[House Hearing, 112 Congress]
[From the U.S. Government Printing Office]
[H.A.S.C. No. 112-26]
HEARING
ON
NATIONAL DEFENSE AUTHORIZATION ACT
FOR FISCAL YEAR 2012
AND
OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS
BEFORE THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING
ON
BUDGET REQUEST FOR U.S. CYBER COMMAND
__________
HEARING HELD
MARCH 16, 2011
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13
U.S. GOVERNMENT PRINTING OFFICE
65-593 WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office, http://bookstore.gpo.gov. For more information, contact the
GPO Customer Contact Center, U.S. Government Printing Office.
Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
MAC THORNBERRY, Texas, Chairman
JEFF MILLER, Florida JAMES R. LANGEVIN, Rhode Island
JOHN KLINE, Minnesota LORETTA SANCHEZ, California
BILL SHUSTER, Pennsylvania ROBERT ANDREWS, New Jersey
K. MICHAEL CONAWAY, Texas SUSAN A. DAVIS, California
CHRIS GIBSON, New York TIM RYAN, Ohio
BOBBY SCHILLING, Illinois C.A. DUTCH RUPPERSBERGER, Maryland
ALLEN B. WEST, Florida HANK JOHNSON, Georgia
TRENT FRANKS, Arizona KATHY CASTOR, Florida
DUNCAN HUNTER, California
Kevin Gates, Professional Staff Member
Mark Lewis, Professional Staff Member
Jeff Cullen, Staff Assistant
C O N T E N T S
----------
CHRONOLOGICAL LIST OF HEARINGS
2011
Page
Hearing:
Wednesday, March 16, 2011, Fiscal Year 2012 National Defense
Authorization Budget Request for U.S. Cyber Command............ 1
Appendix:
Wednesday, March 16, 2011........................................ 27
----------
WEDNESDAY, MARCH 16, 2011
FISCAL YEAR 2012 NATIONAL DEFENSE AUTHORIZATION BUDGET REQUEST FOR U.S.
CYBER COMMAND
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Langevin, Hon. James R., a Representative from Rhode Island,
Ranking Member, Subcommittee on Emerging Threats and
Capabilities................................................... 6
Thornberry, Hon. Mac, a Representative from Texas, Chairman,
Subcommittee on Emerging Threats and Capabilities.............. 1
WITNESSES
Alexander, GEN Keith B., USA, Commander, U.S. Cyber Command...... 4
Miller, Dr. James N., Principal Deputy Under Secretary of Defense
for Policy, U.S. Department of Defense......................... 2
APPENDIX
Prepared Statements:
Alexander, GEN Keith B....................................... 48
Langevin, Hon. James R....................................... 33
Miller, Dr. James N.......................................... 35
Thornberry, Hon. Mac......................................... 31
Documents Submitted for the Record:
[There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
Mr. Johnson.................................................. 71
Mr. Thornberry............................................... 71
Questions Submitted by Members Post Hearing:
Mr. Ruppersberger............................................ 76
Mr. Thornberry............................................... 75
FISCAL YEAR 2012 NATIONAL DEFENSE AUTHORIZATION BUDGET REQUEST FOR U.S.
CYBER COMMAND
----------
House of Representatives,
Committee on Armed Services,
Subcommittee on Emerging Threats and Capabilities,
Washington, DC, Wednesday, March 16, 2011.
The subcommittee met, pursuant to call, at 3:50 p.m. in
room 2212, Rayburn House Office Building, Hon. Mac Thornberry
(chairman of the subcommittee) presiding.
OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM
TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND
CAPABILITIES
Mr. Thornberry. As you all can tell, the votes have
discombobulated the schedule. I think we are going to go ahead
and get started in the interest of time.
We appreciate both of our witnesses and all our guests
being here.
The first hearing of this subcommittee posed the question,
What should be the role of the Department of Defense to defend
the country in cyberspace? Today, we ask the same question.
The example we used at our previous hearing was, if a
formation of planes or hostile-acting ships came barreling
towards the Houston ship channel, I think we would have some
sort of idea of what we would expect the Government to do in
protecting those facilities and the Americans in them. But it
is a harder question to say, if a bunch of packets come
barreling through the Internet toward the same facilities, what
would we expect the Government to do to defend them? Is the
Government capable of doing what we expect, and is the
Government authorized to do what we expect?
There seems to be virtually unanimous agreement that the
threat to our country in cyberspace is growing. DNI [Director
of National Intelligence] Clapper testified a few weeks ago
during the worldwide threat hearing that ``the threat is
increasing in scope and scale, and its impact is difficult to
overstate.'' He made a number of other statements in his
testimony, something like two-thirds of U.S. firms report they
have been the victim of cyberspace incidents or information
breaches. Almost half of U.S. computers have been compromised,
according to another survey.
Today, General Alexander--in addition to the questions I
posed, today General Alexander will also give us an update on
Cyber Command and its budget request for 2012 and how it is
doing in accomplishing its mission of defending DOD [Department
of Defense] networks.
But, as Deputy Secretary Lynn wrote in Foreign Affairs,
``The best-laid plans for defending military networks will
matter little if civilian infrastructure--which could be
greatly targeted in a military conflict or held hostage and
used as a bargaining chip against the U.S. Government--is not
secure.''
In sum, I believe that our Government and our country have
not yet come to grips with the unique national security
challenges that cyber poses. The changes in technology have
simply outpaced the modernization of our laws, regulations, and
policies. A great deal of work has been done in this area from,
among others, our witnesses and the distinguished ranking
member of this subcommittee, but yet we still haven't really
grappled with these key issues.
For the last 8 months, Congress has waited to receive the
White House's proposals on cybersecurity. We continue to hear
that they may come soon. But I do note that in his July 1
letter asking for the White House proposals, Majority Leader
Reid and six committee chairmen from the Senate wrote, ``Each
day, the threat to cyberspace--and to the American citizens,
businesses, service members, critical infrastructure, and
Government agencies that depend on it--only increases.''
And they also said, ``Securing the vast digital
infrastructure of our Nation's communications networks and
information systems--our cyberspace--is essential to the future
of our Government, our economy, and the security of our
Nation.'' I would submit, gentlemen, that that is the reason we
are here today.
When Mr. Langevin comes, I will give him the opportunity to
make whatever opening comments he would like to make. But until
then, let me go ahead and yield to our distinguished witnesses
for a summary of their opening statement.
Without objection, your complete statements will be made
part of the record.
Today we have with us General Keith Alexander, Commander of
U.S. Cyber Command and Director of the National Security
Agency, and Dr. James Miller, Principal Deputy Under Secretary
of Defense for Policy.
Thank you both for being with us.
And I presume, Dr. Miller, you will go first.
[The prepared statement of Mr. Thornberry can be found in
the Appendix on page 31.]
Dr. Miller. Thank you, Chairman Thornberry, members of the
subcommittee, thank you for inviting me to testify.
Mr. Thornberry. There is a problem with our sound. We all
may have to really speak up. I worry about the court reporter,
whose job it is to take down every word you say. Jeff will
continue to work on this problem, but if you would like to go
ahead with raised voice.
STATEMENT OF DR. JAMES N. MILLER, PRINCIPAL DEPUTY UNDER
SECRETARY OF DEFENSE FOR POLICY, U.S. DEPARTMENT OF DEFENSE
Dr. Miller. Mr. Chairman and members of the subcommittee,
thank you for inviting me to testify this afternoon. I am very
pleased to join the CYBERCOM [U.S. Cyber Command] Commander and
National Security Agency Director, General Keith Alexander.
As you know, the Department of Defense is investing heavily
in information technology, with $38.4 billion proposed for
fiscal year 2012. We are making that investment because IT
[information technology] is an enormous force multiplier for
military, intelligence, and business operations. Given DOD's
reliance on IT, our proposal to spend $3.2 billion for
cybersecurity in fiscal year 2012, including $159 million for
USCYBERCOM, makes good sense.
As I describe in my prepared statement and as the chairman
alluded to, the threat to DOD and other critical networks is
large and it is increasing. DOD is undertaking five key
cyberspace initiatives to improve our posture, and I would like
to say just a few words about each.
First, in order to properly train, organize, and equip our
forces, DOD recognizes cyberspace as a domain for military
activities, analogous to the maritime, air, land, and space
domains. CYBERCOM, headed by General Alexander, is a key step
in improving our posture.
Because we realize that cyber defense will not always
succeed, all combatant commands and the services must be
prepared to operate in a degraded cyber environment in which
data networks are not fully reliable and access may be
disrupted.
DOD's second strategic initiative is to employ new
operating concepts both for cyberspace hygiene and for active
cyber defenses. DOD's active cyber defenses include a perimeter
defense of the dot-mil Internet domain that screens incoming
traffic for malicious code and malware. And because no
perimeter defense is fail-proof, DOD also hunts for intrusions
on our own networks as well. We look for anomalies like
viruses, worms, and other software that could cause damage to
our networks and systems.
DOD's third initiative is to work closely with other U.S.
Government departments and the private sector to create a
national approach to cybersecurity. On September 27, 2010,
Secretary Gates and Secretary of Homeland Security Napolitano
signed a memorandum of agreement to allow the DHS [Department
of Homeland Security] to draw on the cybersecurity capabilities
already established by the National Security Agency and
USCYBERCOM. A Joint Coordination Element, headed by DHS, now
resides at Fort Meade and at NSA [the National Security Agency]
headquarters.
A great deal of sensitive but unclassified information
resides on the networks of the 2,600-plus cleared defense
contractors that work with our military, and DOD is requesting
$113 million over the Future Years Defense Program to upgrade
this pilot to a full program. We are also exploring other pilot
projects with industry that would allow DOD to further extend
its suite of cybersecurity capabilities to companies in the
defense industrial base.
Our fourth strategic cyberspace initiative is to build
robust relationships with U.S. allies and international
partners. We have already worked particularly closely with
Australia, Canada, New Zealand, and the United Kingdom. And,
over the last year, we have significantly expanded
collaboration with NATO [the North Atlantic Treaty
Organization] to implement the Alliance's emphasis on cyber
defense as agreed in its new Strategic Concept.
Finally, DOD is working to ensure that we stay on the
cutting edge with respect to both people and technology for
cyberspace. We are taking a number of steps to recruit and
retain talented civilian and military cyber personnel,
including better utilizing the incredible expertise resident in
the National Guard and Reserve.
On the acquisition side, it currently takes the DOD's
acquisition processes 81 months, on average, to make new
computing systems operational. That means by the time they are
fielded, they are already three to four generations behind the
state of the art. We are working to get cycles of 12 to 36
months as opposed to 7 or 8 years.
In conclusion, I want to thank the subcommittee for its
focus on cyberspace. As a department, I believe we have made a
lot of progress in developing our approach and in improving
cybersecurity, but we have a lot of work left to do. I look
forward to working with Congress and the subcommittee to
improve our Nation's cyberspace posture as well.
And I look forward to your questions.
[The prepared statement of Dr. Miller can be found in the
Appendix on page 35.]
Mr. Thornberry. I think they are trying to reset the
system, and so they are all off--a fascinating thing to have
happen on a cyberspace hearing. I appreciate everybody's
indulgence.
General Alexander, please proceed.
STATEMENT OF GEN KEITH B. ALEXANDER, USA, COMMANDER, U.S. CYBER
COMMAND
General Alexander. Chairman Thornberry, Ranking Member
Langevin, distinguished members of the committee, it is an
honor and a privilege to be here to testify with Dr. Miller.
Chairman Thornberry, the key points that you made, first,
on where we are and where we are going, I absolutely agree 100
percent. I think you hit that correct.
Thanks for helping us build Cyber Command. I want to hit a
few key points on what we have done, where we are, where we are
going, and why we are at where we are today.
If you recall, a few years ago we looked at the threat.
What Director Clapper said to you was absolutely right: The
threat is growing every day. It is something that we have to
look at from a military perspective. It is the reason we put
Cyber Command at NSA, to leverage our Nation's capability in
cyberspace.
You are seeing what is happening in the commercial sector,
where we are having exploits going on all the time. Seventy-
five percent of the population's computers have been exploited
for criminal purposes. If you look at the amount of activity
that is going on with new devices, the amount of e-mail and
stuff, this area is exploding rapidly--tremendous opportunities
and tremendous vulnerabilities.
In 2008, we had some malware, malicious software, come into
our networks. When that malware hit our networks, it is what
started U.S. Cyber Command, because the Secretary of Defense
realized that we need to bring our defense together with other
capabilities in the Nation, do that at NSA, leverage that
platform.
NSA was one of the initial ones that found the problem,
came up with a solution for it. And when we looked at that,
that is what we need in our Nation, and that is what the
military needs.
We have moved quickly in putting together Cyber Command.
May 2010, we had our initial operating capability. October
2010, full operational capability for the staff. We have stood
up the four components under that, and we are growing capacity.
That will take some time, to build that capacity, but every day
is an improvement.
We are building plans with the other combatant commands to
help in cyberspace. And we are defending and operating the
military networks today--a huge step forward. And we are doing
that by bringing the full capability of the Defense Department
and the intel community together under one roof. I can't tell
you how important that is. It is huge in our capabilities.
So when you look at that, the Defense Department has a
tremendous jump forward in what we are doing and how we are
doing it. And the ability and agility to move quickly between
operations in defense when events like what has happened in
Japan to our networks, we can quickly accommodate, whether it
is a natural disaster or a manmade disaster. I think that is a
huge step forward.
So I wanted to leave time for questions, and I know we have
been asked to go quickly. But there are a few things I would
like to hit that Secretary Lynn hit in the article that you
referenced. He mentioned five key areas about cyberspace; it is
a domain analogous to air, land, sea, and space. He talked
about the active defense, he talked about critical
infrastructure, he talked about partnering with our allies, and
he talked about leveraging technology.
Two of those are key--they are all key, of course--but two
of those are key for this discussion, and that is, how are we
going to defend? And the active defense is what we did in
leveraging what NSA can do with what the Defense Department is
doing.
And, from my perspective, that is key. How are we going to
hunt in our networks? How do we provide a capability that goes
beyond what you can commercially buy, by leveraging our
intelligence community and our military capabilities to help
expand our defense? How do you leverage that global cryptologic
platform as an early warning capability? It is those kinds of
things that we have to look at.
And, finally, when we prove that that is good for the
military networks, I think he made a great point that resonates
with what you said: How do we then extend that, lawfully, while
protecting civil liberties and security, to the rest of
Government and critical infrastructure? And, of course, doing
that right, that is what is taking time, that is what everyone
is working on. I think that is a huge step forward.
I will tell you that one of the things that, from my
perspective, is so important in this area--you know, our Nation
built the Internet. We are the ones that developed this, the
iPad and many of the devices that we have. We are an innovation
nation; we are the ones who came up with that. It seems to me,
we are the ones that ought to solve this security problem. And
we can. And it is going to take a partnership between us and
industry. It is something that we ought to work together. And
we can do this; we just need to drive through it.
Mr. Chairman, that is all I have.
[The prepared statement of General Alexander can be found
in the Appendix on page 48.]
Mr. Thornberry. Thank you. I appreciate your comments.
Let me yield to the ranking member for any comments he
would like to make. And if he wants to go ahead and do his
questions right after that. I yield to him.
STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS
AND CAPABILITIES
Mr. Langevin. Thank you, Mr. Chairman, first of all, for
calling this very important subcommittee hearing.
I want to thank Dr. Miller and General Alexander for being
here today. I want to welcome you.
And, in particular, General, I want to just take a moment
to commend you on the successful stand-up of your new command
over the past months.
And I want to thank you both for appearing today to discuss
what I believe is one of the most important missions and
national security issues facing our Nation today.
It is difficult to fully appreciate the importance of
cybersecurity issues to our national security. From day-to-day
tasks to critical operations, our warfighters depend on the
integrity of our networks.
At the same time, cyberspace itself has become weaponized.
The STUXNET virus as well as massive denial-of-service attacks
successfully targeting our allies in Georgia and Estonia have
given us a glimpse of the damage cyber-weapons can cause.
In some ways, thinking about conflict in cyberspace reminds
us of some warfighting basics. The principles of offense and
defense appear to remain largely the same, but the speed of
information is so fast that complexity increases exponentially.
Also, unlike the land, sea, or air, this virtual, manmade
domain is limitless.
I believe that we must better understand how the United
States should safeguard our critical networks, while at the
same time developing the full spectrum of cyber tools to deal
with conflict in a new environment.
General Alexander, last September, when you appeared before
the Armed Services Committee, I asked you about your role in
defending critical infrastructure from cyber attack that may
reside in other parts of the Government or in private hands.
You noted that your role as head of USCYBERCOM was to protect
only military networks. And that is within your authority, and
it, for the most part, is limited there.
At an Emerging Threats Subcommittee hearing later that day
with the chiefs of our Services' cyber components, I revisited
your answer and asked what they were doing to protect military
bases that solely rely on civilian critical infrastructure.
Their answers, unfortunately, were grim but not unexpected. For
example, Vice Admiral Barry McCullough, head of the Navy's 10th
Fleet, testified that, and I quote, ``These systems are very
vulnerable to attack,'' end quote, noting that much of the
power and water systems for our military bases are served by
single sources that have only very limited backup capabilities.
With an attack like the one demonstrated by Idaho National
Labs in their Aurora experiment on a power station, potentially
requiring weeks or months to recover from, our bases could face
serious problems maintaining operational status. Beyond even
the massive damage to our economy and civilian institutions
that a major attack on our critical infrastructure could have,
clearly this is a vital military concern, as well.
Today, I reintroduced language, which the House passed in
our National Defense Authorization Act last year, which would
enable the White House to better coordinate our Federal cyber
defenses and secure our critical infrastructure. I believe it
is essential that we continue to make progress in managing this
threat.
Although we have not yet faced a catastrophic cyber
attack--and that is very fortunate--I do recognize that every
day we see lower-level intrusions and thefts of everything from
sensitive defense information to information on our financial
system and critical infrastructure, as suggested in numerous
press reports. While I am certainly thankful that we have so
far been spared a major attack, the low level of these
incidents has in some ways hindered our ability to move forward
on solving this issue.
As the commander of CYBERCOM and the director of the
National Security Agency, General, you direct our Nation's most
powerful capabilities in the cyber realm. And I know, from
speaking with you, that you also share my concerns that we have
not yet fully seen the extent of the damage that cyber-weapons
can wreak.
I know that defending against a collapse of our financial
system or a meltdown of our power grid is outside the scope of
the Department of Defense's responsibilities, in many ways, but
if done intentionally, it would still amount to an act of war.
Today, I look forward to discussing and hearing further
about how Cyber Command is growing and how your component
commands are coming on line. I also look forward to hearing how
the Administration is developing an overarching approach to
cybersecurity and how DOD's role may need to evolve.
Most of all, I hope to understand what the Administration
plans to do to fill the gap between these growing threats and
our ability in the public and private sectors to manage them.
What authorities should we examine and what tools can the
Government develop to increase our ability on a national level
to meet these challenges?
Again, I want to thank you both for being here today. I
appreciate your testimony, and I look forward to our question-
and-answer period. Thank you.
Mr. Chairman, with that, I will yield back to you, unless
you want me to go into my questions.
[The prepared statement of Mr. Langevin can be found in the
Appendix on page 33.]
Mr. Thornberry. I think if the gentleman wants to proceed
with his questions, we will operate under the 5-minute rule.
Mr. Langevin. Thank you, Mr. Chairman.
General, if I could, perhaps I would begin with you.
It is clear that if enemy bombers were heading to the
United States and we had actionable intelligence that they were
clearly targeting critical infrastructure within our Nation,
that the Air Force and other components of the military would
take them down. And it is clearly the responsibility of DOD to
stop that attack.
If there were an attack in cyberspace, an attack on the
SCADA [Supervisory Control and Data Acquisition] system, with
the clear intention of taking down sectors of our electric
grid, do you have the authority to stop that attack? And, if
not, who does?
General Alexander. We do not have the authority to stop
that attack. And on the critical infrastructure, I think that
would fall to DHS. DHS has some of the authority, and I think
extending that to critical infrastructure is something that the
Government is addressing in the White House-led legislative
proposals to ensure that we encompass that.
Right?
Dr. Miller. That is right.
Mr. Langevin. General, then, let me ask you this: How do
you think CYBERCOM should work with other Government agencies
and the private sector to leverage the powerful capabilities
that you possess for the protection of networks and
infrastructure not specifically within the dot-mil domain? In
particular--well, let me stop there, and I will come back if I
need to.
General Alexander. To answer that question, I am going to
give you two, Congressman, two pieces of that, break it out
into components.
First, for Cyber Command, technically there are two things
that we can do, the Defense Department and the intel community,
Cyber Command. It is, we can provide malicious software
signatures to help protect that, and early warning. So those
are the two capabilities.
The issue that you raise is, so how do we go about doing
that, the roles and responsibilities between the Defense
Department, DHS, and the intel community? And I think that is
where the partnership that Secretary Gates and Secretary
Napolitano addressed, and their initial memorandum of agreement
in September 2010 is focused on addressing that. We have to
bring those two departments together. I think both Secretaries
see that.
And the intent of that memorandum of agreement is a first
step in how we leverage the capabilities that NSA has to help
DHS. So I think that is a step in the right direction.
Mr. Langevin. General, we know that the Tutelage program is
designed to provide perimeter defense to the dot-mil network.
What is the best way to extend similar protection to the dot-
gov network? And who does that? How do we do it?
General Alexander. I believe the best way is to take that
capability and work with industry to do that in a manner
similar to what we are trying in the Defense Industrial Base
Pilot with DHS and the Defense Department.
In that pilot, the Department of Homeland Security and the
Defense Department are working with the Tier 1 Internet service
providers to provide that technical capability to them, along
with some of the signatures and stuff, to defend a couple of
defense industrial base companies. About 30 of them I think is
what it will end up being. And it is showing that you can do
that, that it scales across that level. We will demonstrate
that with a few of the capabilities that we have.
I think concurrent with that, as we are doing that, we have
to look at the authorities and legislation to do the rest: What
is required, and how do we quickly move to do that?
Technically, we can do that very quickly. We want to make sure
that we then have the authorities to do that, as well. And the
pilot would show that we can do that.
Mr. Langevin. And so then you have touched on, perhaps,
taking the next step. Then, also, what is the best way to
defend the dot-com network, particularly on critical
infrastructure? So much of it is owned and operated in private
hands. How do we then take that to the next step? And where do
those responsibilities and authorities lie?
General Alexander. From a technical perspective, the
easiest way to do that is to partner with the Tier 1 Internet
service providers. Government traffic and critical
infrastructure traffic can be segregated in those areas and
protected by those companies easiest. And our ability to work
with them in a classified environment to ensure they have the
signatures and stuff is probably the technically quickest way
to go and the best way to go. It scales, and it shows it. And
that is what the pilot would do.
If we can do it for the Government, the way the Government
is spread out, that would scale also to critical infrastructure
if we deemed it necessary to do those, as well.
Mr. Langevin. Very good.
I see my time has expired. I have other questions, but
thank you for your answers. And I will yield back at this time.
Mr. Thornberry. I thank the gentleman.
Dr. Miller, let me, just to be clear, ask you: Do you agree
with Secretary Lynn's comments that the best-laid plans for
defending military networks will matter little if civilian
infrastructure is not secure?
Dr. Miller. Yes, sir, I do.
Mr. Thornberry. And my understanding, from the exchange
from Mr. Langevin and General Alexander, is that, currently,
Cyber Command does not have authority to make civilian networks
secure.
Dr. Miller. That is correct. CYBERCOM's mission is to
provide the connectivity and oversight of our networks and to
protect them and to be prepared to conduct full-spectrum
cyberspace operations as directed by the President and
Secretary of Defense.
The National Security Agency, as you know, has provided
technical assistance to our interagency partners, in particular
working with the Department of Homeland Security. And the cyber
pilot program that General Alexander talked about is a great
example of that. We think we need to do more of that and to
move forward as quickly as possible.
Mr. Thornberry. Well, that gets me to the next question. In
the same article, Deputy Secretary Lynn said that the Pentagon
was working with Homeland Security and the private sector to
look for innovative ways to use the military's cyber defense
capabilities to protect the defense industry, as a start.
So what are some of those innovative ways?
Dr. Miller. Sir, the principal one that we are focused on
now in bringing the innovation and new technologies to them is
to look at the application of the systems that you referred to
earlier and that General Alexander spoke about to help on
perimeter defense. That is working with the ISPs [Internet
service providers], as General Alexander noted.
The other side of it, just like for DOD, we need to think
about the cyber hygiene and what we can do internally. We need
to think about how to hunt on our own networks and look for the
problems that may already exist. And we need to work on that
perimeter defense. I think all of those apply, as well, to dot-
gov, to the rest of the Government. And all those principles
apply, as well, to the critical infrastructure in particular,
the 18 designated areas of critical infrastructure.
And so, as we look at what can be done to improve the
posture from where we are today, the legislative proposals that
the Administration is considering could span all of those: What
are the incentives and assistance that can be provided for
cyber hygiene, for example, as well as for the active defense?
Mr. Thornberry. Yeah. Well, as I say, we are anxiously
awaiting those.
Last question: General Alexander, are you convinced that
you can share some of this sensitive information to help
provide greater perimeter defense and protect national security
at the same time?
General Alexander. Mr. Chairman, I am convinced that the
Internet service providers can protect sensitive information.
Mr. Thornberry. Okay.
Let me yield at this point to Mr. Kline.
Mr. Kline. Thank you. Thank you, Mr. Chairman.
And thank you, gentlemen, for being here, for your
testimony.
I find myself still scratching my head over the same issues
that we have heard discussed here, and that is, how do you even
make a distinction between an attack on defense and keep it
separate from an attack on something that is directly related
to defense? A critical infrastructure question. Clearly, if you
shut down the financial system in the United States, it would
affect defense, it would affect everything.
So I want to make sure I am clear on two things. One, I
understand we are all anticipating this prospective
legislation--although I must say, we have way too much
experience in this committee with legislation, putting things
into law, directing the Department of Defense to do stuff, and
then the Department of Defense just deciding not to do it,
frankly.
We have put in law, for example, Mr. Thornberry and I
worked very hard a couple of years ago on the NDAA [National
Defense Authorization Act] directing the Secretary of Defense
and the DNI to come up with a charter for the National
Reconnaissance Office. It is a year and a half late now. It has
been in law, but we haven't seen the results. And I know people
are working. In fact, we have had interim reports.
So while I am delighted that there is prospective
legislation, I am just suggesting that might not be the whole
answer. I trust, General and Mr. Secretary, that you are
working on how to fight this in any case, despite the
legislation.
I want to see if I understand this. I am looking at the
mission of USCYBERCOM as stated here in front of me: Plan,
coordinate, and so forth. And it says, ``and when directed,
conduct full-spectrum military cyberspace operations in order
to enable actions in all domains, ensure U.S./Allied freedom of
action in cyberspace, and deny the same to our adversaries.''
So, if directed, then you would step in and provide
defense, active or passive, in the event of an attack on
infrastructure? Is that correct or not correct?
General Alexander. Well, that is correct as you stated. Let
me just give you, if I could, Congressman, a couple points on
that.
What that really drives to is--as part of my confirmation
hearing, Senator Levin asked a very similar question, which
was, so what does that mean? And the specifics of it are: If we
are overseas in an area of hostilities, Cyber Command would be
operating under Title 10 authorities----
Mr. Kline. Uh-huh.
General Alexander [continuing]. And we would be taking on
the adversary, and we would have the authority to operate in
cyberspace in that case.
The issue becomes a little bit more difficult when you
start looking at cyberspace as a global capability and bouncing
through neutral countries. Now what are the authorities of land
warfare? What are the laws and what are the policies on it? You
have the inherent right of self-defense, but what can you do to
stop somebody in a neutral country? And in cyberspace it is
easy to jump through neutral countries to attack someone. And
the third and the most difficult is what happens if they use
the United States infrastructure to attack the United States?
How do you do that? All of those are key things.
For us to operate overseas, it is an execute order from the
Secretary of Defense and the President. And that is what that
specifically lays out. And that execute order gives us the
authority to operate under those conditions and defines those
conditions for us.
Mr. Kline. What about if it is not overseas, which is kind
of an antiquated, bizarre concept when we are talking about
cyberspace, but what if it is not overseas? Is there a ``when
directed'' still possible here?
General Alexander. That is correct. There is a ``when
directed.'' And that is----
Mr. Kline. And by whom?
General Alexander. It would be by the Secretary of Defense
and the President.
Mr. Kline. Okay.
I have just about run out of time, but very quickly, there
are a number of issues about getting adequately trained
personnel in high-technical areas. It is true in space, and I
would think it would be true in cyberspace.
And so, are you having difficulties or is there anything we
could do that would help you recruit and retain people who can
actually take on this task?
General Alexander. There are some things, Congressman, that
I think we will need to work jointly. And that is, like we do,
proficiency pay for linguists and others, what is it that we
need for our cyber personnel? We are going out to hire, the
services are. Right now, that is not an issue. But the services
are discussing that type of pay for those to get it. We do want
to create a force.
I think the other thing that we are looking at is how do we
collapse some of our military occupational specialties down
into a few that allow us to look at the full spectrum: Defend,
operate, all the way through. I think we need to do that, and
the Services have been wonderful in setting that up. And the
way that we would define that is by looking at how we are going
to operate in those foreign areas, how do we need our forces to
be developed.
This is a very technical area. There is discussion, and we
will evolve how this command works, I think, over the next few
years. We have had great success, on the NSA side, of hiring a
highly talented workforce and keeping them. Our retention is
amongst the best in Government. So I think we can do the same
in cyberspace. And I think we will get a lot of people that
want to take this mission on.
Mr. Kline. Okay. Thank you. I trust you will let us know if
you need legislative assistance.
I yield back. Thank you.
Mr. Thornberry. Mr. Gibson.
Mr. Gibson. Thanks, Mr. Chairman.
And I thank the distinguished panelists here today. I thank
them not only for their testimony, which has been illuminating,
but also for their leadership in this key area. And as we
proceed, you know, given classification issues, if we start to
move into an area, I assume that you will make it clear to me.
But I am interested in probing a little bit further the
issue of unity of effort. And I have a question both on the
governmental side, the whole Government side, and then also on
the private side. I think I will start with the private side;
it looks to be simpler.
Do we have a list of instructions for individuals, what to
do if they sense they are under some kind of cyber attack,
similar to our SAEDA [Subversion and Espionage Directed Against
the Army] instructions of how to report, that we pass out to
infrastructure or proliferate in any way?
Dr. Miller. This is outside the scope of the Department of
Defense responsibilities. What we have is a--as a Government,
working together on a National Cyber Incident Response Plan,
part of that is to clarify what those activities and responses
would be. I think it is fair to say we have some more work to
do there. And I would be happy to respond for the record with
more details.
[The information referred to can be found in the Appendix
on page 71.]
General Alexander. Could I add, Congressman, a couple
things on that? And I did throw that over on Dr. Miller,
because I think the first part is, it is really, how do we
train our teams to hunt and operate within our systems? So
system administrators today need to evolve to people who can
police networks tomorrow.
And when they do that, part of the training that we give
our red, our blue, and some of our what we call green teams is
just what you are talking about. That has to be a continuous
process, not something that happens once every 2 years. So how
do we evolve that force will be a key part of the defense, and
that is part of that active defense that I referred to.
Mr. Gibson. Yeah. Very good. And I think you would
appreciate that standardized reporting format would probably be
helpful as we go forward.
And then, related--now we are in the governmental realm--I
am trying to get a sense of--and I can imagine the challenge
that you have, trying to coordinate this effort toward unity of
effort.
So is this event-driven, or is it battle rhythm-driven? Is
there a working group that meets across the intelligence
communities, the DHS and the DOD? How do you go about
coordinating your effort now, given the challenges that you
have?
General Alexander. Sir, we do have meetings, especially in
the area--let me focus just a little bit more into looking at
malicious software, tactics, techniques, and procedures, people
that are trying to get into the networks. We do have meetings
both within the Government that looks at this--so the Computer
Emergency Response Teams at DHS, within DOD and across the
Government work that.
Private industry, selected parts of those, also participate
in that at times, because they have some expertise. And going
back and forth on those is key. And the reason private industry
is brought in is, some of the signatures for the antivirus
community that private industry creates helps protect
Government systems. And we want to ensure that that is done
right and that they have the full advantage of that.
Mr. Gibson. Thanks very much.
Chairman, I yield back.
Mr. Thornberry. Mr. West.
Mr. West. Thank you, Mr. Chairman and Mr. Ranking Member.
And, sirs, it is a pleasure and honor to see you all here
today.
Four elements of national power, the DIME [Diplomatic,
Information, Military and Economic] theory, and, of course, the
``I'' stands for ``information.'' So I think it is very
important that we recognize that aspect here on this modern
battlefield. And we, you know, congratulate you on standing up
the CYBERCOM.
But this is one of my big concerns: You know, what can we
do to combat the proliferation of Islamic terrorism propaganda
on the Internet? Because I see this as just another weapon on
this modern-day battlefield. And if we are serious about this
global war on terror, this propaganda is truly a tool or a
weapon that they are levying against us.
Now, does that fall under CYBERCOM's purview? And, if not,
who is contending or dealing with that?
General Alexander. I think that is a policy issue, in terms
of whether we choose to stem the flow of radical propaganda and
how. Technically, Cyber Command could be one of the agencies
given that mission to go do. We have not been given that
mission, under either a CT [counterterrorism] or a CYBERCOM
authority.
So I think the question is, one, has a decision been made
to do just that? And, to my knowledge, there is no decision to
block the radical propaganda on the networks. If it was, then
it could technically go to either Cyber Command or one of the
other agencies.
Mr. West. So who makes the decision?
General Alexander. That would be the White House and the
Principals Committee.
Dr. Miller. That would be a decision at the level of the
President and, as the general said, of the Cabinet, as well.
There is no question that this Administration, as past
administrations, are working to counter the ideology that you
spoke about. The Internet has an important role in that, in
terms of how we get our message out. And, obviously, it is part
of how these groups have used--you know, it is something that
these groups have used, as well.
But you have put your finger on a central policy question
that remains, essentially, open.
Mr. West. Well, my fear is that the longer it remains open,
the more we get exploited and the more we get infiltrated
across this country. So at what point in time are we going to
tackle this question?
Dr. Miller. The authorities for dealing with that are not
principally Department of Defense authorities.
General Alexander. And there is one other thing,
Congressman, if I could, on this, just to add on that.
If we see this on U.S. infrastructure and it is wrong, we
can reach out, through the FBI [Federal Bureau of
Investigation], and ask that that be removed. And we have a
high success rate in getting that done. So when we see things
that are particularly wrong, we reach out. And all the
companies, when they see that, they take it off, both here and
global.
Mr. West. Okay.
General Alexander. And so, there is a way of doing that
when we see those. So I didn't want you to think--the way I
answered it is, we are not reaching out and causing it to be
removed globally. We can reach out and ask that it be removed
globally. And we are having a pretty good success at doing
that.
Dr. Miller. And if I could just add very briefly, the ``D''
in your DIME model, sir, the diplomatic effort is absolutely
important.
Mr. West. Absolutely.
Dr. Miller. And that is something that this Administration
has obviously pursued.
Mr. West. Okay. I got it, but, you know, we are getting our
butts handed to us on that means. And when I think about Major
Hasan and some of the things that he was able to utilize the
Internet for, you know, I don't want to see a repeat of those
type of circumstances.
So thank you very much, and I yield back.
Mr. Thornberry. I thank the gentleman. And as I am sure he
knows, there is a number of folks who have served in-theater
who share his frustration, who think there is a lot more we
could be doing but are not doing. And I am very sympathetic
with that view, as well.
General Alexander, let me follow up on what Mr. Kline was
asking about on people. And I know you said you would get back
to us on additional authorities. And you said you have a great
record of retaining people at NSA. But those are not
necessarily military folks who may go through basic training
and all the rest.
Can you get and keep the kind of people you need for
CYBERCOM with the military requirements? Or does there have to
be some greater flexibility than we are used to?
General Alexander. Well, I am an optimist, Chairman. I
think we can, one, get them. I do think it may require more
authorities, but we have to look at that.
And, more importantly, I would like to put forward this
thought: We want NSA to have one certain level, technical level
of expertise that Cyber Command can use. And we want Cyber
Command to have a breadth and a deployment capability.
And so, these two have to work together. And I think we can
do both. I think we can get the service people on one side.
That may require some additional authorities. We have to look
at it and come back to you. And I think we want the NSA
infrastructure to have this technical depth that we can rely on
back and forth. I think that is absolutely vital.
Dr. Miller. I would just briefly add that we owe a report
on this issue, Section, I think, 934 of the National Defense
Authorization Act.
And in addition to the factors that the general talked
about, I think we need to look hard at what we can do under
existing authorities, including making better use of the Guard
and Reserve. That is an essential part of what we need to do.
The type of people that we are looking for will span a
wider range than the profile of people that we--the type of
people that we are looking for with the skills for cyber will
span a wider range than the standard profile for military
service. And we need to have a higher degree of flexibility and
continue to look to target those groups and to work on some of
the pilot programs we have under way now, to work with them and
to have outreach, so they see what DOD can provide for their
education and see that they can make a contribution to national
security, as well.
Mr. Thornberry. Well, we want to work with you. You made an
impression on me in your written statement, General, where you
said this was the thing you were most concerned about, or
however you phrased it.
But, please, go ahead.
General Alexander. I was going to add that--I hate to give
the Navy all the credit here, with him sitting right behind
me--but the Navy Postgraduate School has also started a
master's degree course in January that will produce a master's
in cyber that is a technical degree, either in computer science
or EE [electrical engineering], with the majority of the
courses being in cyber- and cybersecurity-related things.
So that is a step in the right direction and some of the
things that we need to do more of.
Mr. Thornberry. Okay.
Dr. Miller, one hears--and maybe one of you all mentioned
it in your written testimony, back to the authorities issues--
about the military's ability to provide support to civilian
authorities when called upon to do so. How does that fit in a
cyber context?
Dr. Miller. Sir, let me talk about both sides of that, if I
can.
The first, as we were discussing earlier, is that the
Department does recognize that we are dependent on both our
partners in Government, so the dot-gov, and our partners in the
industry to be able to conduct just military operations and to
succeed in those operations so that we have a stake, in
addition to the stake we have in the broader security of the
Nation, we have a stake in just our ability to operate, itself.
The Department of Defense, as you alluded to, has
authorities to provide defense support to civilian authorities
under existing law. And the challenge associated with that in
this area is that it gives a good set of authorities for
responding to an incident. And what is not so clear is that it
gives the appropriate set of authorities to assist in
prevention of attack in the first place.
And as we have looked at possible legislation, we are
looking at what additional authorities may be required for the
Department of Homeland Security so that it can provide that
degree of protection, and then what set of authorities may be
necessary or changes may be necessary for the Department of
Defense to assist in providing that prevention, as opposed to
solely focusing on response.
You have asked exactly the right question. We intend to
address it in legislation. And we understand that there are
legitimate concerns about imposing costs on private industry,
and we need to think through that. But we also understand that,
as we have discussed earlier, that we have a lot of catching up
to do.
Mr. Thornberry. Yeah. Well, and as your answer recognizes,
response after the fact to a cyber event is not really a very
good answer to the challenges we face there.
So, let me just ask about a couple more things, and then I
will yield to the ranking member and Mr. Gibson, if they have
other questions.
Again, I can't remember exactly which of you talked about
this. But there were two efforts under way: One is the Enduring
Security Framework, and the other is the Defense Industrial
Base Pilot.
Could either or both of you all expand a little on what
those are and where we are with them?
General Alexander. The Enduring Security Framework is a
partnership between Government with DHS, DOD, the DNI, and
industry to look at critical cybersecurity issues throughout
the different components from communications devices,
computers, and others.
I think that is a great partnership between the Government
and industry in identifying problems and solutions to those
problems. If we can identify those problems, it has been our
experience that industry, in developing much of that equipment,
will go solve those, free to the Government.
That is a huge step forward, and we have made some
tremendous jumps in that area. I think industry has more than
done their share. It has been a privilege and honor to work on
that. That has been great.
The Defense Industrial Base Pilot takes the technology that
we have within the Department and uses some of that with some
of the Tier 1 Internet service providers to test and ensure
that that would work under the concept that I discussed
earlier, where the Tier 1 Internet providers ensure that we can
do what we are doing now for the Defense Department for these
defense industrial base companies.
Once we have done that, the key is now identifying the
authorities and ensure that we have the authorities to do the
rest of it. So we are only going to do a few narrow things
under the DIB [Defense Industrial Base] Pilot, a few narrow
activities. Once we have shown that we can do those, the rest
of those activities will be added.
We will have to ensure that we have the legal framework for
that and everybody agrees with that for the rest of those. And
that may be parts of the stuff that come forward from the White
House on the legislative proposals that we have.
Dr. Miller. And, sir, if I could add very briefly, the
Enduring Security Framework, we have found that the industry
that participate help both on helping us understand the problem
and working the solution. And that is, as the general said,
very important.
I want to distinguish, as we talk about the DIB Pilot,
there are really two things under way. One is a broad Defense
Industrial Base Pilot, in which we are sharing information
about potential threats and looking at how to do that more
effectively. It has been a two-way street. It has been very
effective. And we are looking to continue that and grow that.
It has been focused primarily on the cyber-hygiene side, if
you will, on defending the networks better. The new element
that the general has been referring to has been added to that,
and we are currently examining how to implement that. We have
called that, for shorthand, the Opt-In Pilot because companies
would opt in to participate on that. And as the general said,
we are working with a number of defense industrial base
companies and several Internet service providers. That has not
yet kicked off. It is something that I hope that we are very
close to initiating.
And by way of analog, it is looking for part of the dot-com
to bring what Einstein 3 is supposed to bring to that dot-gov.
And, as General Alexander said, it is not the full suite, but
we are looking at a way to get started and show that we can do
this and to make it work.
Mr. Thornberry. And about how long would it take, do you
think, to prove that it can work?
Dr. Miller. About 90 days we are looking at to execute this
pilot.
Mr. Thornberry. Okay, good. Thank you.
Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
General Alexander, CYBERCOM has maybe two, maybe, primary
missions among several, but two primary missions: First, to
ensure that our military networks stay online, and, also, to
support our warfighters in their missions around the world.
We talked before about the network defense side of the
issue, but I would like to turn to the second side, if I could,
of support to the warfighter. You rightly recognize that
cyberspace is a new domain, similar to land, air, sea, and
space. How do you make sure that cyber is treated equally and
not just as a supporting entity?
Can you outline the command structure for integrating
nonkinetic cyber effects into both tactical and operational
levels of a conflict? And beyond the use of cyber domain, how
are cyber mission areas different from the electronic warfare
mission areas?
General Alexander. Well, let me start with the first one,
and then I will come back to electronic warfare, if I could.
On the first one, our staff is organized like the rest of
the COCOM staffs, the combatant commander staffs, with the J3,
J5, J2, J6, et cetera. Our planning folks reach out to the
combatant commands, and we are working with those combatant
commands on their plans to integrate cyber into those plans
from both a defense and a full-spectrum capability.
My experience to date is that the commands have jumped on
this. Every one of them has been eager and helpful to do that.
I am extremely pleased that they are rolling this into the full
spectrum. They realize the importance of it, both to defending
our capabilities and extending those out.
If you were to make bubbles on the role of cyber and
electronic warfare, they are going to touch together,
electronic warfare predominantly being looked at primarily
today, if you will, for jamming radars back and forth. I mean,
that is the way we look at it, in physical space by radio
waves. In cyber, we are acting within networks.
You can picture a time in the future where those two may
come together, and it may be that the Department begins to
bring some of that together, from both a technical perspective
and an operational perspective. We are not there today because
the way we build our EW [electronic warfare] capabilities is
separate and apart, as part of the defensive systems of
aircraft and other things like that.
I did go to school in some of that, so I do understand
those parts. And I think you can see them coming together as
the digital technology matures.
Mr. Langevin. Thank you. Anything else in the area of
electronic warfare that you want to get into?
General Alexander. Not that I can think of, Congressman.
Mr. Langevin. Okay.
Dr. Miller, and also to you, General, in addition to the
$159 million provided in the President's fiscal year 2012
budget to support CYBERCOM, what other costs are associated
with cyber operations across the Department for fiscal year
2012? To what extent will DOD's current efficiency and cost-
saving efforts impact CYBERCOM's current and future
cybersecurity funding, if at all? And to what extent is DOD
taking steps to ensure that CYBERCOM and associated military
components are organizing in a manner that prevents or
minimizes duplication?
Dr. Miller. Sir, let me first say, glad to provide for the
record the breakdown of the costs in more detail than I did in
my prepared statement. What I could do is refer to a $3.2
billion total for cybersecurity and the $159 million associated
with USCYBERCOM.
The other--the largest single category is information
assurance, which includes our public key infrastructure and key
management initiative. That is at a little over $2 billion for
fiscal year 2012.
Rather than go through each of the other categories, I
would just, I guess, add, we have noted the importance of
science and technology, and about $258 million of that is in
the S&T realm. We will provide the rest of those, if you like,
for the record.
As we look at the work on efficiencies and the importance
of both saving money and improving security--I will turn it
over to General Alexander--one of the most innovative and
interesting ideas and concepts for how to pursue those in
tandem is to look at how we can move to a cloud-based
architecture in a way that improves security.
If we do it the wrong way, it could increase our
cybersecurity challenges. If we do it appropriately over time
and move to virtualization of some of the, if you will,
interior of the architecture, we will have the ability to
present a much more challenging target to those who want to
attack us.
I think General Alexander can speak in much more detail
than I can to that issue.
General Alexander. Congressman, let me answer two parts of
that, taking off from what Dr. Miller said.
First, on the IT efficiencies, one of the things that we
looked at: What was the best way that we could help secure the
Defense Department's networks, given the vast topology of those
networks? And it was our opinion that the best way was to go to
a thin cloud, virtual cloud environment, analogous to the way
that Google, AT&T, and others are doing, but do that for the
Defense Department.
As we looked at that, we also believe that we can do that
more efficiently in terms of manpower and moneys. That is yet
to be proven, but it does give us a much more defensible way.
So the IT efficiencies is something that Secretary Gates
has pushed out that we are looking at how can we now help do
that. And what our intent is, if we can do this right, we can
now take part of the workforce that we have in IT and train
them to be full-spectrum cyber capability. That is something
that, working with the service, will help build the capacity
quicker, that I mentioned is that shortfall.
So I think that is one of the things that we are looking
at. We have discussed it with the service chiefs. That is
something that we have to walk through. The service components
are looking at it. That is a huge step. Now, to get there, NSA
is actually testing out parts of that right now in our
infrastructure, and we will prove that that is right.
The other thing, that duplication of effort, I would just
tell you that that is one of the things, as a CYBERCOM
commander, that I take very seriously. How do we ensure that
the services are doing this as a joint team versus each one of
them doing the same tool four times?
We have great cooperation with the services in doing that.
Our components said, we are bringing all of that together. Our
J3 and J5 will take that on. Our suite of tools will be looked
at and scrubbed in that way. And we have already started that
with our planning process.
Mr. Langevin. Very good.
With that, gentlemen, thank you very much for your
testimony. I know that this is an enormous challenge that we
all face in cyberspace, and I just appreciate your dedication
and the work you are doing.
Thank you.
Mr. Thornberry. Mr. Gibson.
Mr. Gibson. Thanks, Mr. Chairman.
And, really, just a summary of what I am taking away from
the hearing and from also reviewing the written testimony, I
think Cyber Command is doing a tremendous job in gaining
situational awareness, getting organized, trying to get their
arms around the threat and to take concerted action.
But, to a degree, our country is hampered, the effort
toward unity of effort--that we need mission clarity,
authorities, legal framework, and organizational design. And
what strikes me is that these are similar findings to the QDR
[Quadrennial Defense Review] independent panel and the need
towards looking at both congressional, organizational reform so
that we can facilitate better, legislate better, and provide
better oversight, and then also executive reform, executive
branch reform, so that the DOD can get the guidance it needs to
move forward.
So these are areas of interest to me, Mr. Chairman. And I
look forward to--I appreciate you calling this hearing and the
testimony from our expert witnesses here. And I look forward to
working with you as we go forward.
I yield back.
Mr. Thornberry. I thank the gentleman.
The areas he identified are also of interest to me, as he
knows, so I want to pursue it along with the gentleman.
General Alexander, following up on your conversation with
Mr. Langevin, do you have the authority you need, as CYBERCOM
commander, to eliminate duplication in the services?
General Alexander. I believe I have all the authority I
need to eliminate duplication with the services. More
importantly, I have their support in doing it. They want to do
this. It makes sense. Nobody is pushing back. The key is
finding all of that for all of us, because there is a lot of
ingenuity that goes on.
To date, I have not found anyone that has pushed back on
that. I believe that, through both the Joint Staff and the JROC
[Joint Requirements Oversight Council] process, we can push
that. And through the Deputy Secretary and the policy level, we
will get all the support we need. I don't see any issues with
that. It is more of just making sure that they surface.
Mr. Thornberry. I am always concerned when something
becomes a very, you know, high-priority issue, then all sorts
of programs have that label put on them to take advantage of
the budgetary things that go with it. And ferreting out what is
real and needed versus what may be an effort to gain more of
the defense pie is an important capability, I think, for you to
have.
Can you talk a little more generally, though, about budget?
Obviously, we are going to be in a limited budget for the
Government, for the Defense Department for some years to come.
As we think about cyber and spending money, you know, it
doesn't cost very much money to send an electron through a
fiberglass pipe. But where is our money going to have to go in
order to defend the country properly? I mean, I assume people
has got to be number one.
But can you elaborate, not just on this year's budget, but
on those trends over the next several years and what you see
the most growth in when it comes to cyber?
General Alexander. Chairman, I think you hit it on the
head. People is the big thing here in cyber and for our future.
Investing in people is key.
We are building capacity. And, as you correctly noted, that
is one of the key things that we have to go build and go work,
and the Services are helping us do that. In my budget, both the
military and the civilian side, that is the biggest portion of
the budget--
people.
The next is facilities to operate in, the IT infrastructure
that we need to operate. That accounts for another 25 percent
of the budget. And operations is the last part. So, if you
break it out, people is the biggest share of the budget.
One of the things that I would just highlight is we did
look at building an integrated cyber center that brings
together all the different elements that we have within the
Department, all the different centers within our Department and
potentially across the Government into one facility that allows
us to operate seamlessly from peace time to crisis, back and
forth. I think that is huge, and in this budget here is the
planning and development of that
facility.
Dr. Miller. Sir, if I could add very briefly, for overall
IT, the request for fiscal year 2011 was $36.6 billion, for
2012 was $38.4 billion. We actually hope that that number will
come down over time, as we move to a different architecture and
be able to make some savings there.
For overall expenditures relating to cybersecurity, the
numbers, in fiscal year 2010 the number was about $2.96
billion, 2011 request was $3.2 billion or a little under, and
for 2012 we are a little over $3.2 billion.
So we have increased somewhat. Particularly, I think, we
are focusing those resources better, as we look to, for
example, increase substantially how much we hunt on our own
networks and so forth. But we would be happy to provide the
next level of granularity, if you like. I am afraid that if I
did it real-time, you would, you know----
Mr. Thornberry. Yeah. The staff could take it, but I am not
sure that I could. But it is, I think, helpful for us to see
the longer-term trends, because I think we are all going to be
challenged in that regard.
Dr. Miller, one thing we really haven't touched on too much
today is the whole subject of international cooperation in
getting any of this done. We have talked about how geography
doesn't matter very much in cyber, but can you just briefly
touch on the international aspect of this?
Dr. Miller. Sir, I would be very glad to.
As I had talked about before, working with our
international allies and partners is one of the key five
initiatives that we have under way as part of our strategy. So
we recognize its importance. And we recognize that, because we
operate in fighting the coalition, that the security of our
information, the security of our operations is also going to be
dependent on the security of our partners' and allies'
networks, as well.
As we have begun really pushing out on cybersecurity
efforts internationally, the first focus--I should put that
differently--a very significant focus has been on working with
our allies, Great Britain, Australia, New Zealand, and Canada.
We have long-standing relationships with them on intelligence
issues, and that has been a good foundation for what we do in
cyber, as well.
A very significant effort over the last year with NATO. And
having cybersecurity being one of the key thrusts of the NATO
Strategic Concept that was brought forward at the Lisbon
summit, I think, is a good accomplishment. The cybersecurity
center that has been established has begun to operate, and we
have a lot more work to do there in NATO, in terms of
implementing that effort.
We have also worked with other partners and allies around
the globe, including, for example, the Republic of Korea and
Japan, and are beginning to have, I think, useful conversations
there.
One of the other areas, sir, that I just want to add is
that we need also to have conversations about cyber and other
strategic issues with Russia and with China. I think we have
made some headway with respect to Russia and having the initial
conversations on cybersecurity. Our lead on this for the
national security staff, Howard Schmidt, took a team there just
a little over a month ago to have this--to begin this
conversation. And so far, with China, we have not yet really
been able to have the same level of conversation.
I think transparency and understanding about how each of us
approaches this challenge is very important to avoid any
misunderstandings or miscalculations.
Mr. Thornberry. Finally, for me, I think, General
Alexander, if you had to grade our ability to defend DOD
networks, what sort of grade would you give us at this stage,
like, A through F?
General Alexander. I would give us today probably a C,
going up. And the reason I say a C is, we are working extremely
hard on building the hardening part of our networks. We have
done an awful lot of work to bring in the host-based security
system and made tremendous movements. And we are moving in that
range and building that up and training the force and hardening
that. And it has made tremendous progress over the last 2
years. When you looked at the problems we had on our networks a
few years ago to where we are today, it is a huge improvement.
I would like to say an A, but I think it is going to take
some time to get us to an A. And an A is where I believe nobody
could penetrate that network. But we have made it extremely
difficult for adversaries to get in, and every day we improve
that.
And that has the visibility and support of the Joint Staff
and the Secretary. They have personally gotten involved. I had
to take the reports up to both of them. And they are looking at
that across all of the services. And each of the services are
working it hard. We do that by network, by service, by COCOM,
by agency. And we are looking at it in a very detailed way on
our network operations and network security.
But I would say a C today and going up.
Mr. Thornberry. Well, and the ``going up'' was really my
follow-up question. In earlier hearings, we have heard
testimony that the advantage is with the attacker, and not only
that, but the gap is growing so that the attacker has more
advantage, if you look at the Internet as a whole, and versus
the attempts to defend.
But I take it from what you have said that that gap, when
it comes to defending military networks, is closing, that our
ability to defend is--well, as I say, the gap is closing versus
the attackers. Is that right?
General Alexander. That is correct.
Mr. Thornberry. A significant difference from what we have
heard from the civilian infrastructure, I would say.
I understand Mr. Johnson has a question.
Mr. Johnson. Yes, I do. Thank you, Mr. Chairman, for
holding this very important hearing.
And we certainly need to be attuned to the fact that, for
us to get on the dean's list, General Alexander, we are going
to have to spend a lot more money than we are spending, and we
will have to spend in accordance with long-term budgets, as
opposed to short-term continuing resolutions. And it is the
welfare of the people that is at stake.
Dr. Miller, you are, no doubt, familiar with the firm
Palantir Technologies, are you not?
Dr. Miller. I am not deeply familiar. I know the name, sir.
Mr. Johnson. And what about Berico Technologies?
Dr. Miller. I also know the name.
Mr. Johnson. All right.
General Alexander, have you worked with Palantir in any of
your official capacities?
General Alexander. I am familiar with it. We have seen some
of their technology, and they have demonstrated that. I am not
sure of the number of contracts that we have with Palantir, to
be honest.
Mr. Johnson. What about Berico?
General Alexander. The same. I know the name. I would have
to go back and look and see exactly what the contracts are with
Berico.
Mr. Johnson. General, can you explain what services and
capabilities those two firms offer to the Department of Defense
and the intelligence community?
General Alexander. My recollection of Palantir was a way of
visualizing what is going on in the networks. One of the
problems that we have is, how do you see what is going on in
cyberspace? How do you actually see a network in a way that is
meaningful to help defend and operate that? Especially if you
have a network that has 15,000 different enclaves and all these
different pieces, how do you make that meaningful?
And my recollection, working with Palantir, was, here is an
idea that we could use for how to look at networks and how to
secure it. We are looking at multiple options for how you
actually see that. That is one of the things I think I put in
my statement, you know, situational awareness, how do you
actually see? I think that is an important step for us to all
have that common situational awareness.
Mr. Johnson. Are those tools that are developed for use by
the defense and intelligence communities by those contractors,
do those contractors have the ability to use those tools, or
the authority, actually, to use those tools in the private
sector? Can they market those tools, in other words, to the
private sector?
General Alexander. I think every contract is written
differently that gives you authorities to do things, and I
would have to go look at how those contracts were written. I am
not personally familiar with the contracts, so I would have to
go look at that. And I don't know who those contracts are with
specifically, so I would have to check that out.
But, generally speaking, in the development of a tool or a
capability, in the contract it specifies whether that can be
used broadly or whether it can be used only for the Government.
And it depends on where it is being developed, for whom, and
how.
Mr. Johnson. Dr. Miller, anything you want to add on that?
Dr. Miller. Sir, General Alexander has it exactly right.
And I can't provide any more details. We would have to go back
and look at the individual contracts to answer those questions.
Mr. Johnson. Dr. Miller, would you be so kind as to provide
my office with the DOD contracts with Palantir Technologies,
Berico Technologies, and the firm HBGary Federal as soon as
possible?
Dr. Miller. Sir, I will do everything possible to do so.
What I will need to do is, frankly, talk to our general counsel
and make sure that the provision of that type of information is
allowed contractually. And, in any case, we will get back to
you as quickly as possible with as much information as
possible.
Mr. Johnson. The contract could bar the executive branch
from providing information to the legislative branch?
Dr. Miller. No. No, sir. I guess I would like to be able to
provide that information to you, and without knowing all the
organizations within the Department that have the contracts, I
am going to have to go back and--it will take a bit of time to
be able to map that out.
And I also need--I need to have an assessment of whether or
not--not of whether or not to provide the information, but in
what form to provide the information to you. If you are asking
for just the stack of contracts, I will say I will take that
back to the Department and----
Mr. Thornberry. Yeah, Dr. Miller, if you would take the
request back, get the lawyers to look at it, see what is
possible. If it is not possible to provide the information the
gentleman is asking, if you would ask the appropriate folks at
the Department to let us know why. And, also, any information
provided, of course, we would ask that it be provided to the
whole subcommittee, so that all members can have it.
[The information referred to can be found in the Appendix
on page 71.]
Mr. Thornberry. Does that sound good?
Mr. Johnson. Yes. Thank you, Mr. Chairman. And that will
conclude my questions.
Mr. Thornberry. I thank the gentleman.
And I thank the witnesses very much for being here to
testify, for your patience with our delays and other problems,
which were rapidly solved.
Dr. Miller. Mr. Chairman, if I might, in response to an
earlier question about what the Government is doing with
respect to radical groups' propaganda, I said it was an open
policy issue. If I could have just a moment, I would like to
clarify?
Mr. Thornberry. Sure.
Dr. Miller. What I should have said is that it is a
recurring, ongoing policy issue; that these issues need to be
dealt with on a case-by-case basis; that, as the Congressman
said, it is all the tools available to us, including diplomatic
tools; and that, on a case-by-case basis, there will be a
question about our desire to promote free speech and our real,
not just desire, but requirement to protect our forces and our
people.
And so I just wanted to--it is not a question of whether
the issue is addressed. It is a question of how, in each case.
And one would have to get down to the ``eaches'' to respond
effectively.
I appreciate the opportunity to clarify that, sir.
Mr. Thornberry. No, I appreciate you bringing that. And I
will also talk to Mr. West about my Smith-Mundt Repeal Act. It
may be of interest to him as we pursue those issues.
So, again, we thank you all very much for being here, for
the work you are doing in this area. And we anxiously await the
Administration proposals so that we can all get to work on
specific things.
With that, the hearing is adjourned.
[Whereupon, at 5:07 p.m., the subcommittee was adjourned.]
?
=======================================================================
A P P E N D I X
March 16, 2011
=======================================================================
?
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
March 16, 2011
=======================================================================
[GRAPHIC] [TIFF OMITTED] T5593.001
[GRAPHIC] [TIFF OMITTED] T5593.002
[GRAPHIC] [TIFF OMITTED] T5593.036
[GRAPHIC] [TIFF OMITTED] T5593.037
[GRAPHIC] [TIFF OMITTED] T5593.023
[GRAPHIC] [TIFF OMITTED] T5593.024
[GRAPHIC] [TIFF OMITTED] T5593.025
[GRAPHIC] [TIFF OMITTED] T5593.026
[GRAPHIC] [TIFF OMITTED] T5593.027
[GRAPHIC] [TIFF OMITTED] T5593.028
[GRAPHIC] [TIFF OMITTED] T5593.029
[GRAPHIC] [TIFF OMITTED] T5593.030
[GRAPHIC] [TIFF OMITTED] T5593.031
[GRAPHIC] [TIFF OMITTED] T5593.032
[GRAPHIC] [TIFF OMITTED] T5593.033
[GRAPHIC] [TIFF OMITTED] T5593.034
[GRAPHIC] [TIFF OMITTED] T5593.035
[GRAPHIC] [TIFF OMITTED] T5593.003
[GRAPHIC] [TIFF OMITTED] T5593.004
[GRAPHIC] [TIFF OMITTED] T5593.005
[GRAPHIC] [TIFF OMITTED] T5593.006
[GRAPHIC] [TIFF OMITTED] T5593.007
[GRAPHIC] [TIFF OMITTED] T5593.008
[GRAPHIC] [TIFF OMITTED] T5593.009
[GRAPHIC] [TIFF OMITTED] T5593.010
[GRAPHIC] [TIFF OMITTED] T5593.011
[GRAPHIC] [TIFF OMITTED] T5593.012
[GRAPHIC] [TIFF OMITTED] T5593.013
[GRAPHIC] [TIFF OMITTED] T5593.014
[GRAPHIC] [TIFF OMITTED] T5593.015
[GRAPHIC] [TIFF OMITTED] T5593.016
[GRAPHIC] [TIFF OMITTED] T5593.017
[GRAPHIC] [TIFF OMITTED] T5593.018
[GRAPHIC] [TIFF OMITTED] T5593.019
[GRAPHIC] [TIFF OMITTED] T5593.020
[GRAPHIC] [TIFF OMITTED] T5593.021
[GRAPHIC] [TIFF OMITTED] T5593.022
?
=======================================================================
WITNESS RESPONSES TO QUESTIONS ASKED DURING
THE HEARING
March 16, 2011
=======================================================================
RESPONSE TO QUESTION SUBMITTED BY MR. THORNBERRY
General Alexander. In accordance with the requirements of Section
934, of the FY11 National Defense Authorization Act, the Office of the
Secretary of Defense is drafting a report to Congress on the Cyber
Warfare Policy of the Department of Defense. The department is
currently coordinating the response to that reporting requirement to
meet the extended July 1, 2011 report due date. [See page 12.]
______
RESPONSE TO QUESTION SUBMITTED BY MR. JOHNSON
Dr. Miller. [The information referred to is classified and retained
in the subcommittee files.] [See page 24.]
?
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
March 16, 2011
=======================================================================
QUESTIONS SUBMITTED BY MR. THORNBERRY
Mr. Thornberry. What is the average cost of a breach in the
Department of Defense for mission critical systems as measured in
either dollars or degraded mission capability?
Dr. Miller. [The information was not available at the time of
printing.]
Mr. Thornberry. What do you estimate the overall loss for breaches
is in the DoD or by Military Service element?
Dr. Miller. [The information was not available at the time of
printing.]
Mr. Thornberry. As outlined by the DOD's Strategic Management Plan,
the DOD currently has a strategic performance goal to protect its IT
infrastructure. The key measure of performance to meet that goal is the
percentage of IT systems that are compliant with certification and
accreditation processes. Considering the importance of this mission,
shouldn't we have a more robust set of performance measures related to
cyber? If so, what do you think those additional metrics should be.
Dr. Miller. [The information was not available at the time of
printing.]
Mr. Thornberry. How do Defense Support to Civil Authorities (DSCA)
authorities in the DOD work in the realm of cyber?
Dr. Miller. [The information was not available at the time of
printing.]
Mr. Thornberry. What progress has U.S. Cyber Command and/or DOD
made in developing a lexicon for cyberspace-related terms that can be
used throughout DOD and across the federal government?
General Alexander. Within the DoD, lexicons are strongly linked to
doctrine. The Joint Staff J-7 authorized the development of cyberspace
operations test doctrine, including a proposed cyber lexicon, in
December of 2009. By April 2010, the J-7 published a draft of Joint
Test Publication (JTP) 3-12, Cyberspace Operations. After an initial
round of coordination, the Evaluation Draft of JTP 3-12 was released in
September 2010 to be evaluated for effectiveness by use in exercises
and operations.
Mr. Thornberry. How is U.S. Cyber Command working with the services
and DOD to ensure that they have the right mix of military, civilian,
and contractor personnel to conduct cyberspace operations?
General Alexander. United States Cyber Command (USCYBERCOM) is a
key contributor along with the Office of the Under Secretary of
Defense, Policy, the Office of the Assistant Secretary of Defense
(Network and Information Integration) and the Department of Defense
(DoD) Chief Information Officer, the Services, and other partners
within the DoD Cyber Community of Interest to finalize the Cyber
Workforce Development Study in response to the Defense Planning
Programming Guidance. The goal of this study is to assess the current
and future DoD cyber workforce requirements (including DoD civilians,
contractors, and active and reserve components). USCYBERCOM's focus in
this effort is providing information on cyber work roles and training
requirements. USCYBERCOM will continue engagement and provide
recommendations for recruiting, training, and retaining the cyberspace
workforce and associated resourcing requirements for implementation.
Mr. Thornberry. How do Defense Support to Civil Authorities (DSCA)
authorities in the DOD work in the realm of cyber?
General Alexander. Consistent with the authorities granted in
Department of Defense (DoD) Directive 3025.dd, United States Cyber
Command (USCYBERCOM) may provide Defense Support to Civil Authorities
(DSCA) assistance as directed by the President or Secretary of Defense
(SECDEF).
USCYBERCOM works closely with US Strategic Command and US Northern
Command to answer any routine Requests for Assistance (RFA) from the
Department of Homeland Security (DHS). A 26 Sept 2010 memorandum signed
jointly by the Secretaries of Homeland Security and Defense solidified
the support relationship between DoD and DHS making collaboration
between the two departments official policy. It encourages information
sharing and mutual support.
USCYBERCOM assistance may be technical assistance or
recommendations for immediate defensive actions; similarly, they might
entail recommendations for more systemic mitigation, such as
improvements in network configurations and improvements in information
assurance measures or best practices. Additionally, USCYBERCOM
continually assesses the cyber threat to DoD's military networks and
information systems to ensure we are prepared to provide support to
civil authorities in the event of a cyber threat to the nation's
critical infrastructure. If a major cyber event struck the nation,
however, SECDEF would determine the most appropriate combatant command
to lead the DSCA effort.
Mr. Thornberry. DHS recently tested something called the National
Cyber Incident Response Plan as part of CyberStorm III. Do you have any
insight into how effective that plan was during the exercise? What
should the interagency community, including DOD and the Intelligence
Community, take from that plan?
General Alexander. [The information referred to is classified and
retained in the subcommittee files.]
Mr. Thornberry. What transition pathway courses of action do you
envision for the DARPA National Cyber Range (NCR)? What role do you
envision for CYBERCOM in that transition process?
General Alexander. United States Cyber Command (USCYBERCOM)
considers the National Cyber Range (NCR) as the prototype development
portion to the larger Cyber Range Environment (CRE) initiative. DARPA
is the NCR lead with prototype completion projected for mid-/late-FY12.
Transition funding for FY13 and out-year sustainment are undetermined
at this time.
Currently, there are three possible courses of action:
1) Once NCR prototype development is completed in FY12, provide
adequate transition and sustainment funding and advocate integration
into the larger CRE ``whole of government'' range that Department of
Homeland Security (DHS), Industry and Department of Defense (DoD) could
use for operational training and experimentation and testing of future
technical architectures.
2) Complete NCR prototype development as scheduled in FY12, and
operate as a stand-alone range for specific/limited DHS, Industry and
DoD use for experimentation and testing.
3) Complete NCR prototype development, and offer technology/
software tools to other existing DoD/Federal government ranges for
reuse/integration without a transition or any sustainment program
considerations.
USCYBERCOM's sees potential in this prototype effort, and envisions
our role as providing support/operational expertise to DARPA with
potential use cases, lessons learned, and possibly assist with
technology transition under whichever course of action is chosen.
______
QUESTION SUBMITTED BY MR. RUPPERSBERGER
Mr. Ruppersberger. U.S. Cyber Command was stood up at Fort Meade
and reached full operational capability in the Fall of 2010. What do
you expect to be the final footprint of CYBERCOM will be?
General Alexander. With regard to the United States Cyber Command
(USCYBERCOM) personnel footprint, the current planning projections for
FY11 are approximately 1,404 military, civilian, and contractor
personnel. The demographic for the personnel footprint includes 260
Officers, 204 Enlisted, 467 Civilians, 237 Contractors and 236
Augmentees. The USCYBERCOM footprint planning projections include space
to support a ten percent increase in the staffing to support Combatant
Commands, other government agency liaisons and integrated personnel as
well as military reserve support. The National Security Agency (NSA)
provides current facility support through existing owned and leased
facilities. FY13 begins the military construction (MILCON) of the
Integrated Cyber Center (ICC). This FY13 MILCON establishes
USCYBERCOM's Joint Operations Center (JOC) and will accommodate the
command's most critical cyber warriors.
|
NEWSLETTER
|
|
Join the GlobalSecurity.org mailing list
|
|
|
