done by this is almost hard to imagine. We need to step up and defend our critical infrastructure, defend ourselves in cyberspace. It’s a critical part of deterrence. It will take unprecedented collaboration between the public and private sectors to create the kind of layered cyber deterrence we need to prevent disaster. Because it’s not just a government problem, it’s a whole of society problem.

(02:59)
Our committee is called the Select Committee on Strategic Competition Between the United States and the Chinese Communist Party. That’s a long title. But in a very real way, the name of our committee vastly understates the problem set. It’s not just strategic competition, but a strategic threat pointed at the heart of America. If we do not address this threat, then the CCP will have the ability to turn off the lights for everyday Americans, shut down cities and cause massive loss of American lives. That’s unacceptable. I believe men and women of good faith in both parties can come together to prevent that from happening, and that’s what today’s hearing is all about.

(03:40)
I now recognize the ranking member, Raja Krishnamoorthi, for his opening statement.

Thank you so much Mr. Chair and thank you to the witnesses for coming today. I understand that General Nakasone, today is your change of command and you made time to come and see us. And so I expect this will be Nakasone unplugged, and so we really look forward to today’s testimony. Well look, folks, today we’re going to talk about Ugly Gorilla and Candy Goo. And no, these are not my kids’ Instagram handles. In fact, these are aliases used by CCP hackers working for the People’s Liberation Army, otherwise known as PLA. And specifically, this wanted poster shows members of Unit 61398, whom we indicted in 2014 for hacking into American companies and stealing intellectual property. This was the first time we’ve ever indicted PRC nationals for computer hacking in the US.

(04:36)
For years, the CCP carefully studied how the US ran cyber operations to develop its own concepts for cyber warfare. Xi Jinping himself has called for the PRC to become a, quote, “cyber superpower” and to dominate the world through information warfare. In the last dozen years, the CCP has used cyber operations for stealing IP from companies, collecting private citizens data, hacking into government emails, and even potentially gathering personal data from apps like TikTok. However, today we will be discussing an even darker side of the CCP cyber warfare tactics, activities that go far beyond merely stealing information.

(05:19)
Last May, CISA, FBI, NSA and our Five Eyes partners released a joint advisory that CCP cyber attacks were targeting US critical infrastructure, including American power and utility systems, oil and gas pipelines, and rail systems, among others. This cyber campaign titled Volt Typhoon has been active since 2021. CCP hackers accessed computer systems of about two dozen critical entities, including in Hawaii and in Guam. The hackers even attempted to access the Texas Electric Grid.

(05:58)
The purpose of the hacking was not to gather intelligence. The purpose was to install malware that once activated would disrupt or damage the infrastructure. You might ask why, very simple, to potentially harm us in a time of conflict. PLA strategists openly talk about coordinating missile strikes with cyber attacks as part of its offensive operations. Former CISA director Brandon Whale stated that, quote, “Chinese attempts to compromise critical infrastructure are to prevent the US from being able to project power in Asia or to cause societal chaos inside the United States.” This means targeting Americans. This means we could suffer large scale blackouts in major cities. We could lose access to our cell towers and the internet. We could lose access to clean water and fuel.

(06:57)
So how do we respond? First, we must be clear-eyed about the threat. The CCP’s objectives for a cyber attack are not just to impede military readiness. They also seek to target civilian infrastructure, to cause political, economic and social chaos. And in the PLA’s own words, quote, “Shake the enemy’s will to war.”

(07:23)
Second, we must hunt and destroy malware. We need to discover and destroy all malicious code the CCP is attempting to hide within our networks and our critical infrastructure. In fact, less than 48 hours ago, Reuters reported that the Justice Department and the FBI were authorized to remotely disable aspects of A CCP hacking campaign underway now, in order to protect our networks and devices. This is exactly the type of proactive action that we need to take, and we need to work with our partners and allies to do the same. I look forward to hopefully learning more from the witnesses about this counter campaign.

(08:07)
Third, we must deter our adversaries. While malicious Chinese code hasn’t yet disrupted any of our networks, any cyber attack that results in physical damage or loss of life would grant the United States the inherent right to self-defense. If the CCP were to activate code that could cause harm, we need to make sure that we have the capability to respond and to respond decisively. I look forward to hearing from our witnesses today and yield back the balance of my time.

I thank the ranking member. We are privileged to have a great panel of witnesses. The Honorable Harry Coker Jr. is the nation’s second confirmed national cyber director, a position which came out of our work on the Cyberspace Solarium Commission. Christopher Wray is obviously the director of the FBI. Jen Easterly is the director of the Cybersecurity and Infrastructure Security Agency, and General Paul Nakasone is commander of the United States Cyber Command and Director of the National Security Agency.

(09:04)
I too want to thank you, General Nakasone. I don’t want to play favorites on the panel, but when I called you to try and convince you to do this, I felt a little guilty because you’re doing your change of command today. But the fact that you were willing to do this I think is the ultimate testament, more than any of the awards you’re wearing on your uniform today, just to the type of public servant that you are, that you would be willing to do this. And whether you’re redeploying or changing command, usually you kind of drop your pack with about a week to go. You took a massive new rock in your pack because you felt so passionate about this issue. My experience working with you as chairman of the Cyberspace Solarium Commission, you were always forthcoming and generous with your time. So I just want at the outset of this hearing to thank you for an exceptional career of public service. The nation owes you a great debt of gratitude.

(09:56)
I would stand for that.

(10:21)
That was me lulling you into a false sense of security before the questioning begins. With that, I want to ask the witnesses to stand and raise your right hand, I’ll swear you in.

(10:35)
Do you swear or affirm under penalty of perjury that the testimony you’re about to give is true and correct to the best of your knowledge, information, and beliefs, so help you God? You may be seated. Let the record show that the witnesses have answered in the affirmative. Thank you all. With thanks to the national cyber director, Director Wray will begin with his opening remarks, which I believe will include a major announcement. So Mr. Wray, you may proceed.

Thank you Chairman Gallagher, Ranking Member Krishnamoorthi, and to the members of the Select Committee for inviting me here to testify today, to discuss the FBI’s ongoing efforts to protect our nation from actions taken by the Chinese government that threaten Americans safety and prosperity. Before I go on, I do want to make very clear that my comments today are not about the Chinese people and certainly not about Chinese Americans who contribute much to our country and are frankly often the victims of Chinese Communist Party aggression themselves.

(11:36)
Rather, when I talk about the threat posed by China, I mean the government of China, in particular led by the CCP. The CCP’s dangerous actions, China’s multi-pronged assault on our national and economic security make it the defining threat of our generation. Now, when I described the CCP as a threat to American safety a moment ago, I meant that quite literally. There has been far too little public focus on the fact that PRC hackers are targeting our critical infrastructure, our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems. And the risk that poses to every American requires our attention now. China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real world harm to American citizens and communities if and when China decides the time has come to strike. They’re not focused just on political and military targets. We can see from where they position themselves across civilian infrastructure that low blows aren’t just a possibility in the event of a conflict. Low blows against civilians are part of China’s plan.

(13:07)
But the PRC’s cyber onslaught goes way beyond pre-positioning for future conflict. Today and literally every day, they’re actively attacking our economic security, engaging in wholesale theft of our innovation and our personal and corporate data. Nor is cyber the only PRC threat we face. The PRC cyber threat is made vastly more dangerous by the way they knit cyber into a whole of government campaign against us. They recruit human sources to target our businesses, using insiders to steal the same kinds of innovation and data that their hackers are targeting while also engaging in corporate deception. Hiding Beijing’s hand in transactions, joint ventures and investments to do the same. And they don’t just hit our security and economy, they target our freedoms. Reaching inside our borders across America to silence, coerce and threaten some of our citizens and residents. But I can assure you, the FBI is laser focused on the threat posed by Beijing. We’ve got cyber, counterintelligence, criminal and WMD experts just to name a few, defending against it. And we’re working in partnership, partnership with the private sector, partnership with our allies abroad and partnership at all levels of the US Government, especially the NSA, Cyber Command, CISA and ONCD, whose leaders I’m honored to be here with today.

(14:50)
In fact, just this morning we announced an operation where we and our partners identified hundreds of routers that had been taken over by the PRC state-sponsored hacking group known as Volt Typhoon. The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation and water sectors. Steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous.

(15:36)
And let’s be clear, cyber threats to our critical infrastructure represent real world threats to our physical safety. So working with our partners, the FBI ran a court authorized on network operation to shut down Volt Typhoon and the access it enabled. Now, this operation was an important step, but there’s a whole lot more to do and we need your help to do it.

(16:04)
To quantify what we’re up against, the PRC has a bigger hacking program than that of every major nation combined. In fact, if you took every single one of the FBI’s cyber agents and intelligence analysts and focused them exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to one. So as we sit here, while important budget discussions are underway, I will note that this is a time to be keeping ahead of the threat by investing in our capabilities rather than cutting them.

(16:45)
We need to ensure that we sustain and build on the gains that we’ve made, that have enabled us to take actions like the Volt Typhoon operation I just mentioned. The budgets that emerge from discussions underway now will dictate what kind of resources we have ready in 2027, a year that as this committee knows all too well, the CCP has circled on its calendar. And that year will be on us before you know it. As I’ve described, the PRC is already today putting their pieces in place.

(17:26)
I do not want those watching today to think we can’t protect ourselves, but I do want the American people to know that we cannot afford to sleep on this danger. As a government and a society, we’ve got to remain vigilant and actively defend against the threat that Beijing poses. Otherwise, China has shown it will make us pay. Thank you and look forward to today’s discussion.

Thank you, sir. Director Coker, you’re recognized for your opening statement.

Chairman Gallagher, Ranking Member Krishnamoorthi, and distinguished members of the Select Committee, thank you for the opportunity to testify. I have been honored to lead the office of the National Cyber Director, ONCD, in the White House for a little over a month now. And I’m grateful to Congress and your leadership, Mr. Chairman, for creating this office. And Mr. Ranking Member, I appreciated our conversation yesterday and your abiding interest in our workforce challenges.

(18:32)
ONCD was established by Congress to advise the president on cybersecurity policy and strategy. In particular, we coordinate many important agencies with cyber missions across the government to ensure federal coherence on cybersecurity policy. We have budgetary responsibilities to ensure the government is making appropriate investments in cyber defense and resilience, and we focus on implementation and ensuring the president’s strategy is, excuse me, successfully and transparently executed.

(19:07)
Coordination and collaboration are essential to our ethos. Cybersecurity remains a team effort and I am proud to be testifying with some of our nation’s finest leaders, Director Easterly, Director Wray, and General Nakasone.

(19:23)
This hearing is timely because the American public needs to be aware of the threat to our critical infrastructure. Our intelligence community has noted that A PRC threat actor is pre-positioning to, in the event of conflict, conduct disruptive and potentially destructive attacks. The PRC threat actor, Volt Typhoon as it has been named by a private sector partner, has conducted cyber operations focused not on financial gain or espionage, but on deploying deep access into critical infrastructure systems that put those systems at risk. Their aim is clear. In the early stages of a conflict, they want to disrupt our military’s ability to mobilize and to impact the systems that allow us to thrive in our increasingly digital world.

(20:17)
We can, must, and importantly are seizing the initiative from adversaries in order to protect and defend the American people. Last year, president Biden issued the National Cybersecurity Strategy, which outlines a bold vision for a prosperous connected future and calls for us to build a future that has a foundation of deep and enduring collaboration among stakeholders in the digital ecosystem.

(20:44)
The National Cybersecurity Strategy is threat agnostic, technology agnostic, and is built on two fundamental shifts. That we must, one, rebalance the responsibility to defend cyberspace. And two, realign incentives to favor long-term investments. Today, end users of technology, the individuals, small businesses and critical infrastructure entities that make up constituencies in your districts, bear too much responsibility for keeping our nation secure.

(21:17)
We must demand more from the most capable actors in cyberspace, including the government. And we must build future systems to be more inherently defensible and resilient. This means that market forces and public programs alike must reward security and resilience. This leads directly to the first pillar of the strategy, which is simple in concept, but daunting in scope, defend critical infrastructure.

(21:46)
As we can see from PRC targeting, critical infrastructure systems are the terrain on which our adversaries wish to engage us. And critical infrastructure owners and operators, the majority of whom are private entities not governments, are on the front lines. Part of our success then will come from scaling public-private partnership and collaboration. Beyond scaling these collaborative mechanisms and setting clear harmonized cybersecurity requirements, the government must also be a good partner when an incident has occurred and federal assistance is required.

(22:23)
And even as we shore up our defense, we must also look to change the dynamics in cyberspace to favor defenders. That means, for example, addressing the open research problem of software measurability that makes it difficult to understand the quality of code we use, a topic that ONCD is working to elevate.

(22:45)
We are also working to address the over half a million open jobs in cyber fields. It is vital that we invest in workforce programs to improve the pipeline of talent, expand opportunities for all citizens to learn digital skills, and open these good paying jobs and careers to all segments of society, including those who have never seen themselves in cyber. This administration is tackling this through implementation of the national cyber workforce and education strategy, released by ONCD in July. The administration’s focus on cybersecurity has put us on a firm strategic footing to counter the threats from the PRC actors and others, but we will only seize the initiative by leveraging the foundational partners that we rely on, including Congress.

(23:37)
Ultimately, cybersecurity requires a unity of effort. No one entity can achieve our shared goals alone. Sitting here today with our close partners, I hope you’ll see how our US team is enhanced by thoughtful, patriotic cyber practitioners at all levels of government and from across industry, working together to build a defensible, resilient digital ecosystem. Again, I thank you for the opportunity to testify today, and I look forward to your questions.

Thank you, sir. Director Easterly, you’re recognized for your opening statement.

Chairman Gallagher, Ranking Member Krishnamoorthi, members of the committee, thank you for the opportunity to testify on CISA’s efforts to protect the nation from the preeminent cyber threat from the People’s Republic of China.

(24:25)
As America’s civilian Cyber Defense Agency and the national coordinator for critical infrastructure resilience and security, we have long been focused on the cyber threat from China. But as you’ve heard, in recent years we have seen a deeply concerning evolution in Chinese targeting of US critical infrastructure. In particular, we’ve seen Chinese cyber actors, including those known as Volt Typhoon, burrowing deep into our critical infrastructure to enable destructive attacks in the event of a major crisis or conflict.

(24:58)
This is a world where a major crisis halfway across the planet could well endanger the lives of Americans here at home through the disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities, the crippling of our transportation modes. All to ensure that they can incite societal panic and chaos, and to deter our ability to marshal military might and civilian will.

(25:28)
Now, the threat is not theoretical. Leveraging information from our government and industry partners, CISA teams have found and eradicated Chinese intrusions in multiple critical infrastructure sectors, including aviation, water, energy, transportation. Now, based on this information, this is likely just the tip of the iceberg. So we are working aggressively with our partners in industry and across the US Government to take action now, knowing that this threat is real and this threat is urgent.

(26:04)
First, through authorities from the Congress, based on a recommendation from the Cyberspace Solarium Commission, we are using our Joint Cyber Defense Collaborative, or JCDC, to catalyze robust operational collaboration with industry and government, to enable us to uncover additional Chinese malicious activity and to develop ways to more rapidly detect it.

(26:26)
We are also using our free services and resources and providing intelligence to critical infrastructure owners and operators across the country so that they can detect and prevent Chinese malicious activity. And we’re using our now hundreds of subject matter experts and advisors across the nation to work directly with businesses to help them improve the security and resilience of the critical services that Americans rely on every hour of every day.

(26:53)
The reality is, however, eradicating Chinese intrusions, bolstering resilience, and even some of the great disruptive work that Director talked about, it’s all necessary but it’s not sufficient. The truth is, the Chinese cyber actors have taken advantage of very basic flaws in our technology. We’ve made it easy on them. Unfortunately, the technology underpinning our critical infrastructure is inherently insecure because of decades of software developers not being held liable for defective technology. That has led to incentives where features and speed to market have been prioritized against security, leaving our nation vulnerable to cyber invasion.

(27:41)
That has to stop. Technology manufacturers must ensure that China and other cyber actors cannot exploit the weaknesses in our technology to saunter through the open doors of our critical infrastructure to destroy it. It has to change. We are at a critical juncture for our national security. Today’s hearing should serve as an urgent call to action. Specifically, every victim of a cyber incident should report it to CISA or FBI every time, knowing that a threat to one is a threat to all and cybersecurity is national security.

(28:18)
Every critical infrastructure entity should establish a relationship with their local CISA team and take advantage of our free services, including vulnerability scanning, to ensure they can identify and prevent the vulnerabilities that the Chinese cyber actors are using. Every critical infrastructure entity should use these services and CISA cybersecurity performance goals, as well as the advisories that we’ve published with NSA and FBI and international partners, to do the necessary investments in cyber hygiene to ensure that they can protect their networks, including throughout their supply chains.

(28:56)
Every critical infrastructure entity needs to double down on resilience. Businesses need to prepare for and expect an attack and test and prepare for and exercise their critical systems so that they can continue to operate through a disruption and recover rapidly to provide services to the American people. Finally, every technology manufacturer must build, test and deploy technology that is secure by design. We have to drive towards a future where cyber actors cannot take advantage of technology defects to break into our critical infrastructure. This is a future underpinned by a software liability regime based on a measurable standard of care and safe haven for those software developers who do responsibly innovate by prioritizing security first.

(29:52)
Now, none of this is possible unless every CEO, every business leader, every board member for a critical infrastructure company

… Company recognizes that cyber risk is business risk and managing it is a matter of both good governance and fundamental national security. Thank you for the opportunity. I look forward to your questions.

Thank you very much. General Nakasone, you’re recognized.

Chairman Gallagher, Ranking Member Krishnamurthy, members of the select committee. I’m honored to represent the men and women of US Cyber Command and the National Security Agency as my time as the commander and director draws to a close. Thank you for this opportunity to reflect on the considerable changes I’ve witnessed in the technological and operational environments over my nearly six year tenure, and to hear your concerns. The People’s Republic of China poses a challenge unlike any our nation and allies have ever faced. Competing fiercely in the information domain. PRC’s cyber actors are pre-positioning in our US critical infrastructure and it is not acceptable. Defending against this activity is our top priority. The men and women of US Cyber Command and the National Security Agency continue to maintain our strategic advantage, by contesting the threats posed by the PRC in cyberspace, by using the full scope of our authorities and the full spectrum of our capabilities to impose costs, deny benefits, and encourage restraint on the part of our adversary.

(31:21)
We will continue to strengthen partnerships across the US Government, foreign partners and private industries so that we may operate anywhere we are needed. We are ready in posture to contest PRC malicious activities at home and abroad. While cyberspace threats have increased, our force to counter these threats are stronger and more capable. US Cyber Command and the National Security Agency are using our capabilities and partnerships to deny the PRC opportunities, frustrate their strategic efforts and systematically eradicate intrusions.

(31:53)
One significant contribution in our ability to counter these threats is our relationship with the private sector. US Cyber Command and the National Security Agency partnerships with industries have underpinned the US government’s ability to track, detect and mitigate the PRC’s activity against US infrastructure at scale. One example of the impact of these strong relationships was demonstrated in May of 2023 with the Cyber Security Advisory, which was the first documented PRC activity against US critical infrastructure, referred to publicly as Volt Typhoon.

(32:27)
For the first time ever, 11 different industry partners, co-sealed the NSA advisory, along with our interagency partners. Additionally, other industry partners contributed behind the scenes in partnership with our Cyber Security Collaboration Center. Lastly, I would like to reiterate my appreciation for the opportunity to speak with you this afternoon and recognize the community’s continued efforts to bring attention to this critically important issue which impacts our national security, and the lives and livelihoods of the American people. I look forward to our conversation.

Thank you, sir. Director Easterly, your opening statement both written and spoken, I commend the written statement as well, really kind of teases out the troubling implications of an attack on our critical infrastructure. I read it and I’m sort of left with the implication that China’s pursuing a strategy designed to either hold us hostage in the event of an international incident, such that we would be afraid to respond, or to actually cause casualties on the homeland. Is that an accurate assessment that I could take from your testimony?

Absolutely. So as I mentioned, as I alluded to, it is Chinese military doctrine to attempt to induce societal panic in their adversary. And arguably the Chinese Government got a little bit of a taste of this in the aftermath of the ransomware attack on Colonial pipeline, May of 2021, that shut down gas to the eastern seaboard for several days. Americans couldn’t get to work, they couldn’t take their kids to school, get folks to the hospital. It caused a bit of panic.

(34:06)
Now imagine that on a massive scale, imagine not one pipeline, but many pipelines disrupted. Telecommunications going down so people can’t use their cell phone. People start getting sick from polluted water, trains get derailed, air traffic control system, port control systems are malfunctioning. This is truly an everything, everywhere, all at once scenario. And it’s one where the Chinese Government believes that it will likely crush American will, for the US to defend Taiwan in the event of a major conflict there. Now, this is also a scenario that we can and indeed must prevent through both the robust practices that I mentioned in my statement, which amounts to deterrence by denial and resilience, but also through the deterrence and escalation of punishment, a credible threat. And then perhaps most importantly, through American strength and unity and the power of our values.

And General Nakasone, you have to assume they’re targeting our critical infrastructure in Guam and other territories in the Pacific, what would an attack on that critical infrastructure mean for our ability to respond in the event of a crisis?

It could have a very significant impact on what we need to do to provide a series of different options that our commander in the Indo-Pacific region would want to respond with. Communications, an ability to be able to leverage our most lethal weapon systems. These are all areas that we would rely on.

Director Wray, remind me again of the stat. I thought it was stunning in your opening statement, that if you focused all of the FBI’s cyber professionals on the China threat, we would still be at what sort of disadvantage with respect to the humans in China that are focusing on America?

We would be at a disadvantage of at least 50 to one.

50 to one.

And part of the reason I say at least is because one of the things we’ve also seen from the Chinese Government, which has devoted massive resources to the biggest hacking program in the world by a mile, is that they also work with cyber criminals. Which is then a whole force multiplier to that already significant enterprise.

Roughly how many people or percentage of your resources are devoted to China, would you say?

Of our resources?

Yeah.

I mean it is the biggest chunk of our counterintelligence program by far and probably the biggest chunk of our cyber program by far. And then of course we have other divisions like our weapons of mass destruction folks who are the ones who did the work on COVID origins, for example, for the FBI. We have criminal folks, criminal investigation folks working on the fentanyl part, which of course much of that is coming from precursors in China. So it’s really a threat that pervades and permeates almost all of our programs.

And you have previously testified when it comes to TikTok that it screams of national security concerns. Why? What is the risk posed by TikTok in your opinion?

Well, the most important starting point is the role of the Chinese Government. The app’s parent company is effectively beholden to the Chinese Government, and that is what in turn creates a series of national security concerns in the PRC Government’s ability to leverage that access or that authority. So first the data, it gives them the ability to control data collection on millions of users, which could be used for all sorts of intelligence operations or influence operations.

(37:47)
Second, the recommendation algorithm, which could be used for all sorts of influence operations or to sew divisiveness discord. And again, that’s something that we wouldn’t readily detect, which makes it even more of a pernicious threat. And AI of course enhances all of that. Their ability to collect US person data and feed it into those influence operations makes it exponentially more dangerous to Americans. And then third and finally, it gives them the ability, should they so choose, to control the software on millions of devices. Which means the opportunity to technically compromise millions of devices. As you put all those things together, it is a threat that I think is very, very significant. And again, it all starts back with the starting point, which is the Chinese Government itself and their role and their ability to control these different aspects of it.

Thank you. My time has expired. I’m excited to recognize the ranking member because his questioning game and prop game improves with every hearing. And as they say, game respects game. The ranking member is recognized.

Thank you, Mr. Chair. First I want to discuss the impact of cyber attacks, real world cyber attacks that are happening today in Ukraine at the behest of Russia. Recently, the Russians cut off internet access for tens of millions of Ukrainians, in one cyber attack alone. And they then cut off power for hundreds of thousands of Ukrainians in a separate cyber attack. And so I have a question for General Nakasone, we actually depict this here, it could look something like this. In a conflict situation, the CCP could aim to attack American infrastructure the same way that the Russians are attacking Ukraine, right?

That’s correct.

Let me turn to a potential real cyber attack by the CCP. General Nakasone, so far we’ve discovered CCP malware in certain critical infrastructure, but they haven’t been activated yet. In the event that this malware were activated, you’d be able to attribute it back to the CCP, just like you did with Volt Typhoon, right?

We are very good at attributing, that’s correct.

Now, general Nakasone, in 2018, you were at the Aspen Security Forum, and here’s a picture of you, five years ago. And you said this, which really caught my eye. It said, “If a nation state decided to attack our critical infrastructure, that’s above the threshold of war.” Isn’t that what you said?

So I do recall appearing there from that quote, yes, and I probably would’ve said it differently today, ranking member.

And then the next part of that quotation also caught my eye. You continued by saying, “And we would certainly respond.” And in your written statement you talk about imposing costs on potential adversaries, so I just want you to say very clearly here, Cybercom indeed has the capability to respond decisively.

It does, and this is a really important point. We cannot be episodic in looking at this threat. We need to be persistently engaged, every single day, with a series of different capabilities working with a series of different partners to both enable and act. What we have done over the past five years is been able to look at imposing cost in a much broader fashion, whether or not it’s publishing an unclassified manner, what the adversary is doing, whether or not it’s working with the Bureau, whether or not it’s being able to work closely with Justice and Treasury. This is the idea of consistently being able to persistently be engaged with your adversary.

I just want to send a message to anybody who’s paying attention here, whether it’s the CCP or anyone else who would intend to put malware into our critical infrastructure. First, we will attribute it back to you if it’s activated. Secondly, that could be an act of war, and third, we will respond decisively. Let me move to another topic, and I’d like to touch on TikTok as well, Director Wray. The TikTok, CEO, came to Capitol Hill and said a couple of things that I’d like to get your response on. One is he said that our data privacy concerns with regard to TikTok are not unique compared to other companies like Facebook and X, or otherwise known as Twitter. I personally agree that other social media apps have various data privacy concerns, but the key difference is that unlike TikTok, they’re not owned by a company beholden to the CCP. And I just want get your reaction to that. I presume that you agree that TikTok is unique in the sense that it’s owned by a company beholden to the CCP.

Well, it’s certainly unique compared to Western companies, which are by their very nature not beholden to Western Governments. And what makes TikTok so challenging, and therefore so risky from a national security perspective, is that we’re talking about a government, in the Chinese Government, that has over and over and over again demonstrated contempt for the rule of law and international norms. And lines that we consider very important in the US and in the west between the private sector and the government, those are lines that are at best blurry, if not non-existent in the Chinese system.

Director Wray, I want to ask you about the news that you broke during your testimony. Thank you for your proactive action with regard to disrupting, remotely disabling this Volt Typhoon campaign. A couple of questions. One is, in this year of elections, obviously Wang Yi, the Foreign Minister, recently told Jake Sullivan, assured him that the CCP is not going to interfere with our elections this year. How do we prevent that from happening?

Well, China’s promised a lot of things over the years, so I guess I’ll believe it when I see it, would be the starting point. Second, we work very hard across the interagency, all the agencies you see represented here, plus a whole host of other partners, to try to anticipate and prevent any efforts to interfere in our elections. And there’ve been enormous strides made over the years, not just amongst all three of our agencies, but between our agencies and state and local election officials, secretaries of state, et cetera, to try to prevent cyber interference, for example, in our electoral system. And there’s of course also the pervasive problem of malign foreign influence in terms of disinformation campaigns and things like that. And there again, we have to work with the private sector and not just the interagency. But all that has to be combined with the public’s role in being a more discerning and media literate populace, because they have a role to play here too.

Sorry, one last… The routers you talked about, how many states were they located in?

I don’t have the number of states with me. I know that it was hundreds of routers, and it is a good example of the point that Director Easterly was making in her opening statement. These small office, home office routers were very outdated, which made them easy targets for the Chinese Government. And these small office, home office routers were not themselves the intended targets. The targets of course, were our critical infrastructure. But what the Chinese were doing, were using these easy targets to hide and obfuscate their role in the hacking of our critical infrastructure. And so that’s why the point that was made about making sure that we’re not creating an easier attack surface for them is so important.

Mr. Wittman.

Thank you, Mr. Chairman. I’d like to thank our witnesses for joining us today. Thanks again for your service. General Nakasone, thanks so much for your 37 years of service to our nation. I’d like to begin with you, there are some that would assert that other nations conduct cyber operations. Some of those things could have consequences on entities like hospitals and water systems and power grids and other civilian targets. What makes the PRC activities, like embedding latent malware into systems, what makes it unique in relation to other responsible cyber actors?

Responsible cyber actors of democracies like our own, do not target the civilian infrastructure. There’s no reason for them to be in our water. There’s no reason for them to be in our power. This is a decision by an actor to actually focus on civilian targets. That’s not what we do.

Let me ask this too. The ranking member talked about attribution, determining exactly who was behind the cyber attacks and then making sure that there are repercussions for those actions. I would argue too, it’s not just about us playing defense because we will never get out in front of the insidiousness that happens with cyber attacks and those folks that dream up ways to attack our system. But one thing that we can do very effectively is to have a very robust offensive capability, as a deterrent so that folks understand like China, that if there is a cyber attack on this nation that goes after our critical infrastructure, that what will be coming back their way will be orders of magnitude greater. First of all, do we have the capability to do that? And if so, do we communicate that in various ways so that China knows what the consequences will be if they take such an action?

We do have the capability and we’re very, very good, the best. And in terms of the way that we communicate it, we communicate it in many different ways. From our policymakers who have these discussions to the exercises that we conduct, to the real world examples that we do with a series of different partners. The other thing that I would tell you is that, first of all, is that we have discovered what they’re doing and we have exposed it. Secondly, the partnerships that exist here between our agencies and our commands is something that concerns the Chinese. And finally, it’s the work with the private sector that gives us scale. They may have 50 to one, but when we have the private sector, we outnumber them.

Sir Nakasone, I’m also very concerned about the CCP pre-positioning within our critical infrastructure like oil and gas pipelines. Give me a reason why someone would pre-position in those critical infrastructure and what conclusion should we reach, as Congress and the American people, from these reports?

As Director Easterly talked about, this is an attempt to provide the Chinese options in crisis or conflict. When we have discovered them in these critical infrastructures, the first thing that we need to do is to make sure that we get them out. And the second thing is that we need to have a vigilance that continues onward. This is not an episodic threat that we’re going to face. This is persistent. This is the generational piece that Director A talked to. We have to operate every day. We have to have a vigilance. We have to have offensive and defensive capabilities.

Director Easterly, you talked about holding software companies liable for the software that they’ve written for a variety of different sources, especially the electric grid. Give me your perspective on how we would most effectively do that. How could we do that in a timely way? How could we make sure that it’s done in two ways to make sure that any future software that’s written is held liable for its vulnerabilities, and how do we retroactively then address software that’s already there, that exposes those liabilities?

Yeah, thank you for the question. As you pointed out, this is both a current problem and a legacy issue. What is critical is that we start now to develop a regime, and this was part of the national cyber strategy that can actually hold software makers liable for creating defective technology. Because frankly, I believe if we had something like that and that was put in place at the dawn of the internet, and when software was developed, we would not be in a world where the Internet’s full of malware and software is rife with vulnerabilities. So we need a software liability regime that’s based on a measurable standard of care, but also safe harbor for those software developers who do responsibly innovate by prioritizing security, not speed to market, not cool features. So that’s really important, and a place where Congress could be incredibly helpful.

(50:44)
We also have been working directly with industry as general Nakasone pointed out, the force multiplier of having their presence in all of these discussions, industry to put a priority on secure by design software as well as international partners. The last thing that I’d say is we need to ensure that individual consumers are also aware that they need to be asking for products that are secure by design and not defective. We are making things too easy for our adversaries.

Thank you, Mr. Chairman, I yield back.

Ms. Castor.

Thank you, Mr. Chairman. Thank you all for being here today and everything you do to keep Americans safe. Director Easterly, I understand a high percentage of cyber attacks in the US are in the energy sector. How would you characterize the cooperation, the proactive nature of public and private entities across the energy sector?

Yeah, thanks for the question. So as the national coordinator for critical infrastructure, resilience and security, we work with what’s called sector committees essentially, that have representation from critical infrastructure owners and operators. One of the things that I found most impressive since I came into this role is that the energy sector, the people at that table are CEOs, and you do not see that across every sector. And that really shows that CEOs in the energy sector understand this issue and understand the need to make significant investments in their cybersecurity and in their cyber resilience. And so that is a very positive thing. We have catalyzed very good working relationships across the sector and of course with the Department of Energy and CESER, which handles all of their cyber work to ensure that energy companies understand the threat. We did this very aggressively around the Russian invasion of Ukraine as part of our Shields Up campaign. But importantly, understand the steps that they need to take to reduce risk to our energy grid.

And the grid across the country is aging and often in many places is decrepit, and there’s a lot of innovation going on there, a lot of new clean energy sources coming online. There’s innovation in distributed systems. I think of after Hurricane Ian hit Southwest Florida, the subdivision, the neighborhood that had a distributed system that didn’t go off-grid, they had backup power. Are you thinking ahead, working with the Department of Energy on how to build those more resilient systems where you’re not as dependent on volatile fuel sources, you’re thinking about the cyber attacks, but also long-term resiliency. How is that working and do you have any recommendations for Congress on that?

Yeah, absolutely. And in fact, that is the key word. We are living in a highly digitized, highly vulnerable, highly connected world, where frankly, it is impossible to prevent all bad things. It’s impossible to prevent disruption. So we have been working with our inner agency and our industry partners to focus on that resilience, to expect that there will be disruption and to be able to continue to operate through a disruption and to recover. And some of the exercises that we’ve worked on with our industry and our federal partners really double down on that concept, incredibly important. To the point about the aging energy grid, it sort of goes back to Congressman Whitman’s question about legacy infrastructure. We also have to ensure that we are investing in building resilience into the legacy infrastructure. It’s a difficult thing to do. I’m encouraged that there may be some use of artificial intelligence to help us rewrite some of the code bases, at least in the technology world, where you have very sketchy code that is creating vulnerabilities, we could actually help to shore it up.

And do you want to say anything about these aging routers that Director Wray referred to with Volt Typhoon? And how are they targeting Americans and what folks need to know?

Yeah, thanks for the question. So just to help folks understand, and my teammates can weigh in as well. When we talk about malware, malware has been mentioned several times. This is actually not a malware issue, and that’s why the name of that cybersecurity advisory was living off the land. What these Chinese cyber actors are doing is essentially finding a vulnerability and then finding ways to live within a computer’s operating system. So they’re actually very, very hard to detect because they look like any other person who’s operating on it, and they’ve elevated their ability to act like a system administrator. So you really can’t tell that’s a Chinese actor. That’s essentially what they’re doing on these routers so that they can build these large, essentially botnets for command and control to allow them to have a launching pad on our critical infrastructure where they take advantage of yet another vulnerability.

(56:12)
So the routers themselves may not be aging. They just essentially were created to be terribly insecure. They don’t update their software. They allow for very insecure interfaces with the internet. And I think just today at some point in time, CESER and FBI will actually publish what we call a secure by design alert, specifically for the manufacturers of routers and those small office, home office capabilities that Director Wray talked about, of the very basic things that need to be done to shut off the Chinese cyber actors from using these routers as launch points.

Thank you. I yield back

Mr. Newhouse.

Thank you, Mr. Chairman. Let me also express my thanks to each and every one of you for your dedication to keeping our country as safe as possible. As you all know, there’s an election coming up this year. The ranking member broached the subject, I wanted to delve a little deeper into this notion of election integrity. Over the past year, we as a committee, we’ve heard from a lot of different experts, it’s good to see you again, Dr. Easterly, on many of the emerging trends that we’ve been seeing in advanced technologies that are being used in misinformation campaigns. We’ve got deep fakes, AI, all kinds of social media and algorithmic types of warfare.

(57:47)
Certainly the four countries, China, Russia, Iran, North Korea keep coming up, but there’s also a lot of non-state actors that we hear about as well. So I’ve got several questions, and I think not directed to any of you, but all of you, if we have time to weigh in. So given the, what I would call ever-expanding nature of advanced technologies in all of these non-state actors capabilities, what concerns you most about US election integrity and the possibility of future election interference? Importantly for us to hear also, to adapt to these kinds of changing conditions, what policies should we consider amending? And which programs do you rely on in particular for resources?

(58:38)
The General mentioned this, should the Government expand its role in the public-private partnerships? And all of this, how does this all occur without infringing on the First Amendment, the right to free speech and also each state’s constitutional free and equal elections clause? And then just for people listening to this hearing, what gives you confidence and faith in our ability to ensure free and fair elections? So I’ll start with you, General Nakasone.

Let me start with the last part of your question, Congressman, which is, we’ve done this before and we’ve done it successfully before. 2018, 2022, all of the agencies at this table have been working together. This is our fourth effort in terms of election security, and I’m very confident in terms of what we will be able to deliver, a safe and secure election. That’s based upon the fact that not only has our methodology gotten better, but our partnerships have expanded. It’s not just the partners at this table, it’s the private sector. It’s understanding internationally where we need to be able to partner and see what adversaries are doing outside the United States and do that very effectively.

It’s a really important question, thank you. So CESER serves as a sector risk management agency for election

… and infrastructure security. So we lead the federal effort to support state and local election officials who are those on the front line of managing, administering and defending election infrastructure. I have confidence because of the enormous amount of time that I’ve spent with secretaries of state, chief election officials, state election directors who work every day to ensure that they can effectively defend their election infrastructure from the full range of threats, from cyber threats, from physical threats, from operational risks, and from foreign malign influence. And I think what’s incredibly important is for the American people to understand the enormous amount of work that’s been done with our partners in the federal government, but at the state and local level and with industry to improve the security and the resilience of our election infrastructure.

(01:00:56)
One thing to note that it’s the diversity and decentralization of our election infrastructure because it’s managed by state, by 8,800 separate jurisdictions around the country, that heterogeneity gives it resilience. And there’s also enormous amounts of controls, physical, technological, procedural that keeps that infrastructure resilient. So the American people should have confidence in the integrity of our election infrastructure. And every American, if they have any questions about it, serve as a poll worker, serve as an observer, talk to your local election officials and ask them questions. It’s a transparent process, but everybody should support their election officials who are working hard to ensure the integrity of our most foundational democratic process.

Thank you. Mr. Wray.

Well, I would second the remarks of both of my colleagues. I’ll just add in terms of things that we’re concerned about. You alluded to the role of DeepFakes. Obviously, AI will enhance some of the same information warfare that we’ve seen from our foreign adversaries for quite some time. We’re also concerned about the ways in which misinformation, disinformation warfare, if you will, from a foreign adversary and cyber attacks can work in tandem.

(01:02:15)
And I think for example, about the Iranians’ effort in the fall of 2020, that Director Ratcliffe and I did a public announcement about where you had a cyber intrusion that was not as effective as the Iranians might have wanted others to think it was, but they had built sort of a disinformation campaign on top of it. We were able to expose it and largely render it ineffective working with all of our partners up here. But that’s the kind of thing that I think we will see more of. So what am I confident in? I’m confident in my partners, Americans can be confident in our election system and our democracy, but I am also mindful of the fact that our adversaries are getting more and more sophisticated and that there are more and more foreign adversaries who want to get in on this game.

Thank you. Gentleman’s time has expired. Mr. Moulton.

Thank you, Mr. Chairman. It’s easy to think of the threat… Not working. Maybe that would help. Thank you, Mr. Chairman. It’s easy to think of the threat posed by the Chinese Communist Party is something far away. They may be carrying out a genocidal campaign against ethnic minorities in their own country. They may be building more nuclear weapons more quickly than any other country in the world, and they may steal secrets from our military and our private businesses every single day. But your testimony makes clear that what the Chinese Communist Party is also doing right now is positioning themselves to change the lives of every American in ways that we wouldn’t expect, every single day, to cut us off from our water or electricity whenever they want, to take control of our phones or our personal data, to take out the GPS system that we rely on that helps our kids get home.

(01:04:04)
Those of us who see classified intelligence have seen China building these capabilities for years. But most of our critical infrastructure, our electricity and water and rail systems, they’re run by state and local governments or the private sector, they may not understand these threats. So Director Easterly, how do we in the federal government ensure that these entities are protecting the system so vital to all of us? How do I convince a small town in my district like Marblehead, a town of 20,000 where I grew up to invest in cyber security to stop the Chinese military? I mean, I’m all for holding software makers accountable, but if a water authority doesn’t update their software for 10 years, that may be too late. So how do we protect ourselves today?

Yeah, it’s a great question. So we have to attack it both at the software developer level, but then of course at the software user level. But as we know, many of these public utilities and even smaller critical infrastructure entities are target rich but cyber poor. They might have two people who are focused on security and they’re the same two people who are doing administration or the finances for the company. And so one of the things that we’ve done with the support of Congress is built a very large field force of advisors and subject matter experts to be our frontline forces to work with all of the critical infrastructure owners and operators, the businesses large and small, to ensure that they are aware of the free services that we have that can make it easy on these entities to actually ensure their security and resilience. So very basic things.

Well, I think that a lot of entities probably don’t know those exist. And so this is a place where we’d love to work with you on the committee to make sure these small towns [inaudible 01:05:51].

That would be fantastic. Cisa.gov, all our free stuff. But the other thing, just one last point. Basic, basic, basic cyber hygiene. It’s not rocket science. If they do the basics, they can stay safe.

Director Wray, you explained that TikTok is beholden to the Chinese Communist Party, which can access users’ private personal data, influence their feeds. Earlier this month, Cloud Fair reported that Taiwan experienced a 3000% increase in distributed denial of service cyber attacks last quarter. 3000%, I imagine that’s a coincidence with their election. So the Chinese Communist Party has shown a willingness to influence elections. I’m heartened by the experience and competence of the federal government in protecting the integrity of our election system. But I mean, just to understand, if the CCP were to want to change TikTok feeds to bias one candidate or another in the upcoming presidential election, would they be able to do so?

My understanding is that under Chinese law, that would be something that they would be permitted to do.

And we already know they influenced Chinese children to study science and math. Could they be able to suggest to American kids that they use more drugs?

Again, my understanding is that the Chinese government and the Chinese Communist Party, if it wants to exercise that authority can easily exercise that authority.

General Nakasone, China describes its cyber efforts as proceeding along four vectors, deterrence, reconnaissance, offense, and defense. Deterrence. How do they think about deterrence and how do we think about deterrence in response?

So in terms of the way that we think about it, congressmen, as we think about a deterrence by denial and deterrence by cost imposition. Deterrence by denial is what we’re discussing here in terms of publishing and being able to expose what the Chinese are doing in an unclassified manner. This is the difference. This is the challenge China now faces. We have uncovered what they’re doing and we will continue to do that.

So as we uncover this, and I’m running out of time, but I want you to comment on one other thing, General Nakasone. It’s clear from all we’ve heard, including the workforce challenges that Director Wray described, that we need more cyber experts to serve our country. Given the threats that we’ve laid out today, do you have a message for young Americans who might want to do something about this?

The future of our nation, the future of our economy, is tied so closely to the future of our ability to operate in cyberspace. If you’re looking for challenge, if you’re looking for fulfillment, I would tell you that any of the agencies that you see here provide a mission and a responsibility that would dwarf your imaginable expectations. And I truly believe in the importance of national service and I would encourage all Americans to think about that.

Thank you, Mr. Chairman.

Thank you. I feel like we could make Seth a colonel in the reserves or something. You could take advantage of that.

Thank you, Mr. Chairman. And thank you all for being here today. Director Wray. I wanted to follow up with you on some of the comments that you had made in addition to the cyber security issues. You talked about the human sources, the insiders, corporate deception, Beijing hiding their hand in corporate joint ventures and this whole topic of leverage and beholden to the CCP. When you appeared in October on 60 Minutes, you mentioned you’d seen a variety of efforts by Chinese businesses attempting to inquire businesses, land and infrastructure in the United States in a way that presents national security concerns. I saw that and I thought that was a very powerful statement.

(01:09:40)
I followed up with a letter to you outlining some concerns I had about an investment in my own district. In my own district, there’s a company, Goshen, which is a CCP affiliated company. It’s worked with the PLA and many of its top leaders, including the leader of its North American operations, have ties to the CCP. Goshen is wanting to build an electric vehicle battery factory in my district, and it’s been given hundreds of millions of dollars in federal, state and local tax dollars to do so. To build and operate its factory in my district, Goshen plans to bring 20 to 50 Chinese nationals to Michigan. If that happens, how confident are you that it will not be used for espionage? In other words, do you believe there’s a risk these individuals will be spies working in the United States?

Well, I’d have to drill in deeper on the specific example to be able to weigh in on that. But what I can tell you is that a lot of this ultimately traces back to the blurry, if not nonexistent line between the Chinese government and its private sector and the Chinese government’s ability to, should they choose to leverage that authority, that reach, that access in a way that undermines our national security. Which is why acquisitions, buying land, buying businesses and so forth, while maybe legal can still raise national security concerns because it provides a vehicle for them, if they want to leverage that access, to conduct surveillance or other operations that undermine our national security.

(01:11:32)
And we’ve seen time and time again where they have used that access, leveraged that access to do that. And in a way it ties into the operation that we’re here talking about this morning, which is leveraging in a different sense, the access is the problem. We don’t want to wait until they’ve actually stolen whatever the information is. We need to try to get, as they say in the counterterrorism context, left of boom.

How confident are you in the State Department’s vetting process when it comes to Chinese nationals in this country?

Well, I’m not the expert on State Department processes. And I want to be clear, as I said in my opening, that our concerns are not just with all Chinese nationals, our concerns with the Chinese Communist Party and the Chinese government. And the Chinese government has shown a willingness to leverage insiders who have no origins in China, for example. So vetting is a very important part of our resilience and our national security, but it’s not sufficient in its own right.

So your concern is with the leverage, they could do that with Chinese nationals, they could use it with other individuals as well. What kind of leverage are you seeing right now the Chinese Communist Party using in this country?

Well, it covers a covers of the waterfront. So I’ll give you one example that’s public. So GE Aviation, a major public, very sophisticated company, entered into a joint venture with, it wasn’t a Chinese company, but the Chinese were able to recruit an insider at the joint venture. The joint venture was then able to get access to sensitive GE information, which then he used to help Chinese intelligence officers back in China hack GE’s systems. So you had the joint venture, which enabled the recruitment of the insider, which enabled the cyber hacking. And then for extra credit, the guy was able to essentially cover the tracks because of his insider access.

(01:13:48)
Now, fortunately, there’s a happy ending to that story because GE did what we want all businesses to do, had a good relationship with the FBI and our local field office, and we were able to essentially run a sting operation back against the Chinese, prevent millions and millions and millions and millions of dollars of R&D from being fleeced by the Chinese, and essentially lure an MSS officer who was involved to Brussels where he was arrested, and we extradited him and he’s now in federal prison. That’s what we need to happen more often. But it also shows that if a company is sophisticated and big as GE can fall prey to this, what company couldn’t?

So GE did the right thing. If the company was a CCP affiliated company, would they have done the same thing?

I wouldn’t count on it.

Thank you.

Gentleman’s time has expired. Mr. Kim.

Thank you, Mr. Chair. Thank you to the four of you for coming on out here today. I guess I wanted to just build on something that Congressman Moulton was talking about. Director Easterly, you talked about just the importance of being able to connect in with the different communities across our nation. I was very interested in what you said about the field force of making people aware and organizations aware of the services that are being provided. And a lot of the conversation today has been talking about how can we prevent some of this type of situation where we would have these vulnerabilities with our critical infrastructure. But Director Easterly, you also framed it and I thought it was a very poignant way to frame it, talking about some of the concern of societal panic, I think is the phrase that you used. Something that can be done against us that can very much damage our ability to operate, create that kind of concern amongst the American people that could sway political decision-making and weighing decisions in that way.

(01:15:37)
So I guess I just wanted to ask the four of you. Yes, we put everything that we can into trying to prevent something from happening, but God forbid, something were to happen, some type of major disruption, whether GPS or something else of that nature. What kind of active planning are we doing in a whole of government way? Are the four of you brought into that type of coordinated effort for that kind of zero hour day after type of planning? I just want to have some sort of assurance or some sort of understanding of what kind of work you all are doing in that responsive way, not the preventative way, to tackle this issue and prevent that type of societal panic, though you all were worrying us about. Please, wherever you want to start, Director Easterly.

Yeah, I’m happy to start. And really, it’s not my phrase, societal panic. It’s the Chinese, part of their doctrine, and it’s a pretty scary phrase frankly. But we are working very closely with FEMA, our partners in the department, and they are going to lead a whole of nation planning effort to ensure that we can respond to significant national security events. Now, this is of course building on years and years of national readiness plans and national response plans.

(01:16:59)
With respect to cyber in particular, we were asked by the national cyber director as part of the national cybersecurity strategy to update the national cyber incident response plan. So dealing with massive attacks across the country, and we’re working on that very closely with our government partners as well as with our industry partners because as you’ve heard, industry plays a critical role in this because they oftentimes have the best information on what’s happening in private critical infrastructure. So that connectivity will be incredibly important for us to catalyze an effective response if there is a major attack on our nation.

Mr. Coker, I just want to turn to you. How do you feel about our readiness and preparation in that kind of capacity? Are we doing everything we need to at the federal, state, and local level?

Thank you for the question and the concern. And while I am very confident that we’re taking the steps that we need to. For example, I think you heard about some of the exercises that we’ve worked with CISA on to prepare our sector risk management agencies for these types of situation. I am concerned that we continue to work with the state, local, tribal, and territorial governments. We’ve said several times today, they’re on the front lines, these types of actions, and I view them as being a combatant commander, if you will, with many of us being supporting commanders. They’re the ones who need our support. So it’s part of our shift in the national cybersecurity strategy to shift the burden, the responsibility to those that are most capable. In this instance, it’s the federal government that’s most capable to prevent and then to lead the resilience in the case of an instance like this.

Okay. Well, look, I love to keep up with this because I mean, look, in New Jersey, we have a lot of readiness in responding to the hurricanes and other storms, but I just don’t really feel like there’s a lot of muscle memory in order to understand how to be able to deal with some of these other types of approaches. I’ll just end with Director Easterly again, we’re talking about the readiness that we need. I have a real concern about some of the funding discussions we’re having here on Capitol Hill. Last September, House Republicans voted on a budget that would cut 22% to CISA. I guess I just wanted to get a sense from you what that would do in terms of our impacts and readiness.

It would have a catastrophic impact on our ability to protect and defend the critical infrastructure that Americans rely on every hour of every day.

Thanks for heading home. I yield back.

Mr. LaHood.

Thank you, Mr. Chairman. I want to thank all of our witnesses today for your valuable testimony and the work you do to help protect Americans on a daily basis. In particular, General Nakasone, I want to wish you continued success in a well-deserved retirement. I want to focus my remarks initially on the importance of reauthorizing Section 702 of FISA, the Foreign Intelligence Surveillance Act. And as we know, Section 702 of FISA is set to expire here in Congress, if we failed to reauthorize that program on April 19th of this year.

(01:20:16)
And I would argue it’s of existential importance to this country from a national security standpoint. And 702 is a crucial tool for providing the US with the ability to target foreign people overseas to gather information that allows us to protect our citizens both abroad and here at home. And when we think about today’s topic, the CCP cyber threat to the American homeland and national security, I want to direct my questions to Director Wray and General Nakasone. Can you talk or explain on how the information derived from Section 702, as we specifically focus on our topic today, aides in protecting our troops from China’s malign activities in the Pacific and the US effort to counter China’s cyber espionage here, here on US soil and our efforts to prevent transnational repression?

Well, I want to strongly second your comments about Section 702 and its indispensability to our national defense from foreign threats. Specifically in the context of today’s hearing. 702 is the greatest tool the FBI has to combat PRC hacking groups. Just to give a concrete example, just last year thanks to FISA 702 information, we were able to identify PRC state cyber actors taking initial steps to access a particular US transportation hub. And we were able to quickly notify the entity and share technical details, which enabled them to be able to kick the Chinese off the networks before harm could be done, before some of the more apocalyptic scenarios we’ve been talking about here could transpire.

(01:22:02)
That’s the kind of thing that happens, frankly, not infrequently in our work. That is 702, enabling us to identify PRC malicious cyber activity, targeting Americans, targeting American critical infrastructure and enabling us to warn victims, to notify them with details that enable them to take effective defensive action. And so in my view, failure to reauthorize Section 702 or for that matter, reauthorizing it in a way that severely or restricted our ability to use it would be a form of unilateral disarmament in the face of the Chinese Communist Party, which I can assure the American people, the Chinese government is not tying its hands behind its back, it’s going the other direction, and we need to do the same.

Thank you. General Nakasone.

Congressman, Section 702 is the most important authority that the National Security Agency uses every single day to keep Americans safe and to secure our nation. As someone who was at the Pentagon on 9/11, to consider that we would return to the days before Section 702 where we couldn’t connect the dots is almost inexplicable to me. The other piece that I would add to your question is 702 is so agile that it provides us an ability to see the Chinese precursor chemicals that are being used to feed fentanyl, which is the scourge of our nation. A hundred thousand Americans lost their lives in 2022. 702 allows us to identify those precursors that saves lives. The final point that I would offer is that of the surveillance authorities that are out there today, the most transparent, the most effective, the most important authority is 702. It balances civil liberties and privacy and the requirements of our national security.

Thank you. I yield back.

Thank you. I thank the gentleman for his incredible work on that issue as well. Mr. Torres.

Thank you. General Nakasone, the United States is a cyber superpower. Do you consider China a comparable cyber superpower?

Congressman, I consider China a near-peer adversary. Yes.

And what is the likelihood of China out-competing the United States in cyberspace?

I think given the attention that we’re putting on this today, the realization that our nation must change the strategic environment, that it must change our national defense strategy, our national security strategy, I think we will maintain that superiority.

A reassuring answer. During World War II, the United States was concerned that Nazi Germany would be the first to develop an atomic bomb. Today, we’re concerned that China could be the first to develop a quantum computer capable of breaking modern encryption. Director Easterly, who’s winning the quantum computing arms race?

I would probably ask General Nakasone to weigh in on that specifically.

Sure.

Congressman, you pointed out one of the critical things that we’re moving towards right now. Our agency creates the keys, codes and cryptography that ensures the underlying encryption of our nation. We are developing those keys, codes and cryptography and partnership with NIST to ensure that our nation is safe from a quantum computer, which you described. National Security Memorandum 10 talks about this. We are well on the way to being able to do that, and we will be able to defeat any type of quantum capability of the Chinese have in the future.

So we’re winning the race?

We are.

Artificial intelligence. There’s a real risk that advanced AI could enable anyone anywhere to carry out a cyber attack on critical infrastructure. What can be done to prepare ourselves for a world of widely distributed cyber weapons of mass destruction?

This is an area where I have significant, significant concerns because AI is moving faster. It is moving at a speed that is three times the speed of Moore’s law. It is unpredictable, and it will probably be the most powerful weapon of our generation. Most powerful weapon of the last generation was owned and operated by nations who are disincentivized to use it. These are generally owned and operated and produced by private sector companies who are driven by a profit motive. So we need to be very, very specific about the guardrails and ultimately the type of regulation that will help prevent the use of these capabilities for nefarious purposes by rogue nations, by cyber criminals, by terrorists. And we need to move incredibly quickly to do that. I think this and China are the two generational issues that we need to be riveted on to protect our nation.

And as you noted, AI development is largely unfolding among a small number of companies, secretly behind the scenes. And I think most of us, even in Congress, are out of the loop. Do you feel like these companies are keeping you abreast of the latest advances in AI and the implications that those advances would have for cybersecurity?

Well, I think one of the good news stories is because of the illumination of this issue and the inherent risks by the Congress, by the administration, industry has had to come to the table and actually work in a more transparent way, which we greatly appreciate. But we need to see more of that. And frankly, we need to have secure guidelines in place. There needs to be secure by design for AI, which is why we’ve been working with all the big generative AI companies and international partners to ensure that when these capabilities are created, security is the top priority.

There are multiple leaders, the CISA director, National Cyber Director, the Deputy National Security Advisor for Cyber and Emergency Technology, the Head of CYBERCOM, who play a role in setting cyber policy. And there are multiple law enforcement agencies, FBI, Secret Service, Homeland Security investigations that play a role in combating cyber crimes like ransomware. Who is in charge of coordinating the various moving parts of cyber policymaking and law enforcement?

Statutorily, it’s the Office of the National Cyber Director that serves that purpose, sir.

And how does your role differ from that of the Deputy National Security Advisor for cyber and Emerging Technologies? What’s the difference between those two roles?

The National Security Council at large yields all mechanisms of national power and cyber is but one, so when the NSA provides guidance and advice to the president, it’s far broader than cyber. Our domain is on-

No, but there’s a deputy NSA specifically for cyber. So how does that role differ from yours?

We work very closely together, but the big difference is there is more of an operational flavor to that role than my role. Again, our office is providing strategic and policy guidance, not operational guidance, which is what the National Security Council does with our colleagues. Again, far broader than cyber, but more operational than the Office of National Cyber Director. But I also want to be real clear that we work very closely together. Literally weekly, we have a sync leader to leader, but our staffs are working together daily.

Gentleman’s time is expired. Mr. Johnson.

Director Easterly and Director Wray, I just want to have a conversation with the two of you, largely around the maritime, the port situation. It seems to me that our ports are becoming more reliant on equipment, technology, infrastructure from PRC-affiliated firms. I find that concerning.

Is that a legitimate threat?

Yes.

So I think it’s a good example of the theme that we’ve been talking about in this hearing, in other contexts as well, which is if you’re talking about Chinese businesses, there is the potential that they can be leveraged by the Chinese government for all manner of concerns. When you combine that with some of the cybersecurity concerns that have also been discussed here in the context of ports and maritime security, it’s sort of a double whammy.

Yeah, I mean, these supply chains, of course, are so interconnected and so heavily reliant upstream and downstream. It doesn’t take very much hitch in a giddy-up to start to strangle our ability to engage an international trader to power the American economy. How do you assess the awareness of our maritime partners, the port operators, shippers, carriers about this threat?

Yeah, so one of the issues, and you may be alluding to this sir, is that 80% of cranes in our ports are ZPMC. So it goes to the point about Chinese controlled infrastructure in our critical infrastructure. Part of the issue is, and we work very closely with the Coast Guard who serve as the Sector Risk Management Agency for maritime transportation systems. We make all of the owners and operators aware of the very real threat and the risk. But when you have such almost a monopoly in a manufacturer, it’s very hard to rip-and-replace, same concerns with the communications infrastructure. So what we do is we provide working with the Coast Guard information on the threat and we provide what they can do to mitigate the impact of that threat. So there are things that can be done to lessen that risk, but of course we should work to be able to not have to depend on this type of Chinese infrastructure, which ultimately is controlled by the CCP.

And you’re exactly right, and I think that’s worth double underlining that 80% of the ship to shore cranes are manufactured by PRC affiliated firms. It does seem like that is quite a liability, all things being considered. Director Wray, more to add on that front?

Well, I would agree with both your comments and Director Easterly’s. I would just add that it’s about more than just the ports and the cranes. Maritime sector more broadly is something that we know the Chinese have targeted, and that’s part of why together with CISA and Coast Guard and others, we’ve tried to put out a lot of information about best practices, mitigation, guidance, et cetera, to try to reduce the risk. But ultimately, if we’re going to be in a more secure posture, we’re going to have to be mindful of the Chinese government’s ability to leverage its businesses.

So let’s assume that y’all are doing everything right. You’ve done a good job educating these private sector partners because so much of this infrastructure as we’ve talked about, whether it’s electricity, whether it’s water, and now we’re talking about ports really is owned and operated by the private sector. Let’s assume you’ve done a perfect job of educating them. What do you assess they need to do better over the course of the next three to five years to minimize the dangers of this threat?

I’m happy to start. One other thing I’ve mentioned, FBI and CISA actually put out something specific about Chinese manufactured drones, which is another area we have significant concerns in. But in terms of what they need to do, it goes back to ensuring that they have an awareness of the threat environment and that they’re taking those measures to invest in basic cyber hygiene. Some of this are just taking the basics to understand your infrastructure, to know what the vulnerabilities are so you can drive remediation of them. That cyber hygiene is so important. I made the point in the opening statement, but I really think it’s worth doubling down. Every CEO, every board member, every business leader of a critical infrastructure owner or operator has to see cyber risk as a core business risk. They have to manage it as a matter of good governance and national security. So that’s an important message to anybody that leads an organization in this nation.

I would just add to those very good points that much as a Director Easterly referred to in her opening statement, same thing in the kind of supports in maritime security more broadly, we need victims to reach out to us immediately, because the victim who reaches out to us immediately is the one who’s going to supply the information that will enable us not just to be able to share information with them to better mitigate and prevent their attack from becoming worse, but more importantly in many ways, prevent the attack from metastasizing to other sectors and other businesses. So the first victim that gets contacted, that victim’s information is what helps us protect all the other organizations and victims that are potentially out there.

(01:35:08)
And so we see all the time when it’s done right, businesses reaching out to their local FBI field office, we’re able to be there often within an hour or just a little bit more sharing technical indicators that they wouldn’t have had. The dots get connected. They’re better able to prevent that attack from getting worse. But then they’re also able to share intelligence which enables us collectively to then arm other businesses and other ports, let’s say in this case from being victims and get again, you’re getting further left of boom.

Mr. Chair, I would close by noting that we have hyper optimize these supply chains for efficiency, but we cannot leave resilience behind, including of course cyber. Thanks. I yield.

Mr. Auchincloss.

Thank you, Chairman, for today bringing together witnesses with such credibility and commitment to defending our democracy. I appreciate it. This hearing brings to mind my favorite anecdote from the Civil War. It was 1864 and Grant just took command of the army of the Potomac and he was surrounded by his senior staff and they were preparing for their march into Northern Virginia and they kept on saying, “Well, Lee’s going to do this and Lee’s going to do that. And what if Lee thinks about this?” And he snapped, and he said, “Stop worrying about what General Lee is going to do. Let’s make him worry about what we’re going to do to them.” And I think about that a lot when it comes to cyber, because we have to do all of these things that Mr. Johnson put forward so articulately about making ourselves resilient, but we also have to make them worry about what we’re going to do to them.

(01:36:52)
And it strikes me that the best offense we have is not actually the NSA’s ability to hit their critical infrastructure, although I know we can do that. And we’re in the clear right now, and I’m not going to ask you all the details, but that needs to be there. But actually the best offense that we have is to turn their domestic populations on those regimes, to allow their own people to debate, to deliberate, to ask themselves whether they like three-year COVID lockdowns, to whether they like invading another sovereign nation. And Starlink in the last several years has proven that it can open up those channels of civic discourse that are so corrosive to authoritarian regimes. This question is for any of you who want to tackle it, but what can we in the US government do to one, turbocharge our ability to turn on their civic discourse, whether with Starlink or other means, and to two, to make sure that that decision is US government’s decision, not Elon Musk’s decision.

I’d like to start Congressman. I think the key piece that you’ve just talked about is what we’ve all realized, which is the what we do hasn’t changed a lot. The National Security Agency, we do signals intelligence, we do cybersecurity, at US Cyber Command, we do cyberspace operations. It’s the how, the how is changing so rapidly. And this is where we have an impact against China. Much in the same way Grant in the Wilderness Campaign decided that we’re going to focus on our strengths, not worry about his adversary. That’s the same thing we have here. We have our strengths. Our strengths begin with our partnership. Our strengths begin with the fact that we are able to talk with our private sector and be able to understand broadly what is going on. The fact that we are now publishing these type of insights in unclassified manner, hanging them on our websites must and will concern the Chinese.

And maybe this is for Mr. Coker or Ms. Easterly, but do we have a plan for internet freedom in Iran, in Russia, in China so that their populations can engage. The Ayatollah is 84 years old, he’s got advanced prostate cancer, there’s going to be a succession soon. Are we ensuring that the Iranian people have as much of a voice as possible in making their discontent known as that succession planning is happening? Same thing of course in China. That’s what really keeps Xi Jinping up at night, I believe, is not actually US politics, it’s latent Chinese politics.

Well, I’ll come at it from the FBI’s end. I mean, much of what you’re talking about are operations that would take place in those countries, but that’s why when we call out transnational repression by all the governments you listed off, that’s so important because those repressive techniques that you’re talking about, they’re not just doing them in their home countries, they’re exporting it onto US soil. And their victims, their intended victims are primarily diaspora of those countries, dissidents and critics here who have the audacity in their view to criticize those regimes. The Chinese, the Iranians, the Russians, et cetera. And so when we take action through exercise of the rule of law here to protect those victims and call out that behavior, those families are in contact with their family members back in those countries, which helps create the dynamic you’re talking about.

I agree with you and we’ve had excellent hearings on transnational repression and I understand the feedback loops. I would say though that we need a whole of government strategy for Starlink on steroids for these authoritarian regimes. In my last 30 seconds, Director Wray, I want to compliment you on the work that you’ve done since October 7th to improve public safety in the United States. I know that’s been a focus of yours and that in December you testified that you saw blinking lights everywhere and that you were especially concerned about Hamas inspired domestic terrorism. And we know that the Chinese are fomenting that frankly. Regrettably, the Boston City Council in my home state rejected $13 million of federal terrorism funds that would help in part with cybersecurity but also terrorism preparation operations. What would be your message for municipalities and localities about the importance of regional preparation to defend against terrorism, both cybersecurity as well as kinetic?

We are, since October 7th in a heightened threat environment from various forms of terrorist risk. The biggest one is an inspired attack by the conflict in the Middle East, but an attack that’s inspiring some individual here in a horribly misguided way to commit an attack. And that risk is more likely to be a lone actor targeting so-called soft targets here in the United States, which is facilities, houses of worship, schools, places that people every day in America go, including in municipalities like the ones you’re talking about. And so to defend the public we all serve, we need to be mindful of that heightened terrorist risk.

Thank you.

The gentleman’s time has expired. Ms. Henson.

Thank you, Mr. Chairman. Good afternoon to our distinguished guests. Thank you so much for appearing before our committee to discuss these blatant threats that the PRC poses not only to our cybersecurity but to our national security on many, many levels. And Director Wray, I wrote it down when you gave your opening statement, you talked about they want to wreak havoc and real world harm on us and we need to be ready if and when. And I think it’s very clear today from our discussion that it’s not if, it’s already happening. So our answer is resiliency, it’s prevention and it’s accountability. And so I’m pleased to hear about the work that you’re doing inter-agency to counter these threats. And back in September, the chairman and I led a letter to you, Director Wray, as well as to Secretary Austin requesting that the FBI and Pentagon brief members of this committee, specifically on the gate crashers at many of our sensitive facilities, US military base is critical infrastructure and it’s unacceptable that the PRC was even able to gain access to many of these sensitive sites.

(01:43:15)
They scuba dived around sensitive military equipment. They were able to infiltrate our army test sites, missile sites. And then of course, the most egregious example of the spy balloon going across our country. It’s a blatant attack on our country to undermine our national security and breach our military and technical innovation. So I appreciated the prompt response to our letter and I want to ensure that this conversation continues, that our security agencies are prioritizing this at the highest level. So I would be curious what the FBI is doing right now to further secure these critical areas to ensure that we are stopping these threats to the American people before they happen.

So we are tackling it through a combination of investigations, intelligence sharing and engagement. And to break that down a little bit further, we have in all 56 of our field offices counterintelligence task forces that are FBI led, but that have representatives serving on them from the relevant military agencies that are in that area as well as in many cases, state local law enforcement who are a very important part of giving us sort of additional fort multiplier to help counter the threat. And so we’ve any number of investigations into different kinds of efforts by actors associated with the PRC to spy on, if you will, or in other ways target our military installations.

(01:44:42)
Intelligence sharing obviously things that we learned through our investigations, we’re able to marshal that and then share that back with our DOD partners so that they can use that to be even savvier about how they defend their installations. And then engagement, we’re trying to make sure that the lines of communication are wide open between us and whatever military facility is in that particular area. When I visit an FBI field office and I’ve visited all 56 twice, I’m on my third round now, it never fails to inspire me the close relationship that exists between the local FBI field office and the military presence in that state.

Yeah. And I’m sure there are many, many of those partnerships that have been very, very successful in stopping many of these threats, but we can’t rest on our laurels and obviously continuing those conversations is going to be critical and look forward to maybe further conversations there, perhaps in classified setting about what more we can be doing. I want to quickly follow up in the remaining time that I have about rip-and-replace because that is a huge, huge concern. Recently introduced a bill with many members of this committee, including the chairman and the Ranking Member Representative Moolenaar to help kind of breach that critical funding gap that exists for rip-and-replace. But it’s certainly concerning when you hear about these routers and all of the different equipment that exists within our telecom. Some of them are very, very small organizations that do not have the resources. So we want to of course, repurpose some of those COVID funds and put them toward ripping out this Chinese telecom equipment that is a huge vulnerability.

(01:46:10)
So Director Easterly, this question’s for you. Can you address really the importance of a rip-and-replace program, not just for this level, but maybe do we need to look at expanding it further and what are the consequences of us not taking action here?

Yeah, I mean, it’s incredibly complex supply chains as you know, but when it comes down to some basic fundamentals, I think you pointed out around the bill itself, 24,000 pieces of Chinese software in these supply chains. And so it’s imperative that we help the owners of some of these less resourced entities to be able to make these important changes to reduce risk. Two things I would add is we co-lead what’s called the Information Communications Technology Supply Chain Risk Management Task Force. And so I’m not even sure that they know that there may be capabilities with funding to do that rip-and-replace. So I think that education there is incredibly important. The other thing that I think we need to be aware of, and we of course the FCC has a covered list with a variety of different Chinese equipment from Dahua, to Huawei, to ZT, to Hytera. What we do is we make critical infrastructure aware that that may exist in their systems, so they can also be aware of the threat, either mitigate it or replace it. I think the whole effort is incredibly important and commend you for the bill.

Yeah, well, certainly we have a lot of vulnerability and we’re working to get… And I realize I’m almost out of time, Mr. Chairman, but we’re working to get a true accounting of what vulnerabilities still exists within even government buildings or even leased government buildings. So thank you for all of you appearing before our committee today. I yield back, Mr. Chair.

Thank you. Ms. Brown.

Thank you, Mr. Chairman. I want to thank each of our witnesses for leading extraordinary agencies at a time of great turbulence and instability in the world. Our cybersecurity capabilities are perhaps one of our greatest threats and opportunities in the 21st century. We must do more to deter and respond to threats to our systems coming from the hostile actors across the world, including North Korea, Russia, and Iran. And we know the Chinese Communist Party has incredibly sophisticated cyber infrastructure and will become more or has been discussed today already one of our fiercest competitors on this front. One of our greatest assets, something which the CCP overlooks is our diversity. As speaker Emerita Nancy Pelosi and Vice President Kamala Harris have both said, our diversity is our power.

(01:48:54)
One aspect in which we can and must do so much more is to build and rely on a diverse pool of talent in the field of cybersecurity. I know this is a top priority for the Biden-Harris Administration and for all of you as leaders of your respective agencies. So turning to you, Director Coker, I know this topic is something important to you and you have spoken about it before. Can you speak on the administration’s broad effort to increase our cyber workforce by sourcing talent from diverse places and the benefit it brings to our ability to combat CCP efforts?

Thank you so much for that question, that important topic. And to me and the administration, diversity is all about achieving positive mission outcomes. That message cannot be misunderstood. It’s about positive mission outcomes, and we do that by having the strongest teams possible. I talked to 500,000 open cyber jobs, so whatever we’ve been doing lately hasn’t been working. So what do we need to do to fix that? We have the national cyber workforce and education strategy that has its pillar. The two that are most relevant to your question are expanding the federal cyber workforce, and then America’s writ large. We need to do that by number one, having people realize the impact to national security. You talked about national service. I think Americans want to serve our nation and need to be clear about cybersecurity is serving our nation. Growing up about the only national service we had by and large was wearing a uniform, voting and paying taxes. That’s changed today. All those critical infrastructure segments that we have, that’s national security. So we need to make sure there’s an opportunity to serve our nation in cyber.

(01:50:57)
Number two, it used to be a misnomer that cybersecurity and cyber in general was a technical endeavor. That’s not the case. Folks think they have to be STEM. Cybersecurity is about critical thinking. It’s about agility. It’s about being open-minded, so one need not be an engineer or a scientist to make contributions in cybersecurity. Also want to add that there are communities across the country that aren’t exposed to these opportunities. I’m a rural kid from Kansas. I didn’t know I could serve until there happened to be a recruiter that came from the Naval Academy. I hadn’t even heard of the Naval Academy. You can expand that to cybersecurity. So we need to go places where we haven’t gone before.

(01:51:44)
And leaders know that we need to take opportunities for people. There’s a level of risk, need not lower standards at all, but sometimes qualifications that are listed are not valid. People can learn. We find the right people, we develop them, we retain them, and we turn them loose. So the administration’s perspective is let’s find the right people, looking in places we haven’t necessarily looked before and why, because we need more, better, different people to achieve positive mission outcomes.

Thank you so very much. I now want to turn to another important topic which weighs on all of our minds, and that’s the 2024 national election. As we frequently remind everyone, the 2020 presidential election was the safest, most secure election in our nation’s history. However, the 2016 election proceeding it was scarred by Russian hacking and broad disinformation campaigns, which severely compromised the integrity of the election. Anyone on the panel, if you would be willing to answer the question or address this? In an unclassified setting, is there any evidence at this time the CCP is using artificial intelligence to interfere in the US elections and how do we ensure this election is free from CCP influence? And I only have eight seconds, so sorry.

Negative. 11 seconds.

Probably defer to my intel colleagues on whether the CCP is actively using artificial intelligence, but based on the DNI’s report in December about the activity in the 2022 midterms, which talked about the aggregate scope and scale of foreign activity and influence and interference being more than we saw in 2018, and specifically Chinese attempts at influence, we should expect it. We should absolutely expect that foreign actors will attempt to influence and that they will interfere. But to be very clear, Americans should have confidence in the integrity of our election infrastructure because of the enormous amount of work that’s been done by state and local election officials, by the federal government, by vendors, by the private sector since 2016, since election infrastructure was designated as critical infrastructure. It’s that work that should make the American people confident in the security, resilience and integrity of the American election system.

The gently lady’s time has expired. Mr. Gimenez.

Thank you, Mr. Chairman. I actually share the thoughts of my colleague on the other side, Mr. Auchincloss, about the need to provide technology so that the people that live in repressive regimes like Russia, China, Iran, we actually start a second front without shedding any blood so that the people inside can actually, they’re all seeking freedom and we need to help them achieve freedom and throw the shackles of this regime. So hopefully we can have that kind of technology to allow them to communicate with themselves so that can happen.

(01:55:01)
One of the things that happened, very interesting, there were hundreds of thousands of people took to the streets of Cuba back in a couple of years ago in July. And the first thing that the Cuban government did was shut down the internet, identified the leaders, and then took them out. If we can find a technology that allows the people to communicate with themselves, I think we can actually help the cause of freedom around the world. And so I’ll be working with my colleague there to see how we can make that happen. I actually believe that the cyber war that we’re conducting right now is a battle. And I think actually the race is really the race to AI. Do you agree with that, Ms. Easterly?

I think AI will play a tremendous role in the battlefield to come, but both on private sector as well.

How important is the accumulation of data in this race to AI?

Well, it’s all about data at the end of the day. So data is the gold.

Good. So here’s where I’m going.

It is the oil.

Okay, there’s 150 million users of TikTok in the United States. How valuable is that data to the CCP?

Enormously valuable.

Okay. So Mr. Wray, knowing that it is critical for the United States to win the race to AI and TikTok is a huge source of data actually in a language that they need, because I believe that the Chinese language is actually a disadvantage in that they need more Western languages in order to win that race. How critical to our security is… Well, TikTok is providing all this data to the CCP. Do you think that’s a security threat to the United States?

I have very significant security concerns about TikTok. And it’s a combination of the ability that the Chinese government would have to, if they choose to exercise it, to control the collection of the data, to control the recommendation algorithm and if they wanted to, to be able to control and compromise devices. And if you layer AI as you’re saying, right on top of all that, it just amplifies those concerns because the ability to collect US person data and feed that into their AI engine, it just magnifies the problem. We look at AI as a concern in the wrong hands, but we also know that American AI innovation is the envy of the world and the Chinese are trying to steal it. So the big concern, of course, is that they will not only steal American data and feed it into their AI engine, but that they’ll steal American AI innovation and make their theft even more effective. And all you have to do is look at the Equifax hack from several years ago where they were able to steal the personally identifiable information from 150 million American people.

Director, I’m running out of time. I need to ask you a question. It’s a direct question. It’s a tough one, probably. I don’t know how you’re going to answer it. Would you ban TikTok in the United States? It’s a yes or no.

Well, there’s a decision-making process that’s outside my lane, but let me try to answer it this way. As long as the Chinese government has the ability to control all these aspects of the business, I don’t see how you get your way clear to mitigating those concerns.

Fair enough. I also share the concerns of my colleague, Mr. Johnson. Over the past eight months, I’ve worked with the Chairman Gallagher and members of the Committee on Homeland Security, led by my transportation and maritime security subcommittee, conduct a joint investigation examining cybersecurity and supply chain threats at US maritime ports posed by the People’s Republic of China. I anticipate sharing our joint investigative report soon. When I was the mayor of Miami-Dade County, we operate one of the biggest ports in the United States. And lo and behold, when I look at our cranes, they all had Chinese writing on it. So they all came from China. 80% of the world’s cranes are actually manufactured in China.

(01:59:23)
But what’s worse, I thought that we were okay with software, maybe software developed in western countries, was okay operating these cranes. But we also found out that in a lot of instances, the software is shipped to China, stays there for over a year, and then it’s installed in China and we don’t know what happens to it in that time. And so operating that software, knowing that that software either reporting back to China or that somehow it can be turned off at any time, think about it. 80% of the world’s commerce is controlled

… controlled by those cranes. So thank you, and I’m way over, so thank you very much for indulging me, Mr. Chairman.

Apparently the lights are also controlled by somebody. Carlos and I climbed up in one of those cranes, in Miami. I didn’t know that I was afraid of heights until that moment, but it was illuminating. Ms. Stevens?

I’m always learning about our chairman. This is a real honor to be with all of you. This is another just top-notch hearing. And certainly we’re not the Homeland Security Committee or even Armed Services. And so yes, getting into these points about the entanglements of cybersecurity threats and its realities, of which I’d love to ask you about.

(02:00:44)
I just wanted to start from a more elevated place. And maybe this is a question for Mr. Wray and Mr. Coker. What is the CCP’s motivation, as far as you know and can share, with cybersecurity threats and actions? Because we’ve been hearing colleagues and everyone talking about all these little examples and all the tools and this and that. But what’s the goal here? Is it to chip away at our economy? Is it to make us look weak?

(02:01:20)
And in fact, I think even just some of what we’re positing today is perpetuating, I think, some of this position of weakness rather than strength, because much of this technology is technology we’ve created. But that’s another point. I’m more interested in the why.

Well, my starting point would be that as with most questions about the Chinese government’s tactics and strategy, when one asks, is it A, B or C, the answer is usually D, all the above. And in the context of cyber threats, they are using their biggest hacking program in the world to try to steal our intellectual property, to advance their own economic engine. They’re trying to steal our personally identifiable information to feed into the influence operations and other tactics that we’ve talked about here already in this hearing. They’re using their cyber targeting to suppress dissidents and critics.

(02:02:23)
And, as is revealed through the operation we’ve talked about and announced here this morning, they’re using their cyber targeting to pre-position on our critical infrastructure to be able, should they so choose, to conduct a destructive or disruptive attack on our critical infrastructure at the time of a conflict. So they’re doing all those things. They all feed up ultimately into their goal to supplant the U.S. as the world’s greatest superpower.

I’m in agreement in that the goal is to supplant the U.S. We are in a competition with China and frankly, they’re the only nation that has the means to reshape the international order, and means being diplomatic, economic, military. We are in a competition. We have to acknowledge that, will not lose sight of it. We also need to manage that competition responsibly to avoid the confrontation and conflict. And we can do that by continuing to operate with confidence, not yielding the initiative, not merely staying on the defensive, but being as strong as the United States has always been. We look at the national security strategy, it says to invest at home to maintain our strength.

So we shouldn’t consider cybersecurity attacks, warfare? I mean, I know, General Nakasone, you’re here. And what are they doing over there? I mean, do they have a department that is just focused on cyber attacks? Because this is sort of, in some respects, hard to wrap our heads around, right? I mean, I know, Wray, you’ve got your whole kit caboodle that you can talk about and then can’t talk about. But I’m just more or less interested, in terms of how are we choosing to respond to these things, what’s our perch, and what do we know about how they’re actually putting all this stuff together?

Well, we know a lot about what they’re doing, as we’ve talked about today. We also know who’s doing it. We know how they’re structured. We know their version of the National Security Agency and U.S. Cyber Command. We also know that they have very, very specific organizations that are targeting different parts of the world to include the United States of America. And now I think the important thing is, now that we know that, what are we doing about it? And this is to the point of the department’s strategy is that we defend forward. We operate outside the United States to be able to impose costs on our adversaries either by enabling our partners or acting. And that’s the important piece.

I’m just out of time, but Ms. Easterly, as someone who founded the Women in STEM Caucus here, bipartisan caucus in the Congress, it is such a treat to hear your expertise. You’ve been phenomenal. All of you have. Thank you and I yield back.

Ms. Steel?

Thank you, Mr. Chairman. Critical infrastructure and intellectual property across California are at risk of being attacked by the CCP and other adversaries. This could have serious consequences for my constituents. In May, the LA Times wrote about threats of cyber attacks on our water infrastructures. And then I’m seeing all these directors and the new head of cyber attacks, or cyber security, head of all these departments. What we do, interagency coordination on cyber attacks and vulnerability at ports around the world with U.S. military and commercial present? I think anybody can answer because you are talking about what your agency has been doing and how you are protecting from the cyber attacks. But how we working together with all these different agencies?

I’ll start saying a couple things. So with respect to ports, specifically, CISA was built by Congress in 2018 to serve the role as the national coordinator for critical infrastructure security and resilience. So we work with all of the sector risk management agencies to ensure that we can work with industry to help them understand the risk so that they can manage that risk and reduce that risk. And we have a phenomenal partnership with the U.S. Coast Guard where we work with them day in and day out to do cyber assessments to help with vulnerability scanning, to ensure that all of the maritime transportation sector has what they need to reduce risk.

(02:07:03)
The other point I’d make, particularly if the CCP is watching this hearing, and I assume that they are, is the strength of our cyber capabilities in the United States of America is that we operate as a team. There may be different people doing different things, but all of us work incredibly closely together and we know that our strength is our unity as we work together.

How about other allies? Because like a [inaudible 02:07:32], maritime tracking system. We are not using, unfortunately, here in this country, but you know what? Our allies, like Japan, South Korea, Portugal, Spain, they’re using it. And China, CCP knows exactly what’s going in and out, and even that our naval ships are going into those countries. How we protect that and how are we going to work with other countries too?

So we, almost invariably on almost all the things we’ve been talking about here today, especially in cyber, are working with foreign partners, our closest foreign partners, who are themselves, as you say, also being targeted by the CCP. And especially in the context of cyber, our focus is on conducting joint sequenced operations, which almost invariably involve not just U.S. partners, but sometimes as many as 10 or 20 foreign partners all working together in tandem to try to have the whole be greater than the sum of the parts.

(02:08:33)
We’ve talked a lot about numbers, the disadvantage that we’re at relative to the CCP. But as General Nakasone said, one thing we have is partnerships, true partnerships, which allow us to have our two, the U.S.’s two, together with some other countries, say it’s Japan’s two, have it equal five, to get synergies when working together. And that’s ultimately our best defense against the CCP.

So China is ready to attack by 2027, Taiwan. And we heard and we had a great meeting with former Defense Secretary Gates. And he was the one actually talking about more of… It’s not going to be the war, but more of the commercial stops means that they’re going to just stop all these ships going in and out. That’s the way they’re going to isolate Taiwan. But when the other countries are still using those systems, and especially in the United States, our cranes were made by China and they’re actually controlling it. You were talking about that, just a little gas line that we got into trouble. But when they stop all those cranes that what we are using in the United States ports, we are in big trouble, and then we cannot communicate. Or we can communicate, maybe, don’t know. But you know what? We cannot really bring anything to Taiwan since that’s islands.

(02:10:01)
So we really have a big problem. So what kind of thing that we are really preparing, that how we are going to really go inside of the CCP and find out exactly what they’re doing? And I think Congresswoman Stevens was talking about that. Do they have their own department? I think they do and just only do cyber attacks. So how much we know that inside of China that what they are doing to us and to other countries?

We have a tremendous amount of insight in terms of how they’re organized, what their plans are and what they’re doing. This is one of the things that the National Security Agency spends a tremendous amount of time at, and we have a very, very good insight in terms of what their intent is.

The gentlelady… Oh, anyone else want to comment?

Thank you. Thank you very much for all witnesses today and learned a lot. I had to get out because Ways and Means Committee meetings, but thank you so much, Chairman.

Thank you. Homestretch. Two more, I think. I just jinxed it. Someone may come back. Mr. Khanna?

Thank you, Mr. Chairman. Director Wray, could you assure the American public today that no nonviolent protester about a ceasefire of the Middle East will be investigated or surveilled by the FBI?

We are not going to be investigating nonviolent First Amendment activity.

And could you just assure, whatever their position is on the Middle East or the 2024 election, if there is an American who’s out there engaged in expressing their view, whether that is for a ceasefire or whatever that is, the FBI is not going to be investigating them or surveilling them?

Correct. Our mission is to protect the American people and uphold the Constitution. And we intend to do both. We embrace both parts of that mission. In our view, it doesn’t matter what you’re ticked off about or who you’re ticked off at, there’s a right way under the First Amendment to exercise those views and we’re going to help protect that. And there’s a wrong way to exercise those views and that’s violence and threats and we are going to investigate that.

I appreciate you’re saying that because I share your view that the First Amendment and peaceful protest is at the heart of our democracy. I also have appreciated some of your views on making sure that as we appropriately investigate Chinese threats to infrastructure and the Chinese Communist Party’s threats and deal with cybersecurity, you’ve been very clear that you do not think that that should involve the profiling of Chinese Americans.

(02:12:39)
And I think you’ve been sensitive in some remarks you made at University of Michigan about how in the past that has happened. Can you speak to some of the past history of profiling of Asian Americans and how under your leadership you’re going to make sure that that doesn’t happen as we appropriately investigate Chinese Communist Party threats to the United States?

We are going to aggressively pursue the threat posed by the CCP with investigations that are predicated on the facts and the law and our policies. And they’re not going to be based on race, ethnicity or national origin, and they haven’t been. Now, it is the case that the Chinese government aggressively targets individuals here to enlist them in their efforts. But they also aggressively suppress and coerce and harass Chinese Americans and Chinese visitors here. And so we view as part of our role to help protect those people. And so part of the key is drawing the distinction in between the Chinese government, the Chinese Communist Party; the malicious actor, and Chinese Americans, Chinese dissidents; the victims.

And as you do this, Director, and like I said, I think under your leadership from your public comments, you’ve been quite good about drawing that distinction. But do you bring to it a historical awareness that Asian Americans in this country have been profiled in our history? Just like I’m sure you have a historical awareness of the FBI’s role during the civil rights movement.

Certainly there have been abuses or mistakes in the past, and we’re determined to make sure that those things don’t happen again. But I do want to make clear that our work, at least since I’ve been director, focused on Chinese aggression, is based on the facts and the law and proper predication.

And you can assure Chinese Americans that they aren’t being profiled or targeted in any way based on their ethnicity or race?

We are not going to open investigations based on profiling people for race, ethnicity or national origin or anything of that sort.

Thank you. I’m done with my questions.

Thank you. And finally, a special guest, the esteemed Chairman of the Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, Representative Garbarino. I have to ask unanimous consent for the gentleman to participate and ask questions at this hearing. Unanimous consent, ominus dominus. The gentleman is recognized.

Thank you, Chairman, thank you Ranking Member, for allowing me to visit today as a special guest. And I look forward to continuing work with you all on building resilience to our CCP cyber threat. First, Director Wray, I’d like to say I took an international trip with some other colleagues and we met with some of your men and women in some other countries and they’re doing a phenomenal job, especially on the cyber threat level. So I’m saying, great job with that.

(02:15:43)
Director Easterly, it’s good to see you. I wanted to ask you a question. The intelligence community has been warning for years that China has the ability to launch cyber attacks to disrupt U.S. critical infrastructure. In response to the persistence of this threat, I understand CISA has hired a new associate director to lead China operations. Can you please provide an update on the work of what’s been complete over the last six months and what plans for the remainder of the year?

Great. Thanks so much. Great to see you, Chairman. Early last year we decided to stand up a whole element under the Associate Director for China Operations. And so we hired a terrific subject matter expert, Andrew Scott, to lead that effort really across agency effort to ensure we had a deep understanding of the threat to critical infrastructure, and that we could work effectively with our partners across the entire agency at the state and local level, and of course, with industry, to be able to build the security and the resilience that we need to defend the nation from these threats. Since that period of time, we, of course, as we’ve been talking about in this hearing, we have affirmatively found and eradicated Chinese intrusions in our critical infrastructure, a whole variety of sectors, that we believe are being used to preposition and prepare for destructive cyber attacks.

(02:17:12)
So we have many lines of effort. One is about evicting cyber actors. One is about providing our free services to all of our stakeholders across the country so they have the vulnerability capabilities to identify and drive remediation of these vulnerabilities and exploits taken advantage of by the Chinese cyber actors. And then as we’ve been talking about here, really catalyzing that operational collaboration, those public-private partnerships. Because between government and the intelligence community, we really need industry to help build that mosaic so we have a deep understanding of the threat so that we can together reduce risk to the American people.

Is the JCDC, you talk about those collaborations, the JCDC, Joint Cyber Defense Collaborative. What value is that adding to your China operations?

Yeah, this was of course, the great innovation brought to us by the Cyberspace Solarium Commission, started out as the CHICPO. We turned it into the JCDC because I like rock and roll. But we’ve had that stood up for over two and a half years now. We went from 10 companies that we’re working with to over 200. And it really has been the platform that we’ve used to catalyze that operational collaboration, which is rooted in three fundamental things: a recognition that a threat to one business could be a threat to many. Why informing, why letting FBI and CISA know about a cyber threat incident is so critical.

(02:18:42)
Second, it’s really the reciprocal responsibilities of government and industry to recognize that we have to share information in real time. That has to be transparent. The government has to add value. The government has to be responsible in terms of how we protect data. And then finally, what the JCDC offers is a scalable way for us to share information. Not just with the private sector, but very important partners across the government, like the National Security Agency’s Cyber Collaboration Cell and FBI’s NCIJTF so it really does help to put operational collaboration across the cyber ecosystem on steroids. And again, we’re very grateful to the Congress for helping to fund it and authorize it and to the Cyberspace Solarium Commission for coming up with that great idea.

Thank you, Director. Director Coker, congratulations on the new position. In your opening testimony, you mentioned administration’s focusing on harmonizing cyber regulation in furtherance of the national cyber strategy. As you understand, the SEC recently finalized a cyber incident rule that goes what I believe is against their CN. Also, so does the Department of Homeland Security. And many sectors have said that with this new rule, their cyber employees are going to be spending half their time on compliance instead of facing the threats from CCP, cyber threats. As we pursue a CRA this week — the Senate might pass it and we’re going to try to pass in the House — what is the administration doing to harmonize between agencies and departments?

Thank you for your kind words and for raising this important topic to us. Part of the National Cybersecurity Strategy has been to do regulatory harmonization. And the point of that regulatory harmonization is to reduce the burden of compliance. And the way we’re going about that, we have issued a request for information and received more than 80 responses from the private sector and public sector. Right now we are going through the process of better understanding those, again with the goal of reducing the burden of compliance. So that’s our goal right there. We understand that-

I appreciate that. I’m out of time. But someone should tell the SEC that, though. Okay?

I thank the gentleman, and pleasure to have you here. You’re welcome back anytime. Well, maybe not anytime. Two comments and then we’ll close, and I’ll recognize the ranking member. One of the first things I said in our first hearing was that the stakes of this competition were existential. Now, I got a lot of blowback for that, but I don’t think after the testimony we’ve heard today, there could be any doubt. I mean, there is one path where we stumble into a war for which we’re ill-prepared, and even victory might have existential consequences in the sense that it would transform American into a garrison state. Or there’s another path in which we slowly succumb to the sedation of TikTok and we surrender. And we no longer stand for the ideals and values that America stands for, that the rest of the world is looking to us to stand for.

(02:21:58)
And so while this hearing has revealed many things we need to do, and while the competition in cyber with China is one that’s going to outlast my time in Congress, I’m confident of that, there are things that we must do now urgently. Foremost among them in my opinion, particularly in light of the testimony we heard from Director Wray, either ban or force the sale of TikTok. I mean, this is bordering on national suicide if we continue down this road. And I get that TikTok has hired an army of lobbyists, including former members of Congress who are collecting a paycheck. But the time is now to do something about this. And by the way, if you’re invested in ByteDance, you’re not going to take TikTok public in America under the current ownership structure. So if only in your own financial interest, we have to find a way to force a separation. The time is now to act.

(02:22:46)
Okay. On that happy note, I will transition to recognizing the hard work of the Democrat Staff Director John Stivers, who is departing the committee this week after 25 years of service on the Hill, almost as long as General Nakasone has been in uniform. I will confess, John, we’ve worked together for a year. You have aged me personally three years in that time. There have been moments when I have lied awake in bed, thinking, life would be easier if you did leave. But now I’m sad now that it’s happening.

(02:23:18)
And one thing I’ve learned in working with John and particularly working in the human rights community, he’s been doing this since before it was cool and he’s truly a hero in the human rights community. And it’s been very cool to be able to see that. And I’ll give you the highest compliment I could give you, John, which is that if I had to negotiate with Xi Jinping with the fate of the free world on the line, I would want you on my team because I know you would drive him crazy. So it’s been a pleasure to work with you. And with that, I recognize the ranking member.

Thank you. Thank you so much, Chairman. And thank you to all the witnesses. This has truly been a really important hearing, a call to action more than anything else. And I think that we, Mike and I, were talking during the hearing about several ideas that you folks generated that we need to follow up on. And we’ll do so on a partisan basis. And thank you for your service. Thank you, General Nakasone, for everything that you’ve done for our nation and for coming today, as well as all of you.

(02:24:21)
And I will remember CISA.gov from Ms. Easterly so thank you so much. As we try to enlist our civilian partners in our collective defense, collective cyber defense, and employ what you call cyber hygiene, which I love. And then I would also like to recognize our staff director, John, who’s departing today. Mike covered the highlights, but he’s also had other very distinguished roles in government. He was an assistant administrator for Asia USAID. He was a commissioner to the US-China Economic Security Review. He was a senior advisor to Leader Pelosi. And now he’s off to the next chapter, the next 25 years. And so I look forward to continuing to collaborate between us and you in your next roles. And I just want to give him a big round of applause for his service. I’m not done. I am done. I yield back. Thank you.

Wait. Questions for the record are due one week from today. Without objection, the committee hearing is adjourned.