[House Hearing, 111 Congress]
[From the U.S. Government Printing Office]
[H.A.S.C. No. 111-51]
CYBERSPACE AS A WARFIGHTING DOMAIN: POLICY, MANAGEMENT AND TECHNICAL
CHALLENGES TO MISSION ASSURANCE
__________
HEARING
BEFORE THE
TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES SUBCOMMITTEE
OF THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
HEARING HELD
MAY 5, 2009
U.S. GOVERNMENT PRINTING OFFICE
57-218 WASHINGTON : 2010
TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES SUBCOMMITTEE
ADAM SMITH, Washington, Chairman
MIKE McINTYRE, North Carolina          JEFF MILLER, Florida
ROBERT ANDREWS, New Jersey             FRANK A. LoBIONDO, New Jersey
JAMES R. LANGEVIN, Rhode Island        JOHN KLINE, Minnesota
JIM COOPER, Tennessee                  BILL SHUSTER, Pennsylvania
JIM MARSHALL, Georgia                  K. MICHAEL CONAWAY, Texas
BRAD ELLSWORTH, Indiana                THOMAS J. ROONEY, Florida
PATRICK J. MURPHY, Pennsylvania        MAC THORNBERRY, Texas
BOBBY BRIGHT, Alabama
Kevin Gates, Professional Staff Member
Alex Kugajevsky, Professional Staff Member
Andrew Tabler, Staff Assistant
C O N T E N T S
----------
CHRONOLOGICAL LIST OF HEARINGS
2009
Hearing:
Tuesday, May 5, 2009, Cyberspace as a Warfighting Domain: Policy,
Management and Technical Challenges to Mission Assurance
Appendix:
Tuesday, May 5, 2009
----------
TUESDAY, MAY 5, 2009
CYBERSPACE AS A WARFIGHTING DOMAIN: POLICY, MANAGEMENT AND TECHNICAL
CHALLENGES TO MISSION ASSURANCE
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Miller, Hon. Jeff, a Representative from Florida, Ranking Member,
Terrorism, Unconventional Threats and Capabilities Subcommittee
Smith, Hon. Adam, a Representative from Washington, Chairman,
Terrorism, Unconventional Threats and Capabilities Subcommittee
WITNESSES
Alexander, Lt. Gen. Keith, USA, Commander, Joint Functional
Component Command Network Warfare, Director, National Security
Agency, Department of Defense
Carey, Robert J., Chief Information Officer (DONCIO), Department
of the Navy
Krieger, Mike, Deputy Chief Information Officer/G-6, Department
of the Army
Lentz, Robert, Deputy Assistant Secretary of Defense for Cyber,
Identity Management, and Information Assurance, and Senior
Information Assurance Official, Department of Defense
Shelton, Lt. Gen. William L., USAF, Chief of Warfighting
Integration, Chief Information Officer, Office of the Secretary
of the Air Force
APPENDIX
Prepared Statements:
Alexander, Lt. Gen. Keith
Carey, Robert J.
Krieger, Mike
Lentz, Robert
Miller, Hon. Jeff
Shelton, Lt. Gen. William L.
Smith, Hon. Adam
Documents Submitted for the Record:
[There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
[There were no Questions submitted during the hearing.]
Questions Submitted by Members Post Hearing:
Mr. Murphy
Mr. Smith
Mr. Thornberry
CYBERSPACE AS A WARFIGHTING DOMAIN: POLICY, MANAGEMENT AND TECHNICAL
CHALLENGES TO MISSION ASSURANCE
House of Representatives,
Committee on Armed Services,
Terrorism, Unconventional Threats and Capabilities
Subcommittee,
Washington, DC, Tuesday, May 5, 2009.
The subcommittee met, pursuant to call, at 3:58 p.m., in
room 2212, Rayburn House Office Building, Hon. Adam Smith
(chairman of the subcommittee) presiding.
OPENING STATEMENT OF HON. ADAM SMITH, A REPRESENTATIVE FROM
WASHINGTON, CHAIRMAN, TERRORISM, UNCONVENTIONAL THREATS AND
CAPABILITIES SUBCOMMITTEE
Mr. Smith. Good afternoon. Call the meeting to order. Sorry
about the delay. Votes came at a bad time, and then I got
waylaid by a conversation on my way over here, but I do want to
thank all of you for being here today. Appreciate your presence
on this very important topic and look forward to hearing from
all of you.
I will keep my opening statement very, very brief except to
say that cyber security is an incredibly important element of
our national security with many, many complex pieces to it.
Obviously it involves a multi-agency process; also it involves
the private sector and a variety of different challenges that
are very complicated and complex.
And our goal in this committee is to help work with the new
administration and all the appropriate agencies to try to
develop a comprehensive strategy to approach our network
security needs and our broader cyber security interests--try to
get us to the point where we have at least some idea of what
the plan is and are working closely together on how to
implement that with all the different pieces of it. And I look
forward to the testimony. We have a very, very distinguished
panel that will help shed some light on this issue and help let
us know what the pathway forward is.
And with that, I will yield to our ranking member, Mr.
Miller, for any opening statement that he might have.
[The prepared statement of Mr. Smith can be found in the
Appendix on page 31.]
STATEMENT OF HON. JEFF MILLER, A REPRESENTATIVE FROM FLORIDA,
RANKING MEMBER, TERRORISM, UNCONVENTIONAL THREATS AND
CAPABILITIES SUBCOMMITTEE
Mr. Miller. Thank you very much, Mr. Chairman. I have a
full statement that I would like submitted into the record.
[The prepared statement of Mr. Miller can be found in the
Appendix on page 32.]
Mr. Miller. I associate myself with your remarks, and as we
all know, breaches in our security have taken place time and
time again. The Joint Strike Fighter [JSF] Program highlights
the vulnerability that currently exists today. Our charge is to
help you get the job done, and that is what we are here for, so
thank you.
Mr. Smith. Thank you.
Just in connection, I had one further thought. It is not
just a matter of cyber security preventing attacks. We need to
look at our entire system's--our entire IT [information
technology] infrastructure in terms of what we need to get out
of it and how to best make that system work on a variety of
different needs including, of course, making sure that it is
protected from our adversaries or those who wish to do us harm.
With that I will introduce the panel. I will go--introduce
all of you, and then we will just start with Mr. Krieger and
work our way across the panel.
As you have noticed, there are five of you, and try to keep
your testimony between five and ten minutes at the most. We
don't want to go on too long before we get into the
interaction. I know that is very difficult on a subject this
complex, but appreciate your cooperation so we can get into the
questions from the members.
So I will introduce the panel. First we have Mr. Mike
Krieger, who is the deputy chief information officer for the
U.S. Army; Mr. Rob Carey, who is the chief information officer
for the U.S. Navy; we have Lieutenant General William Shelton,
United States Air Force, chief of warfighting integration,
chief information officer, Office of the Secretary of the Air
Force; we have Mr. Robert Lentz, who is the deputy assistant
secretary of defense for cyber, identity management, and
information assurance--that sounds like a complicated job, and
it is; and lastly, we have Lieutenant General Keith Alexander,
who is the director of the National Security Agency.
We appreciate all of you being here. We look forward to
your testimony and to the Q & A that follows.
Mr. Krieger.
STATEMENT OF MIKE KRIEGER, DEPUTY CHIEF INFORMATION OFFICER/G-6,
DEPARTMENT OF THE ARMY
Mr. Krieger. Good afternoon, Chairman Smith, Congressman
Miller, and distinguished members of the subcommittee. As the
United States Army's deputy chief information officer and
deputy G-6, I am pleased to appear before the subcommittee this
afternoon to discuss the Army's activities to address the
challenges to enhance mission assurance in cyberspace as a
warfighting domain.
The Army believes that our enterprise network, known as
LandWarNet, must be viewed as a critical enabler for the
warfighter. This requires a change in our culture for which the
Army is revising policies, management of people in the network,
and enhancing technical capabilities to better detect, assess,
and respond to cyberspace attacks.
The Army is transitioning to a continental U.S.-based
expeditionary force. To support this force the Army is adapting
our institutions and LandWarNet. General Casey recently signed
a memorandum to transform LandWarNet to a new Global Network
Enterprise Construct, or GNEC, that is more secure, economical,
and seamless. General Casey also designated the Network
Enterprise Technology Command, reporting to the chief
information officer, as the single command for network
operations of the Army's generating force networks.
The Army is implementing many new policies to improve cyber
security. These policies concentrate on protecting information,
defending systems, and creating an empowered workforce.
Addressing the management challenges of training our cyber
warriors and protecting our network remain top priorities in
the Army. The Army is reviewing the development and tracking of
its overall workforce and looking to update the career
management fields for conducting cyberspace operations.
Successfully mitigating cyberspace attacks and
vulnerabilities requires unity of command and effort not only
between the Army, other services, and the combatant commands,
but within the Army staff. We have realigned organizations to
streamline the command and control over the network and are
creating an Army Cyber Task Force to better define and oversee
cyberspace operations.
To meet the many technical challenges the Army faces, we
have taken many initiatives, which include a data-at-rest
encryption solution, a secure two-way wireless capability, and
we are working with the defense industrial base to protect
technologies used to build our future networks and major
weapons systems.
In conclusion, the Army is taking action to mitigate
persistent cyberspace threats. Using GNEC, the Army is
addressing the challenge of changing the culture to view the
network as a critical enabler for the warfighter. The Army's
commitment to transforming LandWarNet will ensure commanders
have the ability to control, defend, and fight the network as
one enterprise.
I thank the subcommittee for affording me the opportunity
to share the Army's activities to operate and enhance mission
assurance in cyberspace as a warfighting domain. This concludes
my remarks and I look forward to answering your questions.
[The prepared statement of Mr. Krieger can be found in the
Appendix on page 34.]
Mr. Smith. Thank you very much.
Mr. Carey.
STATEMENT OF ROBERT J. CAREY, CHIEF INFORMATION OFFICER
(DONCIO), DEPARTMENT OF THE NAVY
Mr. Carey. Thank you, Mr. Chairman.
Chairman Smith, Congressman Miller, distinguished
subcommittee members, thank you for the opportunity to appear
before you today. I provided a written statement and request
that it be entered into the record.
I would like to use this time to briefly highlight some of
our key initiatives that will ensure the Department of Navy's
success in the cyberspace domain. It is a time of great change,
and as the Department of the Navy chief information officer, I
have the honor to work across the entire Navy-Marine Corps
team, harnessing the power of information technology for our
sailors, Marines, and civilians.
Our efforts in the cyberspace domain span our mission sets
and mandate that we defend the information for the warfighters
as well as protect the privacy of our naval team. The
cyberspace domain is one in which we must prevail. The
department remains on a course for interoperable, net-centric
operations that will link warriors, sensors, networks, command
and control platforms, weapons, and commanders, into a
networked, distributed combat force.
Key to our success will be the ability to balance the
polarity between the need to share information and our
requirement to protect it against cyber threats. We have made
great strides in the areas of policy, management, and technical
challenges that are enabling us to achieve this balance.
Together with our industry partners, we have created an
enterprise network structure comprised of the Navy/Marine Corps
Intranet [NMCI], the department's shore-based network;
Information Technology-21, for our afloat forces; ONE-NET
[OCONUS Navy Enterprise Network], for our Navy outside of CONUS
[continental U.S.] forces; and the Marine Corps Enterprise
Network; as our contribution to the DOD [Department of Defense]
vision of a trusted, dependable, ubiquitous network.
We have seen the power of a single enterprise network
improving access, control, interoperability, and information
security, and as we move toward the Naval Network Environment
2016, our continued consolidation using the Next Generation
Enterprise Network and a defense-in-depth and breadth, will
further enable our ability to serve the warfighters with
assured information.
Our computer network defense efforts are comprised of a
broad array of initiatives to ensure a defense-in-depth, and
while we are making progress, much work remains. We leverage
industry best practices and standards, such as public key
infrastructure encryption, data-at-rest encryption, and
host-based security systems, to strengthen our cyber security.
Our brave sailors and Marines deployed far from home in
harm's way are the heart and soul of our organization. What
they know and how they translate that knowledge through sound
decisions into action will define how successful we are. And so
we are committed to providing them the information and tools
they need to stay current and defend the cyberspace domain in
an increasingly complex technology-based environment.
Thank you for your support of our information technology
initiatives and our efforts to achieve net-centric operations
and decision superiority. I am happy to answer any questions
that you may have.
[The prepared statement of Mr. Carey can be found in the
Appendix on page 44.]
Mr. Smith. Thank you very much.
General Shelton.
STATEMENT OF LT. GEN. WILLIAM L. SHELTON, USAF, CHIEF OF
WARFIGHTING INTEGRATION, CHIEF INFORMATION OFFICER, OFFICE OF
THE SECRETARY OF THE AIR FORCE
General Shelton. Good afternoon, Chairman Smith,
Congressman Miller, distinguished members of the subcommittee.
I am pleased to be here today, along with members of the DOD's
cyber leadership team, to appear before you and address our
efforts to meet the challenges in the cyberspace domain.
Several years ago the U.S. Air Force recognized the growing
importance of cyberspace. On December 7, 2005, we took the
unprecedented step of adding cyberspace to our mission
statement and placed that domain on an equal footing with our
more traditional operating environments of air and space.
Since that time, we have been moving forward to organize,
train, and equip our Air Force for both defensive and offensive
capabilities in cyberspace or joint operations. As we have
continued our study of cyberspace, we are finding that the most
significant challenge we face is the constantly evolving nature
of the threat in cyberspace. Threats in cyberspace move at the
speed of light, and we are literally under attack every day as
our networks are constantly probed and our adversaries seek to
exploit vulnerabilities in our network enterprise.
I would like to thank the committee for its support and for
this opportunity to highlight the outstanding efforts of the
dedicated men and women of the United States Air Force [USAF]
to help secure the nation and cyberspace. This domain is both
highly complex and extremely challenging, but it is one that
the Air Force is fully embracing.
Thank you again, and I look forward to your questions.
[The prepared statement of General Shelton can be found in
the Appendix on page 54.]
Mr. Smith. Thank you, General.
Mr. Lentz.
STATEMENT OF ROBERT LENTZ, DEPUTY ASSISTANT SECRETARY OF
DEFENSE FOR CYBER, IDENTITY MANAGEMENT, AND INFORMATION
ASSURANCE, AND SENIOR INFORMATION ASSURANCE OFFICIAL,
DEPARTMENT OF DEFENSE
Mr. Lentz. Good afternoon, Chairman Smith, Congressman
Miller, and members of the subcommittee. I am pleased to appear
before the subcommittee to discuss initiatives to enhance the
department's and the nation's information assurance cyber
security posture.
This is a critical priority in the Department of Defense.
With information and information technology assets distributed
over a vast enterprise and with diverse domestic and
international partners, we know that we cannot execute
operations without the GIG, Global Information Grid, or the DOD
network.
The GIG is where business goods and services are
coordinated, where medical information resides, where
intelligence data is fused, where weapons platforms are
designed, built, and maintained, where commanders plan
operations and control forces, and where training, readiness,
morale, and welfare are sustained. Maintaining freedom of
action in cyberspace is critical to the department and to the
nation.
Therefore, the department is focused on building and
operating the GIG as a joint global enterprise. This enterprise
network approach, coupled with skilled users, defenders, and
first responders, and in partnership with the intelligence and
homeland security communities, will allow us to more readily
identify and respond to cyber attacks.
The DOD information assurance cyber security program is
thus aimed at ensuring that DOD missions and operations
continue under any cyber situation or condition, and the cyber
components of DOD weapons systems perform as expected. There
are many examples of current initiatives in my statement for
the record. I will quickly highlight a few today.
To protect sensitive data on mobile and portable devices
like laptops, we help make discounted encryption products
available to all federal, state, local, and tribal government
agencies and to NATO [North Atlantic Treaty Organization].
Since July of 2007, the resulting U.S. government cost
avoidance has exceeded $98 million.
To address cyber security risks to the defense industrial
base we have put in place a multi-faceted pilot for threat and
vulnerability sharing, incident reporting, and damage
assessment. For the global supply chain, the department has
launched a program to protect mission-critical systems.
This year we are establishing four centers of excellence to
support program executive offices and supply chain risk
mitigation throughout the system lifecycle. Additionally, we
are executing vulnerability assessments in accordance with the
2009 National Defense Appropriations Act.
We continue to rely on the national centers of academic
excellence and IA [information assurance] education for
critical cyber security skills. There are currently 94 centers
in 38 states and the District of Columbia. One of the centers--
the University of Nebraska at Omaha--cosponsored and hosted
last year's fifth annual International Cyber Defense Workshop.
In 2008, the department helped bring cyber security to the
Wounded Warrior Program. Wounded, disabled, and transitioning
veterans are receiving no-cost vocational training in digital
forensics, a critical technical shortfall for the nation and
for the department. The program started at Walter Reed and is
being expanded to other DOD and VA hospitals.
In conclusion, the DOD's CIO [Chief Information Officer] is
working towards a resilient and defendable core network for the
department and for the nation in the face of the daunting
security challenges. We are preparing the GIG [Global
Information Grid] and the GIG-dependent missions to operate
under duress, and we are doing so under conditions of rising
hostilities.
I am happy to take questions. Thank you.
[The prepared statement of Mr. Lentz can be found in the
Appendix on page 66.]
Mr. Smith. Thank you very much.
General Alexander.
STATEMENT OF LT. GEN. KEITH ALEXANDER, USA, COMMANDER, JOINT
FUNCTIONAL COMPONENT COMMAND NETWORK WARFARE, DIRECTOR,
NATIONAL SECURITY AGENCY, DEPARTMENT OF DEFENSE
General Alexander. Well, that was quick, Mr. Chairman----
Mr. Smith [continuing]. Astonished. We moved very, very
quickly through that.
General Alexander. I won't slow it down.
Mr. Smith. No----
General Alexander. Mr. Chairman, Ranking Member----
Mr. Smith. We are ahead of schedule at this point.
General Alexander. Well, I don't know enough to fill it up,
so I will talk briefly here.
I would like to just give you a little bit of background
about what NSA, the National Security Agency, but more
importantly, what the Joint Functional Component Command [JFCC]
for Network Warfare is doing in network operations--where we
are, where we are going, and the way ahead, because I think it
leverages off of what my colleagues have already brought up. It
has to be a team to work this across the services, within DOD,
to set up the right apparatus. So I will end on that.
Let me go back to the beginning, and if I could, just hit
briefly on World War II, and in World War II, just hitting on
some of the key things that happened in World War II,
specifically Enigma and Red and Purple, the Japanese encryption
systems and the German encryption systems. The reason I bring
those up, as you may recall, the Germans had Enigma; we broke
it--actually the Poles and the Brits broke it; and in 1941
Admiral Donitz understood that it was broken and added a fourth
rotor to make the decrypting of those communications more
difficult.
From January to March of 1942 the United States lost 216
ships off the coast--off the East Coast, and our efforts in
Europe were going down rapidly. We were able to break that
collectively, with industry, Army, Navy, working together with
our allies, and it changed the balance of that war.
And if you think about it, we broke their encryption, we
broke the Japanese encryption, and they didn't break ours. And
that was huge for warfighting.
The network that we have today has taken what was an analog
network to a digital network, and a consequence of that change,
going from analog to packets, is huge. It allows us to leverage
things like iPhones, the iTouch--I have 11 grandchildren, and
they have these little iPod Shuffles; they are hooked to the
networks. They can do things at seven years old--they are
googling on the network. They are linked--the same network. One
network.
Great things are possible. Our military leverages that
today for great good--for command and control, for integration
of our intelligence with operations, with logistics, with
everything we have on the battlefield. Great opportunities,
great vulnerabilities.
And with those vulnerabilities comes the reason we really
have to focus as a team on cyber security. The way we are
approaching it today does not work.
Recently, commander of STRATCOM [Strategic Command]
delegated to myself under net warfare [JFCC-NW], the
responsibility for directing the defense and operations of the
GIG as well as our current role for net warfare, so that we
have all those missions together so that we could put the
defense and the offense together for the good of the Defense
Department.
As you saw in my written statement for the record, the
Defense Department is considering an option to stand up a
sub-unified command that would allow us to leverage the defense and
the offense for the good of our forces around the world to
ensure that we have the communications availability, the
integrity of our communications, and the reliability that we
need to conduct our missions abroad. In order to do that, the
services and the joint community have to work together to
support our regional combatant commands.
So I think what each of the services has said and where we
are is now we are looking at the steps of what we have to put
together in the sub-unified command as an option, or in a Joint
Functional Component Command--how will we put these
capabilities together to ensure our networks are secure and
provide us freedom of maneuver in cyberspace?
So with that, a lot of work to be done is ahead of us. I
think where the Defense Department is today is in a good place
and moving up. We understand the problem; it doesn't mean that
there aren't issues with training, with equipping, and with the
tactics, techniques, and procedures that we have to do, but I
do think that we have come up with a way of working together to
face these and to come up with a good plan for the future.
So with that, Mr. Chairman, I turn it back over to you.
[The prepared statement of General Alexander can be found
in the Appendix on page 94.]
Mr. Smith. Thank you.
And we will--in questions we will observe the five-minute
rule. Hopefully--we got great very brief statements by our
witnesses--we will have time to go around more than once. But
just to keep it flowing we will make sure we keep everybody to
five minutes, including me.
My first question is just sort of a follow up on that last
point about how coordinated the effort is in the Joint
Functional Component Command. So when you look out across DOD,
and certainly we have many of the key components here--Army,
Navy, Air Force--and if you are in your position, or STRATCOM's
position, or even a higher up, and you are going, ``How secure
is my network?''
How compartmentalized is that and how coordinated is that?
You know, how much do you guys get together on a regular basis
so that you, as the person in charge of that, or the Secretary
of Defense, or somebody higher up can say with confidence,
``Our network is secure and we are paying attention to the
different pieces of it.''
Or, I guess the better question is, to know the
vulnerabilities--to know in a coordinated fashion so that it is
not stovepiped, because as you know, in this situation, in many
cases, you are only as strong as your weakest link into the
network. How do you do that coordination within DOD?
And then I have a follow-on question about how you handle
the interagency piece. But just starting in DOD, and you
touched on that a little bit, but if you would get more
specific about how coordinated that effort is.
General Alexander. I will hit the first part and then I
will let Bob and some of the others----
Mr. Smith. Okay.
General Alexander [continuing]. Pick up on that. We direct
the defense of the network to the Joint Task Force-Global
Network Operations. Lieutenant General Carroll Pollett, from
the Defense Information Systems Agency [DISA], is the commander
of the Joint Task Force-Global Network Operations and works for
me in that regard, and his day-to-day guy is Brigadier General
John Davis. They put out written guidance of how to defend the
network--the unclassified and the classified networks.
I would like to say that our networks are secure, but that
would not be correct. We do have vulnerabilities.
And the issue, and one of the things that we have wrestled
with over the last six months, is a strategy for closing those
vulnerabilities very quickly. I think we are making good
progress on that, because the level of problems that we have
had with things like Conficker and others have been greatly
diminished because of the great steps that have been taken by
Global Network Operations but implemented by the services.
Mr. Smith. And what were some of those steps, if you could
walk through the specifics here?
General Alexander. Well, let us see. In an unclassified
forum that becomes very difficult. It would be the way that you
use removable media, would be a great case in point--how you
have to use removable media or not use it in a network, what
the restraints are, dictating those restraints, how you have
your Information Assurance Vulnerability Analysis IAVA
compliance out there, which means, do you have your McAfee or
Symantec antivirus software up to date? Are you using the
latest update? Have you scanned your system for these things?
And ensuring that those kinds of things are done.
How do we tell that at a global scale? Others' mission is
to look on the periphery and see if we see problems on the
network.
I would like to give you one key element here I think is
crucial to it. If we try to defend our networks like we do a
castle--the moat--we will never be successful. We have to
defend it on the network globally, because that is how it
exists on the network.
And so that means we and our allies in industry and
government have to work together in this enterprise. That is
going to be key to our success.
Bob, and----
Mr. Lentz. I will give you two examples, Mr. Chairman, to
your question. First of all, one unclassified example of the
cooperation at a technical level is the Federal Desktop Core
Configuration.
The fact that we locked down the computers so tightly at
our endpoint within the DOD network working with the services--
in fact, the Air Force led that effort--and Microsoft, which is
our most ubiquitous product throughout the Department of
Defense, is locked down in terms of the stable configuration,
and that has allowed us to defend the network much more
effectively. I think that is a technical example.
To your first question regarding the cooperation within the
Department of Defense, one of the things that--we have a DOD
CIO policy that has been fully implemented is, we align every
single service and agency within the Department of Defense to
what we call a computer network defense service provider, or a
Computer Emergency Response Team [CERT]. So every entity in the
Department of Defense, from our schools to our main military
operations, are aligned to certified CND [computer network
defense] service providers, and those CND service providers
work together under the leadership of STRATCOM and the JTF-GNO
[Joint Task Force-Global Network Operations] working in
partnership with NSA and the law enforcement community part of
our infrastructure to work on these cyber events. So I think
that is an example of the cooperation that goes on within the
DOD.
Mr. Smith. Okay.
I will yield back the point and yield to Mr. Miller.
Mr. Miller. Thank you, Mr. Chairman.
Could you talk about the role that you think the federal
government should play in securing the networks of our defense
industry partners?
Mr. Lentz.
Mr. Lentz. Clearly, it is absolutely essential, in terms of
having a robust capability in the face of the cyber attack, is,
we need a partnership in every tier, from our international
partners--we have found on one cyber event after another cyber
event that they have insights that are very critical for us.
Plus, just because of the nature of the geography, our
international partners oftentimes will have an advanced warning
to give us insight into cyber events.
At the domestic level, we team with the major centers
across the cyber landscape, to include the
counterintelligence, the law enforcement communities, and of course,
all the CERTs [Computer Emergency Response Teams]. And at the
industry level, it is absolutely essential we team with the
ISPs [Internet service providers], we team with Carnegie
Mellon, we team with all the industry leaders in this area to
gain insight into cyber events, particularly when it comes to
vulnerabilities in which we have to have advanced notice in
today's cyber environment.
Mr. Miller. General? Would you like to answer?
General Alexander. So the role that--just to take up where
Bob left off--so one of the roles that the intelligence
community and the Defense Department is going to have is, how
do you make those identifications of the vulnerabilities and
the signatures and how do we work those with industry and other
government entities so that they know how to defend their
system?
I think if you take the analogy that I was talking about,
this--we are defending a castle today, but we want to defend
our network and perhaps our allies' networks, then you are
going to have to have an early warning capability that exists
between networks to tip and cue on problems that are coming. I
think that is going to be key for future problems that we
face--for example, some of these robot networks, or botnets,
that are out there, and things like that.
How do you defend against them? It is going to take our
country and our allies to work together and tip and cue at
network speed to defeat them.
Mr. Miller. How does the DOD ensure that we--you had
mentioned the word ``robust''--have a robust computer network
defense and information assurance structure in place but we
don't replicate across the service lines?
Mr. Lentz. Well, I think we actually do have a very robust
capability working with the services. As I mentioned early, the
CND [Computer Network Defense] service provider program that we
have--we have 23 different CND service providers across the
Department of Defense, of which the services make up a good
share of those. And each one of those CND service providers
coordinate constantly in real time what is going on in cyber
events.
Mr. Smith. Mr. Marshall for five minutes.
Mr. Marshall. Thank you, Mr. Chairman.
I wonder what the limits of the effective partnership
between DOD, or the nation generally, and business might be--
the private sector might be. I was involved in an enterprise at
one point that decided it was going to acquire a bunch of
laptops that each individual employee would then use to enter
data while they were out. We had a range of possible laptops
that we could pick, and some of the more expensive laptops were
less vulnerable to damage if they were dropped, if, you know,
they were exposed to water, to heat, et cetera, and then there
was the question of weight, and typically the ones that were
less vulnerable were also heavier, and so we ultimately decided
we were going to go with the lightweight one because we could,
in our circumstances, not have to worry too much about things
being dropped or subjected to water or heat.
I assume that for some of the applications that we might
use laptops for where the Army is concerned and the services
are concerned, going to go with the heavier version that can
handle them. And I wonder if those--I am sure that those same
kinds of decision-making differences between the private sector
and the public sector exist with regard to the issues that you
all deal with that are way above my pay grade. And I am
wondering if you can describe where it is that your interests
diverge or your objectives diverge in ways that will make the
partnership more difficult.
General Alexander. I will take a first whack at that, sir.
Let me just give you my thought, and that is, where they
converge are where it is in our nation's interest to ensure
those networks exist and can function and they are reliable--
our power grid, our critical infrastructure at large. We have,
I think, there a responsibility to partner with industry to
assure that our nation can operate in a time of crisis, and the
government has some kind of role there and I think we have got
to determine--and I think some of the stuff coming out of the
60-day review and other studies will look at, so how do we
partner with industry to do that?
Our partnership might be giving them early warning, sharing
with them threat data, and helping them secure their networks
with some of the standards that Bob talked about, in terms of
how you would set up your desktop configuration to active
tipping and cuing to defend their networks. One of the key
things that industry has done on the network is their
intellectual secrets, their financial--wealth, all that is
stored on the networks, their personal data. Much of that is an
industry, I think, responsibility to secure, and government
would support in some way.
So I think that is where it starts to diverge, as you get
industry that is out there on its own--there are some things--
you know, our own personal communications from my wife to
myself--that doesn't need government, and if that goes down,
well then I won't buy the milk and bread tonight. I will be
good.
But, you know, our personal communications aren't a
national priority, so I think you are going to have that range
from those things that are, how do we ensure the security of
our nation, so that if a network attack blossoms into a warfare
we know where that line is.
Mr. Marshall. There is no question a tremendous opportunity
exists for synergy here and for taking advantage of the private
sector's obvious interest in protecting data. I mean, literally
billions or trillions of dollars are at stake, you know,
besides personal private information.
And so the private sector is paying top dollar to the best
possible minds to protect the infrastructure that holds access
to those kinds of money flows, to that kind of private
information. I am wondering where it diverges in any
substantial way.
General Alexander. Well, I think part of the divergence is
that, you know, they are going to harden like a shell for
theirs, but the government is going to operate across a global
thing with our allies, so we have a global responsibility. You
can harden a network for an industry within a network and
almost sever it completely and have that almost ensured
security.
Where we have to have an Army in the field, or an Air Force
in the field, or a Navy out there, they are going to have
communications that are both wireless and wired, and as a
consequence they are going to have vulnerabilities that are far
different than what industry might have. Now, having said that,
it doesn't necessarily mean that there aren't things that we
couldn't work together with or should work together with; I
think there will be.
So I think you will have all the way from the far you know,
all the way over here on the far right, those things that we
are not worried about and even if somebody loses them, to those
things that we are worried about as the national interest; and
then take the other axis that you were doing, the economic
axis, from those things you don't worry about somebody
hitting over here, perhaps, in one level of industry all the
way over to the banking industry and security of those. And
both of those at the far end of that--the banking industry and
our national military command authority--both have to be
secured with the best that we have. And I think there is great
synergy here and great divergence at the other end.
Mr. Smith. Thank you. If you have something quick, I want
to make sure we keep moving to the other members. Mr.
Thornberry.
Mr. Thornberry. Thank you, Mr. Chairman. If we are
literally under attack every day and are to treat cyber as a
domain of warfare, like we have treated others, it seems to me
we have to have the legal, policy, and doctrine discussions as
well as funding, training, equipping, and all the things that
go with domains of warfare that we are serious about.
General Shelton, you mentioned the Air Force has been in
front on this. Does the Air Force have a specific plan to
implement what Secretary Gates talked about in quadrupling the
number of people trained in cyber warfare?
General Shelton. Yes, sir. We are moving out on adapting
courses--adopting courses. There are joint courses we are
pursuing that are already in place. There are new ones that are
standing up.
We are changing the way we train at our training centers,
both officer and enlisted, and also creating training
opportunities for our civilians. So the answer is, absolutely.
We are trying to expand our universe in terms of trained people
in this area.
Mr. Thornberry. But is that down to the point where there
is a piece of paper that shows, we are going to ramp up our
training to meet this specific number that he talked about that
has been signed off on?
General Shelton. We aren't there yet, sir, to the actual
numbers, but we do have a way ahead in terms of concept. But is
it numerically in place? It is not.
Mr. Thornberry. I am just trying to understand how far we
have gotten towards being serious--and I am not picking on you,
particularly--but just how far we have gone to being serious
about some of these tough issues.
General Alexander, to pick on you a little bit--not really
pick on you, but----
General Alexander. Thank you.
Mr. Thornberry [continuing]. But what are the policy and
legal issues that we need to be thinking about? I mean, a lot
of this is the stuff that is in you all's bailiwick, and we
have got to oversee the funding and so forth, but it seems to
me there are some legal policy issues that are our
responsibility. What are they?
General Alexander. I think one of the clear ones--what you
would expect us to do is to defend our networks, and we have
the right to defend our networks and to keep adversaries from
getting into our networks, to secure our classified networks
and all of that. And I think there is inherent right, and we
have the legal framework to go ahead and do that.
Here is where it starts to break down and where I think
you, with the administration and others--the discussion that we
are now going to enter into. I think once the 60-day review has
come up, and so now going back to the earlier question, so what
is that role and responsibility primarily with DHS [Department
of Homeland Security], because they will have to lead for the
rest of the dot-gov networks and for that partnership with
industry, so what is the legal framework for sharing threat
signatures with industry that are classified? How do we do it
at network speed so that it is defensible? And what is that
legal framework and what is that operational framework?
And those are areas that technically are easier to do than
they are to set the legal framework up, because you have
industries--for example, your antivirus community. If we give
them a classified signature, how do we ensure it is not given
out so widely that our adversaries have it when they are a
global antivirus community? Things like that we are going to
have to look at. There is a whole series of issues, I think, in
those realms.
Mr. Thornberry. Well, for example, when the Constitution
says Congress has the responsibility to declare war, what does
that mean when we are under attack every day? How do we deal
with warfare in cyberspace?
General Alexander. Well, I think the loose use of the word
``under attack'' and ``warfare'' is probably more accurately
described as people probing our network. We call that, I
think--others loosely call that an attack on your network, but
it falls short of what I think we would legally look at, and I
have got the head lawyer back there right behind me, so he will
raise his hand and make sure I say this right, but----
Mr. Smith. He was nodding his head. Let the record reflect
it.
General Alexander. This way, or this way?
Mr. Thornberry. Well, was Estonia or Georgia under attack,
and was their infrastructure under attack in a way that, you
know, gets closer to that declaration of war?
General Alexander. No, I think you are starting to--on
those you are starting to get close to what would be. The
problem that you have there is who. The attribution. And so I
think what you have is the inherent right to defend first, and
attribute, and preferably to do those at network speed. So what
we just agreed on, I think, if you agree with those two
statements to do those both at network speed, is the reason
that we need the defense, the exploit, and the attack to work
synonymously as a team at network speed to do just that.
Because if we don't--if we leave the defend, to defend
itself and they are getting hit over here and somebody says,
``Hey, did you know they are getting hammered? The Air Force is
getting hit on the network,'' we would say no, we didn't. It
has happened to our industry players. And so if you are not
aware of it you can't help mitigate it, you can't help
attribute it.
So that partnership has to come in. I think in the legal
framework it starts to go up to, when is it going from exploit
to damage? And in that change is where you go from what I will
call spying operations into warfare.
And there is, I think, a more specific set of terms that
would define those, and--did I get all that right, Bill?
Mr. Smith. Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
Gentlemen, thank you for your testimony here today.
To continue on that line, General Alexander, clearly the
tools available to us in cyberspace are very powerful. I know
the NSA, in particular, is very good at what we do. How far
down the road are we in really setting the rules of engagement,
and who and when do those decisions get made?
Clearly modern warfare has forever changed; we will never
have a conflict in the future that doesn't have a cyber
component to it. And where are we on that stage, you know, in
terms of where we escalate to the fact--to where we would
attack and cause great damage in response to an attack on our
own networks? Where are the rules of engagement at this point,
and who is going to make those decisions along the way?
General Alexander. Well, I think if you start out within
the defense community, those rules for defending, exploiting,
and attacking on the networks as part of war fall within the
Defense Department. I think we can easily envision--there was a
Chinese PLA [People's Liberation Army] statement in 1996 that
said something to the effect, ``If you want to attack the
United States, attack its banking system.''
Now, the issue--this complicates it and it puts us into
answering your question more accurately. It gives you an
understanding that it may not be the Defense Department that is
attacked.
But if we assume symmetrically that they would attack us,
the Defense Department, and the Defense Department would
respond back, you are now into one form. The issue, I think,
that realistically faces us, though, is that it would be
asymmetrical. It would go against our industry, and it might be
our critical infrastructure.
And then the question of the partnership between the
Defense Department, Homeland Security, and the intel community
has to be clear. We have to have laid out those rules and
walked through that. We are walking our way down that; we are
not far enough.
I think within the DOD we have laid out the legal framework
for what constitutes an attack, how we defend our networks,
what we do in that--specific to the Defense Department for DOD
operations, for example, on the war on terror.
But that is a very limited and a very focused set. I think
to really get to the heart of your question, you have to have
that partnership and we have to operate seamlessly across all
of those if we are going to be successful. And that is going to
take some work.
Mr. Langevin. In the CSIS [Center for Strategic and
International Studies] report, the commission that I co-chaired
and worked on with a number of others, one of the things--the
conclusions--that we came up with was that the president should
make clear that cyberspace and our cyber assets are a national
asset and that we will use full assets of national power to
protect it. Do you agree that it is time that we have, perhaps,
a cyber Monroe document that lays out clearly what our response
would be in terms of protecting our cyber assets?
General Alexander. I do.
Mr. Langevin. Let me add----
General Alexander. There is four others that--you want to--
I do. I think they do, too, but I don't----
Mr. Langevin. Anybody else?
General Alexander. But, I don't want to speak for
everybody.
Mr. Smith. I guess the follow up to that, what would be
involved in making sure that that is clear? Is there an
executive order that is needed? And following up a little bit
on what Mr. Thornberry was asking about in terms of your
authority to act--is that understood, or is there more action
that is needed to allow you to have that authority?
General Alexander. Well, I think what the 60-day review is
looking at is taken right from your study and others and
saying, ``So how do we start that at the top? What is the White
House role in doing that?'' And I think they are going to set
that up and say, ``Here is the White House role,'' and lay that
out.
So that is yet to be fully disclosed, and I think they have
got a couple more steps to complete that. But my gut reaction
is that they will do essentially where you are, so we have to
set up a national leadership for it at the White House. Roles
and responsibility to the Defense Department, DHS, our
partnership with industry, and our partnership with allies
needs to be clearly documented. And I think we have to start
walking down that road.
The follow-on question is, okay, so you have these--you
have the legal framework that we talked about, that has got to
come up. You have to have the operational framework. And I
would submit that first we have got to lay out operational
frameworks that will work.
There are operational frameworks that people can put on the
table that just don't make technical sense, so that is where
our partnership with industry really has to come to the
forefront. What technically can we do to secure those networks
with the Defense Department, the intelligence community, and
DHS, and industry, and then how do we take that--what do we
need legally to make that work? And I think we have yet to walk
through those, and I think the first step will be when the
White House puts out that 60-day study.
Mr. Smith. Ask a little bit about acquisition issues, and
maybe have the three individual services speak to their ability
to acquire what they need technologically, because there is the
challenge in the IT world that basically Moore's Law runs
headlong into the acquisition process. You know, things update
very rapidly, and yet it takes a couple of years to go through
the ability to acquire systems.
Now, I know reforms have been made to a certain extent
within IT to give greater flexibility to enable you to purchase
more equipment more quickly. How well is that working, and what
more do we need to do to make sure you are able to buy the
equipment that you need? And just if each one of you could sort
of give a little vignette from your experiences within your
individual service.
General Shelton.
General Shelton. Glad to start. You are exactly right. We
have a real challenge of what I would call an industrial age
acquisition process trying to operate in IT space, which is not
adequate. We have vehicles that we can use to acquire IT
solutions, and in many cases those are commercial off-the-shelf
products or commercial off-the-shelf products that we slightly
modify and adapt to our purposes. In some cases, the question
is scalability, but beyond that those solutions are there.
So I think we are in reasonably good shape from the overall
capability to acquire. It is that we don't often exercise that
capability the way we should, so----
Mr. Smith. Why not?
General Shelton. We sometimes revert to the way we have
always acquired. So we are forcing that inside the Air Force.
We are forcing that toward much different solutions, and we are
forcing an architecture that will allow much different
solutions----
Mr. Smith. Well, Mr. Carey, if you could talk a little bit
about Navy's experience with the Navy-Marine Corps Intranet,
which was a big transition system in terms of the software
being put in place--how difficult was that to acquire? Or just
more broadly within the same acquisition area, what challenges
are you facing? What do you think needs to be done to overcome
them?
Mr. Carey. NMCI [Navy Marine Corps Intranet], sir, was a
huge culture change to the department in the IT space. To move
from a system of lots and lots of networks controlled by
individual unit commanders or organizational commands through a
homogeneous, centrally-controlled network apparatus was just a
huge culture change, so it took some time to get there.
The acquisition process allowed us to get there----
Mr. Smith. Okay.
Mr. Carey [continuing]. In a reasonable amount of time, but
imagine that it is now the largest intranet in the world, so
grew from having hundreds of networks--we are not subsumed by
one--using the process.
Mr. Smith. Okay.
Do you have anything you want to add?
Mr. Krieger. Sir, I think your discussion on the
acquisition process not being agile is really a cultural issue.
Mr. Smith. Okay.
Mr. Krieger. So I think within the acquisition process,
both legislatively and regulatorily, the agility is there. This
is a cultural change for the department. Can we deliver spiral
capabilities--not a full capability--quicker and spiral it out,
versus the culture has been to deliver a completed product over
time?
Mr. Smith. Well, does that also feed into sort of how
personnel are rewarded and/or punished depending on how they do
things? That basically there is a culture that says, ``Hey, as
long as I am following the process, as long as I am going
through the acquisition process there I am good. If I step
outside of it I am in real danger''?
Because it strikes me that it would really take, you know,
creative personnel who understand IT to say, ``Hey, I need this
solution now. I am going to go do it, not go through the normal
process as empowered.''
And I can see where you might be limited within the
military concept, people saying, ``Look, if I do this, you
know, I am not going to be rewarded for it if it goes well and
I am sure as hell going to be punished for it if it doesn't go
well.'' Is there a problem with that in terms of changing how
we promote and reward behavior?
Mr. Krieger. Sir, I know within the Army in the current
global war on terrorism, we are at the point in the Army now
that when we generate a requirement from the field of JUONS
[joint urgent operational needs statement], and we document it,
we are delivering capability real quick now. And so I think
that culture is changing, and we certainly have soldiers, and
sailors, and airmen in need now, but we are discovering,
culturally, that it is possible to deliver IT quicker and
outside--within the system but not the traditional way that we
build airplanes and ships and things. And certainly there is
lots of examples in the current war where we have identified a
problem, we have documented the requirement, and we have
delivered spiraled-out capability.
Mr. Smith. Thank you. I very much appreciate it.
I will go to Mr. Miller and then I will go to Mr. Conaway,
who walked in right at the end of the questioning there, but we
don't want to get you out of the loop there, so we will go to
Miller, Conaway, and then back to the other.
Mr. Miller. Thank you, Mr. Chairman.
One brief question to General Alexander, if you would, in
reference to the new idea of the new sub-unified four-star:
Will DISA and NSA be rolled into the command and how will the
relationship between DISA and ODNI [Office of the Director of
National Intelligence] be affected?
General Alexander. It is not clear, in my mind, that it
would--it will not be rolled in, per se. I think that part--it
will be leveraged in the foundation for it. I think we have to
have the synergy between what NSA does for the intel community,
for what NSA does for the cyber community, and those are
inextricably linked.
So, specifically today, we have JFCC-NW at NSA, and as a
consequence of having them there at NSA they can leverage the
different offices that look globally to do their mission. I see
that--we growing that connective tissue between what NSA is
doing and what this command is doing.
I think there are some things that will be in common that
we are going to have to put in both in the concept that is
being looked at, and that is, how do we see cyberspace? An
integrated cyber operations facility. What is it that you see
for your defense? How do you see your network boundaries?
What do you see globally? What do our allies see? What is
going on on the network? And how do you mitigate and attribute,
going back to the question?
Because if you can't see it you are not doing it in real
time. So how are you doing that in real time? How are you
bouncing those back and forth?
So what I imagine will happen is, we will put the pieces
together at Fort Meade, at least in the recommendations and the
thing that is under consideration, and then look at how you
build the command to specifically do cyber operations,
leveraging what NSA brings in network exploitation. And I think
that is the key part, is to have them coexist.
In that respect, the DNI [Director of National
Intelligence] is comfortable and a proponent for it, because it
does both. I think it is good for both of us and we can do
both, in that regard.
The second question--the logical question that stems out of
that, and what is your relationship with DHS because they need
some of the same support? We see that that is a foundation that
DHS can lean on--a technical foundation--while DHS takes on its
missions to operate and defend the rest of the dot-gov
networks.
Mr. Smith. Thank you. Mr. Conaway.
Mr. Conaway. Thank you, Mr. Chairman. Since I just got here
I will not replow----
Mr. Smith. Thank you. Mr. Marshall.
Mr. Marshall. Thank you, Mr. Chairman. I would like to
return to the line of questioning that I had when I was--just a
minute ago, and it is again, where is it that you perceive the
private sector's interests, motivation diverging from ours?
And General Alexander, you described, you know, a private
sector company that might be able to--that had a similar
interest because billions of dollars are at stake, or very,
very sensitive information was at stake so they wanted to
protect that information. And being able to harden itself, and
its use probably more so than we could, practically speaking,
given the cost associated and given the kind of uses that we
have to make of information technology across the military.
But can you give other examples that would help me
understand how they diverge, and would--this is a question to
all members of the panel, not just General Alexander.
I know, Mr. Lentz, you were about to say something and I
had run out of time.
Mr. Lentz. Well, I can give you a couple examples of that.
I think the biggest challenge we are going to have--and I think
the laptop example that you alluded to in the beginning is a
good example of that--when we did our data-at-rest encryption
policy, we went out to industry, established a standard, we
worked with industry to figure out where that bar for security
needs to be and where they can meet that bar at the cost and
operational effectiveness that meets both entities' standards,
for them to make a profit, but also for us to be able to get
the most secure capability out in the field.
We did that very quickly over the course of several months.
We developed the standard, and we have 12 companies that bid
competitively for that process.
The cost for a data-at-rest piece of software license would
normally cost you $200 if you went and got it yourself. Because
of this competitive standard-based process, we dropped the cost
to less than $10 per software license. Now, that is an example
where we had convergence.
Now, as the bar goes higher in cyberspace because the cyber
threat is increasing exponentially, we have to work with
industry to build in much more robust capability. And that is
not just dealing with encryption, but all the aspects that go
around hardware and software.
And that is where industry is going to have a more
difficult time, because as that bar gets raised, their profits
start to decrease. And that is where we have to look at the
government-private sector partnership to figure out how we can
get that bar raised in a cooperative way, at the same time
maintain the competitive acquisition process.
General Alexander. My experience with industry, though, is
there is more convergence than there is divergence. They see
the obvious rationale for securing the networks just like we
do.
More importantly, they also see that they, in part--many of
the industry folks that I have talked to said, ``We need
government support here.'' I don't think they want government
compelling them to do things on the network, but I think they
need government support in securing it and developing a
framework--a technical framework--that is securable.
That is probably going to be impossible, so how do we get
as close to that as we can? I think industry is absolutely
looking for partnership with government and with our allies
setting up some solution like that.
So my experience has been almost completely convergent in
that regard. I have not seen--I asked one industry, I said,
``Why don't we give you this problem?''
They said, ``We can't afford to do it without government
support.'' That was the only divergence.
We said, ``Well, this would be one that we would throw
over. Critical infrastructure--that is an industry thing. Why
don't you take care of it?'' And they said----
Mr. Marshall. So, industry interest is not broad enough to
justify the cost, is in essence what you are saying, and so to
the extent that we have got to have a certain level of security
or capability, industry is not necessarily going to generate
for us because either there are too many defeatist characters
competing with one another with different products, and
consequently different companies looking at those different
products, or there are just not enough companies that are that
interested in that level of security or capability?
General Alexander. Banking industry clearly has a
compelling need to create that existing secure infrastructure,
and they are working hard to do that. There are things that
government and industry--and that industry--could work together
to make it even better. Your electrical power grid and some of
your other ones are low cost when you look at the network.
So the power companies that are going to have to go out and
change the configuration of their networks, that is a cost that
if you take what Bob was saying, one further step, now to
upgrade their networks to make sure they are secure is a jump
in cost for them, and now you are going to have to work through
their committees, through the regulatory committees to get the
rate increases so that they can actually secure their networks.
So when you talk to the power industry, as an example, that
is one where you are not going to look at, so how does
government--because we are interested in perhaps having
reliable power--how do we ensure that that happens as a
critical infrastructure? So DHS and that critical
infrastructure have to work together to walk through that.
Mr. Smith. Thank you.
Mr. Thornberry----
Mr. Thornberry. Let me give the Army and Navy a chance to
answer what you all's services are doing to train, equip,
develop career paths for cyber warfare. Do you have cultural
difficulties there, too, particularly in whether you see cyber
as an enabler for the things that you are already doing or a
domain of warfare on its own.
Mr. Krieger. Sir, you raised a very good issue, and the
Army is trying to come to grips with that right now and
studying it, and we have got a study going on by TRADOC
[Training and Doctrine Command] to figure out what we want to
do, both at the officer level and the warrant officer level and
the soldier and NCO level.
The question is exactly on target. I don't have an answer
yet, but that is what we are trying to figure out.
Mr. Carey. We believe that everyone that engages the
network becomes a cyber warrior at some point. If you are going
to touch the network, you are involved in something that is
greater than you might have actually thought. So changing that
culture, as my colleagues have said, is something that we are
working on very diligently right now as we move into our next
generation network environment, and that we are bringing on
more people to operate in this domain, both in the uniform side
and the civilian side, to allow ourselves that span of control
that we don't have right now inside the department.
Mr. Smith. Thank you.
I had one more line of questioning, but Mr. Conaway, go
ahead.
Mr. Conaway. Well, thank you, Mr. Chairman.
A few of us are working on an acquisitions panel issues,
and I was just wondering, Mr. Lentz, can we use the acquisition
regulations and practices to incent defense contractors to be--
their cyber warfare posture, to make sure they are compliant or
that they are protected as they need to be to handle our data
and handle our work? Is that an appropriate use of those?
Mr. Lentz. Yes. We are working with AT&L [Acquisition,
Technology, and Logistics] to look at the----
Mr. Conaway. AT&L?
Mr. Lentz. I am sorry. The acquisition organization in DOD.
Mr. Conaway. Okay.
Mr. Lentz [continuing]. To look at modifying the defense
acquisition regs and the federal acquisition regs for including
stronger language in there regarding meeting certain security
benchmark standards in terms of protecting information that
resides on their networks. That is something we are doing right
now.
Mr. Conaway. And you think you will get pushback from the
contractors on this deal?
Mr. Lentz. No, we are not. In fact, they are asking for
that language. No problem.
Mr. Conaway. All right.
And then, General Shelton, when you guys set up your cyber
command, can you walk us through the rationale between why that
was a numbered air force versus a four-star command?
General Shelton. Sure. As we first started to look into
this, we said a major command seemed appropriate because that
is how we organize, train, and equip in the Air Force. But then
as we thought more about it, we said, we are really about how
do we operate? And the way we operate in the Air Force and
present forces in the Air Force is through numbered air forces.
So if we are really all about trying to provide cyber
operations for joint employment, it is more appropriate for a
numbered air force. And then the organize, train, and equip
aspects can be subsumed by Air Force Space Command. So that was
the rationale.
Mr. Conaway. Okay. And you are comfortable with--the Air
Force is comfortable, so far, that that was the right decision?
General Shelton. Absolutely. Very comfortable.
Mr. Conaway. Thank you, Mr. Chairman.
Mr. Smith. Just quickly--in terms of personnel, we talk in
this committee each year about the challenges of making sure
that you have the best and the brightest folks who understand
the IT infrastructure, because it is a constantly evolving
thing. Whatever the systems, it really comes down to people and
their ability to adapt.
Just, you know, if anyone has initial thoughts. I don't
know who would be best to comment on this, so I will throw it
open to all of you. You know, how are you doing in terms of
recruiting the personnel that you need to do the IT work that
you need to get done?
Mr. Lentz. I can start out, and then----
First of all, and I know, Congressman Thornberry, your
interest is on target regarding the fact that within the
Department of Defense we have over 90,000 personnel that we
have identified working with the services and agencies that are
deemed to be cyber warrior-type individuals. Now, these are sys
admin, that manage the system, and network administrators that
have part-time jobs both to defend the network as well as to
administer, and you can't separate those functions.
Ninety thousand. We have a plan that we are 2 years into to
certify all 90,000, and we right now have a goal by the end of
this year to be at 45 percent. And so that is a major goal.
The other thing we are doing is we are adding highly
specialized skills on top of them, in light of the cyber events
that we have talked about, and that will add another layer of
more highly skilled cyber warriors that will go to schools,
like in Pensacola and Maxwell and Fort Gordon, possibly, to be
able to get more in-depth training working with the National
Cryptologic School at NSA and other institutions.
The fill rate overall--I will let the services comment on
that--but what we are seeing right now is, the fill rate for
those cyber warriors is a fairly good rate. We are seeing over
90 percent, in terms of those positions that we are talking
about right now, which, by the way, are contractors, civilians,
and military personnel.
Mr. Smith. All right.
I guess just in general, in any----
Go ahead, General. Sorry.
General Shelton. Sir, I was just going to say, in terms of
technical expertise we have, certainly, a concern, along with
everyone else in the nation, that there is just not that many
people coming out of our schools that are prepared for the
technical-type work. They don't have the educational
background, haven't studied math, engineering science, those
sorts of things. So we join the course of many--this is a real
problem for us.
Mr. Smith. Yes.
Gentlemen, do you have anything to add to that?
Mr. Carey. All I would add is that we are all competing for
that limited resource----
Mr. Smith. Right.
Mr. Carey [continuing]. Whether it is industry, Army, Navy,
Air Force, Marines, we are all competing for that. And so there
has not been a challenge that we have seen yet, but we will be
ramping up for the coming months so we will have more
information somewhere in the fall.
Mr. Smith. Okay. Thanks.
And General Alexander, I just want to follow up quickly on
the interagency aspect of cyber security. And I think from this
panel we have got a pretty good idea what the DOD is doing. How
do you interact--you touched on it a little bit--I mean,
Homeland Security theoretically is the lead agency for the
interagency piece of cyber security.
Does DOD sort of, you know, exist in their own world and
work on their own systems while Homeland Security is dealing
with the other aspects of it? What is the integration? How is
that working?
General Alexander. Well, for offensive operations we have a
joint task force--joint interagency task force--which brings in
all the players. We have great partnerships with FBI, CIA, and
others, DHS. They sit on these panels--State Department--and
look at the options and where we are, and I think that is well
run.
Where I think there is work to be done, the U.S. CERT is
growing rapidly, which is the DHS element that would actually
do the computer emergency response team's job for the rest of
the dot-gov, is taking that on in a way analogous to what the
Joint Task Force-Global Network Ops and the CERTs under it does
with the services. So there is some room to grow in the rest of
the dot-gov to catch up where I think the Defense Department is
today.
Within the intel community, I think they have a strong
network security program so that that is running pretty good.
What is lacking today is an integrated defense where you can tip
and cue between the different government entities and agencies
at network speed to defend elements of it, and that is one of
the things we are going to have to grow, which I think DHS
would leverage what the intel community and the DOD has today,
both technically and the real time alerting and cuing. Think of
that as a radar system for cyber security.
Mr. Smith. I had one more question, but I wanted to see if
any of my colleagues had anything further.
Mr. Marshall. I do.
Mr. Smith. Go ahead, Jim.
Mr. Marshall. Thank you.
I am continuing the same line. So, different possibilities
here--we have got a requirement that needs to be met that we
have identified. Industry has already met that requirement, so
we go out and we acquire either the software or the hardware
and that takes care of that.
We have a requirement that has not been met by industry as
well, and it is the banking industry. And the banking industry
recognizes this need to secure billions and billions and
billions of dollars of exposure that it would otherwise have.
Or it is the up--you know, hardening the defense of the
electrical grid, which has all these collateral public and
private possible consequences if, in fact, there is a failure,
that an attack is successful.
Could you describe--is there a difference in the way we go
about trying to figure out the partnership and who carries what
load in--here is the banking system. It is going to get there,
and you know it is going to get there because there is just too
much at stake. It is the brightest people in the world they are
able to hire, and they are going to pay them big bucks, and
they are going to get there.
But they would love to have us step up to the plate and pay
for it. You know, that just makes more money for them. So there
is obviously a give and take as we discuss with the banking
system or banking industry who is going to do this.
And then, where the electrical grid is concerned, they kind
of go, ``Well, you know, we don't need that kind of level of
security. That requirement is not one that we want to meet. We
will take a chance on the grid going down and we will just send
our guys out there and fix it. You know, actually, they might
make some money. It might be better for us, in a sense, if the
grid goes down.''
Could you describe how you deal with those two different
kinds of circumstances in order to figure out who carries the
load? Well, at this--where we are talking about electrical
grid, who winds up paying the freight, okay?
General Alexander. I think DHS would have the lead in
orchestrating that with the Critical Infrastructure Protection
Advisory Committees that they have, the CIPACs, that go across
each of those. And in the banking industry, it would be a DHS-
Treasury partnership to look at how we do it with other players
in the community. So I think you have got DHS in the lead.
The interesting part that you have put on the table is that
there may be things that the government technically knows that
would be useful to industry to secure their networks a degree
beyond where they are today. How do we do that without risking
some of our nation's crown jewels, but ensuring their
protection?
And that is one of the things where I think the partnership
between DHS and DOD is going to have to be laid out, and I
think it is being worked. So there is, right now--DHS has set
up a good framework for critical infrastructure protection, and
they have a framework for cyber throughout that.
They work and they actually partner with DOD and the intel
community in those regards, and I think they would draw on
that. I don't know that anybody has come down clearly and said
the different roles--I don't think they are at that point where
they could define specifically the roles.
I will pass it over to Bob.
Mr. Lentz. Well, I think that is exactly the answer. I
think where DHS has set the framework up under their National
Infrastructure Protection Plan, and they are working and we are
supporting, as an example with the financial sector, we work
through Treasury and we compare technologies and techniques and
procedures that we are using, and trying to raise that bar.
And then as you work some of these other sectors, the
interesting challenge is going to be, like you addressed, is
going to be at some point they may say, ``That is enough. I
can't subsidize this level of protection any longer, especially
against a nation state.''
And therefore, we have to have a mutual dialogue at the
highest levels of the government with industry to determine,
how are we going to get that bar to a level we are all
comfortable with? And that is going to be the interesting
discussion in the future.
Mr. Marshall. Thank you, Mr. Chairman.
Mr. Smith. Thank you.
Just one final question. Mr. Thornberry had mentioned the
attacks on Estonia and Georgia, which really sort of got
everyone's attention about what can go beyond, you know, some
of the more basic stuff that we face. And obviously, you know,
our main concern right now is data-mining--people accessing our
network and pulling out information out of it as opposed to
affirmatively attacking the network.
But in looking at what happened in those two countries, how
vulnerable are our DOD networks to similar attacks? How
confident are you that we have the, you know, system set up to
withstand that type of an attack?
General Alexander. I think a distributed denial-of-service
attack from botnets, like you saw in Estonia, if large enough,
would really hamper any network today, including the defense----
And the issue is, how do we grow a defense in depth to
ensure that we don't have that? So that is where our allies and
partnerships with our allies is going to become crucial.
If you try to defend it at your gateway, you surely will
lose on that. And so you are going to have to have a defense in
depth for that type of attack specifically.
Mr. Smith. Forgive me. Walk me through a defense in depth,
what that means exactly, in terms of what you try to do to
prepare.
General Alexander. So you would have--if you just look
globally at the global network, instead of trying to stop all
the stuff here, you might want to shut them down at the point
of origin or somewhere in between, and that means that your
offense and your defense are going to have to be partnered
together to do that.
Mr. Smith. Okay.
General Alexander. I think that is the only way you are
ever going to--I think we are going to be forced into operating
like that in the future, and the consequences of that jump--the
intellectual jump--is developing the tactics and techniques and
procedures that I briefly discussed earlier.
Mr. Smith. Gentlemen, anybody else want to comment on that,
in terms of the security of your systems?
General.
General Shelton. Yes, sir. Just one comment. What we are
trying to do is implement some tight security on our networks,
so when somebody comes onto the network we make them put a card
in, we make them enter a code, and in the future probably have
some sort of biometric so we know exactly who that is and we
know exactly what permissions they have got, what data they
have got access to, and somebody outside that realm can't have
that access.
Mr. Smith. Right.
General Shelton. So you are defending inside as opposed to
defending at the wall. That is the architecture----
Mr. Smith. Right. And how, I mean--that is really hard with
all the different people on the network. There are so many
different access points to the network. But I guess that is
more of a statement than a question, but you are working on it.
Anybody else?
Well, thank you very much. That was very, very informative.
Look forward to working with you on this issue going forward.
Thank you all for your testimony and for answering our
questions. Thanks.
We are adjourned.
[Whereupon, at 5:12 p.m., the subcommittee was adjourned.]
=======================================================================
A P P E N D I X
May 5, 2009
=======================================================================
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
May 5, 2009
=======================================================================
[GRAPHIC] [TIFF OMITTED] T7218.001 through T7218.068
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
May 5, 2009
=======================================================================
QUESTIONS SUBMITTED BY MR. SMITH
Mr. Smith. Knowing that our IT adversaries are becoming more
complex, what steps is the Army taking to protect our wireless
communications?
Mr. Krieger. The Army places tremendous focus on Transmission
Security (TRANSEC) in order to protect our wireless communications from
detection and interception. To mitigate this increasingly adept and
complex threat we maintain rigorous Certification and Accreditation
programs for our IP based networks; including routine network scanning
for unauthorized wireless access points and systems. Technical
mitigation strategies are used to reduce the probability of detection
and interception of our FM tactical communications systems. Encryption
is used on our FM and IP networks using NSA approved type 1 encryption
while traversing the wireless spectrum. Additionally, the Army is
leveraging OSD's cooperative program with major defense contractors to
identify and remediate efforts to exploit wireless communications
network vulnerabilities.
Mr. Smith. What is the process for remediating a hardware or
software vulnerability identified during an information assurance
vulnerability assessment? Are there institutional processes and funds
available, or are you forced to ``take this out of hide.''
Mr. Krieger. The Army participates in the DOD Information Assurance
Vulnerability Management (IAVM) program which identifies and resolves
discovered vulnerabilities in systems and platforms. It requires the
completion of four distinct phases to ensure compliance. These phases
are: (1) vulnerability identification, dissemination, and
acknowledgement; (2) application of measures to affected systems to
make them compliant; (3) compliance reporting; and (4) compliance
verification. This program includes Information Assurance Vulnerability
Alerts (IAVAs), Information Assurance Vulnerability Bulletins (IAVBs),
and technical advisories. The Army Global Network Operations & Security
Center (A-GNOSC) is the Army's focal point for coordinating the
mitigation efforts for identified vulnerabilities across the Army.
While institutional processes are used and some centralized support is
available, the Army still is required to ``take out of hide'' resources
in order to mitigate information assurance risks.
Mr. Smith. What are you doing in the Services and OSD to develop a
career cyber force?
Mr. Krieger. The Army is evaluating the current force and comparing
it to the requirements of the proposed cyber force. Once the analysis
is completed, the Army will develop a management program to meet the
requirement.
Mr. Smith. What incentives are available to recruit and retain the
types of individuals you would like to attract to the military cyber
corps? Are there other incentives that you would like to be able to
offer, but do not currently have the authority to provide?
Mr. Krieger. The Army continually reviews its incentives for
recruiting and retaining individuals who have critical skills. The Army
manages its resources to achieve the best possible outcome. If given
additional resources the Army could increase its ability to offer more
incentives to achieve a better outcome.
Mr. Smith. What kinds of leap-ahead technologies do you believe we
need to be investing in?
Mr. Krieger. Technologies which can provide the Army with a
superior advantage to prevent, detect, analyze, and respond to threat
events at network speed.
Mr. Smith. The outsourcing of NMCI resulted in an outsourcing of
much of the brains of the Navy, especially with regards to technical
and architectural designs and senior-level technology management. What
is the Navy doing to rectify that situation?
Mr. Carey. Although NMCI caused a shift in responsibility for core
network operations to industry, the Navy and Marine Corps retained a
significant amount of technical, architectural and technology expertise
supporting other networks, including afloat, overseas, in-garrison,
medical, educational, and research and development networks. One of the
principal concepts of the Next Generation Enterprise Network (NGEN)
program is to restore the decision-making, design control and oversight
to the DON. A modest recruiting campaign for network talent will
commence in Fiscal Year 2010, and we have established a comprehensive
training and education strategy embodied in our IT of the Future
program. As the DON implements the concepts of the Naval Networks
Environment 2016, prioritized decision making, design control and
oversight positions will be filled by members of the government
workforce.
The DON will also partner with other organizations, including the
Defense Information Systems Agency (DISA), the Defense Advanced Research
Projects Agency (DARPA), and other DOD Services and Agencies for
analysis, best practices and lessons learned. Finally, private sector
design development and technological expertise will continue to support
government workforce decision making and oversight.
Mr. Smith. What is the process for remediating a hardware or
software vulnerability identified during an information assurance
vulnerability assessment? Are there institutional processes and funds
available, or are you forced to ``take this out of hide.''
Mr. Carey. The DON fully supports the IAVA process as a tool by
which we can improve our network security posture. Institutional
processes are in place if vulnerabilities are found during a
vulnerability assessment. This guidance can be found on the DISA
Information Assurance Support Environment page located at
http://iase.disa.mil/index2.html. Specific actions are provided in the DISA
IAVM Handbook. The DON provides additional guidance within our IA
Policy document and our IA Manual.
When a vulnerability notice has been issued by the JTF-GNO/
NetDefense, the DOD Vulnerability Management System (VMS) sends email
notices through command channels to the individuals responsible for the
affected assets. Notices are also sent to all IA Managers and
organizational oversight users. The VMS notice directs users to access
the JTF-GNO/NetDefense Web Page to obtain detailed information on the
specific vulnerability.
Funding for routine hardware/software support is part of the annual
IT support budget for most programs. If an upgrade is required that is
outside the scope of the support contract, then funding for these
``previously unknown'' vulnerabilities must be found using the DON
process for conducting budget trade analyses.
Mr. Smith. What are you doing in the Services and OSD to develop a
career cyber force?
Mr. Carey. DON is working closely with DOD leadership and the other
Services to determine the scope, missions, functions and tasks relevant
to the cyber workforce. We are working with operational organizations
including the National Security Agency (NSA) and the new U.S. Cyber
Command to determine DON roles and responsibilities and to implement
the DON command and control necessary to support cyber operations. We
are also exchanging information on manpower, personnel, training and
education requirements and solutions development with DOD and the other
Services to leverage work done by others as we determine the best means
of meeting DON cyber missions.
The Secretary of the Navy has issued policy that designates the
Under Secretary of the Navy as the DON Chief Cyberspace Officer, with
the DON CIO and the DUSN as his chief advisors for CND/CandA/CNE. The
document also directs the Chief of Naval Operations and the Commandant
of the Marine Corps to establish organizational constructs for cyber
operations and to maximize training and education efficiency in
cyberspace career fields. Additionally, the policy directs DON CIO to
work directly with DOD and DON cyberspace leadership to develop
workforce policy and guidance and to work with the Assistant Secretary
of the Navy for Manpower and Reserve Affairs to track and measure the
effectiveness of cyberspace manpower, personnel, training and education
efforts.
Both the Navy and Marine Corps headquarters staffs are working to
document cyber manpower, personnel, and training and education
requirements. This team includes professionals from each of the
communities that supports cyber operations and reports to the Chief of
Naval Operations or the Commandant of the Marine Corps.
The Navy is the executive agent for the Joint Cyber Analysis Course
attended by personnel from all Services. Additionally, the DON
participates in the DOD Information Workforce Improvement Program which
provides Joint opportunities for Information Assurance training and
certification.
Mr. Smith. What incentives are available to recruit and retain the
types of individuals you would like to attract to the military cyber
corps? Are there other incentives that you would like to be able to
offer, but do not currently have the authority to provide?
Mr. Carey. The Navy has the authorities available to recruit and
retain cyber professionals. In the execution of attracting and
retaining cyber professionals we will leverage accession and retention
incentives where appropriate. Accession bonuses, critical skills
retention bonuses, scholarship for service, fellowships and post-
graduate education all remain important tools that can be utilized to
recruit and retain our cyber corps.
Mr. Smith. What kinds of leap-ahead technologies do you believe we
need to be investing in?
Mr. Carey. The DON will seek to invest in and deploy emerging
technologies that enable collaboration and increase the security of our
networks. New technologies and capabilities, such as IPv6, self-forming
wireless mobile networking (for people on-the-move, IP sensor networks,
etc.), and Web 2.0 tools present opportunities worthy of investigation.
The DON must also explore the use of virtualization and cloud
computing. Many organizations both within and outside the DOD are
examining the use of ``private clouds'' to reduce costs, increase
security and lessen the environmental impact of IT. Additionally, we
must focus on Identity Management and Attribute Based Access Control as
they increase security and enhance information sharing.
New technologies are becoming available at a rapid pace, and while
our unique position requires that we be selective in which tools we
implement, we continuously look for ways to increase security, promote
collaboration and improve the mission effectiveness of our operating
forces.
Mr. Smith. What is the process for remediating a hardware or
software vulnerability identified during an information assurance
vulnerability assessment? Are there institutional processes and funds
available, or are you forced to ``take this out of hide.''
General Shelton. Remediation of hardware or software
vulnerabilities is dependent upon type and severity of the
vulnerability identified. Every organization conducting an information
assurance vulnerability assessment requires local operating
instructions governing remediation steps for that particular
organization and for specific vulnerability levels. Institutional
processes for remediating discovered vulnerabilities are defined in
United States Strategic Command's Secure Configuration Compliance
Validation Initiative and are inherent in the assessment tool used. No
additional funds are needed because on-site vulnerability assessment
personnel and system owners work together to remediate identified
vulnerabilities.
Mr. Smith. What are you doing in the Services and OSD to develop a
career cyber force?
General Shelton. The Air Force is establishing dedicated officer,
enlisted and civilian cyber operations career fields to meet Joint and
Service cyber missions. Additionally, we continue to participate in
robust inter-Service dialogue and OSD efforts to develop DOD-wide cyber
career force guidance.
Mr. Smith. What incentives are available to recruit and retain the
types of individuals you would like to attract to the military cyber
corps? Are there other incentives that you would like to be able to
offer, but do not currently have the authority to provide?
General Shelton. The Air Force has many incentives available to
support recruiting and retention, to include enlistment and
reenlistment bonuses, undergraduate and graduate education benefits,
and education with industry opportunities. At this time, we believe
existing authorities and incentive programs are flexible enough to
support cyber recruiting and retention efforts.
Mr. Smith. What kinds of leap-ahead technologies do you believe we
need to be investing in?
General Shelton. Cyber technologies are a pervasive set of
technologies that cannot be developed in isolation from the entire
national enterprise. Communication is the foundation of effective
national governance and current and future warfighting capabilities. As
a result, cyber leap-ahead technology development is not being done in
isolation by the Air Force. Future technologies could include self-
generating communication networks that adapt to network attacks,
advanced computing including quantum computer architectures and optical
networks for its ability to transmit very large volumes of data over
long distances. Additionally, information fusion and multi-level
security could enable early detection of cyber attacks.
Mr. Smith. In an age of increasing outsourcing and globalization,
can you describe the threat to the software and hardware supply chain?
What are we doing to mitigate the risks to the global supply chain?
Mr. Lentz. While globalization has many economic benefits, it also
provides increased access and opportunity for malicious actors to
manipulate information and communications technology (ICT) products and
services to gain unauthorized access to otherwise closed-off
technologies and services. The multi-tiered, global nature of our ICT
supply chain means that the government has suppliers that it may not
know and may never see. With less insight into their security practices
and less control over how they conduct their business, the global
supply chain may make the U.S. Government (USG) more vulnerable to a
sophisticated adversary who can use security gaps in the global supply
chain to alter or steal data, disrupt operations, or interrupt
communications.
Threats to the ICT supply chain can affect both software and
hardware products. Software is growing exponentially in size and
complexity, which creates assurance challenges. In addition, software
design, development, testing, distribution, and maintenance can also be
done more inexpensively offshore in easier reach of malicious actors.
Security of the ICT supply chain can also be compromised by
untrustworthy or counterfeit microelectronic components. The
semiconductor industry has increasingly moved toward offshore or
foreign-owned semiconductor component production. This trend creates an
increasing threat to the U.S. as the potential for unauthorized design
inclusions to appear on integrated circuits used in military
applications increases. Furthermore, counterfeit ICT products have the
potential to fail unexpectedly and prematurely, which may cause the
mission critical systems in which they are used to malfunction.
The national security concern regarding the global marketplace is
that software or microelectronic circuitry may include deliberately-
inserted malicious logic or ``malware'' that an adversary might slip
into a computer system to steal or corrupt data or disrupt the system.
The malware might act immediately, or it may be designed to lie dormant
until it is activated by a future signal. Buried in the millions of
lines of code that comprise the modern computer application, such
malware is difficult to detect with malware protection applications,
and no one may be aware of its existence until after the damage is
done.
DOD approaches supply chain risk management (SCRM) through a
defense-in-breadth strategy--a multi-faceted risk mitigation strategy
that seeks to identify, manage, mitigate, and monitor risk at every
stage of the system or network lifecycle, from product design to system
retirement. DOD is actively working to ensure that policies and
processes are put in place to raise awareness of the risk, empower
acquirers to make informed decisions when they procure and integrate
ICT products and services, and arm acquirers with practices and tools
necessary to mitigate risk when ICT products are used across the
government.
DOD is incrementally implementing SCRM through pilots in fiscal
year (FY) 2009 and FY 2010 and will be fully executing SCRM by FY 2016.
In addition, the Department is analyzing existing regulatory and
legislative authorities to provide guidance on the use of SCRM in
procurement planning and decision making, and to recommend proposed
clarification of DOD authorities to reduce litigation risks associated
with managing supply chain risk during acquisition. DOD is also
collaborating with industry to develop standards and best practices
that recognize security challenges in commercial global sourcing.
Finally, under the Comprehensive National Cybersecurity Initiative, DOD
is working with other federal agencies to develop a multi-pronged, USG-
wide approach to global supply chain risk management where best
practices, risk mitigation techniques, and lessons learned are shared
and the overall risk posture of the USG is enhanced.
Mr. Smith. How might we better utilize acquisition regulations and
contracting clauses to better enforce the cybersecurity posture of our
defense contractors?
Mr. Lentz. DOD plans to publish an Advance Notice of Proposed
Rulemaking (ANPR) in the near future to obtain public input on needed
changes to the Defense Federal Acquisition Regulation Supplement with
regard to safeguarding and cyber intrusion reporting of unclassified
DOD information within industry. The establishment of minimum
safeguarding requirements for unclassified DOD Program Information on
Defense Industrial Base (DIB) partner networks will identify cyber
security as a standard practice, and address vulnerability to
compromise, loss, or exfiltration of unclassified DOD Information.
Mr. Smith. What is the process for remediating a hardware or
software vulnerability identified during an information assurance
vulnerability assessment? Are there institutional processes and funds
available, or are you forced to ``take this out of hide.''
Mr. Lentz. The Department's Information Assurance Vulnerability
Management (IAVM) Program is specified in Chairman of the Joint Chiefs
of Staff Manual (CJCSM) 6510.01 Change 2, dated 26 Jan 2006. This
policy provides reporting and compliance guidance for publishing
Information Assurance Vulnerability Alerts (IAVAs) for all Combatant
Commands, Services, Agencies, and Activities (CC/S/As). IAVAs address
immediate threats to the Department's Global Information Grid. IA
vulnerabilities, whether they be in the form of IAVAs or found during
routine evaluations, are tracked in a Vulnerability Management System
(VMS) managed by the Defense Information Systems Agency. In support of
this policy, each CC/S/A must report acknowledgment, mitigation, and
expected correction date to the VMS database. All systems must either
be patched or have an approved Plan of Action and Milestones (POA&M)
for mitigations to be implemented. Vulnerability assessments not only
address cyber vulnerabilities, but also identify out of date software,
physical security problems, and system configuration issues, etc.
In addition, DOD Instruction 8510.01, ``DOD Information Assurance
Certification and Accreditation Process (DIACAP),'' dated 27 November
2007, identifies detailed life cycle support requirements for
information systems and addresses high-level procedures related to the
Protect; Monitor, Analyze, and Detect; and Respond phases of the
computer network defense lifecycle. In support of this policy, the
Program Manager or System Manager for DOD information systems is
responsible to plan and budget for IA controls implementation,
validation, and sustainment throughout the system life cycle, including
timely and effective configuration and vulnerability management.
While there is generally no separate funding set aside for
vulnerability mitigation and related actions by CC/S/As, system
mitigation efforts are considered and funded as a normal part of the
CC/S/A network defense operations resources and budgeting process.
Ensuring adequate life cycle sustainment resources are available is a
planning, programming, budgeting, and execution process role of the CC/
S/A as identified in the DIACAP. In order to facilitate standardization
of vulnerability mitigation capabilities and to leverage the use of
common tools, DOD currently has an enterprise software license
providing tools that enable automated vulnerability scanning and
remediation.
Mr. Smith. What are you doing in the Services and OSD to develop a
career cyber force?
Mr. Lentz. The DOD is currently working with the Services,
Agencies, Joint Staff, and STRATCOM to develop baseline cyber workforce
standards. The current model for these standards is the DOD 8570.01-M
``Information Assurance Workforce Improvement Program''. The basic
requirements for developing a career cyber force include:
    Defining baseline position descriptions based on functions
    Identifying positions in manpower databases
    Specifying baseline training and/or certification
      requirements aligned to the functions performed by the positions
    Continuous education, training, and participation in
      exercises to maintain and expand skills
Mr. Smith. What incentives are available to recruit and retain the
types of individuals you would like to attract to the military cyber
corps? Are there other incentives that you would like to be able to
offer, but do not currently have the authority to provide?
Mr. Lentz. Current incentive authorities available to provide cyber
qualified members:
    Enlistment and reenlistment bonuses
    Accelerated promotion opportunities
    Recognition programs such as special patches or badges
      for Cyber qualified personnel
    Specialized training and education opportunities
The DOD IA Scholarship Program is a proven retention tool for Cyber
security military personnel. Since the program's inception in 2001, DOD
military personnel have pursued master's or PhD degrees in IA related
disciplines. Graduates are working full time in strategic positions
across the Department. All of the Services have participated to some
capacity.
Other potential incentive authorities for consideration:
    Authorize specialty pay for cybersecurity certified
      personnel
    Authorize specialty pay for cyber warfare qualified
      personnel (once defined)
Mr. Smith. What kinds of leap-ahead technologies do you believe we
need to be investing in?
Mr. Lentz. The philosophy explored by leap-ahead is that, while
some progress on cybersecurity will be made by researching better
solutions to today's problems, some of those problems may be too hard
to solve; we need rather to leap over them by finding a way to make
them irrelevant. This latter approach we call changing the game, as in
``if you are playing a game you can't win, change the game!'' Most of
today's research, development, technology and engineering (RDT&E)
efforts are focused on ``playing today's game better.'' But, since our
adversaries have an advantage in today's cyber ``game,'' we advocate
investment in RDT&E that moves us away from having to play that game,
in other words, moves us towards a cyber environment where our security
does not depend on the solution of today's intractable problems. To
understand this paradigm shift, we can look at three areas which can
yield game change in a reasonable time frame and which would be very
useful to the DOD.
1) Today's game: eliminate vulnerabilities which enable
penetration;
Tomorrow's game: reduce consequences of penetration
Today users and their applications are our front line of defense
against adversaries. Malware enters our systems through vulnerabilities
in the applications with which we access the Internet, or is invited in
by users who unwittingly download malicious attachments onto enterprise
systems. Though we struggle to keep browsers patched and users aware of
the latest spear phishing attacks, it is impossible to keep up, so in
the new game we worry less about eliminating every vulnerability, but
place an emphasis on technologies which mitigate the effects of the
attacks which vulnerabilities enable. For example, using the technique
of virtualization, we can create a temporary or ``non-persistent''
computer-within-a-computer for our risky browsing and email sessions.
User mistakes don't hurt us because attacks which enter through the
virtual computer never touch our mission network. Other ideas in this
vein include advanced key management techniques to enable ubiquitous
encryption of mission data and prevention of exfiltration of
intellectual property (adversaries may get in, but they can't see
anything); also a network operating system to instantiate access policy
at any level of the architecture and prevent adversaries from
escalating privileges (adversaries may get in, but they can't do
anything).
2) Today's game: check for maliciousness;
Tomorrow's game: know what to trust
Today we spend a lot of energy testing digital content to determine
whether it is trustworthy. Virus-checkers and content filters attempt
to ascertain by inspection whether applications and data are safe to
place on our systems. Root-kit detection tools try to tell us if our
computers have themselves been compromised. All of these tools are
generally only as good as the catalog of attacks they have seen before.
Again, it is impossible to keep up, so in the new game the emphasis is
on roots of trust, or what it is that we can know for sure about our IT
assets. Using new hardware constructs like the Trusted Platform Module
and techniques of measurement and attestation, we can begin to have a
means to monitor and restore the integrity of computers throughout
their deployment life. Other useful avenues along these lines include
provenance technologies for associating integrity and authenticity
proofs with all types of digital content and events; also unspoofable
identity authentication to eliminate masquerades. These approaches
allow us to trust our assets because we know they are good, rather than
because we haven't proven that they are bad.
3) Today's game: avoid damage;
Tomorrow's game: fight through and recover quickly from damage
Today we have a large investment in perimeter defense not only to
keep adversaries from learning our secrets, but also to prevent their
tampering with our data and command and control systems. We have COOPs
and mirrored data centers designed for recovery from physical damage.
We have learned, though, that perimeter defense does not always work,
and that attacks on the integrity or availability of our assets look very
different from flood damage or electrical blackouts, so in the new game
we emphasize the ability to maintain operations in the face of attack.
Virtualization can help us again here. Virtualization obviates the
necessity for coupling together specific logical and physical assets.
For example, each user's environment (data and computing tools) can be
stored and maintained as a digital file or image in a central control
area. Should those environments be lost or compromised, they can easily
be ``reincarnated'' into any compatible physical platform. We may also
choose to prophylactically refresh stored images periodically just in
case. Other promising paths include ``battle mode'' where assets are
stripped down to an easier-to-guarantee austere functionality, and
self-healing to bootstrap back up.
The new paradigms described above take us to a future where we are
not so vulnerable to the asymmetric advantage enjoyed today by the
remote network attacker. Each of the new games takes advantage of
technology which seems to be emerging on the near horizon to mitigate
our need to depend on things that are too hard for us to do.
Mr. Smith. The Secretary of Defense recently placed the Joint Task
Force for Global Network Operations under the operational control of
JFCC-NW. Why was that important and how does it make our DOD systems
more secure?
General Alexander. Earlier, the Department of Defense established
two separate military cyber component commands under U.S. Strategic
Command--one dedicated to defensive cyber operations (JTF-GNO), the
other to building an offensive capability (JFCC-NW). However, neither
of these entities was fully resourced and their separation inherently
precluded the type of dynamic defense and agile, fluid maneuvering
needed to secure our equities in cyberspace. In recognition of this,
the decision was made in November of 2008 to consolidate these two
components. The contested cyber environment clearly demands an ability
to seamlessly integrate and synchronize cyber offense with cyber
defense--at network speed. Further, it requires a unifying construct
with the focus, scope of responsibility and authority to succeed in
this mission space. Unifying command and control along the full range
of capabilities will streamline operations, improve situational
awareness and ultimately provide a much more robustly and reliably
defended Global Information Grid.
Mr. Smith. What are the pros and cons of establishing a sub-unified
Cyber Command under STRATCOM? How would this be different from the
current structure?
General Alexander. The decision to establish a sub-unified Cyber
Command was made in the Office of the Secretary of Defense (OSD) and is
best answered by OSD.
Mr. Smith. What role do you have in helping define the S&T
requirements for cyberoperations?
General Alexander. Joint Task Force-Global Network Operations (JTF-
GNO) and Joint Functional Component Command for Network Warfare (JFCC-
NW) have a cadre of military, government, and contractor personnel who
directly support cyber operations planning, define cyber capabilities
requirements, prototype and/or manage funding, on behalf of U.S.
Strategic Command, related to cyber capabilities, technical assurance
and risk assessment. Collection of Combatant Command requirements is a
proactive endeavor, conducted and maintained via a JWICS-based
intellipedia wiki website known as the Collaborative Environment (CE).
In general, these requirements require long term solutions and
extensive intelligence efforts, software and hardware research,
development, as well as test and operational fielding. Emergent
operational needs or enabling requirements are also identified by cyber
operators, crisis planners and Combatant Commands, sometimes in ``real
time.'' Emergent requirements may drive more future S&T efforts but the
standing Combatant Command requirements are the primary drivers for the
ongoing S&T efforts which are funded through a Call for Proposals
process. This also provides a direct linkage to the Service and Agency
research laboratories, which are the primary developers of
capabilities. The National Security Agency (NSA), JFCC-NW and JTF-GNO
provide collaborative operational and technical inputs to U.S.
Strategic Command's Integrated Priority List gap analysis effort to
ensure both budgetary and S&T awareness of areas requiring attention.
Mr. Smith. What is the process for remediating a hardware or
software vulnerability identified during an information assurance
vulnerability assessment? Are there institutional processes and funds
available, or are you forced to ``take this out of hide.''
General Alexander. As a routine matter, the remediation process for
hardware and software vulnerabilities that are identified during an
inspection are usually mitigated by the associated vendor. Each vendor
provides fixes for products with active support for lifecycles. These
fixes are provided to the users of those products at no additional
costs to the user as long as they are within the supported lifecycle.
In many instances Agencies will purchase an additional support
agreement for specific products for technical guidance or warranties
for newly purchased products. During the purchase of those products,
vendors will recommend a support agreement for their product for an
additional fee or on an as required basis (hourly rate). This agreement
will normally provide the user with an account or support contact to
access the required update or technical support information.
Most large software companies (i.e. Microsoft, Cisco and Oracle
etc.) will provide fixes for vulnerable software Operating Systems and
applications that are still supported by the vendor at no additional
cost to the user. Open source applications are usually updated/upgraded
as vulnerabilities are identified by any associated developer that has
technical knowledge of the affected code and is normally provided at no
additional charge. At any given time a vendor patch has the ability to
break something. In this case the vendor will try to provide an
appropriate fix for their product; however, if this is a special case
you may need a Technical Support Agreement with the vendor to
troubleshoot your problem which may incur an additional cost.
However, there are other significant costs associated with
investigation, analysis and remediation of compromised systems outside
of the normal life-cycle arrangements. This question is best answered
by the individual services and agencies as they are in the best
position to discuss the budgetary impact of those activities.
Mr. Smith. What are you doing in the Services and OSD to develop a
career cyber force?
General Alexander. Developing cyber forces is a Service organize,
train, and equip responsibility, and they are best positioned to
address individual Service career field development efforts.
A lot of planning work is being done within all the Services,
regarding identification of new skills needed to perform emerging
missions. We must also leverage the unique contributions of
universities and research institutions as well as private enterprise to
ensure U.S. forces are always on the cutting edge.
The Secretary of Defense has directed all the Services to maximize
the facility at the Center for Information Dominance in Corry Station,
Pensacola (the Executive Agent for Cryptologic Computer Network
Exploitation and Defense training) to acquire the technical skills
required for cybersecurity missions. (Those with more analytic work
roles receive their training at Goodfellow Air Force Base.) It is
expected that graduates of both programs will be assigned to places
where they can practice what they learned, gain mission experience in
several sectors of Computer Network Operations, and participate in more
advanced training fielded by the Services and the Cryptologic Training
System.
Mr. Smith. What incentives are available to recruit and retain the
types of individuals you would like to attract to the military cyber
corps? Are there other incentives that you would like to be able to
offer, but do not currently have the authority to provide?
General Alexander. Recruiting will be one of our top priorities.
Unfortunately, very little is available today as the Services do not
currently recruit specifically for cyberspace forces. However, as we
move forward, there are a number of recruitment and retention
incentives we would recommend.
We will encourage Service ``cyberspace branches'' to operate
independent of recruiting operations within their Service, with subject
matter experts interviewing and testing candidates from within the
ranks. We should provide recruiters with sufficient knowledge of the
cyberspace career opportunities in DOD to address basic questions of
potential recruits. We should enhance recruiting organizations with
cyber mentors, test materials, and military cyberspace points of
contact. And just as importantly, we must use DOD and Service public
affairs resources to aggressively promote a professional cyberspace
field. In addition, we should also consider the implications of total
force recruitment, leveraging our Reserve and National Guard
components, to identify colleagues as potential members of the DOD
workforce while also identifying and considering the cyber-related
talents they may bring from their civilian employment.
Once we've begun to recruit highly motivated candidates with the
potential to succeed in the cyberspace workforce, we will continue to
seek and leverage a wide variety of incentives and career options to
retain them. Individual services should seek to introduce incentives
based on their ability to attract and retain personnel can develop
monetary and other incentives that are widely used across DOD.
Incentives such as additional skills pay, performance and re-enlistment
bonuses, special schooling and certifications, as well as advancement
in specialized fields (e.g., nuclear power incentive pays) will have to
be considered. We should seek to recruit DOD civilian cyber specialists
from our military personnel and allow them to benefit from military
retirement benefits while continuing to advance their careers as
government civilians. We should consider a ``cyber branch'' model that
allows us to affect assignment tempo for exceptionally talented
performers, thus allowing cyber specialists to continue to work their
specialties. To keep our world-class force, we need to provide non-
traditional means to routinely update cyber skills and develop inter-
and intra-Service competitions to identify and reward the best of the
best. Finally, we should continually emphasize the uniqueness of the
work, access to some of the world's most advanced cyber technologies,
and the critical importance of this mission to both DOD and the nation.
Mr. Smith. What kinds of leap-ahead technologies do you believe we
need to be investing in?
General Alexander. The following are examples of current
investments:
    Knowledge Management Systems (KMS). An integrated and
      automated requirements database; a tools and tactics repository; and an
      Analyst Workcenter interface with an information warfare planning
      system.
    Common Cyber Operational Picture (COP): Automated
      combination/deconfliction of germane real-time exploitation and attack
      warning and characterization along with real-time situational awareness
      of defense measures; functionally tailorable to facilitate information
      sharing with different U.S. agencies and allies.
    Attribution Science: Anti-anonymizer technologies (how to
      both create them and defeat them); hardware and software signatures;
      and tactics, techniques, and procedures (TTP) for operational uses.
    Internet Governance. Thorough research of: 1) the next
      generation Internet Protocol version 6 (IPv6), which is prevalent in
      many universities and R&D environments and is quickly emerging in many
      foreign sectors. 2) the ``.tel'' internet domain, the online equivalent
      to the phone directory, which is the most significant innovation in the
      domain name system since the advent of .com.
    Network Traffic Interdiction Capabilities: Capabilities
      facilitating interdiction of targeted traffic in transit across the
      global network.
    Automated network re-configuration and Computer Network
      Defense applications. Requires all of the above technologies to be
      applied and integrated in real-time.
______
QUESTIONS SUBMITTED BY MR. THORNBERRY
Mr. Thornberry. Define a cyber warfighter, or cyber warfare
professional as he exists today.
Mr. Krieger. ``Cyber warfighter'' and ``Cyber Warfare Professional''
are still fluid terms; however, the terms can include professionals who
perform duties under three categories: Computer Network Attack (CNA),
Computer Network Exploit (CNE), or Computer Network Defense (CND)/
Network Operations (NETOPS).
Mr. Thornberry. Describe what you envision for the cyber warfighter
of the future in terms of education (undergraduate/graduate or high
school only, too), training, career path, rank structure, capability,
mission, responsibilities, organization, etc.
Mr. Krieger. Army's education, career path and management of future
cyber warfighters is being developed using standard paths through our
personnel management system for officers, enlisted and Department of
the Army Civilians to ensure that our workforce meets the Army's needs
in the Cyberspace field. The Army follows the Federal Information
Security Management Act (FISMA) and Department of Defense Training and
Certification mandates which require Information Security
Certifications and all levels of our Information Security Professional
Corps.
Mr. Thornberry. Given the limited pool of individuals with the
necessary technical skills, as stated recently by Gen Shelton, and the
growing cyber personnel requirements articulated by Secretary Gates,
what is the plan to recruit, organize, train, and equip prospective and
current cyber warfare professionals? Is it joint or by service? Please
explain.
Mr. Krieger. The Army conducts ongoing reviews to ensure it is
manned, trained and equipped to meet the Army's operational missions
and increase the pool of eligible candidates that meet the standards
for occupational skills which are deemed critical. The Army works
diligently with Joint Staff and other services to combine its training
and other efforts wherever possible to make sure that the needs of the
Department of Defense are integrated wherever possible to increase
efficiency and effectiveness.
Mr. Thornberry. In your opinion should the cyber warfighter be
trained by service branch, jointly, jointly with service specific
trailer courses, or somehow else? Why?
Mr. Krieger. The Army fights as a Joint/Coalition force and
therefore supports Joint training to the maximum extent possible, but
recognizes the peculiarities of each individual service. Joint training
allows services to train to a single standard and leverages the one-
time investment in infrastructure, training curriculum and reduces
duplication. The Land, Air, Sea, and Space domains each have unique
characteristics and challenges while working in and through the
cyberspace domain. Functioning effectively in each of these domains
requires different equipment sets/characteristics, training/education
and operational principles. As standardized and/or unique joint mission
requirements are identified, specific joint trailer courses will allow
the services to focus the skill sets of the personnel to satisfy that
particular mission.
Mr. Thornberry. In the current overseas contingencies, please
describe to what extent, if any, has U.S. Strategic Command
(USSTRATCOM) taken an active role supporting U.S. Central Command?
Mr. Krieger. USSTRATCOM along with the Army Service Component
Command has played a very active role in the development of Computer
Network Operations tools supporting USCENTCOM. USSTRATCOM was integral
in mitigating Computer Network Defense/Information Assurance issues in
support of Operation Iraqi Freedom and Operation Enduring Freedom.
USSTRATCOM recently marshaled resources to mitigate capacity
degradation stemming from breaks in undersea cables, restoring service
with no significant operational impact. USSTRATCOM's main focus over
the past year has been on establishing common standards, procedures,
and discipline to better secure military networks. This benefits all
warfighters, to include USCENTCOM, who are dependent on Cyberspace to
conduct operations.
Mr. Thornberry. Irrespective of service branch, do USSTRATCOM's
cyber warfighters possess the skills necessary to ensure all secure
battlefield communications? Please explain.
Mr. Krieger. Gen Chilton, Commander USSTRATCOM, stated in
Congressional Testimony to the Senate Committee on Armed Services, on
19 March 2009:
``The provisioning of adequate cyber forces to execute our assigned
missions remains our greatest need in this mission area.''
The Army is aware of this requirement, and has been very proactive
in training, equipping and manning USSTRATCOM and its Functional
Components with requested cyber warfighters to secure the internet and
battlefield communications. Consistent with the National Military
Strategy for Cyberspace Operations, the Army has made progress toward
defining Service level requirements and advocating for Service
cyberspace workforces. We understand the demands, and have moved
aggressively to grow our cyber expertise; organize and orient against
threats; and improve the technical and manpower capabilities our Joint
Warfighters and interagency partners require for the cyberspace fight.
Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and
DISA clearly defined in theater?
Mr. Krieger. Currently, USSTRATCOM operates through two subordinate
component commands: Joint Functional Component Command for Network
Warfare (JFCC NW) and Joint Task Force for Global Network Operations
(JTF-GNO). Both commands have implemented a more responsive command and
control structure reliant on centralized orders and decentralized
execution. Tightening the relationship between JFCC NW and JTF-GNO this
past year has led to a better, more responsive capability to defend our
military networks. But, we have found the need for closer coordination
and clearer delineation of responsibilities at the national and theater
levels, and are moving to form USCYBERCOM. This new organizational
structure will enable DOD-wide leadership to address computer security
incidents and network compromises enhancing timely threat
identification and mitigation through unity of effort, both within
theater and globally.
Mr. Thornberry. Should the Department of Defense establish a
``Cyber Agency'' at the same level of the National Security Agency
(NSA) and Defense Information Services Agency (DISA)? Why or why not?
Mr. Krieger. Army stands ready to support the strategy defined by
Department of Defense leadership.
Mr. Thornberry. To what extent is the cyber domain being integrated
into other domain and domain awareness initiatives (i.e. battlespace,
maritime, air, space)? Please describe.
Mr. Krieger. The U.S. Army Training and Doctrine Command
established an Integrated Capabilities Development Team (ICDT)
chartered to integrate cyberspace operations into full spectrum land
domain operations. This ICDT is developing a Cyberspace Operations
Concept of Operations (CONOPS) which will articulate how the Army
intends to fight in the Cyberspace domain which incorporates lessons
learned from Operation Iraqi Freedom (OIF), Operation Enduring Freedom
(OEF) and our National Training Centers which stresses integration. The
CONOPS describes how the Army will use the other domains to support
land component Battle command in terms of cyberspace awareness. This
CONOPS will form the basis for future Army analysis and capability
development efforts.
Mr. Thornberry. Define a cyber warfighter, or cyber warfare
professional as he exists today.
Mr. Carey. While all who engage the network to perform their
missions are members of the cyber workforce, we consider a cyber
warfare professional as an officer, enlisted member or civilian trained
to work in an interdisciplinary domain including networks, computer
applications and services. These professionals work in information
operations, computer network defense, attack, and exploitation aspects
of network operations, which must be aligned from end to end with the
Intelligence Community. They will work as a cohesive unit, combining
Intelligence and Operations to perform information assurance in
protecting, monitoring, analyzing, detecting and responding to threats
on the network, and manage information by retrieving, caching,
compiling, cataloging and distributing it. The management mission also
includes information technology system acquisition and architecture
development and compliance.
Mr. Thornberry. Describe what you envision for the cyber warfighter
of the future in terms of education (undergraduate/graduate or high
school only, too), training, career path, rank structure, capability,
mission, responsibilities, organization, etc.
Mr. Carey. The DON will recruit cyber workforce personnel from
multiple educational levels, hiring experienced personnel and
developing the cyber skills of others through career path education and
training. The DON will recruit from high school, vocational school,
junior college, undergraduate and graduate programs. DON cyber
personnel will be educated and trained through a blended approach of
traditional schoolhouse instruction, online, and commercial vendor
instruction including cyber and information assurance certification and
licensing programs, joint education, on-the-job training and
qualification, and team and unit tactical training. A key element of
this program will be standardized training (applicable to positions
regardless of the military or civilian status of the person performing
the work in the position) and education curricula to support a core
capability that is fungible across the contractor/civilian/military
workforces.
Rank and grade structures for military and civilian personnel will
follow current structures, and it is expected that cyber workforce
personnel will be required at all rank and grade levels. Career path
development is still in progress as the missions, functions and tasks
of the DON cyber structure are developed, but it is expected that there
will be military career paths leading to the most senior enlisted and
officer ranks. Civilian personnel will be able to follow paths leading
to, and including, Senior Executive Service positions.
The DON cyber workforce will be capable of supporting all DON
missions. Within the cyber arena they will provide Computer Network
Defense (CND), Network Operations (NETOPs), Information Assurance (IA),
Computer Network Attack (CNA), Computer Network Exploitation (CNE), and
All-Source Intelligence support; telecommunications, and management
functions including design and development, strategic planning and
investment, policy and planning, and acquisition.
Cyber workforce responsibilities will be split among military,
government civilian and contractor support personnel as required.
Decisions on workforce structure, the number of inherently governmental
activities, and the scope of in-sourcing and outsourcing will be
finalized following the establishment of the Department of Defense and
the DON Cyber Command structures, missions, functions and tasks.
Mr. Thornberry. Given the limited pool of individuals with the
necessary technical skills, as stated recently by Gen Shelton, and the
growing cyber personnel requirements articulated by Secretary Gates,
what is the plan to recruit, organize, train, and equip prospective and
current cyber warfare professionals? Is it joint or by service? Please
explain.
Mr. Carey. The Department of the Navy (DON) is developing plans to
recruit, organize, train, and equip military and civilian cyber warfare
professionals. The first step being taken is to determine the specific
skill sets needed for cyber warfare. The DON will also develop career
options to support recruitment, retention, and development of personnel
with the needed skill sets. The DON is looking at ways to modify career
paths and improve training to prepare the current workforce to meet the
cyber challenge. The Navy along with the other services will continue
to leverage training and educational opportunities by sharing resources
at the Center for Information Dominance, Joint/National-sponsored
schools, and post-graduate schools. The task of equipping this force
will follow closely the training model for the near term, primarily
leveraging Joint/National capabilities.
Mr. Thornberry. In your opinion should the cyber warfighter be
trained by service branch, jointly, jointly with service specific
trailer courses, or somehow else? Why?
Mr. Carey. Cyber warfighters must be thoroughly trained, employing
both formal education and on-the-job training tracks within both their
respective Services and the Joint environment. This is essential, due
to the nature of cyber warfare and the need to be able to defend the
Global Information Grid and its Service components. Foundational
education and training should take place within the Service framework,
and experienced personnel should take that knowledge into the Joint
operational and training environments, facilitating DOD-wide synergies.
When possible, DON cyber workforce development plans should include
participation in forums including not only DOD, but also other Federal
and private industry workers. Increased familiarity with
non-governmental and inter/intra-agency organizations' tactics, techniques,
and procedures will increase the overall efficiency and effectiveness
of cyber operations supporting national security objectives.
Mr. Thornberry. In the current overseas contingencies, please
describe to what extent, if any, has U.S. Strategic Command
(USSTRATCOM) taken an active role supporting U.S. Central Command?
Mr. Carey. The Department of the Navy Chief Information Officer
respects the direction and authority of the Secretary of Defense and
his assignment of Title 10 and UCP authority to CDR USSTRATCOM.
Service network operations centers (NOSCs) are under CDR
USSTRATCOM's operational control. JTF-GNO orders Service NOSCs to
perform network operations and defense. USSTRATCOM, through the CENTCOM
AOR DON Network Operation Centers' direct reporting relationship to the
Joint Task Force-Global Network Operations, is very active in providing
direction on network operations and defense and ensuring computer
devices and networks are compliant with published IA Vulnerability
Alerts (IAVAs), Communications Tasking Orders (CTOs), Operations
Directive Messages (ODMs), etc. These efforts mitigate vulnerabilities
and eliminate (or reduce) the instance of infections. This work is a
major challenge in the forward tactical environment where forces
frequently rotate every six months to one year, bringing with them
personnel who have various (often limited) levels of network
administration skills. Additionally, the Commander, USSTRATCOM and his
staff have traveled to the CENTCOM AOR, visiting the Defense
Information Systems Agency and Service NOSCs in search of ways in which
U.S. Strategic Command can better support the current overseas
contingencies.
Mr. Thornberry. Irrespective of service branch, do USSTRATCOM's
cyber warfighters possess the skills necessary to ensure all secure
battlefield communications? Please explain.
Mr. Carey. The Department of the Navy Chief Information Officer
respects the direction and authority of the Secretary of Defense and
his assignment of responsibilities to USSTRATCOM. However, it should be
noted that most technical work in the battlefield/AOR is performed by
Service-specific personnel/organizations, and not USSTRATCOM personnel.
Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and
DISA clearly defined in theater?
Mr. Carey. The Department of the Navy Chief Information Officer
respects the direction and authority of the Secretary of Defense and
his assignment of Title 10/50 and UCP authorities to CDR USSTRATCOM,
NSA, and DISA. The in-theater responsibilities of USSTRATCOM, NSA, and
DISA are outlined in Chairman, Joint Chiefs of Staff Directives and
Instructions, including interactions with COCOMs and the Services. NSA
responsibilities are also found in U.S. Signals Intelligence Directives
(USSIDs).
Mr. Thornberry. Should the Department of Defense establish a
``Cyber Agency'' at the same level of the National Security Agency
(NSA) and Defense Information Services Agency (DISA)? Why or why not?
Mr. Carey. The Department of the Navy Chief Information Officer
respects the direction and authority of the Secretary of Defense in his
establishment of the USCYBERCOM. The SECDEF memo of 23 June 09 stated
it best when it said that the ``Department of Defense requires a
command that possesses the required technical capability and remains
focused on the integration of cyberspace operations. Further, this
command must be capable of synchronizing warfighting effects across the
global security environment as well as providing support to civil
authorities and international partners.'' The DON supports the
establishment of U.S. Cyber Command, which presently appoints the
Director, National Security Agency the Commander, U.S. Cyber Command,
making the integration of activities easier. The Director of the
Defense Information Systems Agency (DISA) is tasked to provide network
and information assurance technical assistance to USCYBERCOM as
required. The Joint Task Force-Global Network Operations (JTF-GNO) and
the Joint Functional Component Command for Network Warfare are merged
into the new Cyber Command, bringing together the strengths of both of
these commands. The DON believes that functional reporting
relationships between the cyber operating forces, USCYBERCOM and the
Military Departments and Services must be established to ensure
efficient and effective command and control of these vital assets.
Mr. Thornberry. To what extent is the cyber domain being integrated
into other domain and domain awareness initiatives (i.e. battlespace,
maritime, air, space)? Please describe.
Mr. Carey. In May 2008, the Department of Defense published the
following definition of cyberspace: ``A global domain within the
information environment consisting of the interdependent network of
information technology infrastructures, including the Internet,
telecommunications networks, computer systems, and embedded processors
and controllers.'' This definition is almost identical to that which
was developed by the Department of Homeland Security and the National
Institute of Standards and Technology.
The Information Technology Reform Act of 1996 (Clinger Cohen Act)
defines IT as: ``Any equipment or interconnected system or subsystem of
equipment that is used in the automatic acquisition, storage,
manipulation, management, movement, control, display, switching,
interchange, transmission, or reception of data or information.'' The
term information technology includes computers, ancillary equipment,
software, firmware and similar procedures, services (including support
services), and related resources.
Given these terms of reference, Cyberspace (IM/IT) is present in
all domains. The ability to operate within cyberspace is vital to the
DON's mission. Achieving an appropriate balance between the need to
collaborate and share information and the need to protect information
will be key to our success.
The DON has established a DON Enterprise Architecture framework or
``blueprint'' to enable the exchange of information, integration of
systems and management of resources to support cyberspace domain
capabilities across all mission areas (surface (sea and ground),
sub-surface, air and space). Further, to support system development and
integration, the DON mandates use of the Defense Information System
Registry (DISR) as its authoritative standards source. The DON
established a governance structure to ensure adherence to the DON EA
framework and standards in system development supporting the cyberspace
domain.
Mr. Thornberry. Define a cyber warfighter, or cyber warfare
professional as he exists today.
General Shelton. Cyber warfighters are skilled professionals
working to deter and prevent cyberspace attacks against vital U.S.
interests, ensure our freedom of action in cyberspace, respond to
attacks and reconstitute operations, develop persistent cyberspace
situational awareness and defeat adversaries operating through
cyberspace.
Today, these personnel are drawn primarily from communications,
intelligence and engineering specialties, often returning after a
single assignment. While initially adequate, cyberspace has emerged as
a dynamic and technically demanding warfighting domain of strategic
national importance. The Air Force recognizes this and has committed to
establishing dedicated officer, enlisted and civilian career fields to
meet emerging demand and address recruiting, training, retention and
force development challenges.
Mr. Thornberry. Describe what you envision for the cyber warfighter
of the future in terms of education (undergraduate/graduate or high
school only, too), training, career path, rank structure, capability,
mission, responsibilities, organization, etc.
General Shelton. Cyber warfighters are skilled professionals
working to deter and prevent cyberspace attacks against vital U.S.
interests, ensure our freedom of action in cyberspace, respond to
attacks and reconstitute operations, develop persistent cyberspace
situational awareness and defeat adversaries operating through
cyberspace.
Today, these personnel are drawn primarily from communications,
intelligence and engineering specialties, often returning after a
single assignment. While initially adequate, cyberspace has emerged as
a dynamic and technically demanding warfighting domain of strategic
national importance. The Air Force recognizes this and has committed to
establishing dedicated officer, enlisted and civilian career fields to
meet emerging demand and address recruiting, training, retention and
force development challenges.
Mr. Thornberry. Given the limited pool of individuals with the
necessary technical skills, as stated recently by Gen Shelton, and the
growing cyber personnel requirements articulated by Secretary Gates,
what is the plan to recruit, organize, train, and equip prospective and
current cyber warfare professionals? Is it joint or by service? Please
explain.
General Shelton. Growing and developing cyber forces is a DOD-wide
challenge. Recognizing this, the Services are cooperating with each
other, Joint Staff and OSD to develop new approaches and more effective
solutions for recruiting, acquisitions, training and retention.
Mr. Thornberry. In your opinion should the cyber warfighter be
trained by service branch, jointly, jointly with service specific
trailer courses, or somehow else? Why?
General Shelton. Initial training of cyber forces should be
conducted by the Services, with joint post graduate training reserved
for specialized tasks.
Mr. Thornberry. In the current overseas contingencies, please
describe to what extent, if any, has U.S. Strategic Command
(USSTRATCOM) taken an active role supporting U.S. Central Command?
General Shelton. Congressman, I would respectfully ask that this
question be directed to the Commander of U.S. Strategic Command,
General Chilton, who can provide you with the most up-to-date and
accurate information regarding his command's support to U.S. Central
Command.
Mr. Thornberry. Irrespective of service branch, do USSTRATCOM's
cyber warfighters possess the skills necessary to ensure all secure
battlefield communications? Please explain.
General Shelton. Congressman, I would respectfully ask that this
question be directed to the Commander of U.S. Strategic Command,
General Chilton, who can provide you with the most up-to-date and
accurate information regarding his command's ability to secure
battlefield communications.
Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and
DISA clearly defined in theater?
General Shelton. Congressman, I would respectfully ask that this
question be directed to the Commander of U.S. Strategic Command,
General Chilton, the Director of NSA, Lieutenant General Alexander, and
Lieutenant General Pollet, the Director of DISA, who can provide you
with the most up-to-date and accurate information regarding the
division of their responsibilities in theater.
Mr. Thornberry. Should the Department of Defense establish a
``Cyber Agency'' at the same level of the National Security Agency
(NSA) and Defense Information Services Agency (DISA)? Why or why not?
General Shelton. Currently, it is the Secretary of Defense's intent
to establish a U.S. Cyber Command as a sub-unified command under U.S.
Strategic Command. The Air Force is standing up the 24th Air Force in
order to present Air Force cyber forces to this command. The Air Force
stands ready to respond to any cyber-related requirements from the
Department.
Mr. Thornberry. To what extent is the cyber domain being integrated
into other domain and domain awareness initiatives (i.e. battlespace,
maritime, air, space)? Please describe.
General Shelton. Secretary Gates' decision to stand-up USCYBERCOM
indicates the importance the Department of Defense places on this
domain. The Air Force also recognizes the criticality of cyberspace to
Joint and AF operations and is standing up 24th Air Force to focus on
this key area. The integration of cyberspace operations with other
operations happens at Joint and Service levels. For the Air Force, this
integration will occur at 24 AF with USSTRATCOM/USCYBERCOM and at Air
Operations Centers (AOC) supporting Combatant Commanders (CCDR). When
CCDRs rely on reach-back cyberspace operations, Airmen in the 24 AF and
AOCs will facilitate integration of applicable AF capabilities.
Mr. Thornberry. Define a cyber warfighter, or cyber warfare
professional as he exists today.
Mr. Lentz. The Cyber warfighter is evolving from a variety of
military specialties such as Intelligence, Communications, Information
Technology, and Information Assurance. The primary roles currently
identified for Cyberspace Operations include military, civilian, and
contractors performing:
    Computer Network Operations (CNO) Execution, consisting of:
        Computer Network Attack (CNA)
        Computer Network Exploitation (CNE)
        Computer Network Defense (CND)
    Network Operations (NetOps)
    Information Assurance (IA) Computer Network Defense Service-Providers
The ``Cyber-warfighter'' is a relatively new concept. The
Department is developing the concept of operations. This includes the
structure, missions, career progression and general responsibilities of
the developing Cyber workforce. The diagram below suggests notional
thoughts on the integration of the various components of the Cyber
workforce.
[GRAPHIC] [TIFF OMITTED] T7218.069
Mr. Thornberry. Describe what you envision for the cyber warfighter
of the future in terms of education (undergraduate/graduate or high
school only, too), training, career path, rank structure, capability,
mission, responsibilities, organization, etc.
Mr. Lentz. Cyber Warfighter Education and Training will depend on
how the position/person supports cyber warfighting. We anticipate the
cyber warfighter of the future to reflect the following basic education
and training qualifications:
Military Officers: Receive professional military education in
conjunction with cyber specific training so that they can conduct cyber
warfare in their role as leaders and managers.
    Education:
        Bachelor or advanced degree preferably in information
          systems related program
        Service officer basic professional education
        Service intermediate professional education
        Service/Joint Warfare Command and Staff College
    Training:
        Common foundational cyber warfare skills at career start
        Functional mission specific cyber warfare skills at mid-career
        Senior strategic leadership training across the cyber
          warfare domain
        Baseline IA/IT commercial certification
Government Civilian Cyber Warfare Managers: May receive DOD
education in conjunction with cyber training so that they can apply
cyber to their role as managers.
    Education:
        Bachelor or advanced degree preferably in information
          systems related program
        National Defense University (NDU) Information Resource
          Management College (IRMC) professional development programs or
          certificates.
    Training:
        Component-specific policy, processes, and requirements
        Cyber related continuous training
        Component-specific/sponsored cyber courses
        Baseline IA/IT commercial certification
Contractors performing cyber warfare management roles should meet
the same/equivalent education and training as their government
counterparts. DOD unique training or equivalent should be available to
contractors.
Military Operators (hands-on/technical): We anticipate these
individuals will receive cyber warfare training along with their
military and technical education for their role as operators.
    Education:
        High school/community college
        Rank/Grade appropriate professional education
    Training:
        Basic and advanced cyber related occupational specialty
          training
        NetOps/IA certification depending on position requirements
        Operational and exercise training
Government Civilian Operators (hands-on/technical): Receive cyber
training, which they apply along with their technical education to
their role as operators.
    Education:
        Community college/baccalaureate degree in information
          technology field
    Training:
        NetOps/IA certification depending on position requirements
        Operational and exercise training
Contractors performing cyber warfare technical roles should meet
the same/equivalent education and training as their government
counterparts. DOD unique training or equivalent should be available to
contractors.
Mr. Thornberry. Given the limited pool of individuals with the
necessary technical skills, as stated recently by Gen Shelton, and the
growing cyber personnel requirements articulated by Secretary Gates,
what is the plan to recruit, organize, train, and equip prospective and
current cyber warfare professionals? Is it joint or by service? Please
explain.
Mr. Lentz. There are several steps required to recruit and train
personnel into the cyber workforce. The Services and Agencies are
specifically responsible for accomplishing these tasks in compliance
with DOD policy (which is still evolving for cyber warfare and its
workforce). Based on current processes, the following actions must be
accomplished by the Services and Agencies to develop a Cyber Workforce:
    Define their cyber workforce (what are the position requirements)
    Identify their position requirements
    Document manning requirements/table of organization
    Program and budget to fill the documented positions.
    Develop recruiting requirements/quotas
    Identify recruitment incentives to attract potential cyber warriors
    Recruit personnel with qualifications/potential to learn
      required skills
    Provide baseline training for specific job/positions skills
    Provide Continuous training via on-line, classroom, or exercises
The DOD is currently working with the Services, Agencies, Joint
Staff, and STRATCOM to develop baseline cyber workforce standards. The
current model for these standards is the current DOD 8570.01-M
``Information Assurance Workforce Improvement Program''.
Organizing and equipping the cyber warfare professionals is a
function of mission capability requirements defined by the Chairman of
Joint Chiefs of Staff and executed by the Services and Agencies.
Mr. Thornberry. In your opinion should the cyber warfighter be
trained by service branch, jointly, jointly with service specific
trailer courses, or somehow else? Why?
Mr. Lentz. The cyber warfighter should be primarily trained to meet
DOD and service level baseline requirements established by the Services
under Title 10 authorities. Such training should be augmented by
applicable joint specialized training.
Efforts are underway by the Joint Staff to finalize the cyber joint
mission task list and to develop a joint learning continuum for cyber
training. This should form the basis for joint specialized training.
At both the DOD and joint level, there is a significant emphasis on
joint training exercises for the cybersecurity workforce. Exercises are
focused on attack detection, diagnosis, and reaction at military
speeds.
Mr. Thornberry. In the current overseas contingencies, please
describe to what extent, if any, has U.S. Strategic Command
(USSTRATCOM) taken an active role supporting U.S. Central Command?
Mr. Lentz. Joint Functional Component Command for Network Warfare
(JFCC-NW) and Joint Task Force-Global Network Operations (JTF-GNO),
which are two USSTRATCOM components, are actively engaged in support of
U.S. forces in the USCENTCOM area of responsibility.
In today's battlefield, our networks are a critical force
multiplier. Both JTF-GNO and JFCC-NW work closely with USCENTCOM
leaders and staff, in Tampa as well as forward in theater, to ensure
vital warfighting networks are robust and defended.
Mr. Thornberry. Irrespective of service branch, do USSTRATCOM's
cyber warfighters possess the skills necessary to ensure all secure
battlefield communications? Please explain.
Mr. Lentz. Commander, USSTRATCOM met the DOD's 2008 Information
Assurance (IA) workforce certification goal to certify 40% of their
Information Assurance/Cybersecurity workforce by December 31, 2008.
Overall, the Department's information assurance workforce personnel
certification rate as of December 31, 2008, was 23% (for its
approximately 84,000 IA positions), with a target date of December 31,
2010, for certification of the remaining IA workforce.
Commander, USSTRATCOM has ``cyber-warfighters'' from a variety of
military specialties such as Intelligence, Communications, Information
Technology, and Information Assurance with the skills necessary to
direct the DOD's Global Information Grid operations and defense.
USSTRATCOM provides direction to the Services and organizations to
secure their portions of the defense information environment including
battlefield communications. The ``cyber-warfighter'' skill requirements
are evolving and DOD is developing the structure, missions, career
progression and general responsibilities of the cyber workforce.
Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and
DISA clearly defined in theater?
Mr. Lentz. Joint Functional Component Command for Network Warfare
(JFCC-NW) and Joint Task Force-Global Network Operations (JTF-GNO), the
two USSTRATCOM components for which I am responsible, maintain a close
and collaborative partnership with NSA and DISA. NSA maintains a robust
forward presence in Iraq and Afghanistan to provide both cryptologic
and information assurance support to deployed forces. These
capabilities support both JFCC-NW and JTF-GNO in their respective
missions of providing support for offensive and defensive cyber
operations. DISA's mission to build, provision and engineer the
backbone of the military networks also serves as a key enabler for
JTF-GNO's ability to direct the operations and defense of these networks.
We use liaison officers and support elements embedded within each
organization to help ensure our activities are mutually supporting and
to avoid conflicting objectives. While each organization has distinct
responsibilities, functions and authorities as defined by law and DOD
regulations, connective tissue between these organizations is naturally
bolstered by the relationships which exist between the Director, DISA
dual-hatted as Commander, JTF-GNO, my role as both Director, NSA and
Commander, JFCC-NW and since November 08, the relationship established
by the SECDEF's decision to place JTF-GNO under the operational control
of JFCC-NW. It is critical that we continue to maintain and strengthen
this connective tissue between our organizations in order to optimize
agile cyber support for combatant commanders and DOD as a whole.
Mr. Thornberry. Should the Department of Defense establish a
``Cyber Agency'' at the same level of the National Security Agency
(NSA) and Defense Information Services Agency (DISA)? Why or why not?
Mr. Lentz. Cyberspace is critical to joint military operations, and
we must protect it. To do this, the Department of Defense needs to
ensure it has the right balance of integrated cyber capabilities. Our
increasing dependency on cyberspace, alongside a growing array of cyber
threats and vulnerabilities, adds a new element of risk to national
security. To effectively address this risk and secure freedom of access
in cyberspace, the DOD requires a command possessing the required
technical capability and which remains focused on streamlining
cyberspace operations. The Secretary of Defense has recently
recommended the officer serving as Director of the National Security
Agency be nominated as Commander of USCYBERCOM. In his role as the
commander of USCYBERCOM, he will report to the Commander of USSTRATCOM.
Mr. Thornberry. To what extent is the cyber domain being integrated
into other domain and domain awareness initiatives (i.e. battlespace,
maritime, air, space)? Please describe.
Mr. Lentz. The cyber domain is integrated with the other domains
and provides supporting capabilities that enable command, control,
communications, computing, and information (C4I) processes. The cyber
domain is an essential enabler for virtually all functions, including
mission operations, information sharing and mission-related data
processing.
Domain awareness for the cyber domain is a difficult challenge. At
this time, cyber domain awareness capabilities are not completely
integrated with domain awareness capabilities for the other operational
domains. Cyber domain awareness is routinely included in daily status
briefs to commanders, providing a rough awareness of key cyber issues
to warfighting commanders. However, cyber operations and incidents are
difficult to model and present in visual form, and they are generally
not depicted in warfighting common operational pictures.
Mr. Thornberry. Define a cyber warfighter, or cyber warfare
professional as he exists today.
General Alexander. Cyber professionals are a cross-disciplinary
team of highly-trained individuals that bring together diverse skill
sets to conduct cyberspace operations. Their mission includes operation
and defense of Department of Defense Global Information Grid. Technical
expertise and roles cover the span of traditional military planning,
intelligence preparation, command and control, operational assessment,
requirements development, and operationalization of capabilities; all
done in an ever-changing mission space. Cyber warfighters are directly
supported by experienced intelligence analysts familiar with the larger
cultural and operational contexts, expert language analysts, network
analysts, cryptologists and operational planners, to name a few. These
experts, be they military or civilian, work together in real time to
effectively operate in cyberspace.
Mr. Thornberry. Describe what you envision for the cyber warfighter
of the future in terms of education (undergraduate/graduate or high
school only, too), training, career path, rank structure, capability,
mission, responsibilities, organization, etc.
General Alexander. DOD's Cyber force must be continuously educated
and mentored, sharpened by experience and drilled to operate in a
dynamic environment. I envision a total force solution, active and
reserve components, military and civilian, appropriately supported by
contractors to build the cyber warfighters of the future. They will
arrive with high school diplomas, undergraduate, and graduate degrees.
Our training and education programs will fill the skill gaps to create
increasingly skilled and adaptable personnel who will either specialize
in specific cyberspace capabilities or develop broad-based experience
to lead and manage future cyberspace operations. Continual specialized
training will be necessary because the mission space encompasses an
enormous number of different systems and software and is constantly
being updated and reconfigured. Mentoring and growing leaders must be
done as we do in other specialized fields to ensure experience is
distilled to the next generation of planners and operators; a challenge
for the nation as well as the military. On the learning continuum, a
cyber warfighter will progress from the most basic of tasks through the
most complex, by attending formal training, having work assignments
that provide the opportunity to perform various missions, and
participating in formal education programs.
The Secretary of Defense has directed all the Services to maximize
the facility at the Center for Information Dominance in Corry Station,
Pensacola (the Executive Agent for Cryptologic Computer Network
Exploitation and Defense training) to acquire the technical skills
required for cybersecurity missions. (Those with more analytic roles
receive their training at Goodfellow Air Force Base.) It is expected
that graduates of both programs will be assigned to places where they
can practice what they learned, gain mission experience in several
sectors of Computer Network Operations, and participate in more
advanced training fielded by the Services and the Cryptologic Training
System.
Specific plans regarding rank structure, responsibilities, and
organizations are all under development. The future cyberspace warrior
must be adaptive and flexible with the ability to fulfill multiple
roles that quickly adjust to changing conditions within the cyberspace
domain and the joint warfighter's requirements. Of special importance
will be the ability to shift through all missions required for steady
state and surge requirements. It is important that individuals be
assigned to organizations that are flexible enough to meet the complex
challenges of the environment in which they will operate. While a
specific organizational construct remains in development, the
capabilities should be centered on cyberspace operations that support
joint warfighter requirements.
Mr. Thornberry. Given the limited pool of individuals with the
necessary technical skills, as stated recently by Gen Shelton, and the
growing cyber personnel requirements articulated by Secretary Gates,
what is the plan to recruit, organize, train, and equip prospective and
current cyber warfare professionals? Is it joint or by service? Please
explain.
General Alexander. In anticipation of this need, we have been hard
at work over the past year identifying the necessary individual
technical skills for future cyberspace missions and the training
required for those skills.
We currently conduct this training at both Corry Station in
Pensacola, Florida and Fort Meade, Maryland and are working through
resource requirements to meet future demand for trained and ready
cyberspace forces.
While we were developing training, we've also worked closely with
the Services and national community to determine future force number
requirements for the Department that included initial estimates for the
expected end strength in a ``total force'' approach.
We envision that the future cyberspace forces will be a total force
approach of both Service and joint--the Services will organize, train,
and equip cyberspace forces that will be presented to joint
warfighters. Additionally, there will be a joint force that provides
day-to-day support to USCYBERCOM missions as directed by Commander,
USSTRATCOM. Using common force training and skills baseline, the
services will generate forces that will rotate back and forth between
the joint community and Service unit assignments.
We must also leverage the unique contributions of universities and
research institutions as well as private enterprise to ensure U.S.
forces are always on the cutting edge.
Mr. Thornberry. In your opinion should the cyber warfighter be
trained by service branch, jointly, jointly with service specific
trailer courses, or somehow else? Why?
General Alexander. There is clearly a need for Service and Joint
training for the cyber warfighter as well as more robust leveraging of
the scientific and technical expertise found in our universities,
research institutions and private enterprise. The complex and dynamic
nature of the operational environment should dissuade us from adopting
a one-size-fits-all approach. As in other military disciplines, we must
train individuals with the basic skills they will need to operate and
adapt in this domain: technology, analytics, cryptanalysis, languages,
intelligence, operational planning and effective command and control.
The Services play an enormous role here. There is a great deal of work
being done by the Services to determine how they can best organize,
train and equip forces for the combatant commanders. The Services, of
course, also need much of this same expertise to effectively operate,
secure and defend their networks and communication systems.
Joint training is also critical; we must train how we fight. Part
of the reason Secretary Perry first created the Joint Task Force-
Computer Defense Network in the late 1990s was because he realized
then, as we do now, that unity of command and unity of effort is as
essential in cyberspace as it is in the physical domains of air, sea,
land and space. All we have learned in the intervening years led
Secretary Gates to direct the creation of U.S. Cyber Command. It is
only by focusing the talent and resources of the Services and forging
and training Joint teams with interoperable equipment and unifying
doctrine that we will be as effective in this domain as we are in the
physical domains.
Mr. Thornberry. In the current overseas contingencies, please
describe to what extent, if any, has U.S. Strategic Command
(USSTRATCOM) taken an active role supporting U.S. Central Command?
General Alexander. Joint Functional Component Command for Network
Warfare (JFCC-NW) and Joint Task Force-Global Network Operations
(JTF-GNO), the two USSTRATCOM components for which I am responsible, are
actively engaged in support of U.S. forces in the USCENTCOM area of
responsibility.
In today's battlefield, our networks are a critical force
multiplier. Both JTF-GNO and JFCC-NW work closely with USCENTCOM
leaders and staff, in Tampa as well as forward in theater, to ensure
vital warfighting networks are robust and defended. We also plan,
synchronize and execute cyberspace operations to deny a widely
dispersed adversary the ability to easily use the Internet to
orchestrate complex operations that target our forces, friends and
allies. Of course, these commands also engage in deliberate planning in
support of other long-term USCENTCOM priorities.
The bright, energetic people assigned to these organizations are
committed to this mission. They work to build the relationships with
USCENTCOM that are so vital to the kinds of sophisticated, synchronized
operations conducted by U.S. forces and Coalition partners. We must
build the same kind of robust relationship with the other Combatant
Commanders and ensure our operational planning and activities are well
integrated with the other global missions for which USSTRATCOM is
responsible.
Mr. Thornberry. Irrespective of service branch, do USSTRATCOM's
cyber warfighters possess the skills necessary to ensure all secure
battlefield communications? Please explain.
General Alexander. Let me begin by saying that no commander can
guarantee battlefield communications will always get through or that
they won't be intercepted by an adversary. The military, by definition,
must be able to operate in a degraded environment. Yet, it is
imperative that we ensure availability and security of communications.
The Department of Defense has come a long way since the President first
assigned U.S. Strategic Command the mission to defend DOD networks in
2002. In Joint Task Force-Global Network Operations and Joint
Functional Component Command for Network Warfare, U.S. Strategic
Command has highly-motivated, well-trained personnel engaged in the 24/
7/365 defense of our vital networks. But we must do more.
Over the years, the Secretary of Defense has provided U.S.
Strategic Command with the authority to direct the operations and
defense of defense networks, known as the ``Global Information Grid''
or ``GIG.'' We have established command and control that begins to
enable the coordinated security configuration and defense of globally
dispersed military networks. We also established baseline standards for
network configuration, readiness standards and incident response.
Service and Joint training are based on these collaboratively developed
standards.
However, even with well-trained and engaged personnel, the
challenges are great. The Internet's open architecture is one of its
principal strengths, but it is also its principal vulnerability. To
defend national interests, DOD's GIG must be reliable, resilient and
its individual components and data must be secured. We must be able to
operate at ``network speed'' to be effective. Without greater machine-
to-machine interfaces, we cannot hope to dynamically configure systems
to contain and defeat the threat of malicious traffic on a real-time
basis--a necessity in this era's battlefield environments. Achieving
much greater unity of effort throughout the Department as well as
information sharing and collaboration with our Intelligence Community,
Law Enforcement and Homeland Security partners as well as leveraging
the expertise of universities, research institutions and private
enterprise is also essential. We must continue to evolve training and
operational exercises to ensure all personnel can appropriately and
quickly leverage the diverse skill-sets needed to secure and defend
military networks in this dynamic domain.
Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and
DISA clearly defined in theater?
General Alexander. Joint Functional Component Command for Network
Warfare (JFCC-NW) and Joint Task Force-Global Network Operations (JTF-
GNO), the two USSTRATCOM components for which I am responsible,
maintain a close and collaborative partnership with NSA and DISA. NSA
maintains a robust forward presence in Iraq and Afghanistan to provide
both cryptologic and information assurance support to deployed forces.
These capabilities support both JFCC-NW and JTF-GNO in their respective
missions of providing support for offensive and defensive cyber
operations. DISA's mission to build, provision and engineer the
backbone of the military networks also serves as a key enabler for JTF-
GNO's ability to direct the operations and defense of these networks.
We use liaison officers and support elements embedded within each
organization to help ensure our activities are mutually supporting and
to avoid conflicting objectives. While each organization has distinct
responsibilities, functions and authorities as defined by law and DOD
regulations, connective tissue between these organizations is naturally
bolstered by the relationships which exist between the Director, DISA
dual-hatted as Commander, JTF-GNO, my role as both Director, NSA and
Commander, JFCC-NW and since November 08, the relationship established
by the SECDEF's decision to place JTF-GNO under the operational control
of JFCC-NW. It is critical that we continue to maintain and strengthen
this connective tissue between our organizations in order to optimize
agile cyber support for combatant commanders and DOD as a whole.
Mr. Thornberry. Should the Department of Defense establish a
``Cyber Agency'' at the same level of the National Security Agency
(NSA) and Defense Information Services Agency (DISA)? Why or why not?
General Alexander. On 23 June 2009, Secretary of Defense Gates
directed the Commander of U.S. Strategic Command (USSTRATCOM) to
establish a subunified U.S. Cyber Command (USCYBERCOM). Since that
time, a STRATCOM-chartered CYBERCOM Implementation Team, with
membership from NSA, DISA, JFCC-NW and JTF-GNO, has been working to
produce a plan which would outline the mission and operating framework
for this command. Both DISA and NSA will play critical roles in the
Command's ability to successfully operate and defend our military
networks.
Mr. Thornberry. To what extent is the cyber domain being integrated
into other domain and domain awareness initiatives (i.e. battlespace,
maritime, air, space)? Please describe.
General Alexander. Cyberspace operations are being integrated with
operations in other domains through a myriad of efforts. These include
developing joint doctrine to inform warfighters of extant capabilities,
tactics, techniques, and procedures; developing cyber force constructs
and associated training; integrating cyberspace operations within joint
force exercises; ensuring cyberspace operations are included in
combatant command plans; and developing initiatives which inform cyber
users by examining culture, conduct, and capabilities. Although still
in initial stages, initiatives to provide decision-makers with holistic
views of the cyberspace domain, similar to the Maritime Awareness
Initiative, are being addressed. Much remains to be done; however, the
increasing national focus on cybersecurity is encouraging and will
provide impetus to DOD and interagency efforts to increase awareness of
this critical domain.
______
QUESTIONS SUBMITTED BY MR. MURPHY
Mr. Murphy. We have heard a lot about how our government's
resources are organized to address the threat posed by cyber hackers,
but if we want to direct our efforts most effectively, it's also
important to know how the hacker community is organized. What do we
know about the culture of hackers, what motivates their actions, and
what political, economic and social forces shape their behavior? It
would seem that the answers to these questions should inform some of
our decisions on how best to organize ourselves.
General Alexander, I understand that a small office at the NSA--the
Institute for Analysis--has done some innovative work to address these
questions about the culture of hackers. Can you briefly describe, in an
unclassified manner, this work and how it is contributing to our cyber
security efforts?
General Alexander.
Background
The Institute for Analysis (IFA) is an NSA-sponsored program
launched in October 2004 with the intent of 1) reaching out to and
engaging external world-class experts in addressing internal
intelligence analytic problems in an unclassified setting and 2)
learning from and applying new or unique analytic processes,
methodologies, techniques, and associated tools developed in the ``real
world'' to improve the overall health of analytic tradecraft at NSA.
The primary vehicle used by the IFA is a ``challenge problem'' which is
essentially an unclassified ``analog'' problem that stands in for/
represents the actual classified analytic problem identified by mission
elements. IFA also facilitates networking between external experts and
analysts and also develops and offers new analytic methodology training
courses to analysts. Since 2008, IFA has been able to increasingly
share these opportunities with other Intelligence Community partners.
The Challenge
In early 2008, an analyst from the NSA/CSS Threat Operations
Center (NTOC) brought the issue of understanding hacker cultures to the
IFA as a potential challenge problem. The analyst understood that
hacker scenes evolve and continue to evolve. In an effort to best focus
his time and resources, the analyst wanted to know if there was a way
to better understand the culture of hacker groups and therefore better
understand the potential for a group of hackers to pose a significant
national security threat. Specifically, he wanted to know the answers
to the following questions:
What motivates hackers?
How do they learn, team up, and execute attacks?
How do their strategies and operations differ from
country to country?
NTOC analysts have a solid understanding of the technical elements
associated with hacking, but they wanted to know more about the
sociological and ``cultural'' aspects. The challenge therefore was to
strengthen analysts' understandings of the human side of hacking: what
motivates hackers; where do they go to learn new techniques; how do
they find out about new technologies; what self-identified hacker
communities have emerged; and finally, what the relationship was, if
any, between relatively benign ``tinkering networks'' and truly
malicious hackers?
What makes this a difficult problem was that virtually all hacker
scenes are animated by a culture of secrecy and anonymity. Many
hackers, and especially those who are likely to be of most interest to
the USG, do not wish to have their activities and habits documented.
Project Scope
There were three specific goals built into this challenge question,
as follows:
1) Systematically identify subcultures within the global hacker
scene, and the key traits that distinguish them from other hacker
subcultures, with a focus on teaming/interaction, learning, technology
use, and motivations with the intent of developing the ability to
``strategically segment'' these subcultures to identify other hackers
of potential interest;
2) Identify how these scenes vary from region to region (or
along other lines, e.g., by generation, motivation, etc.) with
potential concentrations on Russia, China, and/or the Middle East. This
would allow analysts to differentiate the threat matrix by region or
other factors;
3) Research and analyze how these scenes have changed over the
past decade and may continue to change going forward. This will enable
analysts to better anticipate strategic or tactical surprises that may
emerge from the hacker scene.
Two substantive limits were also identified, as follows:
1) This project focused on the culture of hackers and the
hacking scene, not on the wider issue of cybercrime, writ large. That
is to say, the analysts were interested in understanding the habits of
those who like to break into secured computer systems, whatever their
motives, rather than on criminality which just happens to take place on
or via the Internet. Clearly criminals of one sort and another may well
adopt innovations and techniques that emerge from the hacker scene for
their own purposes but that was not the main focus of the challenge
problem;
2) Open source research would focus on the dimensions of the
hacking scene that are most pertinent to national security: penetration
of government systems, disruption of critical infrastructure,
significant intellectual property theft, etc. This scoping excluded,
for example, spambots, the hacking of consumer electronics, defacement
of websites, etc., except insofar as such activities connected in some
tangible way to national security.
Challenge Results
Specific results of this challenge problem provided detailed
descriptions of hacker cultures in two areas of interest to NTOC as
well as a framework that allowed NTOC analysts to rapidly identify,
characterize, and categorize hacking activities based on potential
threats to national security. The framework in particular has already
been integrated into NTOC operations and has resulted in a quantitative
increase in reporting on adversarial capabilities, including
capabilities previously undiscovered using more conventional
techniques. According to NTOC management, this framework has also
resulted in a significant savings of time, measured in man-years, in
the ``discovery'' process.