[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]



                                     

                         [H.A.S.C. No. 111-180]
 
 OPERATING IN THE DIGITAL DOMAIN: ORGANIZING THE MILITARY DEPARTMENTS 
                          FOR CYBER OPERATIONS

                               __________

                                HEARING

                               BEFORE THE

   SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                              HEARING HELD

                           SEPTEMBER 23, 2010

                                     
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13

                                     

                  U.S. GOVERNMENT PRINTING OFFICE
62-398                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  
  


   SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES

                LORETTA SANCHEZ, California, Chairwoman
ADAM SMITH, Washington               JEFF MILLER, Florida
MIKE McINTYRE, North Carolina        FRANK A. LoBIONDO, New Jersey
ROBERT ANDREWS, New Jersey           JOHN KLINE, Minnesota
JAMES R. LANGEVIN, Rhode Island      K. MICHAEL CONAWAY, Texas
JIM COOPER, Tennessee                THOMAS J. ROONEY, Florida
JIM MARSHALL, Georgia                MAC THORNBERRY, Texas
BRAD ELLSWORTH, Indiana              CHARLES K. DJOU, Hawaii
BOBBY BRIGHT, Alabama
SCOTT MURPHY, New York
                 Kevin Gates, Professional Staff Member
                 Kari Bingen, Professional Staff Member
                      Jeff Cullen, Staff Assistant


                            C O N T E N T S

                              ----------                              

                     CHRONOLOGICAL LIST OF HEARINGS
                                  2010

                                                                   Page

Hearing:

Thursday, September 23, 2010, Operating in the Digital Domain: 
  Organizing the Military Departments for Cyber Operations.......     1

Appendix:

Thursday, September 23, 2010.....................................    17
                              ----------                              

                      THURSDAY, SEPTEMBER 23, 2010
 OPERATING IN THE DIGITAL DOMAIN: ORGANIZING THE MILITARY DEPARTMENTS 
                          FOR CYBER OPERATIONS
              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Miller, Hon. Jeff, a Representative from Florida, Ranking Member, 
  Subcommittee on Terrorism, Unconventional Threats and 
  Capabilities...................................................     2
Sanchez, Hon. Loretta, a Representative from California, 
  Chairwoman, Subcommittee on Terrorism, Unconventional Threats 
  and Capabilities...............................................     1

                               WITNESSES

Flynn, Lt. Gen. George J., USMC, Deputy Commandant for Combat 
  Development and Integration, U.S. Marine Corps.................     4
Hernandez, Maj. Gen. Rhett A., USA, Assistant Deputy Chief of 
  Staff,
  G3/5/7, U.S. Army, Incoming Commanding General, U.S. Army 
  Forces Cyber Command...........................................     5
McCullough, Vice Adm. Bernard J., III, USN, Commander, U.S. Fleet 
  Cyber Command/U.S. 10th Fleet, U.S. Navy.......................     3
Webber, Maj. Gen. Richard E., USAF, Commander, 24th Air Force and 
  Air Force Network Operations, U.S. Air Force...................     6

                                APPENDIX

Prepared Statements:

    Flynn, Lt. Gen. George J.....................................    36
    Hernandez, Maj. Gen. Rhett A.................................    43
    McCullough, Vice Adm. Bernard J., III........................    25
    Miller, Hon. Jeff............................................    23
    Sanchez, Hon. Loretta........................................    21
    Webber, Maj. Gen. Richard E..................................    58

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

    Ms. Sanchez..................................................    75


 OPERATING IN THE DIGITAL DOMAIN: ORGANIZING THE MILITARY DEPARTMENTS 
                          FOR CYBER OPERATIONS

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
                  Subcommittee on Terrorism, Unconventional
                                  Threats and Capabilities,
                      Washington, DC, Thursday, September 23, 2010.
    The subcommittee met, pursuant to call, at 2:05 p.m., in 
room 2212, Rayburn House Office Building, Hon. Loretta Sanchez 
(chairwoman of the subcommittee) presiding.

  OPENING STATEMENT OF HON. LORETTA SANCHEZ, A REPRESENTATIVE 
    FROM CALIFORNIA, CHAIRWOMAN, SUBCOMMITTEE ON TERRORISM, 
            UNCONVENTIONAL THREATS AND CAPABILITIES

    Ms. Sanchez. Good afternoon. I am sorry for being delayed. 
But I would like to welcome all of you and thank you for 
joining us here today.
    The recent announcement by the Department of Defense [DOD] 
that they had suffered a major compromise of classified 
military computer networks has renewed discussions about what 
more DOD and the government should do to operate in the digital 
domain. The establishment of the United States Cyber Command 
[USCYBERCOM] and the announcement of a new cybersecurity 
strategy by Deputy Secretary of Defense William Lynn are 
important milestones, but we all know that more needs to be 
done.
    Today the subcommittee is looking to discuss three main 
objectives for this hearing: One, to understand the plan to 
organizational structure for the military services' cyber 
component organizations and how they will present forces to the 
U.S. Cyber Command; understand--two, understand services' 
challenges to recruiting, retraining, to training a cadre of 
cyber operations professionals; and three, to discuss 
initiatives supporting service-specific requirements for cyber 
operations.
    The purpose of this hearing is for the members of this 
subcommittee to learn what progress the services are making and 
organizing to carry out the full range of cyber operations, 
including computer network defense, offense, and exploitation 
functions. We also hope that the witnesses before us will be 
able to flesh out the doctrinal training and recruiting needs 
that will enable service concepts.
    So today we have four distinguished witnesses before us. 
First we have Vice Admiral Bernard McCullough, III, of the U.S. 
Navy, the Commander of the U.S. Fleet Cyber Command and the 
U.S. 10th Fleet. Welcome.
    Lieutenant General George J. Flynn, U.S. Marine Corps, is 
the Deputy Commandant for Combat Development and Integration.
    Major General Rhett Hernandez, the U.S. Army, is the 
Assistant Deputy Chief of Staff, G3/5/7. I know what that 
means. Oh, hi.
    And Major General Richard Webber, U.S. Air Force, is the 
Commander of the 24th Air Force.
    Once again, I want to thank all of the witnesses for being 
here today. I look forward to hearing your testimony. Without 
objection, we will take your written testimonies and submit 
them for the record. And what I would like to have you all is 
to summarize or tell us what you think we should be taking away 
from your testimonies, or what you haven't told us that is 
important for us to know.
    And we will be observing the 5-minute rule for questions 
from the Members. As you see, I have our ranking member here 
Mr. Miller, very diligent. And we probably will be joined by 
some others, but what this will allow us to do is probably ask 
as many questions as we probably want to, Mr. Miller.
    So I will now yield to the ranking member from Florida Mr. 
Miller for his opening statement.
    [The prepared statement of Ms. Sanchez can be found in the 
Appendix on page 21.]

 STATEMENT OF HON. JEFF MILLER, A REPRESENTATIVE FROM FLORIDA, 
   RANKING MEMBER, SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL 
                    THREATS AND CAPABILITIES

    Mr. Miller. Thank you, Madam Chairman. I have a full 
statement I would like entered into the record.
    And as you know, we had a full committee hearing this 
morning with General Alexander. And I think it is appropriate 
that we take an opportunity to visit with each of the services 
today and see where they are going, what their issues are that 
they need to bring before us, because we know this is an 
operational area that we cannot cede to anybody. Our forces are 
too reliant on its capability, and its effectiveness is only 
enhanced by the sophisticated and expert application of its 
benefits.
    So in view of time, knowing that we have votes coming up, I 
would like to again ask that my full statement be entered into 
the record.
    [The prepared statement of Mr. Miller can be found in the 
Appendix on page 23.]
    Ms. Sanchez. Great. I thank my ranking member.
    And I have just been notified that we are looking at votes 
maybe in--starting in about another 20 or 30 minutes, so I 
think that it is incredibly important that we begin and at 
least get the testimony in of our witnesses.
    Again, gentlemen, thank you so much for taking the time to 
be before us today. And maybe we will begin with Vice Admiral 
McCullough of the U.S. Navy.

    STATEMENT OF VICE ADM. BERNARD J. MCCULLOUGH III, USN, 
 COMMANDER, U.S. FLEET CYBER COMMAND/U.S. 10TH FLEET, U.S. NAVY

    Admiral McCullough. Chairman, thanks for holding this 
hearing. We think it is incredibly important to the defense of 
the United States.
    Chairwoman Sanchez, Ranking Member Miller, thank you for 
the opportunity to discuss the United States Fleet Cyber 
Command and the U.S. 10th Fleet.
    Madam Chairwoman, on 29 January, 2010, I assumed command of 
the United States Fleet Cyber Command and the United States 
Navy 10th Fleet. As the Navy's component command to the United 
States Cyber Command, Fleet Cyber Command directs cyberspace 
operations to deter and defeat aggression, ensure freedom of 
action, and achieve military objectives in and through 
cyberspace. While much of our mission parallels those of the 
other services' cyber components, Fleet Cyber Command has 
unique responsibilities as a central operational authority for 
networks, cryptology, signals intelligence, information 
operations, cyber, electronic warfare and space operations in 
support of forces afloat and ashore.
    The Navy's vision is to fully develop our ability to 
operate in cyberspace and to accomplish this task by fusing and 
developing our capacity across all networks, signals 
intelligence systems, and electronic warfare systems. As such, 
we organize and direct Navy cryptologic operations worldwide 
and integrate information operation and space planning and 
operations as directed.
    Tenth Fleet was originally established during the Second 
World War to develop and implement antisubmarine warfare 
capability and capacity. Today the reestablishment of the 10th 
Fleet is built upon the same principles. The operational focus 
of the 10th Fleet in the U.S. Fleet Cyber Command will enable 
us to accomplish our mission across all ranges of cyber 
operations.
    To succeed we must be able to operate freely across the 
electronic spectrum while facing threats that range from the 
mundane, such as atmospheric interference, to highly advanced 
threats, such as network intrusion and malicious attack. It is 
Fleet Cyber Command's responsibility to analyze this advanced 
threat and develop the tactics, techniques, and procedures 
necessary to defend our network and be ready to take whatever 
steps are necessary to freely operate across all domains.
    As Fleet Cyber Command continues to mature, we are finding 
ways to capitalize on the expertise of our sister services, 
working together to identify threats and establish a unified 
response.
    Operationally we are moving out. Since our standup in 
January, we have partnered with USCYBERCOM--CYBERCOM's service 
components that are with me here today, as well as the U.S. 
Coast Guard, in support of United States Pacific Command and 
Pacific Fleet exercises. We are viewing--we are reviewing our 
network operations to enhance shared situational awareness and 
the inherent security that comes from cooperative oversight. We 
have also partnered with industry, academia and federally 
funded research and development centers during these exercises 
and routinely to take advantage of their knowledge and 
capability. The commercial sector drives this domain, and we 
must leverage their capacity and investment.
    None of our efforts will provide mission accomplishment 
without effective recruiting and training of sailors who are 
technologically savvy and able to apply their skills to the 
defense of the fleet's networks. I have visited all but one of 
my subordinate operational commands, and I can assure the 
subcommittee that the Navy has an outstanding force of sailors 
ready to support the Nation across the entire range of cyber 
operations.
    We have initiatives to create new officer specialties, 
including cyber warfare engineers and cyber warrant officers. 
The establishment of a training program at the United States 
Naval Academy will create new opportunities to train officers 
dedicated to cyber operations.
    With any new operational area or domain, there is always 
room for tremendous growth. Every day I am amazed at the 
ability of our sailors to think beyond the traditional 
operational areas and to apply their expertise to the cyber 
realm. It is in that environment that we will cultivate and use 
to help recruit future experts.
    There is no way the Department of Defense can compete with 
industry in the area of monetary compensation, salary if you 
will, but we can provide our people with expanded opportunities 
for education, training, and help them build experience as 
leaders that cannot be matched elsewhere.
    My staff in command headquarters at Fort Meade is growing 
in strength and capacity each month. We currently operate with 
a headquarter staff of 130 that will grow to approximately 200 
personnel over the next year, ensuring that we have the 
expertise needed to successfully operationalize cyber.
    I thank you for this opportunity to discuss U.S. Fleet 
Cyber Command and the 10th Fleet and appreciate your support of 
our Navy and the Department of Defense. I look forward to 
answering your questions.
    [The prepared statement of Admiral McCullough can be found 
in the Appendix on page 25.]
    Ms. Sanchez. Thank you, Admiral.
    We will talk now to--or we will hear from Lieutenant 
General George Flynn, U.S. Marine Corps, please.

STATEMENT OF LT. GEN. GEORGE J. FLYNN, USMC, DEPUTY COMMANDANT 
   FOR COMBAT DEVELOPMENT AND INTEGRATION, U.S. MARINE CORPS

    General Flynn. Chairwoman Sanchez, Representative Miller, 
and distinguished members of the subcommittee, thank you for 
the opportunity to be here today. Let me begin by saying thanks 
for all you and all the other members of the House Armed 
Services Committee do to support our service men and women, 
their families, and especially our marines.
    Cyberspace is clearly a new domain, and because it is 
manmade, it is something we learn more about each day. It is 
many things to many people. In my view, it is like terrain. It 
must be defended, and we must use it to gain advantage.
    Just like the other traditional domains, our goal in 
developing our cyber capability is to create the means to 
maintain our freedom of action, not only in cyber, but in the 
other domains as well. Our focus initially has been in three 
areas: to improve our ability to defend our networks; to create 
a small component command staff to support not only the efforts 
of U.S. Cyber Command, but also to develop the capabilities 
needed to be inherent in our service force structure; and also 
to create the operators needed to support USCYBERCOM efforts.
    Accordingly, we are taking a deliberate and joint approach 
to our cyber requirements, and we are using some of the past 
lessons to inform our requirement efforts in developing our 
organizational equipment and training requirements. We are 
seeking to find the right balance of efficiency and 
effectiveness in meeting both the U.S. Cyber Command 
requirements and our service requirements. This is why we are 
joined at the hip with U.S. Cyber Command to build the 
necessary mission capabilities, and we will adjust our approach 
as we learn more about the challenges and opportunities that 
are assuredly ahead.
    I have prepared a written statement. I would request that 
it be a part of the record. And I am looking forward to 
answering your questions.
    [The prepared statement of General Flynn can be found in 
the Appendix on page 36.]
    Ms. Sanchez. Perfect. Thank you so much, General.
    Now we will ask Major General Hernandez of the U.S. Army 
for his 5 minutes or less.

   STATEMENT OF MAJ. GEN. RHETT A. HERNANDEZ, USA, ASSISTANT 
 DEPUTY CHIEF OF STAFF, G3/5/7, U.S. ARMY, INCOMING COMMANDING 
            GENERAL, U.S. ARMY FORCES CYBER COMMAND

    General Hernandez. Chairwoman Sanchez, Congressman Miller, 
and members of the subcommittee, thank you for your ongoing 
support of our military and for the opportunity to appear 
before this panel with my counterparts from other military 
services today.
    The Army established Army Forces Cyber Command as our 
service component to the United States Cyber Command. Our 
mission is to plan, synchronize, direct, and conduct network 
operations in defense of all Army networks and mission 
objectives. We stand ready when directed to conduct those 
cyberspace operations necessary to ensure U.S. and allied 
freedom of action in cyberspace.
    We are organizing, training, and equipping Army forces to 
support Cyber Command's lines of operation. By providing shared 
situational awareness of the Army's portion of the Department 
of Defense information networks, we help the Commander, Cyber 
Command exercise command and control.
    On 1 October, I will become the Commander of Army Cyber 
Command. I will ensure the Army closely coordinates with other 
services and the combatant commanders to fully protect our 
digital infrastructure, and that the combatant commanders 
receive the cyber support they require to accomplish their 
joint missions.
    The Army organizes, trains, and equips to ensure that we 
can help protect and defend our Nation. Cyberspace is a domain 
and dimension of that defense. In cyberspace we know operations 
occur at net speed routinely and instantly across national 
boundaries and often involve multiple state and non-state 
actors. We are challenged to rapidly attribute adversary 
activity and anticipate collateral effects. We must address 
these requirements and undertake more robust measures to 
operate and defend our networks.
    The Army Cyber Command construct leverages years of 
experience and a deliberate approach that will now meld unique 
cyber operations capabilities from the 9th Signal Command, the 
Intelligence and Security Command, and the 1st Information 
Operations Command into one fully integrated command structure 
to globally command and control all cyber operations for the 
Army. We will use a single--and are using it today--operations 
center that is tied to Cyber Command's Joint Operational Center 
as the focal point for planning, synchronizing, and conducting 
cyber operations.
    In this organization people will be the centerpiece of our 
efforts to improve cyber operations. To effectively operate, we 
must change our culture. The first line of defense in 
cyberspace is the user, and every individual must understand 
that cyberspace is a contested environment that we must 
protect.
    The second line of defense is our corps of cyber 
professionals who defend our networks and ensure operations. We 
will win in cyberspace with the best-trained and most 
professional personnel. To that end we must increase our 
capacity to grow cyber professionals, and resources are 
necessary to train the cyber workforce required for this ever-
changing environment. Once trained, we must keep them in the 
ranks. Retaining highly trained cyber professionals is 
essential to maintaining our ability to effectively conduct 
cyber operations.
    As our workforce matures, we must continue to quickly 
identify and acquire new capabilities in this rapidly evolving 
mission. The Army has multiple initiatives under way to improve 
our global network operations in defense, as well as expand our 
cyber capabilities, and Army Cyber Command will drive these 
efforts.
    Chairwoman Sanchez and other members of the subcommittee, 
as I assume command, I pledge my support to you and to our 
Nation, and I look forward to our continued relationship. Your 
Army stands ready to defend and protect our digital 
infrastructure. I appreciate the opportunity to speak on these 
important matters and look forward to addressing any questions. 
Thank you.
    [The prepared statement of General Hernandez can be found 
in the Appendix on page 43.]
    Ms. Sanchez. Thank you very much.
    And next we have Major General Richard Webber, U.S. Air 
Force. Hello, General.

STATEMENT OF MAJ. GEN. RICHARD E. WEBBER, USAF, COMMANDER, 24TH 
   AIR FORCE AND AIR FORCE NETWORK OPERATIONS, U.S. AIR FORCE

    General Webber. I would like to thank Chairwoman Sanchez, 
Ranking Member Miller, and the other distinguished members of 
the subcommittee for the opportunity to appear before you and 
represent the dedicated and exceptional men and women of 24th 
Air Force.
    As our Secretary of the Air Force and Chief of Staff of the 
Air Force stated, our goal is to protect our mission-critical 
infrastructure, improve our capabilities, and develop greater 
cyber expertise and awareness to complement the entire 
Department of Defense cyberspace effort.
    Twenty-Fourth Air Force just celebrated its 1-year 
anniversary, and I would like to take this opportunity to 
highlight some of the Command's recent accomplishments. On 
September 11, 2010, the Air Force Space Command Inspector 
General conducted an assessment and declared 24th Air Force 
ready for the full operational capability. And as soon as we--
and soon we anticipate declaring 24th Air Force fully 
operational.
    There are numerous ways 24th Air Force has made progress 
towards achieving this major full-operational capability 
milestone. I would like to touch on four significant examples.
    First, we have undertaken extensive collaboration with our 
fellow air components and other combatant commands to integrate 
cyber courses of action into their operational plans. This is a 
distinct transition from our legacy approach in which cyber was 
relegated to a support role focused on assuring the network, 
rather than assuring the mission.
    Second, we have made strides in obtaining dedicated 
intelligence resources to support our operations. As a result, 
we are shifting from a reactive network defense posture to one 
that is more predictive and dynamic. Ultimately this will 
facilitate our ability to predict and deter attacks before they 
take place.
    Third, we have worked with Air Force Space Command to 
restructure and train our cyber professional workforce to 
produce capable, vigilant personnel with an operational rather 
than a maintenance-only mindset.
    Finally, we have streamlined our cyber acquisition 
processes. This gives our airmen the tools they need when they 
need them to rapidly deliver capabilities for operations in an 
increasingly dynamic and contested domain.
    Let me summarize by saying that the Air Force is committed 
to producing professional cyber warriors dedicated to assuring 
the joint mission and preserving our freedom of action in 
cyberspace. Because operating in cyberspace is a team sport, I, 
the men and women of 24th Air Force are proud to work alongside 
our teammates in USCYBERCOM and our sister services.
    I would like to thank the subcommittee for your continued 
support as we endeavor to meet the challenges of defending 
cyberspace for the joint warfighter. I look forward to your 
questions.
    [The prepared statement of General Webber can be found in 
the Appendix on page 58.]
    Ms. Sanchez. Thank you, General. Thank you to all you 
gentlemen.
    I will remind my colleagues that we will go by the 5-minute 
rule, and I will begin by asking some questions.
    The first thing I would like to ask you all is there is 
somewhat of a difference of opinion. I have been, as you know, 
chairwoman since about the end of January with respect to this 
subcommittee, and the issues that go before it, cybersecurity 
being one of the more newer, difficult--you all know it is a 
very complex issue. So some have told me that with respect to 
the military, everybody has got a different system; even within 
each department, every ship, every plane, every unit, everybody 
has got different--they are operating under all different 
systems.
    So my question is, is it your experience or your thought 
that the more consolidated our networks become, the more 
sameness we have across our networks within a service or 
across--or even across all services, that the easier it will be 
to defend that, or are we so stuck in legacy systems and 
upgrades and everything to all of that that we are never going 
to see that, and it would be easier for you all to defend all 
the different systems that you each have under you?
    Maybe we will start with the admiral over there.
    Admiral McCullough. Chairwoman, as you suggest, as we built 
the network inside the military, we all sort of built it in our 
own way. The Navy, for instance, has three different systems. 
We have the Navy-Marine Corps Intranet that is transitioning to 
Next Generation Enterprise Network for our CONUS [continental 
United States] in Alaska and Hawaii part of our organization. 
OCONUS [outside the continental United States], we have 
something called ONE-NET, and then on ships we have something 
called IT-21. So we have got three networks inside what I will 
call our service enterprise network, and it is by nature the 
way the system was developed.
    I think it is beneficial--and as General Alexander 
explained earlier this morning about moving to a different type 
of network, and he called it ``computing on the edge'' or 
``cloud computing.'' And I think it is advantageous as we move 
forward that we do it as a united joint--in a united joint 
manner.
    I also think it is imperative as we develop dynamic 
situational awareness of the networks that we--all the services 
do it in a manner that is interoperable, compatible, and takes 
advantage of what USCYBERCOM does under STRATCOM [Strategic 
Command] to develop that situational awareness so we don't go 
on a divergent path. I think if we gain that ability and 
capability, that the network will be much easier to defend and 
maintain.
    Ms. Sanchez. Anybody have a differing approach or something 
you all want to add?
    And this is my concern. My concern is, of course, that we 
not only have to worry about what is inside the services' 
network or networks, but we also have to worry about the fact 
that we interact with outside networks, let us just say 
contractors who are providing for us, and that the more we are 
one joint, the more openings there are, if we are all looking 
at--if we are working with contractors and others. And, of 
course, that seems to me in talking to everybody, that is one 
of the easiest ways to break into a system is the weakest link, 
which is individuals sometimes inside the military, but, of 
course, you know, we are exponentially creating even larger 
avenues into our networks.
    Do you all have a concern about that, or do you think just 
concentrating--if we really had one network that worked across 
everything, that concentrating all our efforts just to protect 
one thing would be easier than walling off into different 
sections everything that we do?
    Yes, General.
    General Webber. If I could add, our legacy within the Air 
Force was essentially a separate network for each of our major 
commands. So Air Combat Command, Space Command, Air Mobility 
Command, they each had their own approach. And each of those 
systems were made up of a collection of hardware and software, 
each with their strengths and their weaknesses.
    But in this arena, you are only as strong as your weakest 
link. And so what we are doing is we are migrating over several 
years to a single, more homogeneous Air Force network that will 
be much better designed in terms of giving us situational 
awareness, as well as allowing us efficiencies to operate, 
because when your system is not working and you pick up the 
phone, you want to call the help desk that knows how your 
system operates.
    Now, once you have done that, then you need to consider how 
you defend things in depth. If you try to defend everywhere, in 
essence you defend nowhere. And so what we are asking our 
warfighters to do is identify to us what are those crown 
jewels, those mission-critical things that you must have to do 
your mission; for example, air mobility. You must have this op 
center, these key links, this hardware, this software, this 
data in motion, this data at rest. And then we are going to 
design a defense in depth for those crown jewels.
    Ms. Sanchez. Let me ask one more question, and then I will 
let my colleague Mr. Miller ask some questions.
    As you are moving and evolving towards this larger network, 
do you feel that you have the right acquisition process that 
allows you to meet those needs? And I will give you an example. 
When we--on another committee when we were looking at a 
particular project--it was a very big project--we did not have 
the right acquisition people within a particular department, so 
we all--what happened was that the contractor was allowed to 
almost act as the contract officer within the department, 
because, you know, information and this--and this technical 
skill sometimes can be easier found outside than brought in 
house.
    So do you feel that you--and we know it from engineers and 
STEM [Science, Technology, Engineering and Mathematics] and 
everything, but there is also the acquisition process which 
sometimes has some of those people, but a lot of times doesn't 
have somebody so well-versed in what we are actually looking to 
acquire. So my question to you is do we have--do you have the 
ability to build an acquisition process, or do you have it in 
place, that will allow us to know what we are asking for and 
really get the best systems that we need as we evolve to the 
future? Anybody?
    Yes. General.
    General Webber. I can tell you the three-step approach that 
my boss for the organize, train, and equip side of the 
business, General Kehler at Air Force Space Command, has put in 
place, and I think it gets at all the challenges of this 
domain. And if you would envision a pyramid, and at the tip of 
the pyramid are those things that you literally need in hours 
or days. That is done for us by our 688th Information 
Operations Wing. And if you see a piece of malware, and you 
need a response to it now, these are the professionals that 
take care of that for us.
    The second stage are things you would need in the 12-, 18-, 
24-month timeframe, and in that arena, we are looking towards 
things like a Cyber Safari, which is a version of Big Safari, 
or even to a certain extent the Air Force TENCAP [tactical 
exploitation of national capabilities] Program that is skilled 
at matching these kind of rapid acquisitions.
    And then the foundation of the pyramid is the classic 
acquisition where you have your PEO [Program Executive 
Officer], and you go to your product center. Although in that 
arena, because this domain changes so rapidly, you need to 
spiral develop. You need to consider block updates, and you 
need to make sure that you can spiral in new technologies, as 
well as be able to spiral the requirements as the threat 
changes.
    Ms. Sanchez. Thank you, General.
    Mr. Miller.
    Mr. Miller. Reading an article from Under Secretary Lynn in 
a recent Foreign Affairs magazine, he identified ways to 
effectively defend the networks from attacks and exploitation. 
And what I want to know is, yes, as we continue to defend, are 
we combining offensive actions with our current defensive 
actions? And can you talk about it in this setting?
    Admiral McCullough. I will take a stab at that, sir.
    General Alexander talked about this morning to some degree, 
and--when he explained what we did in response to Buckshot 
Yankee, and how previous to that time we had an offensive team 
which was Joint Force Combined Command Network Warfare and 
Joint Task Force Global Network Operations. So the operations 
and the defense were under Global Network Operations, and other 
capability was resident in Network Warfare. And they had 
different levels of security clearance and access to different 
levels of information. And we found when we went to Buckshot 
Yankee that you had to combine those teams to be able to 
conduct full-spectrum cyber operations to both defend and 
operate and deter. And so within the confines of this room, we 
are working across a full spectrum of network operations, sir.
    Mr. Miller. We have got some budget constraints upon us and 
I think the chairman and I both want to make sure that we are 
efficiently spending all the funds that you have at your 
disposal. The question would be if we need to cut any programs 
or any initiatives, have you identified those that we can 
afford to cut?
    General Flynn. Sir, are you talking in the area of cyber 
or--that is real difficult to answer right now because we are 
in the middle of standing up what we are doing right now. And 
right now we are not looking at cutting what we are doing in 
cyber because this really has become something new that we are 
doing. We are increasing our defensive capabilities because we 
are more reliant on the Net than we ever were. And in addition 
to that, we need to increase the number of people that we have 
assigned to work at U.S. Cyber Command on network operations.
    So the question, I think, is not so much what you would cut 
within Cyber Command, it would be more recognizing this as 
something new that is happening out there. It is what is old 
that would be the trade-off. And, for example, what we are 
doing in our service, in the Marine Corps, right now, we are 
conducting a force structure review group. It is to take a look 
at what structure you are going to need in the future. And 
this--I think cyber would be one of those fact-of-life changes 
that is new. So what--because this is new, and what is legacy 
then could go away. And that is a detailed process, that is 
what we are doing.
    But in cyber, if you--off the top of my head, what would 
you--what would you do in a fiscally informed environment? I 
think right now this is where the growth is, because this is 
where--this is something new, and it is something that changes 
every day. So I don't have one off the top of my head to offer 
on that, sir.
    Mr. Miller. I have got four more questions that I just want 
to submit for the record since we have got a vote.
    Ms. Sanchez. Certainly.
    We just had a vote call. We probably have about 10 minutes 
before we have to stop. I would like to give the opportunity to 
Mr. Langevin to ask his questions for 5 minutes or less. The 
gentleman from Rhode Island.
    Mr. Langevin. I thank the Chair.
    Gentlemen, thank you for being here, for the outstanding 
work that you are doing, and really talking about a critical 
issue, I think, that in many ways has been and in many ways 
still is overlooked, an overlooked element of our national 
defense. Obviously cybersecurity is going to become a growing 
and more complex challenge as time goes on, and we are never 
going to be able to get to the point where we are fully secure 
because it is such a moving target. So we all have our work cut 
out for us, and I thank you for the outstanding work you are 
doing.
    Having chaired the subcommittee that oversaw our Federal 
cybersecurity efforts, this is certainly a long--both a 
professional and personal interest of mine. And securing our 
critical data and information infrastructure is an immensely 
challenging and complex task, one which the Department of 
Defense has really confronted head on. And DOD obviously is 
viewed as a standard bearer not just for its technical 
abilities, but also due to a keen appreciation of the 
seriousness of the threat that faces our Nation.
    For me, this is the--our cyber challenges are--some of the 
vulnerabilities are the kind of things that certainly keep me 
up at night. However, there is obviously still room for 
improvement, despite the advances we have made and the steps we 
have taken, especially at the individual service level.
    Now, earlier this morning, General Alexander touched on one 
of the important issues, and that is the protection of our 
physical critical infrastructure. My question for you all is 
many military bases are reliant on outside, privately 
controlled power plants, water systems. Recently--the recent 
public attacks, such as the Stuxnet worm, demonstrated a 
growing interest in targeting industrial control devices such 
as SCADA [Supervisory Control and Data Acquisition] systems. So 
my question is how are your individual services working to 
address these types of threats? And have there been any damage 
assessments performed on cyber, including control system 
vulnerabilities to individual bases?
    General Flynn. Sir, one of the additional hats I wear is I 
oversee a base a little bit south of here, and one of the key 
things we have done is we have identified all our critical 
infrastructure. So we know where the critical nodes are, 
whether it be in power, water supply, or anything else that may 
pass through the base. So the first step has been throughout 
not only the base down at Quantico, but throughout the Marine 
Corps, we have identified those critical nodes.
    In the area of communications, where necessary we have 
created the redundancy that we need to be able to do that. But 
the first step in coming up with a solution is we have 
identified where those critical nodes are, and we are taking 
the steps to do what we can to mitigate them if it is possible.
    Mr. Langevin. Very good.
    General.
    General Webber. The Air Force is partnering with the 
national labs that are also working very hard on this issue, 
and our objective is to take each one of these vulnerabilities 
that are based on industrial control systems, understand how 
they work. And then my intent is to put out a direct--a 
Commander's direction that would be throughout the Air Force 
that says if you have this fuel system, or this HVAC [Heating, 
Ventilation and Air Conditioning] system, or this water system, 
or this power system, it will be installed in this way, it will 
be protected with a firewall this way, the settings will be set 
up very specifically. But right now those systems are very much 
wide open, and we haven't even taken the low-hanging fruit 
steps that we need to start taking now.
    Mr. Langevin. Admiral McCullough.
    Admiral McCullough. Congressman, I mean, as you well know, 
the systems that you discuss are very vulnerable to attack. The 
Navy has worked through the Commander of Navy Installations 
Command to identify critical nodes in that infrastructure. Do 
we have a plan for alternate power sources or alternate water 
sources? A lot of this is single source into a basin. If you 
take that capacity away, you have some capability on backup 
electric-power generation, but very little in other resources, 
such as water, sewer, et cetera.
    And so it is--our mission sets DOD networks, but we are 
very well aware that given the vulnerabilities of various 
systems, that we have to work with DHS and others to get at the 
root issue, and we are working in that direction, sir.
    Mr. Langevin. And General Hernandez.
    General Hernandez. Congressman, that is a great question. I 
am not aware of the level of detail that the Army has gone into 
identifying critical infrastructure and vulnerabilities. I will 
gladly take that as part of my assessment and take it as a 
statement and question for the record and come back to you as 
soon as I have completed that.
    [The information referred to was not available at the time 
of printing.]
    Mr. Langevin. I hope we can pay particular attention to all 
of this. I just--in closing, when I chaired the subcommittee on 
emerging threats and cybersecurity at Homeland Security, one of 
the vulnerabilities to critical infrastructure that came to 
light as a result of work done at Idaho National Labs was the 
threat to our electric grid. And again, so much of our--so many 
of our bases are dependent on local power systems, maybe off 
base. And if they are not secure, then clearly our bases are 
not going to be secure. Idaho National Labs, through this 
Aurora test, was able to actually blow up a--cause a generator 
through a SCADA attack to blow up and take the generator out.
    These things aren't just sitting on a shelf somewhere where 
you can just plug them in. They are going to take months to 
build, ship and install. So again, I hope we can redouble our 
efforts to pay attention to our vulnerabilities, particularly 
in that area and other areas in critical infrastructure, 
especially as it affects our bases.
    Thank you.
    Ms. Sanchez. I thank the gentleman from Rhode Island.
    We have six votes on the floor, and so we will have to wrap 
up this hearing, unfortunately. And I say that because I know 
how much you all prepared to be before us today, and I am sorry 
that it is, you know, crazy season in the Congress and that we 
have floor votes.
    But I would like to ask a question before we close, and I 
have a feeling that many of the Members will submit for the 
record some questions, and we would love to have--if you could 
answer those for us.
    I recently had Dr. Regina Dugan out--the Director of DARPA 
[Defense Advanced Research Projects Agency]--out in my 
district, and we went to schools to talk to young people about 
how important and--to motivate them to be in the science, 
technology, engineering, mathematics arena because, as we know, 
that really is the future for a lot of what we are talking 
about.
    Can you talk about--one of you mentioned, and I think it 
was the Vice Commandant--that--how you motivate people to come 
and actually work for the military when the salary is not 
comparable and the benefit package obviously is not comparable 
to what we see in Silicon Valley or even in my area of Orange 
County, California, where we have so much of this going on in 
the private sector? What are the challenges? And what can we do 
to help you to ensure that we are getting the right talent to 
help us with such an incredibly important issue? Any of you?
    Yes, General.
    General Webber. I think the first step has to be how do you 
get the young folks hooked on the idea of working in the cyber 
environment and paying attention to their math and science 
skills. One thing that I would commend to you and I have 
already commended to my fellow component commanders is an Air 
Force Association program called Cyber Patriot. And basically 
what it is is a program that teaches junior ROTC [Reserve 
Office Training Corps] folks--so this is high-school age--how 
to build and operate and then defend a network. And then they 
compete in a nationwide shoot-out in terms of how well did they 
build their network, how well did they operate it, and then how 
well did they defend it. So far we are anticipating at least 
300 high schools across the Nation are going to compete in 
this. So that is one of the good ways to get these folks 
hooked.
    I think they are attracted to the training that we offer 
them. For each of us, these are going to be high-skill jobs. It 
is going to take probably a minimum of 24 months of training, 
and we are all looking for ways that we can keep them at least 
back-to-back assignments in the mission area. But then should 
they decide that they--that they want to leave the Air Force 
and perhaps work for a contractor or another government agency, 
I think that is where the Total Force comes in. And I think we 
collectively need to place our Guard units and our Reserve 
units in the right locations--and we in the Air Force have done 
that--where they can just take off that suit maybe once a month 
and walk across the street and do these exciting missions in 
cyber that they have been trained in.
    Ms. Sanchez. Great.
    Anybody else?
    General Flynn. One of the key parts here is we are also 
going to take a Total Force look. And the challenge is not only 
getting the Active Duty, but, as General Webber said, also the 
Reserves.
    So the Total Force does have a piece to play here, and it 
is something that we can take a look at as we right now try to 
define what an operational reserve is. And this is one area to 
take a look at. And we also have to also attract the 
professional civilian workforce as well.
    The other part I would say is we have to take a look at 
some of our personnel practices within the services. A lot of 
what we do, we have never did it for money anyway, so there is 
a motivation that comes to cause a young man or woman to join 
any of the Armed Forces. So we have to continue to capitalize 
on that.
    But one thing that we have to take a look at is once you 
get somebody schooled in this area, and they become an 
effective operator, they need to stay in it. And so we are 
going to have to take a look at career progression that--you 
know, is it going to be acceptable to somebody not to have to 
do out-of-occupational-specialty assignment to get promoted? 
This may be the case where once you are in cyber, you never 
leave cyber, something like we do with some of our Special 
Operations units.
    And then the other part is the training investment. We are 
going to have to take a look at maybe the length of our 
enlistment contracts. If it takes you 2 years to get somebody 
to be a skilled operator, then in most cases you only have 2 
years left on Active Duty. So we have to take a look at that, 
and then, I think, what would be the appropriate incentive 
package. And in some cases, for--just like we see with young 
marines now returning again and again to Afghanistan, sometimes 
it is just the opportunity to do what you like doing and being 
part of something that is bigger than yourself.
    Ms. Sanchez. Thank you.
    Admiral McCullough. If I could pile on.
    Ms. Sanchez. Yes, Admiral. Pile on, pile on. Go ahead.
    Admiral McCullough. Okay. I think you can recruit the young 
men and women based on their excitement about the opportunities 
that are given, the educational opportunities that are given in 
this field, the opportunities to have a broad scope of 
responsibility that you don't necessarily get in the commercial 
sector. And once we educate them in the Navy--ours are 6-year 
contracts for these folks. Once you educate them, you have got 
to get them out into the field to practice this art, and then I 
think you have them.
    But we do understand monetary compensation and what the 
limits that we have in that area. In the Navy we provide 
selective reenlistment bonuses for our cryptology technicians 
that do most of this work for us, up to $75,000 for a 6-year 
reenlistment. We also have broader educational opportunities 
for these folks.
    And so I think, with satisfaction of mission and excitement 
about the opportunity that they have, that you can generate a 
stable workforce in the military for this. Now, the problem is 
how much does the general population bear in this type of folk, 
and we are all--the four services are competing with industry, 
with academia and other Federal agencies. And so does the 
Nation, as you suggest, have the right capacity to support what 
we are doing in this area?
    Thank you.
    Ms. Sanchez. Thank you.
    General.
    General Hernandez. Chairwoman, my piling on would be that--
in my testimony, and I firmly believe that the centerpiece and 
the center of gravity to our ability to operate in cyberspace 
is ensuring we can grow, retain, and train the right personnel. 
So I sign up for everything that everyone has said.
    The only piece I would add to this is that I think it is 
going to take even more than that, and we are going to have to 
use our imagination to think about what other things might we 
be able to do or need to do. And I would re-echo the Air Force 
comments that we need to do it earlier and do it with more 
scholarships earlier in school programs to identify that 
special talent that is critical in this field.
    Ms. Sanchez. Great.
    Thank you, gentlemen, for your testimony. Again, I am sure 
that some of the other Members and I also will be submitting 
for the record some more questions for you. I know your time is 
valuable. As soon as you can get those answers back to us would 
be great.
    And with that, I believe that the committee is adjourned. 
Thank you.
    [Whereupon, at 2:51 p.m., the subcommittee was adjourned.]
?

      
=======================================================================




                            A P P E N D I X

                           September 23, 2010

=======================================================================

      
?

      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                           September 23, 2010

=======================================================================

      
      
    [GRAPHIC] [TIFF OMITTED] T2398.001
    
    [GRAPHIC] [TIFF OMITTED] T2398.002
    
    [GRAPHIC] [TIFF OMITTED] T2398.003
    
    [GRAPHIC] [TIFF OMITTED] T2398.004
    
    [GRAPHIC] [TIFF OMITTED] T2398.005
    
    [GRAPHIC] [TIFF OMITTED] T2398.006
    
    [GRAPHIC] [TIFF OMITTED] T2398.007
    
    [GRAPHIC] [TIFF OMITTED] T2398.008
    
    [GRAPHIC] [TIFF OMITTED] T2398.009
    
    [GRAPHIC] [TIFF OMITTED] T2398.010
    
    [GRAPHIC] [TIFF OMITTED] T2398.011
    
    [GRAPHIC] [TIFF OMITTED] T2398.012
    
    [GRAPHIC] [TIFF OMITTED] T2398.013
    
    [GRAPHIC] [TIFF OMITTED] T2398.014
    
    [GRAPHIC] [TIFF OMITTED] T2398.015
    
    [GRAPHIC] [TIFF OMITTED] T2398.016
    
    [GRAPHIC] [TIFF OMITTED] T2398.017
    
    [GRAPHIC] [TIFF OMITTED] T2398.018
    
    [GRAPHIC] [TIFF OMITTED] T2398.019
    
    [GRAPHIC] [TIFF OMITTED] T2398.020
    
    [GRAPHIC] [TIFF OMITTED] T2398.021
    
    [GRAPHIC] [TIFF OMITTED] T2398.022
    
    [GRAPHIC] [TIFF OMITTED] T2398.023
    
    [GRAPHIC] [TIFF OMITTED] T2398.024
    
    [GRAPHIC] [TIFF OMITTED] T2398.025
    
    [GRAPHIC] [TIFF OMITTED] T2398.026
    
    [GRAPHIC] [TIFF OMITTED] T2398.027
    
    [GRAPHIC] [TIFF OMITTED] T2398.028
    
    [GRAPHIC] [TIFF OMITTED] T2398.029
    
    [GRAPHIC] [TIFF OMITTED] T2398.030
    
    [GRAPHIC] [TIFF OMITTED] T2398.031
    
    [GRAPHIC] [TIFF OMITTED] T2398.032
    
    [GRAPHIC] [TIFF OMITTED] T2398.033
    
    [GRAPHIC] [TIFF OMITTED] T2398.034
    
    [GRAPHIC] [TIFF OMITTED] T2398.035
    
    [GRAPHIC] [TIFF OMITTED] T2398.036
    
    [GRAPHIC] [TIFF OMITTED] T2398.037
    
    [GRAPHIC] [TIFF OMITTED] T2398.038
    
    [GRAPHIC] [TIFF OMITTED] T2398.039
    
    [GRAPHIC] [TIFF OMITTED] T2398.040
    
    [GRAPHIC] [TIFF OMITTED] T2398.041
    
    [GRAPHIC] [TIFF OMITTED] T2398.042
    
    [GRAPHIC] [TIFF OMITTED] T2398.043
    
    [GRAPHIC] [TIFF OMITTED] T2398.044
    
    [GRAPHIC] [TIFF OMITTED] T2398.045
    
    [GRAPHIC] [TIFF OMITTED] T2398.046
    
    [GRAPHIC] [TIFF OMITTED] T2398.047
    
    [GRAPHIC] [TIFF OMITTED] T2398.048
    
    [GRAPHIC] [TIFF OMITTED] T2398.049
    
    [GRAPHIC] [TIFF OMITTED] T2398.050
    
    [GRAPHIC] [TIFF OMITTED] T2398.051
    
?

      
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                           September 23, 2010

=======================================================================

      
                   QUESTIONS SUBMITTED BY MS. SANCHEZ

    Ms. Sanchez. Have DOD and U.S. Cyber Command provided the services 
with clear doctrine, guidance, policies, and/or requirements to 
accomplish their cyberspace operations mission?
    Admiral McCullough. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. What additional doctrine, guidance, policies, and/or 
requirements do the services need from DOD and U.S. Cyber Command to 
accomplish their cyberspace operations mission?
    Admiral McCullough. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. Please describe the doctrine, guidance, policies, and/
or requirements the services are developing individually and in 
coordination with one another?
    Admiral McCullough. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. Given current budget and personnel constraints (i.e. 
shrinking end strength and heightened operational demands), describe 
steps you are taking to meet your requirements to fund and staff your 
cyberspace operations?
    Admiral McCullough. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. What efforts have the services made to define the 
emerging role of the cyber warrior for both service-specific and joint 
cyberspace operations mission areas (including the development of 
mission specialties, job qualification and training opportunities)?
    Admiral McCullough. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. What service and joint training and educational 
institutions do you use now, or will you use in the future, for 
developing your cadre of cyber warriors?
    Admiral McCullough. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. How are you integrating cyber capabilities into 
Service-level, joint, international or interagency exercises?
    Admiral McCullough. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. What capabilities do you have to conduct active 
network operations, such as network hunting, penetration testing and 
other forms of red teaming? Do you have unmet needs in this area (in 
terms of people or tools)?
    Admiral McCullough. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. The Committee appreciates the complexity of 
coordinating cyber operations in various Service, Agency, interagency, 
international and non-governmental organizations geographically 
dispersed across the world. To deal with that challenge, what tools, 
technologies, processes or procedures do you have in place, or are 
planning, to facilitate collaboration across the full range of cyber 
operations?
    Admiral McCullough. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. Can you please explain your understanding of command 
and control responsibilities, relationships and authorities between 
U.S. Cyber Command and the military services?
    General Flynn. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. Have DOD and U.S. Cyber Command provided the services 
with clear doctrine, guidance, policies, and/or requirements to 
accomplish their cyberspace operations mission?
    General Flynn. [The information referred to was not available at 
the time of printing].
    Ms. Sanchez. What additional doctrine, guidance, policies, and/or 
requirements do the services need from DOD and U.S. Cyber Command to 
accomplish their cyberspace operations mission?
    General Flynn. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. Please describe the doctrine, guidance, policies, and/
or requirements the services are developing individually and in 
coordination with one another?
    General Flynn. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. Given current budget and personnel constraints (i.e. 
shrinking end strength and heightened operational demands), describe 
steps you are taking to meet your requirements to fund and staff your 
cyberspace operations?
    General Flynn. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. What efforts have the services made to define the 
emerging role of the cyber warrior for both service-specific and joint 
cyberspace operations mission areas (including the development of 
mission specialties, job qualification and training opportunities)?
    General Flynn. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. What service and joint training and educational 
institutions do you use now, or will you use in the future, for 
developing your cadre of cyber warriors?
    General Flynn. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. How are you integrating cyber capabilities into 
Service-level, joint, international or interagency exercises?
    General Flynn. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. What capabilities do you have to conduct active 
network operations, such as network hunting, penetration testing and 
other forms of red teaming? Do you have unmet needs in this area (in 
terms of people or tools)?
    General Flynn. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. The Committee appreciates the complexity of 
coordinating cyber operations in various Service, Agency, interagency, 
international and non-governmental organizations geographically 
dispersed across the world. To deal with that challenge, what tools, 
technologies, processes or procedures do you have in place, or are 
planning, to facilitate collaboration across the full range of cyber 
operations?
    General Flynn. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. Can you please explain your understanding of command 
and control responsibilities, relationships and authorities between 
U.S. Cyber Command and the military services?
    General Hernandez. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. Have DOD and U.S. Cyber Command provided the services 
with clear doctrine, guidance, policies, and/or requirements to 
accomplish their cyberspace operations mission?
    General Hernandez. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. What additional doctrine, guidance, policies, and/or 
requirements do the services need from DOD and U.S. Cyber Command to 
accomplish their cyberspace operations mission?
    General Hernandez. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. Please describe the doctrine, guidance, policies, and/
or requirements the services are developing individually and in 
coordination with one another?
    General Hernandez. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. Given current budget and personnel constraints (i.e. 
shrinking end strength and heightened operational demands), describe 
steps you are taking to meet your requirements to fund and staff your 
cyberspace operations?
    General Hernandez. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. What efforts have the services made to define the 
emerging role of the cyber warrior for both service-specific and joint 
cyberspace operations mission areas (including the development of 
mission specialties, job qualification and training opportunities)?
    General Hernandez. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. What service and joint training and educational 
institutions do you use now, or will you use in the future, for 
developing your cadre of cyber warriors?
    General Hernandez. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. How are you integrating cyber capabilities into 
Service-level, joint, international or interagency exercises?
    General Hernandez. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. What capabilities do you have to conduct active 
network operations, such as network hunting, penetration testing and 
other forms of red teaming? Do you have unmet needs in this area (in 
terms of people or tools)?
    General Hernandez. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. The Committee appreciates the complexity of 
coordinating cyber operations in various Service, Agency, interagency, 
international and non-governmental organizations geographically 
dispersed across the world. To deal with that challenge, what tools, 
technologies, processes or procedures do you have in place, or are 
planning, to facilitate collaboration across the full range of cyber 
operations?
    General Hernandez. [The information referred to was not available 
at the time of printing.]
    Ms. Sanchez. Can you please explain your understanding of command 
and control responsibilities, relationships and authorities between 
U.S. Cyber Command and the military services?
    General Webber. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. Have DOD and U.S. Cyber Command provided the services 
with clear doctrine, guidance, policies, and/or requirements to 
accomplish their cyberspace operations mission?
    General Webber. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. What additional doctrine, guidance, policies, and/or 
requirements do the services need from DOD and U.S. Cyber Command to 
accomplish their cyberspace operations mission?
    General Webber. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. Please describe the doctrine, guidance, policies, and/
or requirements the services are developing individually and in 
coordination with one another?
    General Webber. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. Given current budget and personnel constraints (i.e. 
shrinking end strength and heightened operational demands), describe 
steps you are taking to meet your requirements to fund and staff your 
cyberspace operations?
    General Webber. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. What efforts have the services made to define the 
emerging role of the cyber warrior for both service-specific and joint 
cyberspace operations mission areas (including the development of 
mission specialties, job qualification and training opportunities)?
    General Webber. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. What service and joint training and educational 
institutions do you use now, or will you use in the future, for 
developing your cadre of cyber warriors?
    General Webber. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. How are you integrating cyber capabilities into 
Service-level, joint, international or interagency exercises?
    General Webber. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. What capabilities do you have to conduct active 
network operations, such as network hunting, penetration testing and 
other forms of red teaming? Do you have unmet needs in this area (in 
terms of people or tools)?
    General Webber. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. The Committee appreciates the complexity of 
coordinating cyber operations in various Service, Agency, interagency, 
international and non-governmental organizations geographically 
dispersed across the world. To deal with that challenge, what tools, 
technologies, processes or procedures do you have in place, or are 
planning, to facilitate collaboration across the full range of cyber 
operations?
    General Webber. [The information referred to was not available at 
the time of printing.]
    Ms. Sanchez. The committee is aware that there is an Application 
Software Assurance Center of Excellence (ASACOE) at Gunter Annex, 
Alabama that has been recognized by the DOD for its software 
vulnerability analysis tools and methodologies. What role does the 
ASACOE in 24th Air Force efforts to secure AF networks? Is the ASACOE a 
program of record with funding across the FYDP to support additional 
software vulnerability analysis work from the AF, or with other 
services, defense agencies or Federal partners?
    General Webber. [The information referred to was not available at 
the time of printing.]

                                  
