(As this is lengthy, I want to insert near the top a reference to Frank Vyan Walton’s “The Russian troll army that helped swing the election for Trump”.)
The following transcript is from https://www.c-span.org/video/?426227-101/senator-rubio-confirms-campaign-staff-targeted-russian-hackers, Senate Intelligence Committee hearing on Russian Interference in 2016 Election, Part 2 (afternoon session). The first third (approximately) is moderately edited/corrected. I highlight a few passages.
Panel of experts:
· Keith B. Alexander, Commander (Former), U.S. Cyber Command
· Kevin Mandia, Chief Executive Officer, FireEye
· Thomas Rid, Professor, King's College (London, England), Department of War Studies
Mr. Mandia: thank you for allowing me to speak. What i'm going to speak about today is the cybercapabilities and techniques attributed to russian hackers, specifically a threat group we refer to as APT 28. I want to talk also about recommendations to prevent or mitigate the impact of these folks as they compromise us. I want to give you a little of my background and the background of my company. As i sit here right now we have hundreds of employees responding to computer security breaches. We think it's critical to own that moment of responding to a breach, collecting the trace evidence, analyzing that evidence.
So as i give you my narrative today it's based on three things. One, what we are learning as we respond to hundreds of breaches a year. We're cataloging that trace evidence and putting it into a linked database, and we have over 150 threat analysts who speak 32 languages, 19 countries, and they're trying to marry up what we're seeing in cyberspace to what we're seeing in the geopolitical world out there today. Then the third source of my dialogue, third source of evidence, is in fact we have 5,000 plus customers relying on our technology to protect them on a daily basis. Let me first speak to the methodologies being used by APT group 28. We attribute many intrusions to these folks. You might have heard about the worldwide anti-doping agency, the DNC breach, the DCC breach, the ukrainian central election commission, and i can keep going on. I believe the doctor will mention some more of these victims.
But all the breaches that we attribute to APT 28 in the last two years involved the theft of internal data as well as the leaking of this data by some other party, potentially APT28, potentially some other arm of the organization into the public. During the course of our APT-28 investigations we've had a significant amount of evidence. We've looked at 550 pieces of custom malware. We don't see this malware publicly available. It's not available to you to download and use tomorrow. It's being crafted in a building, shared by people in a closed loop, it's not widespread or available to anybody. We have identified over 500 domains or IP addresses used by this group when they attack. Almost every modern nation that develops an operational capability in cyberspace, the first thing they need to do is get an infrastructure they use to then attack their -- the real site of their attacks. The real intent. The real target.
So there's a huge infrastructure of compromised machines or false fronts or organizations that are used for these attacks. We found over 500 of those. We have analyzed over 70 lure documents written in many languages, these are the documents you receive during a spearphishing. They're armed documents if you open and peruse them. When you assess the lure documents, they're related to the subjects and interests of the people receiving these documents. A lot of work is going into the backdrop or background of the people being spearphished. I can go on and on. I've got 40, 50 more pages of what they do but i'll focus on a couple of things that also help us attribute APT-28's activities to the russian government.
In 2015 alone, we saw APT-28 leverage five zero days, and a zero day is an attack that does not have a patch available for it, it will work if received and you execute the file. And the best way to liken the value of a zero day is the minute it's used and it's been weaponized its value goes down incredibly fast. And so when you see these things, mostly in the -- they're mostly in the toolbox of a nation's data at this point. Over the last 10 years, the security industry has done a great job making the cost of zero days go up, and we're seeing APT-28 deploy them as needed. They're hard to detect once they're in your network, because they rely on the tools your system administrators rely on. I always say they turn to ghosts almost. The minute they're in, your likelihood of detecting them if you don't detect the initial breach goes down exponentially. They exert a capability, operate using your tools and operate very hard to detect. I want to share with you three observations i saw emerge in 2014 that i did not see prior to responding to these state actors. I had the privilege of responding to them when i was in the air force. Probably a different group but a group we attributed to the russian government. And every time i responded to them on the front lines, if they knew we were watching them, they would evaporate. We never got to observe the tools, tactics and procedures of russian state sponsored intrusions in the late 1990's and early 2000's. They didn't let us do it.
For some reason in august of 2014, we were responding to a breach at a government organization and during our response, our frontline responder said, they know we're there. They know we're observing them. And they're still doing their activities. I actually flew in, sat on the front lines, it’s the first i've seen it. To me that was big news because i had a 20-year run from 1993 to about 2014 where they never changed the rules of engagement. They changed in august or september of 2014. Second thing they did is started operating at a scale and scope where you could easily detect them. We were observing and orienting on them. They were letting us do it. But their scale and scope became widely known to many security organizations and we all started work together to get better visibility and fidelity into their tools, tactics, and procedures.
Lastly, something i wouldn't have predicted but we also witnessed for the first time in 2014, is a group we attribute to the russian government compromising organizations and then suddenly the documents are being leaked out in a public forum through hacktivist personas which we have not seen. In conclusion, today and in the foreseeable future, it's our view that united states will continue to see these happen. While many organizations are actively trying to counter these attacks, there's such an asymmetry between offense and defense in cyberspace that it's hard for any organization to modernize and prevent these intrusions from occurring when you have a state sponsored attacker. Therefore we're going to need to explore ways both within and outside of the cyberdomain to help deter these attacks. Lastly i always say if i had five minutes to talk to the senate, what would i say? Well, here it is. I think we have to first start with, we’ve got to get attribution right. We’ve got to know who is hacking us so we can establish a deterrent. This gives us a great opportunity to make sure we have the tools necessary and the international cooperation necessary to have attribution. When you have attribution right, then you can consider the proportional response and the other tools at your disposal as diplomats to make sure we have the deterrents we need. Thank you very much for this opportunity.
General alexander: i want to pick up from where kevin left off. I had the opportunity to see on news, you and the ranking member talk about approaching this in a bipartisan way. Approaching the solution in a bipartisan way. And when you look at the problem and what we're facing, it's not a republican problem. It's not a democratic problem. This is an american problem. And we all have to come together to solve it. I think that's very important. If we step back and look at this, i want to cover several key areas to give my perspective on what's going on. First with respect to technology. The communications is doubling every year. We're getting more devices attached to the network. This network is growing like crazy. And so are the vulnerabilities. Our wealth, our future, our country is stored in these devices. We've got to figure out how to secure them. With those vulnerabilities, we've seen since 2007 attacks on countries like estonia. Georgia. Ukraine. Saudi arabia. A whole series of attacks and then crimea and others. And then attacks on the power grid in the ukraine. And what's clear is this network and these tools have gone from interesting exploitation for governments and crime to elements of national power.
And i think from my perspective when we consider that this is now an element of national power, we have to step back and say, what's their objective? Sun Tzu said, know yourself, know your enemy, and you'll be successful in a thousand campaigns. What's russia trying to do and why are they trying to do it? From my perspective as i look at it with my background, it's clear it's not just trying to go after the democratic national convention or others. This is widespread, and a campaign they're looking at doing that will drive wedges between our own political parties and between our country and nato and within nato and within the european union. Why? I believe when you look at russia, and if you were to play out on a map what's happened over the last 25 or 30 years, they see the fall of the soviet union and the impacts on their near border and all these as impacts on them.
I bring all this up because one of the questions that's out in the press is, do we engage the russians? Or do we not? Every administration that i'm familiar with, including the obama administration, started out with, we're going to engage them. In fact it was called the reset button. Well, that didn't go far, i believe this administration should do the same. When i look at what's going on here, there's another opportunity that we have. When you look at the characteristics of leaders in this administration, we have people with great business experience, the president and secretary of state and great national security experience. In addressing the problem that we're now dealing with, this is a new area. We're seeing cyber, as an element of national power, how do we now engage russia and other countries and set the right framework?
I believe we have to engage and confront. Engage them in those areas that we can, set up the right path, reach out, and cool this down. I really do. We've got to fix that. At the same time, we've got to let them know what things they can't do and why they cannot do those. Set those standards. And i think what this group can do and what you are doing, chairman and vice chairman is make this a bipartisan approach. Solve this for the good of the nation. When we look at cybersecurity and what kevin gave you in terms of what industry sees, and what government sees, over the last decade, we have jointly worked on coming up with cyberlegislation, how industry and government works together. If we're going to address attribution and other issues we also have to set up the way for our industry and sectors to work with the government so that that attribution and things that the government knows and those things that industry knows can be used for the common good. It's interesting that sitting on the presidential commission, one of the things that came out when we looked at what's going on was “what's our strategy?” And at times, people looked at this as a government issue and it's an industry issue. It's not. This is something that we need to look at as a common issue. For the common defense. For the common defense. It's in the preamble of the constitution. It's something we should all look at. Then we should see how do we extend that to our allies? I would step back and encourage, encourage you to step back and look at the strategy. What's russia trying to do? Why are they trying to do it? And how do we engage them? At the same time, we need to address our cybersecurity issues and go fix those. And get on with that. Thank you very much, mr. Chairman.
Dr. Rid: thank you for the -- for giving me the opportunity to speak today about active measures. Understanding cyber operations in the 21st century is impossible without first understanding intelligence operations in the 20th century. Attributing and countering this information today is therefore also impossible without first understanding how the united states and its allies attributed and countered hundreds of active measures throughout the cold war.
Nobody summarized this dark art of disinformation better than colonel ... from the Stasi who headed the department x there. He said, and I quote, a powerful adversary can only be defeated through a sophisticated, methodical, careful, and shrewd effort to exploit even the smallest cracks within our enemies and within their elites.
The tried and tested way of active measures is to use an adversary's existing weaknesses against himself, to drive wedges into pre-existing cracks. The more polarized a society, the more vulnerable it is and america in 2016, of course, was highly polarized. With lots of cracks to drive wedges into. But not old wedges. Improved, high tech wedges that allowed the kremlin's operatives to attack their targets faster, more reactively and on a far larger scale than ever before. But the russian operatives also left behind more clues and more traces than ever before. And assessing these clues and operations requires context.
First in the past 60 years, we have talked about this already this morning, active measures became the norm. The cold war saw more than 10,000 active measures across the world and this is a remarkable figure. The lull in the 1990's and 2000's i think was an exception. Second, in the past 20 years, aggressive russian digital espionage campaigns became the norm. The first major state-on-state campaign was called moonlight maze and it started in 1996.
In 2000 the shift in tactics became apparent especially in moscow's military intelligence agency, GRU. A once-careful, risk-averse, and shrewd and stealthy espionage action became more careless, risk-taking and error prone. One particularly revealing slipup resulted in a highly granular view of just one slice of GRU targeting between march 2015 and may 2016 in the leadup to the election. That slice contained more than 19,000 malicious links, targeting nearly 7,000 individuals across the world. Third, in the past two years now, coming closer to the present, russian intelligence operations began to combine those two things, hacking and leaking.
By early 2015, military intelligence was targeting defense and diplomatic entities at high tempo. Among the targets were the private accounts, for example, of the current chairman of the joint chiefs of staff, general dunford, or current assistant secretary of the air force, daniel ginsburg. Or the current u.s. ambassador to russia, john test, and his predecessor, michael mcfall. A large number of diplomatic and military officials in ukraine, georgia, turkey, saudi arabia, afghanistan, and many countries bordering russia, especially their defense attaches. All, i add, are legitimate and predictable targets for a military intelligence agency. Russian intelligence curiously also targeted inside russia -- critics inside russia, for example, the hacker group Shaltay Boltay. In early 2015, GRU breached successfully not just the german parliament but also the italian military and saudi foreign ministry. Between june 2015 and november 2016 at least six different front organizations appeared, very much cold war style, to spread some of the stolen information to the public in a targeted way.
Finally, in the past year, the timeline here in the u.s. election campaign began to align. Between march 10 and april 7, GRU targeted at least 109 full-time clinton campaign staffers. These are only full-time core staffers, not volunteers -- these are not even counted here. Russian intelligence targeted clinton's senior advisor jay sullivan in at least 14 different attempts beginning on 19 march. GRU targeted even secretary clinton's personal email account but the data showed she did not fall for the trick and didn't actually reveal her password. Military intelligence agency GRU also targeted DNC staffers between march 15 and april 11, the timing lines up nearly perfectly. About one week later after the events i just mentioned, the DC leaks website was registered getting ready to spread data publicly. The overlap between individuals hacked by GRU and leaked on DC leaks is nearly perfect. Out of 13 named leak victims, the available forensic evidence identifies 12 as targeted by GRU , with the exception of george soros, by the way.
But a narrow technical analysis would miss the main political and ethical challenge. Soviet bloc disinformation specialists preferred the art of exploiting what was then called unwitting agents. There is no contradiction in their reading between being an honest american patriot and at the same time furthering the cause of russia. In the peace movement in the 1980's, for example, we saw people genuinely protesting, say, the nato double track decision, but at the same time advancing russian goals; there is no contradiction. Three types of unwitting agents, wikileaks, twitter -- the company itself -- and i'm happy to expand later, and over-eager journalists aggressively covering the political leaks while neglecting or ignoring their provenance.
In 1965, the KGB's grand master of disinformation, general ivan agayons inspected his active measures outpost in prague, a particularly effective and aggressive one, and he said, quote, sometimes i am amazed how easy it is to play these games. If they did not have press freedom we would have to invent it for them. Later, the czech operative he was speaking with at that very moment defected to the united states and testified in congress. And i quote him to close. He said, the press should be more cautious with anonymous leaks. Anonymity is a signal indicating that the big russian bear might be involved. Thank you.
Sen. Burr: i want to thank all three of you for your testimony and i think it's safe to say that this is probably a foundational hearing for our investigation to have three people with the knowledge that you do, and i hope when you do get that second call or third call that you -- you'll sit down with us as we have peeled back the onion a little bit and we have technical questions. We've got some expertise on the committee, you can look at a lot of gray hair and realize that my technology capabilities are very shallow and that many of us struggle to understand not just what they can do but even the lingo that's used and the dark side of the web and the open side of the web, these things are amazing and would be shocking to most people. I'll turn to the vice chairman for his questions.
Sen. Warner: based on your expertise and knowledge, do any of you have any doubt that it was russia and russian agents that perpetrated during the 2016 presidential campaign the hacks of the DNC and the Podesta emails and the misinformation and disinformation campaign that took place during the election. A short answer will do. Do any of you have any doubt that it was russia?
Mr. Mandia: Basically from the observables we get at the victim sites, you can’t always connect the dots, we can't show you a picture of a building, we can’t give you a list of names of people who did it, we have to look at a lot of other factors, some of which is incredible amounts of detail. But we've got 10 years of observation here, we've seen similar behaviors in the past, my best answer is it absolutely stretches credulity to think they were not involved.
General alexander: i believe they were involved.
Dr. Rid: i believe they were involved as well.
THE FOLLOWING PORTION IS ENTIRELY UNEDITED/UNCORRECTED.
Sen. Warner
Sen. Warner: it's been reported that some of the techniques, i say with my good friend richard burr, i used to be technologically savvy up until 2000, 2001, which still puts me a decade ahead of some of my colleagues, but it's been reported in the press and elsewhere that by using the botnets and that exponential ability to flood the zone that in the misinformation and disinformation campaign, they were, the russians were able to flood the zone, actually not in a broad-base -- in a broad base across the whole country but targeted down to precinct levels in certain states. Is that capable to do? If you could have a botnet network that would in effect put out misinformation or disinformation and all the other sites that would then gang up on that and target that down to geographic locations?
00:27:51
Mr. Mandia
Mr. Mandia: i think it's technically possible. I don't think i have enough information to say that was done at each location. I think it's technically possible, if you put enough people on it, yes you could do it.
00:28:05
Dr. Rid
Dr. Rid: it's technically possible. Let me make a distinction between a botnet, which is usually controlling somebody's machines, and bots, which is a twitter account that's automated.
00:28:25
Sen. Warner
Sen. Warner: but they have the effect, whether it's botnets or bots, they have the ability to push something higher on the news feed.
00:28:42
Dr. Rid
Dr. Rid: that's mostly done by bots. Botnets are a different purpose.
00:28:47
Mr. Mandia
Mr. Mandia: i think you can get perceptions to go different ways based on google searches and automate ways to uplevel people's attention to things with all the social media. The good news is during the election a lot of states had the foresight, let's do shields up, watch all the cybertraffic we can, and we didn't see any evidence, at least in the DDoS side or distributed denial of service, we didn't see anything that harmed the actual election.
00:29:18
Sen. Warner
Sen. Warner: but the question of targeting -- here's the last question, and it just -- i've heard and it's been reported that part of the misinformation, disinformation campaign that was launched was launched in three key states, wisconsin, michigan, and pennsylvania, and it was launched interestingly enough not -- not to reinforce trump voters to go out but actually targeted at potential clinton voters, with misinformation in the last week where they were not suddenly reading, if they got their news from facebook and twitter, but stories about clinton being sick and other things. My final point here, this may be beyond anybody's expertise, my understanding is the russians, they're very good at some of this technology, they might not have been so good at being able to target to a precinct level american political turnout. That would mean they might be actually receiving some, you know, information or alliance from some american political expertise to be able to figure out where to focus these efforts.
00:30:38
Dr. Rid
Dr. Rid: i haven't seen a detailed analysis of precinct level targeting that would be good enough to substantiate this assumption but this relates to a more fundamental problem. One -- separate, an entire group of actors in some -- and some completely legitimate within the campaign were taking advantage of social media. It's difficult to distinguish for researchers after the fact what actually is a fake account and what is a real account. Ultimately we need the cooperation of some of the media, social media companies to give us heuristics and visibility into the data that only they have.
00:31:23
General alexander
General alexander: i would take it a step higher, senator. I think what they were trying to do is drive a wedge within the democratic party between the clinton group and the sanders group and then within our nation between republicans and democrats. And i think what that does is it drives us further apart. It's in their best interest. We see that elsewhere. I'm not sure i can zone it down to a specific precinct but we expect them to create divisions within a framework and destroy our unity. You can see we're actually if you look back over the last year, we didn't need a lot of help in some of those areas. So now the question is, and where i think you have the opportunity, is how do we build that back?
00:32:09
Sen. Burr
Sen. Burr: i want to clarify what i said about sen. Warner's business, my reference -- about senator warner's business, my reference meant it was about 14 years ago, 15 years ago. Someone said, in the future people won't file technological patents because technology will change so quickly that you won't have a year and a half to go through the patent approval process before your patent is obsolete. I think we have reached that point of technological explosion that what we're talking about today, we could have a hearing six months from now and probably talk about something different.
00:32:56
Sen. Warner
Sen. Warner: the cell phones i was involved with in the early 1980's have now become ubiquitous.
00:33:07
Sen. Burr
Sen. Burr: senator rubio?
00:33:10
Sen. Rubio
Sen. Rubio: one of the people who appeared before us earlier mentioned the 2016 presidential primary, i'm not prepared to comment on that, hopefully information on that will be reflected in our report, if any. I do think it's important to divulge to the committee because this has taken a partisan tone, not in the committee. But in july of 2016, shortly after i announced i would seek re-election to the united states senate former members of my presidential campaign team who had access to the internal information of my presidential campaign were targeted by IP addresses with an unknown location within russia. That effort was unsuccessful. I'd also inform the committee that within the last 24 hours, at 10:45 a.m. yesterday, a second attempt was made again against former members of my presidential campaign team who had access to our internal information, again targeted from an IP address from an unknown location in russia. And that effort was also unsuccessful. My question to all the panelists, i have heard a lot on the radio and on television and advertisement for a firm in the united states actively marketed in best buy and other places by kaspersky labs. There have been open source reports that say that it has a long history connecting them to the KGB's successor. I have a bloomberg article here and others. I would ask the panelists in your capacity as experts in information technology, would any of you ever put kaspersky labs on any device you use and do you think any of us here in this room should ever put kaspersky labs products on any of our devices or computers or i.t. material?
00:35:12
Mr. Mandia
Mr. Mandia: the way i'd address that is generally people's products are better based on where they're most located and what attacks they defend against. Mcafee and my company or other companies, we are prominently used in the u.s. we get to see the best attacks from china, cyberespionage campaigns in russia. I think what we're starting to see, there's an alignment where japan won't let a u.s. -- will let a u.s. company secure japan. The middle east will let a u.s. company defend it but you almost see lines being drawn. There's no doubt the efficacy of kaspersky's product that i probably see different things than we see being this relevant.
00:36:01
Sen. Rubio
Sen. Rubio: my question isn't whether it's effective, but whether you'd put it on your computer.
00:36:09
Mr. Mandia
Mr. Mandia: plst better software to -- there's better software for you here.
00:36:20
General alexander
General alexander: i wouldn't, you shouldn't either, there are other u.s. firms that answer and solve problems that will face you for the issues you described earlier, that i think would be better at blocking them.
00:36:37
Dr. Rid
Dr. Rid: i would, i would also use a competing program at the same time. A bit of redundancy never harms. Kaspersky is not an arm of the russian government. Kaspersky has published information about russian cyberattack campaigns, digital espionage, about several different russian campaigns. Name any american company that publishes information about american digital espionage?
00:37:12
Sen. Rubio
Sen. Rubio: my second question to the panel is, my concern in our debate here is we're so focused on the hacking and the emails that we've lost, and i think others have used the terminology, we're focused on the trees and lost sight of the forest. This -- the hacking is a tactic to gather information for the broader goal of introducing information into the political environment, into the public discourse, to achieve an aim and a goal. And it is the combination of information leaked to the media which of course is always very interested in salacious things, as is their right in a free society. The public wants to read about that too sometimes. But it's also part of the effort of misinformation, fake news and the like. Would you not advise the panel to look beyond the emails to the broader effort of which the emails and the strategic placement of information into the press is one aspect of a much broader campaign?
00:38:14
Unidentified speaker
>> that was part of my point about bringing this up to a broader level.
00:38:20
General alexander
General alexander: to say what's russia trying to accomplish and driving a wedge between those and creating tensions between those countries and ours. If you were to go back and look at what's happened to russia over the last 30 years and play that forward and see what they're now doing, you can see a logic to their strategy. I think that's something that we now need to address. I do think we ought to address this with the russians and get the administration to do that. It's not something that we want to go to war on. It's something that we want to address by engagement and confrontation.
00:38:57
Dr. Rid
Dr. Rid: how active measures today differ from the cold war, this is an answer to your question. In cold war, active measures were artisanal. They require -- required a lot of work. They add value to these active measures and this is important because if we look at the operations in hindsight they appear a lot more sophisticated than they actually were. We run the risk of overestimating russian capabilities here.
00:39:43
Sen. Burr
Sen. Burr: sen. Feinstein.
00:39:47
Sen. Feinstein
Sen. Feinstein: i want you to know how much your china report was appreciated. I think everybody very much appreciated it. I think it had some good results. So thank you very much. General alexander, this is the first time i've seen you out of uniform. Civilian clothing is becoming. And i'd like to personally welcome you, i don't know, our -- i don't know our third gentleman but -- i want to address this to general alexander. You were cyber command for a number of years. You spoke about the fact that the time has come for us to get tough. And we had talked about that before. We have wikileaks and stream after stream after stream of release of classified information. Which has done substantial harm to this nation. And yet we do nothing. And everybody says, well, we'd like to do something but we don't quite know what it is. I never thought we would be in a situation where a country like russia would use this kind of active measure in a presidential campaign. The size of this, the enormity of it, is just eclipsing everything else in my mind. And yet there is no response. As you have left now and you've put the cyber command on your desk, what would you do? What would you recommend to this government?
00:41:25
General alexander
General alexander: i think there are two broad on thives we ought to do. We ought to fix the defense. Between the public and private sector. Between government and industry.
00:41:36
Sen. Feinstein
Sen. Feinstein: You said that.
00:41:39
General Alexander
General Alexander: We have to fix that because much of what we're seeing is impacting the commercial or private sector. Yet the government can't really see that. So the government is not going to be able to help out and the ability to take action is to actively mitigate it, therefore -- the ability to take actions to mitigate it are therefore nonexistent or after the fact. If you think about Sony as an example, imagine that as the attack coming in, the government couldn't see that network's feed and so the government came in and did incident response. Everything happened to Sony. What you want the government to do is stop a nation state like North Korea or Russia from attacking us. But the government can't do that if it can't see it. We have to put this together. We have to come up with a way of sharing threat network intelligence at speed and practice what our government and industry do together and work that with our allies. I believe we can do this and protect civil liberties and privacy. I think we often combine those two but we can separate and show you can do both.
00:42:48
Sen. Feinstein
Sen. Feinstein: How?
00:42:50
General Alexander
General Alexander: First, the information we're talking about doesn't involve personally identify -- identifying information. Think about it like radars looking at airplanes. They're not reading eastbound in the airplane. They're seeing an airplane and passing it on to another controller who sees a comprehensive picture. What we see is what a radar sees today. And so we don't actually -- we're not talking about reading threat information. We want to know what's that packet of information doing? Why is it coming here? Can I or should I share the fact that a threat is coming to us?
00:43:28
Sen. Feinstein
Sen. Feinstein: I understand what you're saying but what I'm asking you for is different. It is your expertise based on this, based on the fact that the Russian government, including two intelligence services, made a major cyberattack on a presidential election in this country, with a view of influencing the outcome. What would you recommend?
00:43:55
General Alexander
General Alexander: The first step is fix your defense. If you take offense and don't have a defense then the second step of going after the power or other sectors puts us at greater risk. So from a National Security Council perspective, what I would expect any administration to do is look at the consequences of the actions they take. So when I said engage and confront, in this regard what I would do, what I would recommend is first and foremost a quiet engagement with the Russian government about what we know and why we know it, without giving away our secrets. And say that's got to stop. We need an engagement here. If we're going to confront them, it would be we know you're doing this right now. Stop that. And we had a channel in the Cold War for doing it. We need a channel to do that and build up the ability to put a stop to things, from my perspective. I would be against using cyber only as a tool against Russia when we have these vulnerabilities we haven't addressed in our own country. I think it would be a mistake until we fix that. So that's why I say we have to do both. And I actually -- it's interesting. We were talking beforehand and Thomas can add to this. One of the things that as you look at this, I don't believe Russia understood the impact their decisions would have in this area. It's far -- with all the discussions going on in our country today, I'm sure people in Russia are saying, oops, we overdid this. Now is the time for us to say, not only did you overdo it, we need to set a framework for how we're going to work in the future and we need to set that now. That can only be done by engaging them. Face-to-face. And I think that's what has to be done.
00:45:44
Sen. Feinstein
Sen. Feinstein: Thank you, very helpful.
00:45:47
Sen. Burr
Sen. Burr: Senator Blunt.
00:45:50
Sen. Blunt
Sen. Blunt: Let's start with General Alexander. I asked a question this morning which was after all the discussion of the long history of Russian involvement in European elections of things that have happened for a long time and really in a significant way in the last 15 years, why do you think that we were not better prepared for this? General Alexander, you just said we need to have a defense. Why wouldn't we have had a defense? What was this about this particular thing that should have been so anticipated that the intelligence community, the U.S. government, even the media appears not to have had the defense you just mentioned we should have now?
00:46:38
General Alexander
General Alexander: Senator, this has been a great discussion that you and the other house of Congress have talked about and that's how do we put together our country's cyber legislation. Right now, we do not have a way for industry and government to work together. So if you think about the DNC or the RNC or the electricity sector and others, when they're being attacked, the ability for the government to see and do something on that doesn't exist. Everybody recognizes that we need to do it. We talk about it. In fact, we had the -- at the Armed Services Committee a discussion on it. But we haven't taken the steps to bind that together. We allow it but haven't created it. I believe that's the most important thing that we can do on that one vector that Senator Feinstein brought up. Fix the defense. The reason is the government's not tracking the RNC and the DNC now, industry sees it and Kevin brought out some key points of what was going on, what they were seeing from an industry perspective. But the reality is, we hadn't brought these two great capabilities together. And the other part, it's my personal experience the government can help on attribution several times greater than what we see in industry. If you put those two together we could act a lot better.
00:47:59
Sen. Blunt
Sen. Blunt: So Mr. Rid, was there nothing we could have done here? Were we not paying the level of attention we should have paid? Or we just aren't ready because our structure doesn't allow us to anticipate what we know was happening in elections all over the world before 2015 and 2016 here? Particularly in Europe. Maybe all over the world might be a stretch, but all over Europe, not a stretch.
00:48:27
Dr. Rid
Dr. Rid: There's a lot we can do in order to increase defenses here as well as minimize measures taking place. Let me name an example. Let's make this concrete. You as members of the legislature are, and the same is true in Europe, the belly of the government of the wider administration and government. Because the -- this is true for all parliaments. The IT security is notoriously bad. I mean the chip card that many of your staff members carry around their neck, the cox card, here in Congress, doesn't actually have a proper chip. It has a picture of a chip. Try to feel the chip with your fingernail, it's not a real chip. It's only to prevent chip envy. That tells you there's a serious IT security problem. It should be mandatory and potentially this is something to think about as we move forward. It should be mandatory for all campaigns, just like you have to disclose financial records, should be mandatory by default to have two-factor authentication. Not just a password but actually a second thing. A number that is generated by an app or a specific --
00:49:55
Sen. Blunt
Sen. Blunt: We had somebody to say it should be mandatory to have a State Department say what's true and what wasn't true. There's certain levels beyond what you can require people to do that really don't make that kind of sense. Mr. Mandia, and I don't mean -- your comment didn't but there are levels now. I also say that soft underbelly is one of the nicer things the legislative branch would be called these days. But your thoughts on what we -- why we didn't see this coming? The earlier panel had a more robust sense of where we should have been understanding what was going on than this one. Mr. Mandia --
00:50:45
Mr. Mandia
Mr. Mandia: When we say fix the problem, we've known about cancer for 4,000 years and haven't cured it yet. When we fix the problem here, we'll still have incidents. People get serious about cybersecurity when they have two things, either (a) a compliance driver and take it seriously or (b) they have the "oh, crap" moment, and they've been breached. We published reports in -- my company did in 2014 that had a lot of allusions to what just happened. But sometimes you have to have it happen before you recognize, wow, that was really on the table. I doubt it will happen again. But now we're having the dialogue to make sure that it doesn't.