[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
[H.A.S.C. No. 113-87]
INFORMATION TECHNOLOGY AND CYBER
OPERATIONS: MODERNIZATION AND
POLICY ISSUES IN A CHANGING NATIONAL SECURITY ENVIRONMENT
__________
HEARING
BEFORE THE
SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES
OF THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
HEARING HELD
MARCH 12, 2014
U.S. GOVERNMENT PRINTING OFFICE
87-619 WASHINGTON : 2014
SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES
MAC THORNBERRY, Texas, Chairman
JEFF MILLER, Florida
JOHN KLINE, Minnesota
BILL SHUSTER, Pennsylvania
RICHARD B. NUGENT, Florida
TRENT FRANKS, Arizona
DUNCAN HUNTER, California
CHRISTOPHER P. GIBSON, New York
VICKY HARTZLER, Missouri
JOSEPH J. HECK, Nevada

JAMES R. LANGEVIN, Rhode Island
SUSAN A. DAVIS, California
HENRY C. ``HANK'' JOHNSON, Jr., Georgia
ANDRE CARSON, Indiana
DANIEL B. MAFFEI, New York
DEREK KILMER, Washington
JOAQUIN CASTRO, Texas
SCOTT H. PETERS, California

Kevin Gates, Professional Staff Member
Mark Lewis, Professional Staff Member
Julie Herbert, Clerk
CONTENTS
----------
CHRONOLOGICAL LIST OF HEARINGS
2014
Page
Hearing:
Wednesday, March 12, 2014, Information Technology and Cyber
Operations: Modernization and Policy Issues in a Changing
National Security Environment.................................. 1
Appendix:
Wednesday, March 12, 2014........................................ 23
----------
WEDNESDAY, MARCH 12, 2014
INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY
ISSUES IN A CHANGING NATIONAL SECURITY ENVIRONMENT
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Langevin, Hon. James R., a Representative from Rhode Island,
Ranking Member, Subcommittee on Intelligence, Emerging Threats
and Capabilities............................................... 2
Thornberry, Hon. Mac, a Representative from Texas, Chairman,
Subcommittee on Intelligence, Emerging Threats and Capabilities 1
WITNESSES
Alexander, GEN Keith B., USA, Commander, United States Cyber
Command........................................................ 5
Takai, Hon. Teresa M., Chief Information Officer, U.S. Department
of Defense..................................................... 3
APPENDIX
Prepared Statements:
Alexander, GEN Keith B....................................... 39
Takai, Hon. Teresa M......................................... 27
Documents Submitted for the Record:
[There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
[There were no Questions submitted during the hearing.]
Questions Submitted by Members Post Hearing:
Mr. Carson................................................... 55
Mr. Kilmer................................................... 56
Mr. Peters................................................... 61
Mr. Thornberry............................................... 53
INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY
ISSUES IN A CHANGING NATIONAL SECURITY ENVIRONMENT
----------
House of Representatives,
Committee on Armed Services,
Subcommittee on Intelligence, Emerging
Threats and Capabilities,
Washington, DC, Wednesday, March 12, 2014.
The subcommittee met, pursuant to call, at 3:30 p.m., in
room 2118, Rayburn House Office Building, Hon. Mac Thornberry
(chairman of the subcommittee) presiding.
OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM
TEXAS, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS
AND CAPABILITIES
Mr. Thornberry. The subcommittee will come to order.
The subcommittee meets today to examine issues related to
information technology [IT] and cyber operations, both from a
policy and budget perspective.
We are glad to have both General Alexander and Ms. Takai
back with us again this year.
These two issues are among the most challenging we face in
national security.
On the first, the full committee and all subcommittees have
undertaken a 2-year effort to improve the acquisition practices
of the Department of Defense [DOD]. While there are
improvements to be made in all areas of contracting and
acquisition, there is particular concern about how the
Department can put up-to-date technology in the hands of the
warfighter in a timely and cost-effective manner.
This subcommittee has tried to keep a close watch on these
issues over the years, but this broader reform effort, which we
are pursuing cooperatively with the Senate and the Pentagon and
industry, may give us opportunities to make improvements that
have not been seriously pursued before, and we should take
advantage of it.
The second issue, of course, is cyber operations. This
subcommittee has viewed as one of its primary responsibilities
helping ensure that the military is as prepared as it can be to
defend the Nation in cyberspace. It is one of the few areas of
the budget where there is widespread agreement that we need to
spend more. But we also want to see that all taxpayer funds are
spent carefully and effectively, and we want to help develop
policies and, frankly, the public education required to protect
the Nation in this new domain of warfare.
Finally, I want to offer, on behalf of the people I
represent and especially on behalf of the service men and women
I represent, our tremendous gratitude to General Alexander for
his service to the Nation. He retires at the end of this month,
and this may well be his last or one of his last hearings.
General Alexander has led the National Security Agency [NSA]
since 2005 and then also Cyber Command [CYBERCOM] since its
creation in 2010.
These have been turbulent, challenging years, with a
constant yet evolving terrorist threat and an explosion of
cyber threats, as well as other national security challenges.
Through it all, through terrorist plots, cyber intrusions of
every description, not to mention intentional illegal
disclosures of important national security information, he and
the folks at NSA made sure that support for our troops in the
field was a top priority. And we will never know how many of
their lives were saved because of the professionalism,
commitment, and focus of the people at NSA and CYBERCOM--
qualities reflected in their commander.
So, General, for all your service that has meant so much to
the Nation and for all your openness and candor with this and
other committees in the Congress, we thank you.
I yield to the ranking member, Mr. Langevin.
STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE,
EMERGING THREATS AND CAPABILITIES
Mr. Langevin. Thank you, Mr. Chairman.
Ms. Takai, it is a pleasure to welcome you back before the
subcommittee.
And, General Alexander, it is my duty to inform you that
you have to endure one last go-round through the wringer before
your well-earned retirement.
But we are grateful that you are both here today.
Information systems are obviously the lynchpin of
everything that we do as a Nation, and the military is
certainly no exception. IT continues to be a massive portion of
our defense enterprise investment, and cyber operations are one
of the only growth areas in the DOD budget. In today's fiscal
environment, there can be no higher validation of the
importance of these missions.
There is no shortage of critical discussion, of course,
that we need to have this afternoon, so I am going to keep my
comments pretty brief, but there are a few points I would
like--that I would appreciate both of you addressing to the
extent possible in your opening remarks and possibly at greater
length in a classified session.
The first is the adjustments that you have made in your
respective jurisdiction with regard to the gravely damaging
leaks of highly classified information by Edward Snowden. To
the extent possible, I know all of us would appreciate hearing
how the Department has shifted to protect and prevent such
insider threats in the future and especially how we are
spreading those lessons learned.
And speaking of lessons learned, our recent unfortunate
news about a particular IT program that was unsecured for
months as a result of contract confusion raises again the
complexities of contracting for IT and related services.
Understanding that this is a continuing saga, I would
appreciate knowing what sort of lessons are being drawn from
this event and how you are working to prevent similar problems.
Also, I think the committee could also benefit from an
update on the creation of the mission teams and how both of you
are handling the challenges of personnel retention and growth.
In particular, General, how you are using the capabilities of
the Reserve Component and, Ms. Takai, how you are dealing with
the increased needs and challenges stemming from the Joint
Information Environment [JIE] and the cloud security model.
Given the proliferation of polymorphic malware and other
advanced methodologies aimed at defeating traditional cyber
defenses, I think we would be interested to know more about how
the Department is defending against these threats until the
Joint Information Environment comes on line.
And, as both of you know, also I am very concerned about
the security of the information systems underpinning of our
critical infrastructure, especially those enterprises which
support the Department of Defense. I would appreciate an update
on what the Department is doing to work with and better secure
those networks.
And, finally, before we go into your statements and Member
questions, I would just like to note for the record what an
extraordinary career you have had, General Alexander. In your
40 years of service, going back to West Point, class of 1974,
you have shown true dedication and commitment to America's men
and women in harm's way. You have been a partner to this
committee for the last 9 years, and I found your testimony
always to be very candid and forthcoming.
And I am sure that certainly there were times when it would
have been much easier just simply to probably just call it a
career and move on to retirement, but you have persisted and
accomplished truly remarkable things when it comes to
investments in our cryptologic platform, standing up the
Nation's first sub-unified command for cyber while fighting for
the means to build our Nation's cyber force and the
development--and developing the capability for our Nation to
defend itself in cyberspace, all done during very turbulent and
transformational times.
So, General, with that, a grateful Nation salutes you for
your inspired service. I echo the comments of the chairman. And
I personally wish you the very best in your retirement, in this
next chapter in your life, and I hope that we will stay in
touch. Thank you.
I yield back, Mr. Chairman.
Mr. Thornberry. Thank you.
Ms. Takai, if you would like to summarize your opening
statement. And, without objection, your full statements will be
made part of the record.
STATEMENT OF HON. TERESA M. TAKAI, CHIEF INFORMATION OFFICER,
U.S. DEPARTMENT OF DEFENSE
Ms. Takai. Thank you very much. I appreciate it.
Well, first of all, Mr. Chairman and members of the
subcommittee, thank you for the opportunity to be here today.
It is a great honor to be here with my cyber team member. And
General Alexander and I have worked very closely, and I very
much have appreciated all the support that he has provided to
me and to my organization.
I would like to just touch on a few things, and I would
like to perhaps answer at least some subset of the questions
that were raised. I would like to give you an overview of where
we are on JIE and then certainly can address a couple of the
items that were discussed there. And I know we are going to
talk about those more.
I would just, as an opening, mention that we are submitting
and you have our fiscal year 2014 IT budget request, which is
$37.7 billion. With that, we are holding our cyber investment,
and our cyber investment will be $5.2 billion of that. And I
think, as you know, that is a variety of both infrastructure
and defense as well as other areas.
So let me just talk a minute about JIE. I think all of you
know that it is really an ambitious effort to realign and
restructure the way our networks are constructed, operated, and
defended. And it really is there to enable U.S. Cyber Command
to be able to operate and defend on our networks.
The challenge is, it is an alignment of an existing vast
set of networks. It is going to change the way we assemble,
configure, and use new and legacy information technologies. It
is actually going to change also our operations. It will
consist of enterprise-level network operation centers that will
reduce the complexity and ambiguity of being able to actually
see our networks. Our core data centers--as you know, we are
reducing our data centers over the FYDP [Future Years Defense
Program] to almost half of what we have today, and all of that
within a standard single security architecture that will reduce
the plethora of tools and configurations that we have.
And the ultimate beneficiary of JIE is really the commander
in the field. It is also going to allow for more innovative
integration of information technologies and, as a part of that,
will actually help, we believe, in the question that you raised
on the fit with the acquisition strategies. It will actually
lay an infrastructure in place that we believe will actually
help the speed of acquisition without necessarily meaning that
we have to change acquisition processes per se.
Again, all of this in light of our cybersecurity program. I
would just highlight a couple of other things. We are working
with our defense industrial base partners on a cybersecurity
information-sharing program. I highlight that because I think
it is an example of what is possible from an information-
sharing perspective. And General Alexander has been a continued
advocate for it, and I think it does pave the way for other
areas that we want to work on.
As it relates to the insider-threat question, we work very
closely with USD(I) [Under Secretary of Defense for
Intelligence], the intelligence organization, which is really
the lead on insider threat. But I think, as you have seen from
some of our actions, one of my roles has been to work with them
to put out policy, very closely then followed by U.S. Cyber
Command putting out specific direction, in terms of reinforcing
some areas, you know, like the removable media, but also
reinforcing policies in terms of who is on our network.
But, ultimately, for insider threat, it is really going to
be our Joint Information Environment and really tightening
down, being able to see on our network but also being able to
see who is there and, if in fact we have an issue, being able
to catch it and contain it very quickly. So we are looking at a
set of steps that is not only a single action but steps that
will take place over time.
Another item that I wanted to mention is that I think there
is a perception that JIE is something that is out there in the
future. In fact, we are implementing elements of JIE as we go.
And we will certainly talk more about our data center
consolidation, our implementation of many elements of our
single security architecture. And while this is going to take a
period of time, I wouldn't want to leave the impression that
this is all in the future and that we are not working with it
and working to that right now.
A couple of other items that I would mention if, in fact,
we have time to talk about them: I do have responsibility for a
position navigation and timing strategy, which I think is
becoming critically important, particularly as we look at it in
light of potential cybersecurity threats to that area of
technology. And then, finally, I think as you know, we are
responsible for the Department's spectrum strategy, and there
may be some questions.
So, with that, I will leave you with that summary. And,
again, we appreciate the opportunity to be here.
[The prepared statement of Ms. Takai can be found in the
Appendix on page 27.]
Mr. Thornberry. Great. Thank you.
General.
STATEMENT OF GEN KEITH B. ALEXANDER, USA, COMMANDER, UNITED
STATES CYBER COMMAND
General Alexander. Chairman, Ranking Member, distinguished
members of the committee, it is an honor and privilege to be
here for what we hope, or at least one of us hopes, is our last
appearance before the committee in uniform.
I thought I would talk about two things: first, a little
bit about the threat. Because I think it is important to couch
what our country will face in a construct of the threat that we
are going to face.
The targeting, exploitation, and theft of our personal data
highlights some of the threats that go on in industry every
day. But our Defense Department systems are scanned by
adversaries about 250,000 times an hour, on average, for
vulnerabilities.
And when you look at it, look at the amount of disruptive
attacks, exploitations, and now destructive attacks that have
hit the world. In August of 2012, Saudi Aramco was hit with one
of the first destructive attacks, where the data on over 30,000
systems was destroyed. Since then, our financial networks have
been hit with hundreds of disruptive distributed denial-of-
service attacks, we have seen South Korea hit with destructive
attacks where data was wiped off their banks, and I believe
there are worse things to come.
It was interesting, out in RSA [annual cybersecurity
conference], over the last couple weeks--we briefly talked
about it. How bad can cyber attacks get? How about burning the
internal components of a machine, whether PC or Mac, to a
crisp, setting it on fire? So they actually demonstrated that
out there. So that you can go all the way from disrupting to
destroying the data to destroying the equipment itself.
From our perspective, there are a number of things that we
have to put in place to stop this. So we came up with five key
things to address this threat. And I believe we are going to
have to move on that as a Nation. And this is where,
Chairman, I would really push the committee to help the
Department and the rest of the government to move forward.
First, we have to get a defensible architecture. The
architecture that we have, our dependence on something we call
Joint Information Environment, really gets us a step in that
direction.
And the reason that is so important, when you look at DOD's
networks, we have 15,000 enclaves. It is very difficult to
ensure that one of those doesn't get penetrated. And if they
get into one, they are free to roam around all of them, and
that creates a problem. Oftentimes, adversaries will get into a
network and be there for a while, on the civilian side up to 9
months, before they are detected. We can't afford to have that
happen in our government networks. More importantly, that is
the road in for more disruptive and destructive attacks.
Because once they get in, they can then do things to the
network, like disrupt and destroy it.
So, a defensible architecture.
Trained and ready force. One of the good parts about Cyber
Command being at NSA, I think the training of our forces is
going extremely well. We have trained almost 900 people. We
have 900 more, roughly, in training right now. By the end of
this year, that means we will have 1,800 trained and ready
personnel in teams that cover from our Cyber Protection Teams
all the way up to the National Mission Force.
And those personnel from across all the services are being
trained to the same standards that we set at NSA. It is
important that people who operate in these networks are trained
to that same standard; it is extremely important. And it is the
same for the Guard and the Reserve.
So just to take that off for a minute, so the exercises
that we do, CYBER FLAG and CYBER GUARD, are ways that we can
hone our command and control and ensure that our teams, both in
the Active and Reserve, are being trained to those standards.
So one of the things we set up with the Reserve and the
National Guard is to train them to just that standard and then
try to set your teams up to match what the Active Component is
doing.
Authorities. Here is where we need your help. We need cyber
legislation. We need the ability to reach out and hear from
industry when they are being attacked at network speed--the
government, not just NSA and Cyber Command, but FBI [Federal
Bureau of Investigation] and DHS [Department of Homeland
Security]. So we have to have cyber legislation that goes
beyond where the Electronic Communications Privacy Act, ECPA,
and the Stored Communications Act prevent some of those
sharings from going on, and we have to have that.
Command and control. We have to have the right command and
control structure, seamless command and control, from the
President all the way down through the SecDef [Secretary of
Defense], DNI [Director of National Intelligence]; everybody
understands how we are going to do this in time of crisis. That
has to be set up ahead of time.
And, finally, you have to be able to see what is going on
in cyberspace. If you are going to use forces to defend this
Nation, they have to have a common picture of how they are
going to do it. If you ask anybody to draw a diagram of what
the attack looks like, get four different people, have them sit
at different desks, you will get four different pictures. That
means you have no coherent defense. We have to have a common
picture that people can see to defend it.
Finally, I would just end by saying it has been a privilege
and honor to work with Ms. Teri Takai as the DOD CIO [Chief
Information Officer]. She has been a great partner, always
there to help us and always helpful.
So, Chairman, thank you very much.
Thanks, Teri.
[The prepared statement of General Alexander can be found
in the Appendix on page 39.]
Mr. Thornberry. Thank you. I appreciate the comments that
both of you made.
We will go as far as we can with the questions until the
votes are called. And we will do everybody on the 5-minute
rule, starting now.
General Alexander, I think this is the fourth time that you
have testified before this subcommittee, because we rearranged
jurisdiction and concentrated cyber in one subcommittee in
2011. So just give me a rough comparison between now and 4
years ago, how the threat has changed and how our capabilities
have changed. You know, which has grown the fastest--you know,
just kind of a rough, for the American people, what has changed
in the last 4 years on the threat and our capability.
General Alexander. Chairman, I think the----
Mr. Thornberry. Get the microphone a little closer. Thank
you.
General Alexander. Or I could move up.
I think the capabilities that have changed the most are the
technical capabilities for the threat to attack and for us to
defend. What is lagging is the authorities.
So, to be specific, back in 2011, we pushed a memo up that
said, here is what we think is going to happen, and, in fact,
that did happen. So we actually were pretty close in defining
the disruptive attacks that were to come. And we went to
Secretary Panetta and said, here is what we think we need to do
to defend against these.
I now think we need to be ready for destructive attacks.
And we have tools that can be used to defend against it, but we
don't have the authorities to see it, which means those tools
would be useless.
Think of this as a radar system. What we have is missiles
that are coming in, cyber missiles that are coming in, and no
way to see where they are going, so you have no way to shoot
them down. You can see them land in civilian infrastructure and
say, well, we could have stopped that one if we had only seen
it.
So we have to have a way of seeing so that the Defense
Department, FBI, and Homeland Security can act in the interest
of the Nation. That is where I think that the biggest gap is.
There are some tools and training that we are doing, but,
actually, I think that is going pretty good. I think they are
up--they are up where we would want them to be, in terms of
being prepared to respond if authorized to do so.
Mr. Thornberry. Okay.
And just to be clear, when you say ``destructive attack,''
you mean data gets destroyed or the computer literally melts
down, like happened at RSA?
General Alexander. Both.
Mr. Thornberry. Yeah. Okay.
Briefly, Ms. Takai, you talked a lot, which I appreciate,
about the Joint Information Environment. One of my questions
is, it has all the characteristics of a major program, yet it
is a little vague on who is in charge. Who is in charge?
Ms. Takai. Well, sir, I can answer that. I am in charge.
The Secretary has signed out two memos actually directing me to
implement JIE.
Now, as part of that, though, clearly, our requirements in
terms of what is necessary from JIE come from Cyber Command and
the component cyber commanders to ensure that we are meeting
their needs. We are taking it through our processes in the
building, so it does have--and go through the Joint Staff
processes to ensure that we have what we call validated
requirements.
And so, while it may not be a program of record, per se--
and I will come back to that--it very much is using all of the
processes in the building to make sure that, again, whether it
is the size and scope of DOD, we have to make sure that we have
a sustained program that isn't dependent upon one person but,
again, is a part of all the programs.
Let me come back to why it is not a program of record. It
is not a program of record because we are not seeking to look
at a funding for the program, per se. Because, largely, today,
about 50 percent of our overall IT spend is in sustainment
dollars, effectively in our infrastructure and what it takes
for that infrastructure to move forward.
It is important that we take those moneys and direct those
to the Joint Information Environment. And so, by doing that, we
can ensure that we are not just adding technology, we are
actually changing the underlying infrastructure.
Second thing is that it is a long-term program. It involves
not only the services but all the components. And each of them
has to do it within their existing architecture. They have to
come up with their own implementation plans. And, in fact, that
is what they have submitted to me as of this month.
Mr. Thornberry. Can you order a service to make a change? I
mean, if you are in charge, do you have that authority?
Ms. Takai. Yes, sir.
Mr. Thornberry. If you have a validated requirement from
the Joint--you can say, Air Force, Army, whoever, you do that.
Ms. Takai. Yes, sir.
Mr. Thornberry. Okay.
I want to go back to some of those legacy issues in a
minute, but, at this point, I would yield back to Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
Along that same line, I guess, you know, I do have some
concerns there, because, you know, how is the Congress and the
Department, how are we expected to really have oversight
visibility across this massive undertaking and, you know, the
JIE, how will it interface with other ongoing initiatives?
So I want to know, will the Department provide standard
programmatic guidance, such as baselines, capabilities
documents, cost estimates, and schedules?
Ms. Takai. Yes, sir. We certainly can provide all of the
underlying architecture documents, for instance, just to give
you an example of the kinds of direction that we are giving to
the services and the components in terms of the technical
actions they are expected to take, number one.
Number two, we do have an overall plan that takes us to the
point that we are today. But by about the middle of next month,
I will be taking the implementation plans that are coming in
from the services and creating an overall master plan. And we
are more than happy to share that with the subcommittee so that
you can see what our direction is. And then, on a periodic
basis, we can certainly come back in and show you the status of
each of the components in terms of the progress that they are
making.
Mr. Langevin. Okay. I think that would be important so this
doesn't get away from us and we are providing the level of
support that you need, as well, to make it effective.
So as the areas like electronic warfare [EW] and cyber
converge, are you satisfied with your level of coordination
with the EW community in the Department? And how does that
coordination take place?
Ms. Takai. Well, sir, I am satisfied with the level of
coordination, but I am--I do feel we are challenged to really
keep up with being able to think through and meet the threat.
That is something that we are continuing to work on.
And from an EW standpoint, I think there are a number of
areas that are going to converge, in terms of what we are doing
from a cybersecurity standpoint and what we are doing from a
JIE perspective.
One of the things that we have just done, the Secretary has
really directed me to set up a much stronger IT governance
process that includes not only JIE but it includes all of the
areas of technology. And one of things that we have recently
done in our governance process is to restructure it. And in
that restructuring, we have combined C2 [command and control]
and cyber into a single governance process to try to drive the
convergence that you are speaking of much closer than it is
today.
Mr. Langevin. Thank you.
General, do you have any thoughts on that?
General Alexander. Congressman, I think the one key thing
is we do see electronic warfare and cyber coming closer
together technically. You can see this because of the--our
wireless environment is very much akin to what you have in
terms of the early-warning radars, radio direction and ranging
capabilities, going digital with that, the ability to go over
one link or the other, the jamming that goes on. You can
actually jam, now, a distributed denial-of-service attack. You
can do that in cyberspace; you can do that in EW. And I think
we are going to have to push those together, because those
effects are overlapping already, and we see that.
And in dealing with the services, it was our assessment in
2010 that you would start to bring all of these together into
one domain. And I think we actually are going towards that and
need to do that.
Mr. Langevin. Probably a good segue, then, to my next
question. Given the increasing role of cyber, are you still
satisfied with CYBERCOM as a sub-unified command? And what
would be the benefits and drawbacks of elevation as a full
combatant command, as you see them?
General Alexander. So I think, as we have added on more
teams, the requirement to go from sub-unified to unified is
growing. And I think over the next year we have reached a
tipping point where we are going to need to shift to a unified
command.
In 2007, we set out a framework of four options for the
Secretary of what you should/could do for building a cyber
command of some sorts. It started out with a sub-unified
command, went to a unified command with two options: a SOCOM
[Special Operations Command]-like model or a generic COCOM
[combatant command]. We believe that the SOCOM-like model is
where you need to go, which gives you the training and some of
the acquisition authorities over the cyber lane specifics. So
it is a SOCOM-like.
And the fourth option was going to a service itself. I
think it would be premature to consider doing that. I think you
would really want to stop at a unified command and then say, so
where to go?
Why a unified command? Command and control from the
President and the Secretary directly to that commander. In
cyberspace, that speed is going to be absolutely important. And
I think, as we add more teams and more complexity, STRATCOM's
[Strategic Command's] ability to actually play in this will
continue to go down.
Now, to be completely candid, General Bob Kehler and now
Admiral Haney, Cecil Haney, have been wonderful to work with.
So there is no difference between us, and we both actually said
the same thing at the Armed Services--the Senate Armed Services
Committee hearing, as well.
Mr. Langevin. Very good.
So, with that, I would yield back. I know I at least have a
few seconds left.
Thank you both.
And again, General, thank you for your service, and wish
you well. Thank you.
Mr. Thornberry. Ms. Davis.
Mrs. Davis. Thank you, Mr. Chairman.
And to you, General Alexander, we wish you the very best.
Thank you so much for your extraordinary service.
And, Ms. Takai, thank you for being here, as well.
You know, you talked about the need for legislation and
authorities. And some of that relates, of course, to the
private sector and the willingness of the private sector to
work together.
What problems do you see in relation to that? We obviously
know there is already a history that we need to deal with. You
know, what does this look like, in your estimation? What do we
need to do?
General Alexander. So the issue that we are wrestling with,
I think, with the private sector is on two parts: How do we
share data? I think that one we can actually resolve. And the
next question is liability protection. And I think this is
really the hard part. How do you set up the right liability
protection framework? I know the Senate is actually working
that one issue.
I believe you are going to have to set up some liability
protection for when the government and others share, in good
faith, signatures that people employ that perhaps don't act as
they should have. So if I make a mistake giving industry a
signature to protect them from malicious software and it also
stops some other flow of traffic for a small period of time,
the company that did what we asked them in good faith shouldn't
be sued for that. So I think those kinds of things have to be
thought through.
We have to have, though, a way for understanding when Wall
Street, for example, is under attack. Right now, we get it
after the fact or we get called up; it is not realtime. And, as
a consequence, we can't defend them. So that is the operational
requirement, from my perspective.
Mrs. Davis. Uh-huh. Will it take a major educational effort
to do this? I guess I am trying to figure out how we get from A
to B.
General Alexander. Well, I think the--my understanding is
the House has pushed forward a bill on that already, at least
did last year, and now----
Mrs. Davis. Yeah.
General Alexander [continuing]. The Senate needs to do the
same. And I think the Senate has stated their intent to try to
do that. So both the Intelligence Committee and the Armed
Services Committee both have said that they want to do this. We
had discussions with both of them, and all the Members say
there is an imperative and a reason for doing this, we just
have to go do it. They don't want to wait for something bad to
happen to say, I wish we had done that last week.
Mrs. Davis. Right. Yeah. Okay, well, we are certainly going
to be working on it, but I wondered if there is--if you have
any more thoughts about, you know, really, how--I think there
is so much concern in the public sector today that it makes it
a little more difficult to move forward, and we all have to
work on that.
Did you have a comment, Ms. Takai?
Ms. Takai. Yes. The one thing I would add is, again, back
to some experience levels--and perhaps we can provide, you
know, as this continues to unfold. I think one of the things,
for instance, that we have been asked to do, in fact, as part
of last year's NDAA [National Defense Authorization Act], was
to begin to collect information from all of the defense
industrial base, not only those that are participating in our
information-sharing program.
I think that is going to start to help. I mean, we are
getting a lot of concern from the defense industrial base
companies today, but I think, as we roll that out, as they
understand how this information is going to be used, that they
see the benefit. If it is anything like the program that we are
running today, we are finding that the companies, once they get
into it, are very enthusiastic about it. They see what they can
gain by talking to each other, not necessarily just by talking
to us.
And so I know it is a small number, but, by the same token,
our industrial base is fairly large. And, you know, perhaps we
can use some of that information to sort of ease some of the
concerns.
Mrs. Davis. General Alexander.
General Alexander. Could I add? We have the technical
ability today to apply signatures that defend the Department's
networks through our systems right now that we can push out in
essentially realtime. That defends us at the gateway and
provides us incredible defense against evolving threats.
We see those evolving threats, we are protected. And we
look over, and industry is not, and they get hit with that same
threat. So by the time we get it to them, it is too late; they
have already been impacted by it.
Mrs. Davis. Uh-huh. Yeah.
General Alexander. So we have to have a way of sharing that
at network speed. I think that is critical, especially when
they go from exploit to disruptive attacks. We are going to
have to have something like that.
Mrs. Davis. Thank you.
I was pleased to hear you say that the teams seem to be at
least coming together in terms of the kind of training that is
required. Because one of the concerns that we certainly have
had in the last few years is how we really bring that kind of
training to the front.
And when we look at the Guard and Reserve, how do you see
that? Because we know that budget constraints are going to mean
that we may not be tapping the Guard and Reserve in the same
way, certainly not in terms of ground troops, perhaps. But is
this an area that--really, the States can be very helpful in
the Guard and Reserve, as well, but it depends on the way it
moves forward. How do you see that?
General Alexander. So we have sat down with NORTHCOM
[Northern Command] Commander General Jacoby, with the head of
the Reserves and National Guard, General Grass, Frank Grass,
myself, and a number of the TAGs [The Adjutants General] and
said, here is what we need to do as a starting. We have Cyber
Protection Teams; here is the starting point and here is what
you need for training.
We do need to leverage the Guard and Reserve, form them in
the same way we are so that we can use them as we need that and
train them to that same standard. The reason I think it is
important is many of these have tremendous skills that we
should leverage----
Mrs. Davis. Absolutely.
General Alexander [continuing]. Especially when you look
out around the country. Places like Washington and California
have people with tremendous skills--and Texas, of course, and
Rhode Island. I didn't want to miss those. Whew, that was
close.
Mr. Langevin. I am listening.
Mrs. Davis. Thank you.
Mr. Thornberry. I thank the gentlewoman. And, actually, I
think we may have some further discussion on that.
Ms. Hartzler, do you have something right quick, or would
you rather come back? We are down--let's see. Only about 60
people have voted, but the clock shows 4 minutes, so we can--do
you want to come back?
Mrs. Hartzler. If that is okay.
Mr. Thornberry. Okay.
Mrs. Hartzler. Can I just ask----
Mr. Thornberry. Oh, yeah. Yeah, sure. Recognize the
gentlelady.
Mrs. Hartzler. I just came from reading the Edward Snowden
report, and I am sorry I was a little late, but I wanted to
finish it.
Are we going to have, are you aware of, a classified
briefing just on that where I could ask specific questions
following up, if you are aware?
Mr. Thornberry. If I could respond, this hearing is focused
on Cyber Command. This subcommittee will have an intelligence
briefing that will have a closed portion, where we can go
deeply into the damage done to our national security, having
nothing to do with NSA, that Mr. Snowden has done. So we will
definitely go into more detail on that.
Mrs. Hartzler. Yeah. I will hold my questions.
Mr. Thornberry. Okay, great. Thank you.
With that, if you all will excuse us, we have to run and
vote. If you all will come with me, we will look for a place
for you to at least try to use the phone and computer so you
can make use of the time when we are away.
And, with that, the subcommittee stands in recess.
[Recess.]
Mr. Thornberry. The subcommittee will come back to order.
And, again, let me thank everybody for their patience during
that long series of votes.
Let me ask a few questions as other Members are coming
back.
General Alexander, I was interested in your answer to Mr.
Langevin's question about elevating Cyber Command. Admiral Jim
Stavridis, retired, who is now the dean at the Fletcher School,
somebody I respect a great deal, has written an article that
says cyber is at a place where the Air Force was in 1947; it
needs to be its own service. It is similar to SOCOM, but it is
different, in that it all takes place in one domain, whereas
SOCOM draws from different domains and, therefore, has to have
elements from all the other services.
And so his argument is this is the new domain of warfare
and we need to treat it as such, with the seriousness, with the
promotion, with the dedication that we decided to do with the
Air Force in 1947. What do you say to that?
General Alexander. Well, I think that is one of the options
that we actually looked at. I think, for the current period,
for now, for the next several years, that we need to have an
integrated cyber capability that goes into the services.
And the reason that I am not yet where he, Petraeus, and a
couple others are is I think that, in places like Iraq, if we
were to embed cyber capabilities at the brigade level, which we
will need to do, you need to have service participation in
that, not a separate service as an external person coming in,
but an embedded, organic capability to that brigade itself.
So I think, as we go forward--but they need to be trained
to a standard. They need to know how that force works. So it is
analogous to the way the cryptologic system works. We have
cryptologists who go down to the brigade who are trained to a
certain level. We have them in the air, and we have them at
sea. All of them are trained together and they act as one
system, but they have them by service.
So I think the next correct step would be go to a unified,
pause, and then see if it makes sense to take the step beyond
there. And I think that kind of a deliberate approach, make
sure we don't go too far and then have to collapse back.
Mr. Thornberry. Okay. I appreciate it.
Ms. Takai, I want to go back to some discussions you were
having, I think, with Mr. Langevin. One of the things I hear
from folks who are IT providers to the Department of Defense is
they have to take into account all these legacy systems. And
nobody else in the world, you know, has some of the systems DOD
still operates, but they have to make sure that whatever they
provide to DOD is compatible with or works with these legacy
systems.
Everybody agrees, someday you move beyond that. But, to me,
the hard question is, when do you force moving beyond the
legacy systems and when do you, kind of, Band-Aid and incur the
extra cost to deal with the legacy systems? How do you deal
with that?
Ms. Takai. Well, there are two answers to that question,
one of which is about the actual operation of the legacy
systems, and the second, which is about the data-sharing
implications of the legacy systems.
Well, one of the things that we are doing is each of the
services, just by virtue of their efficiencies effort, is going
through to eliminate some of these redundant legacy systems.
And they have, in fact, made significant progress in cutting
the number down.
But one of the things that we will be continuing to do,
particularly with some of the new direction that the
Secretaries directed out, in terms of my role with business
systems, is to continue to reduce the number of redundant
legacy systems so that we cut the complexity down.
The second piece, however, which is particularly a
challenge for anyone needing to come in, is the interfaces and
the need to be able to use data that is in the legacy systems,
and it means you have to deal with the old technology. And one
of the things that we are looking at is how to get the data
from the legacy systems in a way that you can, in fact,
information-share and yet not have to deal with all the old
technology.
So the solution is really a combination of those two--
really, those two steps forward.
Mr. Thornberry. Let me ask you the same question I asked
you before. Can you make those things happen? If the services
are dragging their feet and they say, oh, we are comfortable
with this system, it is what we have always used, we don't want
to go through retraining our people, can you make it happen?
Ms. Takai. Well, yes, sir. I have to impose some fairly
draconian measures, in some cases. And we have not had to go to
that point; the services are actually moving in that direction.
Because, as I say, they have a challenge right now with being
able to, from an IT perspective, maintain all of that
technology going forward.
So, fortunately, we haven't had to go to those kinds of
measures. By basically organizing and also putting the
authority in the hands of all of the CIOs, including the
service CIOs, we have been able to make progress.
Mr. Thornberry. Okay. Thank you.
Mr. Kilmer.
Mr. Kilmer. Thank you, Mr. Chairman.
And thank you both for being here.
General Alexander, thanks for your service.
And, Ms. Takai, thank you and your staff. We have been in
touch about a number of issues, and I sure appreciate your
staff's hard work in answering our questions.
I thought I would start by asking a little bit about cloud
computing. In the President's budget, he includes investments
that are focused on transforming the government IT portfolio
through cloud computing.
I was hoping you could speak a little bit about what DOD is
doing and what NSA is doing today to expand the use of
commercial cloud computing. And how are commercial cloud
service providers, who are giving the ability to agencies to
purchase IT services in more of a utility-based model and,
thus, cutting costs significantly, being leveraged?
General Alexander. Sure. So, a few years ago, NSA leveraged
Google's Hadoop, MapReduce, BigTable cloud architecture and
added to it a security layer and a realtime tipping and queuing
capability, which is now in the openware Accumulo. So, given
that, we actually have implemented that throughout much of NSA.
I think that is a huge step forward.
And the reason I go to those two key points is you have to
have the security layer for us to encrypt data, ensure that you
protect it. All the things that we are going to talk about,
insider threats and securing your data, all depend on that.
And, as we go forward, it is the heart of what we would do
under the Joint Information Environment. You have to have that
as a security kernel, if you will, to start off.
Over to you.
Ms. Takai. So let me pick up from General Alexander's
comments and talk about how those comments are really
applicable across DOD.
First of all, we have an aggressive process to move forward
on utilization of commercial cloud services. It is a part of
JIE. And one of the things we are working at now is
understanding how, in fact, we use commercial cloud services.
So let me talk about that.
What General Alexander was talking about is the importance
of ensuring that, as we move to commercial cloud providers,
that they have both the ability to be secure and meet what our
security requirements are; secondly, that we can operationalize
them in a way that we don't lose those clouds from Cyber
Command's visibility because they will be on our networks; and
then, again, that from a contractual perspective, all of that
is built in.
So, right now, we have four cloud providers that have been,
if you will, through our security clearance. We have nine that
are pending that we believe will pass that. And, I think as you
know, one of the things that we work with is the Federal
program, so that some of these providers will be through the
Federal program; some of them will be us pushing them through
the Federal program. And then we have another nine pilots of
different types of services, where before we put them through
the process we really want to see how they are going to operate
in our environment.
The other thing that we are doing is, to General
Alexander's point, is to put a model in place around security.
So, for instance, in unclassified information, the bar isn't as
high, if you will, to pass from a security perspective. And
then when you get into classified information and then,
obviously, into higher levels of classification, the bar will
be a little higher. The service providers will need to actually
look at the way that their cloud offering would fit within our
architecture. But then they would be certified to come in and
could be used by any component in DOD.
Mr. Kilmer. I was hoping to ask also about cyber ranges.
And, General Alexander, I was hoping you could speak to what
sort of capabilities do we need to invest in for cyber ranges.
And then, also, if you could speak to, you know, is there
currently a coordinating entity within the DOD to coordinate
the use and policy of IT cyber ranges and test beds and
systems? And if so, who is it, and how are they doing it? And
if there is not, do you think that is a mission that would be
best suited for CYBERCOM?
General Alexander. So, if I could answer the last part of
that----
Mr. Kilmer. Sure.
General Alexander [continuing]. First, I agree with the way
you pushed that. I do think, as we get more teams, we want
these teams to be trained in a joint environment. And so I do
think at some point you are going to need to transition that.
We have it under four different places right now. Bring them
all together. And you are going to have to build the capacity
to handle the number of teams that we have in an interactive
way, dynamically.
So I think consolidation, going to a single provider, and
growing the capacity so that you can do this in a full-up set
of war games that will keep people trained. The best training,
from my perspective, is really doing this on the network,
actually doing it. So there is a combination of both.
I don't know if you had a chance to go out to the CYBER
FLAG exercise. They actually ran a very large exercise in
cyber, and I think it might be worth your while to see that so
you can see where we are actually trying to take the ranges in
the future.
But I do agree with the thrust of what you are saying; we
need to consolidate. I actually would push it under the J-7 of
Cyber Command, as they are doing all the training, they are
doing the exercises. And I think, in this case, they could also
run those ranges. We just need to make sure that they are
resourced for that.
Mr. Kilmer. Thanks, Mr. Chairman. I yield back.
Mr. Thornberry. Mr. Langevin.
Mr. Langevin. Thanks.
What is the average time it has taken for cloud providers
to be granted approval to operate?
Ms. Takai. I don't know that we have an average time, but
the time right now is actually in several months.
And part of the challenge there has been that, when we talk
about cloud providers, they generally have a broad range of
offerings. And so, even for the Federal program, in order to
meet our security requirements, for instance, they have to
continually monitor their cloud in order to ensure that they
have all the security provisions.
They end up--that time is not so much in the approval
process, but it is in the actual companies setting up to meet
the security requirements that the Federal Government requires.
And then, once that happens, they can be quickly certified.
Mr. Langevin. Okay. Thank you.
Let me turn to another area. Are you both satisfied with
your current authorities to identify, recruit, and retain
qualified cyber personnel?
And, General, could you provide your assessment of how the
Department is leveraging the unique ability of the Guard and
Reserve to attract personnel who might otherwise be
inaccessible to the Department?
I know you have talked about the Guard and Reserve and
training them to the same standards and such, but being able to
leverage the unique ability of the Guard and Reserve to, again,
attract personnel that perhaps, you know, we wouldn't be able
to afford, per se, on a long-term basis, which is obviously a
challenge, I know, for us to be able to attract and retain and
recruit the best and the brightest. Yet we recognize, in the
Guard and Reserve, these folks are doing their day job at some
very well-known and high-level IT companies, and yet they are
doing their Guard and Reserve duty, and we have the ability to
leverage their talents.
So if you could talk about those areas.
General Alexander. So, Congressman, first, with respect to
personnel, I think we need to come up with a personnel system
that puts all of our cyber team in one personnel construct,
especially for the NSA-CYBERCOM team.
Right now, we have the CCP [Consolidated Cryptologic
Program], which covers about 85 percent; ISSP [Information
System Security Program], which covers another 12, roughly,
percent; then you have the MIP [Military Intelligence Program]
and Air Force personnel, with another 3 percent. What this
means is, when personnel actions come, you deal with four
different folks. And for promotions and for raises and for
everything you are dealing with, you are dealing on four
different programs. You don't have an equal setting and an
equal footing.
So, step one, we need to do that. That is something I have
to push back to the Department, and we are doing that. I just
think, as that comes forward, we would need your support on it.
Because I do think, either as a test or something, it gets us
to where we want to be, to have one cyber team.
This really came through on the furloughs. It was a big
issue, because half the force is in, or 85 percent is in, the
rest are out. Nobody wants to then go over to one of those
other billets feeling they will be at risk. That is not a way
to set up a team. So I think we need to fix that.
With respect to Reserve personnel, you have hit the key
things. Actually, we are getting good participation, from my
perspective, into the Reserves. They want to be in this area,
and they are very good and very helpful. And they come from
some of the best and brightest amongst industry.
The key will be getting them the training so that they have
that same level of skills as the rest of the team--so if
they operate in the network we don't make mistakes. And that is
important, and I think we can do that.
So we are headed in the right direction. I think General
Grass and others have agreed that we need to do this. I think
we need to organize them the same. States will have similar
requirements, so you can have them working for State things,
and then when you need the Federal, we know we can employ these
as teams, not as individuals. I think that will be very
helpful.
Ms. Takai. Sir, I would just add on to speak to the
civilian side, and I think General Alexander has spoken to the
military side.
One of the challenges that we have on the civilian side is
actually to the point--the next level of detail is really
classifications and standardization of classifications for
civilian employees, as well as the way that we are able to
actually move them through the promotional opportunities such
that they stay in the area of expertise and, you know, can
continue to progress.
We are always going to have the problem with challenges of
people moving outside into industry and some of the challenges
with pay, but one of the things I think we need to do is to
really work--DHS has put a framework together, and we are all
working to it. But one of the things we need to do is to really
get not only the job classifications solidified and through OPM
[Office of Personnel Management], but then also to make sure
that we have the right career path and we are moving people
along.
Mr. Langevin. Thank you.
Do you anticipate right now the additional authorities that
you need to make that more seamless?
Ms. Takai. Well, we are pursuing that right now, sir. I
couldn't tell you that we have or we have not. We are putting
proposals together, certainly within DOD, for what we feel we
need. And then I think both on--we are working on the civilian
side, we are working with General Alexander on the military
side to get that standardization. So I think that is something
that we will watch it and then, if it looks like we have an
issue, come back and give you an update.
Mr. Langevin. And, Chairman, I had one last question if you
are okay with that.
So where are your research and development [R&D] priorities
over the FYDP and beyond? And what is your role in setting
requirements for R&D?
General Alexander. Within Cyber Command, it is on building
out our infrastructure and our tools. Those are the two things
that we are really doing our research and development on.
So when we say ``tools,'' there are some sensitive things
that we do, and to fully answer that I would like to show you a
classified briefing, perhaps sometime when you come up, so you
can see, because they have done some great things there. I
think it is important to see what those tools are and what that
means. It actually goes back to some of your earlier questions,
and I think it would be well worth your time to see some.
Mr. Langevin. Fair enough. Will do. Thank you.
Ms. Takai. Just to add on to what General Alexander is
saying, our main priorities are not only in the defense of the
network but also looking at tools around the detection of
insider threat. I think that is a big area.
We actually work with AT&L [Acquisition, Technology and
Logistics] on their S&T [science and technology] budget, and we
co-chair the group that works with both the AT&L S&T budget but
also the Investment Review Board that Mr. Kendall chairs that
looks at the overall investment. Cyber Command is a part of
that so that we are sure that the investment is aligned with
what their priorities are.
Mr. Langevin. Very good.
Well, I thank you for your answers. I thank you for the
work that you all are doing.
And, General, again, congratulations. Job well done. And
thank you.
I yield back.
Mr. Thornberry. General, I want to just go back and make
sure, as we look at the administration's budget request for
this year on information assurance, in the cyber environment
you described--threats increasing, complexity increasing, talk
about destructive, et cetera--are we spending enough money and
money the right way to assure that our own networks are secure?
General Alexander. This is an area that I have put forward
to the Department and others that I have some concerns that we
don't have adequate funding over the years, especially as we go
forward in securing the networks. And there are two sets of
issues that come up with that.
When we look at it, we have had to cut back across all
parts of the Department, but in this area, especially, it is
difficult because there aren't any service champions. The two
champions happen to be Ms. Takai and I. And so the real issue
comes down to, that is something that is very difficult to push
forward and very hard to explain what you are buying with it.
What you are buying is additional security.
So I am concerned that we don't have enough funds in those
areas, and we are pushing that back to the Department. We have
worked that with the USD(I), with the Department, and also to
the DNI so they understand our concerns there.
Going forward, I think investment is going to have to
increase in that area because of the complexity of encryption
and the systems that are coming that our adversaries will have,
without going into classified.
Mr. Thornberry. Yeah.
Ms. Takai, do you share the same concerns, at least about
future years?
Ms. Takai. Yes, sir, I do.
I think the other item that I would add to what General
Alexander is saying is that, as we are moving to the Joint
Information Environment, back to your point about what do you
do about legacy systems----
Mr. Thornberry. Uh-huh.
Ms. Takai [continuing]. There are times where, in fact, you
can actually get more efficiency, but there are times where you
need an upfront investment to do that.
So the challenge is, when we do an annual budget, it
doesn't really give us an opportunity to have upfront funding
in order to be able to get not only the security aspects but to
be able to get the efficiencies in the later years. It is a
challenge with the budgeting process, and it makes it very
difficult, again, because for him and me, you know, we are
pushing into the budgeting process, which is service by service
today.
Mr. Thornberry. Yeah. Well, I would just say, for me
personally, I think that is an area we want to help you with as
we can. I mean, we are all constrained by these tight budgets,
but it makes sense to me that sometimes you are going to have
to spend more money up front to make this transition to a more
secure and efficient place. But protecting our networks has got
to be near the top of our list.
Okay. It wouldn't be a hearing without asking spectrum.
Tell me where we are. I would hate to rob you of the
opportunity to not talk about spectrum.
Ms. Takai. Well, sir, thank you for the opportunity.
We actually think that we are making good progress on
spectrum. I think as you know, we have submitted our transition
plans for the 1695 to 1710 and then also the very controversial
1755 to 1780.
I hope that the committee has been informed that we really
pushed very hard for what we believe are some very innovative
sharing solutions in the 1755 to 1780 in order to move it
forward. And we believe that our transition plans, you know,
are in discussion right now, but we believe that they will go
through, so there will be that opportunity.
Going forward, thank you for the question, because I
actually did bring a copy of our just newly released
electromagnetic spectrum strategy that really addresses where
we believe DOD needs to go in the longer term, because this
isn't something that we can do in the short term.
But, lastly, we appreciate all of your support. And the
last thing is, I think the challenge for us is to really figure
out how to balance our growing needs for spectrum with,
clearly, what the Nation's growing need is for spectrum. And I
think that is going to require innovative solutions, not only
on the government side, but it is also going to require
innovative solutions on industry's side. And, you know, I think
between the two is what is really going to bring it together.
So thank you for the question.
Mr. Thornberry. Yeah. Well, I hope your new long-term
strategy is useful, because I do--I get the feeling a lot of
times we make these decisions ad hoc, and we do need that long-
term vision, because we have these competing demands from the
Department and the rest of the country, and it is not a good
situation to be able to just, kind of, take them one at a time.
On the spectrum you mentioned, can you meet the auction
deadlines?
Ms. Takai. Yes, sir. They are accelerated deadlines, but we
have--the team has worked very hard, and we will be able to
meet the timing.
Mr. Thornberry. Okay.
I just had one other thing right quick.
General Alexander, in your five things, number three was
authorization. And I just want to be sure I understand what
sort of legal authorization you were talking about when it
comes to cyber, because that is in our bailiwick.
General Alexander. So the authorities----
Mr. Thornberry. Authorities, yeah.
General Alexander. Yeah. And so the authorities really
dealt with--the principal there is cyber legislation, the
ability for us to deal with industry. The rest----
Mr. Thornberry. So you are talking about the information
sharing----
General Alexander. That is right.
Mr. Thornberry. Okay. And that is the sort of authorities.
As far as authorities related to Cyber Command's ability to
defend the country in cyberspace, you feel comfortable where
the legal authorities are, even though you mentioned command
and control and a variety of other challenges?
General Alexander. I do. I think we have the authorities
within the administration, within the Department, to do what we
need. Now, the question is, okay, where do we set the limits
and stuff? But they are working their way through that.
Mr. Thornberry. Yeah. Okay. I just wanted to clarify.
Okay, great. Again, thank you all for your patience, for
your work in these very important areas. And we will look
forward to seeing you both again in one capacity or another.
With that, the hearing stands adjourned.
[Whereupon, at 5:35 p.m., the subcommittee was adjourned.]
=======================================================================
A P P E N D I X
March 12, 2014
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
March 12, 2014
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
March 12, 2014
=======================================================================
QUESTIONS SUBMITTED BY MR. THORNBERRY
Mr. Thornberry. Can you describe how the recommendations from the
review by former Secretary of the Air Force Donley affect the
governance and acquisition of IT and cyber systems for DOD? What
actions have been taken to date to implement those recommendations?
Ms. Takai. I am working closely with the Deputy Chief Management
Officer and the Under Secretary of Defense for Acquisition, Technology
and Logistics on the recommendations of former Secretary Donley. As
part of this effort, we are reviewing existing IT governance processes
to ensure they enable more rapid delivery and sustainment of
information technology and cyber capabilities. We will ensure that
Congress is kept apprised of our efforts throughout this process.
Mr. Thornberry. How are we instrumenting and architecting our
infrastructure so as to better detect, mitigate, and recover from deep
insider threats? How are you ensuring that such investments are
efficient (effective and economical)?
Ms. Takai. The cybersecurity of our networks is one of our top
missions and we are giving it the serious attention it deserves. Our
Insider Threat efforts are in alignment with guidance from the White
House's Senior Information Sharing and Safeguarding Steering Committee
and the President's National Insider Threat Policy and Minimum
Standards. The Department has made good progress in implementing the
Steering Committee's priority efforts.
There are two examples of specific architectural efforts we have
implemented to better detect, mitigate and recover from insider
threats. First, we have completed deployment of the Host Based Security
System (HBSS) which enables monitoring of networks for suspicious user
behavior. Second, we are also near 90% complete in implementing use of
Public Key Infrastructure (PKI) hard-token certificates for our Secret
network user authentication. PKI use is the cornerstone to eliminating
anonymity, so that user actions can be monitored and irrefutably
attributed to the individual users, thus helping to detect and deter
malicious insiders.
Based on the most recent unauthorized disclosures of classified
information, in July 2013, the Undersecretary of Defense for
Intelligence and I issued a memorandum directing stronger mitigations
for insider threat, including: two-person controls over use of
removable media and the requirement to revalidate the need for
privileged users, such as system administrators, in order to reduce the
potential risk these users may pose. We are about to issue additional
guidance which includes oversight of privileged users and stronger
access controls over our most sensitive information to restrict access
to those with a ``need to know''.
In order to ensure that our IT investments to counter insider
threats are efficient (effective and economical), all our investments
are vetted and validated through our existing governance processes.
This is especially true now due to our constrained budget environment.
Mr. Thornberry. What activities does DOD have underway, or is
contemplating beginning this year, related to making its systems more
spectrum efficient?
Ms. Takai. Successful implementation of the DOD Alternative
Proposal for the 1755-1780 MHz band is based on making systems more
spectrum efficient. As such, a number of the proposals in the 1755-1780
MHz band Transition Plans are planned to do exactly that.
In addition, DOD recently released an Electromagnetic Spectrum
Strategy that identifies goals to improve spectrum access
opportunities, including developing systems that are efficient,
flexible, and adaptable in their spectrum use and increasing our
operational agility in use of the spectrum. To implement the Strategy,
DOD is developing a roadmap and action plan over the next six months
that will lay out near- to long-term milestones, including those
related to sharing opportunities.
Mr. Thornberry. What opportunities do you see for the commercial
sector to be more spectrally efficient with the spectrum bands it
already has?
Ms. Takai. The Department of Defense is working closely with the
National Telecommunications and Information Administration, Federal
Communications Commission, Office of Science and Technology Policy and
wireless industry stakeholders to evaluate and identify ways to share
spectrum with commercial users, when possible. At the same time, the
commercial sector could equally be more efficient in its use of non-
Federal bands by providing opportunities for Department of Defense and
other Federal government users to share spectrum, when possible, to
meet growing mission requirements.
Specifically, as a first step to facilitate the opportunity for bi-
directional sharing, the Department of Defense, National
Telecommunications and Information Administration, and the National
Science Foundation are working together to pursue an Other Transaction
Agreement with an eligible entity to develop and mature technologies
and related policy changes to enable advanced approaches to spectrum
use. The intent is to explore the creation of a forum that facilitates
collaboration across government, industry and academia on spectrum
technology development, including for shared uses between Federal and
private sector operations. Industry support of this and similar efforts
is critical in order to support the nation's growing economic and
national security demands on spectrum.
Mr. Thornberry. How are we instrumenting and architecting our
infrastructure so as to better detect, mitigate, and recover from deep
insider threats? How are you ensuring that such investments are
efficient (effective and economical)?
General Alexander. In July 2013 the Commander, USCYBERCOM,
organized a working group dedicated to insider threat mitigation. The
working group comprised representatives from USCYBERCOM, NSA, DISA, DOD
CIO, DIA, DSS, and the Service Cyber components. The team synchronized
its efforts with the release of the USD(I) and DOD CIO memorandum
``Insider Threat Mitigation'' on 12 July 2013, which provided the
opportunity to further operationalize current policies and expand
guidance in accordance with USCYBERCOM's authorities. Understanding
that there is no ``silver bullet'' to mitigate the insider threat, the
mitigation strategy depended on a combination of technical solutions,
policy, legal and cultural adjustments. A constant throughout all
efforts is eventual alignment with the security architecture under the
Joint Information Environment (JIE). The initial quick look study,
which was presented to the DepSecDef, leveraged several previous
assessments, studies and policies to identify ``best of breed''
tactics, techniques and procedures for immediate implementation with
follow on development to institutionalize mid-term and long-term tasks.
The study resulted in an order from USCYBERCOM to the DOD enterprise to
mitigate common vulnerabilities associated with insider threat.
Compliance with this order was achieved by 30 October 2013. CYBERCOM
briefed the OpsDepsTank and the Chairman's Tank in December 2013. As a
result, a SecDef memo, Task Force to Review Compromise of Classified
Information, was signed out on 7 March 2014. Based on that memo four
distinct lines of effort are under development:
a. Two-person integrity controls for the SIPRNET
b. A tiered non-compliance consequence matrix, which is being written
and tested by the Marine Corps
c. Patch and Security Technical Implementation Guidance (STIG) for
Programs of Record
d. An order to the DOD enterprise directing a number of technical
changes, which will include tasks directed by the 11 Feb 14
White House memo, Near Term Measures to Reduce the Risk of
High Impact Unauthorized Disclosures, and mid-term
mitigations that will take a longer period of time to
implement.
Among the tasks to be directed, the following concepts will be
operationalized:
a. Increased scrutiny on the separation of duties among privileged
users
b. Isolation of logged privileged user activities, storing logs out
of reach of privileged users
c. Privileged user log review conducted by an Insider Threat team or
other external entity
d. Reduced reliance on removable media by requiring use of cross
domain solutions when practicable
e. Continued fine tuning of the Host Based Security System to
identify unauthorized attempts to use removable media
Other pending efforts include a planned brief to CAPE,
incorporating the new efforts into inspection programs and continued
support to the Mitigation Oversight Task Force (MOTF), which is run by
the Joint Staff.
Since these new requirements are unfunded, the timeliness of
compliance may be an issue and implementation will most likely occur
during regularly scheduled upgrades or as part of an overarching
program implementation such as JIE.
Mr. Thornberry. To what extent has U.S. Cyber Command collected
measures of performance or measures of effectiveness to demonstrate
that the dual-hatted position is the most effective and most efficient
approach to both agencies' missions?
General Alexander. While measures of performance and measures of
effectiveness have utility in specific operations and processes we
carry out at the tactical level, none have yet been defined for the
Commander, USCYBERCOM and Director, National Security Agency dual hat
relationship. The dual hat relationship is prompted not just by a drive
for efficiencies but also by operational necessity and the need for
unity of effort in cyberspace. The lack of historical data on
alternative relationships for command in cyberspace and the difficulty
of empirically measuring concepts like ``unity of command'' would make
deriving and evaluating measures of performance or effectiveness for
the dual hat problematic.
Mr. Thornberry. Could you please describe the command and control
relationships between U.S. Cyber Command and the other combatant
commands and the degree to which the new rules of engagement have had
any impact on this?
General Alexander. [The information is for official use only and
retained in the committee files.]
______
QUESTIONS SUBMITTED BY MR. CARSON
Mr. Carson. How has the NSA/DHS Centers of Academic Excellence in
Information Assurance program impacted your access to qualified
candidates for cybersecurity positions? What lessons have been learned
from this program? And are there opportunities to share these lessons,
either in curriculum recommendations or some other format, with
universities and colleges that are not Centers of Excellence so they
can provide consistent education?
Ms. Takai. The NSA/DHS Centers of Academic Excellence in
Information Assurance program has facilitated development of the
pipeline of educated candidates for cybersecurity positions. Since 2001
the National Centers of Academic Excellence (CAE) in Information
Assurance have employed 593 Information Assurance Scholarship Program
(IASP)/CAE graduates (a 97% completion rate from the 608 scholarships
awarded) and sponsored 216 capacity building grants with CAEs. The IASP
provides DOD both new hires upon graduation (recruiting) and
opportunities for current DOD IA Workforce members to advance their
education (retention).
With the publication of the National Initiative for Cybersecurity
Education (NICE) workforce framework and the evolutionary nature of the
cyberspace workforce, now is the time to evaluate the CAE program. My
office is currently leading a study and analysis of the CAE process, on
behalf of DOD, in response to the FY14 National Defense Authorization
Act direction. As part of this analysis, an assessment of lessons
learned is being conducted. A report with the overall assessment of the
CAE program and our recommendations will be generated and shared.
Additionally, there are public venues (e.g., Colloquium for
Information Systems Security Education (CISSE) and the National
Initiative for Cybersecurity Education (NICE) conference) which allow
participants to partner and mentor fellow CAE institutions and those
aspiring to become CAEs. Workshops are held on mapping courses,
partnership and scholarship opportunities, ultimately discussing what's
working and not working, and collecting feedback on improvement of CAE
processes.
Mr. Carson. How has the NSA/DHS Centers of Academic Excellence in
Information Assurance program impacted your access to qualified
candidates for cybersecurity positions? What lessons have been learned
from this program? And are there opportunities to share these lessons,
either in curriculum recommendations or some other format, with
universities and colleges that are not Centers of Excellence so they
can provide consistent education?
General Alexander. The National Centers of Academic Excellence in
Information Assurance (CAE) have provided outstanding and highly sought
candidates for DOD Information Assurance/Cybersecurity positions. NSA
Recruiters actively recruit from the 181 National Centers of Academic
Excellence (CAE) to hire qualified candidates into our IA/Cyber
positions. In addition, our Components actively seek students from CAEs
applying for the DOD Information Assurance Scholarship Program (IASP).
The IASP provides both new DOD hires upon graduation (recruiting) and
opportunities for current DOD IA Workforce members to advance their
education (retention). Some specific advantages of the IASP are:
Scholarships are tied to a DOD position and are awarded
to students attending CAEs
Continuous flow of top IA talent meeting DOD requirements
Students participate in internship programs during
academic breaks within the community to learn DOD systems and
procedures
Graduates have a commitment to serve in the DOD for a
specified time after graduation (dependent on length of scholarship)
Since 2001, DOD has employed 503 IASP/CAE graduates with a 97%
completion rate (a total of 608 scholarships have been awarded) and
sponsored 216 capacity building grants with CAEs. DOD works with CAEs
to award grants to conduct curriculum development and research of
interest to both the schools and DOD. CAE students and faculty
participate in these grant projects. Through these grants, CAEs are
encouraged to share their results with other CAEs, minority
institutions, and institutions that may be seeking CAE designation.
Many CAEs have held train-the-trainer and faculty development sessions
at various conferences and events. NSA and DHS will conduct further
research to determine the direct relationship between CAE alumni hiring
and employment partnerships. Studies will also be conducted to
determine whether CAE alumni are hired by government at a greater rate
than non-CAE-graduates. NSA and DHS work with government, industry and
academia throughout the year to identify skill gaps between education
and job qualification/skills to ensure that CAE graduates are prepared
to perform technical mission-critical Cybersecurity jobs. These gaps
are then communicated to the CAEs with recommendations. NSA and DHS
also utilize lessons learned to update the CAE program as required to
meet the changing IA/Cybersecurity standards and the national demands
in cyber defense. As a result of the most recent study, the CAE program
was updated in 2013 and now includes Cyber Defense (CD) education.
Academic institutions are now required to meet Core Knowledge Units
(KU) and can apply for optional Focus Areas (FAs). Government, industry
and the CAEs were involved in the update of the CAE program and will
continue to evolve the program as national IA/Cybersecurity needs
change. In the future, a NSA/DHS Advisory Council consisting of CAEs,
industry and government partners will discuss potential changes to the
CAE requirements. Updates to the requirements will allow the schools
to keep up-to-date on curriculum and teaching methods within the
Cybersecurity field. Under the 2014 National Defense Authorization Act
(NDAA), DOD/CIO in partnership with NSA and DHS, is conducting an
assessment of the NSA/DHS CAE program. The assessment will identify the
CAE Program's strengths and weaknesses; processes and criteria;
maturity of IA as an academic discipline; the government's role in the
future development of the CAE curricula and criteria; advantages and
disadvantages of broadening the governance structure of CAEs; and the
alignment of CAE curricula/criteria to the National Initiative for
Cybersecurity Education (NICE). NSA and DHS along with other government
agencies, industry and academia speak at several venues during the year
to brief the CAE program, lessons learned and to convey the national
IA/Cybersecurity requirements. Annually, NSA and DHS attend the
Colloquium for Information Systems Security Education (CISSE), the NICE
conference and the CAE Principal's meeting. These venues allow
participants to partner and mentor fellow CAE institutions and those
aspiring to become CAEs. Workshops are held for aspirants on mapping
courses to the CAE Criteria, along with partnership and scholarship
opportunities. The National Science Foundation (NSF) Advanced
Technological Education (ATE) centers reach out to potential 2-year
institutions through curriculum sharing and mentoring by 4-year
schools. For example, one of the ATE centers--CyberWatch--has hosted
several webinars to educate interested CAEs and non-CAEs on the new
Information Assurance/Cyber Defense criteria. Webinars were selected
for the collaboration amongst attendees.
______
QUESTIONS SUBMITTED BY MR. KILMER
Mr. Kilmer. The Department is looking to consolidate into a one
size fits all desktop solution in the cloud run through DISA, known as
virtual desktop infrastructure. Currently, each Service is running on
various desktop solutions. Can you explain how the Department is
incorporating the unique needs of the user from each Service into this
infrastructure?
Ms. Takai. The Defense Information Systems Agency (DISA) recently
concluded a virtual desktop infrastructure (VDI) proof-of-concept that
examined the value of VDI for DISA's desktop computing requirements.
DISA is currently analyzing the outcomes of this initial proof-of-
concept to inform decisions on the future approach to desktop computing
within the DISA organization, but no decision has been made to
consolidate into a one size fits all desktop solution in the cloud.
Similar efforts are underway across the DOD Components, but each is
looking at the specific desktop computing needs within that Component.
While the Department will look into the feasibility and
effectiveness of providing a VDI solution, currently, there are no
enterprise efforts underway. Such an effort, if undertaken, would need
to address the challenge of supporting any unique user or organization
needs.
Mr. Kilmer. Defense Information Systems Agency (DISA) appears to be
leading IT centralization efforts in the Department. A cornerstone of
this effort is the highly publicized but not widely understood Joint
Information Environment (JIE). Can you discuss JIE's and DISA's role in
the future of IT in DOD?
Ms. Takai. My office is overseeing the implementation of JIE, which
is being implemented by and through the DOD Components, including DISA
as a key player. The primary goals of the JIE are to make the
Department more effective and more secure against cyber threats, to
reduce cost associated with the Department's overall information
technology infrastructure by simplifying, standardizing, centralizing,
and automating infrastructure at the enterprise level.
The JIE will improve mission effectiveness by ensuring timely and
secure access to data and services regardless of location or device;
maintaining access to information/services in the face of network
disruption, degradation, or damage; and enabling rapid and dynamic
capability evolution to meet mission needs across all operational
scenarios. JIE will enhance the Department's cybersecurity by providing
a consistent IT architecture that improves network resiliency and
defensibility, and network operators and defenders with shared
situation awareness. Finally, JIE enables more efficient use of
resources by reducing duplication of effort across Components, reducing
total IT operating costs, and supporting more rapid fielding of new IT
capabilities within a standardized IT architecture.
DISA is a key player in the development, implementation and
operation of the IT infrastructure that enables JIE for the Department.
They specifically support the JIE effort by developing technical
architectures; developing, implementing and operating many of the JIE
related capabilities such as networking, security, computing services,
enterprise services, and network operations centers; and providing
engineering expertise needed to enable the Department to leverage
commercial technologies and to integrate new technologies into the JIE
architecture.
Mr. Kilmer. The Department of Defense has entered into numerous
cross-Service contracts and has increased the utilization of enterprise
license agreements. Can you outline the future of these contracts, how
the offices responsible for negotiating these contracts are designated,
and how these offices gather regular input from the Services for their
unique requirements?
Ms. Takai. The Department of Defense is conducting a DOD-wide
inventory of selected software licenses in accordance with
fiscal year 2013 National Defense Authorization Act direction. The
selected software list was established from an analysis of acquisition
data that identified publishers with high IT spend across DOD. The
selected inventory will help identify future targets for enterprise
license agreements.
The DOD Enterprise Software Initiative (ESI) Working Group is the
primary method of setting the strategic sourcing opportunities for the
Department. DOD ESI coordinates and manages enterprise software
agreements to leverage DOD spend for volume discounts and optimize
license use and contract terms and conditions. My office, with support
from the Defense Information Systems Agency (DISA) and DOD Components,
is pursuing Department-wide Enterprise License Agreements (ELAs) that
will improve operational efficiencies and enhance cybersecurity and
interoperability across DOD while lowering the total cost of ownership
for software. Currently, we are pursuing ELAs with CISCO and VMware
while working the business case analysis with Components.
Given their expertise and role in contracting and procurement of
information technology, DISA is leading the Department's efforts for
coordinating and negotiating DOD-wide ELAs, with the Components
providing their specific requirements and funding. DISA works with the
Components to establish licensing models and associated transition
plans to achieve effective DOD-wide ELAs for software that is selected
based on sound business case analyses (BCAs) which document the cost
savings, cost efficiencies and other benefits and risks of establishing
DOD-wide ELAs.
In addition, several Components have created large Joint Enterprise
License Agreements (JELAs) that we plan to leverage and incorporate
into DOD-wide ELAs in the future.
Mr. Kilmer. The Department of Defense is looking to adopt more
cloud computing capabilities but also has a unique set of security
requirements with which not all vendors will be able to comply. How do you
drive competition into the cloud market and ensure a level playing
field for competitors so the Department can ensure best value for the
service?
Ms. Takai. The Department gains significant benefit from commercial
innovations and ongoing competition. To ensure a level playing field
and increased competition, the Department is making significant
investments to promote the use of commercial cloud services, categorize
our cybersecurity requirements, and speed-up our assessment and
approval processes.
My office designated the Defense Information Systems Agency (DISA)
as the Enterprise Cloud Service Broker (ECSB) to promote the access and
use of cloud service providers (CSPs), to consolidate enterprise demand
to maximize the Department's buying power, and facilitate and optimize
the DOD's access and use of commercial cloud services that can meet our
security and interoperability requirements.
The DOD has developed a Cloud Security Model that defines six
security impact levels (public release through and including Secret)
and the requirements the CSP needs to meet (at each level) in order to
integrate with the Department's cybersecurity processes and
architecture without requiring each prospective CSP to operate at the
highest level. The Federal Risk and Authorization Management Program
(FedRAMP) is a government-wide program providing a standardized
approach to security assessment, authorization, and continuous
monitoring for cloud services and uses a ``do once, use many times''
assessment process to reduce cost, time, and staff for both the CSP and
the government. OMB policy requires Federal departments and agencies to
comply with FedRAMP guidelines by June 2014.
The ECSB leverages FedRAMP packages and considers commercial
equivalencies to DOD-specific security requirements throughout its
assessment process. In this way, a CSP can work towards FedRAMP
compliance and target a specific DOD Cloud Security Model security
impact level for their service knowing that other CSPs need to meet the
same set of requirements. The CSP is then free to compete, on a level
playing field, for DOD business in a manner that meets the Department's
security requirements and provides best overall value.
Mr. Kilmer. The FBI issued a consumer alert this summer regarding
the growing threat of malware in pirated software. What is the
Department of Defense doing with its contractors and subcontractors
to ensure its supply chain does not procure pirated software, thereby
opening up a potential side door cyber security threat for the
Department of Defense?
Ms. Takai. DOD is actively working to improve its software
assurance practices internally through a Software Assurance Community
of Practice (SwA COP), as well as working on standards and best
practices in concert with public-private groups (e.g., The Open Group,
Consortium of IT Software Quality). DOD is incorporating best practices,
such as buying from authorized channels whenever possible and
identifying purchase options for sustainment procurements to ensure
product authenticity and identification of trusted sources. There are
also on-going efforts within DOD and across the inter-agency and
commercial communities to develop standardized contract language for
product integrity expectations and associated liabilities, as well as
mutually recognized product or organizational certifications. DOD and
the National Security Agency are monitoring development of the Software
Identification Tag Standard (ISO/IEC 19770). Though not fully adopted
by the private sector or government, there is growing interest and
support to adopt this standard, and it could be very useful in securing
the software supply chain.
Additionally, DOD is working with General Services Administration
(GSA) and other interagency partners on ways to implement
recommendations in the DOD and GSA Report, ``Improving Cybersecurity
and Resilience through the Acquisition Process,'' (January 23, 2014).
Mr. Kilmer. In the past year, the Department of Defense has
initiated several rulemakings focused on stronger procurement policies
and supply chain controls [DFARS 2012-D055, DFARS 2012-D050, etc].
Given the growing body of data demonstrating that counterfeit software
often comes bundled with malware that can cause cybersecurity risks,
this is a growing area of concern for the Department. What is the path
forward on these policies and how else is the Department considering
explicitly addressing the risks associated with contractors' use of
counterfeit software?
Ms. Takai. As part of DOD's larger Cybersecurity and Trusted
Systems and Networks strategies, the Department recognizes the
importance of purchasing information technology with adequate
cybersecurity built in. As such, DOD is updating its procurement policy
to reflect the global, commercial marketplace from which DOD procures
technology to implement critical missions. These procurement policies
represent one set of mitigation tools in the cybersecurity toolbox.
DFARS Case 2012-D055, Requirements Relating to Supply
Chain Risk, implements Section 806 of the National Defense
Authorization Act of 2011. Defense Procurement and Acquisition Policy
and the DOD CIO are in the process of modifying the interim rule based
on comments received from industry and Congress. In addition, DOD is
identifying pilot programs to exercise the new policy, once revised.
DFARS Case 2012-D055, Detection and Avoidance of
Counterfeit Electronic Parts. The draft final rule is at the Office of
Management and Budget's Office of Information and Regulatory Affairs
for clearance to be published in the Federal Register.
DFARS Case 2014-D005, Detection and Avoidance of
Counterfeit Electronic Parts--Further Implementation. The draft
proposed rule is in the initial drafting phase.
DOD continues to work with GSA and other interagency
partners to develop an implementation plan supporting the final report
of the Department of Defense (DOD) and General Services Administration
(GSA) Joint Working Group on Improving Cybersecurity and Resilience
through Acquisition, signed by the Secretary of Defense and the
Administrator of General Services on January 23, 2014.
My office is also leading or co-leading several internal efforts to
share information and develop best practices in this area. A few
examples are:
The DOD Software Assurance (SwA) Community of Practice, a
group of DOD SwA practitioners, shares information on software assurance
best practices to be leveraged in improving guidance to the
Department's Program Protection processes.
DOD is also involved in an industry-government information
sharing effort to flag potential counterfeit issues through the
Government-Industry Data Exchange Program (GIDEP).
DOD is exploring ``track and trace'' technologies that
may afford manufacturers, distributors, and acquirers the capability to
better validate authenticity of parts and components.
Mr. Kilmer. The current DOD Certification and Accreditation (C&A)
of software is a fragmented process between DOD Service components and
is often not standardized for all vendors. This often results in
delayed and inconsistent certification and accreditation of IT
products, as well as delays the customers' deployment and subsequent
time to value for software acquisition. In the past, this process has
taken over a year, which has fostered inefficient deployment of systems
procured and incentivized DOD organizations to procure redundant
systems. What is the Department doing to streamline and standardize the
C&A process?
Ms. Takai. My office recently published DODI 8500.01
``Cybersecurity,'' and DODI 8510.01 ``Risk Management Framework for DOD
IT'' which transitions the Department from the DOD-specific Defense
Information Assurance Certification and Accreditation Process (DIACAP)
to the National Institute of Standards and Technology (NIST) Risk
Management Framework (RMF) and the NIST security controls, which are
already in use by the rest of the Federal Government. Vendors may now
build products once according to NIST guidelines and then more readily
deploy them government-wide.
DOD's alignment with the Civil and Intelligence Community on NIST
guidelines creates one standard that will streamline interagency
information system interconnectivity and promote information sharing.
The policies also stress incorporation of cybersecurity early and
robustly in the acquisition and system development lifecycle, reducing
time and money spent bolting security on late in system development,
and producing material with cyber security that can keep up with an
evolving threat. The policies also establish NIST's concept of ``common
controls,'' allowing information systems to inherit existing controls
from hosting organizations, reducing the number of controls that must
be implemented by individual information systems. Additionally,
individual software ``products'' are not subject to the full RMF
process an information system undergoes. Products are securely
configured in accordance with security controls applicable to that
particular product, and then undergo assessment prior to incorporation
into an information system. With the adoption of the common NIST
guidelines, product vendors will be able to better understand
cybersecurity requirements before they begin development, ensuring
streamlined approval by DOD.
Mr. Kilmer. The DNI and CIA recognized that they could not afford
to build a community, multi-tenant cloud with the innovations, scale
and capabilities that already exist via the leading commercial cloud
providers, and that it was faster, cheaper, and better to leverage
industry. My understanding is DISA is attempting to build their own
cloud solution called milCloud which would likely be directly
competitive to Commercial Cloud Providers (CSPs)? How much are you
spending to build this solution, and more importantly, why are you not
following the same logic the intelligence community is using, even for
classified data?
Ms. Takai. Under the Intelligence Community Information Technology
Enterprise (IC ITE) effort, DNI is pursuing both commercially provided
and Government provided private cloud capabilities. While the large
public cloud vendors have certainly captured everyone's attention,
other commercial companies have made significant investments to provide
products that enable organizations to implement their own private cloud
environments. These products have matured to a point where establishing
a private cloud environment is no longer the difficult undertaking that
it once was. In fact, many of these products build on an organization's
existing infrastructure to provide cloud capabilities.
The genesis of milCloud stemmed from actions to drive efficiencies
and automation into an enterprise computing service. Today, milCloud's
IaaS capability is implemented using commercial products that build on
DISA's existing, commercially-provided and competitively acquired
computing infrastructure, and enabled DISA to achieve an initial
capability with minimal risk. The lessons learned in providing this
initial capability are providing valuable information that is informing
the Department's long-term approach to achieving cloud capabilities.
The approach taken by the CIA is one of the models under
consideration by the Department. One of the most interesting aspects of
the CIA cloud is that they were able to attract a large public cloud
vendor to provide a private cloud capability for the IC. Prior to this
contract, Amazon had never provided this type of private cloud. The
scope of the CIA contract created enough incentive to convince Amazon
to entertain a new business model that they previously had not
supported. Compared with the CIA's $80.6 million investment, DOD has
invested approximately $4.7 million to establish the initial milCloud's
IaaS capability.
Today, the Department is making small investments that are
improving our understanding of which of the cloud acquisition models
will deliver best value solutions to the Department's IT requirements.
These investments are enabling us to develop a standard approach for
integrating CSPs with our wide area network defenses and for conducting
coordinated responses to cyber attacks. With these procedures and
technologies, the Department will be able to scale to multiple
commercial providers and gain efficiencies through competition and
commercial innovation.
As we learn from our initial cloud efforts, define the appropriate
cybersecurity constructs, and continue our collaboration with industry,
the Department will be able to effectively expand our use of both
public clouds and commercially-hosted private clouds.
Mr. Kilmer. Why is DOD classifying all sensitive data/workloads
that would run in a Commercial CSP as National Security Systems (NSS)
and be subject to additional security controls, when very few of them
are actually classified as NSS by definition?
Ms. Takai. The Department is not classifying all sensitive data and
workloads as NSS. In our cybersecurity policies we do not differentiate
between NSS and non-NSS. Rather, we have a single set of cybersecurity
controls that is then tailored to a particular system based on the
effect that system has on the Department's ability to perform its
assigned mission, protect its assets, and fulfill its responsibilities.
The Department uses the standard cybersecurity controls defined in
NIST Special Publication 800-53, Security and Privacy Controls for
Federal Information Systems and Organizations. Building on the NIST
standards, the Department worked with the Intelligence Community and
DHS to develop additional guidance on control selection for evaluating
IT systems within the NIST Risk Management Framework. This guidance was
published through the Committee for National Security Systems, but it
is used for all DOD systems not just NSS.
Mr. Kilmer. The Office of the CIO recently issued Supplemental
Guidance for the Department of Defense's Acquisition and Secure Use of
Commercial Cloud Services. This Guidance adds additional security
controls and processes that Commercial CSPs have to go through in order
to provide cloud services to DOD components. Will DOD data centers run
by DISA be put through the same level of third party scrutiny and
accreditation as commercial CSPs are required to complete? If not, why?
Ms. Takai. DOD data centers are evaluated using the same
cybersecurity controls, but are held to a higher standard than is being
used by the DOD Enterprise Cloud Service Broker (ECSB). Currently, the
ECSB is using the standard profiles for hosting systems that process
unclassified information and whose loss would not have a significant
effect on the Department's mission. DOD data centers are evaluated
against the requirements for hosting all DOD workloads, including
classified systems, and systems whose loss would have a catastrophic
impact on the Department's mission. In addition, the DOD data centers
are required to follow additional cybersecurity guidance defined in the
DISA Security Technical Implementation Guides (STIG).
The additional requirements that are identified in the DOD Cloud
Security Model address the need and approach for integrating Commercial
CSPs with the Department's cybersecurity defenses and cybersecurity
operations. DOD data centers are fully integrated with these network
protections and operations.
Mr. Kilmer. The CIA is moving swiftly to field the Commercial Cloud
Solution (C2S) to take advantage of the rapid agility and innovation of
commercial cloud. My understanding is this community cloud will service
the entire intelligence community and significantly reduce the costs of
computing and infrastructure as well as enhance security and
operational effectiveness. What are your plans to begin transitioning
your investment from the NSA IC cloud to C2S to further reduce costs
and take advantage of the investment the DNI/CIA is making in this
community cloud based on commercial cloud services?
General Alexander. Having an IC Cloud with two diverse, but
complementary, implementations--one commercial and one government--is
part of the IC ITE architecture established by the ODNI. NSA is working
with CIA bi-weekly to ensure that NSA's IC-GOVCLOUD and CIA's C2S
maximize all resources available for IC ITE users. With C2S becoming
available in the late summer of 2014, we will have more opportunity to
meet a customer's needs. NSA and CIA have developed the Joint Store
Front which is the front door for an agency to request cloud services.
The Joint Store Front will align the requests with resources to ensure
that a customer's needs are validated and met. NSA and CIA have agreed
to assess the right mix of cloud services provided by both GOVCLOUD and
C2S after C2S has been operational for 6 months. This would give us
better metrics to make an informed decision of the roadmaps ahead and
capacity needed for both. The assessment is due to ODNI February 2015.
For its part as a consumer of the IC Cloud, NSA will be a consumer of
C2S capabilities where the economies so indicate. We expect that the
primary focus of the IC-GOVCLOUD will remain data access, integration,
and analytics, and our roadmap includes converging the functionality of
the internal NSA Major System Acquisition clouds (MDR1 and MDR2) with
the IC-GOVCLOUD to maximize the potential for integrating data across
the IC.
______
QUESTIONS SUBMITTED BY MR. PETERS
Mr. Peters. The Federal Information Technology Acquisition Reform
Act of 2014 (FITARA) (HR 1232) passed the House on February 25 and has
been referred to both the Senate Armed Services Committee and the
Senate Homeland Security and Governmental Affairs Committee. With or
without FITARA, how will the DOD ensure that solicitations are based on
open standards, technical requirements, and without brand name
references? What is the DOD doing to ensure that fair and open
practices are being followed to avoid the ``lock-in'' of a single
vendor?
Ms. Takai. Independent of the Federal Information Technology
Acquisition Reform Act, the Department has recently issued the Interim
DOD Instruction 5000.02, acquisition policy, that establishes a policy
framework by which DOD will acquire IT. The updated policy includes
guidance on creating and sustaining a competitive environment that
encourages improved performance and cost control for DOD systems. The
policy also addresses the issue of the government maintaining rights to
data associated with a delivered capability to ensure that proprietary
data formats and exchanges do not lead to ``lock-in''.
In addition to the updated acquisition policy mentioned above, the
Department has promoted the use of open systems and open systems
architecture by issuing guidance, such as the ``DOD Open Systems
Architecture Contract Guidebook for Program Managers'', and
``Clarifying Guidance Regarding Open Source Software (OSS)''.
Furthermore, these guidelines for open systems architecture have been
incorporated into the curriculum of the Defense Acquisition University.
With regard to open standards, the Department has had a long-standing
requirement for programs to follow IT standards that are
listed in the DOD IT Standards Registry (DISR). The standards listed in
the DISR are managed through a rigorous governance process in which
open commercial standards are considered for adoption first and
foremost. My office will continue to work closely with the office of
the Under Secretary of Defense for Acquisition, Technology and
Logistics to ensure IT investments are based on performance and value
while meeting the Department's mission and business requirements.
Mr. Peters. Many industry stakeholders believe that DOD sole source
justifications are provided without adequate market research or include
arguments favoring the need to maintain a single vendor network. Are
you aware of instances where sole source justification was provided
without adequate market research or in favor of a single vendor? Please
describe the steps DOD is taking to introduce alternative network
vendors into the DOD network infrastructure environment.
Ms. Takai. I am not aware of any instance where a sole source
justification was provided without adequate market research.
DOD procurement officials are required to follow the procedures
outlined in the Federal Acquisition Regulation (FAR) and the Defense
FAR Supplement (DFARS), Part 10--Market Research, which requires market
research for all procurement levels, but the level of detail will vary
based on the dollar amount and complexity of the procurement. In
accordance with FAR Subpart 10.002, acquisitions begin with a
description of the Government's needs stated in terms sufficient to
allow conduct of market research. Market research is then conducted to
determine if commercial items or nondevelopmental items are available
to meet the Government's needs or could be modified to meet the
Government's needs.
In accordance with FAR Subpart 6.302-1(c)--Only One Responsible
Source and No Other Supplies or Services Will Satisfy Agency
Requirements--Application for brand name descriptions, there may be
cases where the use of a particular brand-name, product, or feature of
a product, peculiar to one manufacturer is essential to the
Government's requirements, thereby precluding consideration of a
product manufactured by another company. In these cases, a
justification and approval must be executed and posted with the
solicitation.