Hearing before the
House Armed Services Committee
“Cyber Operations Today: Preparing for 21st Century Challenges in an InformationEnabled Society”
April 11th 2018
The Honorable Michael Chertoff
Former Secretary of Homeland Security 2005-2009
Co-Founder and Executive Chairman, The Chertoff Group
Introduction
Chairman Thornberry, Ranking Member Washington, distinguished Members of the Committee, thank you for the
invitation to discuss the current cybersecurity challenges and threats facing the homeland from Russia, China, and
other nation-state actors and for providing me the opportunity to recommend ways to better prepare the
government to face the challenges posed by advances in the cyber domain. I am pleased to join Secretary Jeh
Johnson and General Keith Alexander who have both been prominent leaders on these issues.
The most recently-released 2018 Worldwide Threat Assessment published by the US Director of National
Intelligence (DNI) warns that: “Competition among countries will increase in the coming year as major powers and
regional aggressors exploit complex global trends while adjusting to new priorities in US foreign policy. The risk of
interstate conflict, including among great powers, is higher than at any time since the end of the Cold War …
Adversaries and malign actors will use all instruments of national power—including information and cyber
means—to shape societies and markets, international rules and institutions, and international hot spots to their
advantage.”1
High-powered offensive tools are increasingly available to threat actors and have contributed to an uptick in cyberattacks. Cyber-attacks are growing both in number and in sophistication and the scale of the theft of data has
dramatically expanded in recent years. Broadly speaking, there are three categories of campaigns we see nationstates, to some degree or another, pushing. One is for intelligence purposes. The second issue is information
operations designed to influence our institutions and societal norms. The third and most concerning dimension
includes attacks that are designed to enable a military action or to threaten or carry out disruptive or destructive
attacks.
Nation-states or state-sponsored actors will continue to use cyber means to gain advantage against the US from
a political, financial, and military perspective. As noted in the World-Wide Threat Assessment, Russia will continue
to attempt disruptive cyber operations with the intent to degrade democratic values as well as global alliances.
Russia’s wide range of operations include disruption of Ukrainian energy distribution networks, hack-and-leak
influence operations, distributed denial-of-service attacks, and false flag operations. In the next year, Russian
intelligence and security services will continue to probe US and allied critical infrastructures, as well as target the
United States, NATO, and allies for insights into US policy. China will continue to view information warfare as
military strategy and leverage cyber espionage to support its national security priorities. Cyber efforts from Russia,
China, and other state-sponsored actors could have a detrimental impact on private companies, critical
infrastructure, and our democratic institutions in the years to come.

1

See https://www.dni.gov/files/documents/Newsroom/Testimonies/2018-ATA---Unclassified-SSCI.pdf

 As I understand it, we have three Agencies responsible for defending against cyber-attacks: The Federal Bureau
of Investigation (FBI) as the lead for law enforcement, the Department of Homeland Security (DHS) as the lead for
critical infrastructure and defending government computer networks, and the Department of Defense (DOD) as
the lead for defending the homeland, defending military computer networks, and developing and employing
military cyber capabilities. There is no doubt that we have the capabilities necessary to counter and respond to
the threats the US government faces from our adversaries. However, we must have a clearly defined strategy and
develop policies to reflect that. In my testimony today, I will recommend ways for the US government to enhance
our defenses through defining a cyber warfare doctrine that determines the level of attribution, simplifying
information sharing programs between the public and private sectors, and incentivizing businesses to develop
cybersecurity solutions to defend the homeland.
Understanding the current threat environment is essential if we are going to craft effective policy and defenses. I
am therefore pleased to see the Committee’s continued focus on this subject and appreciate the opportunity to
provide my insights.

Data Theft for Intelligence Operations
A series of major thefts of personal data — not intellectual property — over recent years could suggest that a
nation-state is trying to build a database of all Americans. This poses a threat to our national security because a
nation-state could leverage this data for intelligence operations or influence campaigns.


OPM Hack: The US Office of Personnel Management hack in 2014 was particularly worrisome. The White
House said in 2015 that more than 21 million Social Security numbers, 1.1 million fingerprint records and
21.5 million forms with data like someone’s mental-health history were stolen.2 With technologies such
as artificial intelligence, a hacker could generate useful information for intelligence operations from large
sets of data. For example, a malicious actor could use the data to determine whether a corporate
individual is really a government employee. The theft of fingerprints, as in the OPM attack, could also
prevent government officials from going undercover in the future.



Yahoo Breach: The recent Yahoo Breach is another example. Yahoo lost over 3 billion user accounts in
two operations – one of which involved the engagement of two Russian Intelligence Officials3. The FSB,
Russia’s primary security service, allegedly hired the hackers to target US and Russian government
officials, diplomats, military personnel, Russian journalists, financial sector employees and activists. The
involvement of Russian spies suggests this was partly designed to aid espionage activities and is further
evidence that the line between nation-states and criminal actors is becoming increasingly blurred.

Data Theft for Influence on Societal Norms
The Russians have weaponized the use of data to enhance and support their influence operations. In 2016, we
saw an attack on the US Presidential election, an operation that the US Intelligence Community (IC) attributed to
Russia. Russia also continued its influence operations in other countries of Europe. Ultimately, Putin's goal is to
diminish the power and influence globally of the US and to shatter or splinter NATO.


2
3

Robert Mueller’s Indictment: A federal grand jury has indicted 13 Russian nationals and three Russian
entities for alleged illegal interference in the 2016 presidential elections. The indictment says that a

See https://www.opm.gov/cybersecurity/faqs/
See http://fortune.com/2017/10/03/yahoo-breach-mail/

 Russian organization called the Internet Research Agency sought to wage "information warfare" against
the United States and to "sow discord" in the American political system by using fictitious American
personas and social media platforms and other Internet-based media. The indictment details an extremely
sophisticated conspiracy in which defendants traveled to the United States to conduct research, employed
specialists to fine-tune social media posts to "ensure they appeared authentic," and stole real people's
identities to purchase online ads.
Russia will continue using propaganda, social media, false flag personas, and sympathetic spokesmen to build on
its wide range of operations and exacerbate social and political issues in the US in 2018 and beyond. DHS and the
IC must define a clear strategy to remedy this vulnerability. In his testimony in March, DNI Coats told Congress
that the United States was “under attack” and yet there seems to be no strategy to combat this threat.4
Deterring a repeat of this conduct must be a priority for the entire US government, and indeed for all nations
whose elections are susceptible to Russian interference. The need to impose costs is clear, but the challenge is to
impose them in ways that matter to the Russian regime—not in ways that are projections of what would matter
to the United States. Last week’s imposition of sanctions on 7 Russian oligarchs and 12 companies under their
control was a good start.5 However, we cannot rely on deterrence alone: we need to ensure the United States has
capabilities on the shelf to prevent and preempt this kind of behavior ahead of the 2018 midterms, and we must
make ourselves harder to hack by improving our defenses and becoming more resilient.


Election Security: One tactical issue that Congress must take responsibility for is securing our electoral
data. Chicago’s Board of Elections reported that names, addresses, dates of birth, and other sensitive
information about the city’s 1.8 million registered voters had been exposed on an Amazon cloud server
for an unknown period of time.6 Worse, it appears that hackers might have gained access to employees’
personal accounts at Election Systems & Software, a major election technology vendor—information that
could be used to hack a future US election. American elections are an increasingly easy target because our
election technologies are antiquated and we have few federal level cybersecurity standards. An estimated
43 states rely on electronic voting or tabulation systems that are at least 10 years old. A survey of 274
election administrators in 28 states found most believed that their systems need upgrades. This is a matter
of national security, and Congress should treat it as such. The $380 million in funding for election security
that was included in the FY18 omnibus spending bill is a step in the right direction. The immediate funding
will help states to replace outdated technology and improve cyber-defenses ahead of the 2018 and 2020
elections. A fair and safe election is one of the hallmarks of our democracy. While funding in the omnibus
is an essential first step, it’s just that – a first step. Congress should take up the full Secure Elections Act
without delay, so we can fully protect the security and integrity of our elections.

Data Theft for Disruption
We have seen the rise of disruption attacks over recent months. This is the most concerning type of attack as they
could be designed to enable a military action or to advance a geopolitical struggle and they could have devastating
impacts on our critical infrastructure.

4

See https://www.usatoday.com/story/news/politics/2018/02/13/intelligence-director-coats-says-u-s-under-attack-putintargeting-2018-elections/332566002/
5
See https://home.treasury.gov/news/press-releases/sm0338
6
See https://www.wsj.com/articles/congress-can-help-prevent-election-hacking-1504652957

 

Ransomware: We’ve seen massive disruptions to business operations and municipalities through
“ransomware,” including episodes involving the WannaCry and NotPetya malwares. The most recent
attack on Atlanta shut down government operations for over a week. The WannaCry attack ravaged
computers at hospitals in England, universities in China, rail systems in Germany, even auto plants in
Japan. Additionally, a large pharmaceutical company had 75,000 machines affected by the malware and
lost critical research. Incidents like Atlanta, WannaCry, and NotPetya caused massive disruptions to
enterprises and municipalities worldwide on an unprecedented scale and indicate a rise in nation-state
actors involved in driving these kinds of attacks.



Ukraine: In Ukraine, in 2016 and 2017, there were attacks on the country’s energy infrastructure that
caused the lights to go out. We’ve seen similar things in other parts of the world. The most concerning
threat to national-security professionals is a devastating attack on critical infrastructure.



Russian malware found in critical infrastructure: Similar to Ukraine, the Trump administration recently
accused Russian government hackers of carrying out a deliberate, ongoing operation to penetrate vital US
industries, including the energy grid — a major ratcheting up of tensions between the two countries over
cybersecurity.7



The Edison Electric Institute reported that its Federal government partners informed energy grid
operators in North America of a threat targeting the energy and critical manufacturing sectors. While this
incident did not have operational impacts, the group worked across the sector and with government
partners to ensure the ongoing protection of the grid from this specific threat and from all cyber and
physical security risks. Following the announcement of sanctions against Russian government cyber
actors, the Electricity Information Sharing and Analysis Center (E-ISAC) provided potential indicators of
compromise and other technical data to ensure electric companies in North America are prepared to
protect and defend their networks. This information sharing is representative of the strong industrygovernment partnership, which exists through the Electricity Subsector Coordinating Council, and is vital
to guarding the grid from all possible threats.



Similarly, following the news of the intrusion, the Department of Energy created a new Office of
Cybersecurity, Energy Security, and Emergency Response (CESER) at the US Department of Energy (DOE).
$96 million in funding for the office was included in President Trump’s FY19 budget request to bolster
DOE's efforts in cybersecurity and energy security.8

Responding to Today’s Threats
Just as the threat environment has evolved, so too must our ability to respond to those threats. This evolution has
been most evident within the intelligence community and military, where the National Security Agency (NSA) and
United States Cyber Command continue to develop new capabilities designed to counter emerging cyber threats.
While this is not the setting in which to focus on these capabilities, I can say that I am confident that the cyber
capabilities of the United States are second-to-none. However, I believe there is still work to be done in other
areas, particularly in regard to cyber strategy and policy outside of the military and intelligence communities. The
two areas of strategy and policy I’d focus on most would be cyber defense and cyber deterrence.

7

See https://www.us-cert.gov/ncas/alerts/TA18-074A
See https://www.energy.gov/articles/secretary-energy-rick-perry-forms-new-office-cybersecurity-energy-security-andemergency
8

 Cyber Defense
The first area of policy that I would address is in cyber defense. How we defend ourselves, and more particularly
our cyber infrastructure and networks, is vital to our security and an area in which progress can have a direct
impact on minimizing the harms of cyber-attacks. As many in the cybersecurity field have observed, an ounce of
prevention is worth a pound of cure.
In order to improve our cyber defenses, it is important to understand how responsibilities for cyber defense are
distributed. Within the Federal government these responsibilities are spread among several organizations, so
there must be coordination and collaboration on cyber issues between agencies and departments. DOD is
responsible for the defense of its networks, while DHS has primary operational responsibility for the defense of
all Federal, unclassified civilian networks. Domestic cyber-attack and cyber-crime investigations are the
responsibility of the FBI. There is certainly work to be done to fully operationalize these concepts and enhance
cybersecurity collaboration within the government so that there is a broader unity of effort within government
that helps to grow and enhance our nation’s security posture.
In contrast, cybersecurity responsibilities within the private sector are far more diffuse. The security of each
network is the responsibility of its owner or operator, meaning that the security of the vast majority of the
country’s cyber infrastructure is in the hands of hundreds of thousands of different entities. Coordination and
information sharing between these entities is often limited, though significant progress has been made in some
sectors through the growth of Information Sharing and Analysis Centers (ISACs) and Information Sharing and
Analysis Organizations (ISAOs). In this diffuse environment, it is critical that the United States government assist
the private sector in their cybersecurity efforts and work diligently to help facilitate critical cybersecurity
information sharing, both among private sector actors and between the government and the private sector.
What makes information sharing so important is the fact that our cyber infrastructure is so diffuse. While one
entity, such as the FBI, Google, or Microsoft, may be aware of a particular vulnerability or threat, it can take days,
weeks, or even months before the relevant information spreads throughout the cyber ecosystem and results in
the deployment of patches, installation of new technologies, changes in network architecture, or the adoption of
new policies that adequately counter the threat. We have, admittedly, made significant progress in cyber threat
information sharing over the past decade. I applaud the efforts of organizations such as the Financial Sector ISAC
(FS-ISAC), the Multi-State ISAC (MS-ISAC), and the hundreds of other ISACs and ISAOs that have helped us get to
where we are today—but the reality is that we can do more.
On the government side, we already have programs in place that provide the private sector with threat
information data and other forms of assistance designed to help private organizations enhance their cybersecurity
posture. These programs have had their successes, but it remains too difficult for those in the private sector to
gain access to the wealth of information and assistance that the government, particularly DHS, could provide.
For example, DHS’s National Protection and Programs Directorate (NPPD) operates the Cyber Information Sharing
and Collaboration Program (CISCP), which can be an invaluable source of threat information data for private
entities, potentially providing them with access to government threat information data, including sensitive,
classified information. However, navigating the process to participate in this program and gain access to classified
information can be daunting for private companies. To join the program, the company must first be aware of its
existence, and in my experience too few companies are aware of CISCP and other assistance programs offered by

 DHS and other government agencies. Once a company is aware of the program, it must then negotiate a
Cooperative Research and Development Agreement (CRADA) with DHS, a type of agreement that was not
originally designed to facilitate this type of information sharing. The negotiation of a CRADA, while relatively
straight forward, can be confusing to companies unfamiliar with government processes or cooperative
agreements and can take months to negotiate.
Further, even with a CRADA in place, a company will only have access to less sensitive types of government threat
data—classified information remains off limits for a variety of reasons. The data companies do have access can
also be incomplete, missing additional, unclassified threat information from agencies outside of DHS, such as the
FBI, meaning that a company may need to receive threat information from multiple government entities to receive
a more complete picture. To review more sensitive, classified threat information the private company will need
to obtain the proper clearances for several of the company’s representatives.
Fortunately, DHS can sponsor at least some company personnel for a clearance when a CRADA is in place, but
here too are obstacles. The process for obtaining a clearance can be confusing and time consuming, especially for
those in the private sector with no previous experience in national security or government service. Further, the
Federal government continues to face a significant clearance process backlog. Last month, the Government
Accountability Office released a report that found that the Office of Personnel Management’s National
Background Investigation Bureau currently has a backlog 710,000 background investigation cases, meaning that
the entire clearance process can take upwards of a year.9 Under these circumstances one can understand why a
private company might choose to forgo access to more sensitive threat information.
In addition to process improvements, there are ways in which the government can make the threat information
data they are already sharing more useful to the private sector. First, threat information sharing is significantly
more efficient when it is automated, relying on standardized feeds and formats to communicate key pieces of
data. DHS and the government writ-large should continue to encourage the automated sharing of threat
information and push for greater interoperability between such initiatives, including the incorporation of
confidence levels in the sharing of cyber threat indicators (such as IP addresses and MD5 hashes).
Second, the government should prioritize the identification and sharing of Tactics, Techniques, and Procedures
(TTPs) as well as exploit targets for sharing with the private sector. Such information is increasingly important as
cyber adversaries rapidly vary traditional signatures used to counter cyber-attacks, such as IP addresses and MD5
hashes. A greater understanding of the TTPs and exploit targets used by an adversary can allow security
professionals to focus network hardening and detection efforts to more surgically address risks relevant to their
environment, allowing them to prioritize internal controls and policies to match likely threat actor TTPs.
Third, the government should encourage further work on the development of a common language for the
exchange of threat information—threat information data is most valuable when all of the organizations involved
use the same terminology to describe various TTPs. Within the cyber field there is a significant focus on the
Structured Threat Information eXpression (STIX) framework, however many practitioners leverage different
frameworks (VERIS, for example) to manage threat TTP and incident information. I would recommend working to
resolve the difference between the these various systems with a focus on defining a common language for sharing.
Fourth, the government should foster the collection and categorization of incident data to identify TTPs and other
relevant information. A key source of TTP information lies in information collected as part of an incident response
9

See https://www.gao.gov/assets/700/690499.pdf

 effort. Thus, there needs to be a greater focus on “reverse engineering” incidents to identify TTPs utilized and
corresponding courses of action that could mitigate such TTPs. DHS is currently sponsoring a Cyber Incident &
Data Analysis Repository (CIDAR) initiative to define the architecture for an incident repository, however the
success of such an initiative will come down to the willingness of organizations to contribute this data. As such,
we must do all that we can to encourage companies, in addition to Federal government entities, to share this
information in the name of enhancing our collective cybersecurity posture.
To that end, the government should also consider expanding the scope of the Support for Anti-Terrorism by
Fostering Effective Technologies (SAFETY) Act to include cybersecurity-related technologies in addition to antiterrorism technologies. The SAFETY Act, first passed as part of the Homeland Security Act of 2002, provides
incentives for the development and deployment of anti-terrorism technologies by creating systems of risk and
litigation management. The act provides some terrorism-related liability limitations for organizations that adopt
DHS-certified anti-terrorism technologies, creating an incentive for companies to invest and deploy these
technologies. Expanding the safety act to include cybersecurity technologies would create a similar incentive for
their development and adoption, ultimately encouraging an enhanced cybersecurity posture across the private
sector. Legislation to expand the scope of the scope of the SAFETY Act, the Cyber SAFETY ACT of 2018, was recently
introduced in the Senate by Senator Steve Daines (R-Montana).
Finally, the private sector has benefited greatly from the National Institute of Standards and Technology’s (NIST’s)
Cybersecurity Framework. This voluntary framework, which consists of standards, guidelines, and best practices
for organizations to manage cybersecurity-related risk, has been well received in both the private and public
sectors. It has helped organizations prioritize and identify areas deserving of additional investment and attention
while promoting the protection and resilience of cyber infrastructure across sectors. That said, NIST can continue
to refine and enhance the framework as it continues to iterate and update the document. I would encourage NIST
to focus on providing more specific, control-related guidance, providing industry with a clearer understanding of
what actions organizations should be taking to implement a control. Such guidance would be in addition to
providing references to other cybersecurity frameworks and control regimes as the current framework does.

Cyber Deterrence
The second area of cyber policy and strategy that I would focus on is cyber deterrence. While having the proper
policies and technologies in place to defend our cyber infrastructure is important, it is equally important that we
have the right tools at our disposal to successfully deter or respond to cyber adversaries from undertaking a cyberattack in the first place. While we will never be able to deter every cyber-attack, we can use those that do take
place to make it clear what responses we have at our disposal and indicate what costs we can inflict on those who
undertake such an attack.
The most important question to address when contemplating cyber deterrence is that of attribution. While others
testifying before this body are far more qualified to speak to the technical questions of attribution, the broader
point remains—attribution of a cyber-attack to a specific actor is vital to providing the United States with the
opportunity to use the full range of deterrent options at its disposal. Unfortunately, in the cyber realm attribution
can be exceedingly difficult. Attackers can be adept at obfuscating their origins, will leverage tools, vulnerabilities,
and TTPs pioneered by others, and leverage the systems of other unsuspecting victims to support and launch their
attacks.
We have, fortunately, made significant progress on attribution, though many of the methods and technologies
underpinning these capabilities remain highly sensitive. But even our advanced capabilities have limitations—

 rarely does a cyber-attack have the sort of indisputable evidence that we have come to expect in the physical
world. There may not be a smoking gun or a bloody knife. There won’t be a satellite image of our adversary
launching their cyber weapon at the United States and rarely is a cyber weapon system something that is exclusive
to a single actor. Sometimes the evidence will ultimately come from signals or human intelligence rather than a
forensic analysis of the attack itself. The reality is that much of the evidence available to us in the cyber realm is
circumstantial, and the confidence level of an attribution can be just as important as the attribution itself.
While not ideal, this is a circumstance that we will ultimately have to come to terms with. We must continue to
make investments in our capabilities but will need to rely upon the judgement of our intelligence agencies and
technical experts. We may not have the time, or the ability, to wait for complete certainty. We may instead need
to identify what level of confidence is needed in what circumstance.
Similarly, we need to ensure that we have a full range of options at our disposal when we respond to a cyberattack to properly deter future attacks. Like in the physical world, those responses must ultimately be calibrated
to the severity of the attack and specifics of the circumstance. As a result, the range of potential responses will
range from diplomatic warnings to a proportional cyber response, from a criminal indictment to a kinetic strike
on a physical battlefield. We must be prepared to leverage all our options and be certain to properly calibrate
their severity to that of the cyber-attack. We must also make it clear that we are willing to use all the options at
our disposal.
The criminal indictments obtained by Special Counsel Mueller for 13 Russian nationals and 3 Russian entities are
examples of how we can leverage the criminal justice system.10 The Department of the Treasury’s recent targeted
sanctions against various Russian national and entities, including 7 Russian oligarchs, similarly demonstrates how
we can leverage targeted sanctions.11 Broader sanctions, including economic and banking sanctions, can also be
leveraged as both a response to a cyber-attack and a deterrent against future attacks. Offensive cyber activities
and even kinetic military strikes may also be justified in certain circumstances. What is important is that the United
States responds in a proportional manner and in one that deters our adversaries from taking similar action in the
future.
We must also consider new ways in which we can cooperate and coordinate with our allies on cybersecurity, not
just in terms sharing intelligence and capabilities, but in deterrence as well. Toomas Hendrik Ilves, the former
President of Estonia and Visiting Fellow at the Hoover Institution at Stanford University, recently proposed what
he termed a new “Cyber NATO,” a coalition of liberal democracies that is better able to meet the ubiquity of cyber
threats and ensure proper, adequate response.12 The President of Microsoft, Brad Smith, has proposed what he
has dubbed a “Digital Geneva Convention,” which outlines the rules of cyberspace and protects civilians and other
bystanders from the offensive cyber activities of nation-states.13 These are the sorts of bigger ideas that we must
also consider as the volume of cyber-attacks grows and our capabilities mature.

Conclusion
The size and scope of state-sponsored threats facing the US may seem daunting and it is important for us to
recognize that we are unable to prevent all attacks. But altering our cyber defense and deterrence strategies will

10

See https://www.justice.gov/file/1035477/download
See https://home.treasury.gov/news/press-releases/sm0312 and https://home.treasury.gov/news/pressreleases/sm0338
12
See https://berlinpolicyjournal.com/a-digital-defense-alliance/
13
See https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/
11

 go a long way toward mitigating the risk. Congress must act to address the shortcomings of the current security
clearance process, consider expanding the scope of the SAFETY Act to include cybersecurity-related technologies
to incentivize private sector companies to create innovative defense technologies, and simplify and standardize
information sharing between the private and public sectors to ensure that it is easier for enterprises to share and
receive threat information from the government in real time. Thank you to the Committee Chairman for inviting
me to testify today. This hearing is a positive step in helping our country better defend against and deter cyberattacks.