[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]







                         [H.A.S.C. No. 111-51]
 
 CYBERSPACE AS A WARFIGHTING DOMAIN: POLICY, MANAGEMENT AND TECHNICAL 
                    CHALLENGES TO MISSION ASSURANCE

                               __________

                                HEARING

                               BEFORE THE

    TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES SUBCOMMITTEE

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD

                              MAY 5, 2009

                                     
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13

                                     

                  U.S. GOVERNMENT PRINTING OFFICE
57-218                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  
                                     
  


    TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES SUBCOMMITTEE

                    ADAM SMITH, Washington, Chairman
MIKE McINTYRE, North Carolina        JEFF MILLER, Florida
ROBERT ANDREWS, New Jersey           FRANK A. LoBIONDO, New Jersey
JAMES R. LANGEVIN, Rhode Island      JOHN KLINE, Minnesota
JIM COOPER, Tennessee                BILL SHUSTER, Pennsylvania
JIM MARSHALL, Georgia                K. MICHAEL CONAWAY, Texas
BRAD ELLSWORTH, Indiana              THOMAS J. ROONEY, Florida
PATRICK J. MURPHY, Pennsylvania      MAC THORNBERRY, Texas
BOBBY BRIGHT, Alabama
                 Kevin Gates, Professional Staff Member
               Alex Kugajevsky, Professional Staff Member
                     Andrew Tabler, Staff Assistant


                            C O N T E N T S

                              ----------                              

                     CHRONOLOGICAL LIST OF HEARINGS
                                  2009

                                                                   Page

Hearing:

Tuesday, May 5, 2009, Cyberspace as a Warfighting Domain: Policy, 
  Management and Technical Challenges to Mission Assurance.......     1

Appendix:

Tuesday, May 5, 2009.............................................    27
                              ----------                              

                          TUESDAY, MAY 5, 2009
 CYBERSPACE AS A WARFIGHTING DOMAIN: POLICY, MANAGEMENT AND TECHNICAL 
                    CHALLENGES TO MISSION ASSURANCE
              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Miller, Hon. Jeff, a Representative from Florida, Ranking Member, 
  Terrorism, Unconventional Threats and Capabilities Subcommittee     1
Smith, Hon. Adam, a Representative from Washington, Chairman, 
  Terrorism, Unconventional Threats and Capabilities Subcommittee     1

                               WITNESSES

Alexander, Lt. Gen. Keith, USA, Commander, Joint Functional 
  Component Command Network Warfare, Director, National Security 
  Agency, Department of Defense..................................     6
Carey, Robert J., Chief Information Officer (DONCIO), Department 
  of the Navy....................................................     3
Krieger, Mike, Deputy Chief Information Officer/G-6, Department 
  of the Army....................................................     2
Lentz, Robert, Deputy Assistant Secretary of Defense for Cyber, 
  Identity Management, and Information Assurance, and Senior 
  Information Assurance Official, Department of Defense..........     5
Shelton, Lt. Gen. William L., USAF, Chief of Warfighting 
  Integration, Chief Information Officer, Office of the Secretary 
  of the Air Force...............................................     4

                                APPENDIX

Prepared Statements:

    Alexander, Lt. Gen. Keith....................................    94
    Carey, Robert J..............................................    44
    Krieger, Mike................................................    34
    Lentz, Robert................................................    66
    Miller, Hon. Jeff............................................    32
    Shelton, Lt. Gen. William L..................................    54
    Smith, Hon. Adam.............................................    31

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

    Mr. Murphy...................................................   121
    Mr. Smith....................................................   101
    Mr. Thornberry...............................................   109

 CYBERSPACE AS A WARFIGHTING DOMAIN: POLICY, MANAGEMENT AND TECHNICAL 
                    CHALLENGES TO MISSION ASSURANCE

                  House of Representatives,
                       Committee on Armed Services,
        Terrorism, Unconventional Threats and Capabilities 
                                              Subcommittee,
                              Washington, DC, Tuesday, May 5, 2009.
    The subcommittee met, pursuant to call, at 3:58 p.m., in 
room 2212, Rayburn House Office Building, Hon. Adam Smith 
(chairman of the subcommittee) presiding.

  OPENING STATEMENT OF HON. ADAM SMITH, A REPRESENTATIVE FROM 
  WASHINGTON, CHAIRMAN, TERRORISM, UNCONVENTIONAL THREATS AND 
                   CAPABILITIES SUBCOMMITTEE

    Mr. Smith. Good afternoon. Call the meeting to order. Sorry 
about the delay. Votes came at a bad time, and then I got 
waylaid by a conversation on my way over here, but I do want to 
thank all of you for being here today. Appreciate your presence 
on this very important topic and look forward to hearing from 
all of you.
    I will keep my opening statement very, very brief except to 
say that cyber security is an incredibly important element of 
our national security with many, many complex pieces to it. 
Obviously it involves a multi-agency process; also it involves 
the private sector and a variety of different challenges that 
are very complicated and complex.
    And our goal in this committee is to help work with the new 
administration and all the appropriate agencies to try to 
develop a comprehensive strategy to approach our network 
security needs and our broader cyber security interests--try to 
get us to the point where we have at least some idea of what 
the plan is and are working closely together on how to 
implement that with all the different pieces of it. And I look 
forward to the testimony. We have a very, very distinguished 
panel that will help shed some light on this issue and help let 
us know what the pathway forward is.
    And with that, I will yield to our ranking member, Mr. 
Miller, for any opening statement that he might have.
    [The prepared statement of Mr. Smith can be found in the 
Appendix on page 31.]

 STATEMENT OF HON. JEFF MILLER, A REPRESENTATIVE FROM FLORIDA, 
     RANKING MEMBER, TERRORISM, UNCONVENTIONAL THREATS AND 
                   CAPABILITIES SUBCOMMITTEE

    Mr. Miller. Thank you very much, Mr. Chairman. I have a 
full statement that I would like submitted into the record.
    [The prepared statement of Mr. Miller can be found in the 
Appendix on page 32.]
    Mr. Miller. I associate myself with your remarks, and as we 
all know, breaches in our security have taken place time and 
time again. The Joint Strike Fighter [JSF] Program highlights 
the vulnerability that currently exists today. Our charge is to 
help you get the job done, and that is what we are here for, so 
thank you.
    Mr. Smith. Thank you.
    Just in connection, I had one further thought. It is not 
just a matter of cyber security preventing attacks. We need to 
look at our entire system's--our entire IT [information 
technology] infrastructure in terms of what we need to get out 
of it and how to best make that system work on a variety of 
different needs including, of course, making sure that it is 
protected from our adversaries or those who wish to do us harm.
    With that I will introduce the panel. I will go--introduce 
all of you, and then we will just start with Mr. Krieger and 
work our way across the panel.
    As you have noticed, there is five of you, and try to keep 
your testimony between five and ten minutes at the most. We 
don't want to go on too long before we get into the 
interaction. I know that is very difficult on a subject this 
complex, but appreciate your cooperation so we can get into the 
questions from the members.
    So I will introduce the panel. First we have Mr. Mike 
Krieger, who is the deputy chief information officer for the 
U.S. Army; Mr. Rob Carey, who is the chief information officer 
for the U.S. Navy; we have Lieutenant General William Shelton, 
United States Air Force, chief of warfighting integration, 
chief information officer, Office of the Secretary of the Air 
Force; we have Mr. Robert Lentz, who is the deputy assistant 
secretary of defense for cyber, identity management, and 
information assurance--that sounds like a complicated job, and 
it is; and lastly, we have Lieutenant General Keith Alexander, 
who is the director of the National Security Agency.
    We appreciate all of you being here. We look forward to 
your testimony and to the Q & A that follows.
    Mr. Krieger.

 STATEMENT OF MIKE KRIEGER, DEPUTY CHIEF INFORMATION OFFICER/G-
                   6, DEPARTMENT OF THE ARMY

    Mr. Krieger. Good afternoon, Chairman Smith, Congressman 
Miller, and distinguished members of the subcommittee. As the 
United States Army's deputy chief information officer and 
deputy G-6, I am pleased to appear before the subcommittee this 
afternoon to discuss the Army's activities to address the 
challenges to enhance mission assurance in cyberspace as a 
warfighting domain.
    The Army believes that our enterprise network, known as 
LandWarNet, must be viewed as a critical enabler for the 
warfighter. This requires a change in our culture for which the 
Army is revising policies, management of people in the network, 
and enhancing technical capabilities to better detect, assess, 
and respond to cyberspace attacks.
    The Army is transitioning to a continental U.S.-based 
expeditionary force. To support this force the Army is adapting 
our institutions and LandWarNet. General Casey recently signed 
a memorandum to transform LandWarNet to a new Global Network 
Enterprise Construct, or GNEC, that is more secure, economical, 
and seamless. General Casey also designated the Network 
Enterprise Technology Command, reporting to the chief 
information officer, as the single command for network 
operations of the Army's generating force networks.
    The Army is implementing many new policies to improve cyber 
security. These policies concentrate on protecting information, 
defending systems, and creating an empowered workforce.
    Addressing the management challenges of training our cyber 
warriors and protecting our network remain top priorities in 
the Army. The Army is reviewing the development and tracking of 
its overall workforce and looking to update the career 
management fields for conducting cyberspace operations.
    Successfully mitigating cyberspace attacks and 
vulnerabilities requires unity of command and effort not only 
between the Army, other services, and the combatant commands, 
but within the Army staff. We have realigned organizations to 
streamline the command and control over the network and are 
creating an Army Cyber Task Force to better define and oversee 
cyberspace operations.
    To meet the many technical challenges the Army faces, we 
have taken many initiatives, which include a data-at-rest 
encryption solution, a secure two-way wireless capability, and 
we are working with the defense industrial base to protect 
technologies used to build our future networks and major 
weapons systems.
    In conclusion, the Army is taking action to mitigate 
persistent cyberspace threats. Using GNEC, the Army is 
addressing the challenge of changing the culture to view the 
network as a critical enabler for the warfighter. The Army's 
commitment to transforming LandWarNet will ensure commanders 
have the ability to control, defend, and fight the network as 
one enterprise.
    I thank the subcommittee for affording me the opportunity 
to share the Army's activities to operate and enhance missions 
assurance in cyberspace as a warfighting domain. This concludes 
my remarks and I look forward to answering your questions.
    [The prepared statement of Mr. Krieger can be found in the 
Appendix on page 34.]
    Mr. Smith. Thank you very much.
    Mr. Carey.

    STATEMENT OF ROBERT J. CAREY, CHIEF INFORMATION OFFICER 
                (DONCIO), DEPARTMENT OF THE NAVY

    Mr. Carey. Thank you, Mr. Chairman.
    Chairman Smith, Congressman Miller, distinguished 
subcommittee members, thank you for the opportunity to appear 
before you today. I provided a written statement and request 
that it be entered into the record.
    I would like to use this time to briefly highlight some of 
our key initiatives that will ensure the Department of Navy's 
success in the cyberspace domain. It is a time of great change, 
and as the Department of the Navy chief information officer, I 
have the honor to work across the entire Navy-Marine Corps 
team, harnessing the power of information technology for our 
sailors, Marines, and civilians.
    Our efforts in the cyberspace domain span our mission sets 
and mandate that we defend the information for the warfighters 
as well as protect the privacy of our naval team. The 
cyberspace domain is one in which we must prevail. The 
department remains on a course for interoperable, net-centric 
operations that will link warriors, sensors, networks, command 
and control platforms, weapons, and commanders, into a 
networked, distributed combat force.
    Key to our success will be the ability to balance the 
polarity between the need to share information and our 
requirement to protect it against cyber threats. We have made 
great strides in the areas of policy, management, and technical 
challenges that are enabling us to achieve this balance.
    Together with our industry partners, we have created an 
enterprise network structure comprised of the Navy/Marine Corps 
Intranet [NMCI], the department's shore-based network; 
Information Technology-21, for our float forces; ONE-NET 
[OCONUS Navy Enterprise Network], for our Navy outside of CONUS 
[continental U.S.] forces; and the Marine Corps Enterprise 
Network; as our contribution to the DOD [Department of Defense] 
vision of a trusted, dependable, ubiquitous network.
    We have seen the power of a singe enterprise network 
improving access, control, interoperability, and information 
security, and as we move toward the Naval Network Environment 
2016, our continued consolidation using the Next Generation 
Enterprise Network and a defense-in-depth and breadth, will 
further enable our ability to serve the warfighters with 
assured information.
    Our computer network defense efforts are comprised of a 
broad array of initiatives to ensure a defense-in-depth, and 
while we are making progress, much work remains. We leverage 
industry best practices and standards, such as public key 
infrastructure encryption, data-at-rest encryption, and host-
based security systems, to strengthen our cyber security.
    Our brave sailors and Marines deployed far from home in 
harm's way are the heart and soul of our organization. What 
they know and how they translate that knowledge through sound 
decisions into action will define how successful we are. And so 
we are committed to providing them the information and tools 
they need to stay current and defend the cyberspace domain in 
an increasingly complex technology-based environment.
    Thank you for your support of our information technology 
initiatives and our efforts to achieve net-centric operations 
and decision superiority. I am happy to answer any questions 
that you may have.
    [The prepared statement of Mr. Carey can be found in the 
Appendix on page 44.]
    Mr. Smith. Thank you very much.
    General Shelton.

   STATEMENT OF LT. GEN. WILLIAM L. SHELTON, USAF, CHIEF OF 
 WARFIGHTING INTEGRATION, CHIEF INFORMATION OFFICER, OFFICE OF 
                 THE SECRETARY OF THE AIR FORCE

    General Shelton. Good afternoon, Chairman Smith, 
Congressman Miller, distinguished members of the subcommittee. 
I am pleased to be here today, along with members of the DOD's 
cyber leadership team, to appear before you and address our 
efforts to meet the challenges in the cyberspace domain.
    Several years ago the U.S. Air Force recognized the growing 
importance of cyberspace. On December 7, 2005, we took the 
unprecedented step of adding cyberspace to our mission 
statement and placed that domain on an equal footing with our 
more traditional operating environments of air and space.
    Since that time, we have been moving forward to organize, 
train, and equip our Air Force for both defensive and offensive 
capabilities in cyberspace or joint operations. As we have 
continued our study of cyberspace, we are finding that the most 
significant challenge we face is the constantly evolving nature 
of the threat in cyberspace. Threats in cyberspace move at the 
speed of light, and we are literally under attack every day as 
our networks are constantly probed and our adversaries seek to 
exploit vulnerabilities in our network enterprise.
    I would like to thank the committee for its support and for 
this opportunity to highlight the outstanding efforts that the 
dedicated men and women of the United States Air Force [USAF] 
to help secure the nation and cyberspace. This domain is both 
highly complex and extremely challenging, but it is one that 
the Air Force is fully embracing.
    Thank you again, and I look forward to your questions.
    [The prepared statement of General Shelton can be found in 
the Appendix on page 54.]
    Mr. Smith. Thank you, General.
    Mr. Lentz.

   STATEMENT OF ROBERT LENTZ, DEPUTY ASSISTANT SECRETARY OF 
    DEFENSE FOR CYBER, IDENTITY MANAGEMENT, AND INFORMATION 
     ASSURANCE, AND SENIOR INFORMATION ASSURANCE OFFICIAL, 
                     DEPARTMENT OF DEFENSE

    Mr. Lentz. Good afternoon, Chairman Smith, Congressman 
Miller, and members of the subcommittee. I am pleased to appear 
before the subcommittee to discuss initiatives to enhance the 
department's and the nation's information assurance cyber 
security posture.
    This is a critical priority in the Department of Defense. 
With information and information technology assets distributed 
over a vast enterprise and with diverse domestic and 
international partners, we know that we can not execute 
operations without the GIG, Global Information Grid, or the DOD 
network.
    The GIG is where business goods and services are 
coordinated, where medical information resides, where 
intelligence data is fused, where weapons platforms are 
designed, built, and maintained, where commanders plan 
operations and control forces, and where training, readiness, 
morale, and welfare are sustained. Maintaining freedom of 
action in cyberspace is critical to the department and to the 
nation.
    Therefore, the department is focused on building and 
operating the GIG as a joint global enterprise. This enterprise 
network approach, coupled with skilled users, defenders, and 
first responders, and in partnership with the intelligence and 
homeland security communities, will allow us to more readily 
identify and respond to cyber attacks.
    The DOD information assurance cyber security program is 
thus aimed at ensuring that DOD missions and operations 
continue under any cyber situation or condition, and the cyber 
components of DOD weapons systems perform as expected. There 
are many examples of current initiatives in my statement for 
the record. I will quickly highlight a few today.
    To protect sensitive data on mobile and portable devices 
like laptops, we help make discounted encryption products 
available to all federal, state, local, and tribal government 
agencies and to NATO [North Atlantic Treaty Organization]. 
Since July of 2007, the resulting U.S. government cost 
avoidance has exceeded $98 million.
    To address cyber security risks to the defense industrial 
base we have put in place a multi-faceted pilot for threat and 
vulnerability sharing, incident reporting, and damage 
assessment. For the global supply chain, the department has 
launched a program to protect mission-critical systems.
    This year we are establishing four centers of excellence to 
support program executive offices and supply chain risk 
mitigation throughout the system lifecycle. Additionally, we 
are executing vulnerability assessments in accordance with the 
2009 National Defense Appropriations Act.
    We continue to rely on the national centers of academic 
excellence and IA [information assurance] education for 
critical cyber security skills. There are currently 94 centers 
in 38 states and the District of Columbia. One of the centers--
the University of Nebraska at Omaha--cosponsored and hosted 
last year's fifth annual International Cyber Defense Workshop.
    In 2008, the department helped bring cyber security to the 
Wounded Warrior Program. Wounded, disabled, and transitioning 
veterans are receiving no-cost vocational training in digital 
forensics, a critical technical shortfall for the nation and 
for the department. The program started at Walter Reed and is 
being expanded to other DOD and VA hospitals.
    In conclusion, the DOD's CIO [Chief Information Officer] is 
working towards a resilient and defendable core network for the 
department and for the nation in the face of the daunting 
security challenges. We are preparing the GIG [Global 
Information Grid] and the GIG-dependent missions to operate 
under duress, and we are doing so under conditions of rising 
hostilities.
    I am happy to take questions. Thank you.
    [The prepared statement of Mr. Lentz can be found in the 
Appendix on page 66.]
    Mr. Smith. Thank you very much.
    General Alexander.

 STATEMENT OF LT. GEN. KEITH ALEXANDER, USA, COMMANDER, JOINT 
    FUNCTIONAL COMPONENT COMMAND NETWORK WARFARE, DIRECTOR, 
        NATIONAL SECURITY AGENCY, DEPARTMENT OF DEFENSE

    General Alexander. Well, that was quick, Mr. Chairman----
    Mr. Smith [continuing]. Astonished. We moved very, very 
quickly through that.
    General Alexander. I won't slow it down.
    Mr. Smith. No----
    General Alexander. Mr. Chairman, Ranking Member----
    Mr. Smith. We are ahead of schedule at this point.
    General Alexander. Well, I don't know enough to fill it up, 
so I will talk briefly here.
    I would like to just give you a little bit of background 
about what NSA, the National Security Agency, but more 
importantly, what the Joint Functional Component Command [JFCC] 
for Network Warfare is doing in network operations--where we 
are, where we are going, and the way ahead, because I think it 
leverages off of what my colleagues have already brought up. It 
has to be a team to work this across the services, within DOD, 
to set up the right apparatus. So I will end on that.
    Let me go back to the beginning, and if I could, just hit 
briefly on World War II, and in World War II, just hitting on 
some of the key things that happened in World War II, 
specifically Enigma and Red and Purple, the Japanese encryption 
systems and the German encryption systems. The reason I bring 
those up, as you may recall, the Germans had Enigma; we broke 
it--actually the Poles and the Brits broke it; and in 1941 
Admiral Donitz understood that it was broken and added a fourth 
rotor to make the decrypting of those communications more 
difficult.
    From January to March of 1942 the United States lost 216 
ships off the cost--off the East Coast, and our efforts in 
Europe were going down rapidly. We were able to break that 
collectively, with industry, Army, Navy, working together with 
our allies, and it changed the balance of that war.
    And if you think about it, we broke their encryption, we 
broke the Japanese encryption, and they didn't break ours. And 
that was huge for warfighting.
    The network that we have today has taken what was an analog 
network to a digital network, and a consequence of that change, 
going from analog to packets, is huge. It allows us to leverage 
things like iPhones, the iTouch--I have 11 grandchildren, and 
they have these little iPod Shuffles; they are hooked to the 
networks. They can do things at seven years old--they are 
googling on the network. They are linked--the same network. One 
network.
    Great things are possible. Our military leverages that 
today for great good--for command and control, for integration 
of our intelligence with operations, with logistics, with 
everything we have on the battlefield. Great opportunities, 
great vulnerabilities.
    And with those vulnerabilities comes the reason we really 
have to focus as a team on cyber security. The way we are 
approaching it today does not work.
    Recently, commander of STRATCOM [Strategic Command] 
delegated to myself under net warfare [JFCC-NW], the 
responsibility for directing the defense and operations of the 
GIG as well as our current role for net warfare, so that we 
have all those missions together so that we could put the 
defense and the offense together for the good of the Defense 
Department.
    As you saw in my written statement for the record, the 
Defense Department is considering an option to stand up a sub-
unified command that would allow us to leverage the defense and 
the offense for the good of our forces around the world to 
ensure that we have the communications availability, the 
integrity of our communications, and the reliability that we 
need to conduct our missions abroad. In order to do that, the 
services and the joint community has to work together to 
support our regional combatant commands.
    So I think what each of the services has said and where we 
are is now we are looking at the steps of what we have to put 
together in the sub-unified command as an option, or in a Joint 
Functional Component Command--how will we put these 
capabilities together to ensure our networks are secure and 
provide us freedom of maneuver in cyberspace?
    So with that, a lot of work to be done is ahead of us. I 
think where the Defense Department is today is in a good place 
and moving up. We understand the problem; it doesn't mean that 
there aren't issues with training, with equipping, and with the 
tactics, techniques, and procedures that we have to do, but I 
do think that we have come up with a way of working together to 
face these and to come up with a good plan for the future.
    So with that, Mr. Chairman, I turn it back over to you.
    [The prepared statement of General Alexander can be found 
in the Appendix on page 94.]
    Mr. Smith. Thank you.
    And we will--in questions we will observe the five-minute 
rule. Hopefully--we got great very brief statements by our 
witnesses--we will have time to go around more than once. But 
just to keep it flowing we will make sure we keep everybody to 
five minutes, including me.
    My first question is just sort of a follow up on that last 
point about how coordinated the effort is in the Joint 
Functional Component Command. So when you look out across DOD, 
and certainly we have many of the key components here--Army, 
Navy, Air Force--and if you are in your position, or STRATCOM's 
position, or even a higher up, and you are going, ``How secure 
is my network?''
    How compartmentalized is that and how coordinated is that? 
You know, how much do you guys get together on a regular basis 
so that you, as the person in charge of that, or the Secretary 
of Defense, or somebody higher up can say with confidence, 
``Our network is secure and we are paying attention to the 
different pieces of it.''
    Or, I guess the better question is, to know the 
vulnerabilities--to know in a coordinated fashion so that it is 
not stovepiped, because as you know, in this situation, in many 
cases, you are only as strong as your weakest link into the 
network. How do you do that coordination within DOD?
    And then I have a follow-on question about how you handle 
the interagency piece. But just starting in DOD, and you 
touched on that a little bit, but if you would get more 
specific about how coordinated that effort is.
    General Alexander. I will hit the first part and then I 
will let Bob and some of the others----
    Mr. Smith. Okay.
    General Alexander [continuing]. Pick up on that. We direct 
the defense of the network to the Joint Task Force-Global 
Network Operations. Lieutenant General Carroll Pollett, from 
the Defense Information Systems Agency [DISA], is the commander 
of the Joint Task Force-Global Network Operations and works for 
me in that regard, and his day-to-day guy is Brigadier General 
John Davis. They put out written guidance of how to defend the 
network--the unclassified and the classified networks.
    I would like to say that our networks are secure, but that 
would not be correct. We do have vulnerabilities.
    And the issue, and one of the things that we have wrestled 
with over the last six months, is a strategy for closing those 
vulnerabilities very quickly. I think we are making good 
progress on that, because the level of problems that we have 
had with things like Conficker and others have been greatly 
diminished because of the great steps that have been taken by 
Global Network Operations but implemented by the services.
    Mr. Smith. And what were some of those steps, if you could 
walk through the specifics here?
    General Alexander. Well, let us see. In an unclassified 
forum that becomes very difficult. It would be the way that you 
use removable media, would be a great case in point--how you 
have to use removable media or not use it in a network, what 
the restraints are, dictating those restraints, how you have 
your Information Assurance Vulnerability Analysis IAVA 
compliance out there, which means, do you have your McAfee or 
Symantec antivirus software up to date? Are you using the 
latest update? Have you scanned your system for these things? 
And ensuring that those kinds of things are done.
    How do we tell that at a global scale? Others' mission is 
to look on the periphery and see if we see problems on the 
network.
    I would like to give you one key element here I think is 
crucial to it. If we try to defend our networks like we do a 
castle--the moat--we will never be successful. We have to 
defend it on the network globally, because that is how it 
exists on the network.
    And so that means we and our allies in industry and 
government have to work together in this enterprise. That is 
going to be key to our success.
    Bob, and----
    Mr. Lentz. I will give you two examples, Mr. Chairman, to 
your question. First of all, one unclassified example of the 
cooperation at a technical level is the Federal Desktop Core 
Configuration.
    The fact that we locked down the computers so tightly at 
our endpoint within the DOD network working with the services--
in fact, the Air Force led that effort--and Microsoft, which is 
our most ubiquitous product throughout the Department of 
Defense, is locked down in terms of the stable configuration, 
and that has allowed us to defend the network much more 
effectively. I think that is a technical example.
    To your first question regarding the cooperation within the 
Department of Defense, one of the things that--we have a DOD 
CIO policy that has been fully implemented is, we align every 
single service and agency within the Department of Defense to 
what we call a computer network defense service provider, or a 
Computer Emergency Response Team [CERT]. So every entity in the 
Department of Defense, from our schools to our main military 
operations, are aligned to certified CND [computer network 
defense] service providers, and those CND service providers 
work together under the leadership of STRATCOM and the JTF-GNO 
[Joint Task Force-Global Network Operations] working in 
partnership with NSA and the law enforcement community part of 
our infrastructure to work on these cyber events. So I think 
that is an example of the cooperation that goes on within the 
DOD.
    Mr. Smith. Okay.
    I will yield back the point and yield to Mr. Miller.
    Mr. Miller. Thank you, Mr. Chairman.
    Could you talk about the role that you think the federal 
government should play in securing the networks of our defense 
industry partners?
    Mr. Lentz.
    Mr. Lentz. Clearly, it is absolutely essential, in terms of 
having a robust capability in the face of the cyber attack, is, 
we need a partnership in every tier, from our international 
partners--we have found on one cyber event after another cyber 
event that they have insights that are very critical for us. 
Plus, just because of the nature of the geography, our 
international partners oftentimes will have an advanced warning 
to give us insight into cyber events.
    At the domestic level, we team with the major centers 
across the cyber landscape, to include the counter-
intelligence, the law enforcement communities, and of course, 
all the CERTs [Computer Emergency Response Teams]. And at the 
industry level, it is absolutely essential we team with the 
ISPs [Internet service providers], we team with Carnegie 
Mellon, we team with all the industry leaders in this area to 
gain insight into cyber events, particularly when it comes to 
vulnerabilities in which we have to have advanced notice in 
today's cyber environment.
    Mr. Miller. General? Would you like to answer?
    General Alexander. So the role that--just to take up where 
Bob left off--so one of the roles that the intelligence 
community and the Defense Department is going to have is, how 
do you make those identifications of the vulnerabilities and 
the signatures and how do we work those with industry and other 
government entities so that they know how to defend their 
system?
    I think if you take the analogy that I was talking about, 
this--we are defending a castle today, but we want to defend 
our network and perhaps our allies' networks, then you are 
going to have to have an early warning capability that exists 
between networks to tip and cue on problems that are coming. I 
think that is going to be key for future problems that we 
face--for example, some of these robot networks, or botnets, 
that are out there, and things like that.
    How do you defend against them? It is going to take our 
country and our allies to work together and tip and cue at 
network speed to defeat them.
    Mr. Miller. How does the DOD ensure that we--you had 
mentioned the word ``robust''--have a robust computer network 
defense and information assurance structure in place but we 
don't replicate across the service lines?
    Mr. Lentz. Well, I think we actually do have a very robust 
capability working with the services. As I mentioned, early the 
CND [Computer Network Defense] service provider program that we 
have--we have 23 different CND service providers across the 
Department of Defense, of which the services make up a good 
share of those. And each one of those CND service providers 
coordinate constantly in real time what is going on in cyber 
events.
    Mr. Smith. Mr. Marshall for five minutes.
    Mr. Marshall. Thank you, Mr. Chairman.
    I wonder what the limits of the effective partnership 
between DOD, or the nation generally, and business might be--
the private sector might be. I was involved in an enterprise at 
one point that decided it was going to acquire a bunch of 
laptops that each individual employee would then use to enter 
data while they were out. We had a range of possible laptops 
that we could pick, and some of the more expensive laptops were 
less vulnerable to damage if they were dropped, if, you know, 
they were exposed to water, to heat, et cetera, and then there 
was the question of weight, and typically the ones that were 
less vulnerable were also heavier, and so we ultimately decided 
we were going to go with the lightweight one because we could, 
in our circumstances, not have to worry too much about things 
being dropped or subjected to water or heat.
    I assume that for some of the applications that we might 
use laptops for where the Army is concerned and the services 
are concerned, going to go with the heavier version that can 
handle them. And I wonder if those--I am sure that those same 
kinds of decision-making differences between the private sector 
and the public sector exist with regard to the issues that you 
all deal with that are way above my pay grade. And I am 
wondering if you can describe where it is that your interests 
diverge or your objectives diverge in ways that will make the 
partnership more difficult.
    General Alexander. I will take a first whack at that, sir. 
Let me just give you my thought, and that is, where they 
converge are where it is in our nation's interest to ensure 
those networks exist and can function and they are reliable--
our power grid, our critical infrastructure at large. We have, 
I think, there a responsibility to partner with industry to 
assure that our nation can operate in a time of crisis, and the 
government has some kind of role there and I think we have got 
to determine--and I think some of the stuff coming out of the 
60-day review and other studies will look at, so how do we 
partner with industry to do that?
    Our partnership might be giving them early warning, sharing 
with them threat data, and helping them secure their networks 
with some of the standards that Bob talked about, in terms of 
how you would set up your desktop configuration to active 
tipping and cuing to defend their networks. One of the key 
things that industry has done on the network is their 
intellectual secrets, their financial--wealth, all that is 
stored on the networks, their personal data. Much of that is an 
industry, I think, responsibility to secure, and government 
would support in some way.
    So I think that is where it starts to diverge, as you get 
industry that is out there on its own--there are some things--
you know, our own personal communications from my wife to 
myself--that doesn't need government, and if that goes down, 
well then I won't buy the milk and bread tonight. I will be 
good.
    But, you know, our personal communications aren't a 
national priority, so I think you are going to have that range 
from those things that are, how do we ensure the security of 
our nation, so that if a network attack blossoms into a warfare 
we know where that line is.
    Mr. Marshall. There is no question a tremendous opportunity 
exists for synergy here and for taking advantage of the private 
sector's obvious interest in protecting data. I mean, literally 
billions or trillions of dollars are at stake, you know, 
besides personal private information.
    And so the private sector is paying top dollar to the best 
possible minds to protect the infrastructure that holds access 
to those kinds of money flows, to that kind of private 
information. I am wondering where it diverges in any 
substantial way.
    General Alexander. Well, I think part of the divergence is 
that, you know, they are going to harden like a shell for 
theirs, but the government is going to operate across a global 
thing with our allies, so we have a global responsibility. You 
can harden a network for an industry within a network and 
almost sever it completely and have that almost ensured 
security.
    Where we have to have an Army in the field, or an Air Force 
in the field, or a Navy out there, they are going to have 
communications that are both wireless and wired, and as a 
consequence they are going to have vulnerabilities that are far 
different than what industry might have. Now, having said that, 
it doesn't necessarily mean that there aren't things that we 
couldn't work together with or should work together with; I 
think there will be.
    So I think you will have all the way from the far you know, 
all the way over here on the far right, those things that we 
are not worried about and even if somebody loses them, to those 
things that we are worried about as the national interest; and 
then take the other axis that you were doing, the economic 
access, from those things you don't worry about somebody 
hitting over here, perhaps, in one level of industry all the 
way over to the banking industry and security of those. And 
both of those at the far end of that--the banking industry and 
our national military command authority--both have to be 
secured with the best that we have. And I think there is great 
synergy here and great divergence at the other end.
    Mr. Smith. Thank you. If you have something quick, I want 
to make sure we keep moving to the other members. Mr. 
Thornberry.
    Mr. Thornberry. Thank you, Mr. Chairman. If we are 
literally under attack every day and are to treat cyber as a 
domain of warfare, like we have treated others, it seems to me 
we have to have the legal, policy, and doctrine discussions as 
well as funding, training, equipping, and all the things that 
go with domains of warfare that we are serious about.
    General Shelton, you mentioned the Air Force has been in 
front on this. Does the Air Force have a specific plan to 
implement what Secretary Gates talked about in quadrupling the 
number of people trained in cyber warfare?
    General Shelton. Yes, sir. We are moving out on adapting 
courses--adopting courses. There are joint courses we are 
pursuing that are already in place. There are new ones that are 
standing up.
    We are changing the way we train at our training centers, 
both officer and enlisted, and also creating training 
opportunities for our civilians. So the answer is, absolutely. 
We are trying to expand our universe in terms of trained people 
in this area.
    Mr. Thornberry. But is that down to the point where there 
is a piece of paper that shows, we are going to ramp up our 
training to meet this specific number that he talked about that 
has been signed off on?
    General Shelton. We aren't there yet, sir, to the actual 
numbers, but we do have a way ahead in terms of concept. But is 
it numerically in place? It is not.
    Mr. Thornberry. I am just trying to understand how far we 
have gotten towards being serious--and I am not picking on you, 
particularly--but just how far we have gone to being serious 
about some of these tough issues.
    General Alexander, to pick on you a little bit--not really 
pick on you, but----
    General Alexander. Thank you.
    Mr. Thornberry [continuing]. But what are the policy and 
legal issues that we need to be thinking about? I mean, a lot 
of this is the stuff that is in you all's bailiwick, and we 
have got to oversee the funding and so forth, but it seems to 
me there are some legal policy issues that are our 
responsibility. What are they?
    General Alexander. I think one of the clear ones--what you 
would expect us to do is to defend our networks, and we have 
the right to defend our networks and to keep adversaries from 
getting into our networks, to secure our classified networks 
and all of that. And I think there is inherent right, and we 
have the legal framework to go ahead and do that.
    Here is where it starts to break down and where I think 
you, with the administration and others--the discussion that we 
are now going to enter into. I think once the 60-day review has 
come up, and so now going back to the earlier question, so what 
is that role and responsibility primarily with DHS [Department 
of Homeland Security], because they will have to lead for the 
rest of the dot-gov networks and for that partnership with 
industry, so what is the legal framework for sharing threat 
signatures with industry that are classified? How do we do it 
at network speed so that it is defensible? And what is that 
legal framework and what is that operational framework?
    And those are areas that technically are easier to do than 
they are to set the legal framework up, because you have 
industries--for example, your antivirus community. If we give 
them a classified signature, how do we ensure it is not given 
out so widely that our adversaries have it when they are a 
global antivirus community? Things like that we are going to 
have do look at. There is a whole series of issues, I think, in 
those realms.
    Mr. Thornberry. Well, for example, when the Constitution 
says Congress has the responsibility to declare war, what does 
that mean when we are under attack every day? How do we deal 
with warfare in cyberspace?
    General Alexander. Well, I think the loose use of the word 
``under attack'' and ``warfare'' is probably more accurately 
described as people probing our network. We call that, I 
think--others loosely call that an attack on your network, but 
it falls short of what I think we would legally look at, and I 
have got the head lawyer back there right behind me, so he will 
raise his hand and make sure I say this right, but----
    Mr. Smith. He was nodding his head. Let the record reflect 
it.
    General Alexander. This way, or this way?
    Mr. Thornberry. Well, was Estonia or Georgia under attack, 
and was their infrastructure under attack in a way that, you 
know, gets closer to that declaration of war?
    General Alexander. No, I think you are starting to--on 
those you are starting to get close to what would be. The 
problem that you have there is who. The attribution. And so I 
think what you have is the inherent right to defend first, and 
attribute, and preferably to do those at network speed. So what 
we just agreed on, I think, if you agree with those two 
statements to do those both at network speed, is the reason 
that we need the defense, the exploit, and the attack to work 
synonymously as a team at network speed to do just that.
    Because if we don't--if we leave the defend, to defend 
itself and they are getting hit over here and somebody says, 
``Hey, did you know they are getting hammered? The Air Force is 
getting hit on the network,'' we would say no, we didn't. It 
has happened to our industry players. And so if you are not 
aware of it you can't help mitigate it, you can't help 
attribute it.
    So that partnership has to come in. I think in the legal 
framework it starts to go up to, when is it going from exploit 
to damage? And in that change is where you go from what I will 
call spying operations into warfare.
    And there is, I think, a more specific set of terms that 
would define those, and--did I get all that right, Bill?
    Mr. Smith. Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    Gentlemen, thank you for your testimony here today.
    To continue on that line, General Alexander, clearly the 
tools available to us in cyberspace are very powerful. I know 
the NSA, in particular, is very good at what we do. How far 
down the road are we in really setting the rules of engagement, 
and who and when do those decisions get made?
    Clearly modern warfare has forever changed; we will never 
have a conflict in the future that doesn't have a cyber 
component to it. And where are we on that stage, you know, in 
terms of where we escalate to the fact--to where we would 
attack and cause great damage in response to an attack on our 
own networks? Where are the rules of engagement at this point, 
and who is going to make those decisions along the way?
    General Alexander. Well, I think if you start out within 
the defense community, those rules for defending, exploiting, 
and attacking on the networks as part of war fall within the 
Defense Department. I think we can easily envision--there was a 
Chinese PLA [People's Liberation Army] statement in 1996 that 
said something to the effect, ``If you want to attack the 
United States, attack its banking system.''
    Now, the issue--this complicates it and it puts us into 
answering your question more accurately. It gives you a 
understanding that it may not be the Defense Department that is 
attacked.
    But if we assume symmetrically that they would attack us, 
the Defense Department, and the Defense Department would 
respond back, you are now into one form. The issue, I think, 
that realistically faces us, though, is that it would be 
asymmetrical. It would go against our industry, and it might be 
our critical infrastructure.
    And then the question of the partnership between the 
Defense Department, Homeland Security, and the intel community 
has to be clear. We have to have laid out those rules and 
walked through that. We are walking our way down that; we are 
not far enough.
    I think within the DOD we have laid out the legal framework 
for what constitutes an attack, how we defend our networks, 
what we do in that--specific to the Defense Department for DOD 
operations, for example, on the war on terror.
    But that is a very limited and a very focused set. I think 
to really get to the heart of your question, you have to have 
that partnership and we have to operate seamlessly across all 
of those if we are going to be successful. And that is going to 
take some work.
    Mr. Langevin. In the CSIS [Center for Strategic and 
International Studies] report, the commission that I co-chaired 
and worked on with a number of others, one of the things--the 
conclusions--that we came up with was that the president should 
make clear that cyberspace and our cyber assets are a national 
asset and that we will use full assets of national power to 
protect it. Do you agree that it is time that we have, perhaps, 
a cyber Monroe document that lays out clearly what our response 
would be in terms of protecting our cyber assets?
    General Alexander. I do.
    Mr. Langevin. Let me add----
    General Alexander. There is four others that--you want to--
I do. I think they do, too, but I don't----
    Mr. Langevin. Anybody else?
    General Alexander. But, I don't want to speak for 
everybody.
    Mr. Smith. I guess the follow up to that, what would be 
involved in making sure that that is clear? Is there an 
executive order that is needed? And following up a little bit 
on what Mr. Thornberry was asking about in terms of your 
authority to act--is that understood, or is there more action 
that is needed to allow you to have that authority?
    General Alexander. Well, I think what the 60-day review is 
looking at is taken right from your study and others and 
saying, ``So how do we start that at the top? What is the White 
House role in doing that?'' And I think they are going to set 
that up and say, ``Here is the White House role,'' and lay that 
out.
    So that is yet to be fully disclosed, and I think they have 
got a couple more steps to complete that. But my gut reaction 
is that they will do essentially where you are, so we have to 
set up a national leadership for it at the White House. Roles 
and responsibility to the Defense Department, DHS, our 
partnership with industry, and our partnership with allies 
needs to be clearly documented. And I think we have to start 
walking down that road.
    The follow-on question is, okay, so you have these--you 
have the legal framework that we talked about, that has got to 
come up. You have to have the operational framework. And I 
would submit that first we have got to lay out operational 
frameworks that will work.
    There are operational frameworks that people can put on the 
table that just don't make technical sense, so that is where 
our partnership with industry really has to come to the 
forefront. What technically can we do to secure those networks 
with the Defense Department, the intelligence community, and 
DHS, and industry, and then how do we take that--what do we 
need legally to make that work? And I think we have yet to walk 
through those, and I think the first step will be when the 
White House puts out that 60-day study.
    Mr. Smith. Ask a little bit about acquisition issues, and 
maybe have the three individual services speak to their ability 
to acquire what they need technologically, because there is the 
challenge in the IT world that basically Moore's Law runs 
headlong into the acquisition process. You know, things update 
very rapidly, and yet it takes a couple of years to go through 
the ability to acquire systems.
    Now, I know reforms have been made to a certain extent 
within IT to give greater flexibility to enable you to purchase 
more equipment more quickly. How well is that working, and what 
more do we need to do to make sure you are able to buy the 
equipment that you need? And just if each one of you could sort 
of give a little vignette from your experiences within your 
individual service.
    General Shelton.
    General Shelton. Glad to start. You are exactly right. We 
have a real challenge of what I would call an industrial age 
acquisition process trying to operate in IT space, which is not 
adequate. We have vehicles that we can use to acquire IT 
solutions, and in many cases those are commercial off-the-shelf 
products or commercial off-the-shelf products that we slightly 
modify and adapt to our purposes. In some cases, the question 
is scalability, but beyond that those solutions are there.
    So I think we are in reasonably good shape from the overall 
capability to acquire. It is that we don't often exercise that 
capability the way we should, so----
    Mr. Smith. Why not?
    General Shelton. We sometimes revert to the way we have 
always acquired. So we are forcing that inside the Air Force. 
We are forcing that toward much different solutions, and we are 
forcing an architecture that will allow much different 
solutions----
    Mr. Smith. Well, Mr. Carey, if you could talk a little bit 
about Navy's experience with the Navy-Marine Corps Intranet, 
which was a big transition system in terms of the software 
being put in place--how difficult was that to acquire? Or just 
more broadly within the same acquisition area, what challenges 
are you facing? What do you think needs to be done to overcome 
them?
    Mr. Carey. NMCI [Navy Marine Corps Intranet], sir, was a 
huge culture change to the department in the IT space. To move 
from a system of lots and lots of networks controlled by 
individual unit commanders or organizational commands through a 
homogeneous, centrally-controlled network apparatus was just a 
huge culture change, so it took some time to get there.
    The acquisition process allowed us to get there----
    Mr. Smith. Okay.
    Mr. Carey [continuing]. In a reasonable amount of time, but 
imagine that it is now the largest intranet in the world, so 
grew from having hundreds of networks--we are not subsumed by 
one--using the process.
    Mr. Smith. Okay.
    Do you have anything you want to add?
    Mr. Krieger. Sir, I think your discussion on the 
acquisition process not being agile is really a cultural issue.
    Mr. Smith. Okay.
    Mr. Krieger. So I think within the acquisition process, 
both legislatively and regulatorily, the agility is there. This 
is a cultural change for the department. Can we deliver spiral 
capabilities--not a full capability--quicker and spiral it out, 
versus the culture has been to deliver a completed product over 
time?
    Mr. Smith. Well, does that also feed into sort of how 
personnel are rewarded and/or punished depending on how they do 
things? That basically there is a culture that says, ``Hey, as 
long as I am following the process, as long as I am going 
through the acquisition process there I am good. If I step 
outside of it I am in real danger''?
    Because it strikes me that it would really take, you know, 
creative personnel who understand IT to say, ``Hey, I need this 
solution now. I am going to go do it, not go through the normal 
process as empowered.''
    And I can see where you might be limited within the 
military concept, people saying, ``Look, if I do this, you 
know, I am not going to be rewarded for it if it goes well and 
I am sure as hell going to be punished for it if it doesn't go 
well.'' Is there a problem with that in terms of changing how 
we promote and reward behavior?
    Mr. Krieger. Sir, I know within the Army in the current 
global war on terrorism, we are at the point in the Army now 
that when we generate a requirement from the field of JUONS 
[joint urgent operational needs statement], and we document it, 
we are delivering capability real quick now. And so I think 
that culture is changing, and we certainly have soldiers, and 
sailors, and airmen in need now, but we are discovering, 
culturally, that it is possible to deliver IT quicker and 
outside--within the system but not the traditional way that we 
build airplanes and ships and things. And certainly there is 
lots of examples in the current war where we have identified a 
problem, we have documented the requirement, and we have 
delivered spiraled-out capability.
    Mr. Smith. Thank you. I very much appreciate it.
    I will go to Mr. Miller and then I will go to Mr. Conaway, 
who walked in right at the end of the questioning there, but we 
don't want to get you out of the loop there, so we will go to 
Miller, Conaway, and then back to the other.
    Mr. Miller. Thank you, Mr. Chairman.
    One brief question to General Alexander, if you would, in 
reference to the new idea of the new sub-unified four-star: 
Will DISA and NSA be rolled into the command and how will the 
relationship between DISA and ODNI [Office of the Director of 
National Intelligence] be affected?
    General Alexander. It is not clear, in my mind, that it 
would--it will not be rolled in, per say. I think that part--it 
will be leveraged in the foundation for it. I think we have to 
have the synergy between what NSA does for the intel community, 
for what NSA does for the cyber community, and those are 
inextricably linked.
    So, specifically today, we have JFCC-NW at NSA, and as a 
consequence of having them there at NSA they can leverage the 
different offices that look globally to do their mission. I see 
that--we growing that connective tissue between what NSA is 
doing and what this command is doing.
    I think there are some things that will be in common that 
we are going to have to put in both in the concept that is 
being looked at, and that is, how do we see cyberspace? An 
integrated cyber operations facility. What is it that you see 
for your defense? How do you see your network boundaries?
    What do you see globally? What do our allies see? What is 
going on on the network? And how do you mitigate and attribute, 
going back to the question?
    Because if you can't see it you are not doing it in real 
time. So how are you doing that in real time? How are you 
bouncing those back and forth?
    So what I imagine will happen is, we will put the pieces 
together at Fort Meade, at least in the recommendations and the 
thing that is under consideration, and then look at how you 
build the command to specifically do cyber operations, 
leveraging what NSA brings in network exploitation. And I think 
that is the key part, is to have them coexist.
    In that respect, the DNI [Director of National 
Intelligence] is comfortable and a proponent for it, because it 
does both. I think it is good for both of us and we can do 
both, in that regard.
    The second question--the logical question that stems out of 
that, and what is your relationship with DHS because they need 
some of the same support? We see that that is a foundation that 
DHS can lean on--a technical foundation--while DHS takes on its 
missions to operate and defend the rest of the dot-gov 
networks.
    Mr. Smith. Thank you. Mr. Conaway.
    Mr. Conaway. Thank you, Mr. Chairman. Since I just got here 
I will not replow----
    Mr. Smith. Thank you. Mr. Marshall.
    Mr. Marshall. Thank you, Mr. Chairman. I would like to 
return to the line of questioning that I had when I was--just a 
minute ago, and it is again, where is it that you perceive the 
private sector's interests, motivation diverging from ours?
    And General Alexander, you described, you know, a private 
sector company that might be able to--that had a similar 
interest because billions of dollars are at stake, or very, 
very sensitive information was at stake so they wanted to 
protect that information. And being able to harden itself, and 
its use probably more so than we could, practically speaking, 
given the cost associated and given the kind of uses that we 
have to make of information technology across the military.
    But can you give other examples that would help me 
understand how they diverge, and would--this is a question to 
all members of the panel, not just General Alexander.
    I know, Mr. Lentz, you were about to say something and I 
had run out of time.
    Mr. Lentz. Well, I can give you a couple examples of that. 
I think the biggest challenge we are going to have--and I think 
the laptop example that you alluded to in the beginning is a 
good example of that--when we did our data-at-rest encryption 
policy, we went out to industry, established a standard, we 
worked with industry to figure out where that bar for security 
needs to be and where they can meet that bar at the cost and 
operational effectiveness that meets both entities' standards, 
for them to make a profit, but also for us to be able to get 
the most secure capability out in the field.
    We did that very quickly over the course of several months. 
We developed the standard, and we have 12 companies that bid 
competitively for that process.
    The cost for a data-at-rest piece of software license would 
normally cost you $200 if you went and got it yourself. Because 
of this competitive standard-based process, we dropped the cost 
to less than $10 per software license. Now, that is an example 
where we had convergence.
    Now, as the bar goes higher in cyberspace because the cyber 
threat is increasing exponentially, we have to work with 
industry to build in much more robust capability. And that is 
not just dealing with encryption, but all the aspects that go 
around hardware and software.
    And that is where industry is going to have a more 
difficult time, because as that bar gets raised, their profits 
start to decrease. And that is where we have to look at the 
government-private sector partnership to figure out how we can 
get that bar raised in a cooperative way, at the same time 
maintain the competitive acquisition process.
    General Alexander. My experience with industry, though, is 
there is more convergence than there is divergence. They see 
the obvious rationale for securing the networks just like we 
do.
    More importantly, they also see that they, in part--many of 
the industry folks that I have talked to said, ``We need 
government support here.'' I don't think they want government 
compelling them to do things on the network, but I think they 
need government support in securing it and developing a 
framework--a technical framework--that is securable.
    That is probably going to be impossible, so how do we get 
as close to that as we can? I think industry is absolutely 
looking for partnership with government and with our allies 
setting up some solution like that.
    So my experience has been almost completely convergent in 
that regard. I have not seen--I asked one industry, I said, 
``Why don't we give you this problem?''
    They said, ``We can't afford to do it without government 
support.'' That was the only divergence.
    We said, ``Well, this would be one that we would throw 
over. Critical infrastructure--that is an industry thing. Why 
don't you take care of it?'' And they said----
    Mr. Marshall. So, industry interest is not broad enough to 
justify the cost, is in essence what you are saying, and so to 
the extent that we have got to have a certain level of security 
or capability, industry is not necessarily going to generate 
for us because either there are too many defeatist characters 
competing with one another with different products, and 
consequently different companies looking at those different 
products, or there are just not enough companies that are that 
interested in that level of security or capability?
    General Alexander. Banking industry clearly has a 
compelling need to create that existing secure infrastructure, 
and they are working hard to do that. There are things that 
government and industry--and that industry--could work together 
to make it even better. Your electrical power grid and some of 
your other ones are low cost when you look at the network.
    So the power companies that are going to have to go out and 
change the configuration of their networks, that is a cost that 
if you take what Bob was saying, one further step, now to 
upgrade their networks to make sure they are secure is a jump 
in cost for them, and now you are going to have to work through 
their committees, through the regulatory committees to get the 
rate increases so that they can actually secure their networks.
    So when you talk to the power industry, as an example, that 
is one where you are not going to look at, so how does 
government--because we are interested in perhaps having 
reliable power--how do we ensure that that happens as a 
critical infrastructure? So DHS and that critical 
infrastructure have to work together to walk through that.
    Mr. Smith. Thank you.
    Mr. Thornberry----
    Mr. Thornberry. Let me give the Army and Navy a chance to 
answer what you all's services are doing to train, equip, 
develop career paths for cyber warfare. Do you have cultural 
difficulties there, too, particularly in whether you see cyber 
as an enabler for the things that you are already doing or a 
domain of warfare on its own.
    Mr. Krieger. Sir, you raised a very good issue, and the 
Army is trying to come to grips with that right now and 
studying it, and we have got a study going on by TRADOC 
[Training and Doctrine Command] to figure out what we want to 
do, both at the officer level and the warrant officer level and 
the soldier and NCO level.
    The question is exactly on target. I don't have an answer 
yet, but that is what we are trying to figure out.
    Mr. Carey. We believe that everyone that engages the 
network becomes a cyber warrior at some point. If you are going 
to touch the network, you are involved in something that is 
greater than you might have actually thought. So changing that 
culture, as my colleagues have said, is something that we are 
working on very diligently right now as we move into our next 
generation network environment, and that we are bringing on 
more people to operate in this domain, both in the uniform side 
and the civilian side, to allow ourselves that span of control 
that we don't have right now inside the department.
    Mr. Smith. Thank you.
    I had one more line of questioning, but Mr. Conaway, go 
ahead.
    Mr. Conaway. Well, thank you, Mr. Chairman.
    A few of us are working on an acquisitions panel issues, 
and I was just wondering, Mr. Lentz, can we use the acquisition 
regulations and practices to incent defense contractors to be--
their cyber warfare posture, to make sure they are compliant or 
that they are protected as they need to be to handle our data 
and handle our work? Is that an appropriate use of those?
    Mr. Lentz. Yes. We are working with AT&L [Acquisition, 
Technology, and Logistics] to look at the----
    Mr. Conaway. AT&L?
    Mr. Lentz. I am sorry. The acquisition organization in DOD.
    Mr. Conaway. Okay.
    Mr. Lentz [continuing]. To look at modifying the defense 
acquisition regs and the federal acquisition regs for including 
stronger language in there regarding meeting certain security 
benchmark standards in terms of protecting information that 
resides on their networks. That is something we are doing right 
now.
    Mr. Conaway. And you think you will get pushback from the 
contractors on this deal?
    Mr. Lentz. No, we are not. In fact, they are asking for 
that language. No problem.
    Mr. Conaway. All right.
    And then, General Shelton, when you guys set up your cyber 
command, can you walk us through the rationale between why that 
was a numbered air force versus a four-star command?
    General Shelton. Sure. As we first started to look into 
this, we said a major command seemed appropriate because that 
is how we organize, train, and equip in the Air Force. But then 
as we thought more about it, we said, we are really about how 
do we operate? And the way we operate in the Air Force and 
present forces in the Air Force is through numbered air forces.
    So if we are really all about trying to provide cyber 
operations for joint employment, it is more appropriate for a 
numbered air force. And then the organize, train, and equip 
aspects can be subsumed by Air Force Space Command. So that was 
the rationale.
    Mr. Conaway. Okay. And you are comfortable with--the Air 
Force is comfortable, so far, that that was the right decision?
    General Shelton. Absolutely. Very comfortable.
    Mr. Conaway. Thank you, Mr. Chairman.
    Mr. Smith. Just quickly--in terms of personnel, we talk in 
this committee each year about the challenges of making sure 
that you have the best and the brightest folks who understand 
the IT infrastructure, because it is a constantly evolving 
thing. Whatever the systems, it really comes down to people and 
their ability to adapt.
    Just, you know, if anyone has initial thoughts. I don't 
know who would be best to comment on this, so I will throw it 
open to all of you. You know, how are you doing in terms of 
recruiting the personnel that you need to do the IT work that 
you need to get done?
    Mr. Lentz. I can start out, and then----
    First of all, and I know, Congressman Thornberry, your 
interest is on target regarding the fact that within the 
Department of Defense we have over 90,000 personnel that we 
have identified working with the services and agencies that are 
deemed to be cyber warrior-type individuals. Now, these are sys 
admin, that manage the system, and network administrators that 
have part-time jobs both to defend the network as well as to 
administer, and you can't separate those functions.
    Ninety thousand. We have a plan that we are 2 years into to 
certify all 90,000, and we right now have a goal by the end of 
this year to be at 45 percent. And so that is a major goal.
    The other thing we are doing is we are adding highly 
specialized skills on top of them, in light of the cyber events 
that we have talked about, and that will add another layer of 
more highly skilled cyber warriors that will go to schools, 
like in Pensacola and Maxwell and Fort Gordon, possibly, to be 
able to get more in-depth training working with the National 
Cryptologic School at NSA and other institutions.
    The fill rate overall--I will let the services comment on 
that--but what we are seeing right now is, the fill rate for 
those cyber warriors is a fairly good rate. We are seeing over 
90 percent, in terms of those positions that we are talking 
about right now, which, by the way, are contractors, civilians, 
and military personnel.
    Mr. Smith. All right.
    I guess just in general, in any----
    Go ahead, General. Sorry.
    General Shelton. Sir, I was just going to say, in terms of 
technical expertise we have, certainly, a concern, along with 
everyone else in the nation, that there is just not that many 
people coming out of our schools that are prepared for the 
technical-type work. They don't have the educational 
background, haven't studied math, engineering science, those 
sorts of things. So we join the course of many--this is a real 
problem for us.
    Mr. Smith. Yes.
    Gentlemen, do you have anything to add to that?
    Mr. Carey. All I would add is that we are all competing for 
that limited resource----
    Mr. Smith. Right.
    Mr. Carey [continuing]. Whether it is industry, Army, Navy, 
Air Force, Marines, we are all competing for that. And so there 
has not been a challenge that we have seen yet, but we will be 
ramping up for the coming months so we will have more 
information somewhere in the fall.
    Mr. Smith. Okay. Thanks.
    And General Alexander, I just want to follow up quickly on 
the interagency aspect of cyber security. And I think from this 
panel we have got a pretty good idea what the DOD is doing. How 
do you interact--you touched on it a little bit--I mean, 
Homeland Security theoretically is the lead agency for the 
interagency piece of cyber security.
    Does DOD sort of, you know, exist in their own world and 
work on their own systems while Homeland Security is dealing 
with the other aspects of it? What is the integration? How is 
that working?
    General Alexander. Well, for offensive operations we have a 
joint task force--joint interagency task force--which brings in 
all the players. We have great partnerships with FBI, CIA, and 
others, DHS. They sit on these panels--State Department--and 
look at the options and where we are, and I think that is well 
run.
    Where I think there is work to be done, the U.S. CERT is 
growing rapidly, which is the DHS element that would actually 
do the computer emergency response team's job for the rest of 
the dot-gov, is taking that on in a way analogous to what the 
Joint Task Force-Global Network Ops and the CERTs under it does 
with the services. So there is some room to grow in the rest of 
the dot-gov to catch up where I think the Defense Department is 
today.
    Within the intel community, I think they have a strong 
network security program so that that is running pretty good. 
What is lacking today is a integrated defense where you can tip 
and cue between the different government entities and agencies 
at network speed to defend elements of it, and that is one of 
the things we are going to have to grow, which I think DHS 
would leverage what the intel community and the DOD has today, 
both technically and the real time alerting and cuing. Think of 
that as a radar system for cyber security.
    Mr. Smith. I had one more question, but I wanted to see if 
any of my colleagues had anything further.
    Mr. Marshall. I do.
    Mr. Smith. Go ahead, Jim.
    Mr. Marshall. Thank you.
    I am continuing the same line. So, different possibilities 
here--we have got a requirement that needs to be met that we 
have identified. Industry has already met that requirement, so 
we go out and we acquire either the software or the hardware 
and that takes care of that.
    We have a requirement that has not been met by industry as 
well, and it is the banking industry. And the banking industry 
recognizes this need to secure billions and billions and 
billions of dollars of exposure that it would otherwise have. 
Or it is the up--you know, hardening the defense of the 
electrical grid, which has all these collateral public and 
private possible consequences if, in fact, there is a failure, 
that an attack is successful.
    Could you describe--is there a difference in the way we go 
about trying to figure out the partnership and who carries what 
load in--here is the banking system. It is going to get there, 
and you know it is going to get there because there is just too 
much at stake. It is the brightest people in the world they are 
able to hire, and they are going to pay them big bucks, and 
they are going to get there.
    But they would love to have us step up to the plate and pay 
for it. You know, that just makes more money for them. So there 
is obviously a give and take as we discuss with the banking 
system or banking industry who is going to do this.
    And then, where the electrical grid is concerned, they kind 
of go, ``Well, you know, we don't need that kind of level of 
security. That requirement is not one that we want to meet. We 
will take a chance on the grid going down and we will just send 
our guys out there and fix it. You know, actually, they might 
make some money. It might be better for us, in a sense, if the 
grid goes down.''
    Could you describe how you deal with those two different 
kinds of circumstances in order to figure out who carries the 
load? Well, at this--where we are talking about electrical 
grid, who winds up paying the freight, okay?
    General Alexander. I think DHS would have the lead in 
orchestrating that with the Critical Infrastructure Protection 
Advisory Committees that they have, the CIPACs, that go across 
each of those. And in the banking industry, it would be a DHS-
Treasury partnership to look at how we do it with other players 
in the community. So I think you have got DHS in the lead.
    The interesting part that you have put on the table is that 
there may be things that the government technically knows that 
would be useful to industry to secure their networks a degree 
beyond where they are today. How do we do that without risking 
some of our nation's crown jewels, but ensuring their 
protection?
    And that is one of the things where I think the partnership 
between DHS and DOD is going to have to be laid out, and I 
think it is being worked. So there is, right now--DHS has set 
up a good framework for critical infrastructure protection, and 
they have a framework for cyber throughout that.
    They work and they actually partner with DOD and the intel 
community in those regards, and I think they would draw on 
that. I don't know that anybody has come down clearly and said 
the different roles--I don't think they are at that point where 
they could define specifically the roles.
    I will pass it over to Bob.
    Mr. Lentz. Well, I think that is exactly the answer. I 
think where DHS has set the framework up under their National 
Infrastructure Protection Plan, and they are working and we are 
supporting, as an example with the financial sector, we work 
through Treasury and we compare technologies and techniques and 
procedures that we are using, and trying to raise that bar.
    And then as you work some of these other sectors, the 
interesting challenge is going to be, like you addressed, is 
going to be at some point they may say, ``That is enough. I 
can't subsidize this level of protection any longer, especially 
against a nation state.''
    And therefore, we have to have a mutual dialogue at the 
highest levels of the government with industry to determine, 
how are we going to get that bar to a level we are all 
comfortable with? And that is going to be the interesting 
discussion in the future.
    Mr. Marshall. Thank you, Mr. Chairman.
    Mr. Smith. Thank you.
    Just one final question. Mr. Thornberry had mentioned the 
attacks on Estonia and Georgia, which really sort of got 
everyone's attention about what can go beyond, you know, some 
of the more basic stuff that we face. And obviously, you know, 
our main concern right now is data-mining--people accessing our 
network and pulling out information out of it as opposed to 
affirmatively attacking the network.
    But in looking at what happened in those two countries, how 
vulnerable are our DOD networks to similar attacks? How 
confident are you that we have the, you know, system set up to 
withstand that type of an attack?
    General Alexander. I think a distributed denial-of-service 
attack from botnets, like you saw in Estonia, if large enough, 
would really hamper any network today, including the defense--
--
    And the issue is, how do we grow a defense in depth to 
ensure that we don't have that? So that is where our allies and 
partnerships with our allies is going to become crucial.
    If you try to defend it at your gateway, you surely will 
lose on that. And so you are going to have to have a defense in 
depth for that type of attack specifically.
    Mr. Smith. Forgive me. Walk me through a defense in depth, 
what that means exactly, in terms of what you try to do to 
prepare.
    General Alexander. So you would have--if you just look 
globally at the global network, instead of trying to stop all 
the stuff here, you might want to shut them down at the point 
of origin or somewhere in between, and that means that your 
offense and your defense are going to have to be partnered 
together to do that.
    Mr. Smith. Okay.
    General Alexander. I think that is the only way you are 
ever going to--I think we are going to be forced into operating 
like that in the future, and the consequences of that jump--the 
intellectual jump--is developing the tactics and techniques and 
procedures that I briefly discussed earlier.
    Mr. Smith. Gentlemen, anybody else want to comment on that, 
in terms of the security of your systems?
    General.
    General Shelton. Yes, sir. Just one comment. What we are 
trying to do is implement some tight security on our networks, 
so when somebody comes onto the network we make them put a card 
in, we make them enter a code, and in the future probably have 
some sort of biometric so we know exactly who that is and we 
know exactly what permissions they have got, what data they 
have got access to, and somebody outside that realm can't have 
that access.
    Mr. Smith. Right.
    General Shelton. So you are defending inside as opposed to 
defending at the wall. That is the architecture----
    Mr. Smith. Right. And how, I mean--that is really hard with 
all the different people on the network. There are so many 
different access points to the network. But I guess that is 
more of a statement than a question, but you are working on it.
    Anybody else?
    Well, thank you very much. That was very, very informative. 
Look forward to working with you on this issue going forward.
    Thank you all for your testimony and for answering our 
questions. Thanks.
    We are adjourned.
    [Whereupon, at 5:12 p.m., the subcommittee was adjourned.]
?

      
=======================================================================




                            A P P E N D I X

                              May 5, 2009

=======================================================================

      
?

      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                              May 5, 2009

=======================================================================

      
      
    [GRAPHIC] [TIFF OMITTED] T7218.001
    
    [GRAPHIC] [TIFF OMITTED] T7218.002
    
    [GRAPHIC] [TIFF OMITTED] T7218.003
    
    [GRAPHIC] [TIFF OMITTED] T7218.004
    
    [GRAPHIC] [TIFF OMITTED] T7218.005
    
    [GRAPHIC] [TIFF OMITTED] T7218.006
    
    [GRAPHIC] [TIFF OMITTED] T7218.007
    
    [GRAPHIC] [TIFF OMITTED] T7218.008
    
    [GRAPHIC] [TIFF OMITTED] T7218.009
    
    [GRAPHIC] [TIFF OMITTED] T7218.010
    
    [GRAPHIC] [TIFF OMITTED] T7218.011
    
    [GRAPHIC] [TIFF OMITTED] T7218.012
    
    [GRAPHIC] [TIFF OMITTED] T7218.013
    
    [GRAPHIC] [TIFF OMITTED] T7218.014
    
    [GRAPHIC] [TIFF OMITTED] T7218.015
    
    [GRAPHIC] [TIFF OMITTED] T7218.016
    
    [GRAPHIC] [TIFF OMITTED] T7218.017
    
    [GRAPHIC] [TIFF OMITTED] T7218.018
    
    [GRAPHIC] [TIFF OMITTED] T7218.019
    
    [GRAPHIC] [TIFF OMITTED] T7218.020
    
    [GRAPHIC] [TIFF OMITTED] T7218.021
    
    [GRAPHIC] [TIFF OMITTED] T7218.022
    
    [GRAPHIC] [TIFF OMITTED] T7218.023
    
    [GRAPHIC] [TIFF OMITTED] T7218.024
    
    [GRAPHIC] [TIFF OMITTED] T7218.025
    
    [GRAPHIC] [TIFF OMITTED] T7218.026
    
    [GRAPHIC] [TIFF OMITTED] T7218.027
    
    [GRAPHIC] [TIFF OMITTED] T7218.028
    
    [GRAPHIC] [TIFF OMITTED] T7218.029
    
    [GRAPHIC] [TIFF OMITTED] T7218.030
    
    [GRAPHIC] [TIFF OMITTED] T7218.031
    
    [GRAPHIC] [TIFF OMITTED] T7218.032
    
    [GRAPHIC] [TIFF OMITTED] T7218.033
    
    [GRAPHIC] [TIFF OMITTED] T7218.034
    
    [GRAPHIC] [TIFF OMITTED] T7218.035
    
    [GRAPHIC] [TIFF OMITTED] T7218.036
    
    [GRAPHIC] [TIFF OMITTED] T7218.037
    
    [GRAPHIC] [TIFF OMITTED] T7218.038
    
    [GRAPHIC] [TIFF OMITTED] T7218.039
    
    [GRAPHIC] [TIFF OMITTED] T7218.040
    
    [GRAPHIC] [TIFF OMITTED] T7218.041
    
    [GRAPHIC] [TIFF OMITTED] T7218.042
    
    [GRAPHIC] [TIFF OMITTED] T7218.043
    
    [GRAPHIC] [TIFF OMITTED] T7218.044
    
    [GRAPHIC] [TIFF OMITTED] T7218.045
    
    [GRAPHIC] [TIFF OMITTED] T7218.046
    
    [GRAPHIC] [TIFF OMITTED] T7218.047
    
    [GRAPHIC] [TIFF OMITTED] T7218.048
    
    [GRAPHIC] [TIFF OMITTED] T7218.049
    
    [GRAPHIC] [TIFF OMITTED] T7218.050
    
    [GRAPHIC] [TIFF OMITTED] T7218.051
    
    [GRAPHIC] [TIFF OMITTED] T7218.052
    
    [GRAPHIC] [TIFF OMITTED] T7218.053
    
    [GRAPHIC] [TIFF OMITTED] T7218.054
    
    [GRAPHIC] [TIFF OMITTED] T7218.055
    
    [GRAPHIC] [TIFF OMITTED] T7218.056
    
    [GRAPHIC] [TIFF OMITTED] T7218.057
    
    [GRAPHIC] [TIFF OMITTED] T7218.058
    
    [GRAPHIC] [TIFF OMITTED] T7218.059
    
    [GRAPHIC] [TIFF OMITTED] T7218.060
    
    [GRAPHIC] [TIFF OMITTED] T7218.061
    
    [GRAPHIC] [TIFF OMITTED] T7218.062
    
    [GRAPHIC] [TIFF OMITTED] T7218.063
    
    [GRAPHIC] [TIFF OMITTED] T7218.064
    
    [GRAPHIC] [TIFF OMITTED] T7218.065
    
    [GRAPHIC] [TIFF OMITTED] T7218.066
    
    [GRAPHIC] [TIFF OMITTED] T7218.067
    
    [GRAPHIC] [TIFF OMITTED] T7218.068
    
?

      
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                              May 5, 2009

=======================================================================

      
                    QUESTIONS SUBMITTED BY MR. SMITH

    Mr. Smith. Knowing that our IT adversaries are becoming more 
complex, what steps is the Army taking to protect our wireless 
communications?
    Mr. Krieger. The Army places tremendous focus on Transmission 
Security (TRANSEC) in order to protect our wireless communications from 
detection and interception. To mitigate this increasingly adept and 
complex threat we maintain rigorous Certification and Accreditation 
programs for our IP based networks; including routine network scanning 
for unauthorized wireless access points and systems. Technical 
mitigation strategies are used to reduce the probability of detection 
and interception of our FM tactical communications systems. Encryption 
is used on our FM and IP networks using NSA approved type 1 encryption 
while traversing the wireless spectrum. Additionally, the Army is 
leveraging OSD's cooperative program with major defense contractors to 
identify and remediate efforts to exploit wireless communications 
network vulnerabilities.
    Mr. Smith. What is the process for remediating a hardware or 
software vulnerability identified during an information assurance 
vulnerability assessment? Are there institutional processes and funds 
available, or are you forced to ``take this out of hide.''
    Mr. Krieger. The Army participates in the DOD Information Assurance 
Vulnerability Management (IAVM) program which identifies and resolves 
discovered vulnerabilities in systems and platforms. It requires the 
completion of four distinct phases to ensure compliance. These phases 
are: (1) vulnerability identification, dissemination, and 
acknowledgement; (2) application of measures to affected systems to 
make them compliant; (3) compliance reporting; and (4) compliance 
verification. This program includes Information Assurance Vulnerability 
Alerts (IAVAs), Information Assurance Vulnerability Bulletins (IAVBs), 
and technical advisories. The Army Global Network Operations & Security 
Center (A-GNOSC) is the Army's focal point for coordinating the 
mitigation efforts for identified vulnerabilities across the Army. 
While institutional processes are used and some centralized support is 
available, the Army still is required to ``take out of hide'' resources 
in order to mitigate information assurance risks.
    Mr. Smith. What are you doing in the Services and OSD to develop a 
career cyber force?
    Mr. Krieger. The Army is evaluating the current force and comparing 
it to the requirements of the proposed cyber force. Once the analysis 
is completed, the Army will develop a management program to meet the 
requirement.
    Mr. Smith. What incentives are available to recruit and retain the 
types of individuals you would like to attract to the military cyber 
corps? Are there other incentives that you would like to be able to 
offer, but do not currently have the authority to provide?
    Mr. Krieger. The Army continually reviews its incentives for 
recruiting and retaining individuals who have critical skills. The Army 
manages its resources to achieve the best possible outcome. If given 
additional resources the Army could increase its ability to offer more 
incentives to achieve better outcome.
    Mr. Smith. What kinds of leap-ahead technologies do you believe we 
need to be investing in?
    Mr. Krieger. Technologies which can provide the Army with a 
superior advantage to prevent, detect, analyze, and respond to threat 
events at network speed.
    Mr. Smith. The outsourcing of NMCI resulted in an outsourcing of 
much of the brains of the Navy, especially with regards to technical 
and architectural designs and senior-level technology management. What 
is the Navy doing to rectify that situation?
    Mr. Carey. Although NMCI caused a shift in responsibility for core 
network operations to industry, the Navy and Marine Corps retained a 
significant amount of technical, architectural and technology expertise 
supporting other networks, including afloat, overseas, in-garrison, 
medical, educational, and research and development networks. One of the 
principal concepts of the Next Generation Enterprise Network (NGEN) 
program is to restore the decision-making, design control and oversight 
to the DON. A modest recruiting campaign for network talent will 
commence in Fiscal Year 2010, and we have established a comprehensive 
training and education strategy embodied in our IT of the Future 
program. As the DON implements the concepts of the Naval Networks 
Environment 2016, prioritized decision making, design control and 
oversight positions will be filled by members of the government 
workforce.
    The DON will also partner with other organizations, including the 
Defense Information Systems Agency (DISA), the Defense Advance Research 
Projects Agency (DARPA), and other DOD Services and Agencies for 
analysis, best practices and lessons learned. Finally, private sector 
design development and technological expertise will continue to support 
government workforce decision making and oversight.
    Mr. Smith. What is the process for remediating a hardware or 
software vulnerability identified during an information assurance 
vulnerability assessment? Are there institutional processes and funds 
available, or are you forced to ``take this out of hide.''
    Mr. Carey. The DON fully supports the IAVA process and a tool by 
which we can improve our network security posture. Institutional 
processes are in place if vulnerabilities are found during a 
vulnerability assessment. This guidance can be found on the DISA 
Information Assurance Support Environment page located at http://
iase.disa.mil/index2.html. Specific actions are provided in the DISA 
IAVM Handbook. The DON provides additional guidance within our IA 
Policy document and our IA Manual.
    When a vulnerability notice has been issued by the JTF-GNO/
NetDefense, the DOD Vulnerability Management System (VMS) sends email 
notices through command channels to the individuals responsible for the 
affected assets. Notices are also sent to all IA Managers and 
organizational oversight users. The VMS notice directs users to access 
the JTF-GNO/NetDefense Web Page to obtain detailed information on the 
specific vulnerability.
    Funding for routine hardware/software support is part of the annual 
IT support budget for most programs. If an upgrade is required that is 
outside the scope of the support contract, then funding for these 
``previously unknown'' vulnerabilities must be found using the DON 
process for conducting budget trade analyses.
    Mr. Smith. What are you doing in the Services and OSD to develop a 
career cyber force?
    Mr. Carey. DON is working closely with DOD leadership and the other 
Services to determine the scope, missions, functions and tasks relevant 
to the cyber workforce. We are working with operational organizations 
including the National Security Agency (NSA) and the new U.S. Cyber 
Command to determine DON roles and responsibilities and to implement 
the DON command and control necessary to support cyber operations. We 
are also exchanging information on manpower, personnel, training and 
education requirements and solutions development with DOD and the other 
Services to leverage work done by others as we determine the best means 
of meeting DON cyber missions.
    The Secretary of the Navy has issued policy that designates the 
Under Secretary of the Navy as the DON Chief Cyberspace Officer, with 
the DON CIO and the DUSN as his chief advisors for CND/CandA/CNE. The 
document also directs the Chief of Naval Operations and the Commandant 
of the Marine Corps to establish organizational constructs for cyber 
operations and to maximize training and education efficiency in 
cyberspace career fields. Additionally, the policy directs DON CIO to 
work directly with DOD and DON cyberspace leadership to develop 
workforce policy and guidance and to work with the Assistant Secretary 
of the Navy for Manpower and Reserve Affairs to track and measure the 
effectiveness of cyberspace manpower, personnel, training and education 
efforts.
    Both the Navy and Marine Corps headquarters staffs are working to 
document cyber manpower, personnel, and training and education 
requirements. This team includes professionals from each of the 
communities that supports cyber operations and reports to the Chief of 
Naval Operations or the Commandant of the Marine Corps.
    The Navy is the executive agent for the Joint Cyber Analysis Course 
attended by personnel from all Services. Additionally, the DON 
participates in the DOD Information Workforce Improvement Program which 
provides Joint opportunities for Information Assurance training and 
certification.
    Mr. Smith. What incentives are available to recruit and retain the 
types of individuals you would like to attract to the military cyber 
corps? Are there other incentives that you would like to be able to 
offer, but do not currently have the authority to provide?
    Mr. Carey. The Navy has the authorities available to recruit and 
retain cyber professionals. In the execution of attracting and 
retaining cyber professionals we will leverage accession and retention 
incentives where appropriate. Accession bonuses, critical skills 
retention bonuses, scholarship for service, fellowships and post-
graduate education all remain important tools that can be utilized to 
recruit and retain our cyber corps.
    Mr. Smith. What kinds of leap-ahead technologies do you believe we 
need to be investing in?
    Mr. Carey. The DON will seek to invest in and deploy emerging 
technologies that enable collaboration and increase the security of our 
networks. New technologies and capabilities, such as IPv6, self-forming 
wireless mobile networking (for people on-the-move, IP sensor networks, 
etc.), and Web 2.0 tools present opportunities worthy of investigation.
    The DON must also explore the use of virtualization and cloud 
computing. Many organizations both within and outside the DOD are 
examining the use of ``private clouds'' to reduce costs, increase 
security and lessen the environmental impact of IT. Additionally, we 
must focus on Identity Management and Attribute Based Access Control as 
they increase security and enhance information sharing.
    New technologies are becoming available at a rapid pace, and while 
our unique position requires that we be selective in which tools we 
implement, we continuously look for ways to increase security, promote 
collaboration and improve the mission effectiveness of our operating 
forces.
    Mr. Smith. What is the process for remediating a hardware or 
software vulnerability identified during an information assurance 
vulnerability assessment? Are there institutional processes and funds 
available, or are you forced to ``take this out of hide.''
    General Shelton. Remediation of hardware or software 
vulnerabilities is dependent upon type and severity of the 
vulnerability identified. Every organization conducting an information 
assurance vulnerability assessment requires local operating 
instructions governing remediation steps for that particular 
organization and for specific vulnerability levels. Institutional 
processes for remediating discovered vulnerabilities are defined in 
United States Strategic Command's Secure Configuration Compliance 
Validation Initiative and are inherent in the assessment tool used. No 
additional funds are needed because on-site vulnerability assessment 
personnel and system owners work together to remediate identified 
vulnerabilities.
    Mr. Smith. What are you doing in the Services and OSD to develop a 
career cyber force?
    General Shelton. The Air Force is establishing dedicated officer, 
enlisted and civilian cyber operations career fields to meet Joint and 
Service cyber missions. Additionally, we continue to participate in 
robust inter-Service dialogue and OSD efforts to develop DOD-wide cyber 
career force guidance.
    Mr. Smith. What incentives are available to recruit and retain the 
types of individuals you would like to attract to the military cyber 
corps? Are there other incentives that you would like to be able to 
offer, but do not currently have the authority to provide?
    General Shelton. The Air Force has many incentives available to 
support recruiting and retention, to include enlistment and 
reenlistment bonuses, undergraduate and graduate education benefits, 
and education with industry opportunities. At this time, we believe 
existing authorities and incentive programs are flexible enough to 
support cyber recruiting and retention efforts.
    Mr. Smith. What kinds of leap-ahead technologies do you believe we 
need to be investing in?
    General Shelton. Cyber technologies are a pervasive set of 
technologies that cannot be developed in isolation from the entire 
national enterprise. Communication is the foundation of effective 
national governance and current and future warfighting capabilities. As 
a result, cyber leap-ahead technology development is not being done in 
isolation by the Air Force. Future technologies could include self-
generating communication networks that adapt to network attacks, 
advanced computing including quantum computer architectures and optical 
networks for its ability to transmit very large volumes of data over 
long distances. Additionally, information fusion and multi-level 
security could enable early detection of cyber attacks.
    Mr. Smith. In an age of increasing outsourcing and globalization, 
can you describe the threat to the software and hardware supply chain? 
What are we doing to mitigate the risks to the global supply chain?
    Mr. Lentz. While globalization has many economic benefits, it also 
provides increased access and opportunity for malicious actors to 
manipulate information and communications technology (ICT) products and 
services to gain unauthorized access to otherwise closed-off 
technologies and services. The multi-tiered, global nature of our ICT 
supply chain means that the government has suppliers that it may not 
know and may never see. With less insight into their security practices 
and less control over how they conduct their business, the global 
supply chain may make the U.S. Government (USG) more vulnerable to a 
sophisticated adversary who can use security gaps in the global supply 
chain to alter or steal data, disrupt operations, or interrupt 
communications.
    Threats to the ICT supply chain can affect both software and 
hardware products. Software is growing exponentially in size and 
complexity, which creates assurance challenges. In addition, software 
design, development, testing, distribution, and maintenance can also be 
done more inexpensively offshore in easier reach of malicious actors. 
Security of the ICT supply chain can also be compromised by 
untrustworthy or counterfeit microelectronic components. The 
semiconductor industry has increasingly moved toward offshore or 
foreign-owned semiconductor component production. This trend creates an 
increasing threat to the U.S. as the potential for unauthorized design 
inclusions to appear on integrated circuits used in military 
applications increases. Furthermore, counterfeit ICT products have the 
potential to fail unexpectedly and prematurely, which may cause the 
mission critical systems in which they are used to malfunction.
    The national security concern regarding the global marketplace is 
that software or microelectronic circuitry may include deliberately-
inserted malicious logic or ``malware'' that an adversary might slip 
into a computer system to steal or corrupt data or disrupt the system. 
The malware might act immediately, or it may be designed to lie dormant 
until it is activated by a future signal. Buried in the millions of 
lines of code that comprise the modern computer application, such 
malware is difficult to detect with malware protection applications, 
and no one may be aware of its existence until after the damage is 
done.
    DOD approaches supply chain risk management (SCRM) through a 
defense-in-breadth strategy--a multi-faceted risk mitigation strategy 
that seeks to identify, manage, mitigate, and monitor risk at every 
stage of the system or network lifecycle, from product design to system 
retirement. DOD is actively working to ensure that policies and 
processes are put in place to raise awareness of the risk, empower 
acquirers to make informed decisions when they procure and integrate 
ICT products and services, and arm acquirers with practices and tools 
necessary to mitigate risk when ICT products are used across the 
government.
    DOD is incrementally implementing SCRM through pilots in fiscal 
year (FY) 2009 and FY 2010 and will be fully executing SCRM by FY 2016. 
In addition, the Department is analyzing existing regulatory and 
legislative authorities to provide guidance on the use of SCRM in 
procurement planning and decision making, and to recommend proposed 
clarification of DOD authorities to reduce litigation risks associated 
with managing supply chain risk during acquisition. DOD is also 
collaborating with industry to develop standards and best practices 
that recognize security challenges in commercial global sourcing. 
Finally, under the Comprehensive National Cybersecurity Initiative, DOD 
is working with other federal agencies to develop a multi-pronged, USG-
wide approach to global supply chain risk management where best 
practices, risk mitigation techniques, and lessons learned are shared 
and the overall risk posture of the USG is enhanced.
    Mr. Smith. How might we better utilize acquisition regulations and 
contracting clauses to better enforce the cybersecurity posture of our 
defense contractors?
    Mr. Lentz. DOD plans to publish an Advance Notice of Proposed 
Rulemaking (ANPR) in the near future to obtain public input on needed 
changes to the Defense Federal acquisition Regulation Supplement with 
regard to safeguarding and cyber intrusion reporting of unclassified 
DOD information within industry. The establishment of minimum 
safeguarding requirements for unclassified DOD Program Information on 
defense Industrial Base (DIB) partner networks will identify cyber 
security as a standard practice, and address vulnerability to 
compromise, loss, or exfiltration of unclassified DOD Information.
    Mr. Smith. What is the process for remediating a hardware or 
software vulnerability identified during an information assurance 
vulnerability assessment? Are there institutional processes and funds 
available, or are you forced to ``take this out of hide.''
    Mr. Lentz. The Department's Information Assurance Vulnerability 
Management (IAVM) Program is specified in Chairman of the Joint Chiefs 
of Staff Manual (CJCSM) 6510.01 Change 2, dated 26 Jan 2006. This 
policy provides reporting and compliance guidance for publishing 
Information Assurance Vulnerability Alerts (IAVAs) for all Combatant 
Commands, Services, Agencies, and Activities (CC/S/As). IAVAs address 
immediate threats to the Departments Global Information Grid. IA 
vulnerabilities, whether they be in the form of IAVAs or found during 
routine evaluations, are tracked in a Vulnerability Management System 
(VMS) managed by the Defense Information Systems Agency. In support of 
this policy, each CC/S/A must report acknowledgment, mitigation, and 
expected correction date to the VMS database. All systems must either 
be patched or have an approved Plan of Action and milestones (POA&M), 
for mitigations to be implemented. Vulnerability assessments not only 
address cyber vulnerabilities, but also identify out of date software, 
physical security problems, and system configuration issues, etc.
    In addition, DOD Instruction 8510.01, ``DOD Information Assurance 
Certification and Accreditation Process (DIACAP),'' dated 27 November 
2007, identifies detailed life cycle support requirements for 
information systems and addresses high-level procedures related to the 
Protect; Monitor, Analyze, and Detect; and Respond phases of the 
computer network defense lifecycle. In support of this policy, the 
Program Manager or System Manager for DOD information systems is 
responsible to plan and budget for IA controls implementation, 
validation, and sustainment throughout the system life cycle, including 
timely and effective configuration and vulnerability management.
    While there is generally no separate funding set aside for 
vulnerability mitigation and related actions by CC/S/As, system 
mitigation efforts are considered and funded as a normal part of the 
CC/S/A network defense operations resources and budgeting process. 
Ensuring adequate life cycle sustainment resources are available is a 
planning, programming, budgeting, and execution process role of the CC/
S/A as identified in the DIACAP. In order to facilitate standardization 
of vulnerability mitigation capabilities and to leverage the use of 
common tools, DOD currently has an enterprise software license 
providing tools that enable automated vulnerability scanning and 
remediation.
    Mr. Smith. What are you doing in the Services and OSD to develop a 
career cyber force?
    Mr. Lentz. The DOD is currently working with the Services, 
Agencies, Joint Staff, and STRATCOM to develop baseline cyber workforce 
standards. The current model for these standards is the DOD 8570.01-M 
``Information Assurance Workforce Improvement Program''. The basic 
requirements for developing a career cyber force include:

      Defining baseline position descriptions based on functions
      Identifying positions in manpower databases
      Specifying baseline training and or certification 
requirements aligned to the functions performed by the positions
      Continuous education, training, and participation in 
exercises to maintain and expand skills

    Mr. Smith. What incentives are available to recruit and retain the 
types of individuals you would like to attract to the military cyber 
corps? Are there other incentives that you would like to be able to 
offer, but do not currently have the authority to provide?
    Mr. Lentz. Current incentive authorities available to provide cyber 
qualified members:

      Enlistment and reenlistment bonuses
      Accelerated promotion opportunities
      Recognition programs such as special patches or badges 
for Cyber qualified personnel
      Specialized training and education opportunities

    The DOD IA Scholarship Program is a proven retention tool for Cyber 
security military personnel. Since the program's inception in 2001, DOD 
military personnel have pursued master's or PhD degrees in IA related 
disciplines. Graduates are working full time in strategic positions 
across the Department. All of the Services have participated to some 
capacity.
    Other potential incentive authorities for consideration:

      Authorize specialty pay for cybersecurity certified 
personnel
      Authorize specialty pay for cyber warfare qualified 
personnel (once defined)

    Mr. Smith. What kinds of leap-ahead technologies do you believe we 
need to be investing in?
    Mr. Lentz. The philosophy explored by leap-ahead is that, while 
some progress on cybersecurity will be made by researching better 
solutions to today's problems, some of those problems may be too hard 
to solve; we need rather to leap over them by finding a way to make 
them irrelevant. This latter approach we call changing the game, as in 
``if you are playing a game you can't win, change the game!'' Most of 
today's research, development, technology and engineering (RDT&E) 
efforts are focused on ``playing today's game better.'' But, since our 
adversaries have an advantage in today's cyber ``game,'' we advocate 
investment in RDT&E that moves us away from having to play that game, 
in other words, moves us towards a cyber environment where our security 
does not depend on the solution of today's intractable problems. To 
understand this paradigm shift, we can look at three areas which can 
yield game change in a reasonable time frame and which would be very 
useful to the DOD.

    1) Today's game: eliminate vulnerabilities which enable 
penetration;
    Tomorrow's game: reduce consequences of penetration

    Today users and their applications are our front line of defense 
against adversaries. Malware enters our systems through vulnerabilities 
in the applications with which we access the Internet, or is invited in 
by users who unwittingly download malicious attachments onto enterprise 
systems. Though we struggle to keep browsers patched and users aware of 
the latest spear phishing attacks, it is impossible to keep up, so in 
the new game we worry less about eliminating every vulnerability, but 
place an emphasis on technologies which mitigate the effects of the 
attacks which vulnerabilities enable. For example, using the technique 
of virtualization, we can create a temporary or ``non-persistent'' 
computer-within-a-computer for our risky browsing and email sessions. 
User mistakes don't hurt us because attacks which enter through the 
virtual computer never touch our mission network. Other ideas in this 
vein include advanced key management techniques to enable ubiquitous 
encryption of mission data and prevention of exfiltration of 
intellectual property (adversaries may get in, but they can't see 
anything); also a network operating system to instantiate access policy 
at any level of the architecture and prevent adversaries from 
escalating privileges (adversaries may get in, but they can't do 
anything).

    2) Today's game: check for maliciousness;
    Tomorrow's game: know what to trust

    Today we spend a lot of energy testing digital content to determine 
whether it is trustworthy. Virus-checkers and content filters attempt 
to ascertain by inspection whether applications and data are safe to 
place on our systems. Root-kit detection tools try to tell us if our 
computers have themselves been compromised. All of these tools are 
generally only as good as the catalog of attacks they have seen before. 
Again, it is impossible to keep up, so in the new game the emphasis is 
on roots of trust, or what it is that we can know for sure about our IT 
assets. Using new hardware constructs like the Trusted Platform Module 
and techniques of measurement and attestation, we can begin to have a 
means to monitor and restore the integrity of computers throughout 
their deployment life. Other useful avenues along these lines include 
provenance technologies for associating integrity and authenticity 
proofs with all types of digital content and events; also unspoofable 
identity authentication to eliminate masquerades. These approaches 
allow us to trust our assets because we know they are good, rather than 
because we haven't proven that they are bad.

    3) Today's game: avoid damage;
    Tomorrow's game: fight through and recover quickly from damage

    Today we have a large investment in perimeter defense not only to 
keep adversaries from learning our secrets, but also to prevent their 
tampering with our data and command and control systems. We have COOPs 
and mirrored data centers designed for recovery from physical damage. 
We have learned, though, that perimeter defense does not always work, 
and that attacks on the integrity or available of our assets look very 
different from flood damage or electrical blackouts, so in the new game 
we emphasize the ability to maintain operations in the face of attack. 
Virtualization can help us again here. Virtualization obviates the 
necessity for coupling together specific logical and physical assets. 
For example, each user's environment (data and computing tools) can be 
stored and maintained as a digital file or image in a central control 
area. Should those environments be lost or compromised, they can easily 
be ``reincarnated'' into any compatible physical platform. We may also 
choose to prophylactically refresh stored images periodically just in 
case. Other promising paths include ``battle mode'' where assets are 
stripped down to an easier-to-guarantee austere functionality, and 
self-healing to bootstrap back up.
    The new paradigms described above take us to a future where we are 
not so vulnerable to the asymmetric advantage enjoyed today by the 
remote network attacker. Each of the new games takes advantage of 
technology which seems to be emerging on the near horizon to mitigate 
our need to depend on things that are too hard for us to do.
    Mr. Smith. The Secretary of Defense recently placed the Joint Task 
Force for Global Network Operations under the operational control of 
JFCC-NW. Why was that important and how does it make our DOD systems 
more secure?
    General Alexander. Earlier, the Department of Defense established 
two separate military cyber component commands under U.S. Strategic 
Command--one dedicated to defensive cyber operations (JTF-GNO), the 
other to building an offensive capability (JFCC-NW). However, neither 
of these entities was fully resourced and their separation inherently 
precluded the type of dynamic defense and agile, fluid maneuvering 
needed to secure our equities in cyberspace. In recognition of this, 
the decision was made in November of 2008 to consolidate these two 
components. The contested cyber environment clearly demands an ability 
to seamlessly integrate and synchronize cyber offense with cyber 
defense--at network speed. Further, it requires a unifying construct 
with the focus, scope of responsibility and authority to succeed in 
this mission space. Unifying command and control along the full range 
of capabilities will streamline operations, improve situational 
awareness and ultimately provide a much more robustly and reliably 
defended Global Information Grid.
    Mr. Smith. What are the pros and cons of establishing a sub-unified 
Cyber Command under STRATCOM? How would this be different from the 
current structure?
    General Alexander. The decision to establish a sub-unified Cyber 
Command was made in the Office of the Secretary of Defense (OSD) and is 
best answered by OSD.
    Mr. Smith. What role do you have in helping define the S&T 
requirements for cyberoperations?
    General Alexander. Joint Task Force-Global Network Operations (JTF-
GNO) and Joint Functional Component Command for Network Warfare (JFCC-
NW) have a cadre of military, government, and contractor personnel who 
directly support cyber operations planning, define cyber capabilities 
requirements, prototype and/or manage funding, on behalf of U.S. 
Strategic Command, related to cyber capabilities, technical assurance 
and risk assessment. Collection of Combatant Command requirements is a 
proactive endeavor, conducted and maintained via a JWICS-based 
intellipedia wiki website known as the Collaborative Environment (CE).
    In general, these requirements require long term solutions and 
extensive intelligence efforts software and hardware research 
development, as well as test and operational fielding. Emergent 
operational needs or enabling requirements are also identified by cyber 
operators, crisis planners and Combatant Commands, sometimes in ``real 
time.'' Emergent requirements may drive more future S&T efforts but the 
standing Combatant Command requirements are the primary drivers for the 
ongoing S&T efforts which are funded through a Call for Proposals 
process. This also provides a direct linkage to the Service and Agency 
research laboratories, which are the primary developers of 
capabilities. The National Security Agency (NSA), JFCC-NW and JTF-GNO 
provide collaborative operational and technical inputs to U.S. 
Strategic Command's Integrated Priority List gap analysis effort to 
ensure both budgetary and S&T awareness of areas requiring attention.
    Mr. Smith. What is the process for remediating a hardware or 
software vulnerability identified during an information assurance 
vulnerability assessment? Are there institutional processes and funds 
available, or are you forced to ``take this out of hide.''
    General Alexander. As a routine matter, the remediation process for 
hardware and software vulnerabilities that are identified during an 
inspection are usually mitigated by the associated vendor. Each vendor 
provides fixes for products with active support for lifecycles. These 
fixes are provided to the users of those products at no additional 
costs to the user as long as they are within the supported lifecycle. 
In many instances Agencies will purchase an additional support 
agreement for specific products for technical guidance or warranties 
for newly purchased products. During the purchase of those products, 
vendors will recommend a support agreement for their product for an 
additional fee or on an as required basis (hourly rate). This agreement 
will normally provide the user with an account or support contact to 
access the required update or technical support information
    Most large software companies (i.e. Microsoft, Cisco and Oracle 
etc.) will provide fixes for vulnerable software Operating Systems and 
applications that are still supported by the vendor at no additional 
cost to the user. Open source applications are usually updated/upgraded 
as vulnerabilities are identified by any associated developer that has 
technical knowledge of the affected code and is normally provided at no 
additional charge. At any given time a vendor patch has the ability to 
break something. In this case the vendor will try to provide an 
appropriate fix for their product however; if this is a special case 
you may need a Technical Support Agreement with the vendor to 
troubleshoot your problem which may incur an additional cost.
    However, there are other significant costs associated with 
investigation, analysis and remediation of compromised systems outside 
of the normal life-cycle arrangements. This question is best answered 
by the individual services and agencies as they are in the best 
position to discuss the budgetary impact of those activities.
    Mr. Smith. What are you doing in the Services and OSD to develop a 
career cyber force?
    General Alexander. Developing cyber forces is a Service organize, 
train, and equip responsibility, and they are best positioned to 
address individual Service career field development efforts.
    A lot of planning work is being done within all the Services, 
regarding identification of new skills needed to perform emerging 
missions. We must also leverage the unique contributions of 
universities and research institutions as well as private enterprise to 
ensure U.S. forces are always on the cutting edge.
    The Secretary of Defense has directed all the Services to maximize 
the facility at the Center for Information Dominance in Corry Station, 
Pensacola (the Executive Agent for Cryptologic Computer Network 
Exploitation and Defense training) to acquire the technical skills 
required for cybersecurity missions. (Those with more analytic work 
roles receive their training at Goodfellow Air Force Base.) It is 
expected that graduates of both programs will be assigned to places 
where they can practice what they learned, gain mission experience in 
several sectors of Computer Network Operations, and participate in more 
advanced training fielded by the Services and the Crytologic Training 
System.
    Mr. Smith. What incentives are available to recruit and retain the 
types of individuals you would like to attract to the military cyber 
corps? Are there other incentives that you would like to be able to 
offer, but do not currently have the authority to provide?
    General Alexander. Recruiting will be one of our top priorities. 
Unfortunately, very little is available today as the Services do not 
currently recruit specifically for cyberspace forces. However, as we 
move forward, there are a number of recruitment and retention 
incentives we would recommend.
    We will encourage Service ``cyberspace branches'' to operate 
independent of recruiting operations within their Service, with subject 
matter experts interviewing and testing candidates from within the 
ranks. We should provide recruiters with sufficient knowledge of the 
cyberspace career opportunities in DOD to address basic questions of 
potential recruits. We should enhance recruiting organizations with 
cyber mentors, test materials, and military cyberspace points of 
contact. And just as importantly, we must use DOD and Service public 
affairs resources to aggressively promote a professional cyberspace 
field. In addition, we should also consider the implications of total 
force recruitment, leveraging our Reserve and National Guard 
components, to identify colleagues as potential members of the DOD 
workforce while also identifying and considering the cyber-related 
talents they may bring from their civilian employment.
    Once we've begun to recruit highly motivated candidates with the 
potential to succeed in the cyberspace workforce, we will continue to 
seek and leverage a wide variety of incentives and career options to 
retain them. Individual services should seek to introduce incentives 
based on their ability to attract and retain personnel can develop 
monetary and other incentives that are widely used across DOD. 
Incentives such as additional skills pay, performance and re-enlistment 
bonuses, special schooling and certifications, as well as advancement 
in specialized fields (e.g., nuclear power incentive pays) will have to 
be considered. We should seek to recruit DOD civilian cyber specialists 
from our military personnel and allow them to benefit from military 
retirement benefits while continue to advance their careers as 
government civilians. We should consider a ``cyber branch'' model that 
allows us to affect assignment tempo for exceptionally talented 
performers, thus allow cyber specialists to continue to work their 
specialties. To keep our world-class force, we need to provide non-
traditional means to routinely update cyber skills and develop inter- 
and intra-Service competitions to identify and reward the best of the 
best. Finally, we should continually emphasize the uniqueness of the 
work, access to some of the world's most advanced cyber technologies, 
and the critical importance of this mission to both DOD and the nation.
    Mr. Smith. What kinds of leap-ahead technologies do you believe we 
need to be investing in?
    General Alexander. The following are examples of current 
investments:

      Knowledge Management Systems (KMS). An integrated and 
automated requirements database; a tools and tactics repository; and an 
Analyst Workcenter interface with an information warfare planning 
system.
      Common Cyber Operational Picture (COP): Automated 
combination/deconfliction of germane real-time exploitation and attack 
warning and characterization along with real-time situational awareness 
of defense measures; functionally tailorable to facilitate information 
sharing with different U.S. agencies and allies.
      Attribution Science: Anti-anonymizer technologies (how to 
both create them and defeat them); hardware and software signatures; 
and tactics techniques and procedures (TTP) for operational uses.
      Internet Governance. Thorough research of: 1) the next 
generation Internet Protocol version 6 (IPv6), which is prevalent in 
many universities and R&D environments and is quickly emerging in many 
foreign sectors. 2) the ``.tel'' internet domain, the online equivalent 
to the phone directory, which is the most significant innovation in the 
domain name system since the advent of .com.
      Network Traffic Interdiction Capabilities: Capabilities 
facilitating interdiction of targeted traffic in transit across the 
global network.
      Automated network re-configuration and Computer Network 
Defense applications. Requires all of the above technologies to be 
applied and integrated in real-time.
                                 ______
                                 
                 QUESTIONS SUBMITTED BY MR. THORNBERRY

    Mr. Thornberry. Define a cyber warfighter, or cyber warfare 
professional as he exists today.
    Mr. Krieger. ``Cyber warfigher'' and ``Cyber Warfare Professional'' 
are still fluid terms; however, the terms can include professionals who 
perform duties under three categories: Computer Network Attack (CNA), 
Computer Network Exploit (CNE), or Computer Network Defense (CND)/
Network Operations (NETOPS).
    Mr. Thornberry. Describe what you envision for the cyber warfighter 
of the future in terms of education (undergraduate/graduate or high 
school only, too), training, career path, rank structure, capability, 
mission, responsibilities, organization, etc.
    Mr. Krieger. Army's education, career path and management of future 
cyber warfighters is being developed using standard paths through our 
personnel management system for officers, enlisted and Department of 
the Army Civilians to ensure that our workforce meets the Army's needs 
in the Cyberspace field. The Army follows the Federal Information 
Security Management Act (FISMA) and Department of Defense Training and 
Certification mandates which require Information Security 
Certifications and all levels of our Information Security Professional 
Corp.
    Mr. Thornberry. Given the limited pool of individuals with the 
necessary technical skills, as stated recently by Gen Shelton, and the 
growing cyber personnel requirements articulated by Secretary Gates, 
what is the plan to recruit, organize, train, and equip prospective and 
current cyber warfare professionals? Is it joint or by service? Please 
explain.
    Mr. Krieger. The Army conducts ongoing reviews to ensure it is 
manned, trained and equipped to meet the Army's operational missions 
and increase the pool of eligible candidates that meet the standards 
for occupational skills which are deemed critical. The Army works 
diligently with Joint Staff and other services to combine its training 
and other efforts wherever possible to make sure that the needs of the 
Department of Defense are integrated wherever possible to increase 
efficiency and effectiveness.
    Mr. Thornberry. In your opinion should the cyber warfighter be 
trained by service branch, jointly, jointly with service specific 
trailer courses, or somehow else? Why?
    Mr. Krieger. The Army fights as a Joint/Coalition force and 
therefore supports Joint training to the maximum extent possible, but 
recognizes the peculiarities of each individual service. Joint training 
allows services to train to a single standard and leverages the one-
time investment in infrastructure, training curriculum and reduces 
duplication. The Land, Air, Sea, and Space domains each have unique 
characteristics and challenges while working in and through the 
cyberspace domain. Functioning effectively in each of these domains 
require different equipment sets/characteristics, training/education 
and operational principles. As standardized and/or unique joint mission 
requirements are identified, specific joint trailer courses will allow 
the services to focus the skill sets of the personnel to satisfy that 
particular mission.
    Mr. Thornberry. In the current overseas contingencies, please 
describe to what extent, if any, has U.S. Strategic Command 
(USSTRATCOM) taken an active role supporting U.S. Central Command?
    Mr. Krieger. USSTRATCOM along with the Army Service Component 
Command has played a very active role in the development of Computer 
Network Operations tools supporting USCENTCOM. USSTRATCOM was integral 
in mitigating Computer Network Defense/Information Assurance issues in 
support of Operation Iraqi Freedom and Operation Enduring Freedom. 
USSTRATCOM recently marshaled resources to mitigate capacity 
degradation stemming from breaks in undersea cables, restoring service 
with no significant operational impact. USSTRATCOM's main focus over 
the past year has been on establishing common standards, procedures, 
and discipline to better secure military networks. This benefits all 
warfighters, to include USCENTCOM, who are dependent on Cyberspace to 
conduct operations.
    Mr. Thornberry. Irrespective of service branch, does USSTRATCOM's 
cyber warfighters possess the skills necessary to ensure all secure 
battlefield communications? Please explain.
    Mr. Krieger. Gen Chilton, Commander USSTRATCOM, stated in 
Congressional Testimony to the Senate Committee on Armed Services, on 
19 March 2009:
    ``The provisioning of adequate cyber forces to execute our assigned 
missions remains our greatest need in this mission area.''
    The Army is aware of this requirement, and has been very proactive 
in training, equipping and manning USSTRATCOM and its Functional 
Components with requested cyber warfighters to secure the internet and 
battlefield communications. Consistent with the National Military 
Strategy for Cyberspace Operations, the Army has made progress toward 
defining Service level requirements and advocating for Service 
cyberspace workforces. We understand the demands, and have moved 
aggressively to grow our cyber expertise; organize and orient against 
threats; and improve the technical and manpower capabilities our Joint 
Warfighters and interagency partners require for the cyberspace fight.
    Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and 
DISA clearly defined in theater?
    Mr. Krieger. Currently, USSTRATCOM operates through two subordinate 
component commands: Joint Functional Component Command for Network 
Warfare (JFCC NW) and Joint Task Force for Global Network Operations 
(JTF-GNO). Both commands have implemented a more responsive command and 
control structure reliant on centralized orders and decentralized 
execution. Tightening the relationship between JFCC NW and JTF-GNO this 
past year has led to a better, more responsive capability to defend our 
military networks. But, we have found the need for closer coordination 
and clearer delineation of responsibilities at the national and theater 
levels, and are moving to form USCYBERCOM. This new organizational 
structure will enable DOD-wide leadership to address computer security 
incidents and network compromises enhancing timely threat 
identification and mitigation through unity of effort, both within 
theater and globally.
    Mr. Thornberry. Should the Department of Defense establish a 
``Cyber Agency'' at the same level of the National Security Agency 
(NSA) and Defense Information Services Agency (DISA)? Why or why not?
    Mr. Krieger. Army stands ready to support the strategy defined by 
Department of Defense leadership.
    Mr. Thornberry. To what extent is the cyber domain being integrated 
into other domain and domain awareness initiatives (i.e. battlespace, 
maritime, air, space)? Please describe.
    Mr. Krieger. The U.S. Army Training and Doctrine Command 
established an Integrated Capabilities Development Team (ICDT) 
chartered to integrate cyberspace operations into full spectrum land 
domain operations. This ICDT is developing a Cyberspace Operations 
Concept of Operations (CONOPS) which will articulate how the Army 
intends to fight in the Cyberspace domain which incorporates lessons 
learned from Operation Iraqi Freedom (OIF), Operation Enduring Freedom 
(OEF) and our National Training Centers which stresses integration. The 
CONOPS describes how the Army will use the other domains to support 
land component Battle command in terms of cyberspace awareness. This 
CONOPS will form the basis for future Army analysis and capability 
development efforts.
    Mr. Thornberry. Define a cyber warfighter, or cyber warfare 
professional as he exists today.
    Mr. Carey. While all who engage the network to perform their 
missions are members of the cyber workforce, we consider a cyber 
warfare professional as an officer, enlisted member or civilian trained 
to work in an interdisciplinary domain including networks, computer 
applications and services. These professionals work in information 
operations, computer network defense, attack, and exploitation aspects 
of network operations, which must be aligned from end to end with the 
Intelligence Community. They will work as a cohesive unit, combining 
Intelligence and Operations to perform information assurance in 
protecting, monitoring, analyzing, detecting and responding to threats 
on the network, and manage information by retrieving, caching, 
compiling, cataloging and distributing it. The management mission also 
includes information technology system acquisition and architecture 
development and compliance.
    Mr. Thornberry. Describe what you envision for the cyber warfighter 
of the future in terms of education (undergraduate/graduate or high 
school only, too), training, career path, rank structure, capability, 
mission, responsibilities, organization, etc.
    Mr. Carey. The DON will recruit cyber workforce personnel from 
multiple educational levels, hiring experienced personnel and 
developing the cyber skills of others through career path education and 
training. The DON will recruit from high school, vocational school, 
junior college, undergraduate and graduate programs. DON cyber 
personnel will be educated and trained through a blended approach of 
traditional schoolhouse instruction, on line, and commercial vendor 
instruction including cyber and information assurance certification and 
licensing programs, joint education, on-the-job training and 
qualification, and team and unit tactical training. A key element of 
this program will be standardized training (applicable to positions 
regardless of the military or civilian status of the person performing 
the work in the position) and education curricula to support a core 
capability that is fungible across the contractor/civilian/military 
workforces.
    Rank and grade structures for military and civilian personnel will 
follow current structures, and it is expected that cyber workforce 
personnel will be required at all rank and grade levels. Career path 
development is still in progress as the missions, functions and tasks 
of the DON cyber structure are developed, but it is expected that there 
will be military career paths leading to the most senior enlisted and 
officer ranks. Civilian personnel will be able to follow paths leading 
to, and including Senior Executive Service positions.
    The DON cyber workforce will be capable of supporting all DON 
missions. Within the cyber arena they will provide Computer Network 
Defense (CND), Network Operations (NETOPs), Information Assurance (IA), 
Computer Network Attack (CNA), Computer Network Exploitation (CNE), and 
All-Source Intelligence support; telecommunications, and management 
functions including design and development, strategic planning and 
investment, policy and planning, and acquisition.
    Cyber workforce responsibilities will be split among military, 
government civilian and contractor support personnel as required. 
Decisions on workforce structure, the number of inherently governmental 
activities, and the scope of in-sourcing and outsourcing will be 
finalized following the establishment of the Department of Defense and 
the DON Cyber Command structures, missions, functions and tasks.
    Mr. Thornberry. Given the limited pool of individuals with the 
necessary technical skills, as stated recently by Gen Shelton, and the 
growing cyber personnel requirements articulated by Secretary Gates, 
what is the plan to recruit, organize, train, and equip prospective and 
current cyber warfare professionals? Is it joint or by service? Please 
explain.
    Mr. Carey. The Department of the Navy (DON) is developing plans to 
recruit, organize, train, and equip military and civilian cyber warfare 
professionals. The first step being taken is to determine the specific 
skill sets needed for cyber warfare. The DON will also develop career 
options to support recruitment, retention, and development of personnel 
with the needed skill sets. The DON is looking at ways to modify career 
paths and improve training to prepare the current workforce to meet the 
cyber challenge. The Navy along with the other services will continue 
to leverage training and educational opportunities by sharing resources 
at the Center for Information Dominance, Joint/National-sponsored 
schools, and post-graduate schools. The task of equipping this force 
will follow closely the training model for the near term, primarily 
leveraging Joint/National capabilities.
    Mr. Thornberry. In your opinion should the cyber warfighter be 
trained by service branch, jointly, jointly with service specific 
trailer courses, or somehow else? Why?
    Mr. Carey. Cyber warfighters must be thoroughly trained, employing 
both formal education and on-the-job training tracks within both their 
respective Services and the Joint environment. This is essential, due 
to the nature of cyber warfare and the need to be able to defend the 
Global Information Grid and its Service components. Foundational 
education and training should take place within the Service framework, 
and experienced personnel should take that knowledge into the Joint 
operational and training environments, facilitating DOD-wide synergies. 
When possible, DON cyber workforce development plans should include 
participation in forums including not only DOD, but also other Federal 
and private industry workers. Increased familiarity with non-
governmental and inter/intra-agency organizations' tactics, techniques, 
and procedures will increase the overall efficiency and effectiveness 
of cyber operations supporting national security objectives.
    Mr. Thornberry. In the current overseas contingencies, please 
describe to what extent, if any, has U.S. Strategic Command 
(USSTRATCOM) taken an active role supporting U.S. Central Command?
    Mr. Carey. The Department of the Navy Chief Information Officer 
respects the direction and authority of the Secretary of Defense and 
his assignment of Title 10 and UCP authority to CDR USSTRATCOM.
    Service network operations centers (NOSCs) are under CDR 
USSTRATCOM's operational control. JTF-GNO orders Service NOSCs to 
perform network operations and defense. USSTRATCOM, through the CENTCOM 
AOR DON Network Operation Centers' direct reporting relationship to the 
Joint Task Force-Global Network Operations, is very active in providing 
direction on network operations and defense and ensuring computer 
devices and networks are compliant with published IA Vulnerability 
Alerts (IAVAs), Communications Tasking Orders (CTOs), Operations 
Directive Messages (ODMs), etc. These efforts mitigate vulnerabilities 
and eliminate (or reduce) the instance of infections. This work is a 
major challenge in the forward tactical environment where forces 
frequently rotate every six months to one year, bringing with them 
personnel who have various (often limited) levels of network 
administration skills. Additionally, the Commander, USSTRATCOM and his 
staff have traveled to the CENTCOM AOR, visiting the Defense 
Information Systems Agency and Service NOSCs in search of ways in which 
U.S. Strategic Command can better support the current overseas 
contingencies.
    Mr. Thornberry. Irrespective of service branch, does USSTRATCOM's 
cyber warfighters possess the skills necessary to ensure all secure 
battlefield communications? Please explain.
    Mr. Carey. The Department of the Navy Chief Information Officer 
respects the direction and authority of the Secretary of Defense and 
his assignment of responsibilities to USSTRATCOM. However, it should be 
noted that most technical work in the battlefield/AOR is performed by 
Service-specific personnel/organizations, and not USSTRATCOM personnel.
    Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and 
DISA clearly defined in theater?
    Mr. Carey. The Department of the Navy Chief Information Officer 
respects the direction and authority of the Secretary of Defense and 
his assignment of Title 10/50 and UCP authorities to CDR USSTRATCOM, 
NSA, and DISA. The in-theater responsibilities of USSTRATCOM, NSA, and 
DISA are outlined in Chairman, Joint Chiefs of Staff Directives and 
Instructions, including interactions with COCOMs and the Services. NSA 
responsibilities are also found in U.S. Signals Intelligence Directives 
(USSIDs).
    Mr. Thornberry. Should the Department of Defense establish a 
``Cyber Agency'' at the same level of the National Security Agency 
(NSA) and Defense Information Services Agency (DISA)? Why or why not?
    Mr. Carey. The Department of the Navy Chief Information Officer 
respects the direction and authority of the Secretary of Defense in his 
establishment of the USCYBERCOM. The SECDEF memo of 23 June 09 stated 
it best when it said that the ``Department of Defense requires a 
command that possesses the required technical capability and remains 
focused on the integration of cyberspace operations. Further, this 
command must be capable of synchronizing warfighting effects across the 
global security environment as well as providing support to civil 
authorities and international partners.'' The DON supports the 
establishment of U. S. Cyber Command, which presently appoints the 
Director, National Security Agency the Commander, U.S. Cyber Command, 
making the integration of activities easier. The Director of the 
Defense Information Systems Agency (DISA) is tasked to provide network 
and information assurance technical assistance to USCYBERCOM as 
required. The Joint Task Force-Global Network Operations (JTF-GNO) and 
the Joint Functional Component Command for Network Warfare are merged 
into the new Cyber Command, bringing together the strengths of both of 
these commands. The DON believes that functional reporting 
relationships between the cyber operating forces, USCYBERCOM and the 
Military Departments and Services must be established to ensure 
efficient and effective command and control of these vital assets.
    Mr. Thornberry. To what extent is the cyber domain being integrated 
into other domain and domain awareness initiatives (i.e. battlespace, 
maritime, air, space)? Please describe.
    Mr. Carey. In May 2008, the Department of Defense published the 
following definition of cyberspace: ``A global domain within the 
information environment consisting of the interdependent network of 
information technology infrastructures, including the Internet, 
telecommunications networks, computer systems, and embedded processors 
and controllers.'' This definition is almost identical to that which 
was developed by the Department of Homeland Security and the National 
Institute of Standards and Technology.
    The Information Technology Reform Act of 1996 (Clinger Cohen Act) 
defines IT as: ``Any equipment or interconnected system or subsystem of 
equipment that is used in the automatic acquisition, storage, 
manipulation, management, movement, control, display, switching, 
interchange, transmission, or reception of data or information.'' The 
term information technology includes computers, ancillary equipment, 
software, firmware and similar procedures, services (including support 
services), and related resources.
    Given these terms of reference, Cyberspace (IM/IT) is present in 
all domains. The ability to operate within cyberspace is vital to the 
DON's mission. Achieving an appropriate balance between the need to 
collaborate and share information and the need to protect information 
will be key to our success.
    The DON has established a DON Enterprise Architecture framework or 
``blueprint'' to enable the exchange of information, integration of 
systems and management of resources to support cyberspace domain 
capabilities across all mission areas (surface (sea and ground), sub-
surface, air and space). Further, to support system development and 
integration, the DON mandates use of the Defense Information System 
Registry (DISR) as its authoritative standards source. The DON 
established a governance structure to ensure adherence to the DON EA 
framework and standards in system development supporting the cyberspace 
domain.
    Mr. Thornberry. Define a cyber warfighter, or cyber warfare 
professional as he exists today.
    General Shelton. Cyber warfighters are skilled professionals 
working to deter and prevent cyberspace attacks against vital U.S. 
interests, ensure our freedom of action in cyberspace, respond to 
attacks and reconstitute operations, develop persistent cyberspace 
situational awareness and defeat adversaries operating through 
cyberspace.
    Today, these personnel are drawn primarily from communications, 
intelligence and engineering specialties, often returning after a 
single assignment. While initially adequate, cyberspace has emerged as 
a dynamic and technically demanding warfighting domain of strategic 
national importance. The Air Force recognizes this and has committed to 
establishing dedicated officer, enlisted and civilian career fields to 
meet emerging demand and address recruiting, training, retention and 
force development challenges.
    Mr. Thornberry. Describe what you envision for the cyber warfighter 
of the future in terms of education (undergraduate/graduate or high 
school only, too), training, career path, rank structure, capability, 
mission, responsibilities, organization, etc.
    General Shelton. Cyber warfighters are skilled professionals 
working to deter and prevent cyberspace attacks against vital U.S. 
interests, ensure our freedom of action in cyberspace, respond to 
attacks and reconstitute operations, develop persistent cyberspace 
situational awareness and defeat adversaries operating through 
cyberspace.
    Today, these personnel are drawn primarily from communications, 
intelligence and engineering specialties, often returning after a 
single assignment. While initially adequate, cyberspace has emerged as 
a dynamic and technically demanding warfighting domain of strategic 
national importance. The Air Force recognizes this and has committed to 
establishing dedicated officer, enlisted and civilian career fields to 
meet emerging demand and address recruiting, training, retention and 
force development challenges.
    Mr. Thornberry. Given the limited pool of individuals with the 
necessary technical skills, as stated recently by Gen Shelton, and the 
growing cyber personnel requirements articulated by Secretary Gates, 
what is the plan to recruit, organize, train, and equip prospective and 
current cyber warfare professionals? Is it joint or by service? Please 
explain.
    General Shelton. Growing and developing cyber forces is a DOD-wide 
challenge. Recognizing this, the Services are cooperating with each 
other, Joint Staff and OSD to develop new approaches and more effective 
solutions for recruiting, acquisitions, training and retention.
    Mr. Thornberry. In your opinion should the cyber warfighter be 
trained by service branch, jointly, jointly with service specific 
trailer courses, or somehow else? Why?
    General Shelton. Initial training of cyber forces should be 
conducted by the Services, with joint post graduate training reserved 
for specialized tasks.
    Mr. Thornberry. In the current overseas contingencies, please 
describe to what extent, if any, has U.S. Strategic Command 
(USSTRATCOM) taken an active role supporting U.S. Central Command?
    General Shelton. Congressman, I would respectfully ask that this 
question be directed to the Commander of U.S. Strategic Command, 
General Chilton, who can provide you with the most up-to-date and 
accurate information regarding his command's support to U.S. Central 
Command.
    Mr. Thornberry. Irrespective of service branch, does USSTRATCOM's 
cyber warfighters possess the skills necessary to ensure all secure 
battlefield communications? Please explain.
    General Shelton. Congressman, I would respectfully ask that this 
question be directed to the Commander of U.S. Strategic Command, 
General Chilton, who can provide you with the most up-to-date and 
accurate information regarding his command's ability to secure 
battlefield communications.
    Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and 
DISA clearly defined in theater?
    General Shelton. Congressman, I would respectfully ask that this 
question be directed to the Commander of U.S. Strategic Command, 
General Chilton, the Director of NSA, Lieutenant General Alexander, and 
Lieutenant General Pollet, the Director of DISA, who can provide you 
with the most up-to-date and accurate information regarding the 
division of their responsibilities in theater.
    Mr. Thornberry. Should the Department of Defense establish a 
``Cyber Agency'' at the same level of the National Security Agency 
(NSA) and Defense Information Services Agency (DISA)? Why or why not?
    General Shelton. Currently, it is the Secretary of Defense's intent 
to establish a U.S. Cyber Command as a sub-unified command under U.S. 
Strategic Command. The Air Force is standing up the 24th Air Force in 
order to present Air Force cyber forces to this command. The Air Force 
stands ready to respond to any cyber-related requirements from the 
Department.
    Mr. Thornberry. To what extent is the cyber domain being integrated 
into other domain and domain awareness initiatives (i.e. battlespace, 
maritime, air, space)? Please describe.
    General Shelton. Secretary Gates' decision to stand-up USCYBERCOM 
indicates the importance the Department of Defense places on this 
domain. The Air Force also recognizes the criticality of cyberspace to 
Joint and AF operations and is standing up 24th Air Force to focus on 
this key area. The integration of cyberspace operations with other 
operations happens at Joint and Service levels. For the Air Force, this 
integration will occur at 24 AF with USSTRATCOM/USCYBERCOM and at Air 
Operations Centers (AOC) supporting Combatant Commanders (CCDR). When 
CCDRs rely on reach-back cyberspace operations, Airmen in the 24 AF and 
AOCs will facilitate integration of applicable AF capabilities.
    Mr. Thornberry. Define a cyber warfighter, or cyber warfare 
professional as he exists today.
    Mr. Lentz. The Cyber warfighter is evolving from a variety of 
military specialties such as Intelligence, Communications, Information 
Technology, and Information Assurance. The primary roles currently 
identified for Cyberspace Operations include military, civilian, and 
contractors performing:

      Computer Network Operations (CNO) Execution, consisting 
of:
          Computer Network Attack (CNA)
          Computer Network Exploitation (CNE)
          Computer Network Defense (CND)
          Network Operations (NetOps)
          Information Assurance (IA) Computer Network Defense 
        Service-Providers

    The ``Cyber-warfighter'' is a relatively new concept. The 
Department is developing the concept of operations. This includes the 
structure, missions, career progression and general responsibilities of 
the developing Cyber workforce. The diagram below suggests notional 
thoughts on the integration of the various components of the Cyber 
workforce.

[GRAPHIC] [TIFF OMITTED] T7218.069


    Mr. Thornberry. Describe what you envision for the cyber warfighter 
of the future in terms of education (undergraduate/graduate or high 
school only, too), training, career path, rank structure, capability, 
mission, responsibilities, organization, etc.
    Mr. Lentz. Cyber Warfighter Education and Training will depend on 
how the position/person supports cyber warfighting. We anticipate the 
cyber warfighter of the future to reflect the following basic education 
and training qualifications:
    Military Officers: Receive professional military education in 
conjunction with cyber specific training so that they can conduct cyber 
warfare in their role as leaders and managers.

    Education:

          Bachelor or advanced degree preferably in information 
        systems related program
          Service officer basic professional education
          Service intermediate professional education
          Service/Joint Warfare Command and Staff College

    Training:

          Common foundational cyber warfare skills at career start
          Functional mission specific cyber warfare skills at mid-
        career
          Senior strategic leadership training across the cyber 
        warfare domain
          Baseline IA/IT commercial certification

    Government Civilian Cyber Warfare Managers: May receive DOD 
education in conjunction with cyber training so that they can apply 
cyber to their role as managers.

    Education:

          Bachelor or advanced degree preferably in information 
        systems related program
          National Defense University (NDU) Information Resource 
        Management College (IRMC) professional development programs or 
        certificates.

    Training:

          Component-specific policy, processes, and requirements
          Cyber related continuous training
          Component-specific/sponsored cyber courses
          Baseline IA/IT commercial certification

    Contractors performing cyber warfare management roles should meet 
the same/equivalent education and training as their government 
counterparts. DOD unique training or equivalent should be available to 
contractors.

    Military Operators (hands-on/technical): We anticipate these 
individuals will receive cyber warfare training along with their 
military and technical education for their role as operators.

    Education:

          High school/community college
          Rank/Grade appropriate professional education

    Training:

          Basic and advanced cyber related occupational specialty 
        training
          NetOps/IA certification depending on position 
        requirements
          Operational and exercise training

    Government Civilian Operators (hands-on/technical): Receive cyber 
training, which they apply along with their technical education to 
their role as operators.

    Education:

          Community college/baccalaureate degree in information 
        technology field

    Training:

          NetOps/IA certification depending on position 
        requirements
          Operational and exercise training

    Contractors performing cyber warfare technical roles should meet 
the same/equivalent education and training as their government 
counterparts. DOD unique training or equivalent should be available to 
contractors.
    Mr. Thornberry. Given the limited pool of individuals with the 
necessary technical skills, as stated recently by Gen Shelton, and the 
growing cyber personnel requirements articulated by Secretary Gates, 
what is the plan to recruit, organize, train, and equip prospective and 
current cyber warfare professionals? Is it joint or by service? Please 
explain.
    Mr. Lentz. There are several steps required to recruit and train 
personnel into the cyber workforce. The Services and Agencies are 
specifically responsible for accomplishing these tasks in compliance 
with DOD policy (which is still evolving for cyber warfare and its 
workforce). Based on current processes, the following actions must be 
accomplished by the Services and Agencies to develop a Cyber Workforce:

          Define their cyber workforce (what are the position 
        requirements)
          Identify their position requirements
          Document manning requirements/table of organization
          Program and budget to fill the documented positions.
          Develop recruiting requirements/quotas
          Identify recruitment incentives to attract potential 
        cyber warriors
          Recruit personnel with qualifications/potential to learn 
        required skills
          Provide baseline training for specific job/positions 
        skills
          Provide Continuous training via on-line, classroom, or 
        exercises

    The DOD is currently working with the Services, Agencies, Joint 
Staff, and STRATCOM to develop baseline cyber workforce standards. The 
current model for these standards is the current DOD 8570.01-M 
``Information Assurance Workforce Improvement Program''.
    Organizing and equipping the cyber warfare professionals is a 
function of mission capability requirements defined by the Chairman of 
Joint Chiefs of Staff and executed by the Services and Agencies.
    Mr. Thornberry. In your opinion should the cyber warfighter be 
trained by service branch, jointly, jointly with service specific 
trailer courses, or somehow else? Why?
    Mr. Lentz. The cyber warfighter should be primarily trained to meet 
DOD and service level baseline requirements established by the Services 
under Title 10 authorities. Such training should be augmented by 
applicable joint specialized training.
    Efforts are underway by the Joint Staff to finalize the cyber joint 
mission task list and to develop a joint learning continuum for cyber 
training. This should form the basis for joint specialized training.
    At both the DOD and joint level, there is a significant emphasis on 
joint training exercises for the cybersecurity workforce. Exercises are 
focused on attack detection, diagnosis, and reaction at military 
speeds.
    Mr. Thornberry. In the current overseas contingencies, please 
describe to what extent, if any, has U.S. Strategic Command 
(USSTRATCOM) taken an active role supporting U.S. Central Command?
    Mr. Lentz. Joint Functional Component Command for Network Warfare 
(JFCC-NW) and Joint Task Force-Global Network Operations (JTF-GNO), 
which are two USSTRATCOM components, are actively engaged in support of 
U.S. forces in the USCENTCOM area of responsibility.
    In today's battlefield, our networks are a critical force 
multiplier. Both JTF-GNO and JFCC-NW work closely with USCENTCOM 
leaders and staff, in Tampa as well as forward in theater, to ensure 
vital warfighting networks are robust and defended.
    Mr. Thornberry. Irrespective of service branch, does USSTRATCOM's 
cyber warfighters possess the skills necessary to ensure all secure 
battlefield communications? Please explain.
    Mr. Lentz. Commander, USSTRATCOM met the DOD's 2008 Information 
Assurance (IA) workforce certification goal to certify 40% of their 
Information Assurance/Cybersecurity workforce by December 31, 2008. 
Overall, the Department's information assurance workforce personnel 
certification rate as of December 31, 2008, was 23% (for its 
approximately 84,000 IA positions), with a target date of December 31, 
2010, for certification of the remaining IA workforce.
    Commander, USSTRATCOM has ``cyber-warfighters'' from a variety of 
military specialties such as Intelligence, Communications, Information 
Technology, and Information Assurance with the skills necessary to 
direct the DOD's Global Information Grid operations and defense. 
USSTRATCOM provides direction to the Services and organizations to 
secure their portions of the defense information environment including 
battlefield communications. The ``cyber-warfighter'' skill requirements 
are evolving and DOD is developing the structure, missions, career 
progression and general responsibilities of the cyber workforce.
    Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and 
DISA clearly defined in theater?
    Mr. Lentz. Joint Functional Component Command for Network Warfare 
(JFCC-NW) and Joint Task Force-Global Network Operations (JTF-GNO), the 
two USSTRATCOM components for which I am responsible, maintain a close 
and collaborative partnership with NSA and DISA. NSA maintains a robust 
forward presence in Iraq and Afghanistan to provide both cryptologic 
and information assurance support to deployed forces. These 
capabilities support both JFCC-NW and JTF-GNO in their respective 
missions of providing support for offensive and defensive cyber 
operations. DISA's mission to build, provision and engineer the 
backbone of the military networks also serves as a key enabler for JTF-
GNO's ability to direct the operations and defense of these networks.
    We use liaison officers and support elements embedded within each 
organization to help ensure our activities are mutually supporting and 
to avoid conflicting objectives. While each organization has distinct 
responsibilities, functions and authorities as defined by law and DOD 
regulations, connective tissue between these organizations is naturally 
bolstered by the relationships which exist between the Director, DISA 
dual-hatted as Commander, JTF-GNO, my role as both Director, NSA and 
Commander, JFCC-NW and since November 08, the relationship established 
by the SECDEF's decision to place JTF-GNO under the operational control 
of JFCCNW. It is critical that we continue to maintain and strengthen 
this connective tissue between our organizations in order to optimize 
agile cyber support for combatant commanders and DOD as a whole.
    Mr. Thornberry. Should the Department of Defense establish a 
``Cyber Agency'' at the same level of the National Security Agency 
(NSA) and Defense Information Services Agency (DISA)? Why or why not?
    Mr. Lentz. Cyberspace is critical to joint military operations, and 
we must protect it. To do this, the Department of Defense needs to 
ensure it has the right balance of integrated cyber capabilities. Our 
increasing dependency on cyberspace, alongside a growing array of cyber 
threats and vulnerabilities, adds a new element of risk to national 
security. To effectively address this risk and secure freedom of access 
in cyberspace, the DOD requires a command possessing the required 
technical capability and which remains focused on streamlining 
cyberspace operations. The Secretary of Defense has recently 
recommended the officer serving as Director of the National Security 
Agency be nominated as Commander of USCYBERCOM. In his role as the 
commander of USCYBERCOM, he will report to the Commander of USSTRATCOM.
    Mr. Thornberry. To what extent is the cyber domain being integrated 
into other domain and domain awareness initiatives (i.e. battlespace, 
maritime, air, space)? Please describe.
    Mr. Lentz. The cyber domain is integrated with the other domains 
and provides supporting capabilities that enable command, control, 
communications, computing, and information (C4I) processes. The cyber 
domain is an essential enabler for virtually all functions, including 
mission operations, information sharing and mission-related data 
processing.
    Domain awareness for the cyber domain is a difficult challenge. At 
this time, cyber domain awareness capabilities are not completely 
integrated with domain awareness capabilities for the other operational 
domains. Cyber domain awareness is routinely included in daily status 
briefs to commanders, providing a rough awareness of key cyber issues 
to warfighting commanders. However, cyber operations and incidents are 
difficult to model and present in visual form, and they are generally 
not depicted in warfighting common operational pictures.
    Mr. Thornberry. Define a cyber warfighter, or cyber warfare 
professional as he exists today.
    General Alexander. Cyber professionals are a cross-disciplinary 
team of highly-trained individuals that bring together diverse skill 
sets to conduct cyberspace operations. Their mission includes operation 
and defense of Department of Defense Global Information Grid. Technical 
expertise and roles cover the span of traditional military planning, 
intelligence preparation, command and control, operational assessment, 
requirements development, and operationalization of capabilities; all 
done in an ever-changing mission space. Cyber warfighters are directly 
supported by experienced intelligence analysts familiar with the larger 
cultural and operational contexts, expert language analysts, network 
analysts, cryptologists and operational planners, to name a few. These 
experts, be they military or civilian, work together in real time to 
effectively operate in cyberspace.
    Mr. Thornberry. Describe what you envision for the cyber warfighter 
of the future in terms of education (undergraduate/graduate or high 
school only, too), training, career path, rank structure, capability, 
mission, responsibilities, organization, etc.
    General Alexander. DOD's Cyber force must be continuously educated 
and mentored, sharpened by experience and drilled to operate in a 
dynamic environment. I envision a total force solution, active and 
reserve components, military and civilian, appropriately supported by 
contractors to build the cyber warfighters of the future. They will 
arrive with high school diplomas, undergraduate, and graduate degrees. 
Our training and education programs will fill the skill gaps to create 
increasingly skilled and adaptable personnel who will either specialize 
in specific cyberspace capabilities or develop broad-based experience 
to lead and manage future cyberspace operations. Continual specialized 
training will be necessary because the mission space encompasses an 
enormous number of different systems and software and is constantly 
being updated and reconfigured. Mentoring and growing leaders must be 
done as we do in other specialized fields to ensure experience is 
distilled to the next generation of planners and operators; a challenge 
for the nation as well as the military. On the learning continuum, a 
cyber warfighter will progress from the most basic of tasks through the 
most complex, by attending formal training, having work assignments 
that provide the opportunity to perform various missions, and 
participating in formal education programs.
    The Secretary of Defense has directed all the Services to maximize 
the facility at the Center for Information Dominance in Corry Station, 
Pensacola (the Executive Agent for Cryptologic Computer Network 
Exploitation and Defense training) to acquire the technical skills 
required for cybersecurity missions. (Those with more analytic roles 
receive their training at Goodfellow Air Force Base.) It is expected 
that graduates of both programs will be assigned to places where they 
can practice what they learned, gain mission experience in several 
sectors of Computer Network Operations, and participate in more 
advanced training fielded by the Services and the Crytologic Training 
System.
    Specific plans regarding rank structure, responsibilities, and 
organizations are all under development. The future cyberspace warrior 
must be adaptive and flexible with the ability to fulfill multiple 
roles that quickly adjust to changing conditions within the cyberspace 
domain and the joint warfighter's requirements. Of special importance 
will be the ability to shift though all missions required for steady 
state and surge requirements. It is important that individuals be 
assigned to organizations that are flexible enough to meet the complex 
challenges of the environment in which they will operate. While a 
specific organizational construct remains in development, the 
capabilities should be centered on cyberspace operations that support 
joint warfighter requirements.
    Mr. Thornberry. Given the limited pool of individuals with the 
necessary technical skills, as stated recently by Gen Shelton, and the 
growing cyber personnel requirements articulated by Secretary Gates, 
what is the plan to recruit, organize, train, and equip prospective and 
current cyber warfare professionals? Is it joint or by service? Please 
explain.
    General Alexander. In anticipation of this need, we have been hard 
at work over the past year identifying the necessary individual 
technical skills for future cyberspace missions and the training 
required for those skills.
    We currently conduct this training at both Corry Station in 
Pensacola, Florida and Fort Meade, Maryland and are working through 
resource requirements to meet future demand for trained and ready 
cyberspace forces.
    While we were developing training, we've also worked closely with 
the Services and national community to determine future force number 
requirements for the Department that included initial estimates for the 
expected end strength in a ``total force'' approach.
    We envision that the future cyberspace forces will be a total force 
approach of both Service and joint--the Services will organize, train, 
and equip cyberspace forces that will be presented to joint 
warfighters. Additionally, there will be a joint force that provides 
day-to-day support to USCYBERCOM missions as directed by Commander, 
USSTRATCOM. Using common force training and skills baseline, the 
services will generate forces that will rotate back and forth between 
the joint community and Service unit assignments.
    We must also leverage the unique contributions of universities and 
research institutions as well as private enterprise to ensure U.S. 
forces are always on the cutting edge.
    Mr. Thornberry. In your opinion should the cyber warfighter be 
trained by service branch, jointly, jointly with service specific 
trailer courses, or somehow else? Why?
    General Alexander. There is clearly a need for Service and Joint 
training for the cyber warfighter as well as more robust leveraging of 
the scientific and technical expertise found in our universities, 
research institutions and private enterprise. The complex and dynamic 
nature of the operational environment should dissuade us from adopting 
a one-size-fits-all approach. As in other military disciplines, we must 
train individuals with the basic skills they will need to operate and 
adapt in this domain: technology, analytics, cryptanalysis, languages, 
intelligence, operational planning and effective command and control. 
The Services play an enormous role here. There is a great deal of work 
being done by the Services to determine how they can best organize, 
train and equip forces for the combatant commanders. The Services, of 
course, also need much of this same expertise to effectively operate, 
secure and defend their networks and communication systems.
    Joint training is also critical; we must train how we fight. Part 
of the reason Secretary Perry first created the Joint Task Force-
Computer Defense Network in the late 1990s was because he realized 
then, as we do now, that unity of command and unity of effort is as 
essential in cyberspace as it is in the physical domains of air, sea, 
land and space. All we have learned in the intervening years led 
Secretary Gates to direct the creation of U.S. Cyber Command. It is 
only by focusing the talent and resources of the Services and forging 
and training Joint teams with interoperable equipment and unifying 
doctrine that we will be as effective in this domain as we are in the 
physical domains.
    Mr. Thornberry. In the current overseas contingencies, please 
describe to what extent, if any, has U.S. Strategic Command 
(USSTRATCOM) taken an active role supporting U.S. Central Command?
    General Alexander. Joint Functional Component Command for Network 
Warfare (JFCC-NW) and Joint Task Force-Global Network Operations (JTF-
GNO), the two USSSTRATCOM components for which I am responsible, are 
actively engaged in support of U.S. forces in the USCENTCOM area of 
responsibility.
    In today's battlefield, our networks are a critical force 
multiplier. Both JTF-GNO and JFCC-NW work closely with USCENTCOM 
leaders and staff, in Tampa as well as forward in theater, to ensure 
vital warfighting networks are robust and defended. We also plan, 
synchronize and execute cyberspace operations to deny a widely 
disbursed adversary the ability to easily use the Internet to 
orchestrate complex operations that target our forces, friends and 
allies. Of course, these commands also engage in deliberate planning in 
support of other long-term USCENTCOM priorities.
    The bright, energetic people assigned to these organizations are 
committed to this mission. They work to build the relationships with 
USCENTCOM that are so vital to the kinds of sophisticated, synchronized 
operations conducted by U.S. forces and Coalition partners. We must 
build the same kind of robust relationship with the other Combatant 
Commanders and ensure our operational planning and activities are well 
integrated with the other global missions for which USSTRATCOM is 
responsible.
    Mr. Thornberry. Irrespective of service branch, does USSTRATCOM's 
cyber warfighters possess the skills necessary to ensure all secure 
battlefield communications? Please explain.
    General Alexander. Let me begin by saying that no commander can 
guarantee battlefield communications will always get through or that 
they won't be intercepted by an adversary. The military, by definition, 
must be able to operate in a degraded environment. Yet, it is 
imperative that we ensure availability and security of communications. 
The Department of Defense has come a long way since the President first 
assigned U.S. Strategic Command the mission to defend DOD networks in 
2002. In Joint Task Force-Global Network Operations and Joint 
Functional Component Command for Network Warfare, U.S. Strategic 
Command has highly-motivated, well-trained personnel engaged in the 24/
7/365 defense of our vital networks. But we must do more.
    Over the years, the Secretary of Defense has provided U.S. 
Strategic Command with the authority to direct the operations and 
defense of defense networks, known as the ``Global Information Grid'' 
or ``GIG.'' We have established command and control that begins to 
enable the coordinated security configuration and defense of globally 
dispersed military networks. We also established baseline standards for 
network configuration, readiness standards and incident response. 
Service and Joint training are based on these collaboratively developed 
standards.
    However, even with well-trained and engaged personnel, the 
challenges are great. The Internet's open architecture is one of its 
principal strengths, but it is also its principal vulnerability. To 
defend national interests, DOD's GIG must be reliable, resilient and 
its individual components and date must be secured. We must be able to 
operate at ``network speed'' to be effective. Without greater machine-
to-machine interfaces, we cannot hope to dynamically configure systems 
to contain and defeat the threat of malicious traffic on a real-time 
basis--a necessity in this era's battlefield environments. Achieving 
much greater unity of effort throughout the Department as well as 
information sharing and collaboration with our Intelligence Community, 
Law Enforcement and Homeland Security partners as well as leveraging 
the expertise of universities, research institutions and private 
enterprise is also essential. We must continue to evolve training and 
operational exercises to ensure all personnel can appropriately and 
quickly leverage the diverse skill-sets needed to secure and defend 
military networks in this dynamic domain.
    Mr. Thornberry. How is responsibility between USSTRATCOM, NSA, and 
DISA clearly defined in theater?
    General Alexander. Joint Functional Component Command for Network 
Warfare (JFCC-NW) and Joint Task Force-Global Network Operations (JTF-
GNO), the two USSTRATCOM components for which I am responsible, 
maintain a close and collaborative partnership with NSA and DISA. NSA 
maintains a robust forward presence in Iraq and Afghanistan to provide 
both cryptologic and information assurance support to deployed forces. 
These capabilities support both JFCC-NW and JTF-GNO in their respective 
missions of providing support for offensive and defensive cyber 
operations. DISA's mission to build, provision and engineer the 
backbone of the military networks also serves as a key enabler for JTF-
GNO's ability to direct the operations and defense of these networks.
    We use liaison officers and support elements embedded within each 
organization to help ensure our activities are mutually supporting and 
to avoid conflicting objectives. While each organization has distinct 
responsibilities, functions and authorities as defined by law and DOD 
regulations, connective tissue between these organizations is naturally 
bolstered by the relationships which exist between the Director, DISA 
dual-hatted as Commander, JTF-GNO, my role as both Director, NSA and 
Commander, JFCC-NW and since November 08, the relationship established 
by the SECDEF's decision to place JTF-GNO under the operational control 
of JFCC-NW. It is critical that we continue to maintain and strengthen 
this connective tissue between our organizations in order to optimize 
agile cyber support for combatant commanders and DOD as a whole.
    Mr. Thornberry. Should the Department of Defense establish a 
``Cyber Agency'' at the same level of the National Security Agency 
(NSA) and Defense Information Services Agency (DISA)? Why or why not?
    General Alexander. On 23 June 2009, Secretary of Defense Gates 
directed the Commander of U.S. Strategic Command (USSTRATCOM) to 
establish a subunified U.S. Cyber Command (USCYBERCOM). Since that 
time, a STRATCOM-chartered CYBERCOM Implementation Team, with 
membership from NSA, DISA, JFCC-NW and JTF-GNO, have been working to 
produce a plan which would outline the mission and operating framework 
for this command. Both DISA and NSA will play critical roles in the 
Command's ability to successfully operate and defend our military 
networks.
    Mr. Thornberry. To what extent is the cyber domain being integrated 
into other domain and domain awareness initiatives (i.e. battlespace, 
maritime, air, space)? Please describe.
    General Alexander. Cyberspace operations are being integrated with 
operations in other domains through a myriad of efforts. These include 
developing joint doctrine to inform warfighters of extant capabilities, 
tactics, techniques, and procedures; developing cyber force constructs 
and associated training; integrating cyberspace operations within joint 
force exercises; ensuring cyberspace operations are included in 
combatant command plans; and developing initiatives which inform cyber 
users by examining culture, conduct, and capabilities. Although still 
in initial stages, initiatives to provide decision-makers with holistic 
views of the cyberspace domain, similar to the Maritime Awareness 
Initiative, are being addressed. Much remains to be done; however, the 
increasing national focus on cybersecurity is encouraging and will 
provide impetus to DOD and interagency efforts to increase awareness of 
this critical domain.
                                 ______
                                 
                   QUESTIONS SUBMITTED BY MR. MURPHY
    Mr. Murphy. We have heard a lot about how our government's 
resources are organized to address the threat posed by cyber hackers, 
but if we want to direct our efforts most effectively, it's also 
important to know how the hacker community is organized. What do we 
know about the culture of hackers, what motivates their actions, and 
what political, economic and social forces shape their behavior? It 
would seem that the answers to these questions should inform some of 
our decisions on how best to organize ourselves.
    General Alexander, I understand that a small office at the NSA--the 
Institute for Analysis--has done some innovative work to address these 
questions about the culture of hackers. Can you briefly describe, in an 
unclassified manner, this work and how it is contributing to our cyber 
security efforts?
    General Alexander.

    Background
    The Institute for Analysis (IFA) is an NSA-sponsored program 
launched in October 2004 with the intent of 1) reaching out to and 
engaging external world-class experts in addressing internal 
intelligence analytic problems in an unclassified setting and 2) 
learning from and applying new or unique analytic processes, 
methodologies, techniques, and associated tools developed in the ``real 
world'' to improve the overall health of analytic tradecraft at NSA. 
The primary vehicle used by the IFA is a ``challenge problem'' which is 
essentially an unclassified ``analog'' problem that stands in for/
represents the actual classified analytic problem identified by mission 
elements. IFA also facilitates networking between external experts and 
analysts and also develops and offers new analytic methodology training 
courses to analysts. Since 2008, IFA has been able to increasingly 
share these opportunities with other Intelligence Community partners.

    The Challenge
    In early 2008, an analyst from the NSA/VCSS Threat Operations 
Center (NTOC) brought the issue of understanding hacker cultures to the 
IFA as a potential challenge problem. The analyst understood that 
hacker scenes evolve and continue to evolve. In an effort to best focus 
his time and resources, the analyst wanted to know if there was a way 
to better understand the culture of hacker groups and therefore better 
understand the potential for a group of hackers to pose a significant 
national security threat. Specifically, he wanted to know the answers 
to the following questions:

      What motivates hackers?
      How do they learn, team up, and execute attacks?
      How do their strategies and operations differ from 
country to country?

    NTOC analysts have a solid understanding of the technical elements 
associated with hacking, but they wanted to know more about the 
sociological and ``cultural'' aspects. The challenge therefore was to 
strengthen analysts' understandings of the human side of hacking: what 
motivates hackers; where do they go to learn new techniques; how do 
they find out about new technologies; what self-identified hacker 
communities have emerged; and finally, what the relationship was, if 
any, between relatively benign ``tinkering networks'' and truly 
malicious hackers?
    What makes this a difficult problem was that virtually all hacker 
scenes are animated by a culture of secrecy and anonymity. Many 
hackers, and especially those who are likely to be of most interest to 
the USG, do not wish to have their activities and habits documented.

    Project Scope

    There were three specific goals built into this challenge question, 
as follows:
      1)   Systematically identify subcultures within the global hacker 
scene, and the key traits that distinguish them from other hacker 
subcultures, with a focus on teaming/interaction, learning, technology 
use, and motivations with the intent of developing the ability to 
``strategically segment'' these subcultures to identify other hackers 
of potential interest;
      2)   Identify how these scenes vary from region to region (or 
along other lines, e.g., by generation, motivation, etc.) with 
potential concentrations on Russia, China, and/or the Middle East. This 
would allow analysts to differentiate the threat matrix by region or 
other factors;
      3)   Research and analyze how these scenes have changed over the 
past decade and may continue to change going forward. This will enable 
analysts to better anticipate strategic or tactical surprises that may 
emerge from the hacker scene.

    Two substantive limits were also identified, as follows:
      1)   This project focused on the culture of hackers and the 
hacking scene, not on the wider issue of cybercrime, writ large. That 
is to say, the analysts were interested in understanding the habits of 
those who like to break into secured computer systems, whatever their 
motives, rather than on criminality which just happens to take place on 
or via the Internet. Clearly criminals of one sort and another may well 
adopt innovations and techniques that emerge from the hacker scene for 
their own purposes but that was not the main focus of the challenge 
problem;
      2)   Open source research would focus on the dimensions of the 
hacking scene that are most pertinent to national security: penetration 
of government systems, disruption of critical infrastructure, 
significant intellectual property theft, etc. This scoping excluded, 
for example, spambots, the hacking of consumer electronics, defacement 
of websites, etc., except insofar as such activities connected in some 
tangible way to national security.

    Challenge Results
    Specific results of this challenge problem provided detailed 
descriptions of hacker cultures in two areas of interest to NTOC as 
well as a framework that allowed NTOC analysts to rapidly identify, 
characterize, and categorize hacking activities based on potential 
threats to national security. The framework in particular has already 
been integrated into NTOC operations and has resulted in a quantitative 
increase in reporting on adversarial capabilities, including 
capabilities previously undiscovered using more conventional 
techniques. According to NTIOC management, this framework has also 
resulted in a significant savings of time, measured in man-years, in 
the ``discovery'' process.

                                  
