b'<html>\n<title> - [H.A.S.C. No. 111-51]CYBERSPACE AS A WARFIGHTING DOMAIN: POLICY, MANAGEMENT AND TECHNICAL CHALLENGES TO MISSION ASSURANCE</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n\n                         [H.A.S.C. No. 111-51]\n \n CYBERSPACE AS A WARFIGHTING DOMAIN: POLICY, MANAGEMENT AND TECHNICAL \n                    CHALLENGES TO MISSION ASSURANCE\n\n                               __________\n\n                                HEARING\n\n                               BEFORE THE\n\n    TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES SUBCOMMITTEE\n\n                                 OF THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              HEARING HELD\n\n                              MAY 5, 2009\n\n                                     \n[GRAPHIC] [TIFF OMITTED] TONGRESS.#13\n\n                                     \n\n                  U.S. GOVERNMENT PRINTING OFFICE\n57-218                    WASHINGTON : 2010\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202\xef\xbf\xbd09512\xef\xbf\xbd091800, or 866\xef\xbf\xbd09512\xef\xbf\xbd091800 (toll-free). E-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="096e7966496a7c7a7d616c6579276a666427">[email&#160;protected]</a>  \n                                     \n  \n\n\n    TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES SUBCOMMITTEE\n\n                    ADAM SMITH, Washington, Chairman\nMIKE McINTYRE, North Carolina        JEFF MILLER, Florida\nROBERT ANDREWS, New Jersey           FRANK A. LoBIONDO, New Jersey\nJAMES R. LANGEVIN, Rhode Island      JOHN KLINE, Minnesota\nJIM COOPER, Tennessee                BILL SHUSTER, Pennsylvania\nJIM MARSHALL, Georgia                K. MICHAEL CONAWAY, Texas\nBRAD ELLSWORTH, Indiana              THOMAS J. ROONEY, Florida\nPATRICK J. MURPHY, Pennsylvania      MAC THORNBERRY, Texas\nBOBBY BRIGHT, Alabama\n                 Kevin Gates, Professional Staff Member\n               Alex Kugajevsky, Professional Staff Member\n                     Andrew Tabler, Staff Assistant\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                     CHRONOLOGICAL LIST OF HEARINGS\n                                  2009\n\n                                                                   Page\n\nHearing:\n\nTuesday, May 5, 2009, Cyberspace as a Warfighting Domain: Policy, \n  Management and Technical Challenges to Mission Assurance.......     1\n\nAppendix:\n\nTuesday, May 5, 2009.............................................    27\n                              ----------                              \n\n                          TUESDAY, MAY 5, 2009\n CYBERSPACE AS A WARFIGHTING DOMAIN: POLICY, MANAGEMENT AND TECHNICAL \n                    CHALLENGES TO MISSION ASSURANCE\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nMiller, Hon. Jeff, a Representative from Florida, Ranking Member, \n  Terrorism, Unconventional Threats and Capabilities Subcommittee     1\nSmith, Hon. Adam, a Representative from Washington, Chairman, \n  Terrorism, Unconventional Threats and Capabilities Subcommittee     1\n\n                               WITNESSES\n\nAlexander, Lt. Gen. Keith, USA, Commander, Joint Functional \n  Component Command Network Warfare, Director, National Security \n  Agency, Department of Defense..................................     6\nCarey, Robert J., Chief Information Officer (DONCIO), Department \n  of the Navy....................................................     3\nKrieger, Mike, Deputy Chief Information Officer/G-6, Department \n  of the Army....................................................     2\nLentz, Robert, Deputy Assistant Secretary of Defense for Cyber, \n  Identity Management, and Information Assurance, and Senior \n  Information Assurance Official, Department of Defense..........     5\nShelton, Lt. Gen. William L., USAF, Chief of Warfighting \n  Integration, Chief Information Officer, Office of the Secretary \n  of the Air Force...............................................     4\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Alexander, Lt. Gen. Keith....................................    94\n    Carey, Robert J..............................................    44\n    Krieger, Mike................................................    34\n    Lentz, Robert................................................    66\n    Miller, Hon. Jeff............................................    32\n    Shelton, Lt. Gen. William L..................................    54\n    Smith, Hon. Adam.............................................    31\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    [There were no Questions submitted during the hearing.]\n\nQuestions Submitted by Members Post Hearing:\n\n    Mr. Murphy...................................................   121\n    Mr. Smith....................................................   101\n    Mr. Thornberry...............................................   109\n\n CYBERSPACE AS A WARFIGHTING DOMAIN: POLICY, MANAGEMENT AND TECHNICAL \n                    CHALLENGES TO MISSION ASSURANCE\n\n                  House of Representatives,\n                       Committee on Armed Services,\n        Terrorism, Unconventional Threats and Capabilities \n                                              Subcommittee,\n                              Washington, DC, Tuesday, May 5, 2009.\n    The subcommittee met, pursuant to call, at 3:58 p.m., in \nroom 2212, Rayburn House Office Building, Hon. Adam Smith \n(chairman of the subcommittee) presiding.\n\n  OPENING STATEMENT OF HON. ADAM SMITH, A REPRESENTATIVE FROM \n  WASHINGTON, CHAIRMAN, TERRORISM, UNCONVENTIONAL THREATS AND \n                   CAPABILITIES SUBCOMMITTEE\n\n    Mr. Smith. Good afternoon. Call the meeting to order. Sorry \nabout the delay. Votes came at a bad time, and then I got \nwaylaid by a conversation on my way over here, but I do want to \nthank all of you for being here today. Appreciate your presence \non this very important topic and look forward to hearing from \nall of you.\n    I will keep my opening statement very, very brief except to \nsay that cyber security is an incredibly important element of \nour national security with many, many complex pieces to it. \nObviously it involves a multi-agency process; also it involves \nthe private sector and a variety of different challenges that \nare very complicated and complex.\n    And our goal in this committee is to help work with the new \nadministration and all the appropriate agencies to try to \ndevelop a comprehensive strategy to approach our network \nsecurity needs and our broader cyber security interests--try to \nget us to the point where we have at least some idea of what \nthe plan is and are working closely together on how to \nimplement that with all the different pieces of it. And I look \nforward to the testimony. We have a very, very distinguished \npanel that will help shed some light on this issue and help let \nus know what the pathway forward is.\n    And with that, I will yield to our ranking member, Mr. \nMiller, for any opening statement that he might have.\n    [The prepared statement of Mr. Smith can be found in the \nAppendix on page 31.]\n\n STATEMENT OF HON. JEFF MILLER, A REPRESENTATIVE FROM FLORIDA, \n     RANKING MEMBER, TERRORISM, UNCONVENTIONAL THREATS AND \n                   CAPABILITIES SUBCOMMITTEE\n\n    Mr. Miller. Thank you very much, Mr. Chairman. I have a \nfull statement that I would like submitted into the record.\n    [The prepared statement of Mr. Miller can be found in the \nAppendix on page 32.]\n    Mr. Miller. I associate myself with your remarks, and as we \nall know, breaches in our security have taken place time and \ntime again. The Joint Strike Fighter [JSF] Program highlights \nthe vulnerability that currently exists today. Our charge is to \nhelp you get the job done, and that is what we are here for, so \nthank you.\n    Mr. Smith. Thank you.\n    Just in connection, I had one further thought. It is not \njust a matter of cyber security preventing attacks. We need to \nlook at our entire system\'s--our entire IT [information \ntechnology] infrastructure in terms of what we need to get out \nof it and how to best make that system work on a variety of \ndifferent needs including, of course, making sure that it is \nprotected from our adversaries or those who wish to do us harm.\n    With that I will introduce the panel. I will go--introduce \nall of you, and then we will just start with Mr. Krieger and \nwork our way across the panel.\n    As you have noticed, there is five of you, and try to keep \nyour testimony between five and ten minutes at the most. We \ndon\'t want to go on too long before we get into the \ninteraction. I know that is very difficult on a subject this \ncomplex, but appreciate your cooperation so we can get into the \nquestions from the members.\n    So I will introduce the panel. First we have Mr. Mike \nKrieger, who is the deputy chief information officer for the \nU.S. Army; Mr. Rob Carey, who is the chief information officer \nfor the U.S. Navy; we have Lieutenant General William Shelton, \nUnited States Air Force, chief of warfighting integration, \nchief information officer, Office of the Secretary of the Air \nForce; we have Mr. Robert Lentz, who is the deputy assistant \nsecretary of defense for cyber, identity management, and \ninformation assurance--that sounds like a complicated job, and \nit is; and lastly, we have Lieutenant General Keith Alexander, \nwho is the director of the National Security Agency.\n    We appreciate all of you being here. We look forward to \nyour testimony and to the Q & A that follows.\n    Mr. Krieger.\n\n STATEMENT OF MIKE KRIEGER, DEPUTY CHIEF INFORMATION OFFICER/G-\n                   6, DEPARTMENT OF THE ARMY\n\n    Mr. Krieger. Good afternoon, Chairman Smith, Congressman \nMiller, and distinguished members of the subcommittee. As the \nUnited States Army\'s deputy chief information officer and \ndeputy G-6, I am pleased to appear before the subcommittee this \nafternoon to discuss the Army\'s activities to address the \nchallenges to enhance mission assurance in cyberspace as a \nwarfighting domain.\n    The Army believes that our enterprise network, known as \nLandWarNet, must be viewed as a critical enabler for the \nwarfighter. This requires a change in our culture for which the \nArmy is revising policies, management of people in the network, \nand enhancing technical capabilities to better detect, assess, \nand respond to cyberspace attacks.\n    The Army is transitioning to a continental U.S.-based \nexpeditionary force. To support this force the Army is adapting \nour institutions and LandWarNet. General Casey recently signed \na memorandum to transform LandWarNet to a new Global Network \nEnterprise Construct, or GNEC, that is more secure, economical, \nand seamless. General Casey also designated the Network \nEnterprise Technology Command, reporting to the chief \ninformation officer, as the single command for network \noperations of the Army\'s generating force networks.\n    The Army is implementing many new policies to improve cyber \nsecurity. These policies concentrate on protecting information, \ndefending systems, and creating an empowered workforce.\n    Addressing the management challenges of training our cyber \nwarriors and protecting our network remain top priorities in \nthe Army. The Army is reviewing the development and tracking of \nits overall workforce and looking to update the career \nmanagement fields for conducting cyberspace operations.\n    Successfully mitigating cyberspace attacks and \nvulnerabilities requires unity of command and effort not only \nbetween the Army, other services, and the combatant commands, \nbut within the Army staff. We have realigned organizations to \nstreamline the command and control over the network and are \ncreating an Army Cyber Task Force to better define and oversee \ncyberspace operations.\n    To meet the many technical challenges the Army faces, we \nhave taken many initiatives, which include a data-at-rest \nencryption solution, a secure two-way wireless capability, and \nwe are working with the defense industrial base to protect \ntechnologies used to build our future networks and major \nweapons systems.\n    In conclusion, the Army is taking action to mitigate \npersistent cyberspace threats. Using GNEC, the Army is \naddressing the challenge of changing the culture to view the \nnetwork as a critical enabler for the warfighter. The Army\'s \ncommitment to transforming LandWarNet will ensure commanders \nhave the ability to control, defend, and fight the network as \none enterprise.\n    I thank the subcommittee for affording me the opportunity \nto share the Army\'s activities to operate and enhance missions \nassurance in cyberspace as a warfighting domain. This concludes \nmy remarks and I look forward to answering your questions.\n    [The prepared statement of Mr. Krieger can be found in the \nAppendix on page 34.]\n    Mr. Smith. Thank you very much.\n    Mr. Carey.\n\n    STATEMENT OF ROBERT J. CAREY, CHIEF INFORMATION OFFICER \n                (DONCIO), DEPARTMENT OF THE NAVY\n\n    Mr. Carey. Thank you, Mr. Chairman.\n    Chairman Smith, Congressman Miller, distinguished \nsubcommittee members, thank you for the opportunity to appear \nbefore you today. I provided a written statement and request \nthat it be entered into the record.\n    I would like to use this time to briefly highlight some of \nour key initiatives that will ensure the Department of Navy\'s \nsuccess in the cyberspace domain. It is a time of great change, \nand as the Department of the Navy chief information officer, I \nhave the honor to work across the entire Navy-Marine Corps \nteam, harnessing the power of information technology for our \nsailors, Marines, and civilians.\n    Our efforts in the cyberspace domain span our mission sets \nand mandate that we defend the information for the warfighters \nas well as protect the privacy of our naval team. The \ncyberspace domain is one in which we must prevail. The \ndepartment remains on a course for interoperable, net-centric \noperations that will link warriors, sensors, networks, command \nand control platforms, weapons, and commanders, into a \nnetworked, distributed combat force.\n    Key to our success will be the ability to balance the \npolarity between the need to share information and our \nrequirement to protect it against cyber threats. We have made \ngreat strides in the areas of policy, management, and technical \nchallenges that are enabling us to achieve this balance.\n    Together with our industry partners, we have created an \nenterprise network structure comprised of the Navy/Marine Corps \nIntranet [NMCI], the department\'s shore-based network; \nInformation Technology-21, for our float forces; ONE-NET \n[OCONUS Navy Enterprise Network], for our Navy outside of CONUS \n[continental U.S.] forces; and the Marine Corps Enterprise \nNetwork; as our contribution to the DOD [Department of Defense] \nvision of a trusted, dependable, ubiquitous network.\n    We have seen the power of a singe enterprise network \nimproving access, control, interoperability, and information \nsecurity, and as we move toward the Naval Network Environment \n2016, our continued consolidation using the Next Generation \nEnterprise Network and a defense-in-depth and breadth, will \nfurther enable our ability to serve the warfighters with \nassured information.\n    Our computer network defense efforts are comprised of a \nbroad array of initiatives to ensure a defense-in-depth, and \nwhile we are making progress, much work remains. We leverage \nindustry best practices and standards, such as public key \ninfrastructure encryption, data-at-rest encryption, and host-\nbased security systems, to strengthen our cyber security.\n    Our brave sailors and Marines deployed far from home in \nharm\'s way are the heart and soul of our organization. What \nthey know and how they translate that knowledge through sound \ndecisions into action will define how successful we are. And so \nwe are committed to providing them the information and tools \nthey need to stay current and defend the cyberspace domain in \nan increasingly complex technology-based environment.\n    Thank you for your support of our information technology \ninitiatives and our efforts to achieve net-centric operations \nand decision superiority. I am happy to answer any questions \nthat you may have.\n    [The prepared statement of Mr. Carey can be found in the \nAppendix on page 44.]\n    Mr. Smith. Thank you very much.\n    General Shelton.\n\n   STATEMENT OF LT. GEN. WILLIAM L. SHELTON, USAF, CHIEF OF \n WARFIGHTING INTEGRATION, CHIEF INFORMATION OFFICER, OFFICE OF \n                 THE SECRETARY OF THE AIR FORCE\n\n    General Shelton. Good afternoon, Chairman Smith, \nCongressman Miller, distinguished members of the subcommittee. \nI am pleased to be here today, along with members of the DOD\'s \ncyber leadership team, to appear before you and address our \nefforts to meet the challenges in the cyberspace domain.\n    Several years ago the U.S. Air Force recognized the growing \nimportance of cyberspace. On December 7, 2005, we took the \nunprecedented step of adding cyberspace to our mission \nstatement and placed that domain on an equal footing with our \nmore traditional operating environments of air and space.\n    Since that time, we have been moving forward to organize, \ntrain, and equip our Air Force for both defensive and offensive \ncapabilities in cyberspace or joint operations. As we have \ncontinued our study of cyberspace, we are finding that the most \nsignificant challenge we face is the constantly evolving nature \nof the threat in cyberspace. Threats in cyberspace move at the \nspeed of light, and we are literally under attack every day as \nour networks are constantly probed and our adversaries seek to \nexploit vulnerabilities in our network enterprise.\n    I would like to thank the committee for its support and for \nthis opportunity to highlight the outstanding efforts that the \ndedicated men and women of the United States Air Force [USAF] \nto help secure the nation and cyberspace. This domain is both \nhighly complex and extremely challenging, but it is one that \nthe Air Force is fully embracing.\n    Thank you again, and I look forward to your questions.\n    [The prepared statement of General Shelton can be found in \nthe Appendix on page 54.]\n    Mr. Smith. Thank you, General.\n    Mr. Lentz.\n\n   STATEMENT OF ROBERT LENTZ, DEPUTY ASSISTANT SECRETARY OF \n    DEFENSE FOR CYBER, IDENTITY MANAGEMENT, AND INFORMATION \n     ASSURANCE, AND SENIOR INFORMATION ASSURANCE OFFICIAL, \n                     DEPARTMENT OF DEFENSE\n\n    Mr. Lentz. Good afternoon, Chairman Smith, Congressman \nMiller, and members of the subcommittee. I am pleased to appear \nbefore the subcommittee to discuss initiatives to enhance the \ndepartment\'s and the nation\'s information assurance cyber \nsecurity posture.\n    This is a critical priority in the Department of Defense. \nWith information and information technology assets distributed \nover a vast enterprise and with diverse domestic and \ninternational partners, we know that we can not execute \noperations without the GIG, Global Information Grid, or the DOD \nnetwork.\n    The GIG is where business goods and services are \ncoordinated, where medical information resides, where \nintelligence data is fused, where weapons platforms are \ndesigned, built, and maintained, where commanders plan \noperations and control forces, and where training, readiness, \nmorale, and welfare are sustained. Maintaining freedom of \naction in cyberspace is critical to the department and to the \nnation.\n    Therefore, the department is focused on building and \noperating the GIG as a joint global enterprise. This enterprise \nnetwork approach, coupled with skilled users, defenders, and \nfirst responders, and in partnership with the intelligence and \nhomeland security communities, will allow us to more readily \nidentify and respond to cyber attacks.\n    The DOD information assurance cyber security program is \nthus aimed at ensuring that DOD missions and operations \ncontinue under any cyber situation or condition, and the cyber \ncomponents of DOD weapons systems perform as expected. There \nare many examples of current initiatives in my statement for \nthe record. I will quickly highlight a few today.\n    To protect sensitive data on mobile and portable devices \nlike laptops, we help make discounted encryption products \navailable to all federal, state, local, and tribal government \nagencies and to NATO [North Atlantic Treaty Organization]. \nSince July of 2007, the resulting U.S. government cost \navoidance has exceeded $98 million.\n    To address cyber security risks to the defense industrial \nbase we have put in place a multi-faceted pilot for threat and \nvulnerability sharing, incident reporting, and damage \nassessment. For the global supply chain, the department has \nlaunched a program to protect mission-critical systems.\n    This year we are establishing four centers of excellence to \nsupport program executive offices and supply chain risk \nmitigation throughout the system lifecycle. Additionally, we \nare executing vulnerability assessments in accordance with the \n2009 National Defense Appropriations Act.\n    We continue to rely on the national centers of academic \nexcellence and IA [information assurance] education for \ncritical cyber security skills. There are currently 94 centers \nin 38 states and the District of Columbia. One of the centers--\nthe University of Nebraska at Omaha--cosponsored and hosted \nlast year\'s fifth annual International Cyber Defense Workshop.\n    In 2008, the department helped bring cyber security to the \nWounded Warrior Program. Wounded, disabled, and transitioning \nveterans are receiving no-cost vocational training in digital \nforensics, a critical technical shortfall for the nation and \nfor the department. The program started at Walter Reed and is \nbeing expanded to other DOD and VA hospitals.\n    In conclusion, the DOD\'s CIO [Chief Information Officer] is \nworking towards a resilient and defendable core network for the \ndepartment and for the nation in the face of the daunting \nsecurity challenges. We are preparing the GIG [Global \nInformation Grid] and the GIG-dependent missions to operate \nunder duress, and we are doing so under conditions of rising \nhostilities.\n    I am happy to take questions. Thank you.\n    [The prepared statement of Mr. Lentz can be found in the \nAppendix on page 66.]\n    Mr. Smith. Thank you very much.\n    General Alexander.\n\n STATEMENT OF LT. GEN. KEITH ALEXANDER, USA, COMMANDER, JOINT \n    FUNCTIONAL COMPONENT COMMAND NETWORK WARFARE, DIRECTOR, \n        NATIONAL SECURITY AGENCY, DEPARTMENT OF DEFENSE\n\n    General Alexander. Well, that was quick, Mr. Chairman----\n    Mr. Smith [continuing]. Astonished. We moved very, very \nquickly through that.\n    General Alexander. I won\'t slow it down.\n    Mr. Smith. No----\n    General Alexander. Mr. Chairman, Ranking Member----\n    Mr. Smith. We are ahead of schedule at this point.\n    General Alexander. Well, I don\'t know enough to fill it up, \nso I will talk briefly here.\n    I would like to just give you a little bit of background \nabout what NSA, the National Security Agency, but more \nimportantly, what the Joint Functional Component Command [JFCC] \nfor Network Warfare is doing in network operations--where we \nare, where we are going, and the way ahead, because I think it \nleverages off of what my colleagues have already brought up. It \nhas to be a team to work this across the services, within DOD, \nto set up the right apparatus. So I will end on that.\n    Let me go back to the beginning, and if I could, just hit \nbriefly on World War II, and in World War II, just hitting on \nsome of the key things that happened in World War II, \nspecifically Enigma and Red and Purple, the Japanese encryption \nsystems and the German encryption systems. The reason I bring \nthose up, as you may recall, the Germans had Enigma; we broke \nit--actually the Poles and the Brits broke it; and in 1941 \nAdmiral Donitz understood that it was broken and added a fourth \nrotor to make the decrypting of those communications more \ndifficult.\n    From January to March of 1942 the United States lost 216 \nships off the cost--off the East Coast, and our efforts in \nEurope were going down rapidly. We were able to break that \ncollectively, with industry, Army, Navy, working together with \nour allies, and it changed the balance of that war.\n    And if you think about it, we broke their encryption, we \nbroke the Japanese encryption, and they didn\'t break ours. And \nthat was huge for warfighting.\n    The network that we have today has taken what was an analog \nnetwork to a digital network, and a consequence of that change, \ngoing from analog to packets, is huge. It allows us to leverage \nthings like iPhones, the iTouch--I have 11 grandchildren, and \nthey have these little iPod Shuffles; they are hooked to the \nnetworks. They can do things at seven years old--they are \ngoogling on the network. They are linked--the same network. One \nnetwork.\n    Great things are possible. Our military leverages that \ntoday for great good--for command and control, for integration \nof our intelligence with operations, with logistics, with \neverything we have on the battlefield. Great opportunities, \ngreat vulnerabilities.\n    And with those vulnerabilities comes the reason we really \nhave to focus as a team on cyber security. The way we are \napproaching it today does not work.\n    Recently, commander of STRATCOM [Strategic Command] \ndelegated to myself under net warfare [JFCC-NW], the \nresponsibility for directing the defense and operations of the \nGIG as well as our current role for net warfare, so that we \nhave all those missions together so that we could put the \ndefense and the offense together for the good of the Defense \nDepartment.\n    As you saw in my written statement for the record, the \nDefense Department is considering an option to stand up a sub-\nunified command that would allow us to leverage the defense and \nthe offense for the good of our forces around the world to \nensure that we have the communications availability, the \nintegrity of our communications, and the reliability that we \nneed to conduct our missions abroad. In order to do that, the \nservices and the joint community has to work together to \nsupport our regional combatant commands.\n    So I think what each of the services has said and where we \nare is now we are looking at the steps of what we have to put \ntogether in the sub-unified command as an option, or in a Joint \nFunctional Component Command--how will we put these \ncapabilities together to ensure our networks are secure and \nprovide us freedom of maneuver in cyberspace?\n    So with that, a lot of work to be done is ahead of us. I \nthink where the Defense Department is today is in a good place \nand moving up. We understand the problem; it doesn\'t mean that \nthere aren\'t issues with training, with equipping, and with the \ntactics, techniques, and procedures that we have to do, but I \ndo think that we have come up with a way of working together to \nface these and to come up with a good plan for the future.\n    So with that, Mr. Chairman, I turn it back over to you.\n    [The prepared statement of General Alexander can be found \nin the Appendix on page 94.]\n    Mr. Smith. Thank you.\n    And we will--in questions we will observe the five-minute \nrule. Hopefully--we got great very brief statements by our \nwitnesses--we will have time to go around more than once. But \njust to keep it flowing we will make sure we keep everybody to \nfive minutes, including me.\n    My first question is just sort of a follow up on that last \npoint about how coordinated the effort is in the Joint \nFunctional Component Command. So when you look out across DOD, \nand certainly we have many of the key components here--Army, \nNavy, Air Force--and if you are in your position, or STRATCOM\'s \nposition, or even a higher up, and you are going, ``How secure \nis my network?\'\'\n    How compartmentalized is that and how coordinated is that? \nYou know, how much do you guys get together on a regular basis \nso that you, as the person in charge of that, or the Secretary \nof Defense, or somebody higher up can say with confidence, \n``Our network is secure and we are paying attention to the \ndifferent pieces of it.\'\'\n    Or, I guess the better question is, to know the \nvulnerabilities--to know in a coordinated fashion so that it is \nnot stovepiped, because as you know, in this situation, in many \ncases, you are only as strong as your weakest link into the \nnetwork. How do you do that coordination within DOD?\n    And then I have a follow-on question about how you handle \nthe interagency piece. But just starting in DOD, and you \ntouched on that a little bit, but if you would get more \nspecific about how coordinated that effort is.\n    General Alexander. I will hit the first part and then I \nwill let Bob and some of the others----\n    Mr. Smith. Okay.\n    General Alexander [continuing]. Pick up on that. We direct \nthe defense of the network to the Joint Task Force-Global \nNetwork Operations. Lieutenant General Carroll Pollett, from \nthe Defense Information Systems Agency [DISA], is the commander \nof the Joint Task Force-Global Network Operations and works for \nme in that regard, and his day-to-day guy is Brigadier General \nJohn Davis. They put out written guidance of how to defend the \nnetwork--the unclassified and the classified networks.\n    I would like to say that our networks are secure, but that \nwould not be correct. We do have vulnerabilities.\n    And the issue, and one of the things that we have wrestled \nwith over the last six months, is a strategy for closing those \nvulnerabilities very quickly. I think we are making good \nprogress on that, because the level of problems that we have \nhad with things like Conficker and others have been greatly \ndiminished because of the great steps that have been taken by \nGlobal Network Operations but implemented by the services.\n    Mr. Smith. And what were some of those steps, if you could \nwalk through the specifics here?\n    General Alexander. Well, let us see. In an unclassified \nforum that becomes very difficult. It would be the way that you \nuse removable media, would be a great case in point--how you \nhave to use removable media or not use it in a network, what \nthe restraints are, dictating those restraints, how you have \nyour Information Assurance Vulnerability Analysis IAVA \ncompliance out there, which means, do you have your McAfee or \nSymantec antivirus software up to date? Are you using the \nlatest update? Have you scanned your system for these things? \nAnd ensuring that those kinds of things are done.\n    How do we tell that at a global scale? Others\' mission is \nto look on the periphery and see if we see problems on the \nnetwork.\n    I would like to give you one key element here I think is \ncrucial to it. If we try to defend our networks like we do a \ncastle--the moat--we will never be successful. We have to \ndefend it on the network globally, because that is how it \nexists on the network.\n    And so that means we and our allies in industry and \ngovernment have to work together in this enterprise. That is \ngoing to be key to our success.\n    Bob, and----\n    Mr. Lentz. I will give you two examples, Mr. Chairman, to \nyour question. First of all, one unclassified example of the \ncooperation at a technical level is the Federal Desktop Core \nConfiguration.\n    The fact that we locked down the computers so tightly at \nour endpoint within the DOD network working with the services--\nin fact, the Air Force led that effort--and Microsoft, which is \nour most ubiquitous product throughout the Department of \nDefense, is locked down in terms of the stable configuration, \nand that has allowed us to defend the network much more \neffectively. I think that is a technical example.\n    To your first question regarding the cooperation within the \nDepartment of Defense, one of the things that--we have a DOD \nCIO policy that has been fully implemented is, we align every \nsingle service and agency within the Department of Defense to \nwhat we call a computer network defense service provider, or a \nComputer Emergency Response Team [CERT]. So every entity in the \nDepartment of Defense, from our schools to our main military \noperations, are aligned to certified CND [computer network \ndefense] service providers, and those CND service providers \nwork together under the leadership of STRATCOM and the JTF-GNO \n[Joint Task Force-Global Network Operations] working in \npartnership with NSA and the law enforcement community part of \nour infrastructure to work on these cyber events. So I think \nthat is an example of the cooperation that goes on within the \nDOD.\n    Mr. Smith. Okay.\n    I will yield back the point and yield to Mr. Miller.\n    Mr. Miller. Thank you, Mr. Chairman.\n    Could you talk about the role that you think the federal \ngovernment should play in securing the networks of our defense \nindustry partners?\n    Mr. Lentz.\n    Mr. Lentz. Clearly, it is absolutely essential, in terms of \nhaving a robust capability in the face of the cyber attack, is, \nwe need a partnership in every tier, from our international \npartners--we have found on one cyber event after another cyber \nevent that they have insights that are very critical for us. \nPlus, just because of the nature of the geography, our \ninternational partners oftentimes will have an advanced warning \nto give us insight into cyber events.\n    At the domestic level, we team with the major centers \nacross the cyber landscape, to include the counter-\nintelligence, the law enforcement communities, and of course, \nall the CERTs [Computer Emergency Response Teams]. And at the \nindustry level, it is absolutely essential we team with the \nISPs [Internet service providers], we team with Carnegie \nMellon, we team with all the industry leaders in this area to \ngain insight into cyber events, particularly when it comes to \nvulnerabilities in which we have to have advanced notice in \ntoday\'s cyber environment.\n    Mr. Miller. General? Would you like to answer?\n    General Alexander. So the role that--just to take up where \nBob left off--so one of the roles that the intelligence \ncommunity and the Defense Department is going to have is, how \ndo you make those identifications of the vulnerabilities and \nthe signatures and how do we work those with industry and other \ngovernment entities so that they know how to defend their \nsystem?\n    I think if you take the analogy that I was talking about, \nthis--we are defending a castle today, but we want to defend \nour network and perhaps our allies\' networks, then you are \ngoing to have to have an early warning capability that exists \nbetween networks to tip and cue on problems that are coming. I \nthink that is going to be key for future problems that we \nface--for example, some of these robot networks, or botnets, \nthat are out there, and things like that.\n    How do you defend against them? It is going to take our \ncountry and our allies to work together and tip and cue at \nnetwork speed to defeat them.\n    Mr. Miller. How does the DOD ensure that we--you had \nmentioned the word ``robust\'\'--have a robust computer network \ndefense and information assurance structure in place but we \ndon\'t replicate across the service lines?\n    Mr. Lentz. Well, I think we actually do have a very robust \ncapability working with the services. As I mentioned, early the \nCND [Computer Network Defense] service provider program that we \nhave--we have 23 different CND service providers across the \nDepartment of Defense, of which the services make up a good \nshare of those. And each one of those CND service providers \ncoordinate constantly in real time what is going on in cyber \nevents.\n    Mr. Smith. Mr. Marshall for five minutes.\n    Mr. Marshall. Thank you, Mr. Chairman.\n    I wonder what the limits of the effective partnership \nbetween DOD, or the nation generally, and business might be--\nthe private sector might be. I was involved in an enterprise at \none point that decided it was going to acquire a bunch of \nlaptops that each individual employee would then use to enter \ndata while they were out. We had a range of possible laptops \nthat we could pick, and some of the more expensive laptops were \nless vulnerable to damage if they were dropped, if, you know, \nthey were exposed to water, to heat, et cetera, and then there \nwas the question of weight, and typically the ones that were \nless vulnerable were also heavier, and so we ultimately decided \nwe were going to go with the lightweight one because we could, \nin our circumstances, not have to worry too much about things \nbeing dropped or subjected to water or heat.\n    I assume that for some of the applications that we might \nuse laptops for where the Army is concerned and the services \nare concerned, going to go with the heavier version that can \nhandle them. And I wonder if those--I am sure that those same \nkinds of decision-making differences between the private sector \nand the public sector exist with regard to the issues that you \nall deal with that are way above my pay grade. And I am \nwondering if you can describe where it is that your interests \ndiverge or your objectives diverge in ways that will make the \npartnership more difficult.\n    General Alexander. I will take a first whack at that, sir. \nLet me just give you my thought, and that is, where they \nconverge are where it is in our nation\'s interest to ensure \nthose networks exist and can function and they are reliable--\nour power grid, our critical infrastructure at large. We have, \nI think, there a responsibility to partner with industry to \nassure that our nation can operate in a time of crisis, and the \ngovernment has some kind of role there and I think we have got \nto determine--and I think some of the stuff coming out of the \n60-day review and other studies will look at, so how do we \npartner with industry to do that?\n    Our partnership might be giving them early warning, sharing \nwith them threat data, and helping them secure their networks \nwith some of the standards that Bob talked about, in terms of \nhow you would set up your desktop configuration to active \ntipping and cuing to defend their networks. One of the key \nthings that industry has done on the network is their \nintellectual secrets, their financial--wealth, all that is \nstored on the networks, their personal data. Much of that is an \nindustry, I think, responsibility to secure, and government \nwould support in some way.\n    So I think that is where it starts to diverge, as you get \nindustry that is out there on its own--there are some things--\nyou know, our own personal communications from my wife to \nmyself--that doesn\'t need government, and if that goes down, \nwell then I won\'t buy the milk and bread tonight. I will be \ngood.\n    But, you know, our personal communications aren\'t a \nnational priority, so I think you are going to have that range \nfrom those things that are, how do we ensure the security of \nour nation, so that if a network attack blossoms into a warfare \nwe know where that line is.\n    Mr. Marshall. There is no question a tremendous opportunity \nexists for synergy here and for taking advantage of the private \nsector\'s obvious interest in protecting data. I mean, literally \nbillions or trillions of dollars are at stake, you know, \nbesides personal private information.\n    And so the private sector is paying top dollar to the best \npossible minds to protect the infrastructure that holds access \nto those kinds of money flows, to that kind of private \ninformation. I am wondering where it diverges in any \nsubstantial way.\n    General Alexander. Well, I think part of the divergence is \nthat, you know, they are going to harden like a shell for \ntheirs, but the government is going to operate across a global \nthing with our allies, so we have a global responsibility. You \ncan harden a network for an industry within a network and \nalmost sever it completely and have that almost ensured \nsecurity.\n    Where we have to have an Army in the field, or an Air Force \nin the field, or a Navy out there, they are going to have \ncommunications that are both wireless and wired, and as a \nconsequence they are going to have vulnerabilities that are far \ndifferent than what industry might have. Now, having said that, \nit doesn\'t necessarily mean that there aren\'t things that we \ncouldn\'t work together with or should work together with; I \nthink there will be.\n    So I think you will have all the way from the far you know, \nall the way over here on the far right, those things that we \nare not worried about and even if somebody loses them, to those \nthings that we are worried about as the national interest; and \nthen take the other axis that you were doing, the economic \naccess, from those things you don\'t worry about somebody \nhitting over here, perhaps, in one level of industry all the \nway over to the banking industry and security of those. And \nboth of those at the far end of that--the banking industry and \nour national military command authority--both have to be \nsecured with the best that we have. And I think there is great \nsynergy here and great divergence at the other end.\n    Mr. Smith. Thank you. If you have something quick, I want \nto make sure we keep moving to the other members. Mr. \nThornberry.\n    Mr. Thornberry. Thank you, Mr. Chairman. If we are \nliterally under attack every day and are to treat cyber as a \ndomain of warfare, like we have treated others, it seems to me \nwe have to have the legal, policy, and doctrine discussions as \nwell as funding, training, equipping, and all the things that \ngo with domains of warfare that we are serious about.\n    General Shelton, you mentioned the Air Force has been in \nfront on this. Does the Air Force have a specific plan to \nimplement what Secretary Gates talked about in quadrupling the \nnumber of people trained in cyber warfare?\n    General Shelton. Yes, sir. We are moving out on adapting \ncourses--adopting courses. There are joint courses we are \npursuing that are already in place. There are new ones that are \nstanding up.\n    We are changing the way we train at our training centers, \nboth officer and enlisted, and also creating training \nopportunities for our civilians. So the answer is, absolutely. \nWe are trying to expand our universe in terms of trained people \nin this area.\n    Mr. Thornberry. But is that down to the point where there \nis a piece of paper that shows, we are going to ramp up our \ntraining to meet this specific number that he talked about that \nhas been signed off on?\n    General Shelton. We aren\'t there yet, sir, to the actual \nnumbers, but we do have a way ahead in terms of concept. But is \nit numerically in place? It is not.\n    Mr. Thornberry. I am just trying to understand how far we \nhave gotten towards being serious--and I am not picking on you, \nparticularly--but just how far we have gone to being serious \nabout some of these tough issues.\n    General Alexander, to pick on you a little bit--not really \npick on you, but----\n    General Alexander. Thank you.\n    Mr. Thornberry [continuing]. But what are the policy and \nlegal issues that we need to be thinking about? I mean, a lot \nof this is the stuff that is in you all\'s bailiwick, and we \nhave got to oversee the funding and so forth, but it seems to \nme there are some legal policy issues that are our \nresponsibility. What are they?\n    General Alexander. I think one of the clear ones--what you \nwould expect us to do is to defend our networks, and we have \nthe right to defend our networks and to keep adversaries from \ngetting into our networks, to secure our classified networks \nand all of that. And I think there is inherent right, and we \nhave the legal framework to go ahead and do that.\n    Here is where it starts to break down and where I think \nyou, with the administration and others--the discussion that we \nare now going to enter into. I think once the 60-day review has \ncome up, and so now going back to the earlier question, so what \nis that role and responsibility primarily with DHS [Department \nof Homeland Security], because they will have to lead for the \nrest of the dot-gov networks and for that partnership with \nindustry, so what is the legal framework for sharing threat \nsignatures with industry that are classified? How do we do it \nat network speed so that it is defensible? And what is that \nlegal framework and what is that operational framework?\n    And those are areas that technically are easier to do than \nthey are to set the legal framework up, because you have \nindustries--for example, your antivirus community. If we give \nthem a classified signature, how do we ensure it is not given \nout so widely that our adversaries have it when they are a \nglobal antivirus community? Things like that we are going to \nhave do look at. There is a whole series of issues, I think, in \nthose realms.\n    Mr. Thornberry. Well, for example, when the Constitution \nsays Congress has the responsibility to declare war, what does \nthat mean when we are under attack every day? How do we deal \nwith warfare in cyberspace?\n    General Alexander. Well, I think the loose use of the word \n``under attack\'\' and ``warfare\'\' is probably more accurately \ndescribed as people probing our network. We call that, I \nthink--others loosely call that an attack on your network, but \nit falls short of what I think we would legally look at, and I \nhave got the head lawyer back there right behind me, so he will \nraise his hand and make sure I say this right, but----\n    Mr. Smith. He was nodding his head. Let the record reflect \nit.\n    General Alexander. This way, or this way?\n    Mr. Thornberry. Well, was Estonia or Georgia under attack, \nand was their infrastructure under attack in a way that, you \nknow, gets closer to that declaration of war?\n    General Alexander. No, I think you are starting to--on \nthose you are starting to get close to what would be. The \nproblem that you have there is who. The attribution. And so I \nthink what you have is the inherent right to defend first, and \nattribute, and preferably to do those at network speed. So what \nwe just agreed on, I think, if you agree with those two \nstatements to do those both at network speed, is the reason \nthat we need the defense, the exploit, and the attack to work \nsynonymously as a team at network speed to do just that.\n    Because if we don\'t--if we leave the defend, to defend \nitself and they are getting hit over here and somebody says, \n``Hey, did you know they are getting hammered? The Air Force is \ngetting hit on the network,\'\' we would say no, we didn\'t. It \nhas happened to our industry players. And so if you are not \naware of it you can\'t help mitigate it, you can\'t help \nattribute it.\n    So that partnership has to come in. I think in the legal \nframework it starts to go up to, when is it going from exploit \nto damage? And in that change is where you go from what I will \ncall spying operations into warfare.\n    And there is, I think, a more specific set of terms that \nwould define those, and--did I get all that right, Bill?\n    Mr. Smith. Mr. Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    Gentlemen, thank you for your testimony here today.\n    To continue on that line, General Alexander, clearly the \ntools available to us in cyberspace are very powerful. I know \nthe NSA, in particular, is very good at what we do. How far \ndown the road are we in really setting the rules of engagement, \nand who and when do those decisions get made?\n    Clearly modern warfare has forever changed; we will never \nhave a conflict in the future that doesn\'t have a cyber \ncomponent to it. And where are we on that stage, you know, in \nterms of where we escalate to the fact--to where we would \nattack and cause great damage in response to an attack on our \nown networks? Where are the rules of engagement at this point, \nand who is going to make those decisions along the way?\n    General Alexander. Well, I think if you start out within \nthe defense community, those rules for defending, exploiting, \nand attacking on the networks as part of war fall within the \nDefense Department. I think we can easily envision--there was a \nChinese PLA [People\'s Liberation Army] statement in 1996 that \nsaid something to the effect, ``If you want to attack the \nUnited States, attack its banking system.\'\'\n    Now, the issue--this complicates it and it puts us into \nanswering your question more accurately. It gives you a \nunderstanding that it may not be the Defense Department that is \nattacked.\n    But if we assume symmetrically that they would attack us, \nthe Defense Department, and the Defense Department would \nrespond back, you are now into one form. The issue, I think, \nthat realistically faces us, though, is that it would be \nasymmetrical. It would go against our industry, and it might be \nour critical infrastructure.\n    And then the question of the partnership between the \nDefense Department, Homeland Security, and the intel community \nhas to be clear. We have to have laid out those rules and \nwalked through that. We are walking our way down that; we are \nnot far enough.\n    I think within the DOD we have laid out the legal framework \nfor what constitutes an attack, how we defend our networks, \nwhat we do in that--specific to the Defense Department for DOD \noperations, for example, on the war on terror.\n    But that is a very limited and a very focused set. I think \nto really get to the heart of your question, you have to have \nthat partnership and we have to operate seamlessly across all \nof those if we are going to be successful. And that is going to \ntake some work.\n    Mr. Langevin. In the CSIS [Center for Strategic and \nInternational Studies] report, the commission that I co-chaired \nand worked on with a number of others, one of the things--the \nconclusions--that we came up with was that the president should \nmake clear that cyberspace and our cyber assets are a national \nasset and that we will use full assets of national power to \nprotect it. Do you agree that it is time that we have, perhaps, \na cyber Monroe document that lays out clearly what our response \nwould be in terms of protecting our cyber assets?\n    General Alexander. I do.\n    Mr. Langevin. Let me add----\n    General Alexander. There is four others that--you want to--\nI do. I think they do, too, but I don\'t----\n    Mr. Langevin. Anybody else?\n    General Alexander. But, I don\'t want to speak for \neverybody.\n    Mr. Smith. I guess the follow up to that, what would be \ninvolved in making sure that that is clear? Is there an \nexecutive order that is needed? And following up a little bit \non what Mr. Thornberry was asking about in terms of your \nauthority to act--is that understood, or is there more action \nthat is needed to allow you to have that authority?\n    General Alexander. Well, I think what the 60-day review is \nlooking at is taken right from your study and others and \nsaying, ``So how do we start that at the top? What is the White \nHouse role in doing that?\'\' And I think they are going to set \nthat up and say, ``Here is the White House role,\'\' and lay that \nout.\n    So that is yet to be fully disclosed, and I think they have \ngot a couple more steps to complete that. But my gut reaction \nis that they will do essentially where you are, so we have to \nset up a national leadership for it at the White House. Roles \nand responsibility to the Defense Department, DHS, our \npartnership with industry, and our partnership with allies \nneeds to be clearly documented. And I think we have to start \nwalking down that road.\n    The follow-on question is, okay, so you have these--you \nhave the legal framework that we talked about, that has got to \ncome up. You have to have the operational framework. And I \nwould submit that first we have got to lay out operational \nframeworks that will work.\n    There are operational frameworks that people can put on the \ntable that just don\'t make technical sense, so that is where \nour partnership with industry really has to come to the \nforefront. What technically can we do to secure those networks \nwith the Defense Department, the intelligence community, and \nDHS, and industry, and then how do we take that--what do we \nneed legally to make that work? And I think we have yet to walk \nthrough those, and I think the first step will be when the \nWhite House puts out that 60-day study.\n    Mr. Smith. Ask a little bit about acquisition issues, and \nmaybe have the three individual services speak to their ability \nto acquire what they need technologically, because there is the \nchallenge in the IT world that basically Moore\'s Law runs \nheadlong into the acquisition process. You know, things update \nvery rapidly, and yet it takes a couple of years to go through \nthe ability to acquire systems.\n    Now, I know reforms have been made to a certain extent \nwithin IT to give greater flexibility to enable you to purchase \nmore equipment more quickly. How well is that working, and what \nmore do we need to do to make sure you are able to buy the \nequipment that you need? And just if each one of you could sort \nof give a little vignette from your experiences within your \nindividual service.\n    General Shelton.\n    General Shelton. Glad to start. You are exactly right. We \nhave a real challenge of what I would call an industrial age \nacquisition process trying to operate in IT space, which is not \nadequate. We have vehicles that we can use to acquire IT \nsolutions, and in many cases those are commercial off-the-shelf \nproducts or commercial off-the-shelf products that we slightly \nmodify and adapt to our purposes. In some cases, the question \nis scalability, but beyond that those solutions are there.\n    So I think we are in reasonably good shape from the overall \ncapability to acquire. It is that we don\'t often exercise that \ncapability the way we should, so----\n    Mr. Smith. Why not?\n    General Shelton. We sometimes revert to the way we have \nalways acquired. So we are forcing that inside the Air Force. \nWe are forcing that toward much different solutions, and we are \nforcing an architecture that will allow much different \nsolutions----\n    Mr. Smith. Well, Mr. Carey, if you could talk a little bit \nabout Navy\'s experience with the Navy-Marine Corps Intranet, \nwhich was a big transition system in terms of the software \nbeing put in place--how difficult was that to acquire? Or just \nmore broadly within the same acquisition area, what challenges \nare you facing? What do you think needs to be done to overcome \nthem?\n    Mr. Carey. NMCI [Navy Marine Corps Intranet], sir, was a \nhuge culture change to the department in the IT space. To move \nfrom a system of lots and lots of networks controlled by \nindividual unit commanders or organizational commands through a \nhomogeneous, centrally-controlled network apparatus was just a \nhuge culture change, so it took some time to get there.\n    The acquisition process allowed us to get there----\n    Mr. Smith. Okay.\n    Mr. Carey [continuing]. In a reasonable amount of time, but \nimagine that it is now the largest intranet in the world, so \ngrew from having hundreds of networks--we are not subsumed by \none--using the process.\n    Mr. Smith. Okay.\n    Do you have anything you want to add?\n    Mr. Krieger. Sir, I think your discussion on the \nacquisition process not being agile is really a cultural issue.\n    Mr. Smith. Okay.\n    Mr. Krieger. So I think within the acquisition process, \nboth legislatively and regulatorily, the agility is there. This \nis a cultural change for the department. Can we deliver spiral \ncapabilities--not a full capability--quicker and spiral it out, \nversus the culture has been to deliver a completed product over \ntime?\n    Mr. Smith. Well, does that also feed into sort of how \npersonnel are rewarded and/or punished depending on how they do \nthings? That basically there is a culture that says, ``Hey, as \nlong as I am following the process, as long as I am going \nthrough the acquisition process there I am good. If I step \noutside of it I am in real danger\'\'?\n    Because it strikes me that it would really take, you know, \ncreative personnel who understand IT to say, ``Hey, I need this \nsolution now. I am going to go do it, not go through the normal \nprocess as empowered.\'\'\n    And I can see where you might be limited within the \nmilitary concept, people saying, ``Look, if I do this, you \nknow, I am not going to be rewarded for it if it goes well and \nI am sure as hell going to be punished for it if it doesn\'t go \nwell.\'\' Is there a problem with that in terms of changing how \nwe promote and reward behavior?\n    Mr. Krieger. Sir, I know within the Army in the current \nglobal war on terrorism, we are at the point in the Army now \nthat when we generate a requirement from the field of JUONS \n[joint urgent operational needs statement], and we document it, \nwe are delivering capability real quick now. And so I think \nthat culture is changing, and we certainly have soldiers, and \nsailors, and airmen in need now, but we are discovering, \nculturally, that it is possible to deliver IT quicker and \noutside--within the system but not the traditional way that we \nbuild airplanes and ships and things. And certainly there is \nlots of examples in the current war where we have identified a \nproblem, we have documented the requirement, and we have \ndelivered spiraled-out capability.\n    Mr. Smith. Thank you. I very much appreciate it.\n    I will go to Mr. Miller and then I will go to Mr. Conaway, \nwho walked in right at the end of the questioning there, but we \ndon\'t want to get you out of the loop there, so we will go to \nMiller, Conaway, and then back to the other.\n    Mr. Miller. Thank you, Mr. Chairman.\n    One brief question to General Alexander, if you would, in \nreference to the new idea of the new sub-unified four-star: \nWill DISA and NSA be rolled into the command and how will the \nrelationship between DISA and ODNI [Office of the Director of \nNational Intelligence] be affected?\n    General Alexander. It is not clear, in my mind, that it \nwould--it will not be rolled in, per say. I think that part--it \nwill be leveraged in the foundation for it. I think we have to \nhave the synergy between what NSA does for the intel community, \nfor what NSA does for the cyber community, and those are \ninextricably linked.\n    So, specifically today, we have JFCC-NW at NSA, and as a \nconsequence of having them there at NSA they can leverage the \ndifferent offices that look globally to do their mission. I see \nthat--we growing that connective tissue between what NSA is \ndoing and what this command is doing.\n    I think there are some things that will be in common that \nwe are going to have to put in both in the concept that is \nbeing looked at, and that is, how do we see cyberspace? An \nintegrated cyber operations facility. What is it that you see \nfor your defense? How do you see your network boundaries?\n    What do you see globally? What do our allies see? What is \ngoing on on the network? And how do you mitigate and attribute, \ngoing back to the question?\n    Because if you can\'t see it you are not doing it in real \ntime. So how are you doing that in real time? How are you \nbouncing those back and forth?\n    So what I imagine will happen is, we will put the pieces \ntogether at Fort Meade, at least in the recommendations and the \nthing that is under consideration, and then look at how you \nbuild the command to specifically do cyber operations, \nleveraging what NSA brings in network exploitation. And I think \nthat is the key part, is to have them coexist.\n    In that respect, the DNI [Director of National \nIntelligence] is comfortable and a proponent for it, because it \ndoes both. I think it is good for both of us and we can do \nboth, in that regard.\n    The second question--the logical question that stems out of \nthat, and what is your relationship with DHS because they need \nsome of the same support? We see that that is a foundation that \nDHS can lean on--a technical foundation--while DHS takes on its \nmissions to operate and defend the rest of the dot-gov \nnetworks.\n    Mr. Smith. Thank you. Mr. Conaway.\n    Mr. Conaway. Thank you, Mr. Chairman. Since I just got here \nI will not replow----\n    Mr. Smith. Thank you. Mr. Marshall.\n    Mr. Marshall. Thank you, Mr. Chairman. I would like to \nreturn to the line of questioning that I had when I was--just a \nminute ago, and it is again, where is it that you perceive the \nprivate sector\'s interests, motivation diverging from ours?\n    And General Alexander, you described, you know, a private \nsector company that might be able to--that had a similar \ninterest because billions of dollars are at stake, or very, \nvery sensitive information was at stake so they wanted to \nprotect that information. And being able to harden itself, and \nits use probably more so than we could, practically speaking, \ngiven the cost associated and given the kind of uses that we \nhave to make of information technology across the military.\n    But can you give other examples that would help me \nunderstand how they diverge, and would--this is a question to \nall members of the panel, not just General Alexander.\n    I know, Mr. Lentz, you were about to say something and I \nhad run out of time.\n    Mr. Lentz. Well, I can give you a couple examples of that. \nI think the biggest challenge we are going to have--and I think \nthe laptop example that you alluded to in the beginning is a \ngood example of that--when we did our data-at-rest encryption \npolicy, we went out to industry, established a standard, we \nworked with industry to figure out where that bar for security \nneeds to be and where they can meet that bar at the cost and \noperational effectiveness that meets both entities\' standards, \nfor them to make a profit, but also for us to be able to get \nthe most secure capability out in the field.\n    We did that very quickly over the course of several months. \nWe developed the standard, and we have 12 companies that bid \ncompetitively for that process.\n    The cost for a data-at-rest piece of software license would \nnormally cost you $200 if you went and got it yourself. Because \nof this competitive standard-based process, we dropped the cost \nto less than $10 per software license. Now, that is an example \nwhere we had convergence.\n    Now, as the bar goes higher in cyberspace because the cyber \nthreat is increasing exponentially, we have to work with \nindustry to build in much more robust capability. And that is \nnot just dealing with encryption, but all the aspects that go \naround hardware and software.\n    And that is where industry is going to have a more \ndifficult time, because as that bar gets raised, their profits \nstart to decrease. And that is where we have to look at the \ngovernment-private sector partnership to figure out how we can \nget that bar raised in a cooperative way, at the same time \nmaintain the competitive acquisition process.\n    General Alexander. My experience with industry, though, is \nthere is more convergence than there is divergence. They see \nthe obvious rationale for securing the networks just like we \ndo.\n    More importantly, they also see that they, in part--many of \nthe industry folks that I have talked to said, ``We need \ngovernment support here.\'\' I don\'t think they want government \ncompelling them to do things on the network, but I think they \nneed government support in securing it and developing a \nframework--a technical framework--that is securable.\n    That is probably going to be impossible, so how do we get \nas close to that as we can? I think industry is absolutely \nlooking for partnership with government and with our allies \nsetting up some solution like that.\n    So my experience has been almost completely convergent in \nthat regard. I have not seen--I asked one industry, I said, \n``Why don\'t we give you this problem?\'\'\n    They said, ``We can\'t afford to do it without government \nsupport.\'\' That was the only divergence.\n    We said, ``Well, this would be one that we would throw \nover. Critical infrastructure--that is an industry thing. Why \ndon\'t you take care of it?\'\' And they said----\n    Mr. Marshall. So, industry interest is not broad enough to \njustify the cost, is in essence what you are saying, and so to \nthe extent that we have got to have a certain level of security \nor capability, industry is not necessarily going to generate \nfor us because either there are too many defeatist characters \ncompeting with one another with different products, and \nconsequently different companies looking at those different \nproducts, or there are just not enough companies that are that \ninterested in that level of security or capability?\n    General Alexander. Banking industry clearly has a \ncompelling need to create that existing secure infrastructure, \nand they are working hard to do that. There are things that \ngovernment and industry--and that industry--could work together \nto make it even better. Your electrical power grid and some of \nyour other ones are low cost when you look at the network.\n    So the power companies that are going to have to go out and \nchange the configuration of their networks, that is a cost that \nif you take what Bob was saying, one further step, now to \nupgrade their networks to make sure they are secure is a jump \nin cost for them, and now you are going to have to work through \ntheir committees, through the regulatory committees to get the \nrate increases so that they can actually secure their networks.\n    So when you talk to the power industry, as an example, that \nis one where you are not going to look at, so how does \ngovernment--because we are interested in perhaps having \nreliable power--how do we ensure that that happens as a \ncritical infrastructure? So DHS and that critical \ninfrastructure have to work together to walk through that.\n    Mr. Smith. Thank you.\n    Mr. Thornberry----\n    Mr. Thornberry. Let me give the Army and Navy a chance to \nanswer what you all\'s services are doing to train, equip, \ndevelop career paths for cyber warfare. Do you have cultural \ndifficulties there, too, particularly in whether you see cyber \nas an enabler for the things that you are already doing or a \ndomain of warfare on its own.\n    Mr. Krieger. Sir, you raised a very good issue, and the \nArmy is trying to come to grips with that right now and \nstudying it, and we have got a study going on by TRADOC \n[Training and Doctrine Command] to figure out what we want to \ndo, both at the officer level and the warrant officer level and \nthe soldier and NCO level.\n    The question is exactly on target. I don\'t have an answer \nyet, but that is what we are trying to figure out.\n    Mr. Carey. We believe that everyone that engages the \nnetwork becomes a cyber warrior at some point. If you are going \nto touch the network, you are involved in something that is \ngreater than you might have actually thought. So changing that \nculture, as my colleagues have said, is something that we are \nworking on very diligently right now as we move into our next \ngeneration network environment, and that we are bringing on \nmore people to operate in this domain, both in the uniform side \nand the civilian side, to allow ourselves that span of control \nthat we don\'t have right now inside the department.\n    Mr. Smith. Thank you.\n    I had one more line of questioning, but Mr. Conaway, go \nahead.\n    Mr. Conaway. Well, thank you, Mr. Chairman.\n    A few of us are working on an acquisitions panel issues, \nand I was just wondering, Mr. Lentz, can we use the acquisition \nregulations and practices to incent defense contractors to be--\ntheir cyber warfare posture, to make sure they are compliant or \nthat they are protected as they need to be to handle our data \nand handle our work? Is that an appropriate use of those?\n    Mr. Lentz. Yes. We are working with AT&L [Acquisition, \nTechnology, and Logistics] to look at the----\n    Mr. Conaway. AT&L?\n    Mr. Lentz. I am sorry. The acquisition organization in DOD.\n    Mr. Conaway. Okay.\n    Mr. Lentz [continuing]. To look at modifying the defense \nacquisition regs and the federal acquisition regs for including \nstronger language in there regarding meeting certain security \nbenchmark standards in terms of protecting information that \nresides on their networks. That is something we are doing right \nnow.\n    Mr. Conaway. And you think you will get pushback from the \ncontractors on this deal?\n    Mr. Lentz. No, we are not. In fact, they are asking for \nthat language. No problem.\n    Mr. Conaway. All right.\n    And then, General Shelton, when you guys set up your cyber \ncommand, can you walk us through the rationale between why that \nwas a numbered air force versus a four-star command?\n    General Shelton. Sure. As we first started to look into \nthis, we said a major command seemed appropriate because that \nis how we organize, train, and equip in the Air Force. But then \nas we thought more about it, we said, we are really about how \ndo we operate? And the way we operate in the Air Force and \npresent forces in the Air Force is through numbered air forces.\n    So if we are really all about trying to provide cyber \noperations for joint employment, it is more appropriate for a \nnumbered air force. And then the organize, train, and equip \naspects can be subsumed by Air Force Space Command. So that was \nthe rationale.\n    Mr. Conaway. Okay. And you are comfortable with--the Air \nForce is comfortable, so far, that that was the right decision?\n    General Shelton. Absolutely. Very comfortable.\n    Mr. Conaway. Thank you, Mr. Chairman.\n    Mr. Smith. Just quickly--in terms of personnel, we talk in \nthis committee each year about the challenges of making sure \nthat you have the best and the brightest folks who understand \nthe IT infrastructure, because it is a constantly evolving \nthing. Whatever the systems, it really comes down to people and \ntheir ability to adapt.\n    Just, you know, if anyone has initial thoughts. I don\'t \nknow who would be best to comment on this, so I will throw it \nopen to all of you. You know, how are you doing in terms of \nrecruiting the personnel that you need to do the IT work that \nyou need to get done?\n    Mr. Lentz. I can start out, and then----\n    First of all, and I know, Congressman Thornberry, your \ninterest is on target regarding the fact that within the \nDepartment of Defense we have over 90,000 personnel that we \nhave identified working with the services and agencies that are \ndeemed to be cyber warrior-type individuals. Now, these are sys \nadmin, that manage the system, and network administrators that \nhave part-time jobs both to defend the network as well as to \nadminister, and you can\'t separate those functions.\n    Ninety thousand. We have a plan that we are 2 years into to \ncertify all 90,000, and we right now have a goal by the end of \nthis year to be at 45 percent. And so that is a major goal.\n    The other thing we are doing is we are adding highly \nspecialized skills on top of them, in light of the cyber events \nthat we have talked about, and that will add another layer of \nmore highly skilled cyber warriors that will go to schools, \nlike in Pensacola and Maxwell and Fort Gordon, possibly, to be \nable to get more in-depth training working with the National \nCryptologic School at NSA and other institutions.\n    The fill rate overall--I will let the services comment on \nthat--but what we are seeing right now is, the fill rate for \nthose cyber warriors is a fairly good rate. We are seeing over \n90 percent, in terms of those positions that we are talking \nabout right now, which, by the way, are contractors, civilians, \nand military personnel.\n    Mr. Smith. All right.\n    I guess just in general, in any----\n    Go ahead, General. Sorry.\n    General Shelton. Sir, I was just going to say, in terms of \ntechnical expertise we have, certainly, a concern, along with \neveryone else in the nation, that there is just not that many \npeople coming out of our schools that are prepared for the \ntechnical-type work. They don\'t have the educational \nbackground, haven\'t studied math, engineering science, those \nsorts of things. So we join the course of many--this is a real \nproblem for us.\n    Mr. Smith. Yes.\n    Gentlemen, do you have anything to add to that?\n    Mr. Carey. All I would add is that we are all competing for \nthat limited resource----\n    Mr. Smith. Right.\n    Mr. Carey [continuing]. Whether it is industry, Army, Navy, \nAir Force, Marines, we are all competing for that. And so there \nhas not been a challenge that we have seen yet, but we will be \nramping up for the coming months so we will have more \ninformation somewhere in the fall.\n    Mr. Smith. Okay. Thanks.\n    And General Alexander, I just want to follow up quickly on \nthe interagency aspect of cyber security. And I think from this \npanel we have got a pretty good idea what the DOD is doing. How \ndo you interact--you touched on it a little bit--I mean, \nHomeland Security theoretically is the lead agency for the \ninteragency piece of cyber security.\n    Does DOD sort of, you know, exist in their own world and \nwork on their own systems while Homeland Security is dealing \nwith the other aspects of it? What is the integration? How is \nthat working?\n    General Alexander. Well, for offensive operations we have a \njoint task force--joint interagency task force--which brings in \nall the players. We have great partnerships with FBI, CIA, and \nothers, DHS. They sit on these panels--State Department--and \nlook at the options and where we are, and I think that is well \nrun.\n    Where I think there is work to be done, the U.S. CERT is \ngrowing rapidly, which is the DHS element that would actually \ndo the computer emergency response team\'s job for the rest of \nthe dot-gov, is taking that on in a way analogous to what the \nJoint Task Force-Global Network Ops and the CERTs under it does \nwith the services. So there is some room to grow in the rest of \nthe dot-gov to catch up where I think the Defense Department is \ntoday.\n    Within the intel community, I think they have a strong \nnetwork security program so that that is running pretty good. \nWhat is lacking today is a integrated defense where you can tip \nand cue between the different government entities and agencies \nat network speed to defend elements of it, and that is one of \nthe things we are going to have to grow, which I think DHS \nwould leverage what the intel community and the DOD has today, \nboth technically and the real time alerting and cuing. Think of \nthat as a radar system for cyber security.\n    Mr. Smith. I had one more question, but I wanted to see if \nany of my colleagues had anything further.\n    Mr. Marshall. I do.\n    Mr. Smith. Go ahead, Jim.\n    Mr. Marshall. Thank you.\n    I am continuing the same line. So, different possibilities \nhere--we have got a requirement that needs to be met that we \nhave identified. Industry has already met that requirement, so \nwe go out and we acquire either the software or the hardware \nand that takes care of that.\n    We have a requirement that has not been met by industry as \nwell, and it is the banking industry. And the banking industry \nrecognizes this need to secure billions and billions and \nbillions of dollars of exposure that it would otherwise have. \nOr it is the up--you know, hardening the defense of the \nelectrical grid, which has all these collateral public and \nprivate possible consequences if, in fact, there is a failure, \nthat an attack is successful.\n    Could you describe--is there a difference in the way we go \nabout trying to figure out the partnership and who carries what \nload in--here is the banking system. It is going to get there, \nand you know it is going to get there because there is just too \nmuch at stake. It is the brightest people in the world they are \nable to hire, and they are going to pay them big bucks, and \nthey are going to get there.\n    But they would love to have us step up to the plate and pay \nfor it. You know, that just makes more money for them. So there \nis obviously a give and take as we discuss with the banking \nsystem or banking industry who is going to do this.\n    And then, where the electrical grid is concerned, they kind \nof go, ``Well, you know, we don\'t need that kind of level of \nsecurity. That requirement is not one that we want to meet. We \nwill take a chance on the grid going down and we will just send \nour guys out there and fix it. You know, actually, they might \nmake some money. It might be better for us, in a sense, if the \ngrid goes down.\'\'\n    Could you describe how you deal with those two different \nkinds of circumstances in order to figure out who carries the \nload? Well, at this--where we are talking about electrical \ngrid, who winds up paying the freight, okay?\n    General Alexander. I think DHS would have the lead in \norchestrating that with the Critical Infrastructure Protection \nAdvisory Committees that they have, the CIPACs, that go across \neach of those. And in the banking industry, it would be a DHS-\nTreasury partnership to look at how we do it with other players \nin the community. So I think you have got DHS in the lead.\n    The interesting part that you have put on the table is that \nthere may be things that the government technically knows that \nwould be useful to industry to secure their networks a degree \nbeyond where they are today. How do we do that without risking \nsome of our nation\'s crown jewels, but ensuring their \nprotection?\n    And that is one of the things where I think the partnership \nbetween DHS and DOD is going to have to be laid out, and I \nthink it is being worked. So there is, right now--DHS has set \nup a good framework for critical infrastructure protection, and \nthey have a framework for cyber throughout that.\n    They work and they actually partner with DOD and the intel \ncommunity in those regards, and I think they would draw on \nthat. I don\'t know that anybody has come down clearly and said \nthe different roles--I don\'t think they are at that point where \nthey could define specifically the roles.\n    I will pass it over to Bob.\n    Mr. Lentz. Well, I think that is exactly the answer. I \nthink where DHS has set the framework up under their National \nInfrastructure Protection Plan, and they are working and we are \nsupporting, as an example with the financial sector, we work \nthrough Treasury and we compare technologies and techniques and \nprocedures that we are using, and trying to raise that bar.\n    And then as you work some of these other sectors, the \ninteresting challenge is going to be, like you addressed, is \ngoing to be at some point they may say, ``That is enough. I \ncan\'t subsidize this level of protection any longer, especially \nagainst a nation state.\'\'\n    And therefore, we have to have a mutual dialogue at the \nhighest levels of the government with industry to determine, \nhow are we going to get that bar to a level we are all \ncomfortable with? And that is going to be the interesting \ndiscussion in the future.\n    Mr. Marshall. Thank you, Mr. Chairman.\n    Mr. Smith. Thank you.\n    Just one final question. Mr. Thornberry had mentioned the \nattacks on Estonia and Georgia, which really sort of got \neveryone\'s attention about what can go beyond, you know, some \nof the more basic stuff that we face. And obviously, you know, \nour main concern right now is data-mining--people accessing our \nnetwork and pulling out information out of it as opposed to \naffirmatively attacking the network.\n    But in looking at what happened in those two countries, how \nvulnerable are our DOD networks to similar attacks? How \nconfident are you that we have the, you know, system set up to \nwithstand that type of an attack?\n    General Alexander. I think a distributed denial-of-service \nattack from botnets, like you saw in Estonia, if large enough, \nwould really hamper any network today, including the defense--\n--\n    And the issue is, how do we grow a defense in depth to \nensure that we don\'t have that? So that is where our allies and \npartnerships with our allies is going to become crucial.\n    If you try to defend it at your gateway, you surely will \nlose on that. And so you are going to have to have a defense in \ndepth for that type of attack specifically.\n    Mr. Smith. Forgive me. Walk me through a defense in depth, \nwhat that means exactly, in terms of what you try to do to \nprepare.\n    General Alexander. So you would have--if you just look \nglobally at the global network, instead of trying to stop all \nthe stuff here, you might want to shut them down at the point \nof origin or somewhere in between, and that means that your \noffense and your defense are going to have to be partnered \ntogether to do that.\n    Mr. Smith. Okay.\n    General Alexander. I think that is the only way you are \never going to--I think we are going to be forced into operating \nlike that in the future, and the consequences of that jump--the \nintellectual jump--is developing the tactics and techniques and \nprocedures that I briefly discussed earlier.\n    Mr. Smith. Gentlemen, anybody else want to comment on that, \nin terms of the security of your systems?\n    General.\n    General Shelton. Yes, sir. Just one comment. What we are \ntrying to do is implement some tight security on our networks, \nso when somebody comes onto the network we make them put a card \nin, we make them enter a code, and in the future probably have \nsome sort of biometric so we know exactly who that is and we \nknow exactly what permissions they have got, what data they \nhave got access to, and somebody outside that realm can\'t have \nthat access.\n    Mr. Smith. Right.\n    General Shelton. So you are defending inside as opposed to \ndefending at the wall. That is the architecture----\n    Mr. Smith. Right. And how, I mean--that is really hard with \nall the different people on the network. There are so many \ndifferent access points to the network. But I guess that is \nmore of a statement than a question, but you are working on it.\n    Anybody else?\n    Well, thank you very much. That was very, very informative. \nLook forward to working with you on this issue going forward.\n    Thank you all for your testimony and for answering our \nquestions. Thanks.\n    We are adjourned.\n    [Whereupon, at 5:12 p.m., the subcommittee was adjourned.]\n?\n\n      \n=======================================================================\n\n\n\n\n                            A P P E N D I X\n\n                              May 5, 2009\n\n=======================================================================\n\n      \n?\n\n      \n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                              May 5, 2009\n\n=======================================================================\n\n      \n      \n    [GRAPHIC] [TIFF OMITTED] T7218.001\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.002\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.003\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.004\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.005\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.006\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.007\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.008\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.009\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.010\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.011\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.012\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.013\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.014\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.015\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.016\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.017\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.018\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.019\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.020\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.021\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.022\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.023\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.024\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.025\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.026\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.027\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.028\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.029\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.030\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.031\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.032\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.033\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.034\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.035\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.036\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.037\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.038\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.039\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.040\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.041\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.042\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.043\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.044\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.045\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.046\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.047\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.048\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.049\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.050\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.051\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.052\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.053\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.054\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.055\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.056\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.057\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.058\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.059\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.060\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.061\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.062\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.063\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.064\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.065\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.066\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.067\n    \n    [GRAPHIC] [TIFF OMITTED] T7218.068\n    \n?\n\n      \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                              May 5, 2009\n\n=======================================================================\n\n      \n                    QUESTIONS SUBMITTED BY MR. SMITH\n\n    Mr. Smith. Knowing that our IT adversaries are becoming more \ncomplex, what steps is the Army taking to protect our wireless \ncommunications?\n    Mr. Krieger. The Army places tremendous focus on Transmission \nSecurity (TRANSEC) in order to protect our wireless communications from \ndetection and interception. To mitigate this increasingly adept and \ncomplex threat we maintain rigorous Certification and Accreditation \nprograms for our IP based networks; including routine network scanning \nfor unauthorized wireless access points and systems. Technical \nmitigation strategies are used to reduce the probability of detection \nand interception of our FM tactical communications systems. Encryption \nis used on our FM and IP networks using NSA approved type 1 encryption \nwhile traversing the wireless spectrum. Additionally, the Army is \nleveraging OSD\'s cooperative program with major defense contractors to \nidentify and remediate efforts to exploit wireless communications \nnetwork vulnerabilities.\n    Mr. Smith. What is the process for remediating a hardware or \nsoftware vulnerability identified during an information assurance \nvulnerability assessment? Are there institutional processes and funds \navailable, or are you forced to ``take this out of hide.\'\'\n    Mr. Krieger. The Army participates in the DOD Information Assurance \nVulnerability Management (IAVM) program which identifies and resolves \ndiscovered vulnerabilities in systems and platforms. It requires the \ncompletion of four distinct phases to ensure compliance. These phases \nare: (1) vulnerability identification, dissemination, and \nacknowledgement; (2) application of measures to affected systems to \nmake them compliant; (3) compliance reporting; and (4) compliance \nverification. This program includes Information Assurance Vulnerability \nAlerts (IAVAs), Information Assurance Vulnerability Bulletins (IAVBs), \nand technical advisories. The Army Global Network Operations & Security \nCenter (A-GNOSC) is the Army\'s focal point for coordinating the \nmitigation efforts for identified vulnerabilities across the Army. \nWhile institutional processes are used and some centralized support is \navailable, the Army still is required to ``take out of hide\'\' resources \nin order to mitigate information assurance risks.\n    Mr. Smith. What are you doing in the Services and OSD to develop a \ncareer cyber force?\n    Mr. Krieger. The Army is evaluating the current force and comparing \nit to the requirements of the proposed cyber force. Once the analysis \nis completed, the Army will develop a management program to meet the \nrequirement.\n    Mr. Smith. What incentives are available to recruit and retain the \ntypes of individuals you would like to attract to the military cyber \ncorps? Are there other incentives that you would like to be able to \noffer, but do not currently have the authority to provide?\n    Mr. Krieger. The Army continually reviews its incentives for \nrecruiting and retaining individuals who have critical skills. The Army \nmanages its resources to achieve the best possible outcome. If given \nadditional resources the Army could increase its ability to offer more \nincentives to achieve better outcome.\n    Mr. Smith. What kinds of leap-ahead technologies do you believe we \nneed to be investing in?\n    Mr. Krieger. Technologies which can provide the Army with a \nsuperior advantage to prevent, detect, analyze, and respond to threat \nevents at network speed.\n    Mr. Smith. The outsourcing of NMCI resulted in an outsourcing of \nmuch of the brains of the Navy, especially with regards to technical \nand architectural designs and senior-level technology management. What \nis the Navy doing to rectify that situation?\n    Mr. Carey. Although NMCI caused a shift in responsibility for core \nnetwork operations to industry, the Navy and Marine Corps retained a \nsignificant amount of technical, architectural and technology expertise \nsupporting other networks, including afloat, overseas, in-garrison, \nmedical, educational, and research and development networks. One of the \nprincipal concepts of the Next Generation Enterprise Network (NGEN) \nprogram is to restore the decision-making, design control and oversight \nto the DON. A modest recruiting campaign for network talent will \ncommence in Fiscal Year 2010, and we have established a comprehensive \ntraining and education strategy embodied in our IT of the Future \nprogram. As the DON implements the concepts of the Naval Networks \nEnvironment 2016, prioritized decision making, design control and \noversight positions will be filled by members of the government \nworkforce.\n    The DON will also partner with other organizations, including the \nDefense Information Systems Agency (DISA), the Defense Advance Research \nProjects Agency (DARPA), and other DOD Services and Agencies for \nanalysis, best practices and lessons learned. Finally, private sector \ndesign development and technological expertise will continue to support \ngovernment workforce decision making and oversight.\n    Mr. Smith. What is the process for remediating a hardware or \nsoftware vulnerability identified during an information assurance \nvulnerability assessment? Are there institutional processes and funds \navailable, or are you forced to ``take this out of hide.\'\'\n    Mr. Carey. The DON fully supports the IAVA process and a tool by \nwhich we can improve our network security posture. Institutional \nprocesses are in place if vulnerabilities are found during a \nvulnerability assessment. This guidance can be found on the DISA \nInformation Assurance Support Environment page located at http://\niase.disa.mil/index2.html. Specific actions are provided in the DISA \nIAVM Handbook. The DON provides additional guidance within our IA \nPolicy document and our IA Manual.\n    When a vulnerability notice has been issued by the JTF-GNO/\nNetDefense, the DOD Vulnerability Management System (VMS) sends email \nnotices through command channels to the individuals responsible for the \naffected assets. Notices are also sent to all IA Managers and \norganizational oversight users. The VMS notice directs users to access \nthe JTF-GNO/NetDefense Web Page to obtain detailed information on the \nspecific vulnerability.\n    Funding for routine hardware/software support is part of the annual \nIT support budget for most programs. If an upgrade is required that is \noutside the scope of the support contract, then funding for these \n``previously unknown\'\' vulnerabilities must be found using the DON \nprocess for conducting budget trade analyses.\n    Mr. Smith. What are you doing in the Services and OSD to develop a \ncareer cyber force?\n    Mr. Carey. DON is working closely with DOD leadership and the other \nServices to determine the scope, missions, functions and tasks relevant \nto the cyber workforce. We are working with operational organizations \nincluding the National Security Agency (NSA) and the new U.S. Cyber \nCommand to determine DON roles and responsibilities and to implement \nthe DON command and control necessary to support cyber operations. We \nare also exchanging information on manpower, personnel, training and \neducation requirements and solutions development with DOD and the other \nServices to leverage work done by others as we determine the best means \nof meeting DON cyber missions.\n    The Secretary of the Navy has issued policy that designates the \nUnder Secretary of the Navy as the DON Chief Cyberspace Officer, with \nthe DON CIO and the DUSN as his chief advisors for CND/CandA/CNE. The \ndocument also directs the Chief of Naval Operations and the Commandant \nof the Marine Corps to establish organizational constructs for cyber \noperations and to maximize training and education efficiency in \ncyberspace career fields. Additionally, the policy directs DON CIO to \nwork directly with DOD and DON cyberspace leadership to develop \nworkforce policy and guidance and to work with the Assistant Secretary \nof the Navy for Manpower and Reserve Affairs to track and measure the \neffectiveness of cyberspace manpower, personnel, training and education \nefforts.\n    Both the Navy and Marine Corps headquarters staffs are working to \ndocument cyber manpower, personnel, and training and education \nrequirements. This team includes professionals from each of the \ncommunities that supports cyber operations and reports to the Chief of \nNaval Operations or the Commandant of the Marine Corps.\n    The Navy is the executive agent for the Joint Cyber Analysis Course \nattended by personnel from all Services. Additionally, the DON \nparticipates in the DOD Information Workforce Improvement Program which \nprovides Joint opportunities for Information Assurance training and \ncertification.\n    Mr. Smith. What incentives are available to recruit and retain the \ntypes of individuals you would like to attract to the military cyber \ncorps? Are there other incentives that you would like to be able to \noffer, but do not currently have the authority to provide?\n    Mr. Carey. The Navy has the authorities available to recruit and \nretain cyber professionals. In the execution of attracting and \nretaining cyber professionals we will leverage accession and retention \nincentives where appropriate. Accession bonuses, critical skills \nretention bonuses, scholarship for service, fellowships and post-\ngraduate education all remain important tools that can be utilized to \nrecruit and retain our cyber corps.\n    Mr. Smith. What kinds of leap-ahead technologies do you believe we \nneed to be investing in?\n    Mr. Carey. The DON will seek to invest in and deploy emerging \ntechnologies that enable collaboration and increase the security of our \nnetworks. New technologies and capabilities, such as IPv6, self-forming \nwireless mobile networking (for people on-the-move, IP sensor networks, \netc.), and Web 2.0 tools present opportunities worthy of investigation.\n    The DON must also explore the use of virtualization and cloud \ncomputing. Many organizations both within and outside the DOD are \nexamining the use of ``private clouds\'\' to reduce costs, increase \nsecurity and lessen the environmental impact of IT. Additionally, we \nmust focus on Identity Management and Attribute Based Access Control as \nthey increase security and enhance information sharing.\n    New technologies are becoming available at a rapid pace, and while \nour unique position requires that we be selective in which tools we \nimplement, we continuously look for ways to increase security, promote \ncollaboration and improve the mission effectiveness of our operating \nforces.\n    Mr. Smith. What is the process for remediating a hardware or \nsoftware vulnerability identified during an information assurance \nvulnerability assessment? Are there institutional processes and funds \navailable, or are you forced to ``take this out of hide.\'\'\n    General Shelton. Remediation of hardware or software \nvulnerabilities is dependent upon type and severity of the \nvulnerability identified. Every organization conducting an information \nassurance vulnerability assessment requires local operating \ninstructions governing remediation steps for that particular \norganization and for specific vulnerability levels. Institutional \nprocesses for remediating discovered vulnerabilities are defined in \nUnited States Strategic Command\'s Secure Configuration Compliance \nValidation Initiative and are inherent in the assessment tool used. No \nadditional funds are needed because on-site vulnerability assessment \npersonnel and system owners work together to remediate identified \nvulnerabilities.\n    Mr. Smith. What are you doing in the Services and OSD to develop a \ncareer cyber force?\n    General Shelton. The Air Force is establishing dedicated officer, \nenlisted and civilian cyber operations career fields to meet Joint and \nService cyber missions. Additionally, we continue to participate in \nrobust inter-Service dialogue and OSD efforts to develop DOD-wide cyber \ncareer force guidance.\n    Mr. Smith. What incentives are available to recruit and retain the \ntypes of individuals you would like to attract to the military cyber \ncorps? Are there other incentives that you would like to be able to \noffer, but do not currently have the authority to provide?\n    General Shelton. The Air Force has many incentives available to \nsupport recruiting and retention, to include enlistment and \nreenlistment bonuses, undergraduate and graduate education benefits, \nand education with industry opportunities. At this time, we believe \nexisting authorities and incentive programs are flexible enough to \nsupport cyber recruiting and retention efforts.\n    Mr. Smith. What kinds of leap-ahead technologies do you believe we \nneed to be investing in?\n    General Shelton. Cyber technologies are a pervasive set of \ntechnologies that cannot be developed in isolation from the entire \nnational enterprise. Communication is the foundation of effective \nnational governance and current and future warfighting capabilities. As \na result, cyber leap-ahead technology development is not being done in \nisolation by the Air Force. Future technologies could include self-\ngenerating communication networks that adapt to network attacks, \nadvanced computing including quantum computer architectures and optical \nnetworks for its ability to transmit very large volumes of data over \nlong distances. Additionally, information fusion and multi-level \nsecurity could enable early detection of cyber attacks.\n    Mr. Smith. In an age of increasing outsourcing and globalization, \ncan you describe the threat to the software and hardware supply chain? \nWhat are we doing to mitigate the risks to the global supply chain?\n    Mr. Lentz. While globalization has many economic benefits, it also \nprovides increased access and opportunity for malicious actors to \nmanipulate information and communications technology (ICT) products and \nservices to gain unauthorized access to otherwise closed-off \ntechnologies and services. The multi-tiered, global nature of our ICT \nsupply chain means that the government has suppliers that it may not \nknow and may never see. With less insight into their security practices \nand less control over how they conduct their business, the global \nsupply chain may make the U.S. Government (USG) more vulnerable to a \nsophisticated adversary who can use security gaps in the global supply \nchain to alter or steal data, disrupt operations, or interrupt \ncommunications.\n    Threats to the ICT supply chain can affect both software and \nhardware products. Software is growing exponentially in size and \ncomplexity, which creates assurance challenges. In addition, software \ndesign, development, testing, distribution, and maintenance can also be \ndone more inexpensively offshore in easier reach of malicious actors. \nSecurity of the ICT supply chain can also be compromised by \nuntrustworthy or counterfeit microelectronic components. The \nsemiconductor industry has increasingly moved toward offshore or \nforeign-owned semiconductor component production. This trend creates an \nincreasing threat to the U.S. as the potential for unauthorized design \ninclusions to appear on integrated circuits used in military \napplications increases. Furthermore, counterfeit ICT products have the \npotential to fail unexpectedly and prematurely, which may cause the \nmission critical systems in which they are used to malfunction.\n    The national security concern regarding the global marketplace is \nthat software or microelectronic circuitry may include deliberately-\ninserted malicious logic or ``malware\'\' that an adversary might slip \ninto a computer system to steal or corrupt data or disrupt the system. \nThe malware might act immediately, or it may be designed to lie dormant \nuntil it is activated by a future signal. Buried in the millions of \nlines of code that comprise the modern computer application, such \nmalware is difficult to detect with malware protection applications, \nand no one may be aware of its existence until after the damage is \ndone.\n    DOD approaches supply chain risk management (SCRM) through a \ndefense-in-breadth strategy--a multi-faceted risk mitigation strategy \nthat seeks to identify, manage, mitigate, and monitor risk at every \nstage of the system or network lifecycle, from product design to system \nretirement. DOD is actively working to ensure that policies and \nprocesses are put in place to raise awareness of the risk, empower \nacquirers to make informed decisions when they procure and integrate \nICT products and services, and arm acquirers with practices and tools \nnecessary to mitigate risk when ICT products are used across the \ngovernment.\n    DOD is incrementally implementing SCRM through pilots in fiscal \nyear (FY) 2009 and FY 2010 and will be fully executing SCRM by FY 2016. \nIn addition, the Department is analyzing existing regulatory and \nlegislative authorities to provide guidance on the use of SCRM in \nprocurement planning and decision making, and to recommend proposed \nclarification of DOD authorities to reduce litigation risks associated \nwith managing supply chain risk during acquisition. DOD is also \ncollaborating with industry to develop standards and best practices \nthat recognize security challenges in commercial global sourcing. \nFinally, under the Comprehensive National Cybersecurity Initiative, DOD \nis working with other federal agencies to develop a multi-pronged, USG-\nwide approach to global supply chain risk management where best \npractices, risk mitigation techniques, and lessons learned are shared \nand the overall risk posture of the USG is enhanced.\n    Mr. Smith. How might we better utilize acquisition regulations and \ncontracting clauses to better enforce the cybersecurity posture of our \ndefense contractors?\n    Mr. Lentz. DOD plans to publish an Advance Notice of Proposed \nRulemaking (ANPR) in the near future to obtain public input on needed \nchanges to the Defense Federal acquisition Regulation Supplement with \nregard to safeguarding and cyber intrusion reporting of unclassified \nDOD information within industry. The establishment of minimum \nsafeguarding requirements for unclassified DOD Program Information on \ndefense Industrial Base (DIB) partner networks will identify cyber \nsecurity as a standard practice, and address vulnerability to \ncompromise, loss, or exfiltration of unclassified DOD Information.\n    Mr. Smith. What is the process for remediating a hardware or \nsoftware vulnerability identified during an information assurance \nvulnerability assessment? Are there institutional processes and funds \navailable, or are you forced to ``take this out of hide.\'\'\n    Mr. Lentz. The Department\'s Information Assurance Vulnerability \nManagement (IAVM) Program is specified in Chairman of the Joint Chiefs \nof Staff Manual (CJCSM) 6510.01 Change 2, dated 26 Jan 2006. This \npolicy provides reporting and compliance guidance for publishing \nInformation Assurance Vulnerability Alerts (IAVAs) for all Combatant \nCommands, Services, Agencies, and Activities (CC/S/As). IAVAs address \nimmediate threats to the Departments Global Information Grid. IA \nvulnerabilities, whether they be in the form of IAVAs or found during \nroutine evaluations, are tracked in a Vulnerability Management System \n(VMS) managed by the Defense Information Systems Agency. In support of \nthis policy, each CC/S/A must report acknowledgment, mitigation, and \nexpected correction date to the VMS database. All systems must either \nbe patched or have an approved Plan of Action and milestones (POA&M), \nfor mitigations to be implemented. Vulnerability assessments not only \naddress cyber vulnerabilities, but also identify out of date software, \nphysical security problems, and system configuration issues, etc.\n    In addition, DOD Instruction 8510.01, ``DOD Information Assurance \nCertification and Accreditation Process (DIACAP),\'\' dated 27 November \n2007, identifies detailed life cycle support requirements for \ninformation systems and addresses high-level procedures related to the \nProtect; Monitor, Analyze, and Detect; and Respond phases of the \ncomputer network defense lifecycle. In support of this policy, the \nProgram Manager or System Manager for DOD information systems is \nresponsible to plan and budget for IA controls implementation, \nvalidation, and sustainment throughout the system life cycle, including \ntimely and effective configuration and vulnerability management.\n    While there is generally no separate funding set aside for \nvulnerability mitigation and related actions by CC/S/As, system \nmitigation efforts are considered and funded as a normal part of the \nCC/S/A network defense operations resources and budgeting process. \nEnsuring adequate life cycle sustainment resources are available is a \nplanning, programming, budgeting, and execution process role of the CC/\nS/A as identified in the DIACAP. In order to facilitate standardization \nof vulnerability mitigation capabilities and to leverage the use of \ncommon tools, DOD currently has an enterprise software license \nproviding tools that enable automated vulnerability scanning and \nremediation.\n    Mr. Smith. What are you doing in the Services and OSD to develop a \ncareer cyber force?\n    Mr. Lentz. The DOD is currently working with the Services, \nAgencies, Joint Staff, and STRATCOM to develop baseline cyber workforce \nstandards. The current model for these standards is the DOD 8570.01-M \n``Information Assurance Workforce Improvement Program\'\'. The basic \nrequirements for developing a career cyber force include:\n\n    <all>  Defining baseline position descriptions based on functions\n    <all>  Identifying positions in manpower databases\n    <all>  Specifying baseline training and or certification \nrequirements aligned to the functions performed by the positions\n    <all>  Continuous education, training, and participation in \nexercises to maintain and expand skills\n\n    Mr. Smith. What incentives are available to recruit and retain the \ntypes of individuals you would like to attract to the military cyber \ncorps? Are there other incentives that you would like to be able to \noffer, but do not currently have the authority to provide?\n    Mr. Lentz. Current incentive authorities available to provide cyber \nqualified members:\n\n    <bullet>  Enlistment and reenlistment bonuses\n    <bullet>  Accelerated promotion opportunities\n    <bullet>  Recognition programs such as special patches or badges \nfor Cyber qualified personnel\n    <bullet>  Specialized training and education opportunities\n\n    The DOD IA Scholarship Program is a proven retention tool for Cyber \nsecurity military personnel. Since the program\'s inception in 2001, DOD \nmilitary personnel have pursued master\'s or PhD degrees in IA related \ndisciplines. Graduates are working full time in strategic positions \nacross the Department. All of the Services have participated to some \ncapacity.\n    Other potential incentive authorities for consideration:\n\n    <bullet>  Authorize specialty pay for cybersecurity certified \npersonnel\n    <bullet>  Authorize specialty pay for cyber warfare qualified \npersonnel (once defined)\n\n    Mr. Smith. What kinds of leap-ahead technologies do you believe we \nneed to be investing in?\n    Mr. Lentz. The philosophy explored by leap-ahead is that, while \nsome progress on cybersecurity will be made by researching better \nsolutions to today\'s problems, some of those problems may be too hard \nto solve; we need rather to leap over them by finding a way to make \nthem irrelevant. This latter approach we call changing the game, as in \n``if you are playing a game you can\'t win, change the game!\'\' Most of \ntoday\'s research, development, technology and engineering (RDT&E) \nefforts are focused on ``playing today\'s game better.\'\' But, since our \nadversaries have an advantage in today\'s cyber ``game,\'\' we advocate \ninvestment in RDT&E that moves us away from having to play that game, \nin other words, moves us towards a cyber environment where our security \ndoes not depend on the solution of today\'s intractable problems. To \nunderstand this paradigm shift, we can look at three areas which can \nyield game change in a reasonable time frame and which would be very \nuseful to the DOD.\n\n    1) Today\'s game: eliminate vulnerabilities which enable \npenetration;\n    Tomorrow\'s game: reduce consequences of penetration\n\n    Today users and their applications are our front line of defense \nagainst adversaries. Malware enters our systems through vulnerabilities \nin the applications with which we access the Internet, or is invited in \nby users who unwittingly download malicious attachments onto enterprise \nsystems. Though we struggle to keep browsers patched and users aware of \nthe latest spear phishing attacks, it is impossible to keep up, so in \nthe new game we worry less about eliminating every vulnerability, but \nplace an emphasis on technologies which mitigate the effects of the \nattacks which vulnerabilities enable. For example, using the technique \nof virtualization, we can create a temporary or ``non-persistent\'\' \ncomputer-within-a-computer for our risky browsing and email sessions. \nUser mistakes don\'t hurt us because attacks which enter through the \nvirtual computer never touch our mission network. Other ideas in this \nvein include advanced key management techniques to enable ubiquitous \nencryption of mission data and prevention of exfiltration of \nintellectual property (adversaries may get in, but they can\'t see \nanything); also a network operating system to instantiate access policy \nat any level of the architecture and prevent adversaries from \nescalating privileges (adversaries may get in, but they can\'t do \nanything).\n\n    2) Today\'s game: check for maliciousness;\n    Tomorrow\'s game: know what to trust\n\n    Today we spend a lot of energy testing digital content to determine \nwhether it is trustworthy. Virus-checkers and content filters attempt \nto ascertain by inspection whether applications and data are safe to \nplace on our systems. Root-kit detection tools try to tell us if our \ncomputers have themselves been compromised. All of these tools are \ngenerally only as good as the catalog of attacks they have seen before. \nAgain, it is impossible to keep up, so in the new game the emphasis is \non roots of trust, or what it is that we can know for sure about our IT \nassets. Using new hardware constructs like the Trusted Platform Module \nand techniques of measurement and attestation, we can begin to have a \nmeans to monitor and restore the integrity of computers throughout \ntheir deployment life. Other useful avenues along these lines include \nprovenance technologies for associating integrity and authenticity \nproofs with all types of digital content and events; also unspoofable \nidentity authentication to eliminate masquerades. These approaches \nallow us to trust our assets because we know they are good, rather than \nbecause we haven\'t proven that they are bad.\n\n    3) Today\'s game: avoid damage;\n    Tomorrow\'s game: fight through and recover quickly from damage\n\n    Today we have a large investment in perimeter defense not only to \nkeep adversaries from learning our secrets, but also to prevent their \ntampering with our data and command and control systems. We have COOPs \nand mirrored data centers designed for recovery from physical damage. \nWe have learned, though, that perimeter defense does not always work, \nand that attacks on the integrity or available of our assets look very \ndifferent from flood damage or electrical blackouts, so in the new game \nwe emphasize the ability to maintain operations in the face of attack. \nVirtualization can help us again here. Virtualization obviates the \nnecessity for coupling together specific logical and physical assets. \nFor example, each user\'s environment (data and computing tools) can be \nstored and maintained as a digital file or image in a central control \narea. Should those environments be lost or compromised, they can easily \nbe ``reincarnated\'\' into any compatible physical platform. We may also \nchoose to prophylactically refresh stored images periodically just in \ncase. Other promising paths include ``battle mode\'\' where assets are \nstripped down to an easier-to-guarantee austere functionality, and \nself-healing to bootstrap back up.\n    The new paradigms described above take us to a future where we are \nnot so vulnerable to the asymmetric advantage enjoyed today by the \nremote network attacker. Each of the new games takes advantage of \ntechnology which seems to be emerging on the near horizon to mitigate \nour need to depend on things that are too hard for us to do.\n    Mr. Smith. The Secretary of Defense recently placed the Joint Task \nForce for Global Network Operations under the operational control of \nJFCC-NW. Why was that important and how does it make our DOD systems \nmore secure?\n    General Alexander. Earlier, the Department of Defense established \ntwo separate military cyber component commands under U.S. Strategic \nCommand--one dedicated to defensive cyber operations (JTF-GNO), the \nother to building an offensive capability (JFCC-NW). However, neither \nof these entities was fully resourced and their separation inherently \nprecluded the type of dynamic defense and agile, fluid maneuvering \nneeded to secure our equities in cyberspace. In recognition of this, \nthe decision was made in November of 2008 to consolidate these two \ncomponents. The contested cyber environment clearly demands an ability \nto seamlessly integrate and synchronize cyber offense with cyber \ndefense--at network speed. Further, it requires a unifying construct \nwith the focus, scope of responsibility and authority to succeed in \nthis mission space. Unifying command and control along the full range \nof capabilities will streamline operations, improve situational \nawareness and ultimately provide a much more robustly and reliably \ndefended Global Information Grid.\n    Mr. Smith. What are the pros and cons of establishing a sub-unified \nCyber Command under STRATCOM? How would this be different from the \ncurrent structure?\n    General Alexander. The decision to establish a sub-unified Cyber \nCommand was made in the Office of the Secretary of Defense (OSD) and is \nbest answered by OSD.\n    Mr. Smith. What role do you have in helping define the S&T \nrequirements for cyberoperations?\n    General Alexander. Joint Task Force-Global Network Operations (JTF-\nGNO) and Joint Functional Component Command for Network Warfare (JFCC-\nNW) have a cadre of military, government, and contractor personnel who \ndirectly support cyber operations planning, define cyber capabilities \nrequirements, prototype and/or manage funding, on behalf of U.S. \nStrategic Command, related to cyber capabilities, technical assurance \nand risk assessment. Collection of Combatant Command requirements is a \nproactive endeavor, conducted and maintained via a JWICS-based \nintellipedia wiki website known as the Collaborative Environment (CE).\n    In general, these requirements require long term solutions and \nextensive intelligence efforts software and hardware research \ndevelopment, as well as test and operational fielding. Emergent \noperational needs or enabling requirements are also identified by cyber \noperators, crisis planners and Combatant Commands, sometimes in ``real \ntime.\'\' Emergent requirements may drive more future S&T efforts but the \nstanding Combatant Command requirements are the primary drivers for the \nongoing S&T efforts which are funded through a Call for Proposals \nprocess. This also provides a direct linkage to the Service and Agency \nresearch laboratories, which are the primary developers of \ncapabilities. The National Security Agency (NSA), JFCC-NW and JTF-GNO \nprovide collaborative operational and technical inputs to U.S. \nStrategic Command\'s Integrated Priority List gap analysis effort to \nensure both budgetary and S&T awareness of areas requiring attention.\n    Mr. Smith. What is the process for remediating a hardware or \nsoftware vulnerability identified during an information assurance \nvulnerability assessment? Are there institutional processes and funds \navailable, or are you forced to ``take this out of hide.\'\'\n    General Alexander. As a routine matter, the remediation process for \nhardware and software vulnerabilities that are identified during an \ninspection are usually mitigated by the associated vendor. Each vendor \nprovides fixes for products with active support for lifecycles. These \nfixes are provided to the users of those products at no additional \ncosts to the user as long as they are within the supported lifecycle. \nIn many instances Agencies will purchase an additional support \nagreement for specific products for technical guidance or warranties \nfor newly purchased products. During the purchase of those products, \nvendors will recommend a support agreement for their product for an \nadditional fee or on an as required basis (hourly rate). This agreement \nwill normally provide the user with an account or support contact to \naccess the required update or technical support information\n    Most large software companies (i.e. Microsoft, Cisco and Oracle \netc.) will provide fixes for vulnerable software Operating Systems and \napplications that are still supported by the vendor at no additional \ncost to the user. Open source applications are usually updated/upgraded \nas vulnerabilities are identified by any associated developer that has \ntechnical knowledge of the affected code and is normally provided at no \nadditional charge. At any given time a vendor patch has the ability to \nbreak something. In this case the vendor will try to provide an \nappropriate fix for their product however; if this is a special case \nyou may need a Technical Support Agreement with the vendor to \ntroubleshoot your problem which may incur an additional cost.\n    However, there are other significant costs associated with \ninvestigation, analysis and remediation of compromised systems outside \nof the normal life-cycle arrangements. This question is best answered \nby the individual services and agencies as they are in the best \nposition to discuss the budgetary impact of those activities.\n    Mr. Smith. What are you doing in the Services and OSD to develop a \ncareer cyber force?\n    General Alexander. Developing cyber forces is a Service organize, \ntrain, and equip responsibility, and they are best positioned to \naddress individual Service career field development efforts.\n    A lot of planning work is being done within all the Services, \nregarding identification of new skills needed to perform emerging \nmissions. We must also leverage the unique contributions of \nuniversities and research institutions as well as private enterprise to \nensure U.S. forces are always on the cutting edge.\n    The Secretary of Defense has directed all the Services to maximize \nthe facility at the Center for Information Dominance in Corry Station, \nPensacola (the Executive Agent for Cryptologic Computer Network \nExploitation and Defense training) to acquire the technical skills \nrequired for cybersecurity missions. (Those with more analytic work \nroles receive their training at Goodfellow Air Force Base.) It is \nexpected that graduates of both programs will be assigned to places \nwhere they can practice what they learned, gain mission experience in \nseveral sectors of Computer Network Operations, and participate in more \nadvanced training fielded by the Services and the Crytologic Training \nSystem.\n    Mr. Smith. What incentives are available to recruit and retain the \ntypes of individuals you would like to attract to the military cyber \ncorps? Are there other incentives that you would like to be able to \noffer, but do not currently have the authority to provide?\n    General Alexander. Recruiting will be one of our top priorities. \nUnfortunately, very little is available today as the Services do not \ncurrently recruit specifically for cyberspace forces. However, as we \nmove forward, there are a number of recruitment and retention \nincentives we would recommend.\n    We will encourage Service ``cyberspace branches\'\' to operate \nindependent of recruiting operations within their Service, with subject \nmatter experts interviewing and testing candidates from within the \nranks. We should provide recruiters with sufficient knowledge of the \ncyberspace career opportunities in DOD to address basic questions of \npotential recruits. We should enhance recruiting organizations with \ncyber mentors, test materials, and military cyberspace points of \ncontact. And just as importantly, we must use DOD and Service public \naffairs resources to aggressively promote a professional cyberspace \nfield. In addition, we should also consider the implications of total \nforce recruitment, leveraging our Reserve and National Guard \ncomponents, to identify colleagues as potential members of the DOD \nworkforce while also identifying and considering the cyber-related \ntalents they may bring from their civilian employment.\n    Once we\'ve begun to recruit highly motivated candidates with the \npotential to succeed in the cyberspace workforce, we will continue to \nseek and leverage a wide variety of incentives and career options to \nretain them. Individual services should seek to introduce incentives \nbased on their ability to attract and retain personnel can develop \nmonetary and other incentives that are widely used across DOD. \nIncentives such as additional skills pay, performance and re-enlistment \nbonuses, special schooling and certifications, as well as advancement \nin specialized fields (e.g., nuclear power incentive pays) will have to \nbe considered. We should seek to recruit DOD civilian cyber specialists \nfrom our military personnel and allow them to benefit from military \nretirement benefits while continue to advance their careers as \ngovernment civilians. We should consider a ``cyber branch\'\' model that \nallows us to affect assignment tempo for exceptionally talented \nperformers, thus allow cyber specialists to continue to work their \nspecialties. To keep our world-class force, we need to provide non-\ntraditional means to routinely update cyber skills and develop inter- \nand intra-Service competitions to identify and reward the best of the \nbest. Finally, we should continually emphasize the uniqueness of the \nwork, access to some of the world\'s most advanced cyber technologies, \nand the critical importance of this mission to both DOD and the nation.\n    Mr. Smith. What kinds of leap-ahead technologies do you believe we \nneed to be investing in?\n    General Alexander. The following are examples of current \ninvestments:\n\n    <bullet>  Knowledge Management Systems (KMS). An integrated and \nautomated requirements database; a tools and tactics repository; and an \nAnalyst Workcenter interface with an information warfare planning \nsystem.\n    <bullet>  Common Cyber Operational Picture (COP): Automated \ncombination/deconfliction of germane real-time exploitation and attack \nwarning and characterization along with real-time situational awareness \nof defense measures; functionally tailorable to facilitate information \nsharing with different U.S. agencies and allies.\n    <bullet>  Attribution Science: Anti-anonymizer technologies (how to \nboth create them and defeat them); hardware and software signatures; \nand tactics techniques and procedures (TTP) for operational uses.\n    <bullet>  Internet Governance. Thorough research of: 1) the next \ngeneration Internet Protocol version 6 (IPv6), which is prevalent in \nmany universities and R&D environments and is quickly emerging in many \nforeign sectors. 2) the ``.tel\'\' internet domain, the online equivalent \nto the phone directory, which is the most significant innovation in the \ndomain name system since the advent of .com.\n    <bullet>  Network Traffic Interdiction Capabilities: Capabilities \nfacilitating interdiction of targeted traffic in transit across the \nglobal network.\n    <bullet>  Automated network re-configuration and Computer Network \nDefense applications. Requires all of the above technologies to be \napplied and integrated in real-time.\n                                 ______\n                                 \n                 QUESTIONS SUBMITTED BY MR. THORNBERRY\n\n    Mr. Thornberry. Define a cyber warfighter, or cyber warfare \nprofessional as he exists today.\n    Mr. Krieger. ``Cyber warfigher\'\' and ``Cyber Warfare Professional\'\' \nare still fluid terms; however, the terms can include professionals who \nperform duties under three categories: Computer Network Attack (CNA), \nComputer Network Exploit (CNE), or Computer Network Defense (CND)/\nNetwork Operations (NETOPS).\n    Mr. Thornberry. Describe what you envision for the cyber warfighter \nof the future in terms of education (undergraduate/graduate or high \nschool only, too), training, career path, rank structure, capability, \nmission, responsibilities, organization, etc.\n    Mr. Krieger. Army\'s education, career path and management of future \ncyber warfighters is being developed using standard paths through our \npersonnel management system for officers, enlisted and Department of \nthe Army Civilians to ensure that our workforce meets the Army\'s needs \nin the Cyberspace field. The Army follows the Federal Information \nSecurity Management Act (FISMA) and Department of Defense Training and \nCertification mandates which require Information Security \nCertifications and all levels of our Information Security Professional \nCorp.\n    Mr. Thornberry. Given the limited pool of individuals with the \nnecessary technical skills, as stated recently by Gen Shelton, and the \ngrowing cyber personnel requirements articulated by Secretary Gates, \nwhat is the plan to recruit, organize, train, and equip prospective and \ncurrent cyber warfare professionals? Is it joint or by service? Please \nexplain.\n    Mr. Krieger. The Army conducts ongoing reviews to ensure it is \nmanned, trained and equipped to meet the Army\'s operational missions \nand increase the pool of eligible candidates that meet the standards \nfor occupational skills which are deemed critical. The Army works \ndiligently with Joint Staff and other services to combine its training \nand other efforts wherever possible to make sure that the needs of the \nDepartment of Defense are integrated wherever possible to increase \nefficiency and effectiveness.\n    Mr. Thornberry. In your opinion should the cyber warfighter be \ntrained by service branch, jointly, jointly with service specific \ntrailer courses, or somehow else? Why?\n    Mr. Krieger. The Army fights as a Joint/Coalition force and \ntherefore supports Joint training to the maximum extent possible, but \nrecognizes the peculiarities of each individual service. Joint training \nallows services to train to a single standard and leverages the one-\ntime investment in infrastructure, training curriculum and reduces \nduplication. The Land, Air, Sea, and Space domains each have unique \ncharacteristics and challenges while working in and through the \ncyberspace domain. Functioning effectively in each of these domains \nrequire different equipment sets/characteristics, training/education \nand operational principles. As standardized and/or unique joint mission \nrequirements are identified, specific joint trailer courses will allow \nthe services to focus the skill sets of the personnel to satisfy that \nparticular mission.\n    Mr. Thornberry. In the current overseas contingencies, please \ndescribe to what extent, if any, has U.S. Strategic Command \n(USSTRATCOM) taken an active role supporting U.S. Central Command?\n    Mr. Krieger. USSTRATCOM along with the Army Service Component \nCommand has played a very active role in the development of Computer \nNetwork Operations tools supporting USCENTCOM. USSTRATCOM was integral \nin mitigating Computer Network Defense/Information Assurance issues in \nsupport of Operation Iraqi Freedom and Operation Enduring Freedom. \nUSSTRATCOM recently marshaled resources to mitigate capacity \ndegradation stemming from breaks in undersea cables, restoring service \nwith no significant operational impact. USSTRATCOM\'s main focus over \nthe past year has been on establishing common standards, procedures, \nand discipline to better secure military networks. This benefits all \nwarfighters, to include USCENTCOM, who are dependent on Cyberspace to \nconduct operations.\n    Mr. Thornberry. Irrespective of service branch, does USSTRATCOM\'s \ncyber warfighters possess the skills necessary to ensure all secure \nbattlefield communications? Please explain.\n    Mr. Krieger. Gen Chilton, Commander USSTRATCOM, stated in \nCongressional Testimony to the Senate Committee on Armed Services, on \n19 March 2009:\n    ``The provisioning of adequate cyber forces to execute our assigned \nmissions remains our greatest need in this mission area.\'\'\n    The Army is aware of this requirement, and has been very proactive \nin training, equipping and manning USSTRATCOM and its Functional \nComponents with requested cyber warfighters to secure the internet and \nbattlefield communications. Consistent with the National Military \nStrategy for Cyberspace Operations, the Army has made progress toward \ndefining Service level requirements and advocating for Service \ncyberspace workforces. We understand the demands, and have moved \naggressively to grow our cyber expertise; organize and orient against \nthreats; and improve the technical and manpower capabilities our Joint \nWarfighters and interagency partners require for the cyberspace fight.\n    Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and \nDISA clearly defined in theater?\n    Mr. Krieger. Currently, USSTRATCOM operates through two subordinate \ncomponent commands: Joint Functional Component Command for Network \nWarfare (JFCC NW) and Joint Task Force for Global Network Operations \n(JTF-GNO). Both commands have implemented a more responsive command and \ncontrol structure reliant on centralized orders and decentralized \nexecution. Tightening the relationship between JFCC NW and JTF-GNO this \npast year has led to a better, more responsive capability to defend our \nmilitary networks. But, we have found the need for closer coordination \nand clearer delineation of responsibilities at the national and theater \nlevels, and are moving to form USCYBERCOM. This new organizational \nstructure will enable DOD-wide leadership to address computer security \nincidents and network compromises enhancing timely threat \nidentification and mitigation through unity of effort, both within \ntheater and globally.\n    Mr. Thornberry. Should the Department of Defense establish a \n``Cyber Agency\'\' at the same level of the National Security Agency \n(NSA) and Defense Information Services Agency (DISA)? Why or why not?\n    Mr. Krieger. Army stands ready to support the strategy defined by \nDepartment of Defense leadership.\n    Mr. Thornberry. To what extent is the cyber domain being integrated \ninto other domain and domain awareness initiatives (i.e. battlespace, \nmaritime, air, space)? Please describe.\n    Mr. Krieger. The U.S. Army Training and Doctrine Command \nestablished an Integrated Capabilities Development Team (ICDT) \nchartered to integrate cyberspace operations into full spectrum land \ndomain operations. This ICDT is developing a Cyberspace Operations \nConcept of Operations (CONOPS) which will articulate how the Army \nintends to fight in the Cyberspace domain which incorporates lessons \nlearned from Operation Iraqi Freedom (OIF), Operation Enduring Freedom \n(OEF) and our National Training Centers which stresses integration. The \nCONOPS describes how the Army will use the other domains to support \nland component Battle command in terms of cyberspace awareness. This \nCONOPS will form the basis for future Army analysis and capability \ndevelopment efforts.\n    Mr. Thornberry. Define a cyber warfighter, or cyber warfare \nprofessional as he exists today.\n    Mr. Carey. While all who engage the network to perform their \nmissions are members of the cyber workforce, we consider a cyber \nwarfare professional as an officer, enlisted member or civilian trained \nto work in an interdisciplinary domain including networks, computer \napplications and services. These professionals work in information \noperations, computer network defense, attack, and exploitation aspects \nof network operations, which must be aligned from end to end with the \nIntelligence Community. They will work as a cohesive unit, combining \nIntelligence and Operations to perform information assurance in \nprotecting, monitoring, analyzing, detecting and responding to threats \non the network, and manage information by retrieving, caching, \ncompiling, cataloging and distributing it. The management mission also \nincludes information technology system acquisition and architecture \ndevelopment and compliance.\n    Mr. Thornberry. Describe what you envision for the cyber warfighter \nof the future in terms of education (undergraduate/graduate or high \nschool only, too), training, career path, rank structure, capability, \nmission, responsibilities, organization, etc.\n    Mr. Carey. The DON will recruit cyber workforce personnel from \nmultiple educational levels, hiring experienced personnel and \ndeveloping the cyber skills of others through career path education and \ntraining. The DON will recruit from high school, vocational school, \njunior college, undergraduate and graduate programs. DON cyber \npersonnel will be educated and trained through a blended approach of \ntraditional schoolhouse instruction, on line, and commercial vendor \ninstruction including cyber and information assurance certification and \nlicensing programs, joint education, on-the-job training and \nqualification, and team and unit tactical training. A key element of \nthis program will be standardized training (applicable to positions \nregardless of the military or civilian status of the person performing \nthe work in the position) and education curricula to support a core \ncapability that is fungible across the contractor/civilian/military \nworkforces.\n    Rank and grade structures for military and civilian personnel will \nfollow current structures, and it is expected that cyber workforce \npersonnel will be required at all rank and grade levels. Career path \ndevelopment is still in progress as the missions, functions and tasks \nof the DON cyber structure are developed, but it is expected that there \nwill be military career paths leading to the most senior enlisted and \nofficer ranks. Civilian personnel will be able to follow paths leading \nto, and including Senior Executive Service positions.\n    The DON cyber workforce will be capable of supporting all DON \nmissions. Within the cyber arena they will provide Computer Network \nDefense (CND), Network Operations (NETOPs), Information Assurance (IA), \nComputer Network Attack (CNA), Computer Network Exploitation (CNE), and \nAll-Source Intelligence support; telecommunications, and management \nfunctions including design and development, strategic planning and \ninvestment, policy and planning, and acquisition.\n    Cyber workforce responsibilities will be split among military, \ngovernment civilian and contractor support personnel as required. \nDecisions on workforce structure, the number of inherently governmental \nactivities, and the scope of in-sourcing and outsourcing will be \nfinalized following the establishment of the Department of Defense and \nthe DON Cyber Command structures, missions, functions and tasks.\n    Mr. Thornberry. Given the limited pool of individuals with the \nnecessary technical skills, as stated recently by Gen Shelton, and the \ngrowing cyber personnel requirements articulated by Secretary Gates, \nwhat is the plan to recruit, organize, train, and equip prospective and \ncurrent cyber warfare professionals? Is it joint or by service? Please \nexplain.\n    Mr. Carey. The Department of the Navy (DON) is developing plans to \nrecruit, organize, train, and equip military and civilian cyber warfare \nprofessionals. The first step being taken is to determine the specific \nskill sets needed for cyber warfare. The DON will also develop career \noptions to support recruitment, retention, and development of personnel \nwith the needed skill sets. The DON is looking at ways to modify career \npaths and improve training to prepare the current workforce to meet the \ncyber challenge. The Navy along with the other services will continue \nto leverage training and educational opportunities by sharing resources \nat the Center for Information Dominance, Joint/National-sponsored \nschools, and post-graduate schools. The task of equipping this force \nwill follow closely the training model for the near term, primarily \nleveraging Joint/National capabilities.\n    Mr. Thornberry. In your opinion should the cyber warfighter be \ntrained by service branch, jointly, jointly with service specific \ntrailer courses, or somehow else? Why?\n    Mr. Carey. Cyber warfighters must be thoroughly trained, employing \nboth formal education and on-the-job training tracks within both their \nrespective Services and the Joint environment. This is essential, due \nto the nature of cyber warfare and the need to be able to defend the \nGlobal Information Grid and its Service components. Foundational \neducation and training should take place within the Service framework, \nand experienced personnel should take that knowledge into the Joint \noperational and training environments, facilitating DOD-wide synergies. \nWhen possible, DON cyber workforce development plans should include \nparticipation in forums including not only DOD, but also other Federal \nand private industry workers. Increased familiarity with non-\ngovernmental and inter/intra-agency organizations\' tactics, techniques, \nand procedures will increase the overall efficiency and effectiveness \nof cyber operations supporting national security objectives.\n    Mr. Thornberry. In the current overseas contingencies, please \ndescribe to what extent, if any, has U.S. Strategic Command \n(USSTRATCOM) taken an active role supporting U.S. Central Command?\n    Mr. Carey. The Department of the Navy Chief Information Officer \nrespects the direction and authority of the Secretary of Defense and \nhis assignment of Title 10 and UCP authority to CDR USSTRATCOM.\n    Service network operations centers (NOSCs) are under CDR \nUSSTRATCOM\'s operational control. JTF-GNO orders Service NOSCs to \nperform network operations and defense. USSTRATCOM, through the CENTCOM \nAOR DON Network Operation Centers\' direct reporting relationship to the \nJoint Task Force-Global Network Operations, is very active in providing \ndirection on network operations and defense and ensuring computer \ndevices and networks are compliant with published IA Vulnerability \nAlerts (IAVAs), Communications Tasking Orders (CTOs), Operations \nDirective Messages (ODMs), etc. These efforts mitigate vulnerabilities \nand eliminate (or reduce) the instance of infections. This work is a \nmajor challenge in the forward tactical environment where forces \nfrequently rotate every six months to one year, bringing with them \npersonnel who have various (often limited) levels of network \nadministration skills. Additionally, the Commander, USSTRATCOM and his \nstaff have traveled to the CENTCOM AOR, visiting the Defense \nInformation Systems Agency and Service NOSCs in search of ways in which \nU.S. Strategic Command can better support the current overseas \ncontingencies.\n    Mr. Thornberry. Irrespective of service branch, does USSTRATCOM\'s \ncyber warfighters possess the skills necessary to ensure all secure \nbattlefield communications? Please explain.\n    Mr. Carey. The Department of the Navy Chief Information Officer \nrespects the direction and authority of the Secretary of Defense and \nhis assignment of responsibilities to USSTRATCOM. However, it should be \nnoted that most technical work in the battlefield/AOR is performed by \nService-specific personnel/organizations, and not USSTRATCOM personnel.\n    Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and \nDISA clearly defined in theater?\n    Mr. Carey. The Department of the Navy Chief Information Officer \nrespects the direction and authority of the Secretary of Defense and \nhis assignment of Title 10/50 and UCP authorities to CDR USSTRATCOM, \nNSA, and DISA. The in-theater responsibilities of USSTRATCOM, NSA, and \nDISA are outlined in Chairman, Joint Chiefs of Staff Directives and \nInstructions, including interactions with COCOMs and the Services. NSA \nresponsibilities are also found in U.S. Signals Intelligence Directives \n(USSIDs).\n    Mr. Thornberry. Should the Department of Defense establish a \n``Cyber Agency\'\' at the same level of the National Security Agency \n(NSA) and Defense Information Services Agency (DISA)? Why or why not?\n    Mr. Carey. The Department of the Navy Chief Information Officer \nrespects the direction and authority of the Secretary of Defense in his \nestablishment of the USCYBERCOM. The SECDEF memo of 23 June 09 stated \nit best when it said that the ``Department of Defense requires a \ncommand that possesses the required technical capability and remains \nfocused on the integration of cyberspace operations. Further, this \ncommand must be capable of synchronizing warfighting effects across the \nglobal security environment as well as providing support to civil \nauthorities and international partners.\'\' The DON supports the \nestablishment of U. S. Cyber Command, which presently appoints the \nDirector, National Security Agency the Commander, U.S. Cyber Command, \nmaking the integration of activities easier. The Director of the \nDefense Information Systems Agency (DISA) is tasked to provide network \nand information assurance technical assistance to USCYBERCOM as \nrequired. The Joint Task Force-Global Network Operations (JTF-GNO) and \nthe Joint Functional Component Command for Network Warfare are merged \ninto the new Cyber Command, bringing together the strengths of both of \nthese commands. The DON believes that functional reporting \nrelationships between the cyber operating forces, USCYBERCOM and the \nMilitary Departments and Services must be established to ensure \nefficient and effective command and control of these vital assets.\n    Mr. Thornberry. To what extent is the cyber domain being integrated \ninto other domain and domain awareness initiatives (i.e. battlespace, \nmaritime, air, space)? Please describe.\n    Mr. Carey. In May 2008, the Department of Defense published the \nfollowing definition of cyberspace: ``A global domain within the \ninformation environment consisting of the interdependent network of \ninformation technology infrastructures, including the Internet, \ntelecommunications networks, computer systems, and embedded processors \nand controllers.\'\' This definition is almost identical to that which \nwas developed by the Department of Homeland Security and the National \nInstitute of Standards and Technology.\n    The Information Technology Reform Act of 1996 (Clinger Cohen Act) \ndefines IT as: ``Any equipment or interconnected system or subsystem of \nequipment that is used in the automatic acquisition, storage, \nmanipulation, management, movement, control, display, switching, \ninterchange, transmission, or reception of data or information.\'\' The \nterm information technology includes computers, ancillary equipment, \nsoftware, firmware and similar procedures, services (including support \nservices), and related resources.\n    Given these terms of reference, Cyberspace (IM/IT) is present in \nall domains. The ability to operate within cyberspace is vital to the \nDON\'s mission. Achieving an appropriate balance between the need to \ncollaborate and share information and the need to protect information \nwill be key to our success.\n    The DON has established a DON Enterprise Architecture framework or \n``blueprint\'\' to enable the exchange of information, integration of \nsystems and management of resources to support cyberspace domain \ncapabilities across all mission areas (surface (sea and ground), sub-\nsurface, air and space). Further, to support system development and \nintegration, the DON mandates use of the Defense Information System \nRegistry (DISR) as its authoritative standards source. The DON \nestablished a governance structure to ensure adherence to the DON EA \nframework and standards in system development supporting the cyberspace \ndomain.\n    Mr. Thornberry. Define a cyber warfighter, or cyber warfare \nprofessional as he exists today.\n    General Shelton. Cyber warfighters are skilled professionals \nworking to deter and prevent cyberspace attacks against vital U.S. \ninterests, ensure our freedom of action in cyberspace, respond to \nattacks and reconstitute operations, develop persistent cyberspace \nsituational awareness and defeat adversaries operating through \ncyberspace.\n    Today, these personnel are drawn primarily from communications, \nintelligence and engineering specialties, often returning after a \nsingle assignment. While initially adequate, cyberspace has emerged as \na dynamic and technically demanding warfighting domain of strategic \nnational importance. The Air Force recognizes this and has committed to \nestablishing dedicated officer, enlisted and civilian career fields to \nmeet emerging demand and address recruiting, training, retention and \nforce development challenges.\n    Mr. Thornberry. Describe what you envision for the cyber warfighter \nof the future in terms of education (undergraduate/graduate or high \nschool only, too), training, career path, rank structure, capability, \nmission, responsibilities, organization, etc.\n    General Shelton. Cyber warfighters are skilled professionals \nworking to deter and prevent cyberspace attacks against vital U.S. \ninterests, ensure our freedom of action in cyberspace, respond to \nattacks and reconstitute operations, develop persistent cyberspace \nsituational awareness and defeat adversaries operating through \ncyberspace.\n    Today, these personnel are drawn primarily from communications, \nintelligence and engineering specialties, often returning after a \nsingle assignment. While initially adequate, cyberspace has emerged as \na dynamic and technically demanding warfighting domain of strategic \nnational importance. The Air Force recognizes this and has committed to \nestablishing dedicated officer, enlisted and civilian career fields to \nmeet emerging demand and address recruiting, training, retention and \nforce development challenges.\n    Mr. Thornberry. Given the limited pool of individuals with the \nnecessary technical skills, as stated recently by Gen Shelton, and the \ngrowing cyber personnel requirements articulated by Secretary Gates, \nwhat is the plan to recruit, organize, train, and equip prospective and \ncurrent cyber warfare professionals? Is it joint or by service? Please \nexplain.\n    General Shelton. Growing and developing cyber forces is a DOD-wide \nchallenge. Recognizing this, the Services are cooperating with each \nother, Joint Staff and OSD to develop new approaches and more effective \nsolutions for recruiting, acquisitions, training and retention.\n    Mr. Thornberry. In your opinion should the cyber warfighter be \ntrained by service branch, jointly, jointly with service specific \ntrailer courses, or somehow else? Why?\n    General Shelton. Initial training of cyber forces should be \nconducted by the Services, with joint post graduate training reserved \nfor specialized tasks.\n    Mr. Thornberry. In the current overseas contingencies, please \ndescribe to what extent, if any, has U.S. Strategic Command \n(USSTRATCOM) taken an active role supporting U.S. Central Command?\n    General Shelton. Congressman, I would respectfully ask that this \nquestion be directed to the Commander of U.S. Strategic Command, \nGeneral Chilton, who can provide you with the most up-to-date and \naccurate information regarding his command\'s support to U.S. Central \nCommand.\n    Mr. Thornberry. Irrespective of service branch, does USSTRATCOM\'s \ncyber warfighters possess the skills necessary to ensure all secure \nbattlefield communications? Please explain.\n    General Shelton. Congressman, I would respectfully ask that this \nquestion be directed to the Commander of U.S. Strategic Command, \nGeneral Chilton, who can provide you with the most up-to-date and \naccurate information regarding his command\'s ability to secure \nbattlefield communications.\n    Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and \nDISA clearly defined in theater?\n    General Shelton. Congressman, I would respectfully ask that this \nquestion be directed to the Commander of U.S. Strategic Command, \nGeneral Chilton, the Director of NSA, Lieutenant General Alexander, and \nLieutenant General Pollet, the Director of DISA, who can provide you \nwith the most up-to-date and accurate information regarding the \ndivision of their responsibilities in theater.\n    Mr. Thornberry. Should the Department of Defense establish a \n``Cyber Agency\'\' at the same level of the National Security Agency \n(NSA) and Defense Information Services Agency (DISA)? Why or why not?\n    General Shelton. Currently, it is the Secretary of Defense\'s intent \nto establish a U.S. Cyber Command as a sub-unified command under U.S. \nStrategic Command. The Air Force is standing up the 24th Air Force in \norder to present Air Force cyber forces to this command. The Air Force \nstands ready to respond to any cyber-related requirements from the \nDepartment.\n    Mr. Thornberry. To what extent is the cyber domain being integrated \ninto other domain and domain awareness initiatives (i.e. battlespace, \nmaritime, air, space)? Please describe.\n    General Shelton. Secretary Gates\' decision to stand-up USCYBERCOM \nindicates the importance the Department of Defense places on this \ndomain. The Air Force also recognizes the criticality of cyberspace to \nJoint and AF operations and is standing up 24th Air Force to focus on \nthis key area. The integration of cyberspace operations with other \noperations happens at Joint and Service levels. For the Air Force, this \nintegration will occur at 24 AF with USSTRATCOM/USCYBERCOM and at Air \nOperations Centers (AOC) supporting Combatant Commanders (CCDR). When \nCCDRs rely on reach-back cyberspace operations, Airmen in the 24 AF and \nAOCs will facilitate integration of applicable AF capabilities.\n    Mr. Thornberry. Define a cyber warfighter, or cyber warfare \nprofessional as he exists today.\n    Mr. Lentz. The Cyber warfighter is evolving from a variety of \nmilitary specialties such as Intelligence, Communications, Information \nTechnology, and Information Assurance. The primary roles currently \nidentified for Cyberspace Operations include military, civilian, and \ncontractors performing:\n\n    <bullet>  Computer Network Operations (CNO) Execution, consisting \nof:\n        <bullet>  Computer Network Attack (CNA)\n        <bullet>  Computer Network Exploitation (CNE)\n        <bullet>  Computer Network Defense (CND)\n        <bullet>  Network Operations (NetOps)\n        <bullet>  Information Assurance (IA) Computer Network Defense \n        Service-Providers\n\n    The ``Cyber-warfighter\'\' is a relatively new concept. The \nDepartment is developing the concept of operations. This includes the \nstructure, missions, career progression and general responsibilities of \nthe developing Cyber workforce. The diagram below suggests notional \nthoughts on the integration of the various components of the Cyber \nworkforce.\n\n[GRAPHIC] [TIFF OMITTED] T7218.069\n\n\n    Mr. Thornberry. Describe what you envision for the cyber warfighter \nof the future in terms of education (undergraduate/graduate or high \nschool only, too), training, career path, rank structure, capability, \nmission, responsibilities, organization, etc.\n    Mr. Lentz. Cyber Warfighter Education and Training will depend on \nhow the position/person supports cyber warfighting. We anticipate the \ncyber warfighter of the future to reflect the following basic education \nand training qualifications:\n    Military Officers: Receive professional military education in \nconjunction with cyber specific training so that they can conduct cyber \nwarfare in their role as leaders and managers.\n\n    Education:\n\n        <all>  Bachelor or advanced degree preferably in information \n        systems related program\n        <all>  Service officer basic professional education\n        <all>  Service intermediate professional education\n        <all>  Service/Joint Warfare Command and Staff College\n\n    Training:\n\n        <all>  Common foundational cyber warfare skills at career start\n        <all>  Functional mission specific cyber warfare skills at mid-\n        career\n        <all>  Senior strategic leadership training across the cyber \n        warfare domain\n        <all>  Baseline IA/IT commercial certification\n\n    Government Civilian Cyber Warfare Managers: May receive DOD \neducation in conjunction with cyber training so that they can apply \ncyber to their role as managers.\n\n    Education:\n\n        <all>  Bachelor or advanced degree preferably in information \n        systems related program\n        <all>  National Defense University (NDU) Information Resource \n        Management College (IRMC) professional development programs or \n        certificates.\n\n    Training:\n\n        <all>  Component-specific policy, processes, and requirements\n        <all>  Cyber related continuous training\n        <all>  Component-specific/sponsored cyber courses\n        <all>  Baseline IA/IT commercial certification\n\n    Contractors performing cyber warfare management roles should meet \nthe same/equivalent education and training as their government \ncounterparts. DOD unique training or equivalent should be available to \ncontractors.\n\n    Military Operators (hands-on/technical): We anticipate these \nindividuals will receive cyber warfare training along with their \nmilitary and technical education for their role as operators.\n\n    Education:\n\n        <all>  High school/community college\n        <all>  Rank/Grade appropriate professional education\n\n    Training:\n\n        <all>  Basic and advanced cyber related occupational specialty \n        training\n        <all>  NetOps/IA certification depending on position \n        requirements\n        <all>  Operational and exercise training\n\n    Government Civilian Operators (hands-on/technical): Receive cyber \ntraining, which they apply along with their technical education to \ntheir role as operators.\n\n    Education:\n\n        <all>  Community college/baccalaureate degree in information \n        technology field\n\n    Training:\n\n        <all>  NetOps/IA certification depending on position \n        requirements\n        <all>  Operational and exercise training\n\n    Contractors performing cyber warfare technical roles should meet \nthe same/equivalent education and training as their government \ncounterparts. DOD unique training or equivalent should be available to \ncontractors.\n    Mr. Thornberry. Given the limited pool of individuals with the \nnecessary technical skills, as stated recently by Gen Shelton, and the \ngrowing cyber personnel requirements articulated by Secretary Gates, \nwhat is the plan to recruit, organize, train, and equip prospective and \ncurrent cyber warfare professionals? Is it joint or by service? Please \nexplain.\n    Mr. Lentz. There are several steps required to recruit and train \npersonnel into the cyber workforce. The Services and Agencies are \nspecifically responsible for accomplishing these tasks in compliance \nwith DOD policy (which is still evolving for cyber warfare and its \nworkforce). Based on current processes, the following actions must be \naccomplished by the Services and Agencies to develop a Cyber Workforce:\n\n        <all>  Define their cyber workforce (what are the position \n        requirements)\n        <all>  Identify their position requirements\n        <all>  Document manning requirements/table of organization\n        <all>  Program and budget to fill the documented positions.\n        <all>  Develop recruiting requirements/quotas\n        <all>  Identify recruitment incentives to attract potential \n        cyber warriors\n        <all>  Recruit personnel with qualifications/potential to learn \n        required skills\n        <all>  Provide baseline training for specific job/positions \n        skills\n        <all>  Provide Continuous training via on-line, classroom, or \n        exercises\n\n    The DOD is currently working with the Services, Agencies, Joint \nStaff, and STRATCOM to develop baseline cyber workforce standards. The \ncurrent model for these standards is the current DOD 8570.01-M \n``Information Assurance Workforce Improvement Program\'\'.\n    Organizing and equipping the cyber warfare professionals is a \nfunction of mission capability requirements defined by the Chairman of \nJoint Chiefs of Staff and executed by the Services and Agencies.\n    Mr. Thornberry. In your opinion should the cyber warfighter be \ntrained by service branch, jointly, jointly with service specific \ntrailer courses, or somehow else? Why?\n    Mr. Lentz. The cyber warfighter should be primarily trained to meet \nDOD and service level baseline requirements established by the Services \nunder Title 10 authorities. Such training should be augmented by \napplicable joint specialized training.\n    Efforts are underway by the Joint Staff to finalize the cyber joint \nmission task list and to develop a joint learning continuum for cyber \ntraining. This should form the basis for joint specialized training.\n    At both the DOD and joint level, there is a significant emphasis on \njoint training exercises for the cybersecurity workforce. Exercises are \nfocused on attack detection, diagnosis, and reaction at military \nspeeds.\n    Mr. Thornberry. In the current overseas contingencies, please \ndescribe to what extent, if any, has U.S. Strategic Command \n(USSTRATCOM) taken an active role supporting U.S. Central Command?\n    Mr. Lentz. Joint Functional Component Command for Network Warfare \n(JFCC-NW) and Joint Task Force-Global Network Operations (JTF-GNO), \nwhich are two USSTRATCOM components, are actively engaged in support of \nU.S. forces in the USCENTCOM area of responsibility.\n    In today\'s battlefield, our networks are a critical force \nmultiplier. Both JTF-GNO and JFCC-NW work closely with USCENTCOM \nleaders and staff, in Tampa as well as forward in theater, to ensure \nvital warfighting networks are robust and defended.\n    Mr. Thornberry. Irrespective of service branch, does USSTRATCOM\'s \ncyber warfighters possess the skills necessary to ensure all secure \nbattlefield communications? Please explain.\n    Mr. Lentz. Commander, USSTRATCOM met the DOD\'s 2008 Information \nAssurance (IA) workforce certification goal to certify 40% of their \nInformation Assurance/Cybersecurity workforce by December 31, 2008. \nOverall, the Department\'s information assurance workforce personnel \ncertification rate as of December 31, 2008, was 23% (for its \napproximately 84,000 IA positions), with a target date of December 31, \n2010, for certification of the remaining IA workforce.\n    Commander, USSTRATCOM has ``cyber-warfighters\'\' from a variety of \nmilitary specialties such as Intelligence, Communications, Information \nTechnology, and Information Assurance with the skills necessary to \ndirect the DOD\'s Global Information Grid operations and defense. \nUSSTRATCOM provides direction to the Services and organizations to \nsecure their portions of the defense information environment including \nbattlefield communications. The ``cyber-warfighter\'\' skill requirements \nare evolving and DOD is developing the structure, missions, career \nprogression and general responsibilities of the cyber workforce.\n    Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and \nDISA clearly defined in theater?\n    Mr. Lentz. Joint Functional Component Command for Network Warfare \n(JFCC-NW) and Joint Task Force-Global Network Operations (JTF-GNO), the \ntwo USSTRATCOM components for which I am responsible, maintain a close \nand collaborative partnership with NSA and DISA. NSA maintains a robust \nforward presence in Iraq and Afghanistan to provide both cryptologic \nand information assurance support to deployed forces. These \ncapabilities support both JFCC-NW and JTF-GNO in their respective \nmissions of providing support for offensive and defensive cyber \noperations. DISA\'s mission to build, provision and engineer the \nbackbone of the military networks also serves as a key enabler for JTF-\nGNO\'s ability to direct the operations and defense of these networks.\n    We use liaison officers and support elements embedded within each \norganization to help ensure our activities are mutually supporting and \nto avoid conflicting objectives. While each organization has distinct \nresponsibilities, functions and authorities as defined by law and DOD \nregulations, connective tissue between these organizations is naturally \nbolstered by the relationships which exist between the Director, DISA \ndual-hatted as Commander, JTF-GNO, my role as both Director, NSA and \nCommander, JFCC-NW and since November 08, the relationship established \nby the SECDEF\'s decision to place JTF-GNO under the operational control \nof JFCCNW. It is critical that we continue to maintain and strengthen \nthis connective tissue between our organizations in order to optimize \nagile cyber support for combatant commanders and DOD as a whole.\n    Mr. Thornberry. Should the Department of Defense establish a \n``Cyber Agency\'\' at the same level of the National Security Agency \n(NSA) and Defense Information Services Agency (DISA)? Why or why not?\n    Mr. Lentz. Cyberspace is critical to joint military operations, and \nwe must protect it. To do this, the Department of Defense needs to \nensure it has the right balance of integrated cyber capabilities. Our \nincreasing dependency on cyberspace, alongside a growing array of cyber \nthreats and vulnerabilities, adds a new element of risk to national \nsecurity. To effectively address this risk and secure freedom of access \nin cyberspace, the DOD requires a command possessing the required \ntechnical capability and which remains focused on streamlining \ncyberspace operations. The Secretary of Defense has recently \nrecommended the officer serving as Director of the National Security \nAgency be nominated as Commander of USCYBERCOM. In his role as the \ncommander of USCYBERCOM, he will report to the Commander of USSTRATCOM.\n    Mr. Thornberry. To what extent is the cyber domain being integrated \ninto other domain and domain awareness initiatives (i.e. battlespace, \nmaritime, air, space)? Please describe.\n    Mr. Lentz. The cyber domain is integrated with the other domains \nand provides supporting capabilities that enable command, control, \ncommunications, computing, and information (C4I) processes. The cyber \ndomain is an essential enabler for virtually all functions, including \nmission operations, information sharing and mission-related data \nprocessing.\n    Domain awareness for the cyber domain is a difficult challenge. At \nthis time, cyber domain awareness capabilities are not completely \nintegrated with domain awareness capabilities for the other operational \ndomains. Cyber domain awareness is routinely included in daily status \nbriefs to commanders, providing a rough awareness of key cyber issues \nto warfighting commanders. However, cyber operations and incidents are \ndifficult to model and present in visual form, and they are generally \nnot depicted in warfighting common operational pictures.\n    Mr. Thornberry. Define a cyber warfighter, or cyber warfare \nprofessional as he exists today.\n    General Alexander. Cyber professionals are a cross-disciplinary \nteam of highly-trained individuals that bring together diverse skill \nsets to conduct cyberspace operations. Their mission includes operation \nand defense of Department of Defense Global Information Grid. Technical \nexpertise and roles cover the span of traditional military planning, \nintelligence preparation, command and control, operational assessment, \nrequirements development, and operationalization of capabilities; all \ndone in an ever-changing mission space. Cyber warfighters are directly \nsupported by experienced intelligence analysts familiar with the larger \ncultural and operational contexts, expert language analysts, network \nanalysts, cryptologists and operational planners, to name a few. These \nexperts, be they military or civilian, work together in real time to \neffectively operate in cyberspace.\n    Mr. Thornberry. Describe what you envision for the cyber warfighter \nof the future in terms of education (undergraduate/graduate or high \nschool only, too), training, career path, rank structure, capability, \nmission, responsibilities, organization, etc.\n    General Alexander. DOD\'s Cyber force must be continuously educated \nand mentored, sharpened by experience and drilled to operate in a \ndynamic environment. I envision a total force solution, active and \nreserve components, military and civilian, appropriately supported by \ncontractors to build the cyber warfighters of the future. They will \narrive with high school diplomas, undergraduate, and graduate degrees. \nOur training and education programs will fill the skill gaps to create \nincreasingly skilled and adaptable personnel who will either specialize \nin specific cyberspace capabilities or develop broad-based experience \nto lead and manage future cyberspace operations. Continual specialized \ntraining will be necessary because the mission space encompasses an \nenormous number of different systems and software and is constantly \nbeing updated and reconfigured. Mentoring and growing leaders must be \ndone as we do in other specialized fields to ensure experience is \ndistilled to the next generation of planners and operators; a challenge \nfor the nation as well as the military. On the learning continuum, a \ncyber warfighter will progress from the most basic of tasks through the \nmost complex, by attending formal training, having work assignments \nthat provide the opportunity to perform various missions, and \nparticipating in formal education programs.\n    The Secretary of Defense has directed all the Services to maximize \nthe facility at the Center for Information Dominance in Corry Station, \nPensacola (the Executive Agent for Cryptologic Computer Network \nExploitation and Defense training) to acquire the technical skills \nrequired for cybersecurity missions. (Those with more analytic roles \nreceive their training at Goodfellow Air Force Base.) It is expected \nthat graduates of both programs will be assigned to places where they \ncan practice what they learned, gain mission experience in several \nsectors of Computer Network Operations, and participate in more \nadvanced training fielded by the Services and the Crytologic Training \nSystem.\n    Specific plans regarding rank structure, responsibilities, and \norganizations are all under development. The future cyberspace warrior \nmust be adaptive and flexible with the ability to fulfill multiple \nroles that quickly adjust to changing conditions within the cyberspace \ndomain and the joint warfighter\'s requirements. Of special importance \nwill be the ability to shift though all missions required for steady \nstate and surge requirements. It is important that individuals be \nassigned to organizations that are flexible enough to meet the complex \nchallenges of the environment in which they will operate. While a \nspecific organizational construct remains in development, the \ncapabilities should be centered on cyberspace operations that support \njoint warfighter requirements.\n    Mr. Thornberry. Given the limited pool of individuals with the \nnecessary technical skills, as stated recently by Gen Shelton, and the \ngrowing cyber personnel requirements articulated by Secretary Gates, \nwhat is the plan to recruit, organize, train, and equip prospective and \ncurrent cyber warfare professionals? Is it joint or by service? Please \nexplain.\n    General Alexander. In anticipation of this need, we have been hard \nat work over the past year identifying the necessary individual \ntechnical skills for future cyberspace missions and the training \nrequired for those skills.\n    We currently conduct this training at both Corry Station in \nPensacola, Florida and Fort Meade, Maryland and are working through \nresource requirements to meet future demand for trained and ready \ncyberspace forces.\n    While we were developing training, we\'ve also worked closely with \nthe Services and national community to determine future force number \nrequirements for the Department that included initial estimates for the \nexpected end strength in a ``total force\'\' approach.\n    We envision that the future cyberspace forces will be a total force \napproach of both Service and joint--the Services will organize, train, \nand equip cyberspace forces that will be presented to joint \nwarfighters. Additionally, there will be a joint force that provides \nday-to-day support to USCYBERCOM missions as directed by Commander, \nUSSTRATCOM. Using common force training and skills baseline, the \nservices will generate forces that will rotate back and forth between \nthe joint community and Service unit assignments.\n    We must also leverage the unique contributions of universities and \nresearch institutions as well as private enterprise to ensure U.S. \nforces are always on the cutting edge.\n    Mr. Thornberry. In your opinion should the cyber warfighter be \ntrained by service branch, jointly, jointly with service specific \ntrailer courses, or somehow else? Why?\n    General Alexander. There is clearly a need for Service and Joint \ntraining for the cyber warfighter as well as more robust leveraging of \nthe scientific and technical expertise found in our universities, \nresearch institutions and private enterprise. The complex and dynamic \nnature of the operational environment should dissuade us from adopting \na one-size-fits-all approach. As in other military disciplines, we must \ntrain individuals with the basic skills they will need to operate and \nadapt in this domain: technology, analytics, cryptanalysis, languages, \nintelligence, operational planning and effective command and control. \nThe Services play an enormous role here. There is a great deal of work \nbeing done by the Services to determine how they can best organize, \ntrain and equip forces for the combatant commanders. The Services, of \ncourse, also need much of this same expertise to effectively operate, \nsecure and defend their networks and communication systems.\n    Joint training is also critical; we must train how we fight. Part \nof the reason Secretary Perry first created the Joint Task Force-\nComputer Defense Network in the late 1990s was because he realized \nthen, as we do now, that unity of command and unity of effort is as \nessential in cyberspace as it is in the physical domains of air, sea, \nland and space. All we have learned in the intervening years led \nSecretary Gates to direct the creation of U.S. Cyber Command. It is \nonly by focusing the talent and resources of the Services and forging \nand training Joint teams with interoperable equipment and unifying \ndoctrine that we will be as effective in this domain as we are in the \nphysical domains.\n    Mr. Thornberry. In the current overseas contingencies, please \ndescribe to what extent, if any, has U.S. Strategic Command \n(USSTRATCOM) taken an active role supporting U.S. Central Command?\n    General Alexander. Joint Functional Component Command for Network \nWarfare (JFCC-NW) and Joint Task Force-Global Network Operations (JTF-\nGNO), the two USSSTRATCOM components for which I am responsible, are \nactively engaged in support of U.S. forces in the USCENTCOM area of \nresponsibility.\n    In today\'s battlefield, our networks are a critical force \nmultiplier. Both JTF-GNO and JFCC-NW work closely with USCENTCOM \nleaders and staff, in Tampa as well as forward in theater, to ensure \nvital warfighting networks are robust and defended. We also plan, \nsynchronize and execute cyberspace operations to deny a widely \ndisbursed adversary the ability to easily use the Internet to \norchestrate complex operations that target our forces, friends and \nallies. Of course, these commands also engage in deliberate planning in \nsupport of other long-term USCENTCOM priorities.\n    The bright, energetic people assigned to these organizations are \ncommitted to this mission. They work to build the relationships with \nUSCENTCOM that are so vital to the kinds of sophisticated, synchronized \noperations conducted by U.S. forces and Coalition partners. We must \nbuild the same kind of robust relationship with the other Combatant \nCommanders and ensure our operational planning and activities are well \nintegrated with the other global missions for which USSTRATCOM is \nresponsible.\n    Mr. Thornberry. Irrespective of service branch, does USSTRATCOM\'s \ncyber warfighters possess the skills necessary to ensure all secure \nbattlefield communications? Please explain.\n    General Alexander. Let me begin by saying that no commander can \nguarantee battlefield communications will always get through or that \nthey won\'t be intercepted by an adversary. The military, by definition, \nmust be able to operate in a degraded environment. Yet, it is \nimperative that we ensure availability and security of communications. \nThe Department of Defense has come a long way since the President first \nassigned U.S. Strategic Command the mission to defend DOD networks in \n2002. In Joint Task Force-Global Network Operations and Joint \nFunctional Component Command for Network Warfare, U.S. Strategic \nCommand has highly-motivated, well-trained personnel engaged in the 24/\n7/365 defense of our vital networks. But we must do more.\n    Over the years, the Secretary of Defense has provided U.S. \nStrategic Command with the authority to direct the operations and \ndefense of defense networks, known as the ``Global Information Grid\'\' \nor ``GIG.\'\' We have established command and control that begins to \nenable the coordinated security configuration and defense of globally \ndispersed military networks. We also established baseline standards for \nnetwork configuration, readiness standards and incident response. \nService and Joint training are based on these collaboratively developed \nstandards.\n    However, even with well-trained and engaged personnel, the \nchallenges are great. The Internet\'s open architecture is one of its \nprincipal strengths, but it is also its principal vulnerability. To \ndefend national interests, DOD\'s GIG must be reliable, resilient and \nits individual components and date must be secured. We must be able to \noperate at ``network speed\'\' to be effective. Without greater machine-\nto-machine interfaces, we cannot hope to dynamically configure systems \nto contain and defeat the threat of malicious traffic on a real-time \nbasis--a necessity in this era\'s battlefield environments. Achieving \nmuch greater unity of effort throughout the Department as well as \ninformation sharing and collaboration with our Intelligence Community, \nLaw Enforcement and Homeland Security partners as well as leveraging \nthe expertise of universities, research institutions and private \nenterprise is also essential. We must continue to evolve training and \noperational exercises to ensure all personnel can appropriately and \nquickly leverage the diverse skill-sets needed to secure and defend \nmilitary networks in this dynamic domain.\n    Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and \nDISA clearly defined in theater?\n    General Alexander. Joint Functional Component Command for Network \nWarfare (JFCC-NW) and Joint Task Force-Global Network Operations (JTF-\nGNO), the two USSTRATCOM components for which I am responsible, \nmaintain a close and collaborative partnership with NSA and DISA. NSA \nmaintains a robust forward presence in Iraq and Afghanistan to provide \nboth cryptologic and information assurance support to deployed forces. \nThese capabilities support both JFCC-NW and JTF-GNO in their respective \nmissions of providing support for offensive and defensive cyber \noperations. DISA\'s mission to build, provision and engineer the \nbackbone of the military networks also serves as a key enabler for JTF-\nGNO\'s ability to direct the operations and defense of these networks.\n    We use liaison officers and support elements embedded within each \norganization to help ensure our activities are mutually supporting and \nto avoid conflicting objectives. While each organization has distinct \nresponsibilities, functions and authorities as defined by law and DOD \nregulations, connective tissue between these organizations is naturally \nbolstered by the relationships which exist between the Director, DISA \ndual-hatted as Commander, JTF-GNO, my role as both Director, NSA and \nCommander, JFCC-NW and since November 08, the relationship established \nby the SECDEF\'s decision to place JTF-GNO under the operational control \nof JFCC-NW. It is critical that we continue to maintain and strengthen \nthis connective tissue between our organizations in order to optimize \nagile cyber support for combatant commanders and DOD as a whole.\n    Mr. Thornberry. Should the Department of Defense establish a \n``Cyber Agency\'\' at the same level of the National Security Agency \n(NSA) and Defense Information Services Agency (DISA)? Why or why not?\n    General Alexander. On 23 June 2009, Secretary of Defense Gates \ndirected the Commander of U.S. Strategic Command (USSTRATCOM) to \nestablish a subunified U.S. Cyber Command (USCYBERCOM). Since that \ntime, a STRATCOM-chartered CYBERCOM Implementation Team, with \nmembership from NSA, DISA, JFCC-NW and JTF-GNO, have been working to \nproduce a plan which would outline the mission and operating framework \nfor this command. Both DISA and NSA will play critical roles in the \nCommand\'s ability to successfully operate and defend our military \nnetworks.\n    Mr. Thornberry. To what extent is the cyber domain being integrated \ninto other domain and domain awareness initiatives (i.e. battlespace, \nmaritime, air, space)? Please describe.\n    General Alexander. Cyberspace operations are being integrated with \noperations in other domains through a myriad of efforts. These include \ndeveloping joint doctrine to inform warfighters of extant capabilities, \ntactics, techniques, and procedures; developing cyber force constructs \nand associated training; integrating cyberspace operations within joint \nforce exercises; ensuring cyberspace operations are included in \ncombatant command plans; and developing initiatives which inform cyber \nusers by examining culture, conduct, and capabilities. Although still \nin initial stages, initiatives to provide decision-makers with holistic \nviews of the cyberspace domain, similar to the Maritime Awareness \nInitiative, are being addressed. Much remains to be done; however, the \nincreasing national focus on cybersecurity is encouraging and will \nprovide impetus to DOD and interagency efforts to increase awareness of \nthis critical domain.\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MR. MURPHY\n    Mr. Murphy. We have heard a lot about how our government\'s \nresources are organized to address the threat posed by cyber hackers, \nbut if we want to direct our efforts most effectively, it\'s also \nimportant to know how the hacker community is organized. What do we \nknow about the culture of hackers, what motivates their actions, and \nwhat political, economic and social forces shape their behavior? It \nwould seem that the answers to these questions should inform some of \nour decisions on how best to organize ourselves.\n    General Alexander, I understand that a small office at the NSA--the \nInstitute for Analysis--has done some innovative work to address these \nquestions about the culture of hackers. Can you briefly describe, in an \nunclassified manner, this work and how it is contributing to our cyber \nsecurity efforts?\n    General Alexander.\n\n    Background\n    The Institute for Analysis (IFA) is an NSA-sponsored program \nlaunched in October 2004 with the intent of 1) reaching out to and \nengaging external world-class experts in addressing internal \nintelligence analytic problems in an unclassified setting and 2) \nlearning from and applying new or unique analytic processes, \nmethodologies, techniques, and associated tools developed in the ``real \nworld\'\' to improve the overall health of analytic tradecraft at NSA. \nThe primary vehicle used by the IFA is a ``challenge problem\'\' which is \nessentially an unclassified ``analog\'\' problem that stands in for/\nrepresents the actual classified analytic problem identified by mission \nelements. IFA also facilitates networking between external experts and \nanalysts and also develops and offers new analytic methodology training \ncourses to analysts. Since 2008, IFA has been able to increasingly \nshare these opportunities with other Intelligence Community partners.\n\n    The Challenge\n    In early 2008, an analyst from the NSA/VCSS Threat Operations \nCenter (NTOC) brought the issue of understanding hacker cultures to the \nIFA as a potential challenge problem. The analyst understood that \nhacker scenes evolve and continue to evolve. In an effort to best focus \nhis time and resources, the analyst wanted to know if there was a way \nto better understand the culture of hacker groups and therefore better \nunderstand the potential for a group of hackers to pose a significant \nnational security threat. Specifically, he wanted to know the answers \nto the following questions:\n\n    <bullet>  What motivates hackers?\n    <bullet>  How do they learn, team up, and execute attacks?\n    <bullet>  How do their strategies and operations differ from \ncountry to country?\n\n    NTOC analysts have a solid understanding of the technical elements \nassociated with hacking, but they wanted to know more about the \nsociological and ``cultural\'\' aspects. The challenge therefore was to \nstrengthen analysts\' understandings of the human side of hacking: what \nmotivates hackers; where do they go to learn new techniques; how do \nthey find out about new technologies; what self-identified hacker \ncommunities have emerged; and finally, what the relationship was, if \nany, between relatively benign ``tinkering networks\'\' and truly \nmalicious hackers?\n    What makes this a difficult problem was that virtually all hacker \nscenes are animated by a culture of secrecy and anonymity. Many \nhackers, and especially those who are likely to be of most interest to \nthe USG, do not wish to have their activities and habits documented.\n\n    Project Scope\n\n    There were three specific goals built into this challenge question, \nas follows:\n      1)   Systematically identify subcultures within the global hacker \nscene, and the key traits that distinguish them from other hacker \nsubcultures, with a focus on teaming/interaction, learning, technology \nuse, and motivations with the intent of developing the ability to \n``strategically segment\'\' these subcultures to identify other hackers \nof potential interest;\n      2)   Identify how these scenes vary from region to region (or \nalong other lines, e.g., by generation, motivation, etc.) with \npotential concentrations on Russia, China, and/or the Middle East. This \nwould allow analysts to differentiate the threat matrix by region or \nother factors;\n      3)   Research and analyze how these scenes have changed over the \npast decade and may continue to change going forward. This will enable \nanalysts to better anticipate strategic or tactical surprises that may \nemerge from the hacker scene.\n\n    Two substantive limits were also identified, as follows:\n      1)   This project focused on the culture of hackers and the \nhacking scene, not on the wider issue of cybercrime, writ large. That \nis to say, the analysts were interested in understanding the habits of \nthose who like to break into secured computer systems, whatever their \nmotives, rather than on criminality which just happens to take place on \nor via the Internet. Clearly criminals of one sort and another may well \nadopt innovations and techniques that emerge from the hacker scene for \ntheir own purposes but that was not the main focus of the challenge \nproblem;\n      2)   Open source research would focus on the dimensions of the \nhacking scene that are most pertinent to national security: penetration \nof government systems, disruption of critical infrastructure, \nsignificant intellectual property theft, etc. This scoping excluded, \nfor example, spambots, the hacking of consumer electronics, defacement \nof websites, etc., except insofar as such activities connected in some \ntangible way to national security.\n\n    Challenge Results\n    Specific results of this challenge problem provided detailed \ndescriptions of hacker cultures in two areas of interest to NTOC as \nwell as a framework that allowed NTOC analysts to rapidly identify, \ncharacterize, and categorize hacking activities based on potential \nthreats to national security. The framework in particular has already \nbeen integrated into NTOC operations and has resulted in a quantitative \nincrease in reporting on adversarial capabilities, including \ncapabilities previously undiscovered using more conventional \ntechniques. According to NTIOC management, this framework has also \nresulted in a significant savings of time, measured in man-years, in \nthe ``discovery\'\' process.\n\n                                  <all>\n\x1a\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'