[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
[H.A.S.C. No. 112-118]
HEARING
ON
NATIONAL DEFENSE AUTHORIZATION ACT
FOR FISCAL YEAR 2013
AND
OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS
BEFORE THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING
ON
BUDGET REQUEST FOR INFORMATION TECHNOLOGY AND CYBER OPERATIONS PROGRAMS
__________
HEARING HELD
MARCH 20, 2012
U.S. GOVERNMENT PRINTING OFFICE
73-790 WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
MAC THORNBERRY, Texas, Chairman
JEFF MILLER, Florida JAMES R. LANGEVIN, Rhode Island
JOHN KLINE, Minnesota LORETTA SANCHEZ, California
BILL SHUSTER, Pennsylvania ROBERT ANDREWS, New Jersey
K. MICHAEL CONAWAY, Texas SUSAN A. DAVIS, California
CHRIS GIBSON, New York TIM RYAN, Ohio
BOBBY SCHILLING, Illinois C.A. DUTCH RUPPERSBERGER, Maryland
ALLEN B. WEST, Florida HANK JOHNSON, Georgia
TRENT FRANKS, Arizona KATHLEEN C. HOCHUL, New York
DUNCAN HUNTER, California
Kevin Gates, Professional Staff Member
Mark Lewis, Professional Staff Member
James Mazol, Staff Assistant
C O N T E N T S
----------
CHRONOLOGICAL LIST OF HEARINGS
2012
Page
Hearing:
Tuesday, March 20, 2012, Fiscal Year 2013 National Defense
Authorization Budget Request for Information Technology and
Cyber Operations Programs...................................... 1
Appendix:
Tuesday, March 20, 2012.......................................... 29
----------
TUESDAY, MARCH 20, 2012
FISCAL YEAR 2013 NATIONAL DEFENSE AUTHORIZATION BUDGET REQUEST FOR
INFORMATION TECHNOLOGY AND CYBER OPERATIONS PROGRAMS
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Langevin, Hon. James R., a Representative from Rhode Island,
Ranking Member, Subcommittee on Emerging Threats and
Capabilities................................................... 2
Thornberry, Hon. Mac, a Representative from Texas, Chairman,
Subcommittee on Emerging Threats and Capabilities.............. 1
WITNESSES
Alexander, GEN Keith, USA, Commander, U.S. Cyber Command, U.S.
Department of Defense.......................................... 5
Creedon, Hon. Madelyn, Assistant Secretary of Defense for Global
Strategic Affairs, U.S. Department of Defense.................. 7
Takai, Hon. Teresa, Chief Information Officer, U.S. Department of
Defense........................................................ 3
APPENDIX
Prepared Statements:
Alexander, GEN Keith......................................... 51
Creedon, Hon. Madelyn........................................ 72
Langevin, Hon. James R....................................... 34
Takai, Hon. Teresa........................................... 36
Thornberry, Hon. Mac......................................... 33
Documents Submitted for the Record:
[There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
[There were no Questions submitted during the hearing.]
Questions Submitted by Members Post Hearing:
Mr. Franks................................................... 89
Mr. Langevin................................................. 83
FISCAL YEAR 2013 NATIONAL DEFENSE AUTHORIZATION BUDGET REQUEST FOR
INFORMATION TECHNOLOGY AND CYBER OPERATIONS PROGRAMS
----------
House of Representatives,
Committee on Armed Services,
Subcommittee on Emerging Threats and Capabilities,
Washington, DC, Tuesday, March 20, 2012.
The subcommittee met, pursuant to call, at 2:22 p.m., in
room 2212, Rayburn House Office Building, Hon. Mac Thornberry
(chairman of the subcommittee) presiding.
OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM
TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND
CAPABILITIES
Mr. Thornberry. The hearing will come to order. And again,
let me thank our witnesses for your patience as we deal with
the schedule which we cannot control. But I appreciate you all
being here.
Let me welcome our witnesses and guests to this hearing on
the Department of Defense 2013 Budget Request for Information
Technology and Cyber Programs.
I appreciate General Alexander and Ms. Takai being back
with us. And it is good to see Ms. Creedon here in a somewhat
different capacity than we have worked before.
It is striking to me that in the written testimony, General
Alexander says in effect that things have gotten worse in cyber
over the last year.
We talked last year about the growing threat and our
difficulty in catching up. And despite the successes of Cyber
Command over the past year, which I do not discount in any way,
it still seems to me that the dangers to our Nation in
cyberspace are growing faster than our ability to protect the
country.
I think it is significant that the Speaker and Majority
Leader are planning to bring broad cyber legislation to the
House floor next month. And it is also significant that there
continues to be bipartisan support for taking action, an effort
in which the ranking member, Mr. Langevin, has been
instrumental for some years now.
I hope that the Senate will take action on the various
proposals that they have before them. But, in a way, we should
not kid ourselves. The American people expect the Department of
Defense to defend the country in whatever domain it is
attacked.
And that means that Cyber Command must be ready, and
Congress and the administration must find a way to ensure that
it has the legal authorities it needs, and at the same time
ensure that the constitutional rights of Americans are
protected.
Today, I will be interested in hearing how the
administration's 2013 budget request takes us closer to that
goal.
Let me yield to the ranking member for any statement he
would like to make.
[The prepared statement of Mr. Thornberry can be found in
the Appendix on page 33.]
STATEMENT OF HON. JAMES R. LANGEVIN, RANKING MEMBER,
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
Mr. Langevin. Thank you, Mr. Chairman. And thanks to our
witnesses for appearing before the subcommittee today.
So much of our national security is dependent upon the
reliable and timely flow of information across secure networks.
To say that our ability to defend those networks and project
power as required into cyberspace is a priority in the area of
growth within the Department [of Defense] is, to put it
lightly, an understatement.
That is why this hearing could not be more timely.
And let me associate myself with the remarks of the
chairman with respect to the threats and the needed attention,
extra attention, we need to focus in on this particular area.
Information technology is pervasive across the entire
Department of Defense [DOD], operating in the background of the
full range of DOD activities from the most mundane
administrative tasks to critical wartime functions. It is easy
to overlook as a natural part of the environment.
But because it is so pervasive, it must work effectively
and efficiently or all of those functions that rely on it grind
to a halt. Moreover, if not properly protected from malignant
actors, it could also be a significant national security
vulnerability and a source of asymmetric advantage to an
adversary.
At over $33 billion, IT [information technology] represents
a sizable investment in the Department's budget. It is a
considerable challenge to stay abreast of all the developing
technologies and growing departmental needs under an
architecture that provides both strategic vision and
appropriate oversight.
Robust, flexible, rapid, and secure are the words not often
found together when describing defense programs. But I look
forward to learning how the DOD looks to achieve savings in IT
expenditures, while still providing the high-quality IT
services that the DOD requires.
However, whatever work and resources we devote to providing
these IT services will be meaningless if the Department cannot
secure them. States, non-state actors, ``hacktivists,'' and
criminals are just some of the security challenges that
threaten the network.
Although our awareness cyber vulnerability has sharpened
over the past few years, I still believe that we don't fully
recognize the potential for damage posed by a breached or
disrupted network.
It is good to see that in the area of fiscal constraint,
therefore the President's budget has preserved our investment
in our cyber defense.
Still, there is much to be done. Much of our critical
infrastructure remains outside the DOD's protective umbrella,
even as DOD relies upon it. The electric grid is but one of
many examples.
While I recognize that other Federal agencies and
departments may have the responsibility for this aspect of our
homeland defense, DOD remains vulnerable as these gaps go un-
or under-addressed.
While we have been assured by senior leaders in hearings
earlier this year that such external dependencies are being
examined, in some cases mitigated, I am interested to know how
for the interagency dialogue--how far the interagency dialogue
has progressed along these lines on discussions on this point
last year.
Fiscal resources are only part of the challenge in the
cyber domain. Questions still remain about how and when the
United States will conduct the full range of military cyber
activities beyond the civil defense of the network.
Some of these questions lie in the development of a robust
cyber policy. And some of them may require legislative action.
With that, I look forward to learning more about this and
further issues in the discussion today. And I again want to
thank our panel for their presence.
Thank you.
And Mr. Chairman, I yield back.
[The prepared statement of Mr. Langevin can be found in the
Appendix on page 34.]
Mr. Thornberry. Thank the gentleman.
We have before us today, the Honorable Teresa Takai, Chief
Information Officer of the Department of Defense; General Keith
Alexander, Commander, U.S. Cyber Command; and the Honorable
Madelyn Creedon, Assistant Secretary of Defense for Global
Strategic Affairs.
Without objection, each of your written statements will be
made part of the record. And if you can summarize your
testimony in about 5 minutes, then we can go to questions.
We are supposed to have another vote here in roughly an
hour or so. And so, hope that will help us move along.
Ms. Takai, please proceed.
STATEMENT OF HON. TERESA TAKAI, CHIEF INFORMATION OFFICER, U.S.
DEPARTMENT OF DEFENSE
Ms. Takai. Thank you.
Well, good afternoon, Chairman Thornberry, Ranking Member
Langevin, and distinguished members of the subcommittee.
Thank you for this opportunity to testify on the
Department's information technology and cybersecurity budget
that has been requested for fiscal year 2013.
I would like to describe for you the highlights of that IT
and cybersecurity budget request, as well as give you an update
on what the Department is doing to modernize IT, that is so
important both from the standpoint of a strong cybersecurity
defense, but also from the standpoint of effectiveness and
efficiency.
The Department's fiscal year 2013 IT budget request of
approximately $37 billion includes funding for a broad range of
information technology investments that support our mission-
critical operations at the tactical edge, on the battlefield,
as well as the business support operations.
Included in the overall IT budget is approximately $3.4
billion for cybersecurity efforts designed to ensure our
information systems and networks are protected against known
cyber vulnerabilities and are resilient to the ever increasing
cyber threats the Department and the Nation face.
Among the Department's efforts to improve its effectiveness
and efficiency is the consolidation of the Department's IT
infrastructure: its networks, computing services, data centers,
application and data services, while simultaneously improving
the ability to defend that infrastructure against growing cyber
threats.
My office is currently leading the implementation of these
initiatives as described in our enterprise strategy and
roadmap. But it is important that we work closely with the
services, Joint Staff, and U.S. Cyber Command to more
aggressively modernize our overall information systems.
One of the central pillars of that modernization and
effectiveness is to move us to a single joint network
architecture. This will allow the Department, and specifically
U.S. Cyber Command, to have better visibility into what is
happening on our networks and to better defend against cyber
attacks.
This will be done in conjunction with our aggressive data
center consolidation. We are currently working to eliminate our
excess capacity and consolidate into fewer data centers.
We are on track to significantly reduce the number of data
centers. And by the end of this year, we will reduce our
current inventory of 772 data centers by more than 115.
In addition to these Department-wide efforts, the services
and defense agencies have individually taken actions to better
position the information enterprise and security posture.
Army has reduced the number of IT applications from 218 to
77 during their BRAC [Base Closure and Realignment] move from
Fort Monmouth, New Jersey, to Aberdeen Proving Ground. And that
is just one example of the challenges that they have faced and
the actions they have taken.
Navy has reduced by 50 percent the number of applications
across its 21 functional areas. The Marine Corps has gone from
1,800 applications to only 700 over the past 18 months. And the
Air Force has taken aggressive action and reduced its fiscal
year 2013 budget request by over $100 million.
As noted above, the $37 billion of the IT budget includes
approximately $3.4 billion for our cybersecurity program. This
includes funding for cyber network defense, cryptographic
systems, communication security, network resiliency, workforce
development, development of cybersecurity standards and
technologies throughout the Department.
It does include Cyber Command's fiscal year 2013 budget
request of $182 million.
I would like to highlight a few areas where I think the
Department has made significant progress.
The Department has currently deployed a modular system
called Host-Based Security System [HBSS], which enhances our
situational awareness of the network and improves our ability
to detect, diagnose, and react to cyber intrusions in a more
timely manner.
We have currently deployed HBSS on our unclassified and
secret networks. Included in our fiscal year 2013 request, are
funds to continue the deployment and sustainment of new HBSS
capability modules to better harden, and to provide an
automated capability to continually monitor the computer's
configuration and to improve the human and device identity
management capabilities.
We have also taken the lead in assessing the risk of the
global supply chain to our critical information and
communications technology by instituting the Trusted Defense
Systems/Supply Chain Risk Management strategies that were
described in a report delivered to Congress in January of 2010.
Another critical success the Department has had is our
Defense Industrial Base Cybersecurity and Information Assurance
Program. This program offers a holistic approach to
cybersecurity to include our classified threat information
sharing by the government, with voluntary sharing of incident
data by industry in our defense industrial base; sharing
mitigation remediation strategies, digital forensic analysis,
and cyber intrusion assessments.
Another area that has become increasingly important to the
Department, our mission, consumers, and the economy is
electromagnetic spectrum. As pressure for access to spectrum
continues, I look forward to working with Congress on future
spectrum legislation proposals that achieve a balance between
expanding our wireless and broadband capabilities for the
Nation and the need for access to spectrum to support critical
warfighting capabilities in support of our national security.
Thank you very much for your interest in our efforts. I am
happy to answer any questions.
[The prepared statement of Ms. Takai can be found in the
Appendix on page 36.]
Mr. Thornberry. Thank you.
General Alexander.
STATEMENT OF GEN KEITH ALEXANDER, USA, COMMANDER, U.S. CYBER
COMMAND, U.S. DEPARTMENT OF DEFENSE
General Alexander. Thank you, Chairman Thornberry, Ranking
Member Langevin, and distinguished members of the committee for
the opportunity to appear before you today.
I am pleased to be here with Honorable Creedon and Ms.
Takai. We have worked closely over the last year on many of
these topics that we are presenting for you today.
And I think you will see that we are making great progress.
But as you stated, the risks are also increasing.
We have to thank the committee for all the things that you
have done to support us in developing Cyber Command and for the
funding that we have received. We really appreciate it.
It is a team sport. And one of the things that I would like
to put on the table is from our perspective it requires the
team of Department of Homeland Security, the Federal Bureau of
Investigation, Department of Justice, as well as the DOD team
that you have before us here today.
From my perspective, as we look at it, that includes each
of the services and the Defense Information Systems Agency; all
key partners in helping us do our cyber mission.
We have worked hard to make some progress. And I wanted to
talk a little bit about that progress over the next 25--no just
kidding--4 minutes.
As you know, the United States relies on access to
cyberspace for our national and economic security. Secretary of
Defense Panetta and Chairman Dempsey both emphasized that cyber
is one of the areas slated for investment in an overall defense
budget that will be leaner in the future.
The task of assuring cyberspace access has drawn the
attention of our Nation's most senior leaders over the last
year. And their decisions have helped to clarify what we can
and must do about developments that greatly concern us.
The U.S. Cyber Command, as I stated, is a component of a
larger U.S. government-wide effort to make cyberspace safer for
all, to keep it a forum for vibrant citizen interaction, and to
preserve our freedom to act in cyberspace in defense of our
vital interests and those of our allies.
Although Cyber Command is specifically charged with
directing the security, operation, and defense of the
Department of Defense's information systems, our work and our
actions are affected by threats well outside DOD networks, as
the ranking member stated; threats the Nation cannot afford to
ignore.
What we see both inside and outside the DOD information
systems underscores the imperative to act now to defend America
in cyberspace.
In my time with you today, I would like to talk a little
bit about the strategic context, the last 2.5 minutes, and give
you the five key areas that we are doing.
First, cyberspace is becoming more dangerous. The
intelligence community's worldwide threat brief to Congress in
January raised cyber threats to just behind terrorism and
proliferation in its list of the biggest challenges facing the
Nation.
Americans have digitized and networked more of their
businesses, activities, and their personal lives, and with good
reason they worry more about their privacy and the integrity of
their data. So has our military.
Dangers are not something new in cyberspace. When I spoke
to you last year, I noted the sort of threats that were once
discussed in theoretical terms were becoming realities, and
actually being deployed in the arsenals of various actors in
cyberspace.
We have long seen cyber capabilities directed by
governments to disrupt the communications and activities of
rival states, and today we are seeing such capabilities
employed by regimes against critics outside and inside their
own countries, for example, in the Arab Spring.
Cybercrime is changing as well. The more sophisticated
cyber criminals are shifting away from botnets towards
stealthier, targeted thefts of sensitive data they can sell.
We saw digital certificate issuers in the U.S. and Europe
hit last year and a penetration of the internal network that
stores RSA's authentication certification led to at least one
U.S. defense contractor being victimized by actors wielding
counterfeit credentials.
Nation-state actors in cyberspace are riding this tide of
criminality. Several nations have turned their resources and
power against us, and foreign businesses and enterprises, even
those that manage critical infrastructure in this country and
others.
There are five key areas that I would like to walk through
that we are working on that I think are important to this
committee.
First, building the enterprise and training the force,
something that we are working closely on. And, I think, as you
think about developing that force and where we need to go in
the future, that should be our number one priority.
As Teri mentioned, I think number two is developing a
defensible architecture. Three, getting the authorities correct
that we need. The teamwork that we have within the government,
setting that teamwork right is number four, and perhaps one of
the biggest areas that we can do. And finally, a concept for
operating in cyberspace, and we have done those things.
In closing, I think we are making progress, as you stated.
But we also note that the risks that face our country are
growing faster than our progress. And we have to work hard to
do that.
Thank you again for inviting me here today.
[The prepared statement of General Alexander can be found
in the Appendix on page 51.]
Mr. Thornberry. Thank you.
Ms. Creedon.
STATEMENT OF HON. MADELYN CREEDON, ASSISTANT SECRETARY OF
DEFENSE FOR GLOBAL STRATEGIC AFFAIRS, U.S. DEPARTMENT OF
DEFENSE
Secretary Creedon. Thank you, Chairman Thornberry and
Ranking Member Langevin, for inviting us to discuss the
Department's strategies for operating in cyberspace.
I too am pleased to appear here today with Ms. Teri Takai,
the DOD Chief Information Officer, and General Keith Alexander,
the Commander of U.S. Cyber Command.
We are all here on behalf of the men and women of the
Department of Defense who commit themselves every day to
ensuring the safety of the United States, both at home and
abroad.
Today, I would like to present a brief overview of the
Department's efforts in cyberspace. This includes an update on
the implementation of the defense strategy for operating in
cyberspace, the progress we have made in meeting the goals of
the 2010 Quadrennial Defense Review, and the recently released
DOD Strategic Guidance for Operating Effectively in Cyberspace.
DOD continues to develop effective strategies for ensuring
that the United States is prepared for all cyber contingencies
along the entire spectrum from peace to crisis to war.
Importantly, during these times of fiscal constraint, DOD
is also taking advantage of the efficiencies that advances in
information technology provide. Almost every feature of modern
life now requires access to information infrastructure, and DOD
is no exception.
We maintain over 15,000 network enclaves and 7 million
computing devices in installations around the globe. These
networks, upon which DOD relies, represent both opportunities
and challenges.
Whereas the threat was once the province of lone-wolf
hackers, today, our Nation, our businesses, and even our
individual citizens are constantly targeted and exploited by an
increasingly sophisticated set of actors.
While it is difficult to get hard data, we believe the cost
of these intrusions run into the billions of dollars annually.
We know they pose a clear threat to our economy and our
security.
We are also increasingly concerned about the threat to our
defense industrial base and the Nation's critical
infrastructure. We have seen the loss of significant amounts of
intellectual property and sensitive defense information that
reside on or transit defense industrial base systems.
The loss of intellectual property has the potential to give
an adversary leap-ahead technology to achieve parity with some
of our most sensitive capabilities.
The Department has been working around the clock, often in
close cooperation with the Department of Homeland Security and
other agencies, to protect the Nation from these threats.
Last July, DOD released the Defense Strategy for Operating
in Cyberspace, the DSOC. This document marked a significant
milestone for the Department because it is the first
comprehensive strategy to address this new operational domain.
The DSOC built upon the President's National Security
Strategy, the International Strategy for Cyberspace, and the
Department's Quadrennial Defense Review.
The DSOC guides DOD's military, business, and intelligence
activities in cyberspace in support of U.S. national interests.
The Department is currently conducting a thorough review of
the existing rules of engagement for cyberspace. We are working
closely with the Joint Staff on the implementation of a
transitional command and control model for cyberspace
operations.
This interim framework will standardize existing
organizational structures and command relationships across the
Department for the application of the full spectrum of
cyberspace capabilities.
Within the U.S. Government, DOD works very closely with our
colleagues in the Departments of Homeland Security, Justice,
State, Treasury, Commerce, as well as a number of other
agencies.
Although DOD maintains robust and unique cyber capabilities
to defend our networks and the Nation, we believe strongly in a
whole-of-government approach to cybersecurity.
As such, we fully support the Department of Homeland
Security's role in coordinating the overall national effort to
enhance the cybersecurity of U.S. critical infrastructure.
We also believe that we have to approach cybersecurity from
a global perspective. As a result, DOD is pursuing both
bilateral and multilateral engagements to enhance our
collective security and develop norms of behavior.
We have to respect and remember, however, the delicate
balance between the need for security and our cherished rights
to privacy and civil liberties.
Make no mistake. DOD is committed to focusing on external
actors while ensuring the privacy and civil liberties of our
citizens.
Thank you again for the opportunity to appear here today.
And I look forward to your questions.
[The prepared statement of Secretary Creedon can be found
in the Appendix on page 72.]
Mr. Thornberry. Thank you.
I would like to pose a question. I guess, a different
question to each of you in this first round.
Ms. Takai, roughly $37 billion is, I think you said, is the
Department's request for information technology.
You know, obviously under current law if something doesn't
change in January 2013, every program, project of the
Department of Defense is going to be cut 8 to 12 percent
because of sequestration. So it seems to me particularly in
information technology, that that could cause some
difficulties.
Can you describe for us, briefly, what that would mean for
the programs that you are responsible for?
Ms. Takai. Well, there will be a variety of impacts.
First of all, one of the biggest challenges is we have a
number of programs underway that will have to take both
reductions and potentially--if in fact we are operating under
continuing resolution--we will have to take a pause.
So for instance, we have several logistics projects
underway in several of the service areas to improve their
capability. And those would obviously be affected.
We have several of the IT modernization efforts that are
being funded from our operations and maintenance budget that
would need to be slowed down.
And then on top of that, of course, those dollars would
impact the dollars that we are spending on cybersecurity.
So some of the programs for instance that I mentioned,
where we are looking to roll out a process that we call
``continuous monitoring'' to give us more capability to
actually be able to, rather than take in periodic checks, be
able to provide the tools to continually look at the network.
So I think what would happen is that many of those
programs, we would slow down. And then we would have to
prioritize to determine--there may be some selected programs
that we would need to prioritize and effectively stop in order
to make sure that we were continuing to fund some of the high
priority items, for instance, in the cybersecurity area.
Mr. Thornberry. Okay, thank you.
Ms. Creedon, last year this subcommittee had several cyber
hearings where we tried to understand what the responsibility
of the Department of Defense was to defend the private sector
in cyberspace.
And really we had a hard time getting an answer.
And I heard in your testimony that we are working through
authorities and rules of engagement and a variety of things.
But when do you think the administration would be able to go to
the private sector and say, ``Okay, here is what we will do for
you in cyberspace. Here is how we will defend you, beyond that
you have got to figure the rest of it out on your own.''
Or when can we make clear what the government's--DOD's
responsibility is versus other responsibilities?
Secretary Creedon. There are probably two pieces to this
question. But the first is it is the Department of Homeland
Security's role. They are the lead Federal agency to ensuring
that there is protection of the ``.gov'' and also working with
the private sector.
So like any other situation where DOD would provide
assistance to civil authorities, DOD would provide assistance
as needed, as requested, as required, by the Department of
Homeland Security [DHS] in the event that there were some sort
of an event where DHS required DOD assets, just like in
responding to a hurricane. So I mean, it would be very similar
to that.
Now the second piece of this is the private sector that is
uniquely connected with DOD, the defense industrial base. And
so within the defense industrial base, the Department in an
effort that is led by the CIO's office, by Ms. Takai, there is
a process where we are getting ready to expand the defense
industrial base which are our contractors that provide the
unique services to DOD.
Now there is a subset of that as well. And that is what has
been referred to as the DIB Pilot, the Defense Industrial Base
Pilot. And that is yet another subset of these defense
industrial base contractors where we are working with them in a
unique way to provide additional capabilities to them.
And that program has been in close collaboration with
CYBERCOM [U.S. Cyber Command] and also with DHS to provide
additional protections to this subset of the defense industrial
base, who will then turn around and provide protections to the
rest of the industrial base.
And that one, we are in the process of expanding as well.
Mr. Thornberry. I hear what you are saying. I am just not
completely convinced if we have a big section of the country
without electricity that people are not going to look to the
Department of Defense and say, ``Why aren't you protecting
us,'' or some other sort of scenario.
I think it continues to provide policy challenges more to
us and legal challenges more than technical challenges, which
is part of the reason I posed the question.
Finally, General Alexander, kind of looking at this from a
broad perspective, as you know, and as I mentioned in my
opening statement, Congress is working on cyber legislation to
try to update some of the laws that had not been updated.
This takes a little beyond maybe Cyber Command, but if you
had to name one thing that Congress could do legislatively,
that would, in your opinion, be of assistance in defending the
country in cyberspace, what one thing or one area do you think
would make the most difference?
General Alexander. I think the key thing from my
perspective is information sharing.
We need to be able to see an attack on the country, which I
think is DOD's domain to defend the country from an attack
versus what DHS is doing to help prevent and protect.
So the resilience that they do in the public face, the DOD
requirement would--if our Nation is attacked by another nation-
state or a non-nation-state actor at a certain point, the
Defense Department would step in.
We can only do that if we can see it.
And I think that goes in line with the standing rules of
engagement that the policy folks are working along with the
criteria that goes with it. So information sharing.
Mr. Thornberry.
Thank you.
Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
Again, thanks to the panel for your testimony here today.
I guess I would like to press a little further, and the
Chairman was raising this point.
How do you feel the unique and powerful capabilities of
CYBERCOM, that CYBERCOM possesses, can best be leveraged to
protect networks and infrastructure that is outside of
``.mil''?
General Alexander. We will start with you.
General Alexander. I was going to pass that to the
Honorable Ms. Creedon. But, I think the first part is, I think
in extremis the Defense Department would be the natural ones to
defend the country.
I believe within the administration, there is general
agreement that that is correct. The issue is now what are those
circumstances, and how do we do it?
What does the Defense Department do?
Well, the Defense Department is the only one with, not only
the defensive capabilities that we have, that Teri Takai talked
about, and some of the offensive capabilities that the Nation
would need to defend itself.
I think both of those, coupled with the ability for the
Defense Department networks to see globally with the
intelligence community, are going to be key to defending the
Nation.
So that is what needs to be brought to bear. And for us to
be successful, we have to partner with industry to share
information, to know when some of these events are going on.
I think that is key to it in setting up the framework.
I think the President's paper on cybersecurity that came
out in May of 2009, sets the framework for that for the
government. So I do think that is the starting point.
And then add to it what the Department did last year, I
think, is the next step for showing what we would do.
Mr. Langevin. Very good.
Would you like to comment as well?
Secretary Creedon. If the Department, I mean, if the
country were truly attacked, then the President would have the
authority obviously to defend the country however was needed.
And DOD would be ready to do whatever it was that the President
called upon the Department to do in the event of a real attack.
Now, one of the things, I think, that is important is that
in the event of attack, all of the range of options would still
be available to the President. So you wouldn't necessarily
limit a cyber response. It could be a kinetic response. It
could be a diplomatic response. It could be the full range of
options available to the President.
But clearly, if there were a real attack, DOD would be
ready to do whatever it was called upon to do.
So I think if that was an uncertainty in this realm, I
think we believe that the realm of cyberspace is like the realm
of any other attack.
Mr. Langevin. General, let me go back to you.
In many ways we are at a tipping point right now with
respect to the capabilities of cyber offense, cyber defense,
intelligence gathering, if you will, and the degree to which
you can talk about this in this setting--and you and I have
spoken about this often.
In order to be really effective at being able to defend the
country, we have to be as far out from our shores as possible,
and far out forward advanced in cyberspace as possible.
When--and I think you may have used this example before,
certainly others have--if we saw a missile coming to the United
States, the easiest, most effective way to take that down is at
its source in the boost phase, same thing with a potential
attack on the country.
Will we ever get to the point where we are going to have
policy in place that allows Cyber Command to act at the
earliest possible stages before an attack is launched, or when
it is in its first stages of being formulated or that it might
be in fact imminent?
General Alexander. Well, I think the Department is working
on the standing rules of engagement that would give us
authorities. Now the issue will be what set of authorities will
we be given. And what are the conditions under which we could
conduct those authorities still have to be determined and
ironed out within the administration.
I do think that is at the top of the list of the cyber
things that we are working on right now.
I know in USD Policy [Office of the Under Secretary of
Defense for Policy] that is one of the key actions that are
going on. And we talk about it on a daily basis, pushing some
of those forward.
So I am confident that over the next month or two, some of
that will actually go through.
Mr. Langevin. Last question before my time runs out. And I
just want to return back to the part of my opening statement
when I talked about critical infrastructure that resides off
``.mil'' networks such as the power grid, essential to our
military bases, and our ability to conduct full spectrum
operations.
What discussions are underway to address the points of
vulnerability? And how has the dialogue advanced in the past
year?
General Alexander. I take it----
Mr. Langevin. General Alexander.
General Alexander. Yes. I think we are making progress.
As you may know, the Department of Homeland Security and
the Defense Department established a joint collaboration
element at NSA [National Security Agency] to help bring those
two together to actually ensure that we leverage the
capabilities of both departments.
In that respect, I think that is going forward well. I
think we are making progress.
It hasn't solved the specific questions that you have
asked. But it is a starting point for DHS which would be the
public face with industry. And they could leverage the
technical capabilities of both NSA and the FBI [Federal Bureau
of Investigation] in accomplishing their mission.
I think that is useful. And it keeps us from trying to
develop again another NSA or another FBI.
And it is exactly what I think the Nation would want us to
do. So we are making progress in that area.
I think, in my opinion, everybody has great intentions in
doing it correctly. There is a lot of tough issues here on what
is the government's role in this, what is industry's role, and
within the government, making sure that we have each of the
parts right.
But from my perspective, we are getting that set right. And
I am comfortable with the position and the parts that they are
giving us to do.
And those are the things that I think the Nation would
expect the Defense Department and Cyber Command to do.
Mr. Langevin. Very good, thank you all.
And I yield back, Chairman.
Mr. Thornberry. Mr. Conaway.
Mr. Conaway. I thank the gentleman.
Ladies and gentlemen, thank you for being here.
Holding a little bit--Ms. Creedon, you mentioned that the
rules of engagement are under development.
When do you expect to have those done?
Secretary Creedon. It is a collaborative process between
the Joint Staff and the Office of Policy. And we have been
working on these for quite a while.
Mr. Conaway. Right.
Secretary Creedon. And so our hope is, as General Alexander
said, is to have these done in a couple of months.
Mr. Conaway. Okay. Is there a similar effort at Homeland
Security to develop their rules of engagement that you guys
coordinate with those guys on?
I don't like the look of surprise on your face.
Secretary Creedon. I don't know the answer to that question
actually.
Mr. Conaway. I guess for us this gets back a little bit to
what the chairman was talking about, and that is we have got a
bifurcated system. We have got Homeland Security with certain
responsibilities, and the Department of Defense with others.
And in terms of attack, cyber attacks, it is over before
you know what happened. These happen at lightning speed. Even
on the threats from the Soviet Union, we had some warning if
they were to launch something at us.
And in these circumstances, that warning would be over
with, in a cyber-speed. And we wouldn't develop a NORAD [North
American Aerospace Defense Command], and put it under a
civilian umbrella to say, ``alright, you warn them, and then we
will tell the Department of Defense what you need to know to
what to launch.''
And it seems to me that is what we are building here.
And then my question is: is that the best way to defend the
country is to have that bifurcation, because I agree with
General Alexander. We don't need to replicate, nor do I think
we can, because the quality of NSA.
I don't think you replicate it. They have got the best as
it is. And so you can't replicate that at Homeland Security,
nor would anybody suggest that.
So how do we make this work given two different cabinet
agencies?
Secretary Creedon. The Department of Defense supports DHS
in a whole-of-government approach. And this is one of the
things that we have been working on through a variety of
different mechanisms to make sure that, just like in response
to a hurricane, DOD would provide whatever assistance was
necessary to DHS to respond.
You know, in the event of any sort of requirement that DHS
had from DOD, DOD would respond.
Now, one of the things that we have been doing is working
very closely with DHS to make sure that we are tightly
integrated through a variety of mechanisms. So General
Alexander just mentioned the joint cyber element which is a
collaborative effort.
There are other collaborative efforts going on including
the extension of the DIB Pilot.
Mr. Conaway. Okay.
Secretary Creedon. We are working with them very closely to
make sure that we can provide them everything they need.
Mr. Conaway. Okay.
General Alexander. Could I just add to that?
I think if we look at the different roles, the Department
of Homeland Security is the public face for what goes on in the
United States for helping to set up the standards for
resilience, for ensuring the rest of government networks are
set.
And it is forensic in nature. When attack has occurred,
they bring together a team--or an exploit has occurred, they
bring together a team. And we look at that and we figure out
what more we could do to set up the defense.
The FBI's role would be one of law enforcement. Is this a
criminal act? Was this espionage? And they take the lead in
those cases.
Mr. Conaway. Yes.
General Alexander. If it is an attack though, now it shifts
over to, in my mind, the Defense Department. The issue is can
we determine the difference between those.
So----
Mr. Conaway. And I don't disagree. I don't disagree with
that.
But at that point in time, the damage is done. So that is
where--now we are looking back at it, how do we put the
hurricane damage back together?
And I get that part. But this----
General Alexander [continuing]. So----
Mr. Conaway [continuing]. How do you stop it before it
happens?
General Alexander. So we agree that the three centers that
we have, between FBI, DHS and DOD, they have to be connected
and integrated with people from each of those centers at the
other.
So that when an event occurs that is FBI or DHS lead, we
all agree that is it.
But when in extremis, the worst case is if it is an attack
on the Nation. They all see that now it shifts over to a DOD or
whoever the President has determined responsibility.
Mr. Conaway. Okay----
General Alexander. Because that is where the standing rules
of engagement would actually----
Mr. Conaway [continuing]. Are those going to be quick
enough in cyber to make a difference to stop the attack?
General Alexander. Well, that is what we are pushing for.
What I am pushing for is to have those that can actually allow
us to prevent----
Mr. Conaway. Right----
General Alexander [continuing]. And protect.
Mr. Conaway. Okay.
The DIB [Defense Industrial Base Pilot Project], the
enhanced project, pilot project, whatever, how do we know that
everything that we know that the private sector didn't already
know, and that we have over classified or we are protecting
data or information or at times modalities that are already
known to the private sector?
Where in the team do you look at that and say, you know,
this really is a secret that only we know or something that is
broader and we don't have to overlap and duplicate things?
General Alexander. That is a great question. I think it can
be more easily answered in a classified environment.
I think to hit this though, we do have capabilities that we
are able to share the signatures with the companies. And we
know, based on their defenses, whether they have that signature
or not.
Mr. Conaway. Okay.
General Alexander. And so the ability to share that, and we
can also see what companies after the fact did not have that
because they have been exploited by it.
This is an area where information sharing would be
absolutely vital to stopping some of these exploits that are
going on right now.
Mr. Conaway. All right.
Thank you, Mr. Chairman.
Mr. Thornberry. Thank you.
Mr. Andrews. Thank you, Mr. Chairman.
I want to focus on something that you have heard from
several members of the committee and that is this notion that a
huge percentage of our critical assets are in the private
sector, and how we deal with that.
I think you have all done a really good job given the way
we have collectively defined the problem. But I think we have
collectively misdefined the problem.
For years, for a couple of centuries, the way Newton viewed
physics was the right way to view it. And the data he collected
weren't wrong. They were right given his premises. And then
Einstein came along with the theory of relativity and the whole
world changed.
And what I am hearing thread through this discussion, I
think, is two misperceptions. First is that we centered the
jurisdiction to take care of the utility companies, and the
commercial sector, and homeland security because this is a
threat to the homeland.
I think the question should be: where is the threat from,
not what is it to?
And although we have domestic hackers who are criminals, I
think that the principal threat that we face would be
asymmetric warfare or state-to-state warfare, propagated by
enemies outside the country.
So I would question whether that is the right assumption.
And then the second one is that we have had a lot of
discussion here about the rules of engagement once the attack
has occurred. I would chime in what Mr. Conaway just said.
The attack has occurred. It is kind of over in a lot of
ways. And there is not a whole lot to respond to once a system
is corrupted.
I think the premise--the focus ought to be on prevention
rather than engagement once the attack has begun. And it
strikes me that--well, it strikes me that because these
premises are wrong, and this might violate hundreds of years of
tradition of Posse Comitatus.
I think if we are worried about a threat coming from
outside the United States to attack critical infrastructure, to
cripple our economy, our telecommunications systems, our power
grid, that the Defense Department ought to be the focal point
of the effort, number one, because our technology is more
advanced, and because the agency is geared that way.
And number two, I think our focus ought to be hardening our
systems to prevent an attack, number one. And then talk about
responding to it once it occurs.
What is wrong with that analysis?
Secretary Creedon. There is a lot in there. Let me unpack
it just a tiny bit.
Mr. Andrews. All right.
Secretary Creedon. So first, let me just touch briefly on
the international side of it.
So right now, the Department is very much engaged with a
number of our allies, particularly our close allies, Canada,
U.K. [United Kingdom], Australia, and New Zealand. And we are
working with them to enhance our collective security and our
collective awareness.
So we are not in this just alone looking outside from here.
So we really are trying to build an international----
Mr. Andrews. But if I may, if----
Secretary Creedon [continuing]. Provide----
Mr. Andrews [continuing]. The lead agency to defend us
internally is Homeland Security, then it strikes me that an
agency that regularly interacts with other governments ought to
be the lead here, right?
I mean, Homeland Security doesn't really interact all that
much with the intelligence or tech capabilities of Germany or
Brazil or whomever, do they?
Secretary Creedon. Well, they also have through an
organization called the Ottawa Five. DHS, as well as other do
participate in international forums.
DOD is working with the militaries of our close partners to
be prepared and to have the situational awareness.
Now the other thing that helps is information on all the
networks. And so the various forms of cyber legislation that
are pending, would also allow us additional situational
awareness through the information sharing that would be allowed
under the authorities that are provided----
Mr. Andrews. I am glad that is happening----
Secretary Creedon. [Inaudible]----
Mr. Andrews [continuing]. I am also glad this pilot program
is happening.
But I would just suggest to the chairman as the legislation
goes forward, one of the things we ought to really be thinking
about here, the way I look at it, is that how do we assure that
our utility companies, and our banking system, and our power
grid people, and then all the others have the hardest systems
they can possibly have, and have access to the best available
technology on an ongoing basis as they have?
And frankly, my observation would be that we are not there.
And it is not because of the efforts of these outstanding
people, but it is because the way we define and conceptualize
this problem, I don't think is right.
And I would yield back.
Mr. Thornberry. I think the gentleman makes some
interesting and fair points. Part of my reaction is that is why
we need to take this step and a step-by-step, although there is
a lot of urgency to be taking some steps.
And so we will have the opportunity to do that, I think, as
I mentioned, in about a month on the House floor.
We are going to have to recess. We have got two votes. I
apologize for the break.
But we will be back in just a few moments.
And with that, we will stand in recess.
[Recess.]
Mr. Thornberry. The hearing will come to order.
Again, thank you all for your patience.
Ms. Takai, I would like to ask you about a couple of areas.
You mentioned in your opening testimony about what I would
term essentially consolidation of information databases and so
forth.
You know, obviously this is a trend where everybody talks
about the cloud, partly for efficiency, partly for convenience.
I am sure you have looked at these issues.
One side says that if you store your data in a repository,
it is easier to protect. Because you can ensure that the
defenses on that data are adequate.
Other people say if you put it all in one place, once you
get in you have got everything.
So can you just briefly explain to us your reasoning on
protecting the Department's data. And how you think that debate
comes out.
Ms. Takai. Certainly.
Well, there are two ways I think to look at the way we are
approaching moving to a cloud architecture as it relates to our
information and our infrastructure.
One of them is that we truly believe that we will be able
to, in a more uniform way, protect our information by moving to
more standardized platforms and ways of operating from an
infrastructure-protection standpoint.
Now, the thing I think that is important, the one point
there, is that for us that doesn't necessarily mean one cloud
only. With our size and scope, as we are moving to
modernization, as we are moving to consolidation, we will be
doing it in stages.
So we will be looking at what services are going to be
provided by each one of the military services, and the way they
are moving to their own clouds. And then we will be looking at
an enterprise cloud to provide services like identity
management, enterprise e-mail, some of those things that we
need across the Department from an information sharing
standpoint.
The second point then though that is important is that as
we look at the protection of the cloud, while in fact we are
going to be able to better protect as we get more standardized,
the other thing is that we are not looking at just the
protection at the perimeter of the cloud.
We are looking at actually putting mechanisms in place--and
the commercial sector does this in some instances--where in
fact, when we know that there will be instances where we may
have a breach of the external perimeter of that cloud, and we
need to be able to protect at the information level.
And that is why we are focusing very much on identity
management so we know who is in the cloud. And we are also
linking that to what information that particular individual has
access to.
So it is really both of those that really gives us an
assurance that as we move to that kind of an architecture, that
we will be able to better protect our information.
Mr. Thornberry. Okay. Let me change topics completely.
You mentioned spectrum in your opening statement as well.
Again from a very broad perspective, my sense is that as we all
rely more and more on various devices that connect to the
Internet, spectrum becomes a bigger and bigger issue.
Can you just briefly describe for a lay person how you see
that moving ahead for the Department of Defense, and how the
investments we are making now, where they lead us?
You know, so periodically, you know, we will have a bill.
And we will reallocate spectrum in some way or another. But
still there is a finite amount to reallocate----
Ms. Takai. Right.
Mr. Thornberry. And so we are going to have to have a
different approach, aren't we?
Ms. Takai. Yes, sir. One of the things that we are doing
right now is to actually do a spectrum study around our full
use of spectrum. And look at what are the issues going forward.
Now some of the things that we are looking at for instance
is when do we think there will be viability in spectrum
sharing. That is still very much in the early stages. And we
are looking at when that might be a viable option.
The second is to your point. Even though and even with the
commercial need for spectrum, we also are becoming greater
users of spectrum as we move to more unmanned vehicles, as we
move to, you know, many of the ISR [intelligence, surveillance,
and reconnaissance] capabilities. So we are the users of
spectrum as well.
So the other piece is going to be for us to look at how we
better use the spectrum that we have. And then thirdly, how we
look at some of the less crowded bands of spectrum which in
some cases will cost of us more to be able to utilize.
But as we are looking at programs, again to the point you
are making, out in 10 to 25 years, how do we make sure that our
future acquisition programs are recognizing the commercial
demand for spectrum, so that we are pointing those in the
direction of where we believe we will have a greater
opportunity to have dedicated spectrum going forward.
But again, the challenge is in some of those cases it may
mean that there are costs to the programs in order to move
there. But when we balance those against the other economic
issues that I think we are facing as a nation, that that will
be the better way to go.
I think the last thing I would mention is that the
challenge around our utilization of spectrum is now very much
becoming an international issue. We just finished with this
year's World Radio Conference.
And clearly going into the World Radio Conference in 2015,
the issue of the utilization of spectrum not only here in North
America, but now the growing demand coming out of the
developing nations, is also going to make us take a very hard
look at the way that we are using spectrum globally.
So those are some of the issues we have coming at us in the
future.
Mr. Thornberry. I think it is helpful if you and others in
the Department can alert us where we may have higher initial
costs based on future assumptions about spectrum. That kind of
helps explain to us some of the higher initial costs which we
are asked to support.
Mr. Johnson.
Mr. Johnson. Thank you, Mr. Chairman, and thanks to our
witnesses for joining us today.
General Alexander, I have got a number of questions that I
think are structured in such a way so as to easily elicit a yes
or no response. So if I could get your agreement to answer the
questions in that way.
And if you want to explain them after, I will certainly
give you a chance to explain.
But General Alexander, if Dick Cheney were elected
President and wanted to detain and incessantly waterboard every
American who sent an e-mail making fun of his well-known
hunting mishaps, what I would like to know is does the NSA have
the technological capacity to identify those Cheney bashers
based upon the content of their e-mails?
Yes or no?
General Alexander. No. Can I explain it?
Mr. Johnson. Yes.
General Alexander. The question is where are the e-mails,
and where is NSA's coverage?
I assume by your question that those e-mails are in the
United States.
Mr. Johnson. Correct.
General Alexander. NSA does not have the ability to do that
in the United States.
Mr. Johnson. What about if the--when you say the e-mails
are located--let us make sure we are talking about the same
thing.
An American e-mailing another American about Dick Cheney,
does the NSA have capacity to find out who those parties are by
monitoring--by the content of their e-mail?
General Alexander. No. In the United States, we would have
to go through an FBI process, a warrant to get that and serve
it to somebody to actually get it----
Mr. Johnson. If it were----
General Alexander. [Inaudible]----
Mr. Johnson [continuing]. But we do have the capability of
doing----
General Alexander. Not in the United States.
Mr. Johnson. Not without a warrant.
General Alexander. No, no, we don't have the technical
insights in the United States. In other words, you have to have
something to intercept or some way of doing that either by
going to a service provider with a warrant, or you have to be
collecting in that area.
We are not authorized to collect. Nor do we have the
equipment in the United States to actually collect that kind of
information.
Mr. Johnson. I see.
General Alexander. Does that make sense?
Mr. Johnson. Thank you. Yes, it does.
General, an article in Wired Magazine reported this month
that a whistleblower, formerly employed by the NSA, has stated
NSA's signals intercepts include, quote,``eavesdropping on
domestic phone calls and inspection of domestic e-mails.''
Is that true?
General Alexander. No, not in that context. The question
that--or I think what he is trying to raise is: are we
gathering all the information on the United States?
No, that is not correct.
Mr. Johnson. The author of the Wired Magazine article whose
name is James Bashford. He writes that NSA has software that,
quote, ``searches U.S. sources for targeted addresses,
locations, countries, and phone numbers, as well as watchlisted
names, key words, and phrases in e-mail. Any communication that
arouses suspicion, especially those to or from the million or
so people on the agency watchlist, are automatically copied or
recorded and then transmitted to the NSA.''
Is this true?
General Alexander. No, it is not. Is that from James
Bashford?
Mr. Johnson. Yes.
Does the NSA routinely intercept American citizens' e-
mails?
General Alexander. No.
Mr. Johnson. Does the NSA intercept Americans' cell phone
conversations?
General Alexander. No.
Mr. Johnson. Google searches?
General Alexander. No.
Mr. Johnson. Text messages?
General Alexander. No.
Mr. Johnson. Amazon.com orders?
General Alexander. No.
Mr. Johnson. Bank records?
General Alexander. No.
Mr. Johnson. What judicial consent is required for NSA to
intercept communications and information involving American
citizens?
General Alexander. Within the United States that would be
the FBI lead. If it was a foreign actor in the United States,
the FBI would still have the lead and could work that with NSA
or other intelligence agencies as authorized.
But to conduct that kind of collection in the United
States, it would have to go through a court order. And the
court would have to authorize it.
We are not authorized to do it nor do we do it.
Mr. Johnson. Thank you.
General, the NSA is an agency of the Department of Defense.
And you are, in addition to your responsibilities as CYBERCOM
commander, you are a director of the National Security Agency.
What limitations does the Posse Comitatus Act place on the
NSA's legal authority to intercept domestic communications?
General Alexander. Well, I think the intent of the Posse
Comitatus, and the impacts that we have for collecting in the
United States are the same. And the fact is we do not do that
in the United States without a warrant.
Mr. Johnson. Thank you.
And I will yield back.
Mr. Thornberry. I thank the gentleman.
Let me--I am not sure. This may be Ms. Takai and General
Alexander, but in the 2010 Defense Authorization Act, we passed
Section 804, that directed DOD to develop and implement a new
acquisition process for IT systems.
And then in the 2011 Defense Authorization Act, we directed
DOD to develop a strategy to provide for rapid acquisition of
tools, applications, and other capabilities for cyber warfare
for the United States Cyber Command, and cyber operations of
the military departments.
Can either or both of you all give us an update on where
each of those authorities or requirements stand now?
Ms. Takai. Yes, perhaps I can start. And General Alexander
can add on.
Let me start with the acquisition reform which is the 804.
I think that report was delivered. And we are in the
process of implementing those changes.
Those are going--some of those changes that were in the
report are going into the DOD 5000 process which I think all of
you know is our acquisition process.
In addition, we are implementing many of the
recommendations, particularly around what we call ``agile
development methodologies'' that allow us to turn out product
much more quickly, in a much more cyclical fashion, if you
will, and to take large projects and put them into smaller
deliverable chunks.
So there are any number of actions against the 804 that we
are in the process of developing and delivering on. And we are
actually using those in our project delivery.
As it relates to the rapid acquisition from a cybersecurity
perspective, we have all been working with the Acquisition,
Technology, and Logistics organization on the response to
Congress on that which is known as our 933 Report.
We are actually now all coordinating on what we believe is
the final version of that report. In fact, we all saw it over
the weekend with the request that we would get our comments
back in, because I think that Mr. Kendall knows that that needs
to come forward.
It is looking at any number of different areas. It is
looking at actually being able to provide General Alexander
with several different ways of going at acquisition to make
sure that he can turn them more quickly. But also taking
recognition that there will be some large project expenditures
included in that as well.
So I think you can expect to see that report fairly
shortly.
Mr. Thornberry. Well, I will just say for myself, if as you
work through those issues, if you believe additional
authorities are needed, please let us know. Because it makes no
sense at all for us to operate at the speed of the industrial
age in cyberspace, and then basically that is what we are
talking about here.
And so, you know, I will look forward to receiving the 933
Report. But please keep in mind that if you all decide you need
additional authorities, we want to know that.
General Alexander it was kind of an interesting
conversation with Mr. Andrews a while ago. And part of--it
seemed like that conversation was--we know for sure who is
launching an attack or exploitation--just in this setting in a
brief way, can you summarize the threat in cyberspace as you
are seeing it and as Cyber Command has to calibrate its efforts
to deal with?
General Alexander. I characterize the threat, Chairman, in
three ways.
Largely what we see is exploitation and the theft of
intellectual property. That is what is going on in the bulk of
the cyber events that we see in the United States.
In May of 2007, we witnessed a distributed denial-of-
service attack. Think of that as a disruptive attack against
Estonia by unknown folks in the Russian area and around the
world, and then subsequently we have seen in Latvia, Lithuania,
Georgia, Azerbaijan, Kyrgyzstan.
What we are concerned about is shifting from exploitation
to disruptive attacks to destructive attacks.
And what concerns us is that the destructive ones, those
attacks that can destroy equipment, are on the horizon. And we
have to be prepared for them.
I do think the two things--if I could just state two things
more clearly. We talked about the rules of engagement which
would be key on this.
We do have rules of engagement in 2004. What we are talking
about is updating those to meet this evolving threat. So that
is the key that the Department is working on.
The second is we do need DHS in this mix for a couple of
reasons.
The Department of Homeland Security, I think, should be the
public face for all the reasons. And Mr. Johnson brings out a
good one. The American people have to know that what we are
doing is the right thing, that we are protecting civil
liberties and privacy. And that we are doing this in a
transparent manner.
By having DHS working with FBI, NSA, and DOD all together,
there is transparency in that. At least the government and
everybody will know that we are doing it right.
Two, I think they are the ones that need to set the
standards for other government agencies and work with them to
ensure those networks are defensible. If we tried to do that,
it would sap much of our manpower that you really want us
focused on defending the country and going after the
adversaries in foreign space.
That is where we should operate. And I think there is
synergy there in doing that.
Mr. Thornberry. Okay, thank you.
Ms. Creedon, you have, at several times today, mentioned a
variety of efforts underway in the administration to update
authorities, rules of engagement, a whole variety of things.
It seems to me that there are a host of difficult policy
issues involved in cybersecurity, not all of which are DOD-
focused. And yet it has been challenging for me at least, to
try to get my arms around what the questions are, what those
tough issues are.
Are you all--is the DOD policy shop--for lack of a better
way to describe it--compiling a list of the tough policy
decisions that not just the administration, and not just the
government, but the country is going to have to grapple with as
more and more of our lives are dependent upon, and even to some
degree lived in cyberspace.
Secretary Creedon. Well, DOD has certainly been working on
those things that are within DOD's realm. And among those are
some of the issues that we recognize that we share with the
other agencies.
And so, I mean, to go back to the legislation again, some
of the common elements, but certainly in Lieberman-Collins
bill, you know, some of the elements in that bill are the
results of the work that the whole interagency, including DOD,
have done to identify those things where we really do need some
additional input.
So that legislation for instance in terms of coming up with
methodologies to protect critical infrastructure protection, so
the bill would urge the setting of standards--would direct the
setting of standards.
The sharing of information, this again is a very delicate
situation where how do we share the right information to make
sure that we have visibility into what is going in networks,
but are not doing anything to disrupt civil liberties and
privacy protection. So, you know, working that sharing issue,
working the liabilities issue.
So some of the work that has been done within the
interagency that really fleshed out these harder issues where
we really do need a system of legislative assistance. Those are
in the bills.
The other things we are working internally and those are
the things that for the most part DOD believes we can do
internally.
Mr. Thornberry. Okay. Well----
Secretary Creedon. With guidance from the President,
obviously, because----
Mr. Thornberry. Sure.
Secretary Creedon [continuing]. At the end of the day, it
is the President's authority.
Mr. Thornberry. Yes. And I appreciate that. I recognize a
whole host of proposals are in the administration's cyber
legislation draft.
The only thing I would say is that a lot of these issues
that probably are DOD exclusively, or DOD-centered, about what
is war in cyberspace, how do we defend the country--some of the
things that we have talked about already today.
I think that is going to require more than just an internal
administration process.
And I would just say that as the policy office and as the
lawyers grapple with some of these difficult decisions on what
warfare means in cyberspace, that a dialogue between the
administration and Congress, and ultimately between the two of
us and the country, is really going to be essential.
We will not be able to impose an Obama administration
policy on this, or even a government policy on this. It is
going to have to be--it is a little bit--I analogize it to TSA
[Transportation Security Administration].
Sometimes the government tries something and it is really
stupid. And people rebel against it.
And so they rethink. And they find a little smarter way.
And we haven't found a smarter way to do it all yet. But my
point is it is part of a give and take on some of these
difficult issues.
And I think that is especially true when it comes to
Article 1, Section 8, and as it applies to the Congress on
declaring war, and how can you do that at the speed of light.
So I know that is kind of long and philosophical. But my
point is, it is going to take us working together to work
through these issues. And some more dialogue on these tough
issues that don't have easy answers, I think would be helpful
for the country.
I yield to Mr. Langevin for any questions.
Mr. Langevin. Thank you very much. To the panel again,
thank you for your patience today and your testimony and the
great work you are doing.
You know, before I begin, the question that Mr. Johnson had
asked, I think, you know, this certainly to the degree to which
Members have those concerns a question is important to be
asked.
It has just been my experience, General, I just wanted to
say from a personal perspective, having observed you and
interacted with you over the years now, I have always been
impressed with the degree which you and the folks at NSA go to
the nth degree to try to always ``dot the i's'' and ``cross the
t's'' and stay within the confines of the law. And it is
reassuring that you have that dedication and respect for the
other work that you folks are doing, so.
I had a question on the DIB Pilot.
Lessons learned--what lessons have you drawn from the
Defense Industrial Base Pilot? And how have you captured the
recommendations from Carnegie Mellon's evaluation of the
program?
There was some, you know, criticism. Some, you know, didn't
think it worked as well as it was intended. And improvements
still need to be made.
But can you talk to us about lesson learned.
General Alexander. Absolutely, Congressman.
First, we did the DIB Pilot. As you know, it started in
August. And we started the evaluation not too long after.
And so one of the key things that we saw as an issue was
how do we share sensitive signatures with industry?
And when we started the pilot, we had not worked our way
through sharing all those sensitive signatures with industry in
a classified form. And I think the result of that is some of
the early results were not much different than what they
already get from their own means for getting signatures.
I think once we started sharing those signatures, and it
took us a while, so that was our fault. But once we started
doing that, and they saw the value of that in specific cases, I
think that was a way of turning the corner.
The other thing that became clear as we went into this is
industry doesn't always see when somebody is trying to attack
or exploit them. And so having a forum that somebody could say,
``Hey, somebody is trying to get into your network. You need to
know it,'' is useful for industry as much as it is for
government to know when somebody is trying to attack us.
So I think from my perspective, the lessons learned were we
have got to be quicker on sharing. I think we have solved that
problem. And you can see now we are sharing.
In fact the companies that initially were not as favorable,
now have turned that around and have reentered that pilot
program. I think that is a huge plus.
And the other one is the information sharing, which is a
major part of the legislation. All the legislative packages
there which means that we can share with industry, industry can
share with us. And we have the ability to tip in queue, from my
perspective in real time, optional. But I think that is going
to be key to defending ourselves in cyberspace in the future.
Mr. Langevin. Very good.
Anyone else on the panel care to respond to that? Take your
question about lessons learned on DIB or did the General cover
it?
Okay.
What feedback loop do you have to ensure that what is
shared of a classified nature isn't widely known in the
industry and thus shouldn't really be classified?
Is that a fair question?
General Alexander. There are two ways of doing that.
If we see information that is widely used, then we should
declassify it. In other words, widely available, everybody is
seeing it.
If we have sources and methods that are sensitive and
classified and not widely used, then I think we would keep that
classified.
Think of that as the difference between Enigma and other
public forums--if we have an Enigma-like fact in cyberspace,
you would want us to protect that.
And the issue is now in cyberspace, but we are going to
have to share that with some industry so that they too can be
protected from it.
If it is widely known the anti-virus community has it, we
should declassify it and get it out. And I think that is the
approach that we are trying to take on it.
The issue will be trying to identify those at network
speed. And I think we will get better as we exercise in this
area. As we work with industry, I think we will get better in
doing that.
Mr. Langevin. Fair enough.
Does the DIB in its pilot have an industry ombudsman to
help broker the relationship and information sharing exchange
between industry and government?
Or is that something that is planned?
General Alexander. Actually, we used the DIB--we actually
had an existing relationship that Ms. Takai and her folks ran
that we actually used as the forum for starting the sharing
relationship with DIB companies.
So we did have that.
And I think that started off pretty good. And it set the
framework for how we actually put the DIB process together. It
was based on an existing set of relationships that already
occurred between the CIO's office and industry.
So that was the starting point. And I think that was a good
starting point. And it gave us a basis to go ahead.
Ms. Takai. Well, I think it is important to note that out
of the total number of DIB companies involved, we have about
200 companies that are in what we call our information sharing
effort. And 37 of those are included in the DIB Pilot.
And it is our intention--we have a rule, a Federal rule
that is going through now to be able to expand beyond the 200
companies, and be able to roll out to more DIB companies going
forward from the standpoint of actually being able to share,
both from the standpoint of our threat information, but also in
terms of what the companies are experiencing.
And we are seeing a number of areas just based on data
collection from those companies that we are getting information
on threats that we would not have seen otherwise. And they are
getting information from each other as well as from us about
what the threats are and what the mitigation could be.
And I think that complements well then the DIB Pilot
process which was focused very much around the ISPs [Internet
Service Providers] and being able to get some of that
protection piece of the information--or taking the information
sharing and moving it to the protection piece.
So the two programs really go hand-in-hand. And one builds
from the other.
Mr. Langevin. Good.
Secretary Creedon. If I----
Mr. Langevin. Okay, go ahead.
Secretary Creedon. If I can just add one piece to this. So
as we go forward and we make this pilot permanent, and DHS
becomes lead, one of the advantages of having DHS in the lead
is that DHS will also then be able to add additional signatures
to the process that they see.
And the second piece of this is as we work with the ISPs,
the ISPs then can take these capabilities and they can provide
those security services to others who utilize their services as
well.
So through DHS and through this mechanism of making it
permanent, we can actually provide more of an envelope of
protection beyond just the defense industrial base folks
through the use of the ISPs.
Mr. Thornberry. If the gentleman will yield for just a--is
there a--one always hears about limits on scalability here. Is
there--you said 200 companies going to more. Is there a limit?
Ms. Takai. Right now we are going to be limited by the
resources because clearly reaching out, working with each of
the companies, working through the structured memorandums of
understanding that we need to have is going to be our gating
factor in terms of number of companies.
General Alexander. If I could, just to help clarify on
this. That is under the current thing. If we have information
sharing agreements, that greatly simplifies that process.
The technical way essentially allows us to use the power of
the Internet. And so this will scale the approach that we are
taking in the DIB Pilot in terms of the technical capability to
protect all that we need to protect.
Where other solutions that we have put forward do not scale
as easily, and are so cost prohibitive that from our
perspective going to the DIB Pilot, managed security services,
or whatever we call it, is probably the best thing to do for
the country and the cheapest, most efficient way.
I think they addressed that problem though is the
information sharing thing is key to making that work.
Does that make sense?
Mr. Thornberry. Yes, sir. And that is why I wanted to try
to delve down into that just a little bit.
And I appreciate the gentleman yielding.
Mr. Langevin. Yes, no, that is a great question.
And obviously I think we all can agree that the most
effective defense that we can have, or programs we have to
defend our networks is this information sharing aspect. And you
have situation awareness, you can see what is coming at you,
what to defend against. It is a force multiplier and highly
effective.
What about leap-ahead technologies in the R&D realm? Are we
any closer--I find that a fascinating statistic that, or fact
that the lines of code of the attackers as I understand it has,
basing the tax signatures, has stayed relatively constant. And
yet the defense--the lines of code in defending against these
attacks has grown exponentially.
And how are we doing on the R&D front in terms of, you
know, more robust defense?
General Alexander. I have seen, Congressman, those
statistics.
What we are seeing is that, you know, the millions of lines
of codes that people quote for the defense is for much more
elegant defense.
Of course you can come up with a small piece of malicious
software that is only 125 or whatever they stated this small
thing. But the reality is I think they are in balance.
I think the key thing is the offense has the advantage
here. Those exploiting or attacking the system has the
advantage.
What we need to do is move to a system then that leverages
the power of the network to bring this back.
From our perspective, that is using the capabilities of all
the government agencies and industry to bring what we know
about that network and the vulnerabilities that we have to
light so that we can defend against them.
I think the other part that Ms. Takai talked about was the
going to the IT infrastructure of the future, this thin virtual
cloud environment will make it a much more defensible
architecture.
I think that is key to the future. Both of those are some
of the things that we actually have to go through.
Mr. Langevin. Very good. And my last question, if I could,
just going back to the DIB Pilot, in terms of the costs that
was some of the concerns that, you know, companies had. You
know, who is going to bear the cost for all this?
Where are we on that? Has that been worked out or is it
still a work in progress, if you will?
General Alexander. Informally, it looks like the cost per
seat per month would be somewhere between 30 cents and $1 or
$2. And so the costs have come way down which makes this much
more manageable.
So if you had 6,000 seats, you are talking somewhere
between, you know, $1,800 and maybe $6,000 a month for that
level of service. I think the Internet Service Providers are
actually making great progress in this way which would make
this something that people would actually say, that is worth
doing.
Does that make sense?
Mr. Langevin. Yes. And that is news to me. That is very
helpful. I didn't realize that we are moving in the right----
General Alexander. We would like to get it to 30 cents a
seat. I think it is going to be somewhere in that range. And I
think, you know, depending on what they add in, somewhere in
there.
But it is clearly more cost-effective than the way that we
were going.
Mr. Langevin. Excellent. Very good, that is good
information to have.
With that, I want to thank you all again for your patience
today and testimony, the great work you are doing. And look
forward to our continued work together. It is a big issue.
And Mr. Chairman, thank you for the time and attention you
have given to this issue as well.
Thank you.
Mr. Thornberry. Well, thank you. I agree with everything
you just said.
I appreciate you all being here, and your patience, and the
chance for us to continue to work together on these issues.
With that, the hearing stands adjourned.
[Whereupon, at 4:05 p.m., the subcommittee was adjourned.]
=======================================================================
A P P E N D I X
March 20, 2012
=======================================================================
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
March 20, 2012
=======================================================================
[GRAPHIC] [TIFF OMITTED] 73790.001
[GRAPHIC] [TIFF OMITTED] 73790.002
[GRAPHIC] [TIFF OMITTED] 73790.003
[GRAPHIC] [TIFF OMITTED] 73790.004
[GRAPHIC] [TIFF OMITTED] 73790.005
[GRAPHIC] [TIFF OMITTED] 73790.006
[GRAPHIC] [TIFF OMITTED] 73790.007
[GRAPHIC] [TIFF OMITTED] 73790.008
[GRAPHIC] [TIFF OMITTED] 73790.009
[GRAPHIC] [TIFF OMITTED] 73790.010
[GRAPHIC] [TIFF OMITTED] 73790.011
[GRAPHIC] [TIFF OMITTED] 73790.012
[GRAPHIC] [TIFF OMITTED] 73790.013
[GRAPHIC] [TIFF OMITTED] 73790.014
[GRAPHIC] [TIFF OMITTED] 73790.015
[GRAPHIC] [TIFF OMITTED] 73790.016
[GRAPHIC] [TIFF OMITTED] 73790.017
[GRAPHIC] [TIFF OMITTED] 73790.018
[GRAPHIC] [TIFF OMITTED] 73790.019
[GRAPHIC] [TIFF OMITTED] 73790.020
[GRAPHIC] [TIFF OMITTED] 73790.021
[GRAPHIC] [TIFF OMITTED] 73790.022
[GRAPHIC] [TIFF OMITTED] 73790.023
[GRAPHIC] [TIFF OMITTED] 73790.024
[GRAPHIC] [TIFF OMITTED] 73790.025
[GRAPHIC] [TIFF OMITTED] 73790.026
[GRAPHIC] [TIFF OMITTED] 73790.027
[GRAPHIC] [TIFF OMITTED] 73790.028
[GRAPHIC] [TIFF OMITTED] 73790.029
[GRAPHIC] [TIFF OMITTED] 73790.030
[GRAPHIC] [TIFF OMITTED] 73790.031
[GRAPHIC] [TIFF OMITTED] 73790.032
[GRAPHIC] [TIFF OMITTED] 73790.033
[GRAPHIC] [TIFF OMITTED] 73790.034
[GRAPHIC] [TIFF OMITTED] 73790.035
[GRAPHIC] [TIFF OMITTED] 73790.036
[GRAPHIC] [TIFF OMITTED] 73790.037
[GRAPHIC] [TIFF OMITTED] 73790.038
[GRAPHIC] [TIFF OMITTED] 73790.039
[GRAPHIC] [TIFF OMITTED] 73790.040
[GRAPHIC] [TIFF OMITTED] 73790.041
[GRAPHIC] [TIFF OMITTED] 73790.042
[GRAPHIC] [TIFF OMITTED] 73790.043
[GRAPHIC] [TIFF OMITTED] 73790.044
[GRAPHIC] [TIFF OMITTED] 73790.045
[GRAPHIC] [TIFF OMITTED] 73790.046
[GRAPHIC] [TIFF OMITTED] 73790.047
[GRAPHIC] [TIFF OMITTED] 73790.048
?
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
March 20, 2012
=======================================================================
QUESTIONS SUBMITTED BY MR. LANGEVIN
Mr. Langevin. Are you confident in the state of the career paths
for cyber professionals, and do you feel that your recruiting,
retention, and career progression needs are being adequately addressed?
Ms. Takai. In light of emerging cyber threats, cyber workforce
roles, responsibilities and skill requirements continue to evolve, not
only in, but across the Federal Government and industry. DOD is working
with the Federal Government through the National Initiative for
Cybersecurity Education (NICE) and Federal CIO Council to identify
current and forthcoming cyber skill requirements, define career paths
for cyber professionals, and to determine the optimal courses of action
to ensure a pipeline of cyber professionals is available to meet
mission mandates. These efforts may result in new requirements and
methodologies in the recruitment, retention and career management of
the Department's cyber workforce.
Currently, several strategies are in place to aid in recruiting and
retaining a skilled cyber workforce. Federal direct-hire authority
provides with flexibility in recruiting and hiring select information
security (cybersecurity) personnel within the civilian IT Management
series. DOD also has Schedule A hiring authority for select
cybersecurity positions for certain IT and non-IT civilian job series;
the Department is working with the Office of Personnel Management (OPM)
to extend and enhance this authority as it expires in December 2012.
DOD uses the Information Assurance Scholarship Program (IASP) to
attract students from top universities and colleges, and to retain
personnel with cyber and information assurance skill sets who wish to
further their education. In addition, CIO oversees the Information
Resources Management College (iCollege) of the National Defense
University, which recently introduced a Cyber Leadership Program. These
authorities and programs, along with military recruiting and retention
bonuses, are currently used to recruit and retain cyber personnel and
are essential to maintaining the health of this community.
Mr. Langevin. How is DOD capturing lessons learned from real-world
cyber events and major exercises?
Ms. Takai. Real world lessons learned are submitted to the Joint
Lessons Learned Information System (JLLIS) database system of record.
JLLIS is the system of record for Lessons Learned. Typically, they are
communicated in the form of Situational Awareness Reports (SARs). For
certain major events, a detailed analysis of the incident is conducted
and with the results published as an SAR, which details the incident,
threat tactics, techniques and procedures, as well as countermeasures/
mitigation options. Lesser events are often documented in quarterly
SARs that show trends, common TTPs, systemic issues, etc. Exercise
lessons learned also are inputted into JLLIS and their capture in the
database has greatly improved over the last 12 to 18 months. Anyone
with SIPR access may request an account to access JLLIS content.
In addition to JLLIS, the Military Departments track major events
via their respective database systems. For example, Army Computer
Network Defense (CND) events are tracked in ACID, the Army CND Incident
Database. The Navy Lessons Learned System (NLLS) is the Navy's process
for collection and dissemination of significant lessons learned,
summary reports and port visit reports from maritime operations,
exercises and other events.
Mr. Langevin. What more can be done to engage our allies,
especially NATO? How can we leverage DOD ``building partnership
capacity'' authorities to train and equip foreign forces to improve our
allies' capabilities related to cyber operations?
Ms. Takai. We are engaging our key allies and partners, including
NATO, through agreements to share unclassified and classified cyber
defense information. We may be able to do more by focusing on producing
more classified cyber defense information which is releasable to these
allies and partners. We are leveraging theater security cooperation
programs in the Geographic Combatant Commands by including ``building
cyber defense capacity'' with focused on treaty allies and priority
partner nations. This effort is led in the CIO by our International
Cyber Security Program and coordinated with the Geographic Combatant
Command, Joint Staff and OSD Policy. Initially this generally consists
of training all levels of cyber leadership and practitioners in cyber
defense best practices. This should establish an incident response
capability (e.g. a CERT) with the appropriate policies in place to
govern network operations and cyber defense. This may evolve into
greater information sharing and potentially exercises once a capability
is developed. Additionally CIO semi-annually hosts an international
cyber defense workshop to provide a week long virtual training workshop
to over twenty nations. We regularly invite more than forty nations to
the workshop and usually have 25 or more participate.
Mr. Langevin. What discussions and actions are going on within NATO
to improve the capabilities of the alliance to deal with cyber threats?
Ms. Takai. NATO developed a new cyber defense concept in March
2011, a new Cyber Defense Policy in June 2011 and from that policy a
cyber defense action plan to improve NATO's internal cyber defense
capability as a priority, additionally providing advice or assistance
to nations that request assistance. The current actions are a recently
awarded contract (58m Euro) to enhance the NATO Computer Incident
Response Capability and ongoing actions to monitor that project.
Ongoing discussions focus on developing a methodology for national
information systems that support NATO missions to be identified and
provided minimum cyber defense standards. Further parts of the enhanced
capability in the cyber defense action plan are the development of
training and exercises for NATO nations, providing minimum standards
for cyber defense for nations, and developing rapid reaction teams to
assist nations when facing significant cyber incidents. Further
possible enhancements are also under discussion but the current main
focus is on ensuring the ongoing project is closely monitored for
adherence to timelines and completing the full package of enhanced
sensors and systems for cyber defense. These ongoing efforts are
regularly reviewed by CIO's International Cyber Security Program.
Mr. Langevin. What is the status of development and delivery of
proposed National Cyber Range capabilities? Are resources adequate to
continue maturing range capabilities?
Ms. Takai. The goal of the DARPA NCR program is to develop the
architecture and software tools for a secure test facility that can
rapidly emulate the complexity of defense and commercial networks,
allowing for cost-effective and timely validation of cyber
technologies.
The program has completed the technical design and all major
software development. The developed architecture and tools are being
demonstrated at scale on a prototype facility. The NCR software
includes extensive experiment design tools, an automated range build-
out capability, real-time data visualization tools, and automated range
sanitization. The demonstration facility is currently accredited for
operation from Unclassified to Top Secret/Special Access Program level
and is capable of supporting simultaneous testing at multiple security
levels. Special Compartmentalized Information accreditation is
currently being pursued.
To date, there have been two completed tests (December 2011 and
January 2012). Both tests showed the ability to setup the range in a
day, test for multiple days (each test was at a different
classification level), and then tear the range down and sanitize it in
a day. Eight additional tests are currently being planned and
scheduled.
The Department is planning a series of events on the NCR with Joint
Information Operations Range (JIOR), and Cyber Range also participating
to stress NCR and other range capabilities, identify what is mature,
what is not, and characterize the magnitude of gaps that will need to
be addressed for adequate testing and evaluation, training and exercise
capability.
Mr. Langevin. What CYBERCOM capabilities are in need of further
development to address our national vulnerabilities in cyberspace?
General Alexander. Our desired end state is to maintain and
preserve the U.S. freedom of access to allow maneuver in cyberspace
while supporting the same for our allies and partners. To do this, it
is essential to:
Develop capabilities to support Indications and Warning
(I&W) of attacks in cyberspace
Develop integrated Command and Control for seamless
transition from defensive to offensive posture
Develop integrated situational awareness capability to
sense, support real time maneuver, and engagement in cyberspace
Develop capability for training, testing, and effects
prediction for cyber capabilities
Enhanced analytic and target development capabilities
Development of integrated architectures and frameworks to
support network resiliency and maneuver in cyberspace especially in
contested and congested networks
Mr. Langevin. Since the signing of the Memorandum of Understanding
between DOD and DHS, what activities have the two organizations been
carrying out under that MOU?
General Alexander. The implementation of the MOU has resulted in
the creation of a Fort Meade-based office for the DHS-DOD Joint
Coordination Element (JCE), co-lead by DHS and DOD seniors. Activated
in December 2010, the JCE now comprises 16 full-time personnel from DHS
and DOD and is focused on achieving cross-departmental ``unity of
effort'' in cyberspace operations. The ultimate goal is to enable the
USG to agilely perform integrated operational response in all areas in
which the adversary pursues malicious activity--with the benefit of
robust shared situational awareness.
The JCE is creating enduring relationships and process improvements
across the two Departments. In its first year, the JCE initiated a
number of major activities designed to enable these goals, by
successfully bridging the gap between policy and operations. A few
examples include:
Congress directed DHS and DOD to draft a Joint
Cybersecurity Pilot Plan. This plan was penned by the JCE, signed by
both Departments, and transmitted to the Committees on Appropriations
in August 2011.
The JCE is defining cross-department command and control/
unity of effort models to enable agile, effective, and timely
operations.
The JCE is defining the discrete and complementary
function of the major DHS and DOD operational organization to achieve
harmonization of major DHS and DOD operational elements.
As an outgrowth of the Defense Industrial Base (DIB)
Cybersecurity ``opt in'' Pilot, Department seniors have agreed on a
framework to create government-enabled Managed Security Services to
address advanced threats targeting the nation. The JCE has drafted
detailed plans to support this effort with an eye toward scalable
solutions.
Mr. Langevin. Are you confident in the state of the career paths
for cyber professionals, and do you feel that your recruiting,
retention, and career progression needs are being adequately addressed?
General Alexander. There has been a great deal of work done in
developing career paths for cyber professionals. The pace at which we
are developing cyber professionals is challenged by the demand for
skilled personnel (in both government and in the private sector) to
keep pace with rapidly advancing technology. At USCYBERCOM we have made
recent, significant strides into defining and advising what those
career paths should include. One of the biggest challenges to
``operationalizing'' activities in this domain is the development of
the cyber workforce. The major cultural shift within the military has
momentum; however, codifying and teaching the required skills in such a
dynamic, ever-evolving domain, is a challenge. We are confident that
our activities have laid a solid foundation for cyber professional
career paths. Examples of our ongoing efforts follow.
Joint Cyberspace Training and Certification Standards (JCT&CS). The
JCT&CS provides an overarching framework for the Services, if they so
choose, for training for the current and future cyberspace workforce
over their careers. JCT&CS advises nearly every aspect of individual
force training and education and follows the Joint Training System
model for methodology. The standards outlined in JCT&CS inform
curriculum, certification, and other standards used to effectively
train forces to meet the ever-evolving warfighter demands of the
cyberspace domain. Based on the current lack of policy on cyber
training, the Services use of these standards is voluntary at this
time.
Assessment and Recruiting. Initial assessment and recruiting to
identify the best candidates possible to support the cyberspace mission
is critical. The JCT&CS provides key insights into the preliminary
knowledge, skills, and abilities needed to ensure success. Service
recruiting efforts will be advised of these standards and special
screening techniques and evaluations will be developed to identify
suitable candidates. In addition, the newness of this command and our
challenging mission appears to be a draw for talented personnel. We
anticipate the competition for cyber talent to become more intense and
we must be enabled to respond rapidly with appropriate DOD recruiting/
retention policies and incentives. Delays in recruiting and retaining
cyber talent could adversely affect the command's operational
capability in the future. Against our current authorizations, our
civilian fill rate is adequate. However, to efficiently operate as a
Sub-Unified Command we estimate an additional need of approximately 500
billets. Moreover, we expect competition for future talent to
intensify, affecting initial hires and retention. To address the
anticipated challenges in the short-term, we are collaborating with
United States Strategic Command and the Office of the Secretary of
Defense to permanently extend the temporary hiring authorities granted
to us (e.g. Schedule A- which is set to expire Dec `12). Long-term, we
are advocating for: special salary rates, tuition reimbursement, access
to specialized training and robust professional development
opportunities as incentives for potential employees and to retain them
once they have been hired. Underlying all of these initiatives, we
support the development of separate cyber operations/planner career
fields for our civilian and military personnel.
Service School Qualification Training. The Services currently
provide for both enlisted and officers, basic entry training for their
respective skills. For many cryptologic skills today that instruction
is provided through Joint Cyber Analysis Course at Corry Station in
Florida. As a backdrop, the JCT&CS will provide guidance through
curriculum advisory messages in curriculum development, advising the
Services on the Knowledge, Skills and Abilities (KSAs) with metrics to
ensure success for those whose assignments require the ability to
perform in one or multiple cyber work roles.
Professional and Continuing Education. Once the basic schooling is
completed, Service military and civilians continue to work to sharpen
skills and capabilities through professional and continuing education.
For the Joint community, this includes Joint Individual training and
for IA professionals, training and certification is completed in
compliance with prevailing DOD policy (DOD Directive 8570.01M). Again,
the JCT&CS provides a broad framework to inform joint and Service
training for cyberspace KSAs. An aggressive and effective retention and
career feedback process is permeated throughout the careers of the
cyberspace workforce. Constant inputs to training value, curriculum
development, and career utilization will be used to advise senior
leadership on job satisfaction and how well training enables the
workforce to be successful in their assignments. Key to the success of
this program is the agility at which the joint training standards can
be modified and those changes permeated through professional and
continuing education to keep the DOD cyberspace workforce in the
forefront globally.
Collective Training. Even with a robust individual training
program, individuals fight as crews, staffs, and organizations. The
training spectrum includes an aggressive collective training program
that trains, certifies, and then exercises the future cyberspace
workforce. Training and certification guidelines are contained in the
JCT&CS. Methods and modes are under development to measure the ability
of crews, staffs, and organizations to meet the demands of fighting and
winning in the cyberspace domain. Ultimately, this training is tested
in cyberspace exercise events that focus on cyberspace operations with
objectives that tie back to Joint Mission Essential Tasks. Today, at
the tactical level, we've developed Cyber Flag, currently an annual
event, that brings together the Service's cyber operators to defend and
fight against a cunning, realistic aggressor. This environment allows
us to understand the ability of our Service component teams and
ultimately, our ability to perform essential missions.
Mr. Langevin. Do you feel that the command structure for
integrating non-kinetic effects from cyber into the battlespace is
adequately defined?
General Alexander. The command structure for integrating non-
kinetic effects into joint operations is adequately defined, but the
Department continues to develop and improve its implementation. Through
the refinement of joint doctrine, planning, and procedures, we have put
in place a number of mechanisms to integrate kinetic and non-kinetic
effects.
We have long recognized the need for cyberspace doctrine that can
address the unique attributes of cyberspace, the interdependencies with
the land, air, sea, and space domains, and provide a model command
structure to build upon.
The cyberspace operational planning process is aligned with joint
doctrine, which has been developed and battle-tested over time as the
preferred way for combatant commanders to plan, synchronize, de-
conflict, and conduct operations. We have successfully adapted this
process for cyberspace and have exercised it a number of times with the
combatant commands to validate its applicability. Likewise, these
exercises have helped us refine our command and control (C2) model to
support the integration of cyberspace operations with other Combatant
Command operations.
Mr. Langevin. Can you briefly describe how CYBERCOM supports joint
training efforts for inter-service missions?
General Alexander. USCYBERCOM works with Service Component, Joint
Staff and Agency training leads to collaborate on processes for
continued development/refinement of DOD cyberspace training and
certification standards. We have developed relationships with
appropriate stakeholders including Service HQ, Combat Support Agencies,
public and private academic institutions, and Joint and Service
training and education activities. We support efforts to draft and
staff policy that identifies roles, responsibilities, and processes as
well as ensures consistency with other policy/guidance documentation in
order to support joint training efforts DOD-wide. The Joint Cyberspace
Training and Certification Standards (JCT&CS) provides an overarching
framework for the Services, if they so choose, for training for the
current and future cyberspace workforce over their careers. JCT&CS
advises nearly every aspect of individual force training and education
and follows the Joint Training System model for methodology. Our intent
is to execute policy within national and military guidance in
coordination with stakeholders and Communities of Interest to
promulgate common training and certification standards.
Additionally, USCYBERCOM supports the Combatant Commands exercise
of their warplans via Tier 1 Exercises. USCYBERCOM and its Service
components provide planning and operations expertise to meet the
exercise/training objectives. For FY12, USCYBERCOM is directly
supporting or involved with 17 joint exercises, and is planning
CYBERFLAG-12. Priority of support resides with National level,
USCENTCOM, USPACOM, and USEUCOM exercises.
Mr. Langevin. What more can be done to engage our allies,
especially NATO? How can we leverage DOD ``building partnership
capacity'' authorities to train and equip foreign forces to improve our
allies' capabilities related to cyber operations?
General Alexander. First, the United States can increase
information and cyber capability sharing by developing and sharing
cyber hygiene ``best practices,'' sharing cyber threat information, and
providing cybersecurity tools. Second, the United States can conduct
tabletop exercises to identify legal and policy constraints and
``live'' exercises to build shared situational awareness and
interoperability. Third, the United States can enhance education and
training through congressional programs to allow foreign military
officers to attend training in the United States and host or co-host
conferences or seminars on cybersecurity. Fourth, the United States can
expand the State Partnership Program to link more National Guard Cyber
Warfare units with partner nations to increase engagement and training
opportunities.
USCYBERCOM has shared portions of the methodology in developing
Joint Cyberspace Training and Certification Standards (JCT&CS) for the
command's cyber workforce and the workforce of the Service Cyber
Components that are under operational control of the Commander.
USCYBERCOM has also developed and manages several training courses that
contribute to the professionalization of the cyber workforce (i.e.
Joint Advanced Cyber Warfare Course-JACWC, Joint Cyberspace Operational
Planners Course Mobile Training Team JCOPC MTT). The USCYBERCOM Joint
Exercises and Training Directorate developed a version of JACWC (Joint
Advanced Cyber Engagement Series-JACES) that is releasable to our
allies, and is currently developing a similarly releasable version of
JCOPC at the request of EUCOM and AFRICOM. The first session of JACES
with 33 key partner nation students concluded 20 April 2012.
USCYBERCOMs intent is to continue to build key partner relationships by
sharing releasable components of its workforce development efforts.
Mr. Langevin. What discussions and actions are going on within NATO
to improve the capabilities of the alliance to deal with cyber threats?
General Alexander. NATO has been actively working to improve the
Alliance's capabilities to deal with cyber threats. A NATO Policy on
cyber defense was recently approved and focuses on preventing cyber
attacks and building resilience. The policy is being implemented via an
action plan, which includes the NATO Computer Incident Response
Capability (NCIRC) achieving full operational capability by the end of
2012. U.S. European Command is a key enabler and provides support to
the NCIRC. Additionally, the United States is encouraging NATO to fully
integrate cyberspace operations into planning, exercises, training, and
education. Lastly, the United States is educating NATO on lessons
learned from the Government's realignment to meet cybersecurity goals
and the organizational and command and control structure of U.S. Cyber
Command and other U.S. Government cyber units to influence NATO's
civilian and military command structure development.
At USCYBERCOM, we have participated in the annual NATO cyber
exercise Cyber Coalition. This is a NATO event facilitating the
improvement and development of coherent procedures and mechanisms for
cyber defense; exercise strategic decision-making procedures, technical
and operational procedures, and collaboration between all participants,
including the private and public sectors.
Several of our NATO allies are participating in the planning for
Cyber Flag 13-1. The eight-day exercise schedule consists of four days
with allies and the remaining four days as U.S. only due to
classification considerations. Coalition partners will be invited to
participate in future Cyber Flag exercises in order to build capacities
and further enable partnership opportunities.
Mr. Langevin. Are you confident in the state of the career paths
for cyber professionals, and do you feel that your recruiting,
retention, and career progression needs are being adequately addressed?
Secretary Creedon. In light of emerging cyber threats, cyber
workforce roles, responsibilities and skill requirements continue to
evolve, not only in DOD, but across the Federal Government and
industry. DOD is working with the Federal Government through the
National Initiative for Cybersecurity Education (NICE) and Federal CIO
Council to identify current and forthcoming cyber skill requirements,
define career paths for cyber professionals, and determine the optimal
courses of action to ensure a pipeline of cyber professionals is
available to meet mission mandates. These efforts may result in new
requirements and methodologies in the recruitment, retention and career
management of the Department's cyber workforce.
Currently, several strategies are in place to aid in recruiting and
retaining a skilled cyber workforce. Federal direct-hire authority
provides with flexibility in recruiting and hiring select information
security (cybersecurity) personnel within the civilian IT Management
series. DOD also has Schedule A hiring authority for select
cybersecurity positions for certain IT and non-IT civilian job series;
the Department is working with the Office of Personnel Management to
extend and enhance this authority as it expires in December 2012. DOD
uses the Information Assurance Scholarship Program (IASP) to attract
students from top universities and colleges, and to retain personnel
with cyber and information assurance skill sets who wish to further
their education. In addition, CIO oversees the Information Resources
Management College (iCollege) of the National Defense University, which
recently introduced a Cyber Leadership Program. These authorities and
programs, along with military recruiting and retention bonuses, are
currently used to recruit and retain cyber personnel and are essential
to maintaining the health of this community.
Mr. Langevin. How is DOD capturing lessons learned from real-world
cyber events and major exercises?
Secretary Creedon. Real-world and exercise cyber lessons learned
are submitted to the Joint Lessons Learned Information System (JLLIS)
database system of record. JLLIS is the system of record for Lessons
Learned. Typically, they are communicated in the form of Situational
Awareness Reports (SARs). For certain major events U.S. Cyber Command
conducts detailed analysis of the incident and then publishes the
result as an SAR, which details the incident; threat tactics,
techniques and procedures; as well as countermeasures/mitigation
options. Lesser events are often documented in quarterly SARs that show
trends, common TTPs, and systemic issues. Exercise lessons learned also
are input to JLLIS and their capture in the database has greatly
improved over the last 12 to 18 months. Anyone with SIPR access may
request an account to access JLLIS content.
In addition to JLLIS, the Services also track major events via
their respective database systems. For example, Army computer network
defense (CND) events are tracked in ACID, the Army CND Incident
Database. The Navy Lessons Learned System (NLLS) is the Navy's process
for collection and dissemination of significant lessons learned,
summary reports and port visit reports from maritime operations,
exercises and other events.
Mr. Langevin. What more can be done to engage our allies,
especially NATO? How can we leverage DOD ``building partnership
capacity'' authorities to train and equip foreign forces to improve our
allies' capabilities related to cyber operations?
Secretary Creedon. The Department's authorities to build the
security capacity of our foreign partners can be useful tools that
contribute significantly to a variety of missions, from
counterterrorism and combating weapons of mass destruction, to
stability and counterinsurgency operations. For cyber operations there
are no current plans to use these specific authorities; rather the
Department works collaboratively with NATO and other allies.
Our NATO allies recognize the increasing importance of cyber
defense, as demonstrated by the 2010 Lisbon Summit Declaration, NATO's
revised Strategic Concept, and the issuance of a revised NATO Policy on
Cyber Defense in June of 2011. We are actively engaged in working with
our NATO allies to ensure their continued commitment to NATO's new
policy and the steps outlined in its Action Plan. More broadly, through
our Geographic Combatant Commands, we are exploring ways in which we
can work more closely with allies and partners to help them improve
their cyber security and ensure that they are investing in enhanced
security for their national networks. This is also an area where we are
working closely with the Departments of State, Homeland Security, and
other key USG stakeholders
Mr. Langevin. What discussions and actions are going on within NATO
to improve the capabilities of the alliance to deal with cyber threats?
Secretary Creedon. Beginning with the 2010 Lisbon Summit
Declaration and followed by NATO's revised Strategic Concept in which
the protection of the Alliance's information systems was made a
priority task, the U.S. Department of Defense has been actively engaged
in working with NATO to improve the Alliance's ability to defend
against the ever growing cyber threats.
In addition, last year NATO Defense Ministers approved a revised
NATO Policy on cyber defense. The policy offers a coordinated approach
to cyber defense across the Alliance and focuses on preventing cyber
attacks and building resilience. The new policy is currently being
implemented through an Action Plan that has a number of elements, but
the most important is achieving NATO Computer Incident Response
Capability (NCIRC) full operational capability by the end of 2012. By
bringing all of NATO organizations' networks under NCIRC authority and
protection, the NCIRC will significantly increase the Alliance's
ability to defend and recover in the event of a cyber attack against
systems of critical importance to the Alliance. Implementation is on
track and the U.S. Department of Defense will continue to strongly
support NATO's efforts in this area.
______
QUESTIONS SUBMITTED BY MR. FRANKS
Mr. Franks. With respect to defense installations within the United
States, how reliant are our IT and cybersecurity systems on the supply
of stable, reliable, and uninterrupted electricity from the civilian
power grid, and how prepared are we to carry out the defense mission if
the power grid or a substantial part of it were to go down for extended
period, for example: two weeks or longer due to severe space weather or
man-made electromagnetic pulse?
General Alexander. Defense installations themselves typically have
means to provide backup power for various durations. Additionally, DOD
typically contracts with multiple vendors for connectivity to minimize
the number of single points of failure. However, a great deal of DOD's
cyberspace is served by and through commercial providers. The degree to
which these commercial providers--and the companies upon which they
rely--can sustain operations in the event of an extended power outage
varies considerably. We are aware that such dependencies exist and are
actively working to identify just those kinds of critical
infrastructures and key resources as part of a larger strategy to
ensure robust cyber defense of the ``.com'' and ``.gov'' portions of
cyberspace that DOD relies upon for mission readiness.
Mr. Franks. How confident are you that the private power industry
is prepared to resist and defeat cyber attacks against its control and
power distribution systems and are there approaches we can take with
industry that don't involve burdening industry with unnecessary
regulation, to assist industry to protect this vital infrastructure and
ensure that defense-related IT and cybersecurity systems are not
degraded or rendered useless by an extended period of time without
electricity?
Secretary Creedon. Commercial power sources continue to be
threatened by a wide array of threats. Commercial electric power
providers rely on Industrial Control Systems (ICS) to control and
operate the power grid and, due to potential vulnerabilities with these
systems, scenarios exist where malicious actors could gain control of
critical components. Today's threat environment is dynamic and, as a
result, organizations must be vigilant and adaptable in monitoring
systems and implementing controls in response to current threats.
DOD conducts ongoing analysis and partners with multiple entities
including the Department of Energy (DOE), Department of Homeland
Security (DHS), the commercial ICS community, and the Federal Energy
Regulatory Commission to stay abreast of the threat and better assess
industry preparedness. DOD, along with its interagency and industry
partners, is moving in a deliberate and aggressive fashion to close the
gaps associated with energy surety.
In addition, DOE, and DHS recently launched the Energy Surety
Public Private Partnership to better understand and improve the surety
of energy infrastructure supporting national security missions. DOD is
also participating in an effort led by DOE to develop a cybersecurity
maturity model focused on managing dynamic threats to the grid and
evaluating cybersecurity capabilities. Finally, there are other efforts
underway focused on awareness and managing the threats to the grid such
as the North American Electric Reliability Corporation cyber attack
task force and a public/private collaborative effort to develop risk
management guidelines. We believe these efforts will accomplish a great
deal in managing the threat to our power sector
�