[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]




                         [H.A.S.C. No. 112-118]

                                HEARING

                                   ON
 
                   NATIONAL DEFENSE AUTHORIZATION ACT

                          FOR FISCAL YEAR 2013

                                  AND

              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS

                               BEFORE THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

       SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING

                                   ON

BUDGET REQUEST FOR INFORMATION TECHNOLOGY AND CYBER OPERATIONS PROGRAMS

                               __________

                              HEARING HELD

                             MARCH 20, 2012

                                     





                  U.S. GOVERNMENT PRINTING OFFICE
73-790                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001





           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                    MAC THORNBERRY, Texas, Chairman
JEFF MILLER, Florida                 JAMES R. LANGEVIN, Rhode Island
JOHN KLINE, Minnesota                LORETTA SANCHEZ, California
BILL SHUSTER, Pennsylvania           ROBERT ANDREWS, New Jersey
K. MICHAEL CONAWAY, Texas            SUSAN A. DAVIS, California
CHRIS GIBSON, New York               TIM RYAN, Ohio
BOBBY SCHILLING, Illinois            C.A. DUTCH RUPPERSBERGER, Maryland
ALLEN B. WEST, Florida               HANK JOHNSON, Georgia
TRENT FRANKS, Arizona                KATHLEEN C. HOCHUL, New York
DUNCAN HUNTER, California
                 Kevin Gates, Professional Staff Member
                 Mark Lewis, Professional Staff Member
                      James Mazol, Staff Assistant



                            C O N T E N T S

                              ----------                              

                     CHRONOLOGICAL LIST OF HEARINGS
                                  2012

                                                                   Page

Hearing:

Tuesday, March 20, 2012, Fiscal Year 2013 National Defense 
  Authorization Budget Request for Information Technology and 
  Cyber Operations Programs......................................     1

Appendix:

Tuesday, March 20, 2012..........................................    29
                              ----------                              

                        TUESDAY, MARCH 20, 2012
  FISCAL YEAR 2013 NATIONAL DEFENSE AUTHORIZATION BUDGET REQUEST FOR 
          INFORMATION TECHNOLOGY AND CYBER OPERATIONS PROGRAMS
              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, 
  Ranking Member, Subcommittee on Emerging Threats and 
  Capabilities...................................................     2
Thornberry, Hon. Mac, a Representative from Texas, Chairman, 
  Subcommittee on Emerging Threats and Capabilities..............     1

                               WITNESSES

Alexander, GEN Keith, USA, Commander, U.S. Cyber Command, U.S. 
  Department of Defense..........................................     5
Creedon, Hon. Madelyn, Assistant Secretary of Defense for Global 
  Strategic Affairs, U.S. Department of Defense..................     7
Takai, Hon. Teresa, Chief Information Officer, U.S. Department of 
  Defense........................................................     3

                                APPENDIX

Prepared Statements:

    Alexander, GEN Keith.........................................    51
    Creedon, Hon. Madelyn........................................    72
    Langevin, Hon. James R.......................................    34
    Takai, Hon. Teresa...........................................    36
    Thornberry, Hon. Mac.........................................    33

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

    Mr. Franks...................................................    89
    Mr. Langevin.................................................    83
  FISCAL YEAR 2013 NATIONAL DEFENSE AUTHORIZATION BUDGET REQUEST FOR 
          INFORMATION TECHNOLOGY AND CYBER OPERATIONS PROGRAMS

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
         Subcommittee on Emerging Threats and Capabilities,
                           Washington, DC, Tuesday, March 20, 2012.
    The subcommittee met, pursuant to call, at 2:22 p.m., in 
room 2212, Rayburn House Office Building, Hon. Mac Thornberry 
(chairman of the subcommittee) presiding.

OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM 
     TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND 
                          CAPABILITIES

    Mr. Thornberry. The hearing will come to order. And again, 
let me thank our witnesses for your patience as we deal with 
the schedule which we cannot control. But I appreciate you all 
being here.
    Let me welcome our witnesses and guests to this hearing on 
the Department of Defense 2013 Budget Request for Information 
Technology and Cyber Programs.
    I appreciate General Alexander and Ms. Takai being back 
with us. And it is good to see Ms. Creedon here in a somewhat 
different capacity than we have worked before.
    It is striking to me that in the written testimony, General 
Alexander says in effect that things have gotten worse in cyber 
over the last year.
    We talked last year about the growing threat and our 
difficulty in catching up. And despite the successes of Cyber 
Command over the past year, which I do not discount in any way, 
it still seems to me that the dangers to our Nation in 
cyberspace are growing faster than our ability to protect the 
country.
    I think it is significant that the Speaker and Majority 
Leader are planning to bring broad cyber legislation to the 
House floor next month. And it is also significant that there 
continues to be bipartisan support for taking action, an effort 
in which the ranking member, Mr. Langevin, has been 
instrumental for some years now.
    I hope that the Senate will take action on the various 
proposals that they have before them. But, in a way, we should 
not kid ourselves. The American people expect the Department of 
Defense to defend the country in whatever domain it is 
attacked.
    And that means that Cyber Command must be ready, and 
Congress and the administration must find a way to ensure that 
it has the legal authorities it needs, and at the same time 
ensure that the constitutional rights of Americans are 
protected.
    Today, I will be interested in hearing how the 
administration's 2013 budget request takes us closer to that 
goal.
    Let me yield to the ranking member for any statement he 
would like to make.
    [The prepared statement of Mr. Thornberry can be found in 
the Appendix on page 33.]

     STATEMENT OF HON. JAMES R. LANGEVIN, RANKING MEMBER, 
       SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

    Mr. Langevin. Thank you, Mr. Chairman. And thanks to our 
witnesses for appearing before the subcommittee today.
    So much of our national security is dependent upon the 
reliable and timely flow of information across secure networks. 
To say that our ability to defend those networks and project 
power as required into cyberspace is a priority in the area of 
growth within the Department [of Defense] is, to put it 
lightly, an understatement.
    That is why this hearing could not be more timely.
    And let me associate myself with the remarks of the 
chairman with respect to the threats and the needed attention, 
extra attention, we need to focus in on this particular area.
    Information technology is pervasive across the entire 
Department of Defense [DOD], operating in the background of the 
full range of DOD activities from the most mundane 
administrative tasks to critical wartime functions. It is easy 
to overlook as a natural part of the environment.
    But because it is so pervasive, it must work effectively 
and efficiently or all of those functions that rely on it grind 
to a halt. Moreover, if not properly protected from malignant 
actors, it could also be a significant national security 
vulnerability and a source of asymmetric advantage to an 
adversary.
    At over $33 billion, IT [information technology] represents 
a sizable investment in the Department's budget. It is a 
considerable challenge to stay abreast of all the developing 
technologies and growing departmental needs under an 
architecture that provides both strategic vision and 
appropriate oversight.
    Robust, flexible, rapid, and secure are the words not often 
found together when describing defense programs. But I look 
forward to learning how the DOD looks to achieve savings in IT 
expenditures, while still providing the high-quality IT 
services that the DOD requires.
    However, whatever work and resources we devote to providing 
these IT services will be meaningless if the Department cannot 
secure them. States, non-state actors, ``hacktivists,'' and 
criminals are just some of the security challenges that 
threaten the network.
    Although our awareness cyber vulnerability has sharpened 
over the past few years, I still believe that we don't fully 
recognize the potential for damage posed by a breached or 
disrupted network.
    It is good to see that in the area of fiscal constraint, 
therefore the President's budget has preserved our investment 
in our cyber defense.
    Still, there is much to be done. Much of our critical 
infrastructure remains outside the DOD's protective umbrella, 
even as DOD relies upon it. The electric grid is but one of 
many examples.
    While I recognize that other Federal agencies and 
departments may have the responsibility for this aspect of our 
homeland defense, DOD remains vulnerable as these gaps go un- 
or under-addressed.
    While we have been assured by senior leaders in hearings 
earlier this year that such external dependencies are being 
examined, in some cases mitigated, I am interested to know how 
for the interagency dialogue--how far the interagency dialogue 
has progressed along these lines on discussions on this point 
last year.
    Fiscal resources are only part of the challenge in the 
cyber domain. Questions still remain about how and when the 
United States will conduct the full range of military cyber 
activities beyond the civil defense of the network.
    Some of these questions lie in the development of a robust 
cyber policy. And some of them may require legislative action.
    With that, I look forward to learning more about this and 
further issues in the discussion today. And I again want to 
thank our panel for their presence.
    Thank you.
    And Mr. Chairman, I yield back.
    [The prepared statement of Mr. Langevin can be found in the 
Appendix on page 34.]
    Mr. Thornberry. Thank the gentleman.
    We have before us today, the Honorable Teresa Takai, Chief 
Information Officer of the Department of Defense; General Keith 
Alexander, Commander, U.S. Cyber Command; and the Honorable 
Madelyn Creedon, Assistant Secretary of Defense for Global 
Strategic Affairs.
    Without objection, each of your written statements will be 
made part of the record. And if you can summarize your 
testimony in about 5 minutes, then we can go to questions.
    We are supposed to have another vote here in roughly an 
hour or so. And so, hope that will help us move along.
    Ms. Takai, please proceed.

STATEMENT OF HON. TERESA TAKAI, CHIEF INFORMATION OFFICER, U.S. 
                     DEPARTMENT OF DEFENSE

    Ms. Takai. Thank you.
    Well, good afternoon, Chairman Thornberry, Ranking Member 
Langevin, and distinguished members of the subcommittee.
    Thank you for this opportunity to testify on the 
Department's information technology and cybersecurity budget 
that has been requested for fiscal year 2013.
    I would like to describe for you the highlights of that IT 
and cybersecurity budget request, as well as give you an update 
on what the Department is doing to modernize IT, that is so 
important both from the standpoint of a strong cybersecurity 
defense, but also from the standpoint of effectiveness and 
efficiency.
    The Department's fiscal year 2013 IT budget request of 
approximately $37 billion includes funding for a broad range of 
information technology investments that support our mission-
critical operations at the tactical edge, on the battlefield, 
as well as the business support operations.
    Included in the overall IT budget is approximately $3.4 
billion for cybersecurity efforts designed to ensure our 
information systems and networks are protected against known 
cyber vulnerabilities and are resilient to the ever increasing 
cyber threats the Department and the Nation face.
    Among the Department's efforts to improve its effectiveness 
and efficiency is the consolidation of the Department's IT 
infrastructure: its networks, computing services, data centers, 
application and data services, while simultaneously improving 
the ability to defend that infrastructure against growing cyber 
threats.
    My office is currently leading the implementation of these 
initiatives as described in our enterprise strategy and 
roadmap. But it is important that we work closely with the 
services, Joint Staff, and U.S. Cyber Command to more 
aggressively modernize our overall information systems.
    One of the central pillars of that modernization and 
effectiveness is to move us to a single joint network 
architecture. This will allow the Department, and specifically 
U.S. Cyber Command, to have better visibility into what is 
happening on our networks and to better defend against cyber 
attacks.
    This will be done in conjunction with our aggressive data 
center consolidation. We are currently working to eliminate our 
excess capacity and consolidate into fewer data centers.
    We are on track to significantly reduce the number of data 
centers. And by the end of this year, we will reduce our 
current inventory of 772 data centers by more than 115.
    In addition to these Department-wide efforts, the services 
and defense agencies have individually taken actions to better 
position the information enterprise and security posture.
    Army has reduced the number of IT applications from 218 to 
77 during their BRAC [Base Closure and Realignment] move from 
Fort Monmouth, New Jersey, to Aberdeen Proving Ground. And that 
is just one example of the challenges that they have faced and 
the actions they have taken.
    Navy has reduced by 50 percent the number of applications 
across its 21 functional areas. The Marine Corps has gone from 
1,800 applications to only 700 over the past 18 months. And the 
Air Force has taken aggressive action and reduced its fiscal 
year 2013 budget request by over $100 million.
    As noted above, the $37 billion of the IT budget includes 
approximately $3.4 billion for our cybersecurity program. This 
includes funding for cyber network defense, cryptographic 
systems, communication security, network resiliency, workforce 
development, development of cybersecurity standards and 
technologies throughout the Department.
    It does include Cyber Command's fiscal year 2013 budget 
request of $182 million.
    I would like to highlight a few areas where I think the 
Department has made significant progress.
    The Department has currently deployed a modular system 
called Host-Based Security System [HBSS], which enhances our 
situational awareness of the network and improves our ability 
to detect, diagnose, and react to cyber intrusions in a more 
timely manner.
    We have currently deployed HBSS on our unclassified and 
secret networks. Included in our fiscal year 2013 request, are 
funds to continue the deployment and sustainment of new HBSS 
capability modules to better harden, and to provide an 
automated capability to continually monitor the computer's 
configuration and to improve the human and device identity 
management capabilities.
    We have also taken the lead in assessing the risk of the 
global supply chain to our critical information and 
communications technology by instituting the Trusted Defense 
Systems/Supply Chain Risk Management strategies that were 
described in a report delivered to Congress in January of 2010.
    Another critical success the Department has had is our 
Defense Industrial Base Cybersecurity and Information Assurance 
Program. This program offers a holistic approach to 
cybersecurity to include our classified threat information 
sharing by the government, with voluntary sharing of incident 
data by industry in our defense industrial base; sharing 
mitigation remediation strategies, digital forensic analysis, 
and cyber intrusion assessments.
    Another area that has become increasingly important to the 
Department, our mission, consumers, and the economy is 
electromagnetic spectrum. As pressure for access to spectrum 
continues, I look forward to working with Congress on future 
spectrum legislation proposals that achieve a balance between 
expanding our wireless and broadband capabilities for the 
Nation and the need for access to spectrum to support critical 
warfighting capabilities in support of our national security.
    Thank you very much for your interest in our efforts. I am 
happy to answer any questions.
    [The prepared statement of Ms. Takai can be found in the 
Appendix on page 36.]
    Mr. Thornberry. Thank you.
    General Alexander.

 STATEMENT OF GEN KEITH ALEXANDER, USA, COMMANDER, U.S. CYBER 
              COMMAND, U.S. DEPARTMENT OF DEFENSE

    General Alexander. Thank you, Chairman Thornberry, Ranking 
Member Langevin, and distinguished members of the committee for 
the opportunity to appear before you today.
    I am pleased to be here with Honorable Creedon and Ms. 
Takai. We have worked closely over the last year on many of 
these topics that we are presenting for you today.
    And I think you will see that we are making great progress. 
But as you stated, the risks are also increasing.
    We have to thank the committee for all the things that you 
have done to support us in developing Cyber Command and for the 
funding that we have received. We really appreciate it.
    It is a team sport. And one of the things that I would like 
to put on the table is from our perspective it requires the 
team of Department of Homeland Security, the Federal Bureau of 
Investigation, Department of Justice, as well as the DOD team 
that you have before us here today.
    From my perspective, as we look at it, that includes each 
of the services and the Defense Information Systems Agency; all 
key partners in helping us do our cyber mission.
    We have worked hard to make some progress. And I wanted to 
talk a little bit about that progress over the next 25--no just 
kidding--4 minutes.
    As you know, the United States relies on access to 
cyberspace for our national and economic security. Secretary of 
Defense Panetta and Chairman Dempsey both emphasized that cyber 
is one of the areas slated for investment in an overall defense 
budget that will be leaner in the future.
    The task of assuring cyberspace access has drawn the 
attention of our Nation's most senior leaders over the last 
year. And their decisions have helped to clarify what we can 
and must do about developments that greatly concern us.
    The U.S. Cyber Command, as I stated, is a component of a 
larger U.S. government-wide effort to make cyberspace safer for 
all, to keep it a forum for vibrant citizen interaction, and to 
preserve our freedom to act in cyberspace in defense of our 
vital interests and those of our allies.
    Although Cyber Command is specifically charged with 
directing the security, operation, and defense of the 
Department of Defense's information systems, our work and our 
actions are affected by threats well outside DOD networks, as 
the ranking member stated; threats the Nation cannot afford to 
ignore.
    What we see both inside and outside the DOD information 
systems underscores the imperative to act now to defend America 
in cyberspace.
    In my time with you today, I would like to talk a little 
bit about the strategic context, the last 2.5 minutes, and give 
you the five key areas that we are doing.
    First, cyberspace is becoming more dangerous. The 
intelligence community's worldwide threat brief to Congress in 
January raised cyber threats to just behind terrorism and 
proliferation in its list of the biggest challenges facing the 
Nation.
    Americans have digitized and networked more of their 
businesses, activities, and their personal lives, and with good 
reason they worry more about their privacy and the integrity of 
their data. So has our military.
    Dangers are not something new in cyberspace. When I spoke 
to you last year, I noted the sort of threats that were once 
discussed in theoretical terms were becoming realities, and 
actually being deployed in the arsenals of various actors in 
cyberspace.
    We have long seen cyber capabilities directed by 
governments to disrupt the communications and activities of 
rival states, and today we are seeing such capabilities 
employed by regimes against critics outside and inside their 
own countries, for example, in the Arab Spring.
    Cybercrime is changing as well. The more sophisticated 
cyber criminals are shifting away from botnets towards 
stealthier, targeted thefts of sensitive data they can sell.
    We saw digital certificate issuers in the U.S. and Europe 
hit last year and a penetration of the internal network that 
stores RSA's authentication certification led to at least one 
U.S. defense contractor being victimized by actors wielding 
counterfeit credentials.
    Nation-state actors in cyberspace are riding this tide of 
criminality. Several nations have turned their resources and 
power against us, and foreign businesses and enterprises, even 
those that manage critical infrastructure in this country and 
others.
    There are five key areas that I would like to walk through 
that we are working on that I think are important to this 
committee.
    First, building the enterprise and training the force, 
something that we are working closely on. And, I think, as you 
think about developing that force and where we need to go in 
the future, that should be our number one priority.
    As Teri mentioned, I think number two is developing a 
defensible architecture. Three, getting the authorities correct 
that we need. The teamwork that we have within the government, 
setting that teamwork right is number four, and perhaps one of 
the biggest areas that we can do. And finally, a concept for 
operating in cyberspace, and we have done those things.
    In closing, I think we are making progress, as you stated. 
But we also note that the risks that face our country are 
growing faster than our progress. And we have to work hard to 
do that.
    Thank you again for inviting me here today.
    [The prepared statement of General Alexander can be found 
in the Appendix on page 51.]
    Mr. Thornberry. Thank you.
    Ms. Creedon.

   STATEMENT OF HON. MADELYN CREEDON, ASSISTANT SECRETARY OF 
   DEFENSE FOR GLOBAL STRATEGIC AFFAIRS, U.S. DEPARTMENT OF 
                            DEFENSE

    Secretary Creedon. Thank you, Chairman Thornberry and 
Ranking Member Langevin, for inviting us to discuss the 
Department's strategies for operating in cyberspace.
    I too am pleased to appear here today with Ms. Teri Takai, 
the DOD Chief Information Officer, and General Keith Alexander, 
the Commander of U.S. Cyber Command.
    We are all here on behalf of the men and women of the 
Department of Defense who commit themselves every day to 
ensuring the safety of the United States, both at home and 
abroad.
    Today, I would like to present a brief overview of the 
Department's efforts in cyberspace. This includes an update on 
the implementation of the defense strategy for operating in 
cyberspace, the progress we have made in meeting the goals of 
the 2010 Quadrennial Defense Review, and the recently released 
DOD Strategic Guidance for Operating Effectively in Cyberspace.
    DOD continues to develop effective strategies for ensuring 
that the United States is prepared for all cyber contingencies 
along the entire spectrum from peace to crisis to war.
    Importantly, during these times of fiscal constraint, DOD 
is also taking advantage of the efficiencies that advances in 
information technology provide. Almost every feature of modern 
life now requires access to information infrastructure, and DOD 
is no exception.
    We maintain over 15,000 network enclaves and 7 million 
computing devices in installations around the globe. These 
networks, upon which DOD relies, represent both opportunities 
and challenges.
    Whereas the threat was once the province of lone-wolf 
hackers, today, our Nation, our businesses, and even our 
individual citizens are constantly targeted and exploited by an 
increasingly sophisticated set of actors.
    While it is difficult to get hard data, we believe the cost 
of these intrusions run into the billions of dollars annually. 
We know they pose a clear threat to our economy and our 
security.
    We are also increasingly concerned about the threat to our 
defense industrial base and the Nation's critical 
infrastructure. We have seen the loss of significant amounts of 
intellectual property and sensitive defense information that 
reside on or transit defense industrial base systems.
    The loss of intellectual property has the potential to give 
an adversary leap-ahead technology to achieve parity with some 
of our most sensitive capabilities.
    The Department has been working around the clock, often in 
close cooperation with the Department of Homeland Security and 
other agencies, to protect the Nation from these threats.
    Last July, DOD released the Defense Strategy for Operating 
in Cyberspace, the DSOC. This document marked a significant 
milestone for the Department because it is the first 
comprehensive strategy to address this new operational domain.
    The DSOC built upon the President's National Security 
Strategy, the International Strategy for Cyberspace, and the 
Department's Quadrennial Defense Review.
    The DSOC guides DOD's military, business, and intelligence 
activities in cyberspace in support of U.S. national interests.
    The Department is currently conducting a thorough review of 
the existing rules of engagement for cyberspace. We are working 
closely with the Joint Staff on the implementation of a 
transitional command and control model for cyberspace 
operations.
    This interim framework will standardize existing 
organizational structures and command relationships across the 
Department for the application of the full spectrum of 
cyberspace capabilities.
    Within the U.S. Government, DOD works very closely with our 
colleagues in the Departments of Homeland Security, Justice, 
State, Treasury, Commerce, as well as a number of other 
agencies.
    Although DOD maintains robust and unique cyber capabilities 
to defend our networks and the Nation, we believe strongly in a 
whole-of-government approach to cybersecurity.
    As such, we fully support the Department of Homeland 
Security's role in coordinating the overall national effort to 
enhance the cybersecurity of U.S. critical infrastructure.
    We also believe that we have to approach cybersecurity from 
a global perspective. As a result, DOD is pursuing both 
bilateral and multilateral engagements to enhance our 
collective security and develop norms of behavior.
    We have to respect and remember, however, the delicate 
balance between the need for security and our cherished rights 
to privacy and civil liberties.
    Make no mistake. DOD is committed to focusing on external 
actors while ensuring the privacy and civil liberties of our 
citizens.
    Thank you again for the opportunity to appear here today. 
And I look forward to your questions.
    [The prepared statement of Secretary Creedon can be found 
in the Appendix on page 72.]
    Mr. Thornberry. Thank you.
    I would like to pose a question. I guess, a different 
question to each of you in this first round.
    Ms. Takai, roughly $37 billion is, I think you said, is the 
Department's request for information technology.
    You know, obviously under current law if something doesn't 
change in January 2013, every program, project of the 
Department of Defense is going to be cut 8 to 12 percent 
because of sequestration. So it seems to me particularly in 
information technology, that that could cause some 
difficulties.
    Can you describe for us, briefly, what that would mean for 
the programs that you are responsible for?
    Ms. Takai. Well, there will be a variety of impacts.
    First of all, one of the biggest challenges is we have a 
number of programs underway that will have to take both 
reductions and potentially--if in fact we are operating under 
continuing resolution--we will have to take a pause.
    So for instance, we have several logistics projects 
underway in several of the service areas to improve their 
capability. And those would obviously be affected.
    We have several of the IT modernization efforts that are 
being funded from our operations and maintenance budget that 
would need to be slowed down.
    And then on top of that, of course, those dollars would 
impact the dollars that we are spending on cybersecurity.
    So some of the programs for instance that I mentioned, 
where we are looking to roll out a process that we call 
``continuous monitoring'' to give us more capability to 
actually be able to, rather than take in periodic checks, be 
able to provide the tools to continually look at the network.
    So I think what would happen is that many of those 
programs, we would slow down. And then we would have to 
prioritize to determine--there may be some selected programs 
that we would need to prioritize and effectively stop in order 
to make sure that we were continuing to fund some of the high 
priority items, for instance, in the cybersecurity area.
    Mr. Thornberry. Okay, thank you.
    Ms. Creedon, last year this subcommittee had several cyber 
hearings where we tried to understand what the responsibility 
of the Department of Defense was to defend the private sector 
in cyberspace.
    And really we had a hard time getting an answer.
    And I heard in your testimony that we are working through 
authorities and rules of engagement and a variety of things. 
But when do you think the administration would be able to go to 
the private sector and say, ``Okay, here is what we will do for 
you in cyberspace. Here is how we will defend you, beyond that 
you have got to figure the rest of it out on your own.''
    Or when can we make clear what the government's--DOD's 
responsibility is versus other responsibilities?
    Secretary Creedon. There are probably two pieces to this 
question. But the first is it is the Department of Homeland 
Security's role. They are the lead Federal agency to ensuring 
that there is protection of the ``.gov'' and also working with 
the private sector.
    So like any other situation where DOD would provide 
assistance to civil authorities, DOD would provide assistance 
as needed, as requested, as required, by the Department of 
Homeland Security [DHS] in the event that there were some sort 
of an event where DHS required DOD assets, just like in 
responding to a hurricane. So I mean, it would be very similar 
to that.
    Now the second piece of this is the private sector that is 
uniquely connected with DOD, the defense industrial base. And 
so within the defense industrial base, the Department in an 
effort that is led by the CIO's office, by Ms. Takai, there is 
a process where we are getting ready to expand the defense 
industrial base which are our contractors that provide the 
unique services to DOD.
    Now there is a subset of that as well. And that is what has 
been referred to as the DIB Pilot, the Defense Industrial Base 
Pilot. And that is yet another subset of these defense 
industrial base contractors where we are working with them in a 
unique way to provide additional capabilities to them.
    And that program has been in close collaboration with 
CYBERCOM [U.S. Cyber Command] and also with DHS to provide 
additional protections to this subset of the defense industrial 
base, who will then turn around and provide protections to the 
rest of the industrial base.
    And that one, we are in the process of expanding as well.
    Mr. Thornberry. I hear what you are saying. I am just not 
completely convinced if we have a big section of the country 
without electricity that people are not going to look to the 
Department of Defense and say, ``Why aren't you protecting 
us,'' or some other sort of scenario.
    I think it continues to provide policy challenges more to 
us and legal challenges more than technical challenges, which 
is part of the reason I posed the question.
    Finally, General Alexander, kind of looking at this from a 
broad perspective, as you know, and as I mentioned in my 
opening statement, Congress is working on cyber legislation to 
try to update some of the laws that had not been updated.
    This takes a little beyond maybe Cyber Command, but if you 
had to name one thing that Congress could do legislatively, 
that would, in your opinion, be of assistance in defending the 
country in cyberspace, what one thing or one area do you think 
would make the most difference?
    General Alexander. I think the key thing from my 
perspective is information sharing.
    We need to be able to see an attack on the country, which I 
think is DOD's domain to defend the country from an attack 
versus what DHS is doing to help prevent and protect.
    So the resilience that they do in the public face, the DOD 
requirement would--if our Nation is attacked by another nation-
state or a non-nation-state actor at a certain point, the 
Defense Department would step in.
    We can only do that if we can see it.
    And I think that goes in line with the standing rules of 
engagement that the policy folks are working along with the 
criteria that goes with it. So information sharing.
    Mr. Thornberry.
    Thank you.
    Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    Again, thanks to the panel for your testimony here today.
    I guess I would like to press a little further, and the 
Chairman was raising this point.
    How do you feel the unique and powerful capabilities of 
CYBERCOM, that CYBERCOM possesses, can best be leveraged to 
protect networks and infrastructure that is outside of 
``.mil''?
    General Alexander. We will start with you.
    General Alexander. I was going to pass that to the 
Honorable Ms. Creedon. But, I think the first part is, I think 
in extremis the Defense Department would be the natural ones to 
defend the country.
    I believe within the administration, there is general 
agreement that that is correct. The issue is now what are those 
circumstances, and how do we do it?
    What does the Defense Department do?
    Well, the Defense Department is the only one with, not only 
the defensive capabilities that we have, that Teri Takai talked 
about, and some of the offensive capabilities that the Nation 
would need to defend itself.
    I think both of those, coupled with the ability for the 
Defense Department networks to see globally with the 
intelligence community, are going to be key to defending the 
Nation.
    So that is what needs to be brought to bear. And for us to 
be successful, we have to partner with industry to share 
information, to know when some of these events are going on.
    I think that is key to it in setting up the framework.
    I think the President's paper on cybersecurity that came 
out in May of 2009, sets the framework for that for the 
government. So I do think that is the starting point.
    And then add to it what the Department did last year, I 
think, is the next step for showing what we would do.
    Mr. Langevin. Very good.
    Would you like to comment as well?
    Secretary Creedon. If the Department, I mean, if the 
country were truly attacked, then the President would have the 
authority obviously to defend the country however was needed. 
And DOD would be ready to do whatever it was that the President 
called upon the Department to do in the event of a real attack.
    Now, one of the things, I think, that is important is that 
in the event of attack, all of the range of options would still 
be available to the President. So you wouldn't necessarily 
limit a cyber response. It could be a kinetic response. It 
could be a diplomatic response. It could be the full range of 
options available to the President.
    But clearly, if there were a real attack, DOD would be 
ready to do whatever it was called upon to do.
    So I think if that was an uncertainty in this realm, I 
think we believe that the realm of cyberspace is like the realm 
of any other attack.
    Mr. Langevin. General, let me go back to you.
    In many ways we are at a tipping point right now with 
respect to the capabilities of cyber offense, cyber defense, 
intelligence gathering, if you will, and the degree to which 
you can talk about this in this setting--and you and I have 
spoken about this often.
    In order to be really effective at being able to defend the 
country, we have to be as far out from our shores as possible, 
and far out forward advanced in cyberspace as possible.
    When--and I think you may have used this example before, 
certainly others have--if we saw a missile coming to the United 
States, the easiest, most effective way to take that down is at 
its source in the boost phase, same thing with a potential 
attack on the country.
    Will we ever get to the point where we are going to have 
policy in place that allows Cyber Command to act at the 
earliest possible stages before an attack is launched, or when 
it is in its first stages of being formulated or that it might 
be in fact imminent?
    General Alexander. Well, I think the Department is working 
on the standing rules of engagement that would give us 
authorities. Now the issue will be what set of authorities will 
we be given. And what are the conditions under which we could 
conduct those authorities still have to be determined and 
ironed out within the administration.
    I do think that is at the top of the list of the cyber 
things that we are working on right now.
    I know in USD Policy [Office of the Under Secretary of 
Defense for Policy] that is one of the key actions that are 
going on. And we talk about it on a daily basis, pushing some 
of those forward.
    So I am confident that over the next month or two, some of 
that will actually go through.
    Mr. Langevin. Last question before my time runs out. And I 
just want to return back to the part of my opening statement 
when I talked about critical infrastructure that resides off 
``.mil'' networks such as the power grid, essential to our 
military bases, and our ability to conduct full spectrum 
operations.
    What discussions are underway to address the points of 
vulnerability? And how has the dialogue advanced in the past 
year?
    General Alexander. I take it----
    Mr. Langevin. General Alexander.
    General Alexander. Yes. I think we are making progress.
    As you may know, the Department of Homeland Security and 
the Defense Department established a joint collaboration 
element at NSA [National Security Agency] to help bring those 
two together to actually ensure that we leverage the 
capabilities of both departments.
    In that respect, I think that is going forward well. I 
think we are making progress.
    It hasn't solved the specific questions that you have 
asked. But it is a starting point for DHS which would be the 
public face with industry. And they could leverage the 
technical capabilities of both NSA and the FBI [Federal Bureau 
of Investigation] in accomplishing their mission.
    I think that is useful. And it keeps us from trying to 
develop again another NSA or another FBI.
    And it is exactly what I think the Nation would want us to 
do. So we are making progress in that area.
    I think, in my opinion, everybody has great intentions in 
doing it correctly. There is a lot of tough issues here on what 
is the government's role in this, what is industry's role, and 
within the government, making sure that we have each of the 
parts right.
    But from my perspective, we are getting that set right. And 
I am comfortable with the position and the parts that they are 
giving us to do.
    And those are the things that I think the Nation would 
expect the Defense Department and Cyber Command to do.
    Mr. Langevin. Very good, thank you all.
    And I yield back, Chairman.
    Mr. Thornberry. Mr. Conaway.
    Mr. Conaway. I thank the gentleman.
    Ladies and gentlemen, thank you for being here.
    Holding a little bit--Ms. Creedon, you mentioned that the 
rules of engagement are under development.
    When do you expect to have those done?
    Secretary Creedon. It is a collaborative process between 
the Joint Staff and the Office of Policy. And we have been 
working on these for quite a while.
    Mr. Conaway. Right.
    Secretary Creedon. And so our hope is, as General Alexander 
said, is to have these done in a couple of months.
    Mr. Conaway. Okay. Is there a similar effort at Homeland 
Security to develop their rules of engagement that you guys 
coordinate with those guys on?
    I don't like the look of surprise on your face.
    Secretary Creedon. I don't know the answer to that question 
actually.
    Mr. Conaway. I guess for us this gets back a little bit to 
what the chairman was talking about, and that is we have got a 
bifurcated system. We have got Homeland Security with certain 
responsibilities, and the Department of Defense with others.
    And in terms of attack, cyber attacks, it is over before 
you know what happened. These happen at lightning speed. Even 
on the threats from the Soviet Union, we had some warning if 
they were to launch something at us.
    And in these circumstances, that warning would be over 
with, in a cyber-speed. And we wouldn't develop a NORAD [North 
American Aerospace Defense Command], and put it under a 
civilian umbrella to say, ``alright, you warn them, and then we 
will tell the Department of Defense what you need to know to 
what to launch.''
    And it seems to me that is what we are building here.
    And then my question is: is that the best way to defend the 
country is to have that bifurcation, because I agree with 
General Alexander. We don't need to replicate, nor do I think 
we can, because the quality of NSA.
    I don't think you replicate it. They have got the best as 
it is. And so you can't replicate that at Homeland Security, 
nor would anybody suggest that.
    So how do we make this work given two different cabinet 
agencies?
    Secretary Creedon. The Department of Defense supports DHS 
in a whole-of-government approach. And this is one of the 
things that we have been working on through a variety of 
different mechanisms to make sure that, just like in response 
to a hurricane, DOD would provide whatever assistance was 
necessary to DHS to respond.
    You know, in the event of any sort of requirement that DHS 
had from DOD, DOD would respond.
    Now, one of the things that we have been doing is working 
very closely with DHS to make sure that we are tightly 
integrated through a variety of mechanisms. So General 
Alexander just mentioned the joint cyber element which is a 
collaborative effort.
    There are other collaborative efforts going on including 
the extension of the DIB Pilot.
    Mr. Conaway. Okay.
    Secretary Creedon. We are working with them very closely to 
make sure that we can provide them everything they need.
    Mr. Conaway. Okay.
    General Alexander. Could I just add to that?
    I think if we look at the different roles, the Department 
of Homeland Security is the public face for what goes on in the 
United States for helping to set up the standards for 
resilience, for ensuring the rest of government networks are 
set.
    And it is forensic in nature. When attack has occurred, 
they bring together a team--or an exploit has occurred, they 
bring together a team. And we look at that and we figure out 
what more we could do to set up the defense.
    The FBI's role would be one of law enforcement. Is this a 
criminal act? Was this espionage? And they take the lead in 
those cases.
    Mr. Conaway. Yes.
    General Alexander. If it is an attack though, now it shifts 
over to, in my mind, the Defense Department. The issue is can 
we determine the difference between those.
    So----
    Mr. Conaway. And I don't disagree. I don't disagree with 
that.
    But at that point in time, the damage is done. So that is 
where--now we are looking back at it, how do we put the 
hurricane damage back together?
    And I get that part. But this----
    General Alexander [continuing]. So----
    Mr. Conaway [continuing]. How do you stop it before it 
happens?
    General Alexander. So we agree that the three centers that 
we have, between FBI, DHS and DOD, they have to be connected 
and integrated with people from each of those centers at the 
other.
    So that when an event occurs that is FBI or DHS lead, we 
all agree that is it.
    But when in extremis, the worst case is if it is an attack 
on the Nation. They all see that now it shifts over to a DOD or 
whoever the President has determined responsibility.
    Mr. Conaway. Okay----
    General Alexander. Because that is where the standing rules 
of engagement would actually----
    Mr. Conaway [continuing]. Are those going to be quick 
enough in cyber to make a difference to stop the attack?
    General Alexander. Well, that is what we are pushing for. 
What I am pushing for is to have those that can actually allow 
us to prevent----
    Mr. Conaway. Right----
    General Alexander [continuing]. And protect.
    Mr. Conaway. Okay.
    The DIB [Defense Industrial Base Pilot Project], the 
enhanced project, pilot project, whatever, how do we know that 
everything that we know that the private sector didn't already 
know, and that we have over classified or we are protecting 
data or information or at times modalities that are already 
known to the private sector?
    Where in the team do you look at that and say, you know, 
this really is a secret that only we know or something that is 
broader and we don't have to overlap and duplicate things?
    General Alexander. That is a great question. I think it can 
be more easily answered in a classified environment.
    I think to hit this though, we do have capabilities that we 
are able to share the signatures with the companies. And we 
know, based on their defenses, whether they have that signature 
or not.
    Mr. Conaway. Okay.
    General Alexander. And so the ability to share that, and we 
can also see what companies after the fact did not have that 
because they have been exploited by it.
    This is an area where information sharing would be 
absolutely vital to stopping some of these exploits that are 
going on right now.
    Mr. Conaway. All right.
    Thank you, Mr. Chairman.
    Mr. Thornberry. Thank you.
    Mr. Andrews. Thank you, Mr. Chairman.
    I want to focus on something that you have heard from 
several members of the committee and that is this notion that a 
huge percentage of our critical assets are in the private 
sector, and how we deal with that.
    I think you have all done a really good job given the way 
we have collectively defined the problem. But I think we have 
collectively misdefined the problem.
    For years, for a couple of centuries, the way Newton viewed 
physics was the right way to view it. And the data he collected 
weren't wrong. They were right given his premises. And then 
Einstein came along with the theory of relativity and the whole 
world changed.
    And what I am hearing thread through this discussion, I 
think, is two misperceptions. First is that we centered the 
jurisdiction to take care of the utility companies, and the 
commercial sector, and homeland security because this is a 
threat to the homeland.
    I think the question should be: where is the threat from, 
not what is it to?
    And although we have domestic hackers who are criminals, I 
think that the principal threat that we face would be 
asymmetric warfare or state-to-state warfare, propagated by 
enemies outside the country.
    So I would question whether that is the right assumption.
    And then the second one is that we have had a lot of 
discussion here about the rules of engagement once the attack 
has occurred. I would chime in what Mr. Conaway just said.
    The attack has occurred. It is kind of over in a lot of 
ways. And there is not a whole lot to respond to once a system 
is corrupted.
    I think the premise--the focus ought to be on prevention 
rather than engagement once the attack has begun. And it 
strikes me that--well, it strikes me that because these 
premises are wrong, and this might violate hundreds of years of 
tradition of Posse Comitatus.
    I think if we are worried about a threat coming from 
outside the United States to attack critical infrastructure, to 
cripple our economy, our telecommunications systems, our power 
grid, that the Defense Department ought to be the focal point 
of the effort, number one, because our technology is more 
advanced, and because the agency is geared that way.
    And number two, I think our focus ought to be hardening our 
systems to prevent an attack, number one. And then talk about 
responding to it once it occurs.
    What is wrong with that analysis?
    Secretary Creedon. There is a lot in there. Let me unpack 
it just a tiny bit.
    Mr. Andrews. All right.
    Secretary Creedon. So first, let me just touch briefly on 
the international side of it.
    So right now, the Department is very much engaged with a 
number of our allies, particularly our close allies, Canada, 
U.K. [United Kingdom], Australia, and New Zealand. And we are 
working with them to enhance our collective security and our 
collective awareness.
    So we are not in this just alone looking outside from here.
    So we really are trying to build an international----
    Mr. Andrews. But if I may, if----
    Secretary Creedon [continuing]. Provide----
    Mr. Andrews [continuing]. The lead agency to defend us 
internally is Homeland Security, then it strikes me that an 
agency that regularly interacts with other governments ought to 
be the lead here, right?
    I mean, Homeland Security doesn't really interact all that 
much with the intelligence or tech capabilities of Germany or 
Brazil or whomever, do they?
    Secretary Creedon. Well, they also have through an 
organization called the Ottawa Five. DHS, as well as other do 
participate in international forums.
    DOD is working with the militaries of our close partners to 
be prepared and to have the situational awareness.
    Now the other thing that helps is information on all the 
networks. And so the various forms of cyber legislation that 
are pending, would also allow us additional situational 
awareness through the information sharing that would be allowed 
under the authorities that are provided----
    Mr. Andrews. I am glad that is happening----
    Secretary Creedon. [Inaudible]----
    Mr. Andrews [continuing]. I am also glad this pilot program 
is happening.
    But I would just suggest to the chairman as the legislation 
goes forward, one of the things we ought to really be thinking 
about here, the way I look at it, is that how do we assure that 
our utility companies, and our banking system, and our power 
grid people, and then all the others have the hardest systems 
they can possibly have, and have access to the best available 
technology on an ongoing basis as they have?
    And frankly, my observation would be that we are not there. 
And it is not because of the efforts of these outstanding 
people, but it is because the way we define and conceptualize 
this problem, I don't think is right.
    And I would yield back.
    Mr. Thornberry. I think the gentleman makes some 
interesting and fair points. Part of my reaction is that is why 
we need to take this step and a step-by-step, although there is 
a lot of urgency to be taking some steps.
    And so we will have the opportunity to do that, I think, as 
I mentioned, in about a month on the House floor.
    We are going to have to recess. We have got two votes. I 
apologize for the break.
    But we will be back in just a few moments.
    And with that, we will stand in recess.
    [Recess.]
    Mr. Thornberry. The hearing will come to order.
    Again, thank you all for your patience.
    Ms. Takai, I would like to ask you about a couple of areas.
    You mentioned in your opening testimony about what I would 
term essentially consolidation of information databases and so 
forth.
    You know, obviously this is a trend where everybody talks 
about the cloud, partly for efficiency, partly for convenience. 
I am sure you have looked at these issues.
    One side says that if you store your data in a repository, 
it is easier to protect. Because you can ensure that the 
defenses on that data are adequate.
    Other people say if you put it all in one place, once you 
get in you have got everything.
    So can you just briefly explain to us your reasoning on 
protecting the Department's data. And how you think that debate 
comes out.
    Ms. Takai. Certainly.
    Well, there are two ways I think to look at the way we are 
approaching moving to a cloud architecture as it relates to our 
information and our infrastructure.
    One of them is that we truly believe that we will be able 
to, in a more uniform way, protect our information by moving to 
more standardized platforms and ways of operating from an 
infrastructure-protection standpoint.
    Now, the thing I think that is important, the one point 
there, is that for us that doesn't necessarily mean one cloud 
only. With our size and scope, as we are moving to 
modernization, as we are moving to consolidation, we will be 
doing it in stages.
    So we will be looking at what services are going to be 
provided by each one of the military services, and the way they 
are moving to their own clouds. And then we will be looking at 
an enterprise cloud to provide services like identity 
management, enterprise e-mail, some of those things that we 
need across the Department from an information sharing 
standpoint.
    The second point then though that is important is that as 
we look at the protection of the cloud, while in fact we are 
going to be able to better protect as we get more standardized, 
the other thing is that we are not looking at just the 
protection at the perimeter of the cloud.
    We are looking at actually putting mechanisms in place--and 
the commercial sector does this in some instances--where in 
fact, when we know that there will be instances where we may 
have a breach of the external perimeter of that cloud, and we 
need to be able to protect at the information level.
    And that is why we are focusing very much on identity 
management so we know who is in the cloud. And we are also 
linking that to what information that particular individual has 
access to.
    So it is really both of those that really gives us an 
assurance that as we move to that kind of an architecture, that 
we will be able to better protect our information.
    Mr. Thornberry. Okay. Let me change topics completely.
    You mentioned spectrum in your opening statement as well. 
Again from a very broad perspective, my sense is that as we all 
rely more and more on various devices that connect to the 
Internet, spectrum becomes a bigger and bigger issue.
    Can you just briefly describe for a lay person how you see 
that moving ahead for the Department of Defense, and how the 
investments we are making now, where they lead us?
    You know, so periodically, you know, we will have a bill. 
And we will reallocate spectrum in some way or another. But 
still there is a finite amount to reallocate----
    Ms. Takai. Right.
    Mr. Thornberry. And so we are going to have to have a 
different approach, aren't we?
    Ms. Takai. Yes, sir. One of the things that we are doing 
right now is to actually do a spectrum study around our full 
use of spectrum. And look at what are the issues going forward.
    Now some of the things that we are looking at for instance 
is when do we think there will be viability in spectrum 
sharing. That is still very much in the early stages. And we 
are looking at when that might be a viable option.
    The second is to your point. Even though and even with the 
commercial need for spectrum, we also are becoming greater 
users of spectrum as we move to more unmanned vehicles, as we 
move to, you know, many of the ISR [intelligence, surveillance, 
and reconnaissance] capabilities. So we are the users of 
spectrum as well.
    So the other piece is going to be for us to look at how we 
better use the spectrum that we have. And then thirdly, how we 
look at some of the less crowded bands of spectrum which in 
some cases will cost of us more to be able to utilize.
    But as we are looking at programs, again to the point you 
are making, out in 10 to 25 years, how do we make sure that our 
future acquisition programs are recognizing the commercial 
demand for spectrum, so that we are pointing those in the 
direction of where we believe we will have a greater 
opportunity to have dedicated spectrum going forward.
    But again, the challenge is in some of those cases it may 
mean that there are costs to the programs in order to move 
there. But when we balance those against the other economic 
issues that I think we are facing as a nation, that that will 
be the better way to go.
    I think the last thing I would mention is that the 
challenge around our utilization of spectrum is now very much 
becoming an international issue. We just finished with this 
year's World Radio Conference.
    And clearly going into the World Radio Conference in 2015, 
the issue of the utilization of spectrum not only here in North 
America, but now the growing demand coming out of the 
developing nations, is also going to make us take a very hard 
look at the way that we are using spectrum globally.
    So those are some of the issues we have coming at us in the 
future.
    Mr. Thornberry. I think it is helpful if you and others in 
the Department can alert us where we may have higher initial 
costs based on future assumptions about spectrum. That kind of 
helps explain to us some of the higher initial costs which we 
are asked to support.
    Mr. Johnson.
    Mr. Johnson. Thank you, Mr. Chairman, and thanks to our 
witnesses for joining us today.
    General Alexander, I have got a number of questions that I 
think are structured in such a way so as to easily elicit a yes 
or no response. So if I could get your agreement to answer the 
questions in that way.
    And if you want to explain them after, I will certainly 
give you a chance to explain.
    But General Alexander, if Dick Cheney were elected 
President and wanted to detain and incessantly waterboard every 
American who sent an e-mail making fun of his well-known 
hunting mishaps, what I would like to know is does the NSA have 
the technological capacity to identify those Cheney bashers 
based upon the content of their e-mails?
    Yes or no?
    General Alexander. No. Can I explain it?
    Mr. Johnson. Yes.
    General Alexander. The question is where are the e-mails, 
and where is NSA's coverage?
    I assume by your question that those e-mails are in the 
United States.
    Mr. Johnson. Correct.
    General Alexander. NSA does not have the ability to do that 
in the United States.
    Mr. Johnson. What about if the--when you say the e-mails 
are located--let us make sure we are talking about the same 
thing.
    An American e-mailing another American about Dick Cheney, 
does the NSA have capacity to find out who those parties are by 
monitoring--by the content of their e-mail?
    General Alexander. No. In the United States, we would have 
to go through an FBI process, a warrant to get that and serve 
it to somebody to actually get it----
    Mr. Johnson. If it were----
    General Alexander. [Inaudible]----
    Mr. Johnson [continuing]. But we do have the capability of 
doing----
    General Alexander. Not in the United States.
    Mr. Johnson. Not without a warrant.
    General Alexander. No, no, we don't have the technical 
insights in the United States. In other words, you have to have 
something to intercept or some way of doing that either by 
going to a service provider with a warrant, or you have to be 
collecting in that area.
    We are not authorized to collect. Nor do we have the 
equipment in the United States to actually collect that kind of 
information.
    Mr. Johnson. I see.
    General Alexander. Does that make sense?
    Mr. Johnson. Thank you. Yes, it does.
    General, an article in Wired Magazine reported this month 
that a whistleblower, formerly employed by the NSA, has stated 
NSA's signals intercepts include, quote,``eavesdropping on 
domestic phone calls and inspection of domestic e-mails.''
    Is that true?
    General Alexander. No, not in that context. The question 
that--or I think what he is trying to raise is: are we 
gathering all the information on the United States?
    No, that is not correct.
    Mr. Johnson. The author of the Wired Magazine article whose 
name is James Bashford. He writes that NSA has software that, 
quote, ``searches U.S. sources for targeted addresses, 
locations, countries, and phone numbers, as well as watchlisted 
names, key words, and phrases in e-mail. Any communication that 
arouses suspicion, especially those to or from the million or 
so people on the agency watchlist, are automatically copied or 
recorded and then transmitted to the NSA.''
    Is this true?
    General Alexander. No, it is not. Is that from James 
Bashford?
    Mr. Johnson. Yes.
    Does the NSA routinely intercept American citizens' e-
mails?
    General Alexander. No.
    Mr. Johnson. Does the NSA intercept Americans' cell phone 
conversations?
    General Alexander. No.
    Mr. Johnson. Google searches?
    General Alexander. No.
    Mr. Johnson. Text messages?
    General Alexander. No.
    Mr. Johnson. Amazon.com orders?
    General Alexander. No.
    Mr. Johnson. Bank records?
    General Alexander. No.
    Mr. Johnson. What judicial consent is required for NSA to 
intercept communications and information involving American 
citizens?
    General Alexander. Within the United States that would be 
the FBI lead. If it was a foreign actor in the United States, 
the FBI would still have the lead and could work that with NSA 
or other intelligence agencies as authorized.
    But to conduct that kind of collection in the United 
States, it would have to go through a court order. And the 
court would have to authorize it.
    We are not authorized to do it nor do we do it.
    Mr. Johnson. Thank you.
    General, the NSA is an agency of the Department of Defense. 
And you are, in addition to your responsibilities as CYBERCOM 
commander, you are a director of the National Security Agency.
    What limitations does the Posse Comitatus Act place on the 
NSA's legal authority to intercept domestic communications?
    General Alexander. Well, I think the intent of the Posse 
Comitatus, and the impacts that we have for collecting in the 
United States are the same. And the fact is we do not do that 
in the United States without a warrant.
    Mr. Johnson. Thank you.
    And I will yield back.
    Mr. Thornberry. I thank the gentleman.
    Let me--I am not sure. This may be Ms. Takai and General 
Alexander, but in the 2010 Defense Authorization Act, we passed 
Section 804, that directed DOD to develop and implement a new 
acquisition process for IT systems.
    And then in the 2011 Defense Authorization Act, we directed 
DOD to develop a strategy to provide for rapid acquisition of 
tools, applications, and other capabilities for cyber warfare 
for the United States Cyber Command, and cyber operations of 
the military departments.
    Can either or both of you all give us an update on where 
each of those authorities or requirements stand now?
    Ms. Takai. Yes, perhaps I can start. And General Alexander 
can add on.
    Let me start with the acquisition reform which is the 804.
    I think that report was delivered. And we are in the 
process of implementing those changes.
    Those are going--some of those changes that were in the 
report are going into the DOD 5000 process which I think all of 
you know is our acquisition process.
    In addition, we are implementing many of the 
recommendations, particularly around what we call ``agile 
development methodologies'' that allow us to turn out product 
much more quickly, in a much more cyclical fashion, if you 
will, and to take large projects and put them into smaller 
deliverable chunks.
    So there are any number of actions against the 804 that we 
are in the process of developing and delivering on. And we are 
actually using those in our project delivery.
    As it relates to the rapid acquisition from a cybersecurity 
perspective, we have all been working with the Acquisition, 
Technology, and Logistics organization on the response to 
Congress on that which is known as our 933 Report.
    We are actually now all coordinating on what we believe is 
the final version of that report. In fact, we all saw it over 
the weekend with the request that we would get our comments 
back in, because I think that Mr. Kendall knows that that needs 
to come forward.
    It is looking at any number of different areas. It is 
looking at actually being able to provide General Alexander 
with several different ways of going at acquisition to make 
sure that he can turn them more quickly. But also taking 
recognition that there will be some large project expenditures 
included in that as well.
    So I think you can expect to see that report fairly 
shortly.
    Mr. Thornberry. Well, I will just say for myself, if as you 
work through those issues, if you believe additional 
authorities are needed, please let us know. Because it makes no 
sense at all for us to operate at the speed of the industrial 
age in cyberspace, and then basically that is what we are 
talking about here.
    And so, you know, I will look forward to receiving the 933 
Report. But please keep in mind that if you all decide you need 
additional authorities, we want to know that.
    General Alexander it was kind of an interesting 
conversation with Mr. Andrews a while ago. And part of--it 
seemed like that conversation was--we know for sure who is 
launching an attack or exploitation--just in this setting in a 
brief way, can you summarize the threat in cyberspace as you 
are seeing it and as Cyber Command has to calibrate its efforts 
to deal with?
    General Alexander. I characterize the threat, Chairman, in 
three ways.
    Largely what we see is exploitation and the theft of 
intellectual property. That is what is going on in the bulk of 
the cyber events that we see in the United States.
    In May of 2007, we witnessed a distributed denial-of-
service attack. Think of that as a disruptive attack against 
Estonia by unknown folks in the Russian area and around the 
world, and then subsequently we have seen in Latvia, Lithuania, 
Georgia, Azerbaijan, Kyrgyzstan.
    What we are concerned about is shifting from exploitation 
to disruptive attacks to destructive attacks.
    And what concerns us is that the destructive ones, those 
attacks that can destroy equipment, are on the horizon. And we 
have to be prepared for them.
    I do think the two things--if I could just state two things 
more clearly. We talked about the rules of engagement which 
would be key on this.
    We do have rules of engagement in 2004. What we are talking 
about is updating those to meet this evolving threat. So that 
is the key that the Department is working on.
    The second is we do need DHS in this mix for a couple of 
reasons.
    The Department of Homeland Security, I think, should be the 
public face for all the reasons. And Mr. Johnson brings out a 
good one. The American people have to know that what we are 
doing is the right thing, that we are protecting civil 
liberties and privacy. And that we are doing this in a 
transparent manner.
    By having DHS working with FBI, NSA, and DOD all together, 
there is transparency in that. At least the government and 
everybody will know that we are doing it right.
    Two, I think they are the ones that need to set the 
standards for other government agencies and work with them to 
ensure those networks are defensible. If we tried to do that, 
it would sap much of our manpower that you really want us 
focused on defending the country and going after the 
adversaries in foreign space.
    That is where we should operate. And I think there is 
synergy there in doing that.
    Mr. Thornberry. Okay, thank you.
    Ms. Creedon, you have, at several times today, mentioned a 
variety of efforts underway in the administration to update 
authorities, rules of engagement, a whole variety of things.
    It seems to me that there are a host of difficult policy 
issues involved in cybersecurity, not all of which are DOD-
focused. And yet it has been challenging for me at least, to 
try to get my arms around what the questions are, what those 
tough issues are.
    Are you all--is the DOD policy shop--for lack of a better 
way to describe it--compiling a list of the tough policy 
decisions that not just the administration, and not just the 
government, but the country is going to have to grapple with as 
more and more of our lives are dependent upon, and even to some 
degree lived in cyberspace.
    Secretary Creedon. Well, DOD has certainly been working on 
those things that are within DOD's realm. And among those are 
some of the issues that we recognize that we share with the 
other agencies.
    And so, I mean, to go back to the legislation again, some 
of the common elements, but certainly in Lieberman-Collins 
bill, you know, some of the elements in that bill are the 
results of the work that the whole interagency, including DOD, 
have done to identify those things where we really do need some 
additional input.
    So that legislation for instance in terms of coming up with 
methodologies to protect critical infrastructure protection, so 
the bill would urge the setting of standards--would direct the 
setting of standards.
    The sharing of information, this again is a very delicate 
situation where how do we share the right information to make 
sure that we have visibility into what is going in networks, 
but are not doing anything to disrupt civil liberties and 
privacy protection. So, you know, working that sharing issue, 
working the liabilities issue.
    So some of the work that has been done within the 
interagency that really fleshed out these harder issues where 
we really do need a system of legislative assistance. Those are 
in the bills.
    The other things we are working internally and those are 
the things that for the most part DOD believes we can do 
internally.
    Mr. Thornberry. Okay. Well----
    Secretary Creedon. With guidance from the President, 
obviously, because----
    Mr. Thornberry. Sure.
    Secretary Creedon [continuing]. At the end of the day, it 
is the President's authority.
    Mr. Thornberry. Yes. And I appreciate that. I recognize a 
whole host of proposals are in the administration's cyber 
legislation draft.
    The only thing I would say is that a lot of these issues 
that probably are DOD exclusively, or DOD-centered, about what 
is war in cyberspace, how do we defend the country--some of the 
things that we have talked about already today.
    I think that is going to require more than just an internal 
administration process.
    And I would just say that as the policy office and as the 
lawyers grapple with some of these difficult decisions on what 
warfare means in cyberspace, that a dialogue between the 
administration and Congress, and ultimately between the two of 
us and the country, is really going to be essential.
    We will not be able to impose an Obama administration 
policy on this, or even a government policy on this. It is 
going to have to be--it is a little bit--I analogize it to TSA 
[Transportation Security Administration].
    Sometimes the government tries something and it is really 
stupid. And people rebel against it.
    And so they rethink. And they find a little smarter way.
    And we haven't found a smarter way to do it all yet. But my 
point is it is part of a give and take on some of these 
difficult issues.
    And I think that is especially true when it comes to 
Article 1, Section 8, and as it applies to the Congress on 
declaring war, and how can you do that at the speed of light.
    So I know that is kind of long and philosophical. But my 
point is, it is going to take us working together to work 
through these issues. And some more dialogue on these tough 
issues that don't have easy answers, I think would be helpful 
for the country.
    I yield to Mr. Langevin for any questions.
    Mr. Langevin. Thank you very much. To the panel again, 
thank you for your patience today and your testimony and the 
great work you are doing.
    You know, before I begin, the question that Mr. Johnson had 
asked, I think, you know, this certainly to the degree to which 
Members have those concerns a question is important to be 
asked.
    It has just been my experience, General, I just wanted to 
say from a personal perspective, having observed you and 
interacted with you over the years now, I have always been 
impressed with the degree which you and the folks at NSA go to 
the nth degree to try to always ``dot the i's'' and ``cross the 
t's'' and stay within the confines of the law. And it is 
reassuring that you have that dedication and respect for the 
other work that you folks are doing, so.
    I had a question on the DIB Pilot.
    Lessons learned--what lessons have you drawn from the 
Defense Industrial Base Pilot? And how have you captured the 
recommendations from Carnegie Mellon's evaluation of the 
program?
    There was some, you know, criticism. Some, you know, didn't 
think it worked as well as it was intended. And improvements 
still need to be made.
    But can you talk to us about lesson learned.
    General Alexander. Absolutely, Congressman.
    First, we did the DIB Pilot. As you know, it started in 
August. And we started the evaluation not too long after.
    And so one of the key things that we saw as an issue was 
how do we share sensitive signatures with industry?
    And when we started the pilot, we had not worked our way 
through sharing all those sensitive signatures with industry in 
a classified form. And I think the result of that is some of 
the early results were not much different than what they 
already get from their own means for getting signatures.
    I think once we started sharing those signatures, and it 
took us a while, so that was our fault. But once we started 
doing that, and they saw the value of that in specific cases, I 
think that was a way of turning the corner.
    The other thing that became clear as we went into this is 
industry doesn't always see when somebody is trying to attack 
or exploit them. And so having a forum that somebody could say, 
``Hey, somebody is trying to get into your network. You need to 
know it,'' is useful for industry as much as it is for 
government to know when somebody is trying to attack us.
    So I think from my perspective, the lessons learned were we 
have got to be quicker on sharing. I think we have solved that 
problem. And you can see now we are sharing.
    In fact the companies that initially were not as favorable, 
now have turned that around and have reentered that pilot 
program. I think that is a huge plus.
    And the other one is the information sharing, which is a 
major part of the legislation. All the legislative packages 
there which means that we can share with industry, industry can 
share with us. And we have the ability to tip in queue, from my 
perspective in real time, optional. But I think that is going 
to be key to defending ourselves in cyberspace in the future.
    Mr. Langevin. Very good.
    Anyone else on the panel care to respond to that? Take your 
question about lessons learned on DIB or did the General cover 
it?
    Okay.
    What feedback loop do you have to ensure that what is 
shared of a classified nature isn't widely known in the 
industry and thus shouldn't really be classified?
    Is that a fair question?
    General Alexander. There are two ways of doing that.
    If we see information that is widely used, then we should 
declassify it. In other words, widely available, everybody is 
seeing it.
    If we have sources and methods that are sensitive and 
classified and not widely used, then I think we would keep that 
classified.
    Think of that as the difference between Enigma and other 
public forums--if we have an Enigma-like fact in cyberspace, 
you would want us to protect that.
    And the issue is now in cyberspace, but we are going to 
have to share that with some industry so that they too can be 
protected from it.
    If it is widely known the anti-virus community has it, we 
should declassify it and get it out. And I think that is the 
approach that we are trying to take on it.
    The issue will be trying to identify those at network 
speed. And I think we will get better as we exercise in this 
area. As we work with industry, I think we will get better in 
doing that.
    Mr. Langevin. Fair enough.
    Does the DIB in its pilot have an industry ombudsman to 
help broker the relationship and information sharing exchange 
between industry and government?
    Or is that something that is planned?
    General Alexander. Actually, we used the DIB--we actually 
had an existing relationship that Ms. Takai and her folks ran 
that we actually used as the forum for starting the sharing 
relationship with DIB companies.
    So we did have that.
    And I think that started off pretty good. And it set the 
framework for how we actually put the DIB process together. It 
was based on an existing set of relationships that already 
occurred between the CIO's office and industry.
    So that was the starting point. And I think that was a good 
starting point. And it gave us a basis to go ahead.
    Ms. Takai. Well, I think it is important to note that out 
of the total number of DIB companies involved, we have about 
200 companies that are in what we call our information sharing 
effort. And 37 of those are included in the DIB Pilot.
    And it is our intention--we have a rule, a Federal rule 
that is going through now to be able to expand beyond the 200 
companies, and be able to roll out to more DIB companies going 
forward from the standpoint of actually being able to share, 
both from the standpoint of our threat information, but also in 
terms of what the companies are experiencing.
    And we are seeing a number of areas just based on data 
collection from those companies that we are getting information 
on threats that we would not have seen otherwise. And they are 
getting information from each other as well as from us about 
what the threats are and what the mitigation could be.
    And I think that complements well then the DIB Pilot 
process which was focused very much around the ISPs [Internet 
Service Providers] and being able to get some of that 
protection piece of the information--or taking the information 
sharing and moving it to the protection piece.
    So the two programs really go hand-in-hand. And one builds 
from the other.
    Mr. Langevin. Good.
    Secretary Creedon. If I----
    Mr. Langevin. Okay, go ahead.
    Secretary Creedon. If I can just add one piece to this. So 
as we go forward and we make this pilot permanent, and DHS 
becomes lead, one of the advantages of having DHS in the lead 
is that DHS will also then be able to add additional signatures 
to the process that they see.
    And the second piece of this is as we work with the ISPs, 
the ISPs then can take these capabilities and they can provide 
those security services to others who utilize their services as 
well.
    So through DHS and through this mechanism of making it 
permanent, we can actually provide more of an envelope of 
protection beyond just the defense industrial base folks 
through the use of the ISPs.
    Mr. Thornberry. If the gentleman will yield for just a--is 
there a--one always hears about limits on scalability here. Is 
there--you said 200 companies going to more. Is there a limit?
    Ms. Takai. Right now we are going to be limited by the 
resources because clearly reaching out, working with each of 
the companies, working through the structured memorandums of 
understanding that we need to have is going to be our gating 
factor in terms of number of companies.
    General Alexander. If I could, just to help clarify on 
this. That is under the current thing. If we have information 
sharing agreements, that greatly simplifies that process.
    The technical way essentially allows us to use the power of 
the Internet. And so this will scale the approach that we are 
taking in the DIB Pilot in terms of the technical capability to 
protect all that we need to protect.
    Where other solutions that we have put forward do not scale 
as easily, and are so cost prohibitive that from our 
perspective going to the DIB Pilot, managed security services, 
or whatever we call it, is probably the best thing to do for 
the country and the cheapest, most efficient way.
    I think they addressed that problem though is the 
information sharing thing is key to making that work.
    Does that make sense?
    Mr. Thornberry. Yes, sir. And that is why I wanted to try 
to delve down into that just a little bit.
    And I appreciate the gentleman yielding.
    Mr. Langevin. Yes, no, that is a great question.
    And obviously I think we all can agree that the most 
effective defense that we can have, or programs we have to 
defend our networks is this information sharing aspect. And you 
have situation awareness, you can see what is coming at you, 
what to defend against. It is a force multiplier and highly 
effective.
    What about leap-ahead technologies in the R&D realm? Are we 
any closer--I find that a fascinating statistic that, or fact 
that the lines of code of the attackers as I understand it has, 
basing the tax signatures, has stayed relatively constant. And 
yet the defense--the lines of code in defending against these 
attacks has grown exponentially.
    And how are we doing on the R&D front in terms of, you 
know, more robust defense?
    General Alexander. I have seen, Congressman, those 
statistics.
    What we are seeing is that, you know, the millions of lines 
of codes that people quote for the defense is for much more 
elegant defense.
    Of course you can come up with a small piece of malicious 
software that is only 125 or whatever they stated this small 
thing. But the reality is I think they are in balance.
    I think the key thing is the offense has the advantage 
here. Those exploiting or attacking the system has the 
advantage.
    What we need to do is move to a system then that leverages 
the power of the network to bring this back.
    From our perspective, that is using the capabilities of all 
the government agencies and industry to bring what we know 
about that network and the vulnerabilities that we have to 
light so that we can defend against them.
    I think the other part that Ms. Takai talked about was the 
going to the IT infrastructure of the future, this thin virtual 
cloud environment will make it a much more defensible 
architecture.
    I think that is key to the future. Both of those are some 
of the things that we actually have to go through.
    Mr. Langevin. Very good. And my last question, if I could, 
just going back to the DIB Pilot, in terms of the costs that 
was some of the concerns that, you know, companies had. You 
know, who is going to bear the cost for all this?
    Where are we on that? Has that been worked out or is it 
still a work in progress, if you will?
    General Alexander. Informally, it looks like the cost per 
seat per month would be somewhere between 30 cents and $1 or 
$2. And so the costs have come way down which makes this much 
more manageable.
    So if you had 6,000 seats, you are talking somewhere 
between, you know, $1,800 and maybe $6,000 a month for that 
level of service. I think the Internet Service Providers are 
actually making great progress in this way which would make 
this something that people would actually say, that is worth 
doing.
    Does that make sense?
    Mr. Langevin. Yes. And that is news to me. That is very 
helpful. I didn't realize that we are moving in the right----
    General Alexander. We would like to get it to 30 cents a 
seat. I think it is going to be somewhere in that range. And I 
think, you know, depending on what they add in, somewhere in 
there.
    But it is clearly more cost-effective than the way that we 
were going.
    Mr. Langevin. Excellent. Very good, that is good 
information to have.
    With that, I want to thank you all again for your patience 
today and testimony, the great work you are doing. And look 
forward to our continued work together. It is a big issue.
    And Mr. Chairman, thank you for the time and attention you 
have given to this issue as well.
    Thank you.
    Mr. Thornberry. Well, thank you. I agree with everything 
you just said.
    I appreciate you all being here, and your patience, and the 
chance for us to continue to work together on these issues.
    With that, the hearing stands adjourned.
    [Whereupon, at 4:05 p.m., the subcommittee was adjourned.]



=======================================================================




                            A P P E N D I X

                             March 20, 2012

=======================================================================



=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                             March 20, 2012

=======================================================================



    [GRAPHIC] [TIFF OMITTED] 73790.001
    
    [GRAPHIC] [TIFF OMITTED] 73790.002
    
    [GRAPHIC] [TIFF OMITTED] 73790.003
    
    [GRAPHIC] [TIFF OMITTED] 73790.004
    
    [GRAPHIC] [TIFF OMITTED] 73790.005
    
    [GRAPHIC] [TIFF OMITTED] 73790.006
    
    [GRAPHIC] [TIFF OMITTED] 73790.007
    
    [GRAPHIC] [TIFF OMITTED] 73790.008
    
    [GRAPHIC] [TIFF OMITTED] 73790.009
    
    [GRAPHIC] [TIFF OMITTED] 73790.010
    
    [GRAPHIC] [TIFF OMITTED] 73790.011
    
    [GRAPHIC] [TIFF OMITTED] 73790.012
    
    [GRAPHIC] [TIFF OMITTED] 73790.013
    
    [GRAPHIC] [TIFF OMITTED] 73790.014
    
    [GRAPHIC] [TIFF OMITTED] 73790.015
    
    [GRAPHIC] [TIFF OMITTED] 73790.016
    
    [GRAPHIC] [TIFF OMITTED] 73790.017
    
    [GRAPHIC] [TIFF OMITTED] 73790.018
    
    [GRAPHIC] [TIFF OMITTED] 73790.019
    
    [GRAPHIC] [TIFF OMITTED] 73790.020
    
    [GRAPHIC] [TIFF OMITTED] 73790.021
    
    [GRAPHIC] [TIFF OMITTED] 73790.022
    
    [GRAPHIC] [TIFF OMITTED] 73790.023
    
    [GRAPHIC] [TIFF OMITTED] 73790.024
    
    [GRAPHIC] [TIFF OMITTED] 73790.025
    
    [GRAPHIC] [TIFF OMITTED] 73790.026
    
    [GRAPHIC] [TIFF OMITTED] 73790.027
    
    [GRAPHIC] [TIFF OMITTED] 73790.028
    
    [GRAPHIC] [TIFF OMITTED] 73790.029
    
    [GRAPHIC] [TIFF OMITTED] 73790.030
    
    [GRAPHIC] [TIFF OMITTED] 73790.031
    
    [GRAPHIC] [TIFF OMITTED] 73790.032
    
    [GRAPHIC] [TIFF OMITTED] 73790.033
    
    [GRAPHIC] [TIFF OMITTED] 73790.034
    
    [GRAPHIC] [TIFF OMITTED] 73790.035
    
    [GRAPHIC] [TIFF OMITTED] 73790.036
    
    [GRAPHIC] [TIFF OMITTED] 73790.037
    
    [GRAPHIC] [TIFF OMITTED] 73790.038
    
    [GRAPHIC] [TIFF OMITTED] 73790.039
    
    [GRAPHIC] [TIFF OMITTED] 73790.040
    
    [GRAPHIC] [TIFF OMITTED] 73790.041
    
    [GRAPHIC] [TIFF OMITTED] 73790.042
    
    [GRAPHIC] [TIFF OMITTED] 73790.043
    
    [GRAPHIC] [TIFF OMITTED] 73790.044
    
    [GRAPHIC] [TIFF OMITTED] 73790.045
    
    [GRAPHIC] [TIFF OMITTED] 73790.046
    
    [GRAPHIC] [TIFF OMITTED] 73790.047
    
    [GRAPHIC] [TIFF OMITTED] 73790.048
    
?

      
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                             March 20, 2012

=======================================================================

      
                  QUESTIONS SUBMITTED BY MR. LANGEVIN

    Mr. Langevin. Are you confident in the state of the career paths 
for cyber professionals, and do you feel that your recruiting, 
retention, and career progression needs are being adequately addressed?
    Ms. Takai. In light of emerging cyber threats, cyber workforce 
roles, responsibilities and skill requirements continue to evolve, not 
only in, but across the Federal Government and industry. DOD is working 
with the Federal Government through the National Initiative for 
Cybersecurity Education (NICE) and Federal CIO Council to identify 
current and forthcoming cyber skill requirements, define career paths 
for cyber professionals, and to determine the optimal courses of action 
to ensure a pipeline of cyber professionals is available to meet 
mission mandates. These efforts may result in new requirements and 
methodologies in the recruitment, retention and career management of 
the Department's cyber workforce.
    Currently, several strategies are in place to aid in recruiting and 
retaining a skilled cyber workforce. Federal direct-hire authority 
provides with flexibility in recruiting and hiring select information 
security (cybersecurity) personnel within the civilian IT Management 
series. DOD also has Schedule A hiring authority for select 
cybersecurity positions for certain IT and non-IT civilian job series; 
the Department is working with the Office of Personnel Management (OPM) 
to extend and enhance this authority as it expires in December 2012. 
DOD uses the Information Assurance Scholarship Program (IASP) to 
attract students from top universities and colleges, and to retain 
personnel with cyber and information assurance skill sets who wish to 
further their education. In addition, CIO oversees the Information 
Resources Management College (iCollege) of the National Defense 
University, which recently introduced a Cyber Leadership Program. These 
authorities and programs, along with military recruiting and retention 
bonuses, are currently used to recruit and retain cyber personnel and 
are essential to maintaining the health of this community.
    Mr. Langevin. How is DOD capturing lessons learned from real-world 
cyber events and major exercises?
    Ms. Takai. Real world lessons learned are submitted to the Joint 
Lessons Learned Information System (JLLIS) database system of record. 
JLLIS is the system of record for Lessons Learned. Typically, they are 
communicated in the form of Situational Awareness Reports (SARs). For 
certain major events, a detailed analysis of the incident is conducted 
and with the results published as an SAR, which details the incident, 
threat tactics, techniques and procedures, as well as countermeasures/
mitigation options. Lesser events are often documented in quarterly 
SARs that show trends, common TTPs, systemic issues, etc. Exercise 
lessons learned also are inputted into JLLIS and their capture in the 
database has greatly improved over the last 12 to 18 months. Anyone 
with SIPR access may request an account to access JLLIS content.
    In addition to JLLIS, the Military Departments track major events 
via their respective database systems. For example, Army Computer 
Network Defense (CND) events are tracked in ACID, the Army CND Incident 
Database. The Navy Lessons Learned System (NLLS) is the Navy's process 
for collection and dissemination of significant lessons learned, 
summary reports and port visit reports from maritime operations, 
exercises and other events.
    Mr. Langevin. What more can be done to engage our allies, 
especially NATO? How can we leverage DOD ``building partnership 
capacity'' authorities to train and equip foreign forces to improve our 
allies' capabilities related to cyber operations?
    Ms. Takai. We are engaging our key allies and partners, including 
NATO, through agreements to share unclassified and classified cyber 
defense information. We may be able to do more by focusing on producing 
more classified cyber defense information which is releasable to these 
allies and partners. We are leveraging theater security cooperation 
programs in the Geographic Combatant Commands by including ``building 
cyber defense capacity'' with focused on treaty allies and priority 
partner nations. This effort is led in the CIO by our International 
Cyber Security Program and coordinated with the Geographic Combatant 
Command, Joint Staff and OSD Policy. Initially this generally consists 
of training all levels of cyber leadership and practitioners in cyber 
defense best practices. This should establish an incident response 
capability (e.g. a CERT) with the appropriate policies in place to 
govern network operations and cyber defense. This may evolve into 
greater information sharing and potentially exercises once a capability 
is developed. Additionally CIO semi-annually hosts an international 
cyber defense workshop to provide a week long virtual training workshop 
to over twenty nations. We regularly invite more than forty nations to 
the workshop and usually have 25 or more participate.
    Mr. Langevin. What discussions and actions are going on within NATO 
to improve the capabilities of the alliance to deal with cyber threats?
    Ms. Takai. NATO developed a new cyber defense concept in March 
2011, a new Cyber Defense Policy in June 2011 and from that policy a 
cyber defense action plan to improve NATO's internal cyber defense 
capability as a priority, additionally providing advice or assistance 
to nations that request assistance. The current actions are a recently 
awarded contract (58m Euro) to enhance the NATO Computer Incident 
Response Capability and ongoing actions to monitor that project. 
Ongoing discussions focus on developing a methodology for national 
information systems that support NATO missions to be identified and 
provided minimum cyber defense standards. Further parts of the enhanced 
capability in the cyber defense action plan are the development of 
training and exercises for NATO nations, providing minimum standards 
for cyber defense for nations, and developing rapid reaction teams to 
assist nations when facing significant cyber incidents. Further 
possible enhancements are also under discussion but the current main 
focus is on ensuring the ongoing project is closely monitored for 
adherence to timelines and completing the full package of enhanced 
sensors and systems for cyber defense. These ongoing efforts are 
regularly reviewed by CIO's International Cyber Security Program.
    Mr. Langevin. What is the status of development and delivery of 
proposed National Cyber Range capabilities? Are resources adequate to 
continue maturing range capabilities?
    Ms. Takai. The goal of the DARPA NCR program is to develop the 
architecture and software tools for a secure test facility that can 
rapidly emulate the complexity of defense and commercial networks, 
allowing for cost-effective and timely validation of cyber 
technologies.
    The program has completed the technical design and all major 
software development. The developed architecture and tools are being 
demonstrated at scale on a prototype facility. The NCR software 
includes extensive experiment design tools, an automated range build-
out capability, real-time data visualization tools, and automated range 
sanitization. The demonstration facility is currently accredited for 
operation from Unclassified to Top Secret/Special Access Program level 
and is capable of supporting simultaneous testing at multiple security 
levels. Special Compartmentalized Information accreditation is 
currently being pursued.
    To date, there have been two completed tests (December 2011 and 
January 2012). Both tests showed the ability to setup the range in a 
day, test for multiple days (each test was at a different 
classification level), and then tear the range down and sanitize it in 
a day. Eight additional tests are currently being planned and 
scheduled.
    The Department is planning a series of events on the NCR with Joint 
Information Operations Range (JIOR), and Cyber Range also participating 
to stress NCR and other range capabilities, identify what is mature, 
what is not, and characterize the magnitude of gaps that will need to 
be addressed for adequate testing and evaluation, training and exercise 
capability.
    Mr. Langevin. What CYBERCOM capabilities are in need of further 
development to address our national vulnerabilities in cyberspace?
    General Alexander. Our desired end state is to maintain and 
preserve the U.S. freedom of access to allow maneuver in cyberspace 
while supporting the same for our allies and partners. To do this, it 
is essential to:
      Develop capabilities to support Indications and Warning 
(I&W) of attacks in cyberspace
      Develop integrated Command and Control for seamless 
transition from defensive to offensive posture
      Develop integrated situational awareness capability to 
sense, support real time maneuver, and engagement in cyberspace
      Develop capability for training, testing, and effects 
prediction for cyber capabilities
      Enhanced analytic and target development capabilities
      Development of integrated architectures and frameworks to 
support network resiliency and maneuver in cyberspace especially in 
contested and congested networks
    Mr. Langevin. Since the signing of the Memorandum of Understanding 
between DOD and DHS, what activities have the two organizations been 
carrying out under that MOU?
    General Alexander. The implementation of the MOU has resulted in 
the creation of a Fort Meade-based office for the DHS-DOD Joint 
Coordination Element (JCE), co-lead by DHS and DOD seniors. Activated 
in December 2010, the JCE now comprises 16 full-time personnel from DHS 
and DOD and is focused on achieving cross-departmental ``unity of 
effort'' in cyberspace operations. The ultimate goal is to enable the 
USG to agilely perform integrated operational response in all areas in 
which the adversary pursues malicious activity--with the benefit of 
robust shared situational awareness.
    The JCE is creating enduring relationships and process improvements 
across the two Departments. In its first year, the JCE initiated a 
number of major activities designed to enable these goals, by 
successfully bridging the gap between policy and operations. A few 
examples include:
      Congress directed DHS and DOD to draft a Joint 
Cybersecurity Pilot Plan. This plan was penned by the JCE, signed by 
both Departments, and transmitted to the Committees on Appropriations 
in August 2011.
      The JCE is defining cross-department command and control/
unity of effort models to enable agile, effective, and timely 
operations.
      The JCE is defining the discrete and complementary 
function of the major DHS and DOD operational organization to achieve 
harmonization of major DHS and DOD operational elements.
      As an outgrowth of the Defense Industrial Base (DIB) 
Cybersecurity ``opt in'' Pilot, Department seniors have agreed on a 
framework to create government-enabled Managed Security Services to 
address advanced threats targeting the nation. The JCE has drafted 
detailed plans to support this effort with an eye toward scalable 
solutions.
    Mr. Langevin. Are you confident in the state of the career paths 
for cyber professionals, and do you feel that your recruiting, 
retention, and career progression needs are being adequately addressed?
    General Alexander. There has been a great deal of work done in 
developing career paths for cyber professionals. The pace at which we 
are developing cyber professionals is challenged by the demand for 
skilled personnel (in both government and in the private sector) to 
keep pace with rapidly advancing technology. At USCYBERCOM we have made 
recent, significant strides into defining and advising what those 
career paths should include. One of the biggest challenges to 
``operationalizing'' activities in this domain is the development of 
the cyber workforce. The major cultural shift within the military has 
momentum; however, codifying and teaching the required skills in such a 
dynamic, ever-evolving domain, is a challenge. We are confident that 
our activities have laid a solid foundation for cyber professional 
career paths. Examples of our ongoing efforts follow.
    Joint Cyberspace Training and Certification Standards (JCT&CS). The 
JCT&CS provides an overarching framework for the Services, if they so 
choose, for training for the current and future cyberspace workforce 
over their careers. JCT&CS advises nearly every aspect of individual 
force training and education and follows the Joint Training System 
model for methodology. The standards outlined in JCT&CS inform 
curriculum, certification, and other standards used to effectively 
train forces to meet the ever-evolving warfighter demands of the 
cyberspace domain. Based on the current lack of policy on cyber 
training, the Services use of these standards is voluntary at this 
time.
    Assessment and Recruiting. Initial assessment and recruiting to 
identify the best candidates possible to support the cyberspace mission 
is critical. The JCT&CS provides key insights into the preliminary 
knowledge, skills, and abilities needed to ensure success. Service 
recruiting efforts will be advised of these standards and special 
screening techniques and evaluations will be developed to identify 
suitable candidates. In addition, the newness of this command and our 
challenging mission appears to be a draw for talented personnel. We 
anticipate the competition for cyber talent to become more intense and 
we must be enabled to respond rapidly with appropriate DOD recruiting/
retention policies and incentives. Delays in recruiting and retaining 
cyber talent could adversely affect the command's operational 
capability in the future. Against our current authorizations, our 
civilian fill rate is adequate. However, to efficiently operate as a 
Sub-Unified Command we estimate an additional need of approximately 500 
billets. Moreover, we expect competition for future talent to 
intensify, affecting initial hires and retention. To address the 
anticipated challenges in the short-term, we are collaborating with 
United States Strategic Command and the Office of the Secretary of 
Defense to permanently extend the temporary hiring authorities granted 
to us (e.g. Schedule A- which is set to expire Dec `12). Long-term, we 
are advocating for: special salary rates, tuition reimbursement, access 
to specialized training and robust professional development 
opportunities as incentives for potential employees and to retain them 
once they have been hired. Underlying all of these initiatives, we 
support the development of separate cyber operations/planner career 
fields for our civilian and military personnel.
    Service School Qualification Training. The Services currently 
provide for both enlisted and officers, basic entry training for their 
respective skills. For many cryptologic skills today that instruction 
is provided through Joint Cyber Analysis Course at Corry Station in 
Florida. As a backdrop, the JCT&CS will provide guidance through 
curriculum advisory messages in curriculum development, advising the 
Services on the Knowledge, Skills and Abilities (KSAs) with metrics to 
ensure success for those whose assignments require the ability to 
perform in one or multiple cyber work roles.
    Professional and Continuing Education. Once the basic schooling is 
completed, Service military and civilians continue to work to sharpen 
skills and capabilities through professional and continuing education. 
For the Joint community, this includes Joint Individual training and 
for IA professionals, training and certification is completed in 
compliance with prevailing DOD policy (DOD Directive 8570.01M). Again, 
the JCT&CS provides a broad framework to inform joint and Service 
training for cyberspace KSAs. An aggressive and effective retention and 
career feedback process is permeated throughout the careers of the 
cyberspace workforce. Constant inputs to training value, curriculum 
development, and career utilization will be used to advise senior 
leadership on job satisfaction and how well training enables the 
workforce to be successful in their assignments. Key to the success of 
this program is the agility at which the joint training standards can 
be modified and those changes permeated through professional and 
continuing education to keep the DOD cyberspace workforce in the 
forefront globally.
    Collective Training. Even with a robust individual training 
program, individuals fight as crews, staffs, and organizations. The 
training spectrum includes an aggressive collective training program 
that trains, certifies, and then exercises the future cyberspace 
workforce. Training and certification guidelines are contained in the 
JCT&CS. Methods and modes are under development to measure the ability 
of crews, staffs, and organizations to meet the demands of fighting and 
winning in the cyberspace domain. Ultimately, this training is tested 
in cyberspace exercise events that focus on cyberspace operations with 
objectives that tie back to Joint Mission Essential Tasks. Today, at 
the tactical level, we've developed Cyber Flag, currently an annual 
event, that brings together the Service's cyber operators to defend and 
fight against a cunning, realistic aggressor. This environment allows 
us to understand the ability of our Service component teams and 
ultimately, our ability to perform essential missions.
    Mr. Langevin. Do you feel that the command structure for 
integrating non-kinetic effects from cyber into the battlespace is 
adequately defined?
    General Alexander. The command structure for integrating non-
kinetic effects into joint operations is adequately defined, but the 
Department continues to develop and improve its implementation. Through 
the refinement of joint doctrine, planning, and procedures, we have put 
in place a number of mechanisms to integrate kinetic and non-kinetic 
effects.
    We have long recognized the need for cyberspace doctrine that can 
address the unique attributes of cyberspace, the interdependencies with 
the land, air, sea, and space domains, and provide a model command 
structure to build upon.
    The cyberspace operational planning process is aligned with joint 
doctrine, which has been developed and battle-tested over time as the 
preferred way for combatant commanders to plan, synchronize, de-
conflict, and conduct operations. We have successfully adapted this 
process for cyberspace and have exercised it a number of times with the 
combatant commands to validate its applicability. Likewise, these 
exercises have helped us refine our command and control (C2) model to 
support the integration of cyberspace operations with other Combatant 
Command operations.
    Mr. Langevin. Can you briefly describe how CYBERCOM supports joint 
training efforts for inter-service missions?
    General Alexander. USCYBERCOM works with Service Component, Joint 
Staff and Agency training leads to collaborate on processes for 
continued development/refinement of DOD cyberspace training and 
certification standards. We have developed relationships with 
appropriate stakeholders including Service HQ, Combat Support Agencies, 
public and private academic institutions, and Joint and Service 
training and education activities. We support efforts to draft and 
staff policy that identifies roles, responsibilities, and processes as 
well as ensures consistency with other policy/guidance documentation in 
order to support joint training efforts DOD-wide. The Joint Cyberspace 
Training and Certification Standards (JCT&CS) provides an overarching 
framework for the Services, if they so choose, for training for the 
current and future cyberspace workforce over their careers. JCT&CS 
advises nearly every aspect of individual force training and education 
and follows the Joint Training System model for methodology. Our intent 
is to execute policy within national and military guidance in 
coordination with stakeholders and Communities of Interest to 
promulgate common training and certification standards.
    Additionally, USCYBERCOM supports the Combatant Commands exercise 
of their warplans via Tier 1 Exercises. USCYBERCOM and its Service 
components provide planning and operations expertise to meet the 
exercise/training objectives. For FY12, USCYBERCOM is directly 
supporting or involved with 17 joint exercises, and is planning 
CYBERFLAG-12. Priority of support resides with National level, 
USCENTCOM, USPACOM, and USEUCOM exercises.
    Mr. Langevin. What more can be done to engage our allies, 
especially NATO? How can we leverage DOD ``building partnership 
capacity'' authorities to train and equip foreign forces to improve our 
allies' capabilities related to cyber operations?
    General Alexander. First, the United States can increase 
information and cyber capability sharing by developing and sharing 
cyber hygiene ``best practices,'' sharing cyber threat information, and 
providing cybersecurity tools. Second, the United States can conduct 
tabletop exercises to identify legal and policy constraints and 
``live'' exercises to build shared situational awareness and 
interoperability. Third, the United States can enhance education and 
training through congressional programs to allow foreign military 
officers to attend training in the United States and host or co-host 
conferences or seminars on cybersecurity. Fourth, the United States can 
expand the State Partnership Program to link more National Guard Cyber 
Warfare units with partner nations to increase engagement and training 
opportunities.
    USCYBERCOM has shared portions of the methodology in developing 
Joint Cyberspace Training and Certification Standards (JCT&CS) for the 
command's cyber workforce and the workforce of the Service Cyber 
Components that are under operational control of the Commander. 
USCYBERCOM has also developed and manages several training courses that 
contribute to the professionalization of the cyber workforce (i.e. 
Joint Advanced Cyber Warfare Course-JACWC, Joint Cyberspace Operational 
Planners Course Mobile Training Team JCOPC MTT). The USCYBERCOM Joint 
Exercises and Training Directorate developed a version of JACWC (Joint 
Advanced Cyber Engagement Series-JACES) that is releasable to our 
allies, and is currently developing a similarly releasable version of 
JCOPC at the request of EUCOM and AFRICOM. The first session of JACES 
with 33 key partner nation students concluded 20 April 2012. 
USCYBERCOMs intent is to continue to build key partner relationships by 
sharing releasable components of its workforce development efforts.
    Mr. Langevin. What discussions and actions are going on within NATO 
to improve the capabilities of the alliance to deal with cyber threats?
    General Alexander. NATO has been actively working to improve the 
Alliance's capabilities to deal with cyber threats. A NATO Policy on 
cyber defense was recently approved and focuses on preventing cyber 
attacks and building resilience. The policy is being implemented via an 
action plan, which includes the NATO Computer Incident Response 
Capability (NCIRC) achieving full operational capability by the end of 
2012. U.S. European Command is a key enabler and provides support to 
the NCIRC. Additionally, the United States is encouraging NATO to fully 
integrate cyberspace operations into planning, exercises, training, and 
education. Lastly, the United States is educating NATO on lessons 
learned from the Government's realignment to meet cybersecurity goals 
and the organizational and command and control structure of U.S. Cyber 
Command and other U.S. Government cyber units to influence NATO's 
civilian and military command structure development.
    At USCYBERCOM, we have participated in the annual NATO cyber 
exercise Cyber Coalition. This is a NATO event facilitating the 
improvement and development of coherent procedures and mechanisms for 
cyber defense; exercise strategic decision-making procedures, technical 
and operational procedures, and collaboration between all participants, 
including the private and public sectors.
    Several of our NATO allies are participating in the planning for 
Cyber Flag 13-1. The eight-day exercise schedule consists of four days 
with allies and the remaining four days as U.S. only due to 
classification considerations. Coalition partners will be invited to 
participate in future Cyber Flag exercises in order to build capacities 
and further enable partnership opportunities.
    Mr. Langevin. Are you confident in the state of the career paths 
for cyber professionals, and do you feel that your recruiting, 
retention, and career progression needs are being adequately addressed?
    Secretary Creedon. In light of emerging cyber threats, cyber 
workforce roles, responsibilities and skill requirements continue to 
evolve, not only in DOD, but across the Federal Government and 
industry. DOD is working with the Federal Government through the 
National Initiative for Cybersecurity Education (NICE) and Federal CIO 
Council to identify current and forthcoming cyber skill requirements, 
define career paths for cyber professionals, and determine the optimal 
courses of action to ensure a pipeline of cyber professionals is 
available to meet mission mandates. These efforts may result in new 
requirements and methodologies in the recruitment, retention and career 
management of the Department's cyber workforce.
    Currently, several strategies are in place to aid in recruiting and 
retaining a skilled cyber workforce. Federal direct-hire authority 
provides with flexibility in recruiting and hiring select information 
security (cybersecurity) personnel within the civilian IT Management 
series. DOD also has Schedule A hiring authority for select 
cybersecurity positions for certain IT and non-IT civilian job series; 
the Department is working with the Office of Personnel Management to 
extend and enhance this authority as it expires in December 2012. DOD 
uses the Information Assurance Scholarship Program (IASP) to attract 
students from top universities and colleges, and to retain personnel 
with cyber and information assurance skill sets who wish to further 
their education. In addition, CIO oversees the Information Resources 
Management College (iCollege) of the National Defense University, which 
recently introduced a Cyber Leadership Program. These authorities and 
programs, along with military recruiting and retention bonuses, are 
currently used to recruit and retain cyber personnel and are essential 
to maintaining the health of this community.
    Mr. Langevin. How is DOD capturing lessons learned from real-world 
cyber events and major exercises?
    Secretary Creedon. Real-world and exercise cyber lessons learned 
are submitted to the Joint Lessons Learned Information System (JLLIS) 
database system of record. JLLIS is the system of record for Lessons 
Learned. Typically, they are communicated in the form of Situational 
Awareness Reports (SARs). For certain major events U.S. Cyber Command 
conducts detailed analysis of the incident and then publishes the 
result as an SAR, which details the incident; threat tactics, 
techniques and procedures; as well as countermeasures/mitigation 
options. Lesser events are often documented in quarterly SARs that show 
trends, common TTPs, and systemic issues. Exercise lessons learned also 
are input to JLLIS and their capture in the database has greatly 
improved over the last 12 to 18 months. Anyone with SIPR access may 
request an account to access JLLIS content.
    In addition to JLLIS, the Services also track major events via 
their respective database systems. For example, Army computer network 
defense (CND) events are tracked in ACID, the Army CND Incident 
Database. The Navy Lessons Learned System (NLLS) is the Navy's process 
for collection and dissemination of significant lessons learned, 
summary reports and port visit reports from maritime operations, 
exercises and other events.
    Mr. Langevin. What more can be done to engage our allies, 
especially NATO? How can we leverage DOD ``building partnership 
capacity'' authorities to train and equip foreign forces to improve our 
allies' capabilities related to cyber operations?
    Secretary Creedon. The Department's authorities to build the 
security capacity of our foreign partners can be useful tools that 
contribute significantly to a variety of missions, from 
counterterrorism and combating weapons of mass destruction, to 
stability and counterinsurgency operations. For cyber operations there 
are no current plans to use these specific authorities; rather the 
Department works collaboratively with NATO and other allies.
    Our NATO allies recognize the increasing importance of cyber 
defense, as demonstrated by the 2010 Lisbon Summit Declaration, NATO's 
revised Strategic Concept, and the issuance of a revised NATO Policy on 
Cyber Defense in June of 2011. We are actively engaged in working with 
our NATO allies to ensure their continued commitment to NATO's new 
policy and the steps outlined in its Action Plan. More broadly, through 
our Geographic Combatant Commands, we are exploring ways in which we 
can work more closely with allies and partners to help them improve 
their cyber security and ensure that they are investing in enhanced 
security for their national networks. This is also an area where we are 
working closely with the Departments of State, Homeland Security, and 
other key USG stakeholders
    Mr. Langevin. What discussions and actions are going on within NATO 
to improve the capabilities of the alliance to deal with cyber threats?
    Secretary Creedon. Beginning with the 2010 Lisbon Summit 
Declaration and followed by NATO's revised Strategic Concept in which 
the protection of the Alliance's information systems was made a 
priority task, the U.S. Department of Defense has been actively engaged 
in working with NATO to improve the Alliance's ability to defend 
against the ever growing cyber threats.
    In addition, last year NATO Defense Ministers approved a revised 
NATO Policy on cyber defense. The policy offers a coordinated approach 
to cyber defense across the Alliance and focuses on preventing cyber 
attacks and building resilience. The new policy is currently being 
implemented through an Action Plan that has a number of elements, but 
the most important is achieving NATO Computer Incident Response 
Capability (NCIRC) full operational capability by the end of 2012. By 
bringing all of NATO organizations' networks under NCIRC authority and 
protection, the NCIRC will significantly increase the Alliance's 
ability to defend and recover in the event of a cyber attack against 
systems of critical importance to the Alliance. Implementation is on 
track and the U.S. Department of Defense will continue to strongly 
support NATO's efforts in this area.
                                 ______
                                 
                   QUESTIONS SUBMITTED BY MR. FRANKS
    Mr. Franks. With respect to defense installations within the United 
States, how reliant are our IT and cybersecurity systems on the supply 
of stable, reliable, and uninterrupted electricity from the civilian 
power grid, and how prepared are we to carry out the defense mission if 
the power grid or a substantial part of it were to go down for extended 
period, for example: two weeks or longer due to severe space weather or 
man-made electromagnetic pulse?
    General Alexander. Defense installations themselves typically have 
means to provide backup power for various durations. Additionally, DOD 
typically contracts with multiple vendors for connectivity to minimize 
the number of single points of failure. However, a great deal of DOD's 
cyberspace is served by and through commercial providers. The degree to 
which these commercial providers--and the companies upon which they 
rely--can sustain operations in the event of an extended power outage 
varies considerably. We are aware that such dependencies exist and are 
actively working to identify just those kinds of critical 
infrastructures and key resources as part of a larger strategy to 
ensure robust cyber defense of the ``.com'' and ``.gov'' portions of 
cyberspace that DOD relies upon for mission readiness.
    Mr. Franks. How confident are you that the private power industry 
is prepared to resist and defeat cyber attacks against its control and 
power distribution systems and are there approaches we can take with 
industry that don't involve burdening industry with unnecessary 
regulation, to assist industry to protect this vital infrastructure and 
ensure that defense-related IT and cybersecurity systems are not 
degraded or rendered useless by an extended period of time without 
electricity?
    Secretary Creedon. Commercial power sources continue to be 
threatened by a wide array of threats. Commercial electric power 
providers rely on Industrial Control Systems (ICS) to control and 
operate the power grid and, due to potential vulnerabilities with these 
systems, scenarios exist where malicious actors could gain control of 
critical components. Today's threat environment is dynamic and, as a 
result, organizations must be vigilant and adaptable in monitoring 
systems and implementing controls in response to current threats.
    DOD conducts ongoing analysis and partners with multiple entities 
including the Department of Energy (DOE), Department of Homeland 
Security (DHS), the commercial ICS community, and the Federal Energy 
Regulatory Commission to stay abreast of the threat and better assess 
industry preparedness. DOD, along with its interagency and industry 
partners, is moving in a deliberate and aggressive fashion to close the 
gaps associated with energy surety.
    In addition, DOE, and DHS recently launched the Energy Surety 
Public Private Partnership to better understand and improve the surety 
of energy infrastructure supporting national security missions. DOD is 
also participating in an effort led by DOE to develop a cybersecurity 
maturity model focused on managing dynamic threats to the grid and 
evaluating cybersecurity capabilities. Finally, there are other efforts 
underway focused on awareness and managing the threats to the grid such 
as the North American Electric Reliability Corporation cyber attack 
task force and a public/private collaborative effort to develop risk 
management guidelines. We believe these efforts will accomplish a great 
deal in managing the threat to our power sector

                                  
