panic and chaos. [background noises]

exit selectivity it will come to order. this is a short hearing we've never had this combination of witnesses. a collection of expertise to help us make sense of what the chinese, and his party's doing in cyberspace and i can better defend ourselves. our hats off -- we spent a lot of time on this committee debating or thinking about the question of whether xi jinping will make a move militarily against taiwan. and what would be a timeline for such a move? obviously this is a nun on noble question people continue to debate it. in some meaningful sense i wonder if such an invasion or a preparation which would be incredibly costly if the ranking member very eloquently pointed out yesterday has already begun. the intelligence preparation of

the battle space has already begun. put differently for over 20 years they have been attacking us the government, defense contractors technology firms in cyberspace that is a fact. for a long time the attacks rubbing a valuable technology that was then used to drive the military modernization. but another focus of attack has been gathering sensitive information on hundreds of millions of americans with attacks on companies the office of personnel management i am sure anyone else who served in the military got a nice letter after our military records have been compromised mind is framed in my office in my basement. according to the fbi vast hacking program is the largest they have stolen a more americans a personal business data than every other nation combined. but that was not enough of the ccp in the past few years our intelligence and cybersecurity

agencies are hacked into american critical infrastructure for the sole purpose of disabling and destroying our critical infrastructure in the event of a conflict over taiwan. this is the cyberspace equivalent of placing bombs on american bridges. water treatment facilities and power plants. there is no economic benefit for these actions. there is no pure intelligence gathering rest rationale the sole purpose is to be ready to destroy american infrastructure which would inevitably be insults and confusion and mass casualties. it is outrageous. it's an active direct threat to her homeland, our military our ability to surge forward forward and it is not a hypothetical as our witnesses will testify today the chinese government has already done it. for cyber warriors are doing everything they can to stop it.

for dealing with malware and water utilities power grids and other utilities in our westernmost territories and across the american homeland the damage that could be done by this is almost hard to imagine. we need to step up and defend our critical infrastructure. defend ourselves it is a critical parts of deterrence it will take on precedent a collaboration between the public and private sectors to create the kind of layered cyber deterrence we need to prevent disaster it's not just a government problem it is a whole of society problem. our committee is called the select committee on strategic competition between the united states the chinese common is parted that is a long title. but in a very real way it the name of our committee vastly understates the problem. it's not just strategic competition but a strategic threat.

p we do not address this threat will turn off the lights for everyday americans to shut down cities and cause massive loss of american lives that is unacceptable. i believe men and women of good faith and both parties can come together to prevent that from happening that is what today's hearing is all about i not recognize the rink member for his opening statement brickwork think it was richard thank you to the witnesses are coming today. i understand today is a change of command you made time to come and see us. i expect this will be unplugged. and so we really look forward to today's testimony. look folks, today it we will talk but ugly gorilla and candy gave these are not my kids instagram handles. in fact these are alias used by hackers working for the people's liberation army otherwise known as pla. specifically this one ted poster shows and members of unit 61398

whom we indicted in 2014 for hacking into companies instilling intellectual properties. this is the first time we have ever indicted p seat nationals r computer hacking in the u.s. for years the ccp carefully set cited how they ran cyber operations. to develop its own concept for cyber warfare. xi jinping himself called for the prc to become a quote cyber superpower and to dominate the world their information warfare. in the last dozen years the ccp has you cyber operations resealing ip from companies, clutching private citizen data, hacking into government e-mails, even potentially gathering personal data from apps like tiktok. however today we will be discussing an even darker side of the ccp cyber warfare tactics. activities that go far beyond merely stealing information.

damage the infrastructure. you might ask why.

very simple. potentially harmless any time of conflict. they talk about missile strikes with cyber attack as part of the offense of operation to protect power in asia or to cause societal chaos inside the united states. this means targeting americans. this means we could suffer large scale blackouts in major american cities and lose access to our cell towers and the internet, access to clean water and food. so how do we respond? we must be clear eyed about the threat. the objective for the cyber attack or not just to impede military readiness. they seek to target civilian infrastructure that because political economic and social chaos and in their own words,

quote, shake the enemies will. second, we must hunt and destroy malware and discover and destroy all malicious codes they are attempting to hide within our network and critical infrastructure. in fact less than 48 hours ago, they reported the justice department and the fbi were authorized to remotely disable aspects of the ccp hacking campaign underway now to protect the network's devices. this is exactly the type of proactive action that we need to take and we need to work with our partners and allies to do the same. i look forward to hopefully learning more from the witnesses about this particular counter campaign. we must do to are our adversaries. while malicious code hasn't yet disrupted any of our networks, any cyber attack that results in physical damage or loss of life would grant the united states

the inherent right to self-defense. if the ccp were to activate code that could cause harm, we need to make sure that we have the capability to respond and respond decisively. i look forward to hearing from the witnesses today and yield back the balance of my time. >> we are privileged to have a great panel of witnesses. the second confirmed national cyber director. i don't want to play favorites on the panel but when i called you to try to convince, i felt a little guilty because the fact that you were willing to do this i think is the ultimate

testament of more to the type of public servant that you are. willing to do this and what are your changing command is usually to drop a week ago. my experience working with you are forthcoming at generous times. thank you for an exceptional career of public service. [applause]

i asked the witnesses to stand and raise your right hand and i will spare you in. do you swear or affirm under penalty or perjury the testimony you're about to give is true and correct to the best of your knowledge and belief, so help you god? let the record to show the witnesses answered in the affirmative. thank you all and to the national cyber director. director ray will begin with his opening remarks, which i think will include a major announcement. you may proceed. thank you, chairman gallagher, the members of the select committee for inviting me here to testify today to discuss the fbi's ongoing efforts to protect our nation from actions taken by the chinese government that threatens americans safety and

prosperity. my comments today are not of chinese people were chinese americans who contribute much to the country and frankly are often the victims chinese communist party aggression themselves. rather, when i talk about the threat posed by china, i mean, the government of china particularly led by the ccp. the ccp's dangerous actions, the multipronged assault on the national and economic security make it a threat of our generation. when i described the ccp as a threat to american safety a moment ago, i meant that quite literally. there has been far too little public focus on the fact drc hackers are targeting our critical infrastructures, water treatment plants, electrical

grid, oil and natural gas pipelines, transportation systems, and the risk that poses to every american requires our attention now. china's hackers are positioning on american infrastructure in preparation to wreak havoc and cause real-world harm to american citizens and communities if and when china decides the time has come to strike. they are not focused just on political or military targets. we can see from where they position themselves across civilian infrastructure that low blows are just a possibility in the conflict, they are part of china's plan. but the cyber onslaught goes way beyond pre- positioning for future conflict. today and literally every day they are actively attacking our economic security, engaging in

wholesale theft of our innovation and personal and corporate data, nor is cyber the only threat we face. the prc cyber threat is made vastly more dangerous by the way they knit cyber into a whole of government campaign against us. human sources to target our businesses using insiders to steal the same kinds of innovation and data that hackers are targeting while engaging in corporate deception hiding their hand in transactions, joint ventures and investments to do the same. and they don't just hit the security and economy. they target our freedoms, reaching inside our borders across america to silence, coerce and threaten some of our citizens and residents. but i can assure you the fbi is laser focused on the threat

posed by beijing. we've got cyber, counterintelligence, criminals and wmd experts just to name a few defending against this and we are working in partnership with the private sector, with our allies abroad and at all levels of the u.s. government, especially the nso cyber command and whose leaders i'm honored to be here with today. in fact just this morning we announced an operation where wee and our partners identified hundreds of routers that have been taken over by the prc state-sponsored hacking group. the typhoon malware enabled china to hide among other things preoperational reconnaissance and network exploitation against critical infrastructures like

our communications, energy, transportation and water sectors steps china was taking in other words to find and prepare or degrade the civilian critical infrastructure that keeps us safe and prosperous. let's be clear, cyber threats to the critical infrastructure represent real-world threats to the physical safety. so, working with our partners, the fbi ran and court authorized on the network operations to shut down typhoon and the access that it enabled. the celebration was an important step, but there is a lot more to do and we need your help to do it. to quantify what we are up against, the prc has a hacking program than that of every major nation combined. in fact, if you took every single one of the cyber agents and intelligence analysts and

focused them exclusively on the china threat, they would still outnumber the cyber personnel by at least 521. so as we sit here while important budget discussions are underway, i will note that this is a time to be keeping ahead of the threat by investing in the capabilities rather than cutting them. we need to ensure that we sustain and build on the gains that we have made that have enabled us to take actions like the typhoon operation i just mentioned. the budgets that emerged from discussions underway now will dictate what kind of resources we have ready in 2027. a year this committee knows all too well the ccp has circled on its calendar.

and as i've described, it is already today putting their pieces in place. i don't want those watching to think we don't protect ourselves but i want the american people to know we cannot afford to sleep on this danger. the threat that beijing poses otherwise china has shown it will make us pay. thank you. >> director, you are recognized. >> chairman gallagher, ranking member and distinguished members of the select committee, thank you for the opportunity to testify. i've been honored to lead the office of the national cyber director in the white house for a little over a month now and i'm grateful to congress and

their leadership for creating this office and mr. ranking member i appreciate the conversation yesterday and your interest in the workforce. established by congress to advise the president on cybersecurity policy and threats and in particular to coordinate many agencies with cyber missions across the government to ensure federal coherence on cybersecurity policies. we have budgetary responsibilities to ensure the government is making appropriate investments in the cyber defense and resilience and we focus on implementation to ensure the strategy to successfully and transparently execute. coordination and collaboration are central. the security remains a team effort and i'm proud to be testifying some of the nation's finest leaders.

this hearing is timely because the american public needs to be aware of the threat to the critical infrastructure. our intelligence community has noted that the prc threat actor is pre- positioning to the event of conflict conduct disruptive and potentially destructive attacks. the threat actor as it has been named by the private sector partner has conducted cyber operations focused not on financial gain or espionage but deep access and a critical critl infrastructure systems that put the systems at risk. their aim is clear in the early stages of the conflict, they want to disrupt our military stability to mobilize and impact the systems that allow us to thrive in the increasingly

digital world. we have the initiative from adversaries to defend the american people. last year president biden assumed the national security cyber strategy that outlines a bold vision for prosperous connected future and calls for us to build a future that is a foundation of deep and enduring collaboration among stakeholders in the digital ecosystem. the national cybersecurity strategy has technology agnostic and is built on two fundamental shifts that we must rebalance the responsibility to defend cyberspace and realign the long-term investments. today users of technology the individuals, small businesses and critical infrastructure makes up the constituencies in the district there's too much responsibility to keep the nations secure. we must command more from the capable actors in cyberspace

including the government. we must build future systems to be more inherently defensible and resilient. this means market forces and public programs alike must reward security and resilience. this leads directly to the first pillar of the strategy that is simple and concepts with daunting scope to send the critical infrastructure as we can see from the targeting the critical infrastructure systems are on the train on which the adversaries must engage us and critical infrastructure owners and operators the majority of whom are private entities, not governments on the front line. part of our success will come from scaling public-private partnerships and collaboration. beyond the scale of these mechanisms into setting clear cyber security requirements, the government must also be a good

partner when an incident has occurred and federal assistance is required. even as we shored up the defense we must also look to change the dynamics in cyberspace. that means for example in addressing the research problem of software measurability that makes it difficult to understand the quality of code and topic they are working to elevate. we are also working to address the over half a million open jobs cyber fields. it's vital that we invest in workforce programs and improve the pipeline of talent, expand opportunities for all citizens to learn digital skills and open these good paying jobs and careers to all segments of society including those who've never seen themselves in cyber. the implementation of the national cyber workforce and education strategy the

administration's focus on cybersecurity has put us on a firm strategic footing to counter threats from the prc actors and others. we will only see the initiative by leveraging the foundational partners that we rely on including congress. ultimately, the unity of effort know one entity can achieve our shared goals alone. a sitting here today with our close partners, i hope you will see how the u.s. teams have enhanced the thoughtful patriotic cyber practitioners in all levels of government from across the industry working together for the digital ecosystem. again thank you for the opportunity to testify today and i look forward to your questions. >> director, you are recognized. >> chairman gallagher, members of the committee, thank you for the opportunity to testify on the efforts to protect the

nation from the preeminent cyber threat from the people's republic of china and america's civilians cyber defense agency in the national coordinator critical infrastructure resilience into security we've long been focused on the cyber threat from china. but as you've heard in recent years we have seen a deeply concerning evolution in chinese targeting of u.s. critical infrastructure. in particular, we have seen the chinese cyber actors including those known as typhoons burrowing deep into the critical infrastructure to enable constructive attacks in the event of a major crisis for conflict. this is a world where a major crisis halfway across the planet could endanger the lives of americans here at home through the disruption of the pipeline, the suffering of the telecommunications, the pollution of the water facility, the crippling of the transportation modes. all to ensure that they could inside societal panic and chaos

and to detour the ability to marshal military might and civilian will. the threat is not theoretical. leveraged information from the government industry partners the teams have found and eradicated the chinese intrusions and chinese intrusions and multiple critical infrastructure sectors including aviation, water, energy, transportation. now based on this information, this is likely just the tip of the iceberg. first authorities from the congress based on the recommendations from the commission. robust operational collaboration

and chinese malicious activities to develop ways to more rapidly detect it. we are also using our free services and resources in providing intelligence to critical infrastructure, owners and operators across the country so that they can detect and prevent chinese malicious activities, and we are using now hundreds of subject matter experts and advisors across the nation to work directly with businesses to help them improve the security and resiliency of the critical services that americans rely on every hour of every day it's all necessary but it's not sufficient. the chinese cyber actors have taken advantage of very basic flaws in the technology.

it is inherently insecure because of decades of software developers are not being held liable for this technology. that has led to incentives that have been prioritized against security leaving the nations vulnerable to cyber invasion. that has to stop. technology manufacturers must ensure that china and other cyber actors cannot exploit the weaknesses in the technology to go through the open doors of the critical infrastructure to destroy it. it has to change. we are in a critical juncture for national security. it should serve as an urgent call to action, specifically, every victim of the cyber incident should report it to fbi every time, knowing that a threat to one is a threat to all data cybersecurity is national security. every critical infrastructure entity should establish the

relationship with their local team and take advantage of the services including vulnerability scanning to ensure they can identify and prevent vulnerabilities the chinese cyber actors are using every critical infrastructure entity to use the services in the cybersecurity performance goals as well as the advisories that we publish with nso and fbi and international partners to do the necessary investments in cyber hygiene to ensure to protect the networks including throughout the supply chains. to prepare for and expect an attack and test and prepare for an exercise the critical systems so that they can continue to operate through the disruption and recover rapidly to provide services to the american people.

a future where cyber actors cannot take advantage of technology defects to break into the critical infrastructure. this is a future underpinned by the software liability regime based on a measurable standard of care and safe haven for the software developers that responsibly innovate by prioritizing security first. none of this is possible unless every ceo and business leader and a board member or critical infrastructure company which is business risk and managing it is a matter of both good governance and fundamental national security. thank you for the opportunity and i look forward to questions. >> members of the select

committee, i'm honored to represent the men and women of the u.s. cyber command and security agency as my time as the commander and director draws to a close. thank you for the opportunity to reflect on the changes i witnessed and the technological and operational environments for my nearly six-year tenure and to hear your concerns. the people's republic of china poses a challenge unlike any in the nation and allies have ever faced, fiercely and the information domain. the prc cyber actors are pre- positioning in the critical infrastructure and it is not acceptable. defending against this activity is our top priority. the men and women of the cyber command and national security continue to maintain the strategic advantage by contesting the threats posed by the prc into cyberspace by using the full scope of the authorities and the full spectrum of the capabilities. we will continue to strengthen

partnerships across the u.s. government partners and private industries so we may operate anywhere we are needed. we are ready for the activities at home and abroad they are stronger and more capable for these efforts and to systematically eradicate intrusions. one a significant contribution the ability to counter these threats is our relationship with the private sector. the cyber command into security agency partnerships have underpinned the u.s. government's ability to track, detect and mitigate the prc's activities against u.s. infrastructure and scale. one example of the impact of the strong relationships was demonstrated with of the cybersecurity advisory which was the first documented a prc

activity against the critical infrastructure lastly i would like to reiterate my appreciation for the opportunity to speak with you this afternoon and recognize the continued efforts to bring attention to this critically important issue that impacts the national security, the lives and livelihoods of the american people. it really kind of teases out the implications of an attack on the critical infrastructure. i'm left with the implication china is pursuing a strategy to either hold us hostage in the

event of an international incident such that we would be afraid to respond or to actually cause casualties on the homeland. is that an accurate assessment i can take from your testimony? >> absolutely. so, as i mentioned, as i eat eluded to it is the chinese military doctrine in the aftermath of the ransom where attack on colonial pipeline may of 2021 to the eastern seaboard for several days americans couldn't get to work, they couldn't take their kids to school, couldn't get folks to the hospital. it caused a bit of panic. imagine that on a massive scale. imagine not one but many.

trains get derailed, systems are malfunctioning. everywhere, all at once scenario this is a scenario that we can and indeed must prevent through the robust practices, and i mentioned in my statement that amounts to the deterrence by denial and resilience, but also through the deterrence and escalation of punishment, credible threat and then perhaps most importantly american strength and unity and the power of our values. >> assuming they are targeting the critical infrastructure and other territories in the pacific, what would an attack look like in the event of a crisis? >> it could have a very

significant impact on what we need to do to provide a series of different options the region would want to respond with communications and the ability to be able to leverage these are all areas that we are relying on. >> what was stunning in your opening statement if you focus all of the fbi cyber professionals on the china threat, we would still be out what sort of disadvantage with respect to kissing on america? >> a disadvantage of at least 50-1. >> and part of the reason i say at least is because one of the reasons we have seen from the chinese government with massive resources to the biggest hacking program in the world by a mile is they work with cyber criminals which is a force

multiplier. >> it is the biggest chunk of our counterintelligence program by far and the biggest chunk of the cyber program by far that of course we have other divisions. it's really a threat that purveyors and permeates the programs. >> you previously testified when it comes to tiktok at the screams of national security concerns, why? what is the risk? >> the most important starting point is the role of the chinese

government. the parent company is effectively beholden to the chinese government, and that is what in turn creates the series of national security concerns in the government's ability to leverage that access or authority so first the data it gives them the ability to control data collection on millions of users which can be used for all sorts of intelligence operations. a second the recommendation algorithm. it enhances all of that with of their ability to collect the data and feed it into those operations makes it exponentially more dangerous to americans and then 30 and finally, it gives them the ability should they so choose to control the software on millions

of devices which means the opportunity to compromise millions of devices. as you put all those things together it is a threat that i think is very significant and all starts back with the starting point which is the chinese government itself and their role and ability to control these different aspects. >> my time is expired. i'm excited to recognize the ranking member. >> first i want to discuss the impact of cyber attacks. at the behest of russia recently they cut off internet actions of tens of millions of ukrainians of cyber attacks alone and they cut off power for hundreds of thousands of ukrainians.

i have a general question it could look somewhere like this. in a complex situation they could aim to attack the american infrastructure the same way the russians are attacking ukraine. a general, so far we've discovered malware and infrastructure but they haven't been activated yet in the event the malware were activated you would be able to attribute it back to the ccp like typhoon, right? >> general, in 2018 you were at the asn security forum and here's picture of you five years ago. yosaid this caught my eye. if a nation state decided to

attack the critical infrastructure, that's above the threshold of war. >> i do recall appearing there, yes and i probably would have said it differently today, ranking member. >> and then the next part of that also caught my eye. you continued by saying and we would certainly respond. in the written statement you talk about imposing costs on potential adversaries. so i just want you to say very clearly, here cyber, has the capability to respond decisively. >> it does. and this is a really important point. we cannot be empathetic and working at this threat. we need to be persistently engaged every single day with a series of different capabilities working with a series of different partners to both enable and act. what we have done the past five years have been able to look at imposing costs on a much broader fashion. whether or not it is publishing

an unclassified manner with the adversary is doing whether it's working with the bureau or worked closely with justice and treasury this is the idea of consistently being able to persistently be engaged with your adversary. i just want to send that message to anybody that is paying attention. whether it is the ccp or anyone else that would intended to put malware into the critical infrastructure. if it is activated secondly, that could be an act of war. and third, we will respond decisively. let me move to another topic and i would like to touch on tiktok as well, director. the ceo came to capitol hill and to set a couple things i would like to get your response on. one he said our data privacy concerns with regards to tiktok are not unique compared to other companies like facebook and x otherwise known as twitter. i personally agree that other social media apps have various

data privacy concerns, but the key difference is that unlike tiktok, they are not owned by a company beholden. you would agree tiktok -- >> it is by western companies which by their very natures are not beholden to western government. and what makes tiktok so challenging is and therefore so risky from national security perspective is that we are talking about a government in the chinese government that has over and over again demonstrated contempt for the rule of law and international norms and alliance that we consider very important in the u.s. into the west between private sector and the government. those are lines that are at last blurry if not nonexistent.

>> i want to ask about in the news that you broke during your testimony, thank you for your proactive action with regards to disrupting, remotely disabling this whole typhoon campaign. a couple questions, one is in this year of elections, obviously the foreign minister recently told jake sullivan sure him the ccp is not going to interfere this year. how do we prevent that from happening? >> they promised a lot of things over the years so i will believe it when i see it would be the starting point. second, we work very hard across the inner agency, all the agencies represented here plus a whole host of other partners to try to anticipate and prevent any efforts to interfere in our

elections. there've been in enormous strides made over the years not just all three of our agencies, but between our agencies and state and local election officials, secretaries of state et cetera to prevent cyber interference for example in our system and of course also the pervasive problem of malign foreign influence in terms of disinformation campaigns and things like that. in the more discerning and media literate populace because they have a role to play. >> how many states where they located in? >> i don't have the number of states with me. i know that it was hundreds of routers and it's a good example of the point that the director was making in her opening

statement. these small home office routers were very outdated to make them easy targets for the chinese government, and of these were not themselves the intended targets. the targets of course were the critical infrastructure. but with the chinese were doing is using these easy targets to hide and obfuscate the role in the hacking of the critical infrastructure so that's why the point that was made about making sure we are not creating an easier surface for them is important. >> i would like to thank the witnesses for joining us today. thanks again for your service and thanks for your 37 years of service to the nation. i'd like to begin with you. there are some that would assert that other nations conduct cyber operations. some are entities like hospitals and water systems and power grids and other civilian

targets. what makes the activities like malware the systems, what makes it unique in relation to other responsible cyber factors? >> cyber actors of democracies like our own do not target the civilian infrastructure. if there's [inaudible] >> the ranking member talked about determining exactly who was behind the cyber attacks and then making sure and never get out in front of the insidious nest that happens with cyber attacks and those folks that dream up but one thing we can do very effectively is have a

robust offensive capability as a deterrent so that folks understand like china if there is a cyber attack on the nation what will be coming back their way and orders of magnitude later first to be have the capability to do that and if so, do we communicate that in various ways so china knows what the consequences will be if they take such an action? >> we have the capability and we are very -- from our policymakers who have these discussions to the exercises that we conduct to the real world examples that we do with a series of different partners. the other thing i would tell you first of all we've discovered what they are doing and we have exposed it. second of the partnerships that exist between our agencies and commands, something that concerns the chinese and finally, it is the work with the private sector that gives us

scale. they may have 50-1 but when we have the private sector, we outnumber them. >> i am also very concerned about the ccp pre- positioning within our critical infrastructure like oil and gas pipelines. do we have a reason someone would be positioned as critical infrastructures and what conclusion should we reach as congress and the american people from these reports? >> as the director talked about, this is the attempt to provide the chinese options in crisis or conflict when we have discovered them in these critical infrastructure, the first thing we need to do is make sure we get them out. this is not in episodic threat. this is a generational piece that the director talked about. we have to operate every day, we have to have all offensive and defensive capabilities.

>> especially the electric grid. give your perspective on how we would most effectively do that in a timely way to make sure that it's a done in two ways to make sure any future software that's written is held liable for its vulnerabilities and how do we retroactively then address software that's already there that exposes those liabilities? >> thank you for the question. as you pointed out, this is both a current problem and a legacy issue. what is critical is that we start now to develop a regime and is part of the national cyber strategy that can actually hold software makers liable for creating effective technology because frankly i do believe if we had something like that and that was put in place at the dawn of the internet with software developed, we would not be in a world where it is full of malware and software is ripe

with vulnerabilities. so we need a software liability regime that's based on a standard of care but also safe harbor for the developers that do responsibly innovate by prioritizing security and not a speed to market or pull features so that's important in a place where congress can be incredibly helpful. we've also been working with industry as the general pointed out, the force multiplier of having their presence in all of these industries to put a priority on the secretary by design software and the well of international partners. the last thing that i would say is we need to ensure that individual consumers are also aware that they need to be asking for products that are secured by design and not effective. we are making things too easy for the adversaries. >> thank you.

i will yield back. as the national coordinator we work with what is called sector committees essentially that have representation from critical infrastructure and operators. one of the things i found most impressive since i came into this role is the energy sector the people at the table are ceos, and you do not see that across every sector and that really shows that ceos in the energy sector understand this

issue. to ensure energy companies understand the threat with the invasion but importantly understand the steps they needed to take to reduce risk to the energy grid. there is a lot of innovation going on. a lot of new clean energy sources coming online. there's innovation a distributed system that didn't go off grid

and they had a backup power. are you thinking ahead working with the department of energy on how to build those more resilient systems where you're not as dependent on the fuel sources, you're thinking about the cyber attacks and also long term resiliency. how is that working and do you have any recommendations? >> absolutely. in fact, that is the key word. we are living in a highly digitized, highly vulnerable and highly connected world where frankly it is impossible to prevent all bad things. it's impossible. there will be disruption and we will be able to continue to operate through the disruption.

it sort of goes back to the congressman's question about legacy infrastructure. we also have to ensure that we are investing in building resilience into the legacy infrastructure. it's a difficult thing to do. i'm encouraged there may be use of artificial intelligence to help us rewrite some of the code bases at least in the technology world where you have very sketchy code that is creating vulnerabilities. we could actually help to shore them. >> do you want to say anything about these that the director referred to and how are they targeting americans? >> thanks to the question. to help folks understand and my teammates can weigh in as well when we talk about malware, it's

been mentioned several times. this is actually not a malware issue. and that's why the name of the cyber security advisory was living off the land. with the chinese cyber actors are doing is essentially finding a vulnerability, and then finding ways to live within computers operating system so they are actually very hard to detect because they look like any other person who is operating on it and they've elevated their ability to act like a system administrator so you can't help that it's a chinese actor. that is what they are doing on these routers so that they can build these large essentially botnets for command-and-control to allow them to have a launching pad on the critical infrastructure where they take advantage of yet another vulnerability. so the routers themselves may not be aging. they just essentially were created to be terribly insecure.

they don't update their software. they allow for very insecure interfaces with the internet and i think just today at some point in time they will publish what we call a secure by design alert specifically for the manufacturers of routers and a small office home office capabilities that the director talked about. the very basic things that needed to be done to shut off the chinese cyber actors from using these routers as launch points. >> mr. newhouse. >> thank you mr. chairman. let me express my thanks to each and every one of you for your dedication to keeping our country as safe as possible. as you all know there's an election coming up this year. the ranking member approached the subject. i want to delve a little deeper into this. this notion of election integrity.

over the past year, we as a committee have heard from a lot of different experts. it's good to see you again, doctor easterly. on many of the emerging trend us i think that seeing the advanced technologies that are being used and the misinformation campaigns, deep fakes, ai, all kinds of social media and algorithmic types of warfare. certainly the four countries, china, russia, iran, north korea. i've got several questions if we have time to weigh in. given what i would call the ever expanding nature of the advanced technologies in these non-state actors capabilities what concerns you most about u.s. election integrity and the possibility of future election

interference? importantly for us to hear also to adapt to these kind of changing conditions what policies should we consider amending and which programs do you rely on in particular for resources? the general mentioned this. should the government expand its role on the public-private partnerships, and how does all of this occur without infringing on the first amendment, the right to free speech and also each state's constitutional equal elections clause and for people listening to this hearing, what gives you confidence and faith in our ability to ensure free and fair elections? i will start with you, general. >> let me start with the last stop part of the question which is we have done this before and we've done it successfully before 2018, 2022 all of the

agencies at this table have been working together. this is our fourth effort in terms of election security and i'm very confident in terms of what we will be able to deliver. that is based upon the fact not only has the methodology gotten better, but our partnerships have expanded. it's not just the partners at the table, but its understanding internationally where we needed to be able to partner and see what adversaries are doing and do that very effectively. >> it's a really important question. thank you. >> with the risk management agency we lead the federal efforts to support a state and election officials who are on the front lines of managing, administering and defending the infrastructure. i have confidence because of the enormous amount of time that i've spent with secretaries of state chief election officials,

state directors who worked every day to ensure that they can effectively defend from a full range of threats from cyber threats to physical threats to operational risks and foreign maligned influence. i think what is incredibly important is for the american people to understand the enormous amount of work that's been done with our partners in the federal government but at the state and local level and industry to improve the security and the resilience of our election infrastructure. one thing to note it is the diversity and centralization that has managed by state by 8,800 separate jurisdictions around the country that gives it resilience and others also enormous amounts of control, physical, technological, procedural that keeps the

infrastructure resilient so the american people should have confidence in the integrity of the infrastructure and every american if they have any questions about it served as an observer, talk to your local election officials and ask them questions. it's a transparent process that everybody should support their election officials who are working hard to ensure the integrity of the most foundational democratic process. >> i would second the remarks of both of my colleagues and i would add in terms of things we are concerned about and you eat eluded to the rule, ai well and enhance some of the same information warfare. we are also concerned about the ways in which misinformation and disinformation warfare from the foreign adversary and cyber attacks can work in tandem and i think for example about the

iranians effort in the fall of 2020. they had built a disinformation campaign on top of it we were able to expose it and largely render it an effective working with all of our partners appear but that's the kind of thing we will see more of. adversaries are getting more and more sophisticated and there are more and more adversaries to get in on this game. >> they may be carrying out a

genocidal campaign more than any other country in the world and they may steal secrets from the military and private businesses every single day. but the testimony makes it clear every american and ways we wouldn't expect to take control of our phones and personal data most of the critical infrastructure and water and rail systems are run by state and local governments or the private sector how do i convince

a small town in the district in the town of 20,000 where i grew up to invest in cybersecurity to stop the chinese military? i'm all for holding software makers accountable. but that may be too late so how do we protect ourselves today? >> it's a great question. we have to attack both of them at the software developer level but of course the software user level. as we know many of the public utilities and even smaller critical infrastructure entities are target rich but cyber poor. ..

can make it easy on these entities to actually ensure their security and resilience. so very basic things. >> a lot of entities probably do not know those exists. it's a place we would love to work with you on the committee. >> that will be fantastic. all of our free stuff. the other thing, basic, basic, basic cyber hygiene is not rocket science. if they do the basics they can stay safe too. >> you explained which can access users private personal data, influence their feed. earlier this month reported taiwan experienced 3000% increase in denial of service cyber attacks last quarter for 3000%.

i imagine that with the election. the chinese communist party shown a willingness to influence the elections. protecting the integrity of election system. to one candidate or the other at upcoming presidential election, with a be able to do so? >> my understanding is that under chinese law something to be permitted to do requests we already knew the influence chinese children to study science and math. would they be able to suggest to american kids these were drugs? >> again that my understanding is the chinese communist party if it wants to exercise that authority can easily exercise that authority. >> general, china discovered site cyber electric offense and defense deterrence, how do they

think about deterrence? how do we think about deterrence and respond? >> in terms of the way we see we think about deterrence by denial and deterrence by cost. we are discussing a publishing being able to expose with the chinese are doing in an unclassified manner parade this is the difference for this is a challenge china now faces. we have uncovered what they are doing what they are continuing to do that. >> i'm running out of time want to comment on one other thing. it is clear from all we have heard included that workforce challenges director wray described we need more cyber experts to serve our country. given the threat you have a message for young americans who might want to do something about this? >> the future of our nation. the future of our economy is tied so closely to the future of our ability to operate in cyberspace. if you are looking for a challenge, if you are looking

for it fulfill but, i would cite any of the agencies you see here provided mission and a responsibility the door if you're imaginable expectations. i truly believe in national service encourage all americans and think about that brickwork think it mr. chairman. take advantage of that. ask mr. chairman thank you all for being here today. director wray, i wanted to follow up with you in some the comments you had made in addition to the cybersecurity issues. you talked about the human resources, the insiders, corporate deception, beijing hiding their hand incorporate joint ventures. when you appeared in october on

60 minutes you mentioned you had seen a variety of efforts by chinese businesses attempting to acquire businesses, land and infrastructure in the united states in a way that present prevents national security concerns i saw that that's a very powerful statements. i followed up with a letter to you outlining some concerns about an investment in my own district there is a company which is a ccp affiliated company it works with the pla and many of its top leaders including the leader of its north american operations have ties to the ccp. goshen are wanting to build an electric vehicle battery factory in my district it's been given hundreds of millions of dollars in federal, state, local tax dollars to do so. to build and operate its factory in my district plans to bring 2o

michigan. if that happens how confident are you it will not be as for espionage? in other words you believe there is a risk these individuals will be spies working in the united states? >> i would have to drill in deeper on a specific example to weigh in on that. but what i can tell you is a lot of this ultimately traces it back to blurry if not nonexistent line between the chinese government the government's ability to choose to leverage that authority, that reach, that access that undermines national security. which is why acquisitions buying land, buying businesses and so forth. in raising national security concerns that provides a vehicle

for them if they want to leverage that access to conduct other operations that undermine our national security. we have seen time and time again we have used that access to leverage that access to do that. in a way it ties into the operation we are here talking about this morning which is leveraging a different sense the access is the problem don't await until they've currently stolen whatever the information is. when he to try to get in the counterterrorism contexts left of it. >> how confident are you in the state department's vetting process when it comes to chinese nationals in this country. i am not the expert on state department processes. and i want to be clear as i said in my opening so the chinese

communist party and the chinese government the chinese government has shown a willingness to insiders it's not sufficient in its own right. >> your concern is the leverage of the chinese nationals they could use it with other individuals as well? what kind of a leverage are you seeing right now from the chinese communist party in this country? >> it covers the waterfront. i will give you one example that is public. so ge aviation a major public very sophisticated company entered into a joint venture. it was not a chinese company. but the chinese were able to recruit an insider at the joint

venture of the joint venture was then able to get access to sensitive information which event it used, he used to help the chinese intelligence officers back and try to hack ge systems. so you had the ge venture which enabled the cyber hacking and then for extra credit the guy was able to cover the tracks because of the insider access. there is a happy end to that story because ge did what we want all business to do. have a good relationship with the fbi or local field office. we were able to essentially run a sting operation back against the chinese, prevent millions and millions and millions and millions of dollar to be fleeced by the chinese and lure and officer who was involved to brussels where he was arrested and we extradited him he is now in federal prison. that is what we need to happen

more often. it also shows if a company is sophisticated and as big as ge can fall prey to this what company couldn't? >> ge did the right thing. if the company was a ccp affiliated company with lived on the same thing? >> i would not count on it, thank you. i guess i want to build on something congress and was talking about. you talked about the importance of being on the tectum with ofdifferent communities across r nation. i was very interested in what you said about making people aware and organization aware of services being provided. a lot of the conversation stays statesman talking about how can we prevent some of this type of situation where we have the vulnerabilities with critical infrastructure. but directorate you framed it, that is a very poignant way to frame it. talking about some of the concern of societal panic was

the phrase you used. something that could be done against us. that can bury it much damage our ability to operate, create the kind of concern among the american people. that could sway political decision-making and weighing in that way. i guess i wanted to ask before you yes, we put everything we could to try to prevent something from happening. what kind of active planning and a whole of government way? are the four of you brought into that type of coordinated effort of the zero hour day after type of planning? i want to have some sort of assurance or understanding of what kind of work you are all are doing in the response of way. not the preventative way to tackle the issue and prevent that societal panic that you all

were worrying about. wherever you want to start. >> i am happy to start. and really it's not my phrase of societal panic it is the chinese and part of their doctrine it's a pretty scary phrase. we are working very closely with fema, our partners in the department they will lead a whole of nation planning efforts to ensure we can't respond to significant national security events. this is of course a building on years and years of national readiness plans and national response plans with respect to cyber in particular we were asked by the cyber director to update the national cyber incident response plan. dealing with the massive attacks across the country. we are working on that very closely with their government partners as well as with our industry partners because as you have heard, industry plays a

critical role in this. often times they have the best information on what's happening a private infrastructure that conductivity will be incredibly important for us to have an effective response of theirs in the major attack on our nation pretty. >> i just wanted turn to you. how do you feel about our readiness and preparation? are we doing everything we need to do with the federal, state, local level? >> thank you for the question and they concern. while i am very confident we are taking the steps that we need to for example i think you heard about some of the exercises we worked on it to prepare our sector risk management agencies for these types of situations. i am concerned that we continue to work with the state, local and territorial. several times today they are on the front lines these type of actions and i viewed them as

being a combatant commander if you will within many of us being supporting commanders. they are the ones who need our support. part of our shift in the national cybersecurity strategies to shift the burden at the responsibility to those who are most capable. in this instance the sea federal government that's most capable to lead the resilience in a case of an instance like this. >> i would love to keep up with this. look, and new jersey we have a lot of readiness and responding to hurricanes and other storms. i don't really feel like there's a lot of muscle memory and understanding how to deal some do somethese other types of app. i will end with or talk about the readiness we need. i have a real concern about funding discussions or having her in capitol hill last september house republicans voted on a budget that would cut 22% i guess i wanted to get a sense from you with that would

do in terms of our impact of readiness. >> would have a catastrophic impact on our ability to protect and defend critical infrastructure that americans rely on every hour of every day. >> thank you and i yield back. correct think it mr. chairman want to thank all of our witnesses today for your valuable testimony and the work you do to help protect americans on a daily basis. in particular general nakasone i want to wish you success in a well-deserved retirement. i want to focus my remarks on the importance of reauthorizing section 702 fis of the foreign intelligence surveillance act. and as we know section 702 of pfizer is set to expire here in congress we failed to reauthorize that program on april 19 of this year. i would argue it is of existential importance of this

country from a national security standpoint 702 is a crucial tool for providing the u.s. with the ability to target foreign people overseas to gather information that allows us to protect our citizens both abroad and here at home. when you think about today's topic the ccp cyber threat the american homeland and national security want to direct my question to director wray and general nakasone. can you talk or explain how the information derived from section 702 as we specifically focus on her topic today, aids in protecting our troops from china's malign activities in the pacific and the u.s. effort to counter china's cyber espionage here on u.s. soil and our efforts to prevent transnational repression? ask someone to strongly second your comments about section 702 and its indispensability to our national defense from foreign threats. in the context of today's

hearing 702 is the greatest tool the fbi has to combat hacking groups. just to give a concrete example just last year thanks to fbi information we were able to identify prc state sponsored state-sponsoredcyber actors takl steps to access particular u.s. transportation hub we were able to quickly notify the entity ensure technical details which enabled them to be able to pick the chinese off the networks before harm could be done. before some of the more apocalyptic areas we've been wen talking about your could transpire. but as he kind of things that happens not infrequently in our work with at 702 enabling us to identify prc malicious cyber activity targeting americans. targeting american critical infrastructure. enable us to warn victims to notify them of details that

enable them to take effective defensive action. and so in my view failure to reauthorize section 702 or for that matter reauthorizing it in a way that restricted our ability to use it on the chinese comments party i can assure the american people the chinese government is not tying his hands. >> thank you. general nakasone. >> congressman section 702 is 702 ofthe most important authore national security needs to use every single day to keep americans safe and to secure our nation. as someone who is at the pentagon on 911, to consider it what we would return to the days before section 702 or we could not connect the dots it's almost inexplicable to me. the other piece i would add to your question is 702 is so agile that it provides us an ability

to see the chinese precursor chemicals are being used for feed of fentanyl which is a scourge of our nation wondered thousand americans lost her lives in 2022. 702 allows us to identify those precursors that saves lives. the final point i would offer as of the surveillance authorities that are out there today the most transparent, the most effective, the most important is 702 imbalances civil liberties and privacy and the requirements of our national security. thank you i yield back. >> i think the judgment for his incredible work on that issue as well. mr. torres. >> thank you. general nakasone of the nine states as a cyber superpower you consider china comparable cyber superpower? >> congressman aiken's consider them an adversary yes regrets with the likelihood of trying out competing the united states in cyberspace?

>> given the attention were putting out today the realization are issued much chance to change the strategic environment our national defense strategy, national security strategy, i think we will maintain that superiority. >> a reassuring answer. during world war ii the united states was concerned nazi germany would be the first to develop an atomic bomb. today we are concerned china capable director easterly who was wending the quantum computing arms race? >> i would probably ask general nakasone to weigh in on that specifically. you point out where the critical things we are moving towards right now. our agency creates the keys, codes, cryptography that ensures into an encryption of our nation. we are developing this keys, codes, cryptography to ensure

were safe from quantum computing which you describe a national security at memorandum 10 talks about this we are well on the way to be on the way to do that defeat in a quantum capability they have in the future for. >> were running the race? >> artificial intelligence is a real risk anyone anywhere to carry out a cyber attack on critical infrastructure. what can be done to prepare ourselves for a or old of widely distributed cyber weapons of mass destruction? this is an area i have significant concerns because ai is moving faster. it is moving at a speed that's three times the speed it is unpredictable. we'll probably be the most powerful weapon of our generation. the most powerful weapon of the last generation is opened and operated by eight nations were dis- incentivize to use it

they're generally owned and operated and produced by private sector companies who are driven by profit motive. we need to be very, very specific about the guard rails and old to me the regulations will help prevent the use of these capabilities for nefarious purposes by rogue nations by terrorists we need to move incredibly quickly to do that. this in china are the two generational issues we need to be riveted on to protect our nation. >> and as you noted ai development is largely unfolding among a small number of companies. they are out of the loop i'm sure companies will keep you abreast of the latest advances in ai and the implications those have a cyber security? >> one of the good news story

the inherent risk by congress by the administration industry has had to come to the table and work anymore transparent way which we greatly appreciate. but we need to see more of that and frankly we need to have secure guidelines in place. there needs to be secure by design for ai which is why it were work with the big generative ai companies and international partners to ensure that when these capabilities are created security is a top priority. >> or multiple leaders the national cyber director, the deputy national security advisor from cyber and emerging technology the head of cyber calm and play a role in setting policy. there are multiple law enforcement agencies fbi, secret service, home and security investigation that play a role in combating cybercrime like ransom her. who is in charge of coordinate the various moving parts of cyber policymaking and law

enforcement? work statutorily at the office of the national cyber director who serves that purpose. >> how does your role differ from the director what's the difference between the two roles? what essential security council at large yields all mechanisms of national power cyber is just one. the advice the president our domain is on her box it's a deputy nsa specifically for cyber so how does that world differ from yours? >> we are really closer together but the big differences there's more of an operational flavor to that role then my role. again our office is providing strategic and policy guidance not operational guidance which is what the national security council does with our policy. again more broader then cyber but more operational the nash.

went to be clear we were very closely together. literally weekly we have a single leader to leader our staffs working together daily. >> a judgment time has expired, mr. johnson. >> to restrict easterly, directory want to have a conversation with the two of you. larger rug maritime the port situation. it seems to me our ports are more reliance on equipment, technology, infrastructure from prc affiliated firms. i find that concerning is that a legitimate threat? >> yes. >> that is a good example of the theme we have been talking about in this hearing in other contexts as well. if you are talking about chinese businesses there is the potential it can be leveraged by the chinese government for all manner of concern.

who combine that with the cyber security concerns that are discussed in the context of maritime security it sort of a double whammy. >> the supply chains are interconnected and heavily reliant upstream and downstream does not take much hitch in a giddy up to start to strangle our ability to engage in international trade. how do you assess the awareness of our maritime partners shippers carriers about this? one of the issues you may be alluding to this 80% of cranes and our ports pretty ghostly point about chinese control infrastructure in our critical infrastructure. we work very closely with the coast guard with the maritime transportation system.

when you have such a monopoly and a manufacturer it's very hard to rip and replace the same concerns with the communication structure. what we do is providing with the coast guard threat and provide what they can do to mitigate the impact of that threat there are things that can be done to lessen that risk. but of course we should work to be able to not have to depend on this type of chinese infrastructure which is ultimately controlled by the ccp. >> are exactly right. and that's worth double underlining 80% of the ship to shore cranes art manufactured by prc affiliated firms. it does seem that it's quite a liability all things being considered. director wray more to add on that front? >> i would agree to your comments and director easterly's. i would add it's more ports and

the cranes. maritime sector more broadly something we know the chinese have targeted that's part of why together with others we have tried to put out information about best practices, mitigation, guidance, et cetera to reduce the risk but ultimately if we are going to be a more secure posture were going to be mindful of chinese governments ability to leverage his business. >> also assume you all are doing everything right you've done a good job educating private sector partners because so much of the infrastructure we talked about whether it's electricity, water, never talk about ports is owned it upward by the private sector let's assume did a perfect job of educating them. what do you assess they need to do better over the course of the next three -- five years to minimize the dangers of this threat? >> i'm happy to start. they put out some specific about

chinese manufactured drones. which is another area we have significant concerns. in terms of what they need to do it goes back to ensuring they have an awareness of the threat environment and they are taking those measures to invest in basic cyber hygiene. some of this is taking the basic to understand your infrastructure. to know with the vulnerabilities are so you can drive remediation. it's so important i made the point in the opening statement but it is worth doubling down every ceo. every board member every business leader has to see cyber risk as a core business risk. they have to manage it as a matter of good governance and national security. that's an important message to anyone leading an organization in this nation for. >> i would add shows very good

points as much as director easterly referred to in her opening statement same thing with the sports and maritime security more broadly. we need victims to reach out to us immediately. because the victim who reaches out to us immediately if someone is going to supply the information that will enable us not to just share information with them to better mitigate and prevent their attack from becoming wars but more importantly prevented the attack from metastasizing to other sectors and businesses. the first victim that gets contacted, that victims information is what protects the other organizations and victims that are potentially out there. and so we see all the time whatn it is done right businesses reachi out to the local field office. we are able to be there often within an hour. showing technical indicators they would not have to not get

connected. other ports let's say in this case from being victims getting further left. >> mr. chair out close by noting that hyper optimize the supply chains for efficiency. we will not leave resilience behind. thanks i yield. x thank you chairman for today, bringing together witnesses with such credibility and commitment to defending our democracy. i appreciate it. this hearing brings to mind my favorite anecdote from the civil war. it was 1864 grant just took command of the army of the potomac surrounded by his senior staff.

they're preparing for their march into northern virginia and kept on saying lee is going to do this simply is going to do that. what is sleep think about this? he snapped and says stop boring about what generally is going to do. i think about that allotment comes a cyber. we have to do all the things mr. about making ourselves resilient we have make them more about what they're going to do to them. the ability to hit their critical infrastructure but i know we can do that we are in the clear right now on i'm not going to ask all the details. but that is to be there. determine the domestic population on those. to allow their own people to deliver it to ask themselves whether they like three year covered lockdowns.

whether they like invading another sovereign nation. on that star link in the last several years has proven it can open up those channels about civic discourse that are so corrosive authoritarian regime. >> 's question is for it and if you want to tackle it. what can we, and the u.s. government to turbocharge our ability to turn on the civic discourse entered to, make sure that decision is u.s. government decision not elon musk decision. >> like to start congressman. i think the key piece you've just talked about is what we have all realized. what we do is not change a lot national security we do singles intelligence we do cybersecurity, cybercrime, cyberspace operations as the how. how is changing so rapidly. this is where we have an impact

against trident much of the semi grant the woman's campaign decided were going to focus on our strengths not worry about adversaries. it's a sin think we have here we have our strengths our strengths been with our partner should begin with the fact that we are able to talk with our private sector be able to understand broadly what is going on. the fact we are now publishing these type of insights and a classified manner hanging them on our website must and will. >> do we have a plan general may beat this note for mr. coker or ms. easterly but do we have a plan for internet freedom in iran, and russia, and china that their populations can engage question the ayatollahs 84 years old he has a prostate cancer there's going to be a secession soon. are we short the iranian people have as much voice as possible make their discontent known the same thing of course in china. that is what really keeps up at

night is not u.s. politics chinese politics. >> i will come at it from the fbi's end. much of what you are talking better operations that will take place in those countries. maxwell mccullough transnational repression by all the governments you've listed off that is so important. those repressive techniques you are talking about are not just doing them in their home countries are exploiting onto u.s. soil they are victims their intended victims are primarily the aspirate of those countries. dissidents and critics here who have the audacity in their view to criticize those regimes the chinese, the iranians, the russians, et cetera. so when we take action through exercise of the rule of law here to protect those victims and call out that behavior those families are in contact with their family members back in those countries which help create the dynamic you're talking about for. >> i agree with you we've had excellent hearings on transnational repression i understand the feedback groups

we need a whole of government strategy for these authoritarian regimes. my last 30 seconds director wray, going to complement or the work you've done since october 7 improve public safety in the united states has been a focus for yours. and in december you testified some blinken lights but you were especially concerned about how s inspire domestic terrorism. and we know the chinese are without frankly. my home state rejected $13 million of federal terrorism funds that would help empower a cybersecurity. what would be your message for municipalities on the couch about the importance of regional preparation as well as kinetic?

>> we are, since october 7, and a heightened threat environment. from various forms of terrorist risk. inspired attack by the conflict in the middle east but an attack that aspiring some individual here under horribly misguided way to commit an attack. that's more likely to be lone actor which is facilities, houses of worship, schools, places of people every day in america go included municipalities like the ones you're talking about. and so to defend the public we all serve we need to be mindful of that heightened terrorist risk. >> and so to defend the public we all serve we need to be mindful of that heightened terrorist risk. good afternoon troy distinguished guests and give her appearing before our

committee to discuss these oblates into threats the prc poses not just her cybersecurity but torn national security and many, many many levels. director wray, i wrote it down you gave your opening statement you talked about they want to wreak havoc in a world word harm on us. we need to be ready if and when it's very clear today from our discussion is not if but it is already happening. our answer was resiliency as is prevention and accountability. i'm pleased here about the work you are doing enter agency should counter these threats back in september of the charm right and i wrote a letter to director wray is well as austin requested they brief members specifically on gatecrasher's many of our facilities. the critical infrastructure. it is unacceptable the prc was able to gain access to these sensitive sites they scuba dived around sensitive military equipment they were able to infiltrate our army test sites

and missile sites and the most egregious example were spy balloons going across our country it's a blatant attack on our country to undermine the national security and breach our military and technical innovation. viper should prompt response to our letter out to ensure this conversation that they are prioritizing at the highest level. i would be curious what the fbi is doing to further secure the critical areas to ensure we are stopping these threats to the american people before they happen. >> we are tackling it through a complicated combination investigations, intelligence sharing and engagement. under break that down a little further we have in all 56 of our field offices counterintelligence taskforces that are fbi led but have representatives serving on them from the relevant military agencies that are in that area as well as many cases local law

enforcement that are very important part of a giving additional multiplier checkout counter these threats. the threats but it's any number of investigations of different kinds of efforts by actors associated to spy on if you will board otherwise target our military installations. intelligence sharing things we learn though they can't use that to be even savvier and engagement to make short lines of communication are wide open between us that whatever military facility. when i visited an fbi field office i'm on my third round now. it never fails to inspire me the close relationship that exists in the military presence in that state. >> ensure there are many, many of those partnerships have been

very successful in stopping many of these threats we cannot rest on our laurels and continuing this conversation is going to be critical. look for it may be further conversations in a classified setting about what more we can be doing. which quickly followed by the remaining time i have about rip and replace that is a huge huge concern recently introduced a bill with many members of this committee including the chairman and the ranking member representative to help breach the critical funding gap on that rip and replace. it is certainly concerning would hear about the routers and all the different equipment that exists within our telecoms some summer very, very small organizations that do not have the resources. and so we want to repurpose of the covid funds and put them toward ripping out the chinese telecom equipment that's a huge vulnerability. so director is to relay this question is for your can you address the importance of a rip and replace program? not just for this level but do we need to look at expanding it

further? what are the consequences of us not taking action here? >> yes it is incredibly complex supply chain as you know. but when it comes down to some basic fundamentals i think you pointed out around the bill itself 24000 pieces of chinese software and the supply chain. and so it is imperative we help the owners of some of these leslie resource entities to make the important changes to things i would add his weak co- lead the information communication technology supply chain risk management task force. i am not even sure they know there may be capabilities with funding to do rip and replace that education is incredibly important. the other thing we need to be aware of the fcc has a covered

list with a variety of different chinese equipment what we do ass we make critical infrastructure aware they exists in their system so they can also be aware of the threat, mitigated or replace of the whole effort is incredibly important and i commend you. >> certainly have a lot of vulnerability we are working to get -- i rose him almost every time mr. german were working to get a true accounting of what vulnerability still exists. thank you for all of you appearing before our committee i yield back mr. chair. >> thank you ms. brown? >> thank you, mr. chairman out to thank each of our witnesses for leading extraordinary agencies at a time of great turbulence and instability in the world. our cybersecurity capabilities are perhaps one of our greatest threats and opportunities in the 21st century. we must do more to deter threats to our systems coming from the

hostile actors across the world including north korea, russia, and iran. we know the chinese communist party has incredibly sophisticated cyber infrastructure and it happed as been discussed today at one of our fiercest competitors on this front. one of our greatest assets, something which the ccp overlooked is our diversity. as speaker to nancy pelosi and vice president kamala harris have both said our diversity is our power. one aspect which we can and must do so is to build and rely on a diverse pool of talent in the field of cybersecurity but i know this is a top priority for the biden-harris administration and for all of you as leaders of your respective agencies. turning to you director coker i know this topic is something important to you you have spoken about it before. can you speak on the administration's broad efforts during crease by sourcing

talents from diverse places in the benefit it brings to our ability to combat efforts? ask thank you so much for that question in the important topic. diversity is all about achieving positive mission outcomes. that message cannot be misunderstood about positive mission outcomes. and we do that by having the strongest teams possible. i talked to 500,000 open cyber jobs. whatever we have been doing lately has not been working. what do we need to do to fix that? with the national cyber workforce education strategy that are most relevant to your question at americas at large.

we need to do that by number one having people realize the impact of national security talk about national service and think americans want to serve our nation. i need to be clear about cybersecurity is serving our nation. growing up about the only national service we had by a large was wearing a uniform from voting, paying taxes let us change today. all of the critical infrastructure seconds we have is national security we need to make sure there is an opportunity to serve our nation in cyber. number two that used to be a misnomer cybersecurity in cyber in general was a technical endeavor that is not the case folks thanks cybersecurity spot critical thinking. it is about agility. it's about being open minded one need not be an engineer or scientist to make a contribution to cybersecurity.

i also want to add their communities across the country not exposed to these opportunities i am a rural kid from kansas i did not know i could serve until her happened to be a recruiter that came from the naval academy i had not even heard of the naval academy we need to go places where we have not gone before. and leaders know we need to take opportunities for people there is a level of risk. need not lower standards at all but sometimes qualifications are not valid. people can learn we find the right people, we develop them, we retain them and we turn them loose. so the administration perspective is find the right people, looking in places we have not necessarily look before and why? because we need more, better, different people to achieve positive mission outcomes.

>> thank you so very much. i now want to turn to another important topic which weighs on all of our minds at the 2024 national election. as we frequently remind everyone the 2020 presidential election was the safest most secure election in our nation's history. however the 2016 election proceeding it was scarred by russian packing and broad disinformation campaigns severely compromise the integrity of the election. anyone on the panel if you would be willing to answer the question or address this. and it unclassified setting is there any evidence at this time the ccp is using artificial intelligence to interfere in the u.s. elections and how do we ensure this election is free from ccp influence? and i only have eight seconds left. [laughter] >> i refer to my intel colleagues on whether it ccp iss actively using artificial

intelligence. based on dni report in december about the activity in the 2022 midterms which talks about the aggregate scope and scale of foreign activity and influence and interference, being more than we saw in 2018 and specifically chinese attempts to influence we should expect it. we should absolutely expect foreign actors will attempt to influence than they will interfere. but to be very clear americans should have confidence in the integrity of our election infrastructure because of the enormous amount of work that has been done by state and local election officials by the federal government, by vendors by the private sector since 2016 since election infrastructure was designated as critical infrastructure. it's that work that should make the american people confident the security, resilience and integrity of the american election. click search enjoys time is

expired. correct think it mr. chairman. i actually share the thoughts of my colleague on the other side about the need to provide technology so the people that live in repression of regimes like russia, china, iran, we start a second front without shedding any blood so the people inside they are all seeking freedom we need to help them achieve freedom. and throw the shackles of this regime so hopefully we can have that kind of technology allow them to communicate with themselves so that can happen. one of things that happen very interestingly there's hundreds of thousands of people took to the streets of cuba a couple years ago in july. the first in the cuban government did was shut down the internet. identify the leaders and took them out. if we can find technology that allows people to communicate with themselves we can help the

cause of freedom around the world. i'll be at work with my colleague seeing how we can make that happen. i actually believe the cyber war are conducting right now is a battle. the race is really the race to ai. you agree with that? >> i think ai will play a tremendous role in the battlefield to come both on private sector as well. >> how important is the accumulation of data in this race to ai? >> it is all about data at the end of the day. >> here's where i am going. this one or 50 million users of tiktok. in the united states. how valuable is that dated to the ccp? >> enormously valuable. >> and mr. ray, knowing that it

is critical for the united states to win the race to ai and tiktok is a huge source of data in a language that they need ibelieve the chinese language is a disadvantage they need more western languages to win that race. how critical to our security tiktok is providing all this data into the ccp. do you think that security threat to the united states? >> a very significant security concerns about tiktok it is a combination of the ability of the chinese government would have if they should choose to exercise it, to control the collection of the data. to control the recommendation algorithm and if they wanted to, controlling compromise devices. and if you layer ai is you are sitting right on top of all of that it just amplifies those

concerns because the ability to collect u.s. a person data and feed that into the ai while it magnifies the problem we look at ai as a concern in the wrong hands but we also know american ai innovation is the envy of the world the chinese are trying to steal it so the big concern is they will not only steal american data and feed it into their ai while they will steal american ai innovation and make the theft more effective all you have to do is look at the echo effect act from several years ago they were able to steal personally identifiable information from one or 50 million american people. >> direct i'm running out of time and need to ask a direct question is a tough one probably i don't have an answer. would you ban tiktok in the united states? it's a yes or no. looks well, that's a decision

that making progress but let me try to answer this way. as long as the chinese government has the ability to control all these aspects of the business i do not see how you get your way clear to mitigating those concerns. >> fair enough. i also share the concerns of my colleague mr. johnson over the past eight months i worked with chairman gallagher and members of the committee on homeland security led by my transportation a maritime security subcommittee conducted joint investigation examining cybersecurity and supply chain threats at u.s. maritime ports posed by the people's republic of china and dissipate sharing our joint investigative report soon. rouse the mayor of miami-dade county we operated one of the biggest ports in the united states. a low and behold when i look at our cranes they all had chinese writing on it. so they all came from china. 80% of the world's cranes are

manufactured in china. but what is worse i thought we were okay with software it may y software developed in western countries was okay operating these cranes. but we also find out in a lot of instances these shop software is shipped to china, stays there over a year it's installed in china we don't know what happens to it. and so operating that software either reporting back to china or somehow it can be turned off at any time think about it 80% of the world's commerce is controlled by those cranes. thank you and i am away over so thank you for indulging me for. >> apparently the lights are also controlled by somebody. we climbed up in one of those cranes in miami i did know is afraid of heights until then. ms. stevens. >> i'm always learning about our chairman. this is a real honor to be with

all of you. this is another top-notch hearing. certainly we are not the homeland security committee or even armed services. and so getting into these points about the entanglements of cybersecurity threats and its reality i which i would love to ask you about. i want to start from a more elevated place and maybe this is a question for mr. ray and mr. coker. what is the ccp motivation as far as you know and can share with cybersecurity threats and actions? we have been hearing colleagues and everyone talking about these examples and the tools of this and that. but what is the goal here? is it to chip away at our economy? is it to make us look weak?

even some of what today is perpetuating this position of weakness rather than strength much of the technologies technology we have created but that's another point. i am more interested in the why. >> my starting point would be as with the most questions about the chinese government tactics and strategy when one asks if it's a, b, or see the answer is usually deed, all of the above and in the context of cyber threats they are using the biggest hacking program in the world to try to steal our intellectual property. to advance their own economic while. they are trying to steal our personally identifiable information to feed into the influence operation and other tactics we talked about here already in this hearing. they are using tibor's targeting

to suppress the dissidents and critics. and as it's revealed to the operation we talked about and announced here this morning they are using cyber targeting to pre-position or critical infrastructure to be able should they so choose to conduct a destructive or disruptive attack on our critical infrastructure time of conflict. they all feed up ultimately into their goal to supplant the u.s. as the world's greatest superpower. >> i am in agreement that we are in a competition with china and frankly they are the only nation that has the memes to reshape the international water means being diplomatic, economic, military. we are in a competition we have to acknowledge that. we will not lose sight of it. we also need to manage that competition to avoid the

confrontation and conflict. we can do that by continuing to operate with confidence not yielding the initiative. not staying on the defensive about being the strong as united states has always been look at the national security strategy fits us to invest at home to maintain our strength. >> we should not consider cyber security warfare? i note general nakasone -- what are they doing over there? do they have a department vest that'sjust focus on cyber attac? this is sort of in some respects hard to wrap our heads around. i know rate you've got your whole caboodle you can talk about and can't talk about. i am more or less interested in terms of how are we choosing to respond to these things?

what do we know about how they are actually putting all the stuff together? >> we know a lot about what they are doing. we also know who is doing it. we know how they are structured we know their version of the national security agency in u.s. cyber commands. we also know they have very, very specific organizations that are targeting different parts of the world to include the united states of america. i now i think the important thing is now that we know that, what are we doing about it? this is to the point of the department strategy is we defend for the operate outside the united states to be able to impose costs on her adversaries adversarieseither by enabling os are acting. that is the important piece. >> i'm just out of time but this easterly is someone who founded the women and stem caucus or bipartisan caucus in the congress it is such a treat to hear expertise you have been phenomenal, all of you have thank you and i yield back. >> think it mr. chairman.

what we do interagency coordination on cyber-attacks and vulnerability at ports around the world with u.s. military and commercial present because i think anybody can answer because you are talking about what your agency has been doing and how you are protecting, you know, from the cyber-attacks but how we working together with all these different agencies. >> so i will start saying a couple of things.

so with respect to ports specifically, it was built by congress in 2018 to serve the role of the national coordinator for critical infrastructure and we work with all of the risk management agencies to ensure that we can work with industry to help them understand the risk so that they can manage that risk and reduce that risk and we have a phenomenal partnership with the u.s. coast guard where we workday in and day out to do cyber assessments, to help with vulnerability scanning, to ensure that all of the maritime transportation sector has what they need and the strength of the cyber of capabilities in the united states of america is we operate as a team. all of us work closely together

and we know that our strength is our unity as we work together. >> how about other allies because like maritime system, like japan, south korea, portugal, they are using it and they know what is going in and out. how are we going to work with other countries too? >> so we almost invariable almost all of the things that we have talked about working can partners are also being targeted by the ccp and especially in the context of cyber our focus is conducting joint sequence operations which almost

invariably involve u.s. partners but sometimes as many as 10 or 20 partners all working together in tandem to have some of the parts. we talk thed a lot about the numbers, disadvantage that we are at relative to the ccp but as general said, one thing that we have is true partnerships which allow us to have our too, the u.s. with some other countries, japan to have an equal five, to get synergies from working together and that's ultimately our best defense against the ccp. >> so china is ready to attack by 2027 taiwan and we heard and we had a great meeting with former defense secretary and he was the one actually talking about, it's not going to be the war but more of the commercial stuff. means that they are going to

stop all going in and out. that's the way they are going to isolate taiwan but when the other countries still using those systems and especially in the united states planes were made by china and you were talking about the gas line that we got into trouble but when they stopped all those cranes that we are using in the united states ports, we are in the trouble and then we cannot -- we can communicate maybe but we cannot bring anything to taiwan since that island. we have a big problem and go inside ccp and find out what they are going and congresswoman stevens is talking about that. do they have their own department? i think they do and only do

cyber-attacks, so how much we know that in china that what they are doing to us and to other countries. >> this is one of the things that the national security spend tremendous amount of time the on and we have insight on what their intent is. >> thank you. thank you very much for all witnesses today and i had to get out because committee meetings but thank you so much, chairman. >> two more, i think. i just jinxed it. >> thank you, mr. chairman. director wray, could you assure the american public today that no nonviolent protestor about a ceasefire of the middle east will be investigated or surveilled by the fbi? >> we are not going to be

nonviolent first amendment activity. >> and could you just assure whatever the position is of the middle east of the 2024 election if there's an american who is out there engaged in expressing their view whether that is for a ceasefire or whatever that is, the fbi, is that going to be investigating them or surveilling them? >> our mission is to protect the american people and uphold the constitution and we intend to do both we embrace both parts and doesn't matter who you're ticked off at and there's a right and we will help protect that and there's a wrong way to exercise those views and that's violent and threat and we are going to investigate that. >> i appreciate you saying that because i think i share your view that the fist amendment and peaceful protest is at the heart of our democracy. i also have appreciated some of your views on making sure that

as we appropriately investigate chinese threats to infrastructure and the chinese communist party's threats and deal with kind ore security you have been very clear that you do not think that that should involve the profiling of chinese americans and i think you've been sensitive in some arguments that you've made in the university of michigan how in the past that has happened. can you speak to some of the past history of profiling of asian americans and how under your leadership you're going to make sure that that doesn't happen as we appropriately investigate chinese communist party threats to the united states. >> we are going to aggressively pursue the threat posed by the ccp with investigations that are predicated on the facts and the law and our policies and they are not going to be raised of race, ethnicity and origin and they haven't been. now it is the case that the chinese government aggressively

targets individuals here to enlist them in their efforts but they also aggressively suppress and coerce and harass chinese americans and we view as part of our role to help protect those people and part of the key is drawing the distinction in between the chinese government, the chinese communist party and the malicious actor and chinese americans, chinese dissidents, the victims. >> as you do, like i said, i think under your leadership from your public comments you've been quite good about throwing that distinction but you bring to it a historical awareness that asian americans of this country have been profiled in our history just like i'm sure role of the fbi's movement. >> certainly there's been abuses in the past and make sure those

don't happen again. i do want to make clear that our work at least since i've been director focused on chinese aggression is based on the facts and the law and proper ped occasion. for assure chinese americans that they are being profiled or targeted in any way based on their ethnicity and race? >> we will not open people based on race, ethnicity national origin. >> thank you, finally a special guest. the esteemed chairman of the infrastructure protection. i have to ask unanimous consent. unanimous consent. the gentleman is recognized.

ccp cyber threat. first director wray i took an international trip with some other colleagues and we know what some of your -- some of your employees men and women in some other countries and they are doing a phenomenal job in the cyber threat. great job at that. director, good to see you. can you please provide an update on the work of what's being completed in the last six months and what do you have, what plans for the remainder of the year? >> great thanks so much. great to see you, chairman. we decide today stand up a whole element under the associate director for china operations

and so we hired a terrific subject matter andrew scott to lead to make sure we had a deep understanding of the threat and that we could work effectively with our partners across the interagency at the state and local level and, of course, the industry to be able to build the security and the resilience that we need to defend the nation from these -- from these threats. since that period of time, we, of course, as we have been talking about in the hearing, we have affirmatively found and eradicated chinese intrusions in our critical infrastructure, a whole variety of sectors that we believe are being used to preposition and prepare for destructive

>> is the j cdc, you're talking about those collaborations? >> this was great innovation but we've had that set up for two and a half years now.

it has been the platform that we use which is rooted in 3 fundamental things. a threat to one business can be a threat to many. why? informing, letting fbi know about cyber threat incident is so critical. second, it's really the reciprocal responsibilities of government and industry to make sure we share information realtime that has to be transparent. the government has to add value and be responsible in terms of how we protect data and then finally what the j cdc offers a scalable way, again we are

grateful to the congress for helping to fund it and authorize it into the cyberspace. >> congratulations on the new position. as you understand sec finalize cyber incident rule that was goes i believe -- so does the department of homeland security and many sectors have said that with this new rule cyber employees will spend half of the time instead with threats. we are going the try to pass it in the house. what is the administration doing harmonize between agencies? >> thank you for your kind words and raising this important

topic. as part of the national cybersecurity strategy has been to do regulatory harmonization is to reduce the burden of compliance and the way we are going about that we have issued a request for information and received more than 80 responses from the private sector and public sector. right now we are going through the process of better understanding those, again, with the gel of reducing the burden of compliance. so that's our goal right there. we understand that. >> i appreciate that. i'm out of time. somebody should tell the sec, though. >> i thank the gentleman and pleasure to have you here. two comments and then we will close and i will recognize the ranking member. one of the first things that i said in the first hearing was stake of the competition were

existential. a got a lot of blowback for that. i don't think after the testimony we've heard today there could be any doubt. i mean, there was one path where we stumbled into a war for which we were ill prepared and even victory might have existential consequences in a sense that it would transform american in garrison state or another path which we slowly succumb and the rest of the world is looking to us to stand for it. while the hearing has revealed many things we need to do and while the competition in cyber with china is one that will outlast my time in congress, i'm confident of that. there are things that we must do now urgently and in my opinion in light of the testimony we heard from mr. wray, ban or force the sale of tiktok. it's bordering on national suicide if we continue.

the time is now to do something about this. if you're invested in bite dance you will not take tick to be public in america under ownership structure. we have to find a way to force a separation. the time is now to the act. okay, i will transition to recognizing the hard work of the democrat staff director who is departing the committee this week after 25 years of service on the hill. almost as long as general has been in uniform. i will confess, john, we've worked together for a year. you have aged me personally 3 years in that time. there have been moments where i'm wide awake and thinking life would be easier if you did leave but now i'm sad now that it's happening and one thing that i learned working with john and particularly working in the

human rights community he's been doing this since before it was cool and he's truly a hero in the human rights community and cool to be able to see that and i will give you the highest complement i could give you, john, if i had to negotiate with xi ginning pipping with the fate of the free world on the line, i would want you on my team because i know you would drive them crazy. [laughter] it's been a pleasure working with you. >> thank you so much, chairman. this has been truly important hear. call to action more than anything else. thank you for your service. thank you for everything that you have done for our nation and for coming today as well as all of you and i will remember

sisa.gov. our civilian partners, cyber defense, employ what you call cyber hygiene which i love and then i would also like to recognize our staff director john who is departing today. might cover the highlights but he's also had other very distinguished rules in government. he was an assistant administrator for asia at usaid and he was senior adviser to leader pelosi and now he's off to other -- other -- the next chapter. the next 25 years and so i lack forward to continuing to collaborate between us and you in your next roles and i just want to give him a round of

applause for his service. [applause] >> i'm not done. i yield back, thank you. >> without objection the committee hearing is adjourned. [inaudible conversations]