Former Homeland Security Secretary Jeh Johnson Testifies Before Congress. Aired 10:30-11a ET
Aired June 21, 2017 - 10:30 ET
THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS FINAL FORM AND MAY BE UPDATED.
JEH JOHNSON, FORMER HOMELAND SECURITY SECRETARY: Well, hindsight is brilliant. Hindsight is 20/20.
I'll preface my answer by saying I think it was unprecedented, the scale and the scope of what we saw them doing, and, you know (ph), there had very clearly been intrusions before by a number of state actors, as I'm sure you're aware.
[10:30:10] You know, in retrospect, it would be easy for me to say that I should have bought a sleeping bag and camped out in front of the DNC in late summer -- with the benefit of hindsight.
I can tell you for certain that, in the late summer, fall, I was very concerned about what I was seeing, and this was on my front burner all throughout the pre-election period in August, September, October, and early November -- to encourage the states to come in and seek our assistance. And I'm glad that most of them, red and blue, did.
Hindsight is -- is perfect 20/20. But I'm satisfied that this had my attention. It had the attention of my people, because I pushed them at every step of the way to make sure we were doing everything we could do. But, obviously, there are lessons learned from this experience. And, for the future, there is probably more we can and should do.
REP. TREY GOWDY (R), SOUTH CAROLINA: For the states, if I -- if I remember correctly, you had a conference call, or otherwise communicated with the states to offer them your assistance prior to the election.
GOWDY: And, if I remember your testimony correctly, their response vacillated between neutral and opposed.
JOHNSON: Correct. It was -- it was to the issue of designating them as critical infrastructure.
GOWDY: Do you know, without naming the states, whether any of the states most vocally opposed to that designation were in fact impacted by Russian efforts?
JOHNSON: I'd have to look at both lists. If you're saying impacted, were they -- were those states states that had their voter registration databases scanned and perhaps infiltrated, I'd have to look at both lists, sir. I don't have that information off the top of my head.
GOWDY: What I'm wondering is if any of the states most vocal in rejecting your help actually needed it the most.
JOHNSON: Well, again, they didn't reject our help -- 36 of them accepted our help. But they were resisting the idea of a designation to be critical infrastructure, which I went ahead and did anyway.
GOWDY: What would that designation have done in November or -- or in October? What would that designation have accomplished, had you done it in the fall of 2016, instead of January?
JOHNSON: Well, as I outlined -- I outlined earlier the advantages of that declaration. But in the short term, my assessment was that we needed to get them in. We needed to bring the horses to water to seek our cybersecurity help.
And so making the designation would have, in my assessment, driven them in the opposite direction. And my number-one priority pre-election was to get them to seek our cybersecurity help. And, for the most part, they did.
GOWDY: Thank you, Mr. Secretary.
REP. MICHAEL CONAWAY (R), TEXAS: Gentleman's time has expired.
Mr. Himes, seven minutes.
REP. JIM HIMES (D), CONNECTICUT: Thank you, Mr. Chairman.
I'll begin by yielding a moment to the ranking member.
REP. ADAM SCHIFF (D), CALIFORNIA: Thank you, Mr. Himes.
Just a quick follow-up. You've been asked, Mr. Secretary, about whether the vote tallies were impacted. Some have suggested that, because the actual counting of the votes by the machines wasn't impacted, that therefore you're testifying, and others have testified, there was no effect on the election. These are two quite different things.
In your written statement, you state, "I'm not in a position to know whether the successful Russian government-directed hacks of the DNC and elsewhere did in fact alter public opinion, and thereby alter the outcome of the presidential election."
SCHIFF: Do you stand by that?
JOHNSON: Yes, and thank you for the clarification.
SCHIFF: And it's not really the job of the intelligence agencies to determine whether the information that was dumped had a determinative effect on the outcome -- only whether machines were impacted, not people.
JOHNSON: Correct. You'd need a social scientist or a pollster (ph) to do that.
SCHIFF: I also wanted to ask you about the information concerning potential coordination with the Russians.
Are you aware of the basis -- because we've heard testimony that the FBI investigation was somewhat compartmentalized, and even Director Clapper wasn't fully aware of what went into the FBI counterintelligence investigation.
Are you aware of the information that form the basis for Director Comey opening a counterintelligence investigation, as he testified in July of last year?
JOHNSON: No, not as I sit here. And if I did, I'm not sure I could talk about it in open session. But I do not.
SCHIFF: And I'm not going to ask you to. But do you believe that Director Comey would've opened a counterintelligence investigation on a presidential campaign lightly, or on mere hunch?
JOHNSON: I -- No.
SCHIFF: He would need some evidentiary information basis to do so?
JOHNSON: Based on everything I know about Jim Comey and the FBI, yes.
SCHIFF: I yield back to Mr. Himes.
HIMES: Thank you. And good morning, Mr. Johnson.
I want to start by asking you -- Mr. Gowdy's questions and your responses establish that this is not a new thing, this sort of meddling in our election. We've seen it before, and I want to come back to that.
But you also stated, and we've heard from others, that the meddling in the 2016 election was unprecedented in its scope and reach. So I wonder if you might take a minute or two and just help us better understand why it was unprecedented. What was different about this particular array of meddling versus what we've seen in the past?
JOHNSON: Well, we've seen a history of various different types of bad cyber actors intruding into, infiltrating political organizations, political campaigns, and that's what I was referring to.
When I say that this effort was unprecedented, what I mean is that we not only saw infiltrations, but we saw efforts to dump information into the public space for the purpose of influencing the ongoing political campaign. And it was widespread, and in that respect -- and we knew it was happening. So in that respect, it was very much unprecedented.
HIMES: So can I -- just distilling your testimony, we had seen scanning, queries, what we might sort of generally considered espionage, trying to...
HIMES: ... gather information.
HIMES: But we had never seen the -- what the Russians call "active measures" -- that is to say, actually, the insertion of information designed to alter an outcome. That's what makes this unprecedented?
HIMES: Thank you.
So let's step back a little bit, away from how this is unprecedented. We have seen this before: 2008, Chinese hackers targeted then Candidate Barack Obama and John McCain. We saw it again in 2012.
So my question is, as you assumed your duties at homeland security, how were we thinking about this? Were we thinking about this issue in a -- in a constructive way prior to the last election?
JOHNSON: Good question.
It became a front-burner item for me in summer 2016, and I began discussions with my staff about what should we be proactively doing to help state election officials prepare.
I was pleasantly surprised to know that there was an Election Assistance Commission, and that DHS had collaborated with that, and that there had been an ongoing dialogue through the EAC, through state secretaries of state, going back to election cycles past.
But this had -- this was now becoming a matter for me as the secretary of homeland security, so it was becoming front-burner for me in the summer of 2016. But there had been that ongoing dialogue.
HIMES: So, summer 2016, this becomes front-burner, implying that, prior to summer of 2016, this had been back-burner. What was the catalyzing event that moved it from back-burner to front-burner?
JOHNSON: For me personally, it was the -- the -- the reports we were receiving about efforts to intrude into the DNC and the emerging intelligence picture.
HIMES: OK. Let's get a little more granular here. Becomes a front-burner issue -- were there certain parts of the process at the time -- the voting machines, the political party databases, the politically associated organizations that we understand may have been probed -- that you thought were particularly vulnerable at the time?
JOHNSON: Voter registration databases -- in the course of learning about this issue myself, I took a look, along with my staff, at the practices at -- in the different states. They tend to vary, but, for the most part, there are redundancies in the system, and most of it exists off the internet in terms of collecting votes, reporting votes. There are a few states where it does not.
But the states with some DOJ, Election Assistance Commission help have been engaging in some best practices, but they tend to -- to vary all over the lot. But what we were most concerned about, what we were seeing, were efforts at compromising voter registration databases.
HIMES: You said something that, in my very limited time, I don't want to let drop. You said you thought that there is more that we could and should do to address this issue.
HIMES: Can you just elaborate on -- if you were still secretary of homeland security...
JOHNSON: Yeah (ph).
JOHNSON: A number of things. One, I would, as a Congress, think about whether -- I would think about grants to state election officials to help them harden their cybersecurity.
[10:40:10] I would raise awareness amongst state election officials, as well as, you know, public in general, employees of state governments -- raise awareness about the evils and the hazards of spear phishing.
I think, at a national level, there should be, in this current administration, somebody who really does take the mantle of cybersecurity on full-time, to highlight this issue, to lead the charge on this issue. My preference would be it's somebody within DHS, but we really need -- need a national leader to -- to take charge of this issue.
But first and foremost, on the ground, we need to encourage state governments, state election officials to engage in best practices when it comes to vote tallies and so forth, and through grants -- we ought to consider grants -- I hear that from state election officials themselves.
HIMES: Thank you. Thank you, Mr. Chairman. I yield back (ph).
CONAWAY: The gentleman's time has expired. Mr. King, seven minutes.
REP. PETER KING (R), NEW YORK: Thank you (ph), Mr. Chairman.
Secretary, it's good to see you again, I had the privilege of working with you closely as a (ph) homeland security committee when you were secretary, and I commend you for your service. Truly outstanding job, and -- in your career of public service -- Defense Department, assistant U.S. attorney and now as a successful lawyer, I'm sure.
Just a few points before I yield to Mr. Gowdy. Can you elaborate more on what the DHS's connection with the DNC was, or -- consultation with the DNC was after it became aware of the hacking and they became aware of the hacking, as to what was offered them, what they accepted? Was there any level of cooperation at all?
JOHNSON: To my disappointment, not to my knowledge, sir. And this is a question I asked repeatedly when I first learned of it. You know, what are we doing? Are we in there? Are we helping them discover the vulnerabilities? Because this was fresh off the OPM experience. And there was a point at which DHS cybersecurity experts did get into OPM and actually help them discover the bad actors, and patch some of the exfiltrations, or at least minimize some of the damage. And so I was anxious to know whether or not our folks were in there.
And the response I got was, FBI had spoken to them, they don't want our help. They have CrowdStrike, the cybersecurity firm. And that was the answer I got after I asked the question a number of times, over the progression of time.
KING: Now, that was, I assume, totally different from the reaction you got from OPM.
JOHNSON: The OPM effort, we were actually in there, on site, helping them find the bad actors.
KING: Do you know who it was at the DNC who made that decision, or who was making (ph)...
JOHNSON: I don't.
KING: ... that resistance?
KING: Do you know if the FBI continued to try to help, try to assist?
JOHNSON: I have -- I've read in the New York Times about those efforts sometime earlier this year.
KING: I move to strike all references to the New York Times.
I would just say, maybe it's editorializing on my part -- that really is, to me, an unusual response by the DNC.
I mean, if you're talking about -- presidential election, you have an unprecedented matter of cyber hacking by a foreign power -- an adversary, from my point of view -- and that they would not accept all help that could possibly be given, especially, I mean, it's not as if -- not that you would be partisan or anyone else, but it's not even like it was a Republican administration trying to intrude into the DNC.
This was an impartial governmental entity, FBI, DHS, and they didn't accept. I just find that very hard to -- you know, to comprehend.
JOHNSON: Well, my interest in helping them was definitely a nonpartisan interest.
KING: Yeah. I know that, yeah.
JOHNSON: And I recall very clearly that I was not pleased that we were not in there, helping them patch this vulnerability. The nature of -- the nature of -- when you're dealing with private actors and even political organizations, we don't -- we -- DHS does not have the power to issue a search warrant, or get a search warrant and go in and patch their vulnerabilities over their objections.
KING: I understand that (ph).
Moving ahead, was there any significant intelligence or information that came about after the election that was not available before the election? In other words, if there was so much out there, if the administration was so concerned, why was it that, suddenly, after the election -- seemed so much serious action was taken: the sanctions -- well, the sanctions in particular.
And also the public statements by the president, by the intelligence community, coming out, really coming on strong -- and yet I didn't see what was present after the election that wasn't there before the election.
JOHNSON: Well, I'm going to disagree with your premise, sir. We did, before the election -- one month before the election, formally and very publicly accuse the Russian government of doing this in pretty blunt terms -- uncommon for the intelligence community.
That statement was pretty blunt in saying we know the Russian government is doing this, based on the picture we saw at the time.
The picture continued to build upon itself as time progressed. There was more we knew about the Russian government's efforts at scanning voter registration databases.
You'll recall the October 7th statement says we were not then in a position to attribute that to the Russian government, but the picture got clearer as time progressed. But on October 7th, we issued a very clear declaration, based upon what we knew at the time, that the Russian government was behind the hacks of the DNC.
KING: I'm not at all being critical of you. I'm just saying that it seemed, if the administration...
JOHNSON: It didn't get the attention that I would have preferred it get, because we're in the midst of a campaign, we're -- the press and the voters are focused on lots of other things, like eleven-year-old videos.
KING: I'm thinking more about the administration (ph) -- all the power they have, all -- because in December, we had this drumbeat of stories coming out one after the other, some open, some being leaked.
And then you had your sanctions being issued. Seemed that all the power and mobilization of the administration to get that story out came after the election, into December and early January, and between October 7th and Election Day, there was very little.
As you say, the October 7th statement was overshadowed by the other incidents that were occurring at the time. So I think you did what you had to do, but I'm just saying -- I'm just so concerned -- not concerned, but...
JOHNSON: Well, the -- very definitely...
KING: ... the administration didn't...
JOHNSON: The October 7th statement was an administration statement that was the result of an intelligence community assessment. The president approved the statement. I know he wanted us to make the statement. So that was very definitely a statement by the United States government, not just Jim Clapper and me.
KING: But in the reality, though, most of the American people were not fully aware of it. In view of all else -- was going on, I just would've thought, during that 32 days -- if they had done as much during that 32 days from October 7th to November 8th as they did in December and January, I think the American people would have been a lot better informed when they went to the polls.
And I'm just...
JOHNSON: Well, I can tell you I issued statements...
KING: ... why they didn't do it.
JOHNSON: ... on September 16th, October 1, October 7 and October 10 about what we saw...
KING: You did your job.
JOHNSON: ... specifically directed to state election...
(CROSSTALK)
KING: I'm not -- I'm not questioning you in any way about that. I'm really asking about the administration overall.
And, with 30 seconds, Trey?
GOWDY: Just real quickly, if I could get you to put on your old hat for a second, hacking into someone's server strikes me as a crime.
GOWDY: So the DNC was the victim of a crime. I'm trying to understand why the victim of a crime would not turn over evidence to you and Jim Comey, who were both apolitical and come from apolitical backgrounds.
JOHNSON: Well, I'm quite sure that, at some point in the timeline, they did do that. My point earlier was that, in the initial period, I was not satisfied that we were able to get in there ourselves, DHS, to help them identify the bad actor and patch the vulnerabilities.
I'm quite sure that, at some point, the FBI and the DNC had a dialogue. But you'd have to ask them.
CONAWAY: Gentleman's time is expired.
Ms. Sewell, five minutes.
REP. TERRI SEWELL (D), ALABAMA: Thank you, Mr. Chairman.
I'd like to yield a minute to the ranking member to ask a question.
SCHIFF: I -- and I thank the gentlewoman.
I just want to follow up on Mr. King's comments and question, because I really agreed quite completely with Mr. King. And I'm not saying this as a matter of hindsight. Senator Feinstein and I were saying this in real time, as it was going on.
Why didn't the president of the United States -- and, Secretary, you did what you could do. But why didn't the president of the United States, at the time you were making your attribution or thereafter, speak to the American people and say, "a foreign power is interfering in our affairs. This isn't a Democratic thing. This isn't a Republican thing. This is an American thing, and they need to be rejected and they need to stop"?
Why wasn't that done? Was there thought given to that? Why was that course rejected?
JOHNSON: Well, again, Congressman Schiff, we did make the statement. And we were very concerned that we not be perceived as taking sides in the election, injecting ourself into a very heated campaign, and so -- or taking steps to themselves delegitimize the -- the election process and undermine the integrity of the election process.
[10:50:00] And so we considered all those things, and the decision was made that the director of national intelligence and the secretary of homeland security should together make this statement. And there were public statements made by various administration officials, including myself, all through the campaign season pre-election, to the same effect.
SCHIFF: I yield back to Ms. Sewell.
SEWELL: Secretary Johnson, welcome. Again, thank you for your years of service to this great nation.
I'd like to talk about attribution. And by now it's well-known that the Russians hacked, stole and then strategically dumped e-mails from the DNC in order to affect the outcome of the -- of the 2016 election.
What I'd like to understand better is how the United States government came to reach that conclusion, and how DHS and the rest of the government were able to attribute it directly to the Russians.
So, according to the declassified intelligence community assessment released in January of 2017, we noted that Russian intelligence assessed -- quote, "assessed elements of multiple state and local electoral (ph) boards," and that seems pretty clear.
How do you -- how does one go about attributing that to the Russians? What kinds of information, signatures or cyber activity would you be looking for in order to make that attribution? And how do you go about validating that information?
JOHNSON: Congresswoman, you'd probably have to have that discussion in closed session, because it's sources and methods and it's probably better to have a discussion with someone in the intelligence community.
I do recall that, looking at the intelligence, it was a pretty clear case, perhaps beyond a reasonable doubt, Mr. Gowdy, that the Russian government was behind the hacks into the DNC, based on everything I was seeing.
In terms of attribution, there are normal considerations about when one makes public attribution to a state actor who's engaged in some type of cyber attack. My personal opinion was that -- and is that -- those normal considerations were out the window, and that we had an independent, overriding need to inform the voting public of what we saw going on.
And the way I looked at it, as a corporate lawyer, was, if I'm the issuer of a public stock and I see a very powerful actor in the market trying to manipulate the price of my public stock, I have a duty to tell the investing public what I know.
SEWELL: Now, how did you go about alerting the states -- DHS go about alerting the states and local communities about -- about what was going on? And I -- I know that you did the designation for critical infrastructure.
My -- what I'm trying to get at is, given your background and your recommendation that we do something more, now, to really alert the state and local governments, how does -- how we do it now? And what would you suggest would be a better way to -- to go about alerting them of cyber...
JOHNSON: Well, we did have an ongoing dialogue, all throughout the fall, with state election officials, at the law enforcement level, with DHS. There was, of course, the public October 7 statement, but the conversation didn't stop there.
JOHNSON: I continued to issue public statements, and we continued to have a dialogue with state officials as they came in to seek our cyber assistance at the staff level. In answer to your question...
SEWELL: But only if they came -- but only if they came to get your assistance would you -- would the DHS be more helpful in that sense? So you really left it up to the states and the local governments to actually request?
JOHNSON: I think it's the case that we had a dialogue with just about every single of the 50 states. Eventually, ultimately, we had a dialogue with, I think, all but maybe one or two of the states, and they actually signed up for our cybersecurity assistance.
There were 36, along with a whole lot of counties and cities, that actually signed up for our assistance. But we were pushing information out the door to everybody as often as we could.
But in answer to your question, I think that the states are -- one thing I discovered in this conversation -- state election officials are very sensitive about what they perceive to be federal intrusion into their process. I heard that firsthand, over and over. "This is our process, it's our sovereign responsibility, we're not interested in a federal takeover." And they were very...
SEWELL: But doesn't the federal government have an interest in the integrity of these elections?
[10:55:00] JOHNSON: I think the American public, the nation, has an interest in the integrity of the election, and I think you federally elected officials have an interest in the integrity of the elections that result in you sitting here, yes.
But I think that we need to continue, now that the campaign's over, maybe in odd years, if we could find a way, to raise awareness when the temperature's down, maybe through grants -- encourage best practices at the state level, and maybe encourage a uniform set of minimum standards for cybersecurity when it comes to state election systems and voter registration databases.
SEWELL: Thank you.
CONAWAY: Gentlelady's time has expired.
Mr. Lobo (ph) -- LoBiondo, five minutes.
REP. FRANK LOBIONDO (R), NEW JERSEY: Thank you, Mr. Chairman.
Mr. Secretary, thank you for being here, thank you for your service.
Some of this may be a little bit redundant, but I'm trying to really better understand how all the different entities have come together. Can you briefly summarize DHS's role in cyber -- cyber defense?
JOHNSON: To summarize it, we are the agency of the U.S. government responsible for asset response, so responsible for working with other federal agencies and the private sector in identifying vulnerabilities, patching vulnerabilities, raising awareness, and, because of the help we got from Congress, we are the principal portal through which information from the private sector should pass to the U.S. government.
So that's it in a summary.
LOBIONDO: And, with that in mind, can you briefly tell us DHS's role in sharing cyber threat indicators -- how that works?
JOHNSON: On my watch, it was the -- and this is an acronym -- the NCCIC. The National Cyber Communications Integration Center is the place designated to receive cyber threat indicators and report them.
LOBIONDO: Switching gears a little bit, based on what you know now, what would you have done more or differently in response to the Russian cyber attack of the 2016 election?
JOHNSON: Well, with the benefit of hindsight, there is always more things you can say to yourself, "I should have done." Like I said earlier, you know, with the benefit of hindsight, perhaps I should have camped out at the front door of the headquarters of the DNC.
But at the time, knowing what we knew, and wrestling with all of the considerations we had, I can tell you that this was a -- very much a top priority for me, because none of us knew how this was going to come out and how far the Russians were going to go in their efforts. And so I can tell you, with the benefit of hindsight, that this was a top priority for me.
And, virtually every day during the campaign season, I was questioning my own staff about are we mobilized, are we energized enough to do what we need to do? Have we set up a crisis response center on election night -- which we did. At one point, and I said this in my prepared statement, I picked up the phone and called the CEO of Associated Press, that has, and has had for years, the responsibility for election-night reporting, to make sure that their systems were satisfactory. And I was satisfied that they have enough redundancies in their system as well. So this was something that was, you know, very much uppermost on our minds in the -- in the run-up to the election.
LOBIONDO: So, thinking ahead to 2018 and 2020, what scenarios -- two-part question. What scenarios most concern you? And what recommendations do you have for us that we should -- that we should do, that maybe is something that's not in place now?
JOHNSON: Well, the scenarios that most concern me about the integrity of elections are not necessarily cybersecurity related. But, in the cybersecurity realm, what I do worry about are the vulnerabilities around state voter registration databases.
And we saw those vulnerabilities last fall. And so I think there needs to be more done to secure voter registration databases so that that information doesn't get out in the open.
LOBIONDO: So, from a congressional approach, somehow -- grants to states for databases, or anything specific you recommend?
JOHNSON: I know that the states -- state election officials are very sensitive to -- and would oppose, likely -- federal standards for how they should run their elections.
[11:00:03] It was very hard to bring about -- I now remember the debate about HAVA in 2002.