GENERAL JOSEPH K. KELLOGG, USA
COMMAND, CONTROL, COMMUNICATIONS,
AND COMPUTER SYSTEMS
MAY 17, 2001
Thank you Mr. Chairman and members of the Subcommittee - I welcome the opportunity to come before you today and talk about the challenge of defending the Defense Department networks and the role the Joint Staff plays in executing this mission. I am Lieutenant General Keith Kellogg, the Director Command, Control, Communications and Computer Systems Directorate, the Joint Staff. I will address the overall strategy we are implementing to ensure the protection and availability of our warfighting networks and also speak to some of the areas in which we still need to improve. The rapid proliferation of advanced technologies throughout the global environment demands that we be flexible, proactive and vigilant. Before I discuss the specifics, I would like to present an overview of the environment in which we are conducting our operations.
At the advent of the 21st century we find ourselves to be a military that has fully embraced information technology - it has been incorporated into all our mission areas. Along with increasing our efficiency to conduct a myriad of missions - it has also increased our connectivity both within the military community and outside it as we do increasing amounts of business in the commercial sector. The result of this is the unquestioned need for Information Assurance. Without reliable information; information that the warfighter has complete confidence in its accuracy, authenticity, and integrity then today's commander will be unable to achieve Information Superiority.
Information Superiority is a central tenet for the Joint Vision 2020 and a fundamental enabler of warfare. Information Superiority ensures the right information reaches the right warfighter at the right time. It is manifested in the Global Information Grid, the Joint Staff effort to provide a globally interconnected, end-to-end set of information capabilities, associated processes and personnel necessary to provide information on demand to the warfighter. The Global Information Grid is to the Department of Defense what the Internet is to the Commercial sector. With our increased reliance on networks, their availability to the warfighter is critical. Malicious incidents, such as the Melissa and ILOVEYOU viruses, have demonstrated what can happen when access to information networks is impeded. There is no silver bullet to defend our networks from attack. Rather, a strategy that involves defense at different levels throughout the network provides the best opportunity to ensure the availability and integrity of our systems. This approach is codified in our approach to Information Assurance known as Defense in Depth. Defense in Depth takes information assurance to the warfighter enabling them to protect, defend and react to attacks on the network.
The three components of Defense in Depth are People, Operations and Technology. I would like to elaborate on each of these topics.
People, using technologies to conduct operations are the central element of Defense in Depth. It takes people to design, build, install, operate, evaluate and maintain protection mechanisms. To gain and maintain the knowledge and expertise to perform these vital tasks, a comprehensive program of education, training, practical experience and awareness is needed. The trained and aware individual, whom we call the system administrator, working on his or her job is the first and most vital line of defense protecting DOD information and information systems. These system administrators are the cornerstone of our information network defense, our front line cyber warriors of the 21st century. They are the network infantrymen, manning the virtual foxholes using technical weapons to defend the integrity of our networks. We have an obligation to train them in fighting on the cyber battlefield much as we do with the mud and boots infantryman. Properly trained system administrators are the primary key to protecting our information systems. Undersecretary of Defense, Personnel and Readiness (USD (P&R)) and Assistant Secretary of Defense, Command, Control, Communications and Intelligence (ASD (C3I)) recently established the requirement for U.S. Government departments and agencies to implement training programs for system administrators to achieve specific skills. At the Joint Staff, we are in the process of standardizing cyber skill sets against experience and levels of responsibility.
Information Assurance Operations are driven by IA policy that establishes goals, actions, procedures and standards. Current Joint Staff guidance targets the issue of information assurance procedures and standards. The recently published Chairman's instruction "Information Assurance through Defense in Depth" and its follow-on implementation manual, provides joint policy, component responsibilities and a minimum set of network protection requirements that outlines a common protection baseline throughout DoD along with detailed guidance to commanders on how to satisfy these requirements. Efforts to quantify "how much information assurance is enough" resulted in IA metrics guidance - measurable standards that allow commanders to evaluate their current situation, providing a current "as is" picture. Through a coordinated effort, DOD now has a policy in place that mitigates the risk to defense networks presented by malicious mobile code. As the Director J6, I am one of the 4 Designated Approval Authorities (DAAs) for the Defense Information Systems Network (DISN) - the DoD's primary communications backbone. My central responsibility in this role, as designated by the Director Joint Staff, is to ensure network security. Acting in coordination with the other DISN DAAs (Directors of National Security Agency, Defense Information Systems Agency and Defense Intelligence Agency), we ensure this security with a standardized certification and accreditation process. Codified in a DoD instruction (Defense Information Technology Certification and Accreditation Process), its objective is to optimize network security through the establishment of a standard infrastructure-centric approach. Standardizing the process minimizes risk associated with nonstandard security implementations.
This is a dynamic process that is involved in all phases of technology development and provides the Designated Approval Authority (operating at various levels) information with which to make educated decisions concerning the connection of information systems to their networks.
Stressing process improvement, another initiative currently underway is an extensive review of the policies and procedures detailing connection criteria to the Secret Internet Protocol Router Network (SIPRnet). This effort will further strengthen the stringent standards that are required to be met prior to being connected to our primary warfighting network.
A means to ensure timely, community wide notification and dissemination of network vulnerability information exists in the form of the Information Vulnerability Assessment Alert (IAVA) process. Administered by the Defense Information Systems Agency and under the oversight of United States Space Command (USSPACECOM), the IAVA process is used to notify the military services and Defense Agencies about significant computer security vulnerabilities that pose an immediate threat to the networks and require timely corrective action. Components are required to report on the status of their compliance - providing a snapshot update on the integrity of DoD networks.
DOD has implemented the Information Condition (INFOCON) system, which allows us to raise the awareness and information assurance standards of affected or threatened commands to an appropriate level of readiness to meet expected cyber threats and/or attacks. This system provides a hierarchy of protection profiles that Commands implement to defend their networks. It is a warning system that raises situational IA awareness.
The interconnectivity of our networks makes this an extremely important and challenging endeavor. Based upon lessons learned from our operations in Kosovo and some timeliness issues with the DoD response to recent denial of service attack, a review is underway to identify ways to improve this system.
Finally, through the consolidated efforts of the Defense-wide Information Assurance Program and the Joint Staff, the Information Assurance Panel is actively working various IA community issues. This panel, which reports to the Military Communications Electronics Board, has significantly heightened DoD-wide awareness to information assurance issues and challenges. It is a powerful forum where the IA community can meet to discuss, evaluate and reach agreement on ideas and suggestions. It allows discussion among the services and agencies of Information Assurance issues that have a commonality within DoD.
In order for Information Assurance through Defense in Depth to be fully realized, the technology component must be aggressively pursued. To conduct an effective cyber defense we must have a well-stocked arsenal of technological weapons and the skills to use them. Increasingly, the use of commercial off the shelf technology (COTS) is the means by which new capabilities are introduced in the field. The importance of the integrity of these solutions cannot be overstated. Evaluation efforts such as those underway by the National Information Assurance Partnership (NIAP) are critical to ensure that the warfighter has confidence in the equipment they employ to help them defend the network. Partnership with industry is paramount to ensure the COTS tools and equipment DoD procures do the things we need them to do. This requirement is highlighted and codified in the National Policy Governing the Acquisition of Information Assurance (IA) and IA-enabled Information Technology (IT) products. This guidance, issued by the National Security Telecommunication and Information System Security Committee, mandates that all IA and IA-enabled IT COTS products used in national security systems be evaluated and certified in accordance with accepted IA standards. As technology continues to advance - new and progressive means must be employed to ensure the availability and integrity of our networks. The Defense Department-wide efforts in the fielding of Public Key Infrastructure, a means to ensure the authenticity of network traffic will significantly strengthen the networks.
Further, the advancement of biometrics technology, an effort being led by the U.S. Army, holds the promise of increasing both information and network security.
We have made significant progress in the last year in our ability to protect, defend, and react to attacks on our networks - but there is still work to be done.
The Vulnerability Alert process, while effective in disseminating alerts and vulnerability solutions, lacks an effective mechanism to ensure consistent and complete reporting across the Department. Vulnerability Alert status is now briefed on a monthly basis to the Information Assurance Panel and to the Chairman, Joint Chiefs of Staff as needed. General Shelton has listed this as a priority item and the increased visibility has resulted in favorable results. The process is being revised in a Chairman's manual 6510.01, currently in final draft, placing greater emphasis on operational commander participation and tightening the standards by which a compliance extension can be granted.
Further refinements contained in the draft manual include the incorporation of Joint Monthly Readiness Reporting-like (JMRR) metrics that operational commanders can use to report their IAVA status. This operationalizing of Information Assurance in the well-understood and highly visible Joint Monthly Readiness Reporting (JMRR) - a system that identifies warfighting shortfalls, discrepancies and provides a means for highlighting IA deficiencies that impact combat/mission readiness increases the visibility of IA shortfalls provided to senior leadership.
In closing, let me stress that as we travel down the Information Assurance highway, we must realize that it has no end point, only many curves, potholes and dangerous drivers that require us to be vigilant and watchful - else we will be unable to navigate it safely. We have made a lot of progress on our journey but there is much more that can and must be done. As technology and threats mature - we must refine and improve our training, techniques and procedures in order to protect our networks. The challenges are many but our men and women are up to the task - it is our job to give them the proper resources and leadership support to do their jobs.
2120 Rayburn House Office Building
Washington, D.C. 20515