b"<html>\n<title> - [H.A.S.C. No. 112-118]NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2013 AND OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS BEFORE THE COMMITTEE ON ARMED SERVICES HOUSE OF REPRESENTATIVES ONE HUNDRED TWELFTH CONGRESS SECOND SESSION</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n                         [H.A.S.C. No. 112-118]\n\n                                HEARING\n\n                                   ON\n \n                   NATIONAL DEFENSE AUTHORIZATION ACT\n\n                          FOR FISCAL YEAR 2013\n\n                                  AND\n\n              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS\n\n                               BEFORE THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n       SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING\n\n                                   ON\n\nBUDGET REQUEST FOR INFORMATION TECHNOLOGY AND CYBER OPERATIONS PROGRAMS\n\n                               __________\n\n                              HEARING HELD\n\n                             MARCH 20, 2012\n\n                                     \n\n\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n73-790                    WASHINGTON : 2012\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES\n\n                    MAC THORNBERRY, Texas, Chairman\nJEFF MILLER, Florida                 JAMES R. 
LANGEVIN, Rhode Island\nJOHN KLINE, Minnesota                LORETTA SANCHEZ, California\nBILL SHUSTER, Pennsylvania           ROBERT ANDREWS, New Jersey\nK. MICHAEL CONAWAY, Texas            SUSAN A. DAVIS, California\nCHRIS GIBSON, New York               TIM RYAN, Ohio\nBOBBY SCHILLING, Illinois            C.A. DUTCH RUPPERSBERGER, Maryland\nALLEN B. WEST, Florida               HANK JOHNSON, Georgia\nTRENT FRANKS, Arizona                KATHLEEN C. HOCHUL, New York\nDUNCAN HUNTER, California\n                 Kevin Gates, Professional Staff Member\n                 Mark Lewis, Professional Staff Member\n                      James Mazol, Staff Assistant\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                     CHRONOLOGICAL LIST OF HEARINGS\n                                  2012\n\n                                                                   Page\n\nHearing:\n\nTuesday, March 20, 2012, Fiscal Year 2013 National Defense \n  Authorization Budget Request for Information Technology and \n  Cyber Operations Programs......................................     1\n\nAppendix:\n\nTuesday, March 20, 2012..........................................    29\n                              ----------                              \n\n                        TUESDAY, MARCH 20, 2012\n  FISCAL YEAR 2013 NATIONAL DEFENSE AUTHORIZATION BUDGET REQUEST FOR \n          INFORMATION TECHNOLOGY AND CYBER OPERATIONS PROGRAMS\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nLangevin, Hon. James R., a Representative from Rhode Island, \n  Ranking Member, Subcommittee on Emerging Threats and \n  Capabilities...................................................     2\nThornberry, Hon. Mac, a Representative from Texas, Chairman, \n  Subcommittee on Emerging Threats and Capabilities..............     1\n\n                               WITNESSES\n\nAlexander, GEN Keith, USA, Commander, U.S. 
Cyber Command, U.S. \n  Department of Defense..........................................     5\nCreedon, Hon. Madelyn, Assistant Secretary of Defense for Global \n  Strategic Affairs, U.S. Department of Defense..................     7\nTakai, Hon. Teresa, Chief Information Officer, U.S. Department of \n  Defense........................................................     3\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Alexander, GEN Keith.........................................    51\n    Creedon, Hon. Madelyn........................................    72\n    Langevin, Hon. James R.......................................    34\n    Takai, Hon. Teresa...........................................    36\n    Thornberry, Hon. Mac.........................................    33\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    [There were no Questions submitted during the hearing.]\n\nQuestions Submitted by Members Post Hearing:\n\n    Mr. Franks...................................................    89\n    Mr. Langevin.................................................    83\n  FISCAL YEAR 2013 NATIONAL DEFENSE AUTHORIZATION BUDGET REQUEST FOR \n          INFORMATION TECHNOLOGY AND CYBER OPERATIONS PROGRAMS\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n         Subcommittee on Emerging Threats and Capabilities,\n                           Washington, DC, Tuesday, March 20, 2012.\n    The subcommittee met, pursuant to call, at 2:22 p.m., in \nroom 2212, Rayburn House Office Building, Hon. Mac Thornberry \n(chairman of the subcommittee) presiding.\n\nOPENING STATEMENT OF HON. 
MAC THORNBERRY, A REPRESENTATIVE FROM \n     TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND \n                          CAPABILITIES\n\n    Mr. Thornberry. The hearing will come to order. And again, \nlet me thank our witnesses for your patience as we deal with \nthe schedule which we cannot control. But I appreciate you all \nbeing here.\n    Let me welcome our witnesses and guests to this hearing on \nthe Department of Defense 2013 Budget Request for Information \nTechnology and Cyber Programs.\n    I appreciate General Alexander and Ms. Takai being back \nwith us. And it is good to see Ms. Creedon here in a somewhat \ndifferent capacity than we have worked before.\n    It is striking to me that in the written testimony, General \nAlexander says in effect that things have gotten worse in cyber \nover the last year.\n    We talked last year about the growing threat and our \ndifficulty in catching up. And despite the successes of Cyber \nCommand over the past year, which I do not discount in any way, \nit still seems to me that the dangers to our Nation in \ncyberspace are growing faster than our ability to protect the \ncountry.\n    I think it is significant that the Speaker and Majority \nLeader are planning to bring broad cyber legislation to the \nHouse floor next month. And it is also significant that there \ncontinues to be bipartisan support for taking action, an effort \nin which the ranking member, Mr. Langevin, has been \ninstrumental for some years now.\n    I hope that the Senate will take action on the various \nproposals that they have before them. But, in a way, we should \nnot kid ourselves. 
The American people expect the Department of \nDefense to defend the country in whatever domain it is \nattacked.\n    And that means that Cyber Command must be ready, and \nCongress and the administration must find a way to ensure that \nit has the legal authorities it needs, and at the same time \nensure that the constitutional rights of Americans are \nprotected.\n    Today, I will be interested in hearing how the \nadministration's 2013 budget request takes us closer to that \ngoal.\n    Let me yield to the ranking member for any statement he \nwould like to make.\n    [The prepared statement of Mr. Thornberry can be found in \nthe Appendix on page 33.]\n\n     STATEMENT OF HON. JAMES R. LANGEVIN, RANKING MEMBER, \n       SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES\n\n    Mr. Langevin. Thank you, Mr. Chairman. And thanks to our \nwitnesses for appearing before the subcommittee today.\n    So much of our national security is dependent upon the \nreliable and timely flow of information across secure networks. \nTo say that our ability to defend those networks and project \npower as required into cyberspace is a priority in the area of \ngrowth within the Department [of Defense] is, to put it \nlightly, an understatement.\n    That is why this hearing could not be more timely.\n    And let me associate myself with the remarks of the \nchairman with respect to the threats and the needed attention, \nextra attention, we need to focus in on this particular area.\n    Information technology is pervasive across the entire \nDepartment of Defense [DOD], operating in the background of the \nfull range of DOD activities from the most mundane \nadministrative tasks to critical wartime functions. It is easy \nto overlook as a natural part of the environment.\n    But because it is so pervasive, it must work effectively \nand efficiently or all of those functions that rely on it grind \nto a halt. 
Moreover, if not properly protected from malignant \nactors, it could also be a significant national security \nvulnerability and a source of asymmetric advantage to an \nadversary.\n    At over $33 billion, IT [information technology] represents \na sizable investment in the Department's budget. It is a \nconsiderable challenge to stay abreast of all the developing \ntechnologies and growing departmental needs under an \narchitecture that provides both strategic vision and \nappropriate oversight.\n    Robust, flexible, rapid, and secure are the words not often \nfound together when describing defense programs. But I look \nforward to learning how the DOD looks to achieve savings in IT \nexpenditures, while still providing the high-quality IT \nservices that the DOD requires.\n    However, whatever work and resources we devote to providing \nthese IT services will be meaningless if the Department cannot \nsecure them. States, non-state actors, ``hacktivists,'' and \ncriminals are just some of the security challenges that \nthreaten the network.\n    Although our awareness of cyber vulnerability has sharpened \nover the past few years, I still believe that we don't fully \nrecognize the potential for damage posed by a breached or \ndisrupted network.\n    It is good to see that in the area of fiscal constraint, \ntherefore the President's budget has preserved our investment \nin our cyber defense.\n    Still, there is much to be done. Much of our critical \ninfrastructure remains outside the DOD's protective umbrella, \neven as DOD relies upon it. 
The electric grid is but one of \nmany examples.\n    While I recognize that other Federal agencies and \ndepartments may have the responsibility for this aspect of our \nhomeland defense, DOD remains vulnerable as these gaps go un- \nor under-addressed.\n    While we have been assured by senior leaders in hearings \nearlier this year that such external dependencies are being \nexamined, in some cases mitigated, I am interested to know how \nfor the interagency dialogue--how far the interagency dialogue \nhas progressed along these lines on discussions on this point \nlast year.\n    Fiscal resources are only part of the challenge in the \ncyber domain. Questions still remain about how and when the \nUnited States will conduct the full range of military cyber \nactivities beyond the civil defense of the network.\n    Some of these questions lie in the development of a robust \ncyber policy. And some of them may require legislative action.\n    With that, I look forward to learning more about this and \nfurther issues in the discussion today. And I again want to \nthank our panel for their presence.\n    Thank you.\n    And Mr. Chairman, I yield back.\n    [The prepared statement of Mr. Langevin can be found in the \nAppendix on page 34.]\n    Mr. Thornberry. Thank the gentleman.\n    We have before us today, the Honorable Teresa Takai, Chief \nInformation Officer of the Department of Defense; General Keith \nAlexander, Commander, U.S. Cyber Command; and the Honorable \nMadelyn Creedon, Assistant Secretary of Defense for Global \nStrategic Affairs.\n    Without objection, each of your written statements will be \nmade part of the record. And if you can summarize your \ntestimony in about 5 minutes, then we can go to questions.\n    We are supposed to have another vote here in roughly an \nhour or so. And so, hope that will help us move along.\n    Ms. Takai, please proceed.\n\nSTATEMENT OF HON. TERESA TAKAI, CHIEF INFORMATION OFFICER, U.S. 
\n                     DEPARTMENT OF DEFENSE\n\n    Ms. Takai. Thank you.\n    Well, good afternoon, Chairman Thornberry, Ranking Member \nLangevin, and distinguished members of the subcommittee.\n    Thank you for this opportunity to testify on the \nDepartment's information technology and cybersecurity budget \nthat has been requested for fiscal year 2013.\n    I would like to describe for you the highlights of that IT \nand cybersecurity budget request, as well as give you an update \non what the Department is doing to modernize IT, that is so \nimportant both from the standpoint of a strong cybersecurity \ndefense, but also from the standpoint of effectiveness and \nefficiency.\n    The Department's fiscal year 2013 IT budget request of \napproximately $37 billion includes funding for a broad range of \ninformation technology investments that support our mission-\ncritical operations at the tactical edge, on the battlefield, \nas well as the business support operations.\n    Included in the overall IT budget is approximately $3.4 \nbillion for cybersecurity efforts designed to ensure our \ninformation systems and networks are protected against known \ncyber vulnerabilities and are resilient to the ever increasing \ncyber threats the Department and the Nation face.\n    Among the Department's efforts to improve its effectiveness \nand efficiency is the consolidation of the Department's IT \ninfrastructure: its networks, computing services, data centers, \napplication and data services, while simultaneously improving \nthe ability to defend that infrastructure against growing cyber \nthreats.\n    My office is currently leading the implementation of these \ninitiatives as described in our enterprise strategy and \nroadmap. But it is important that we work closely with the \nservices, Joint Staff, and U.S. 
Cyber Command to more \naggressively modernize our overall information systems.\n    One of the central pillars of that modernization and \neffectiveness is to move us to a single joint network \narchitecture. This will allow the Department, and specifically \nU.S. Cyber Command, to have better visibility into what is \nhappening on our networks and to better defend against cyber \nattacks.\n    This will be done in conjunction with our aggressive data \ncenter consolidation. We are currently working to eliminate our \nexcess capacity and consolidate into fewer data centers.\n    We are on track to significantly reduce the number of data \ncenters. And by the end of this year, we will reduce our \ncurrent inventory of 772 data centers by more than 115.\n    In addition to these Department-wide efforts, the services \nand defense agencies have individually taken actions to better \nposition the information enterprise and security posture.\n    Army has reduced the number of IT applications from 218 to \n77 during their BRAC [Base Closure and Realignment] move from \nFort Monmouth, New Jersey, to Aberdeen Proving Ground. And that \nis just one example of the challenges that they have faced and \nthe actions they have taken.\n    Navy has reduced by 50 percent the number of applications \nacross its 21 functional areas. The Marine Corps has gone from \n1,800 applications to only 700 over the past 18 months. And the \nAir Force has taken aggressive action and reduced its fiscal \nyear 2013 budget request by over $100 million.\n    As noted above, the $37 billion of the IT budget includes \napproximately $3.4 billion for our cybersecurity program. 
This \nincludes funding for cyber network defense, cryptographic \nsystems, communication security, network resiliency, workforce \ndevelopment, development of cybersecurity standards and \ntechnologies throughout the Department.\n    It does include Cyber Command's fiscal year 2013 budget \nrequest of $182 million.\n    I would like to highlight a few areas where I think the \nDepartment has made significant progress.\n    The Department has currently deployed a modular system \ncalled Host-Based Security System [HBSS], which enhances our \nsituational awareness of the network and improves our ability \nto detect, diagnose, and react to cyber intrusions in a more \ntimely manner.\n    We have currently deployed HBSS on our unclassified and \nsecret networks. Included in our fiscal year 2013 request, are \nfunds to continue the deployment and sustainment of new HBSS \ncapability modules to better harden, and to provide an \nautomated capability to continually monitor the computer's \nconfiguration and to improve the human and device identity \nmanagement capabilities.\n    We have also taken the lead in assessing the risk of the \nglobal supply chain to our critical information and \ncommunications technology by instituting the Trusted Defense \nSystems/Supply Chain Risk Management strategies that were \ndescribed in a report delivered to Congress in January of 2010.\n    Another critical success the Department has had is our \nDefense Industrial Base Cybersecurity and Information Assurance \nProgram. 
This program offers a holistic approach to \ncybersecurity to include our classified threat information \nsharing by the government, with voluntary sharing of incident \ndata by industry in our defense industrial base; sharing \nmitigation remediation strategies, digital forensic analysis, \nand cyber intrusion assessments.\n    Another area that has become increasingly important to the \nDepartment, our mission, consumers, and the economy is \nelectromagnetic spectrum. As pressure for access to spectrum \ncontinues, I look forward to working with Congress on future \nspectrum legislation proposals that achieve a balance between \nexpanding our wireless and broadband capabilities for the \nNation and the need for access to spectrum to support critical \nwarfighting capabilities in support of our national security.\n    Thank you very much for your interest in our efforts. I am \nhappy to answer any questions.\n    [The prepared statement of Ms. Takai can be found in the \nAppendix on page 36.]\n    Mr. Thornberry. Thank you.\n    General Alexander.\n\n STATEMENT OF GEN KEITH ALEXANDER, USA, COMMANDER, U.S. CYBER \n              COMMAND, U.S. DEPARTMENT OF DEFENSE\n\n    General Alexander. Thank you, Chairman Thornberry, Ranking \nMember Langevin, and distinguished members of the committee for \nthe opportunity to appear before you today.\n    I am pleased to be here with Honorable Creedon and Ms. \nTakai. We have worked closely over the last year on many of \nthese topics that we are presenting for you today.\n    And I think you will see that we are making great progress. \nBut as you stated, the risks are also increasing.\n    We have to thank the committee for all the things that you \nhave done to support us in developing Cyber Command and for the \nfunding that we have received. We really appreciate it.\n    It is a team sport. 
And one of the things that I would like \nto put on the table is from our perspective it requires the \nteam of Department of Homeland Security, the Federal Bureau of \nInvestigation, Department of Justice, as well as the DOD team \nthat you have before us here today.\n    From my perspective, as we look at it, that includes each \nof the services and the Defense Information Systems Agency; all \nkey partners in helping us do our cyber mission.\n    We have worked hard to make some progress. And I wanted to \ntalk a little bit about that progress over the next 25--no just \nkidding--4 minutes.\n    As you know, the United States relies on access to \ncyberspace for our national and economic security. Secretary of \nDefense Panetta and Chairman Dempsey both emphasized that cyber \nis one of the areas slated for investment in an overall defense \nbudget that will be leaner in the future.\n    The task of assuring cyberspace access has drawn the \nattention of our Nation's most senior leaders over the last \nyear. And their decisions have helped to clarify what we can \nand must do about developments that greatly concern us.\n    The U.S. Cyber Command, as I stated, is a component of a \nlarger U.S. 
government-wide effort to make cyberspace safer for \nall, to keep it a forum for vibrant citizen interaction, and to \npreserve our freedom to act in cyberspace in defense of our \nvital interests and those of our allies.\n    Although Cyber Command is specifically charged with \ndirecting the security, operation, and defense of the \nDepartment of Defense's information systems, our work and our \nactions are affected by threats well outside DOD networks, as \nthe ranking member stated; threats the Nation cannot afford to \nignore.\n    What we see both inside and outside the DOD information \nsystems underscores the imperative to act now to defend America \nin cyberspace.\n    In my time with you today, I would like to talk a little \nbit about the strategic context, the last 2.5 minutes, and give \nyou the five key areas that we are doing.\n    First, cyberspace is becoming more dangerous. The \nintelligence community's worldwide threat brief to Congress in \nJanuary raised cyber threats to just behind terrorism and \nproliferation in its list of the biggest challenges facing the \nNation.\n    Americans have digitized and networked more of their \nbusinesses, activities, and their personal lives, and with good \nreason they worry more about their privacy and the integrity of \ntheir data. So has our military.\n    Dangers are not something new in cyberspace. When I spoke \nto you last year, I noted the sort of threats that were once \ndiscussed in theoretical terms were becoming realities, and \nactually being deployed in the arsenals of various actors in \ncyberspace.\n    We have long seen cyber capabilities directed by \ngovernments to disrupt the communications and activities of \nrival states, and today we are seeing such capabilities \nemployed by regimes against critics outside and inside their \nown countries, for example, in the Arab Spring.\n    Cybercrime is changing as well. 
The more sophisticated \ncyber criminals are shifting away from botnets towards \nstealthier, targeted thefts of sensitive data they can sell.\n    We saw digital certificate issuers in the U.S. and Europe \nhit last year and a penetration of the internal network that \nstores RSA's authentication certification led to at least one \nU.S. defense contractor being victimized by actors wielding \ncounterfeit credentials.\n    Nation-state actors in cyberspace are riding this tide of \ncriminality. Several nations have turned their resources and \npower against us, and foreign businesses and enterprises, even \nthose that manage critical infrastructure in this country and \nothers.\n    There are five key areas that I would like to walk through \nthat we are working on that I think are important to this \ncommittee.\n    First, building the enterprise and training the force, \nsomething that we are working closely on. And, I think, as you \nthink about developing that force and where we need to go in \nthe future, that should be our number one priority.\n    As Teri mentioned, I think number two is developing a \ndefensible architecture. Three, getting the authorities correct \nthat we need. The teamwork that we have within the government, \nsetting that teamwork right is number four, and perhaps one of \nthe biggest areas that we can do. And finally, a concept for \noperating in cyberspace, and we have done those things.\n    In closing, I think we are making progress, as you stated. \nBut we also note that the risks that face our country are \ngrowing faster than our progress. And we have to work hard to \ndo that.\n    Thank you again for inviting me here today.\n    [The prepared statement of General Alexander can be found \nin the Appendix on page 51.]\n    Mr. Thornberry. Thank you.\n    Ms. Creedon.\n\n   STATEMENT OF HON. MADELYN CREEDON, ASSISTANT SECRETARY OF \n   DEFENSE FOR GLOBAL STRATEGIC AFFAIRS, U.S. 
DEPARTMENT OF \n                            DEFENSE\n\n    Secretary Creedon. Thank you, Chairman Thornberry and \nRanking Member Langevin, for inviting us to discuss the \nDepartment's strategies for operating in cyberspace.\n    I too am pleased to appear here today with Ms. Teri Takai, \nthe DOD Chief Information Officer, and General Keith Alexander, \nthe Commander of U.S. Cyber Command.\n    We are all here on behalf of the men and women of the \nDepartment of Defense who commit themselves every day to \nensuring the safety of the United States, both at home and \nabroad.\n    Today, I would like to present a brief overview of the \nDepartment's efforts in cyberspace. This includes an update on \nthe implementation of the defense strategy for operating in \ncyberspace, the progress we have made in meeting the goals of \nthe 2010 Quadrennial Defense Review, and the recently released \nDOD Strategic Guidance for Operating Effectively in Cyberspace.\n    DOD continues to develop effective strategies for ensuring \nthat the United States is prepared for all cyber contingencies \nalong the entire spectrum from peace to crisis to war.\n    Importantly, during these times of fiscal constraint, DOD \nis also taking advantage of the efficiencies that advances in \ninformation technology provide. Almost every feature of modern \nlife now requires access to information infrastructure, and DOD \nis no exception.\n    We maintain over 15,000 network enclaves and 7 million \ncomputing devices in installations around the globe. These \nnetworks, upon which DOD relies, represent both opportunities \nand challenges.\n    Whereas the threat was once the province of lone-wolf \nhackers, today, our Nation, our businesses, and even our \nindividual citizens are constantly targeted and exploited by an \nincreasingly sophisticated set of actors.\n    While it is difficult to get hard data, we believe the cost \nof these intrusions runs into the billions of dollars annually. 
\nWe know they pose a clear threat to our economy and our \nsecurity.\n    We are also increasingly concerned about the threat to our \ndefense industrial base and the Nation's critical \ninfrastructure. We have seen the loss of significant amounts of \nintellectual property and sensitive defense information that \nreside on or transit defense industrial base systems.\n    The loss of intellectual property has the potential to give \nan adversary leap-ahead technology to achieve parity with some \nof our most sensitive capabilities.\n    The Department has been working around the clock, often in \nclose cooperation with the Department of Homeland Security and \nother agencies, to protect the Nation from these threats.\n    Last July, DOD released the Defense Strategy for Operating \nin Cyberspace, the DSOC. This document marked a significant \nmilestone for the Department because it is the first \ncomprehensive strategy to address this new operational domain.\n    The DSOC built upon the President's National Security \nStrategy, the International Strategy for Cyberspace, and the \nDepartment's Quadrennial Defense Review.\n    The DSOC guides DOD's military, business, and intelligence \nactivities in cyberspace in support of U.S. national interests.\n    The Department is currently conducting a thorough review of \nthe existing rules of engagement for cyberspace. We are working \nclosely with the Joint Staff on the implementation of a \ntransitional command and control model for cyberspace \noperations.\n    This interim framework will standardize existing \norganizational structures and command relationships across the \nDepartment for the application of the full spectrum of \ncyberspace capabilities.\n    Within the U.S. 
Government, DOD works very closely with our \ncolleagues in the Departments of Homeland Security, Justice, \nState, Treasury, Commerce, as well as a number of other \nagencies.\n    Although DOD maintains robust and unique cyber capabilities \nto defend our networks and the Nation, we believe strongly in a \nwhole-of-government approach to cybersecurity.\n    As such, we fully support the Department of Homeland \nSecurity's role in coordinating the overall national effort to \nenhance the cybersecurity of U.S. critical infrastructure.\n    We also believe that we have to approach cybersecurity from \na global perspective. As a result, DOD is pursuing both \nbilateral and multilateral engagements to enhance our \ncollective security and develop norms of behavior.\n    We have to respect and remember, however, the delicate \nbalance between the need for security and our cherished rights \nto privacy and civil liberties.\n    Make no mistake. DOD is committed to focusing on external \nactors while ensuring the privacy and civil liberties of our \ncitizens.\n    Thank you again for the opportunity to appear here today. \nAnd I look forward to your questions.\n    [The prepared statement of Secretary Creedon can be found \nin the Appendix on page 72.]\n    Mr. Thornberry. Thank you.\n    I would like to pose a question. I guess, a different \nquestion to each of you in this first round.\n    Ms. Takai, roughly $37 billion is, I think you said, is the \nDepartment's request for information technology.\n    You know, obviously under current law if something doesn't \nchange in January 2013, every program, project of the \nDepartment of Defense is going to be cut 8 to 12 percent \nbecause of sequestration. So it seems to me particularly in \ninformation technology, that that could cause some \ndifficulties.\n    Can you describe for us, briefly, what that would mean for \nthe programs that you are responsible for?\n    Ms. Takai. 
Well, there will be a variety of impacts.\n    First of all, one of the biggest challenges is we have a \nnumber of programs underway that will have to take both \nreductions and potentially--if in fact we are operating under \ncontinuing resolution--we will have to take a pause.\n    So for instance, we have several logistics projects \nunderway in several of the service areas to improve their \ncapability. And those would obviously be affected.\n    We have several of the IT modernization efforts that are \nbeing funded from our operations and maintenance budget that \nwould need to be slowed down.\n    And then on top of that, of course, those dollars would \nimpact the dollars that we are spending on cybersecurity.\n    So some of the programs for instance that I mentioned, \nwhere we are looking to roll out a process that we call \n``continuous monitoring'' to give us more capability to \nactually be able to, rather than take in periodic checks, be \nable to provide the tools to continually look at the network.\n    So I think what would happen is that many of those \nprograms, we would slow down. And then we would have to \nprioritize to determine--there may be some selected programs \nthat we would need to prioritize and effectively stop in order \nto make sure that we were continuing to fund some of the high \npriority items, for instance, in the cybersecurity area.\n    Mr. Thornberry. Okay, thank you.\n    Ms. Creedon, last year this subcommittee had several cyber \nhearings where we tried to understand what the responsibility \nof the Department of Defense was to defend the private sector \nin cyberspace.\n    And really we had a hard time getting an answer.\n    And I heard in your testimony that we are working through \nauthorities and rules of engagement and a variety of things. \nBut when do you think the administration would be able to go to \nthe private sector and say, ``Okay, here is what we will do for \nyou in cyberspace. 
Here is how we will defend you, beyond that \nyou have got to figure the rest of it out on your own.''\n    Or when can we make clear what the government's--DOD's \nresponsibility is versus other responsibilities?\n    Secretary Creedon. There are probably two pieces to this \nquestion. But the first is it is the Department of Homeland \nSecurity's role. They are the lead Federal agency to ensuring \nthat there is protection of the ``.gov'' and also working with \nthe private sector.\n    So like any other situation where DOD would provide \nassistance to civil authorities, DOD would provide assistance \nas needed, as requested, as required, by the Department of \nHomeland Security [DHS] in the event that there were some sort \nof an event where DHS required DOD assets, just like in \nresponding to a hurricane. So I mean, it would be very similar \nto that.\n    Now the second piece of this is the private sector that is \nuniquely connected with DOD, the defense industrial base. And \nso within the defense industrial base, the Department in an \neffort that is led by the CIO's office, by Ms. Takai, there is \na process where we are getting ready to expand the defense \nindustrial base which are our contractors that provide the \nunique services to DOD.\n    Now there is a subset of that as well. And that is what has \nbeen referred to as the DIB Pilot, the Defense Industrial Base \nPilot. And that is yet another subset of these defense \nindustrial base contractors where we are working with them in a \nunique way to provide additional capabilities to them.\n    And that program has been in close collaboration with \nCYBERCOM [U.S. Cyber Command] and also with DHS to provide \nadditional protections to this subset of the defense industrial \nbase, who will then turn around and provide protections to the \nrest of the industrial base.\n    And that one, we are in the process of expanding as well.\n    Mr. Thornberry. I hear what you are saying. 
I am just not \ncompletely convinced if we have a big section of the country \nwithout electricity that people are not going to look to the \nDepartment of Defense and say, ``Why aren't you protecting \nus,'' or some other sort of scenario.\n    I think it continues to provide policy challenges more to \nus and legal challenges more than technical challenges, which \nis part of the reason I posed the question.\n    Finally, General Alexander, kind of looking at this from a \nbroad perspective, as you know, and as I mentioned in my \nopening statement, Congress is working on cyber legislation to \ntry to update some of the laws that had not been updated.\n    This takes a little beyond maybe Cyber Command, but if you \nhad to name one thing that Congress could do legislatively, \nthat would, in your opinion, be of assistance in defending the \ncountry in cyberspace, what one thing or one area do you think \nwould make the most difference?\n    General Alexander. I think the key thing from my \nperspective is information sharing.\n    We need to be able to see an attack on the country, which I \nthink is DOD's domain to defend the country from an attack \nversus what DHS is doing to help prevent and protect.\n    So the resilience that they do in the public face, the DOD \nrequirement would--if our Nation is attacked by another nation-\nstate or a non-nation-state actor at a certain point, the \nDefense Department would step in.\n    We can only do that if we can see it.\n    And I think that goes in line with the standing rules of \nengagement that the policy folks are working along with the \ncriteria that goes with it. So information sharing.\n    Mr. Thornberry.\n    Thank you.\n    Mr. Langevin.\n    Mr. Langevin. Thank you, Mr. 
Chairman.\n    Again, thanks to the panel for your testimony here today.\n    I guess I would like to press a little further, and the \nChairman was raising this point.\n    How do you feel the unique and powerful capabilities of \nCYBERCOM, that CYBERCOM possesses, can best be leveraged to \nprotect networks and infrastructure that is outside of \n``.mil''?\n    General Alexander. We will start with you.\n    General Alexander. I was going to pass that to the \nHonorable Ms. Creedon. But, I think the first part is, I think \nin extremis the Defense Department would be the natural ones to \ndefend the country.\n    I believe within the administration, there is general \nagreement that that is correct. The issue is now what are those \ncircumstances, and how do we do it?\n    What does the Defense Department do?\n    Well, the Defense Department is the only one with, not only \nthe defensive capabilities that we have, that Teri Takai talked \nabout, and some of the offensive capabilities that the Nation \nwould need to defend itself.\n    I think both of those, coupled with the ability for the \nDefense Department networks to see globally with the \nintelligence community, are going to be key to defending the \nNation.\n    So that is what needs to be brought to bear. And for us to \nbe successful, we have to partner with industry to share \ninformation, to know when some of these events are going on.\n    I think that is key to it in setting up the framework.\n    I think the President's paper on cybersecurity that came \nout in May of 2009, sets the framework for that for the \ngovernment. So I do think that is the starting point.\n    And then add to it what the Department did last year, I \nthink, is the next step for showing what we would do.\n    Mr. Langevin. Very good.\n    Would you like to comment as well?\n    Secretary Creedon. 
If the Department, I mean, if the \ncountry were truly attacked, then the President would have the \nauthority obviously to defend the country however was needed. \nAnd DOD would be ready to do whatever it was that the President \ncalled upon the Department to do in the event of a real attack.\n    Now, one of the things, I think, that is important is that \nin the event of attack, all of the range of options would still \nbe available to the President. So you wouldn't necessarily \nlimit a cyber response. It could be a kinetic response. It \ncould be a diplomatic response. It could be the full range of \noptions available to the President.\n    But clearly, if there were a real attack, DOD would be \nready to do whatever it was called upon to do.\n    So I think if that was an uncertainty in this realm, I \nthink we believe that the realm of cyberspace is like the realm \nof any other attack.\n    Mr. Langevin. General, let me go back to you.\n    In many ways we are at a tipping point right now with \nrespect to the capabilities of cyber offense, cyber defense, \nintelligence gathering, if you will, and the degree to which \nyou can talk about this in this setting--and you and I have \nspoken about this often.\n    In order to be really effective at being able to defend the \ncountry, we have to be as far out from our shores as possible, \nand far out forward advanced in cyberspace as possible.\n    When--and I think you may have used this example before, \ncertainly others have--if we saw a missile coming to the United \nStates, the easiest, most effective way to take that down is at \nits source in the boost phase, same thing with a potential \nattack on the country.\n    Will we ever get to the point where we are going to have \npolicy in place that allows Cyber Command to act at the \nearliest possible stages before an attack is launched, or when \nit is in its first stages of being formulated or that it might \nbe in fact imminent?\n    General Alexander. 
Well, I think the Department is working \non the standing rules of engagement that would give us \nauthorities. Now the issue will be what set of authorities will \nwe be given. And what are the conditions under which we could \nconduct those authorities still have to be determined and \nironed out within the administration.\n    I do think that is at the top of the list of the cyber \nthings that we are working on right now.\n    I know in USD Policy [Office of the Under Secretary of \nDefense for Policy] that is one of the key actions that are \ngoing on. And we talk about it on a daily basis, pushing some \nof those forward.\n    So I am confident that over the next month or two, some of \nthat will actually go through.\n    Mr. Langevin. Last question before my time runs out. And I \njust want to return back to the part of my opening statement \nwhen I talked about critical infrastructure that resides off \n``.mil'' networks such as the power grid, essential to our \nmilitary bases, and our ability to conduct full spectrum \noperations.\n    What discussions are underway to address the points of \nvulnerability? And how has the dialogue advanced in the past \nyear?\n    General Alexander. I take it----\n    Mr. Langevin. General Alexander.\n    General Alexander. Yes. I think we are making progress.\n    As you may know, the Department of Homeland Security and \nthe Defense Department established a joint collaboration \nelement at NSA [National Security Agency] to help bring those \ntwo together to actually ensure that we leverage the \ncapabilities of both departments.\n    In that respect, I think that is going forward well. I \nthink we are making progress.\n    It hasn't solved the specific questions that you have \nasked. But it is a starting point for DHS which would be the \npublic face with industry. 
And they could leverage the \ntechnical capabilities of both NSA and the FBI [Federal Bureau \nof Investigation] in accomplishing their mission.\n    I think that is useful. And it keeps us from trying to \ndevelop again another NSA or another FBI.\n    And it is exactly what I think the Nation would want us to \ndo. So we are making progress in that area.\n    I think, in my opinion, everybody has great intentions in \ndoing it correctly. There is a lot of tough issues here on what \nis the government's role in this, what is industry's role, and \nwithin the government, making sure that we have each of the \nparts right.\n    But from my perspective, we are getting that set right. And \nI am comfortable with the position and the parts that they are \ngiving us to do.\n    And those are the things that I think the Nation would \nexpect the Defense Department and Cyber Command to do.\n    Mr. Langevin. Very good, thank you all.\n    And I yield back, Chairman.\n    Mr. Thornberry. Mr. Conaway.\n    Mr. Conaway. I thank the gentleman.\n    Ladies and gentlemen, thank you for being here.\n    Holding a little bit--Ms. Creedon, you mentioned that the \nrules of engagement are under development.\n    When do you expect to have those done?\n    Secretary Creedon. It is a collaborative process between \nthe Joint Staff and the Office of Policy. And we have been \nworking on these for quite a while.\n    Mr. Conaway. Right.\n    Secretary Creedon. And so our hope is, as General Alexander \nsaid, is to have these done in a couple of months.\n    Mr. Conaway. Okay. Is there a similar effort at Homeland \nSecurity to develop their rules of engagement that you guys \ncoordinate with those guys on?\n    I don't like the look of surprise on your face.\n    Secretary Creedon. I don't know the answer to that question \nactually.\n    Mr. Conaway. I guess for us this gets back a little bit to \nwhat the chairman was talking about, and that is we have got a \nbifurcated system. 
We have got Homeland Security with certain \nresponsibilities, and the Department of Defense with others.\n    And in terms of attack, cyber attacks, it is over before \nyou know what happened. These happen at lightning speed. Even \non the threats from the Soviet Union, we had some warning if \nthey were to launch something at us.\n    And in these circumstances, that warning would be over \nwith, in a cyber-speed. And we wouldn't develop a NORAD [North \nAmerican Aerospace Defense Command], and put it under a \ncivilian umbrella to say, ``alright, you warn them, and then we \nwill tell the Department of Defense what you need to know to \nwhat to launch.''\n    And it seems to me that is what we are building here.\n    And then my question is: is that the best way to defend the \ncountry is to have that bifurcation, because I agree with \nGeneral Alexander. We don't need to replicate, nor do I think \nwe can, because the quality of NSA.\n    I don't think you replicate it. They have got the best as \nit is. And so you can't replicate that at Homeland Security, \nnor would anybody suggest that.\n    So how do we make this work given two different cabinet \nagencies?\n    Secretary Creedon. The Department of Defense supports DHS \nin a whole-of-government approach. And this is one of the \nthings that we have been working on through a variety of \ndifferent mechanisms to make sure that, just like in response \nto a hurricane, DOD would provide whatever assistance was \nnecessary to DHS to respond.\n    You know, in the event of any sort of requirement that DHS \nhad from DOD, DOD would respond.\n    Now, one of the things that we have been doing is working \nvery closely with DHS to make sure that we are tightly \nintegrated through a variety of mechanisms. So General \nAlexander just mentioned the joint cyber element which is a \ncollaborative effort.\n    There are other collaborative efforts going on including \nthe extension of the DIB Pilot.\n    Mr. Conaway. 
Okay.\n    Secretary Creedon. We are working with them very closely to \nmake sure that we can provide them everything they need.\n    Mr. Conaway. Okay.\n    General Alexander. Could I just add to that?\n    I think if we look at the different roles, the Department \nof Homeland Security is the public face for what goes on in the \nUnited States for helping to set up the standards for \nresilience, for ensuring the rest of government networks are \nset.\n    And it is forensic in nature. When attack has occurred, \nthey bring together a team--or an exploit has occurred, they \nbring together a team. And we look at that and we figure out \nwhat more we could do to set up the defense.\n    The FBI's role would be one of law enforcement. Is this a \ncriminal act? Was this espionage? And they take the lead in \nthose cases.\n    Mr. Conaway. Yes.\n    General Alexander. If it is an attack though, now it shifts \nover to, in my mind, the Defense Department. The issue is can \nwe determine the difference between those.\n    So----\n    Mr. Conaway. And I don't disagree. I don't disagree with \nthat.\n    But at that point in time, the damage is done. So that is \nwhere--now we are looking back at it, how do we put the \nhurricane damage back together?\n    And I get that part. But this----\n    General Alexander [continuing]. So----\n    Mr. Conaway [continuing]. How do you stop it before it \nhappens?\n    General Alexander. So we agree that the three centers that \nwe have, between FBI, DHS and DOD, they have to be connected \nand integrated with people from each of those centers at the \nother.\n    So that when an event occurs that is FBI or DHS lead, we \nall agree that is it.\n    But when in extremis, the worst case is if it is an attack \non the Nation. They all see that now it shifts over to a DOD or \nwhoever the President has determined responsibility.\n    Mr. Conaway. Okay----\n    General Alexander. 
Because that is where the standing rules \nof engagement would actually----\n    Mr. Conaway [continuing]. Are those going to be quick \nenough in cyber to make a difference to stop the attack?\n    General Alexander. Well, that is what we are pushing for. \nWhat I am pushing for is to have those that can actually allow \nus to prevent----\n    Mr. Conaway. Right----\n    General Alexander [continuing]. And protect.\n    Mr. Conaway. Okay.\n    The DIB [Defense Industrial Base Pilot Project], the \nenhanced project, pilot project, whatever, how do we know that \neverything that we know that the private sector didn't already \nknow, and that we have over classified or we are protecting \ndata or information or at times modalities that are already \nknown to the private sector?\n    Where in the team do you look at that and say, you know, \nthis really is a secret that only we know or something that is \nbroader and we don't have to overlap and duplicate things?\n    General Alexander. That is a great question. I think it can \nbe more easily answered in a classified environment.\n    I think to hit this though, we do have capabilities that we \nare able to share the signatures with the companies. And we \nknow, based on their defenses, whether they have that signature \nor not.\n    Mr. Conaway. Okay.\n    General Alexander. And so the ability to share that, and we \ncan also see what companies after the fact did not have that \nbecause they have been exploited by it.\n    This is an area where information sharing would be \nabsolutely vital to stopping some of these exploits that are \ngoing on right now.\n    Mr. Conaway. All right.\n    Thank you, Mr. Chairman.\n    Mr. Thornberry. Thank you.\n    Mr. Andrews. Thank you, Mr. 
Chairman.\n    I want to focus on something that you have heard from \nseveral members of the committee and that is this notion that a \nhuge percentage of our critical assets are in the private \nsector, and how we deal with that.\n    I think you have all done a really good job given the way \nwe have collectively defined the problem. But I think we have \ncollectively misdefined the problem.\n    For years, for a couple of centuries, the way Newton viewed \nphysics was the right way to view it. And the data he collected \nweren't wrong. They were right given his premises. And then \nEinstein came along with the theory of relativity and the whole \nworld changed.\n    And what I am hearing thread through this discussion, I \nthink, is two misperceptions. First is that we centered the \njurisdiction to take care of the utility companies, and the \ncommercial sector, and homeland security because this is a \nthreat to the homeland.\n    I think the question should be: where is the threat from, \nnot what is it to?\n    And although we have domestic hackers who are criminals, I \nthink that the principal threat that we face would be \nasymmetric warfare or state-to-state warfare, propagated by \nenemies outside the country.\n    So I would question whether that is the right assumption.\n    And then the second one is that we have had a lot of \ndiscussion here about the rules of engagement once the attack \nhas occurred. I would chime in what Mr. Conaway just said.\n    The attack has occurred. It is kind of over in a lot of \nways. And there is not a whole lot to respond to once a system \nis corrupted.\n    I think the premise--the focus ought to be on prevention \nrather than engagement once the attack has begun. 
And it \nstrikes me that--well, it strikes me that because these \npremises are wrong, and this might violate hundreds of years of \ntradition of Posse Comitatus.\n    I think if we are worried about a threat coming from \noutside the United States to attack critical infrastructure, to \ncripple our economy, our telecommunications systems, our power \ngrid, that the Defense Department ought to be the focal point \nof the effort, number one, because our technology is more \nadvanced, and because the agency is geared that way.\n    And number two, I think our focus ought to be hardening our \nsystems to prevent an attack, number one. And then talk about \nresponding to it once it occurs.\n    What is wrong with that analysis?\n    Secretary Creedon. There is a lot in there. Let me unpack \nit just a tiny bit.\n    Mr. Andrews. All right.\n    Secretary Creedon. So first, let me just touch briefly on \nthe international side of it.\n    So right now, the Department is very much engaged with a \nnumber of our allies, particularly our close allies, Canada, \nU.K. [United Kingdom], Australia, and New Zealand. And we are \nworking with them to enhance our collective security and our \ncollective awareness.\n    So we are not in this just alone looking outside from here.\n    So we really are trying to build an international----\n    Mr. Andrews. But if I may, if----\n    Secretary Creedon [continuing]. Provide----\n    Mr. Andrews [continuing]. The lead agency to defend us \ninternally is Homeland Security, then it strikes me that an \nagency that regularly interacts with other governments ought to \nbe the lead here, right?\n    I mean, Homeland Security doesn't really interact all that \nmuch with the intelligence or tech capabilities of Germany or \nBrazil or whomever, do they?\n    Secretary Creedon. Well, they also have through an \norganization called the Ottawa Five. 
DHS, as well as others do \nparticipate in international forums.\n    DOD is working with the militaries of our close partners to \nbe prepared and to have the situational awareness.\n    Now the other thing that helps is information on all the \nnetworks. And so the various forms of cyber legislation that \nare pending, would also allow us additional situational \nawareness through the information sharing that would be allowed \nunder the authorities that are provided----\n    Mr. Andrews. I am glad that is happening----\n    Secretary Creedon. [Inaudible]----\n    Mr. Andrews [continuing]. I am also glad this pilot program \nis happening.\n    But I would just suggest to the chairman as the legislation \ngoes forward, one of the things we ought to really be thinking \nabout here, the way I look at it, is that how do we assure that \nour utility companies, and our banking system, and our power \ngrid people, and then all the others have the hardest systems \nthey can possibly have, and have access to the best available \ntechnology on an ongoing basis as they have?\n    And frankly, my observation would be that we are not there. \nAnd it is not because of the efforts of these outstanding \npeople, but it is because the way we define and conceptualize \nthis problem, I don't think is right.\n    And I would yield back.\n    Mr. Thornberry. I think the gentleman makes some \ninteresting and fair points. Part of my reaction is that is why \nwe need to take this step and a step-by-step, although there is \na lot of urgency to be taking some steps.\n    And so we will have the opportunity to do that, I think, as \nI mentioned, in about a month on the House floor.\n    We are going to have to recess. We have got two votes. I \napologize for the break.\n    But we will be back in just a few moments.\n    And with that, we will stand in recess.\n    [Recess.]\n    Mr. Thornberry. The hearing will come to order.\n    Again, thank you all for your patience.\n    Ms. 
Takai, I would like to ask you about a couple of areas.\n    You mentioned in your opening testimony about what I would \nterm essentially consolidation of information databases and so \nforth.\n    You know, obviously this is a trend where everybody talks \nabout the cloud, partly for efficiency, partly for convenience. \nI am sure you have looked at these issues.\n    One side says that if you store your data in a repository, \nit is easier to protect. Because you can ensure that the \ndefenses on that data are adequate.\n    Other people say if you put it all in one place, once you \nget in you have got everything.\n    So can you just briefly explain to us your reasoning on \nprotecting the Department's data. And how you think that debate \ncomes out.\n    Ms. Takai. Certainly.\n    Well, there are two ways I think to look at the way we are \napproaching moving to a cloud architecture as it relates to our \ninformation and our infrastructure.\n    One of them is that we truly believe that we will be able \nto, in a more uniform way, protect our information by moving to \nmore standardized platforms and ways of operating from an \ninfrastructure-protection standpoint.\n    Now, the thing I think that is important, the one point \nthere, is that for us that doesn't necessarily mean one cloud \nonly. With our size and scope, as we are moving to \nmodernization, as we are moving to consolidation, we will be \ndoing it in stages.\n    So we will be looking at what services are going to be \nprovided by each one of the military services, and the way they \nare moving to their own clouds. 
And then we will be looking at \nan enterprise cloud to provide services like identity \nmanagement, enterprise e-mail, some of those things that we \nneed across the Department from an information sharing \nstandpoint.\n    The second point then though that is important is that as \nwe look at the protection of the cloud, while in fact we are \ngoing to be able to better protect as we get more standardized, \nthe other thing is that we are not looking at just the \nprotection at the perimeter of the cloud.\n    We are looking at actually putting mechanisms in place--and \nthe commercial sector does this in some instances--where in \nfact, when we know that there will be instances where we may \nhave a breach of the external perimeter of that cloud, and we \nneed to be able to protect at the information level.\n    And that is why we are focusing very much on identity \nmanagement so we know who is in the cloud. And we are also \nlinking that to what information that particular individual has \naccess to.\n    So it is really both of those that really gives us an \nassurance that as we move to that kind of an architecture, that \nwe will be able to better protect our information.\n    Mr. Thornberry. Okay. Let me change topics completely.\n    You mentioned spectrum in your opening statement as well. \nAgain from a very broad perspective, my sense is that as we all \nrely more and more on various devices that connect to the \nInternet, spectrum becomes a bigger and bigger issue.\n    Can you just briefly describe for a lay person how you see \nthat moving ahead for the Department of Defense, and how the \ninvestments we are making now, where they lead us?\n    You know, so periodically, you know, we will have a bill. \nAnd we will reallocate spectrum in some way or another. But \nstill there is a finite amount to reallocate----\n    Ms. Takai. Right.\n    Mr. Thornberry. And so we are going to have to have a \ndifferent approach, aren't we?\n    Ms. Takai. 
Yes, sir. One of the things that we are doing \nright now is to actually do a spectrum study around our full \nuse of spectrum. And look at what are the issues going forward.\n    Now some of the things that we are looking at for instance \nis when do we think there will be viability in spectrum \nsharing. That is still very much in the early stages. And we \nare looking at when that might be a viable option.\n    The second is to your point. Even though and even with the \ncommercial need for spectrum, we also are becoming greater \nusers of spectrum as we move to more unmanned vehicles, as we \nmove to, you know, many of the ISR [intelligence, surveillance, \nand reconnaissance] capabilities. So we are the users of \nspectrum as well.\n    So the other piece is going to be for us to look at how we \nbetter use the spectrum that we have. And then thirdly, how we \nlook at some of the less crowded bands of spectrum which in \nsome cases will cost us more to be able to utilize.\n    But as we are looking at programs, again to the point you \nare making, out in 10 to 25 years, how do we make sure that our \nfuture acquisition programs are recognizing the commercial \ndemand for spectrum, so that we are pointing those in the \ndirection of where we believe we will have a greater \nopportunity to have dedicated spectrum going forward.\n    But again, the challenge is in some of those cases it may \nmean that there are costs to the programs in order to move \nthere. But when we balance those against the other economic \nissues that I think we are facing as a nation, that that will \nbe the better way to go.\n    I think the last thing I would mention is that the \nchallenge around our utilization of spectrum is now very much \nbecoming an international issue. 
We just finished with this \nyear's World Radio Conference.\n    And clearly going into the World Radio Conference in 2015, \nthe issue of the utilization of spectrum not only here in North \nAmerica, but now the growing demand coming out of the \ndeveloping nations, is also going to make us take a very hard \nlook at the way that we are using spectrum globally.\n    So those are some of the issues we have coming at us in the \nfuture.\n    Mr. Thornberry. I think it is helpful if you and others in \nthe Department can alert us where we may have higher initial \ncosts based on future assumptions about spectrum. That kind of \nhelps explain to us some of the higher initial costs which we \nare asked to support.\n    Mr. Johnson.\n    Mr. Johnson. Thank you, Mr. Chairman, and thanks to our \nwitnesses for joining us today.\n    General Alexander, I have got a number of questions that I \nthink are structured in such a way so as to easily elicit a yes \nor no response. So if I could get your agreement to answer the \nquestions in that way.\n    And if you want to explain them after, I will certainly \ngive you a chance to explain.\n    But General Alexander, if Dick Cheney were elected \nPresident and wanted to detain and incessantly waterboard every \nAmerican who sent an e-mail making fun of his well-known \nhunting mishaps, what I would like to know is does the NSA have \nthe technological capacity to identify those Cheney bashers \nbased upon the content of their e-mails?\n    Yes or no?\n    General Alexander. No. Can I explain it?\n    Mr. Johnson. Yes.\n    General Alexander. The question is where are the e-mails, \nand where is NSA's coverage?\n    I assume by your question that those e-mails are in the \nUnited States.\n    Mr. Johnson. Correct.\n    General Alexander. NSA does not have the ability to do that \nin the United States.\n    Mr. Johnson. 
What about if the--when you say the e-mails \nare located--let us make sure we are talking about the same \nthing.\n    An American e-mailing another American about Dick Cheney, \ndoes the NSA have capacity to find out who those parties are by \nmonitoring--by the content of their e-mail?\n    General Alexander. No. In the United States, we would have \nto go through an FBI process, a warrant to get that and serve \nit to somebody to actually get it----\n    Mr. Johnson. If it were----\n    General Alexander. [Inaudible]----\n    Mr. Johnson [continuing]. But we do have the capability of \ndoing----\n    General Alexander. Not in the United States.\n    Mr. Johnson. Not without a warrant.\n    General Alexander. No, no, we don't have the technical \ninsights in the United States. In other words, you have to have \nsomething to intercept or some way of doing that either by \ngoing to a service provider with a warrant, or you have to be \ncollecting in that area.\n    We are not authorized to collect. Nor do we have the \nequipment in the United States to actually collect that kind of \ninformation.\n    Mr. Johnson. I see.\n    General Alexander. Does that make sense?\n    Mr. Johnson. Thank you. Yes, it does.\n    General, an article in Wired Magazine reported this month \nthat a whistleblower, formerly employed by the NSA, has stated \nNSA's signals intercepts include, quote, ``eavesdropping on \ndomestic phone calls and inspection of domestic e-mails.''\n    Is that true?\n    General Alexander. No, not in that context. The question \nthat--or I think what he is trying to raise is: are we \ngathering all the information on the United States?\n    No, that is not correct.\n    Mr. Johnson. The author of the Wired Magazine article whose \nname is James Bashford. He writes that NSA has software that, \nquote, ``searches U.S. sources for targeted addresses, \nlocations, countries, and phone numbers, as well as watchlisted \nnames, key words, and phrases in e-mail. 
Any communication that \narouses suspicion, especially those to or from the million or \nso people on the agency watchlist, are automatically copied or \nrecorded and then transmitted to the NSA.''\n    Is this true?\n    General Alexander. No, it is not. Is that from James \nBashford?\n    Mr. Johnson. Yes.\n    Does the NSA routinely intercept American citizens' e-\nmails?\n    General Alexander. No.\n    Mr. Johnson. Does the NSA intercept Americans' cell phone \nconversations?\n    General Alexander. No.\n    Mr. Johnson. Google searches?\n    General Alexander. No.\n    Mr. Johnson. Text messages?\n    General Alexander. No.\n    Mr. Johnson. Amazon.com orders?\n    General Alexander. No.\n    Mr. Johnson. Bank records?\n    General Alexander. No.\n    Mr. Johnson. What judicial consent is required for NSA to \nintercept communications and information involving American \ncitizens?\n    General Alexander. Within the United States that would be \nthe FBI lead. If it was a foreign actor in the United States, \nthe FBI would still have the lead and could work that with NSA \nor other intelligence agencies as authorized.\n    But to conduct that kind of collection in the United \nStates, it would have to go through a court order. And the \ncourt would have to authorize it.\n    We are not authorized to do it nor do we do it.\n    Mr. Johnson. Thank you.\n    General, the NSA is an agency of the Department of Defense. \nAnd you are, in addition to your responsibilities as CYBERCOM \ncommander, you are a director of the National Security Agency.\n    What limitations does the Posse Comitatus Act place on the \nNSA's legal authority to intercept domestic communications?\n    General Alexander. Well, I think the intent of the Posse \nComitatus, and the impacts that we have for collecting in the \nUnited States are the same. And the fact is we do not do that \nin the United States without a warrant.\n    Mr. Johnson. Thank you.\n    And I will yield back.\n    Mr. 
Thornberry. I thank the gentleman.\n    Let me--I am not sure. This may be Ms. Takai and General \nAlexander, but in the 2010 Defense Authorization Act, we passed \nSection 804, that directed DOD to develop and implement a new \nacquisition process for IT systems.\n    And then in the 2011 Defense Authorization Act, we directed \nDOD to develop a strategy to provide for rapid acquisition of \ntools, applications, and other capabilities for cyber warfare \nfor the United States Cyber Command, and cyber operations of \nthe military departments.\n    Can either or both of you all give us an update on where \neach of those authorities or requirements stand now?\n    Ms. Takai. Yes, perhaps I can start. And General Alexander \ncan add on.\n    Let me start with the acquisition reform which is the 804.\n    I think that report was delivered. And we are in the \nprocess of implementing those changes.\n    Those are going--some of those changes that were in the \nreport are going into the DOD 5000 process which I think all of \nyou know is our acquisition process.\n    In addition, we are implementing many of the \nrecommendations, particularly around what we call ``agile \ndevelopment methodologies'' that allow us to turn out product \nmuch more quickly, in a much more cyclical fashion, if you \nwill, and to take large projects and put them into smaller \ndeliverable chunks.\n    So there are any number of actions against the 804 that we \nare in the process of developing and delivering on. And we are \nactually using those in our project delivery.\n    As it relates to the rapid acquisition from a cybersecurity \nperspective, we have all been working with the Acquisition, \nTechnology, and Logistics organization on the response to \nCongress on that which is known as our 933 Report.\n    We are actually now all coordinating on what we believe is \nthe final version of that report. 
In fact, we all saw it over \nthe weekend with the request that we would get our comments \nback in, because I think that Mr. Kendall knows that that needs \nto come forward.\n    It is looking at any number of different areas. It is \nlooking at actually being able to provide General Alexander \nwith several different ways of going at acquisition to make \nsure that he can turn them more quickly. But also taking \nrecognition that there will be some large project expenditures \nincluded in that as well.\n    So I think you can expect to see that report fairly \nshortly.\n    Mr. Thornberry. Well, I will just say for myself, if as you \nwork through those issues, if you believe additional \nauthorities are needed, please let us know. Because it makes no \nsense at all for us to operate at the speed of the industrial \nage in cyberspace, and then basically that is what we are \ntalking about here.\n    And so, you know, I will look forward to receiving the 933 \nReport. But please keep in mind that if you all decide you need \nadditional authorities, we want to know that.\n    General Alexander it was kind of an interesting \nconversation with Mr. Andrews a while ago. And part of--it \nseemed like that conversation was--we know for sure who is \nlaunching an attack or exploitation--just in this setting in a \nbrief way, can you summarize the threat in cyberspace as you \nare seeing it and as Cyber Command has to calibrate its efforts \nto deal with?\n    General Alexander. I characterize the threat, Chairman, in \nthree ways.\n    Largely what we see is exploitation and the theft of \nintellectual property. That is what is going on in the bulk of \nthe cyber events that we see in the United States.\n    In May of 2007, we witnessed a distributed denial-of-\nservice attack. 
Think of that as a disruptive attack against \nEstonia by unknown folks in the Russian area and around the \nworld, and then subsequently we have seen in Latvia, Lithuania, \nGeorgia, Azerbaijan, Kyrgyzstan.\n    What we are concerned about is shifting from exploitation \nto disruptive attacks to destructive attacks.\n    And what concerns us is that the destructive ones, those \nattacks that can destroy equipment, are on the horizon. And we \nhave to be prepared for them.\n    I do think the two things--if I could just state two things \nmore clearly. We talked about the rules of engagement which \nwould be key on this.\n    We do have rules of engagement in 2004. What we are talking \nabout is updating those to meet this evolving threat. So that \nis the key that the Department is working on.\n    The second is we do need DHS in this mix for a couple of \nreasons.\n    The Department of Homeland Security, I think, should be the \npublic face for all the reasons. And Mr. Johnson brings out a \ngood one. The American people have to know that what we are \ndoing is the right thing, that we are protecting civil \nliberties and privacy. And that we are doing this in a \ntransparent manner.\n    By having DHS working with FBI, NSA, and DOD all together, \nthere is transparency in that. At least the government and \neverybody will know that we are doing it right.\n    Two, I think they are the ones that need to set the \nstandards for other government agencies and work with them to \nensure those networks are defensible. If we tried to do that, \nit would sap much of our manpower that you really want us \nfocused on defending the country and going after the \nadversaries in foreign space.\n    That is where we should operate. And I think there is \nsynergy there in doing that.\n    Mr. Thornberry. Okay, thank you.\n    Ms. 
Creedon, you have, at several times today, mentioned a \nvariety of efforts underway in the administration to update \nauthorities, rules of engagement, a whole variety of things.\n    It seems to me that there are a host of difficult policy \nissues involved in cybersecurity, not all of which are DOD-\nfocused. And yet it has been challenging for me at least, to \ntry to get my arms around what the questions are, what those \ntough issues are.\n    Are you all--is the DOD policy shop--for lack of a better \nway to describe it--compiling a list of the tough policy \ndecisions that not just the administration, and not just the \ngovernment, but the country is going to have to grapple with as \nmore and more of our lives are dependent upon, and even to some \ndegree lived in cyberspace.\n    Secretary Creedon. Well, DOD has certainly been working on \nthose things that are within DOD's realm. And among those are \nsome of the issues that we recognize that we share with the \nother agencies.\n    And so, I mean, to go back to the legislation again, some \nof the common elements, but certainly in Lieberman-Collins \nbill, you know, some of the elements in that bill are the \nresults of the work that the whole interagency, including DOD, \nhave done to identify those things where we really do need some \nadditional input.\n    So that legislation for instance in terms of coming up with \nmethodologies to protect critical infrastructure protection, so \nthe bill would urge the setting of standards--would direct the \nsetting of standards.\n    The sharing of information, this again is a very delicate \nsituation where how do we share the right information to make \nsure that we have visibility into what is going in networks, \nbut are not doing anything to disrupt civil liberties and \nprivacy protection. 
So, you know, working that sharing issue, \nworking the liabilities issue.\n    So some of the work that has been done within the \ninteragency that really fleshed out these harder issues where \nwe really do need a system of legislative assistance. Those are \nin the bills.\n    The other things we are working internally and those are \nthe things that for the most part DOD believes we can do \ninternally.\n    Mr. Thornberry. Okay. Well----\n    Secretary Creedon. With guidance from the President, \nobviously, because----\n    Mr. Thornberry. Sure.\n    Secretary Creedon [continuing]. At the end of the day, it \nis the President's authority.\n    Mr. Thornberry. Yes. And I appreciate that. I recognize a \nwhole host of proposals are in the administration's cyber \nlegislation draft.\n    The only thing I would say is that a lot of these issues \nthat probably are DOD exclusively, or DOD-centered, about what \nis war in cyberspace, how do we defend the country--some of the \nthings that we have talked about already today.\n    I think that is going to require more than just an internal \nadministration process.\n    And I would just say that as the policy office and as the \nlawyers grapple with some of these difficult decisions on what \nwarfare means in cyberspace, that a dialogue between the \nadministration and Congress, and ultimately between the two of \nus and the country, is really going to be essential.\n    We will not be able to impose an Obama administration \npolicy on this, or even a government policy on this. It is \ngoing to have to be--it is a little bit--I analogize it to TSA \n[Transportation Security Administration].\n    Sometimes the government tries something and it is really \nstupid. And people rebel against it.\n    And so they rethink. And they find a little smarter way.\n    And we haven't found a smarter way to do it all yet. 
But my \npoint is it is part of a give and take on some of these \ndifficult issues.\n    And I think that is especially true when it comes to \nArticle 1, Section 8, and as it applies to the Congress on \ndeclaring war, and how can you do that at the speed of light.\n    So I know that is kind of long and philosophical. But my \npoint is, it is going to take us working together to work \nthrough these issues. And some more dialogue on these tough \nissues that don't have easy answers, I think would be helpful \nfor the country.\n    I yield to Mr. Langevin for any questions.\n    Mr. Langevin. Thank you very much. To the panel again, \nthank you for your patience today and your testimony and the \ngreat work you are doing.\n    You know, before I begin, the question that Mr. Johnson had \nasked, I think, you know, this certainly to the degree to which \nMembers have those concerns a question is important to be \nasked.\n    It has just been my experience, General, I just wanted to \nsay from a personal perspective, having observed you and \ninteracted with you over the years now, I have always been \nimpressed with the degree which you and the folks at NSA go to \nthe nth degree to try to always ``dot the i's'' and ``cross the \nt's'' and stay within the confines of the law. And it is \nreassuring that you have that dedication and respect for the \nother work that you folks are doing, so.\n    I had a question on the DIB Pilot.\n    Lessons learned--what lessons have you drawn from the \nDefense Industrial Base Pilot? And how have you captured the \nrecommendations from Carnegie Mellon's evaluation of the \nprogram?\n    There was some, you know, criticism. Some, you know, didn't \nthink it worked as well as it was intended. And improvements \nstill need to be made.\n    But can you talk to us about lesson learned.\n    General Alexander. Absolutely, Congressman.\n    First, we did the DIB Pilot. As you know, it started in \nAugust. 
And we started the evaluation not too long after.\n    And so one of the key things that we saw as an issue was \nhow do we share sensitive signatures with industry?\n    And when we started the pilot, we had not worked our way \nthrough sharing all those sensitive signatures with industry in \na classified form. And I think the result of that is some of \nthe early results were not much different than what they \nalready get from their own means for getting signatures.\n    I think once we started sharing those signatures, and it \ntook us a while, so that was our fault. But once we started \ndoing that, and they saw the value of that in specific cases, I \nthink that was a way of turning the corner.\n    The other thing that became clear as we went into this is \nindustry doesn't always see when somebody is trying to attack \nor exploit them. And so having a forum that somebody could say, \n``Hey, somebody is trying to get into your network. You need to \nknow it,'' is useful for industry as much as it is for \ngovernment to know when somebody is trying to attack us.\n    So I think from my perspective, the lessons learned were we \nhave got to be quicker on sharing. I think we have solved that \nproblem. And you can see now we are sharing.\n    In fact the companies that initially were not as favorable, \nnow have turned that around and have reentered that pilot \nprogram. I think that is a huge plus.\n    And the other one is the information sharing, which is a \nmajor part of the legislation. All the legislative packages \nthere which means that we can share with industry, industry can \nshare with us. And we have the ability to tip in queue, from my \nperspective in real time, optional. But I think that is going \nto be key to defending ourselves in cyberspace in the future.\n    Mr. Langevin. Very good.\n    Anyone else on the panel care to respond to that? 
Take your \nquestion about lessons learned on DIB or did the General cover \nit?\n    Okay.\n    What feedback loop do you have to ensure that what is \nshared of a classified nature isn't widely known in the \nindustry and thus shouldn't really be classified?\n    Is that a fair question?\n    General Alexander. There are two ways of doing that.\n    If we see information that is widely used, then we should \ndeclassify it. In other words, widely available, everybody is \nseeing it.\n    If we have sources and methods that are sensitive and \nclassified and not widely used, then I think we would keep that \nclassified.\n    Think of that as the difference between Enigma and other \npublic forums--if we have an Enigma-like fact in cyberspace, \nyou would want us to protect that.\n    And the issue is now in cyberspace, but we are going to \nhave to share that with some industry so that they too can be \nprotected from it.\n    If it is widely known the anti-virus community has it, we \nshould declassify it and get it out. And I think that is the \napproach that we are trying to take on it.\n    The issue will be trying to identify those at network \nspeed. And I think we will get better as we exercise in this \narea. As we work with industry, I think we will get better in \ndoing that.\n    Mr. Langevin. Fair enough.\n    Does the DIB in its pilot have an industry ombudsman to \nhelp broker the relationship and information sharing exchange \nbetween industry and government?\n    Or is that something that is planned?\n    General Alexander. Actually, we used the DIB--we actually \nhad an existing relationship that Ms. Takai and her folks ran \nthat we actually used as the forum for starting the sharing \nrelationship with DIB companies.\n    So we did have that.\n    And I think that started off pretty good. And it set the \nframework for how we actually put the DIB process together. 
It \nwas based on an existing set of relationships that already \noccurred between the CIO's office and industry.\n    So that was the starting point. And I think that was a good \nstarting point. And it gave us a basis to go ahead.\n    Ms. Takai. Well, I think it is important to note that out \nof the total number of DIB companies involved, we have about \n200 companies that are in what we call our information sharing \neffort. And 37 of those are included in the DIB Pilot.\n    And it is our intention--we have a rule, a Federal rule \nthat is going through now to be able to expand beyond the 200 \ncompanies, and be able to roll out to more DIB companies going \nforward from the standpoint of actually being able to share, \nboth from the standpoint of our threat information, but also in \nterms of what the companies are experiencing.\n    And we are seeing a number of areas just based on data \ncollection from those companies that we are getting information \non threats that we would not have seen otherwise. And they are \ngetting information from each other as well as from us about \nwhat the threats are and what the mitigation could be.\n    And I think that complements well then the DIB Pilot \nprocess which was focused very much around the ISPs [Internet \nService Providers] and being able to get some of that \nprotection piece of the information--or taking the information \nsharing and moving it to the protection piece.\n    So the two programs really go hand-in-hand. And one builds \nfrom the other.\n    Mr. Langevin. Good.\n    Secretary Creedon. If I----\n    Mr. Langevin. Okay, go ahead.\n    Secretary Creedon. If I can just add one piece to this. 
So \nas we go forward and we make this pilot permanent, and DHS \nbecomes lead, one of the advantages of having DHS in the lead \nis that DHS will also then be able to add additional signatures \nto the process that they see.\n    And the second piece of this is as we work with the ISPs, \nthe ISPs then can take these capabilities and they can provide \nthose security services to others who utilize their services as \nwell.\n    So through DHS and through this mechanism of making it \npermanent, we can actually provide more of an envelope of \nprotection beyond just the defense industrial base folks \nthrough the use of the ISPs.\n    Mr. Thornberry. If the gentleman will yield for just a--is \nthere a--one always hears about limits on scalability here. Is \nthere--you said 200 companies going to more. Is there a limit?\n    Ms. Takai. Right now we are going to be limited by the \nresources because clearly reaching out, working with each of \nthe companies, working through the structured memorandums of \nunderstanding that we need to have is going to be our gating \nfactor in terms of number of companies.\n    General Alexander. If I could, just to help clarify on \nthis. That is under the current thing. If we have information \nsharing agreements, that greatly simplifies that process.\n    The technical way essentially allows us to use the power of \nthe Internet. And so this will scale the approach that we are \ntaking in the DIB Pilot in terms of the technical capability to \nprotect all that we need to protect.\n    Where other solutions that we have put forward do not scale \nas easily, and are so cost prohibitive that from our \nperspective going to the DIB Pilot, managed security services, \nor whatever we call it, is probably the best thing to do for \nthe country and the cheapest, most efficient way.\n    I think they addressed that problem though is the \ninformation sharing thing is key to making that work.\n    Does that make sense?\n    Mr. Thornberry. 
Yes, sir. And that is why I wanted to try \nto delve down into that just a little bit.\n    And I appreciate the gentleman yielding.\n    Mr. Langevin. Yes, no, that is a great question.\n    And obviously I think we all can agree that the most \neffective defense that we can have, or programs we have to \ndefend our networks is this information sharing aspect. And you \nhave situation awareness, you can see what is coming at you, \nwhat to defend against. It is a force multiplier and highly \neffective.\n    What about leap-ahead technologies in the R&D realm? Are we \nany closer--I find that a fascinating statistic that, or fact \nthat the lines of code of the attackers as I understand it has, \nbasing the tax signatures, has stayed relatively constant. And \nyet the defense--the lines of code in defending against these \nattacks has grown exponentially.\n    And how are we doing on the R&D front in terms of, you \nknow, more robust defense?\n    General Alexander. I have seen, Congressman, those \nstatistics.\n    What we are seeing is that, you know, the millions of lines \nof codes that people quote for the defense is for much more \nelegant defense.\n    Of course you can come up with a small piece of malicious \nsoftware that is only 125 or whatever they stated this small \nthing. But the reality is I think they are in balance.\n    I think the key thing is the offense has the advantage \nhere. Those exploiting or attacking the system has the \nadvantage.\n    What we need to do is move to a system then that leverages \nthe power of the network to bring this back.\n    From our perspective, that is using the capabilities of all \nthe government agencies and industry to bring what we know \nabout that network and the vulnerabilities that we have to \nlight so that we can defend against them.\n    I think the other part that Ms. 
Takai talked about was the \ngoing to the IT infrastructure of the future, this thin virtual \ncloud environment will make it a much more defensible \narchitecture.\n    I think that is key to the future. Both of those are some \nof the things that we actually have to go through.\n    Mr. Langevin. Very good. And my last question, if I could, \njust going back to the DIB Pilot, in terms of the costs that \nwas some of the concerns that, you know, companies had. You \nknow, who is going to bear the cost for all this?\n    Where are we on that? Has that been worked out or is it \nstill a work in progress, if you will?\n    General Alexander. Informally, it looks like the cost per \nseat per month would be somewhere between 30 cents and $1 or \n$2. And so the costs have come way down which makes this much \nmore manageable.\n    So if you had 6,000 seats, you are talking somewhere \nbetween, you know, $1,800 and maybe $6,000 a month for that \nlevel of service. I think the Internet Service Providers are \nactually making great progress in this way which would make \nthis something that people would actually say, that is worth \ndoing.\n    Does that make sense?\n    Mr. Langevin. Yes. And that is news to me. That is very \nhelpful. I didn't realize that we are moving in the right----\n    General Alexander. We would like to get it to 30 cents a \nseat. I think it is going to be somewhere in that range. And I \nthink, you know, depending on what they add in, somewhere in \nthere.\n    But it is clearly more cost-effective than the way that we \nwere going.\n    Mr. Langevin. Excellent. Very good, that is good \ninformation to have.\n    With that, I want to thank you all again for your patience \ntoday and testimony, the great work you are doing. And look \nforward to our continued work together. It is a big issue.\n    And Mr. Chairman, thank you for the time and attention you \nhave given to this issue as well.\n    Thank you.\n    Mr. Thornberry. Well, thank you. 
I agree with everything \nyou just said.\n    I appreciate you all being here, and your patience, and the \nchance for us to continue to work together on these issues.\n    With that, the hearing stands adjourned.\n    [Whereupon, at 4:05 p.m., the subcommittee was adjourned.]\n\n\n\n=======================================================================\n\n\n\n\n                            A P P E N D I X\n\n                             March 20, 2012\n\n=======================================================================\n\n\n\n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             March 20, 2012\n\n=======================================================================\n\n\n\n    [GRAPHIC] [TIFF OMITTED] 73790.001 through 73790.048\n
\n      \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                             March 20, 2012\n\n=======================================================================\n\n      \n                  QUESTIONS SUBMITTED BY MR. LANGEVIN\n\n    Mr. Langevin. Are you confident in the state of the career paths \nfor cyber professionals, and do you feel that your recruiting, \nretention, and career progression needs are being adequately addressed?\n    Ms. Takai. In light of emerging cyber threats, cyber workforce \nroles, responsibilities and skill requirements continue to evolve, not \nonly in, but across the Federal Government and industry. 
DOD is working \nwith the Federal Government through the National Initiative for \nCybersecurity Education (NICE) and Federal CIO Council to identify \ncurrent and forthcoming cyber skill requirements, define career paths \nfor cyber professionals, and to determine the optimal courses of action \nto ensure a pipeline of cyber professionals is available to meet \nmission mandates. These efforts may result in new requirements and \nmethodologies in the recruitment, retention and career management of \nthe Department's cyber workforce.\n    Currently, several strategies are in place to aid in recruiting and \nretaining a skilled cyber workforce. Federal direct-hire authority \nprovides with flexibility in recruiting and hiring select information \nsecurity (cybersecurity) personnel within the civilian IT Management \nseries. DOD also has Schedule A hiring authority for select \ncybersecurity positions for certain IT and non-IT civilian job series; \nthe Department is working with the Office of Personnel Management (OPM) \nto extend and enhance this authority as it expires in December 2012. \nDOD uses the Information Assurance Scholarship Program (IASP) to \nattract students from top universities and colleges, and to retain \npersonnel with cyber and information assurance skill sets who wish to \nfurther their education. In addition, CIO oversees the Information \nResources Management College (iCollege) of the National Defense \nUniversity, which recently introduced a Cyber Leadership Program. These \nauthorities and programs, along with military recruiting and retention \nbonuses, are currently used to recruit and retain cyber personnel and \nare essential to maintaining the health of this community.\n    Mr. Langevin. How is DOD capturing lessons learned from real-world \ncyber events and major exercises?\n    Ms. Takai. Real world lessons learned are submitted to the Joint \nLessons Learned Information System (JLLIS) database system of record. 
\nJLLIS is the system of record for Lessons Learned. Typically, they are \ncommunicated in the form of Situational Awareness Reports (SARs). For \ncertain major events, a detailed analysis of the incident is conducted, \nwith the results published as an SAR, which details the incident, \nthreat tactics, techniques and procedures, as well as countermeasures/\nmitigation options. Lesser events are often documented in quarterly \nSARs that show trends, common TTPs, systemic issues, etc. Exercise \nlessons learned also are inputted into JLLIS and their capture in the \ndatabase has greatly improved over the last 12 to 18 months. Anyone \nwith SIPR access may request an account to access JLLIS content.\n    In addition to JLLIS, the Military Departments track major events \nvia their respective database systems. For example, Army Computer \nNetwork Defense (CND) events are tracked in ACID, the Army CND Incident \nDatabase. The Navy Lessons Learned System (NLLS) is the Navy's process \nfor collection and dissemination of significant lessons learned, \nsummary reports and port visit reports from maritime operations, \nexercises and other events.\n    Mr. Langevin. What more can be done to engage our allies, \nespecially NATO? How can we leverage DOD ``building partnership \ncapacity'' authorities to train and equip foreign forces to improve our \nallies' capabilities related to cyber operations?\n    Ms. Takai. We are engaging our key allies and partners, including \nNATO, through agreements to share unclassified and classified cyber \ndefense information. We may be able to do more by focusing on producing \nmore classified cyber defense information which is releasable to these \nallies and partners. We are leveraging theater security cooperation \nprograms in the Geographic Combatant Commands by including ``building \ncyber defense capacity'' with a focus on treaty allies and priority \npartner nations. 
This effort is led in the CIO by our International \nCyber Security Program and coordinated with the Geographic Combatant \nCommand, Joint Staff and OSD Policy. Initially this generally consists \nof training all levels of cyber leadership and practitioners in cyber \ndefense best practices. This should establish an incident response \ncapability (e.g. a CERT) with the appropriate policies in place to \ngovern network operations and cyber defense. This may evolve into \ngreater information sharing and potentially exercises once a capability \nis developed. Additionally CIO semi-annually hosts an international \ncyber defense workshop to provide a week long virtual training workshop \nto over twenty nations. We regularly invite more than forty nations to \nthe workshop and usually have 25 or more participate.\n    Mr. Langevin. What discussions and actions are going on within NATO \nto improve the capabilities of the alliance to deal with cyber threats?\n    Ms. Takai. NATO developed a new cyber defense concept in March \n2011, a new Cyber Defense Policy in June 2011 and from that policy a \ncyber defense action plan to improve NATO's internal cyber defense \ncapability as a priority, additionally providing advice or assistance \nto nations that request assistance. The current actions are a recently \nawarded contract (58m Euro) to enhance the NATO Computer Incident \nResponse Capability and ongoing actions to monitor that project. \nOngoing discussions focus on developing a methodology for national \ninformation systems that support NATO missions to be identified and \nprovided minimum cyber defense standards. Further parts of the enhanced \ncapability in the cyber defense action plan are the development of \ntraining and exercises for NATO nations, providing minimum standards \nfor cyber defense for nations, and developing rapid reaction teams to \nassist nations when facing significant cyber incidents. 
Further \npossible enhancements are also under discussion but the current main \nfocus is on ensuring the ongoing project is closely monitored for \nadherence to timelines and completing the full package of enhanced \nsensors and systems for cyber defense. These ongoing efforts are \nregularly reviewed by CIO's International Cyber Security Program.\n    Mr. Langevin. What is the status of development and delivery of \nproposed National Cyber Range capabilities? Are resources adequate to \ncontinue maturing range capabilities?\n    Ms. Takai. The goal of the DARPA NCR program is to develop the \narchitecture and software tools for a secure test facility that can \nrapidly emulate the complexity of defense and commercial networks, \nallowing for cost-effective and timely validation of cyber \ntechnologies.\n    The program has completed the technical design and all major \nsoftware development. The developed architecture and tools are being \ndemonstrated at scale on a prototype facility. The NCR software \nincludes extensive experiment design tools, an automated range build-\nout capability, real-time data visualization tools, and automated range \nsanitization. The demonstration facility is currently accredited for \noperation from Unclassified to Top Secret/Special Access Program level \nand is capable of supporting simultaneous testing at multiple security \nlevels. Special Compartmentalized Information accreditation is \ncurrently being pursued.\n    To date, there have been two completed tests (December 2011 and \nJanuary 2012). Both tests showed the ability to setup the range in a \nday, test for multiple days (each test was at a different \nclassification level), and then tear the range down and sanitize it in \na day. 
Eight additional tests are currently being planned and \nscheduled.\n    The Department is planning a series of events on the NCR with Joint \nInformation Operations Range (JIOR), and Cyber Range also participating \nto stress NCR and other range capabilities, identify what is mature, \nwhat is not, and characterize the magnitude of gaps that will need to \nbe addressed for adequate testing and evaluation, training and exercise \ncapability.\n    Mr. Langevin. What CYBERCOM capabilities are in need of further \ndevelopment to address our national vulnerabilities in cyberspace?\n    General Alexander. Our desired end state is to maintain and \npreserve the U.S. freedom of access to allow maneuver in cyberspace \nwhile supporting the same for our allies and partners. To do this, it \nis essential to:\n    <bullet>  Develop capabilities to support Indications and Warning \n(I&W) of attacks in cyberspace\n    <bullet>  Develop integrated Command and Control for seamless \ntransition from defensive to offensive posture\n    <bullet>  Develop integrated situational awareness capability to \nsense, support real time maneuver, and engagement in cyberspace\n    <bullet>  Develop capability for training, testing, and effects \nprediction for cyber capabilities\n    <bullet>  Enhanced analytic and target development capabilities\n    <bullet>  Development of integrated architectures and frameworks to \nsupport network resiliency and maneuver in cyberspace especially in \ncontested and congested networks\n    Mr. Langevin. Since the signing of the Memorandum of Understanding \nbetween DOD and DHS, what activities have the two organizations been \ncarrying out under that MOU?\n    General Alexander. The implementation of the MOU has resulted in \nthe creation of a Fort Meade-based office for the DHS-DOD Joint \nCoordination Element (JCE), co-led by DHS and DOD seniors. 
Activated \nin December 2010, the JCE now comprises 16 full-time personnel from DHS \nand DOD and is focused on achieving cross-departmental ``unity of \neffort'' in cyberspace operations. The ultimate goal is to enable the \nUSG to agilely perform integrated operational response in all areas in \nwhich the adversary pursues malicious activity--with the benefit of \nrobust shared situational awareness.\n    The JCE is creating enduring relationships and process improvements \nacross the two Departments. In its first year, the JCE initiated a \nnumber of major activities designed to enable these goals, by \nsuccessfully bridging the gap between policy and operations. A few \nexamples include:\n    <bullet>  Congress directed DHS and DOD to draft a Joint \nCybersecurity Pilot Plan. This plan was penned by the JCE, signed by \nboth Departments, and transmitted to the Committees on Appropriations \nin August 2011.\n    <bullet>  The JCE is defining cross-department command and control/\nunity of effort models to enable agile, effective, and timely \noperations.\n    <bullet>  The JCE is defining the discrete and complementary \nfunction of the major DHS and DOD operational organization to achieve \nharmonization of major DHS and DOD operational elements.\n    <bullet>  As an outgrowth of the Defense Industrial Base (DIB) \nCybersecurity ``opt in'' Pilot, Department seniors have agreed on a \nframework to create government-enabled Managed Security Services to \naddress advanced threats targeting the nation. The JCE has drafted \ndetailed plans to support this effort with an eye toward scalable \nsolutions.\n    Mr. Langevin. Are you confident in the state of the career paths \nfor cyber professionals, and do you feel that your recruiting, \nretention, and career progression needs are being adequately addressed?\n    General Alexander. There has been a great deal of work done in \ndeveloping career paths for cyber professionals. 
The pace at which we \nare developing cyber professionals is challenged by the demand for \nskilled personnel (in both government and in the private sector) to \nkeep pace with rapidly advancing technology. At USCYBERCOM we have made \nrecent, significant strides into defining and advising what those \ncareer paths should include. One of the biggest challenges to \n``operationalizing'' activities in this domain is the development of \nthe cyber workforce. The major cultural shift within the military has \nmomentum; however, codifying and teaching the required skills in such a \ndynamic, ever-evolving domain, is a challenge. We are confident that \nour activities have laid a solid foundation for cyber professional \ncareer paths. Examples of our ongoing efforts follow.\n    Joint Cyberspace Training and Certification Standards (JCT&CS). The \nJCT&CS provides an overarching framework for the Services, if they so \nchoose, for training for the current and future cyberspace workforce \nover their careers. JCT&CS advises nearly every aspect of individual \nforce training and education and follows the Joint Training System \nmodel for methodology. The standards outlined in JCT&CS inform \ncurriculum, certification, and other standards used to effectively \ntrain forces to meet the ever-evolving warfighter demands of the \ncyberspace domain. Based on the current lack of policy on cyber \ntraining, the Services' use of these standards is voluntary at this \ntime.\n    Assessment and Recruiting. Initial assessment and recruiting to \nidentify the best candidates possible to support the cyberspace mission \nis critical. The JCT&CS provides key insights into the preliminary \nknowledge, skills, and abilities needed to ensure success. Service \nrecruiting efforts will be advised of these standards and special \nscreening techniques and evaluations will be developed to identify \nsuitable candidates. 
In addition, the newness of this command and our \nchallenging mission appears to be a draw for talented personnel. We \nanticipate the competition for cyber talent to become more intense and \nwe must be enabled to respond rapidly with appropriate DOD recruiting/\nretention policies and incentives. Delays in recruiting and retaining \ncyber talent could adversely affect the command's operational \ncapability in the future. Against our current authorizations, our \ncivilian fill rate is adequate. However, to efficiently operate as a \nSub-Unified Command we estimate an additional need of approximately 500 \nbillets. Moreover, we expect competition for future talent to \nintensify, affecting initial hires and retention. To address the \nanticipated challenges in the short-term, we are collaborating with \nUnited States Strategic Command and the Office of the Secretary of \nDefense to permanently extend the temporary hiring authorities granted \nto us (e.g. Schedule A- which is set to expire Dec `12). Long-term, we \nare advocating for: special salary rates, tuition reimbursement, access \nto specialized training and robust professional development \nopportunities as incentives for potential employees and to retain them \nonce they have been hired. Underlying all of these initiatives, we \nsupport the development of separate cyber operations/planner career \nfields for our civilian and military personnel.\n    Service School Qualification Training. The Services currently \nprovide for both enlisted and officers, basic entry training for their \nrespective skills. For many cryptologic skills today that instruction \nis provided through Joint Cyber Analysis Course at Corry Station in \nFlorida. 
As a backdrop, the JCT&CS will provide guidance through \ncurriculum advisory messages in curriculum development, advising the \nServices on the Knowledge, Skills and Abilities (KSAs) with metrics to \nensure success for those whose assignments require the ability to \nperform in one or multiple cyber work roles.\n    Professional and Continuing Education. Once the basic schooling is \ncompleted, Service military and civilians continue to work to sharpen \nskills and capabilities through professional and continuing education. \nFor the Joint community, this includes Joint Individual training and \nfor IA professionals, training and certification is completed in \ncompliance with prevailing DOD policy (DOD Directive 8570.01M). Again, \nthe JCT&CS provides a broad framework to inform joint and Service \ntraining for cyberspace KSAs. An aggressive and effective retention and \ncareer feedback process is permeated throughout the careers of the \ncyberspace workforce. Constant inputs to training value, curriculum \ndevelopment, and career utilization will be used to advise senior \nleadership on job satisfaction and how well training enables the \nworkforce to be successful in their assignments. Key to the success of \nthis program is the agility at which the joint training standards can \nbe modified and those changes permeated through professional and \ncontinuing education to keep the DOD cyberspace workforce in the \nforefront globally.\n    Collective Training. Even with a robust individual training \nprogram, individuals fight as crews, staffs, and organizations. The \ntraining spectrum includes an aggressive collective training program \nthat trains, certifies, and then exercises the future cyberspace \nworkforce. Training and certification guidelines are contained in the \nJCT&CS. Methods and modes are under development to measure the ability \nof crews, staffs, and organizations to meet the demands of fighting and \nwinning in the cyberspace domain. 
Ultimately, this training is tested \nin cyberspace exercise events that focus on cyberspace operations with \nobjectives that tie back to Joint Mission Essential Tasks. Today, at \nthe tactical level, we've developed Cyber Flag, currently an annual \nevent, that brings together the Service's cyber operators to defend and \nfight against a cunning, realistic aggressor. This environment allows \nus to understand the ability of our Service component teams and \nultimately, our ability to perform essential missions.\n    Mr. Langevin. Do you feel that the command structure for \nintegrating non-kinetic effects from cyber into the battlespace is \nadequately defined?\n    General Alexander. The command structure for integrating non-\nkinetic effects into joint operations is adequately defined, but the \nDepartment continues to develop and improve its implementation. Through \nthe refinement of joint doctrine, planning, and procedures, we have put \nin place a number of mechanisms to integrate kinetic and non-kinetic \neffects.\n    We have long recognized the need for cyberspace doctrine that can \naddress the unique attributes of cyberspace, the interdependencies with \nthe land, air, sea, and space domains, and provide a model command \nstructure to build upon.\n    The cyberspace operational planning process is aligned with joint \ndoctrine, which has been developed and battle-tested over time as the \npreferred way for combatant commanders to plan, synchronize, de-\nconflict, and conduct operations. We have successfully adapted this \nprocess for cyberspace and have exercised it a number of times with the \ncombatant commands to validate its applicability. Likewise, these \nexercises have helped us refine our command and control (C2) model to \nsupport the integration of cyberspace operations with other Combatant \nCommand operations.\n    Mr. Langevin. 
Can you briefly describe how CYBERCOM supports joint \ntraining efforts for inter-service missions?\n    General Alexander. USCYBERCOM works with Service Component, Joint \nStaff and Agency training leads to collaborate on processes for \ncontinued development/refinement of DOD cyberspace training and \ncertification standards. We have developed relationships with \nappropriate stakeholders including Service HQ, Combat Support Agencies, \npublic and private academic institutions, and Joint and Service \ntraining and education activities. We support efforts to draft and \nstaff policy that identifies roles, responsibilities, and processes as \nwell as ensures consistency with other policy/guidance documentation in \norder to support joint training efforts DOD-wide. The Joint Cyberspace \nTraining and Certification Standards (JCT&CS) provides an overarching \nframework for the Services, if they so choose, for training for the \ncurrent and future cyberspace workforce over their careers. JCT&CS \nadvises nearly every aspect of individual force training and education \nand follows the Joint Training System model for methodology. Our intent \nis to execute policy within national and military guidance in \ncoordination with stakeholders and Communities of Interest to \npromulgate common training and certification standards.\n    Additionally, USCYBERCOM supports the Combatant Commands exercise \nof their warplans via Tier 1 Exercises. USCYBERCOM and its Service \ncomponents provide planning and operations expertise to meet the \nexercise/training objectives. For FY12, USCYBERCOM is directly \nsupporting or involved with 17 joint exercises, and is planning \nCYBERFLAG-12. Priority of support resides with National level, \nUSCENTCOM, USPACOM, and USEUCOM exercises.\n    Mr. Langevin. What more can be done to engage our allies, \nespecially NATO? 
How can we leverage DOD ``building partnership \ncapacity'' authorities to train and equip foreign forces to improve our \nallies' capabilities related to cyber operations?\n    General Alexander. First, the United States can increase \ninformation and cyber capability sharing by developing and sharing \ncyber hygiene ``best practices,'' sharing cyber threat information, and \nproviding cybersecurity tools. Second, the United States can conduct \ntabletop exercises to identify legal and policy constraints and \n``live'' exercises to build shared situational awareness and \ninteroperability. Third, the United States can enhance education and \ntraining through congressional programs to allow foreign military \nofficers to attend training in the United States and host or co-host \nconferences or seminars on cybersecurity. Fourth, the United States can \nexpand the State Partnership Program to link more National Guard Cyber \nWarfare units with partner nations to increase engagement and training \nopportunities.\n    USCYBERCOM has shared portions of the methodology in developing \nJoint Cyberspace Training and Certification Standards (JCT&CS) for the \ncommand's cyber workforce and the workforce of the Service Cyber \nComponents that are under operational control of the Commander. \nUSCYBERCOM has also developed and manages several training courses that \ncontribute to the professionalization of the cyber workforce (i.e. \nJoint Advanced Cyber Warfare Course-JACWC, Joint Cyberspace Operational \nPlanners Course Mobile Training Team JCOPC MTT). The USCYBERCOM Joint \nExercises and Training Directorate developed a version of JACWC (Joint \nAdvanced Cyber Engagement Series-JACES) that is releasable to our \nallies, and is currently developing a similarly releasable version of \nJCOPC at the request of EUCOM and AFRICOM. The first session of JACES \nwith 33 key partner nation students concluded 20 April 2012. 
\nUSCYBERCOM's intent is to continue to build key partner relationships by \nsharing releasable components of its workforce development efforts.\n    Mr. Langevin. What discussions and actions are going on within NATO \nto improve the capabilities of the alliance to deal with cyber threats?\n    General Alexander. NATO has been actively working to improve the \nAlliance's capabilities to deal with cyber threats. A NATO Policy on \ncyber defense was recently approved and focuses on preventing cyber \nattacks and building resilience. The policy is being implemented via an \naction plan, which includes the NATO Computer Incident Response \nCapability (NCIRC) achieving full operational capability by the end of \n2012. U.S. European Command is a key enabler and provides support to \nthe NCIRC. Additionally, the United States is encouraging NATO to fully \nintegrate cyberspace operations into planning, exercises, training, and \neducation. Lastly, the United States is educating NATO on lessons \nlearned from the Government's realignment to meet cybersecurity goals \nand the organizational and command and control structure of U.S. Cyber \nCommand and other U.S. Government cyber units to influence NATO's \ncivilian and military command structure development.\n    At USCYBERCOM, we have participated in the annual NATO cyber \nexercise Cyber Coalition. This is a NATO event facilitating the \nimprovement and development of coherent procedures and mechanisms for \ncyber defense; exercise strategic decision-making procedures, technical \nand operational procedures, and collaboration between all participants, \nincluding the private and public sectors.\n    Several of our NATO allies are participating in the planning for \nCyber Flag 13-1. The eight-day exercise schedule consists of four days \nwith allies and the remaining four days as U.S. only due to \nclassification considerations. 
Coalition partners will be invited to \nparticipate in future Cyber Flag exercises in order to build capacities \nand further enable partnership opportunities.\n    Mr. Langevin. Are you confident in the state of the career paths \nfor cyber professionals, and do you feel that your recruiting, \nretention, and career progression needs are being adequately addressed?\n    Secretary Creedon. In light of emerging cyber threats, cyber \nworkforce roles, responsibilities and skill requirements continue to \nevolve, not only in DOD, but across the Federal Government and \nindustry. DOD is working with the Federal Government through the \nNational Initiative for Cybersecurity Education (NICE) and Federal CIO \nCouncil to identify current and forthcoming cyber skill requirements, \ndefine career paths for cyber professionals, and determine the optimal \ncourses of action to ensure a pipeline of cyber professionals is \navailable to meet mission mandates. These efforts may result in new \nrequirements and methodologies in the recruitment, retention and career \nmanagement of the Department's cyber workforce.\n    Currently, several strategies are in place to aid in recruiting and \nretaining a skilled cyber workforce. Federal direct-hire authority \nprovides with flexibility in recruiting and hiring select information \nsecurity (cybersecurity) personnel within the civilian IT Management \nseries. DOD also has Schedule A hiring authority for select \ncybersecurity positions for certain IT and non-IT civilian job series; \nthe Department is working with the Office of Personnel Management to \nextend and enhance this authority as it expires in December 2012. DOD \nuses the Information Assurance Scholarship Program (IASP) to attract \nstudents from top universities and colleges, and to retain personnel \nwith cyber and information assurance skill sets who wish to further \ntheir education. 
In addition, CIO oversees the Information Resources \nManagement College (iCollege) of the National Defense University, which \nrecently introduced a Cyber Leadership Program. These authorities and \nprograms, along with military recruiting and retention bonuses, are \ncurrently used to recruit and retain cyber personnel and are essential \nto maintaining the health of this community.\n    Mr. Langevin. How is DOD capturing lessons learned from real-world \ncyber events and major exercises?\n    Secretary Creedon. Real-world and exercise cyber lessons learned \nare submitted to the Joint Lessons Learned Information System (JLLIS) \ndatabase system of record. JLLIS is the system of record for Lessons \nLearned. Typically, they are communicated in the form of Situational \nAwareness Reports (SARs). For certain major events U.S. Cyber Command \nconducts detailed analysis of the incident and then publishes the \nresult as an SAR, which details the incident; threat tactics, \ntechniques and procedures; as well as countermeasures/mitigation \noptions. Lesser events are often documented in quarterly SARs that show \ntrends, common TTPs, and systemic issues. Exercise lessons learned also \nare input to JLLIS and their capture in the database has greatly \nimproved over the last 12 to 18 months. Anyone with SIPR access may \nrequest an account to access JLLIS content.\n    In addition to JLLIS, the Services also track major events via \ntheir respective database systems. For example, Army computer network \ndefense (CND) events are tracked in ACID, the Army CND Incident \nDatabase. The Navy Lessons Learned System (NLLS) is the Navy's process \nfor collection and dissemination of significant lessons learned, \nsummary reports and port visit reports from maritime operations, \nexercises and other events.\n    Mr. Langevin. What more can be done to engage our allies, \nespecially NATO? 
How can we leverage DOD ``building partnership \ncapacity'' authorities to train and equip foreign forces to improve our \nallies' capabilities related to cyber operations?\n    Secretary Creedon. The Department's authorities to build the \nsecurity capacity of our foreign partners can be useful tools that \ncontribute significantly to a variety of missions, from \ncounterterrorism and combating weapons of mass destruction, to \nstability and counterinsurgency operations. For cyber operations there \nare no current plans to use these specific authorities; rather the \nDepartment works collaboratively with NATO and other allies.\n    Our NATO allies recognize the increasing importance of cyber \ndefense, as demonstrated by the 2010 Lisbon Summit Declaration, NATO's \nrevised Strategic Concept, and the issuance of a revised NATO Policy on \nCyber Defense in June of 2011. We are actively engaged in working with \nour NATO allies to ensure their continued commitment to NATO's new \npolicy and the steps outlined in its Action Plan. More broadly, through \nour Geographic Combatant Commands, we are exploring ways in which we \ncan work more closely with allies and partners to help them improve \ntheir cyber security and ensure that they are investing in enhanced \nsecurity for their national networks. This is also an area where we are \nworking closely with the Departments of State, Homeland Security, and \nother key USG stakeholders.\n    Mr. Langevin. What discussions and actions are going on within NATO \nto improve the capabilities of the alliance to deal with cyber threats?\n    Secretary Creedon. Beginning with the 2010 Lisbon Summit \nDeclaration and followed by NATO's revised Strategic Concept in which \nthe protection of the Alliance's information systems was made a \npriority task, the U.S. 
Department of Defense has been actively engaged \nin working with NATO to improve the Alliance's ability to defend \nagainst the ever growing cyber threats.\n    In addition, last year NATO Defense Ministers approved a revised \nNATO Policy on cyber defense. The policy offers a coordinated approach \nto cyber defense across the Alliance and focuses on preventing cyber \nattacks and building resilience. The new policy is currently being \nimplemented through an Action Plan that has a number of elements, but \nthe most important is achieving NATO Computer Incident Response \nCapability (NCIRC) full operational capability by the end of 2012. By \nbringing all of NATO organizations' networks under NCIRC authority and \nprotection, the NCIRC will significantly increase the Alliance's \nability to defend and recover in the event of a cyber attack against \nsystems of critical importance to the Alliance. Implementation is on \ntrack and the U.S. Department of Defense will continue to strongly \nsupport NATO's efforts in this area.\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MR. FRANKS\n    Mr. Franks. With respect to defense installations within the United \nStates, how reliant are our IT and cybersecurity systems on the supply \nof stable, reliable, and uninterrupted electricity from the civilian \npower grid, and how prepared are we to carry out the defense mission if \nthe power grid or a substantial part of it were to go down for extended \nperiod, for example: two weeks or longer due to severe space weather or \nman-made electromagnetic pulse?\n    General Alexander. Defense installations themselves typically have \nmeans to provide backup power for various durations. Additionally, DOD \ntypically contracts with multiple vendors for connectivity to minimize \nthe number of single points of failure. However, a great deal of DOD's \ncyberspace is served by and through commercial providers. 
The degree to \nwhich these commercial providers--and the companies upon which they \nrely--can sustain operations in the event of an extended power outage \nvaries considerably. We are aware that such dependencies exist and are \nactively working to identify just those kinds of critical \ninfrastructures and key resources as part of a larger strategy to \nensure robust cyber defense of the ``.com'' and ``.gov'' portions of \ncyberspace that DOD relies upon for mission readiness.\n    Mr. Franks. How confident are you that the private power industry \nis prepared to resist and defeat cyber attacks against its control and \npower distribution systems and are there approaches we can take with \nindustry that don't involve burdening industry with unnecessary \nregulation, to assist industry to protect this vital infrastructure and \nensure that defense-related IT and cybersecurity systems are not \ndegraded or rendered useless by an extended period of time without \nelectricity?\n    Secretary Creedon. Commercial power sources continue to be \nthreatened by a wide array of threats. Commercial electric power \nproviders rely on Industrial Control Systems (ICS) to control and \noperate the power grid and, due to potential vulnerabilities with these \nsystems, scenarios exist where malicious actors could gain control of \ncritical components. Today's threat environment is dynamic and, as a \nresult, organizations must be vigilant and adaptable in monitoring \nsystems and implementing controls in response to current threats.\n    DOD conducts ongoing analysis and partners with multiple entities \nincluding the Department of Energy (DOE), Department of Homeland \nSecurity (DHS), the commercial ICS community, and the Federal Energy \nRegulatory Commission to stay abreast of the threat and better assess \nindustry preparedness. 
DOD, along with its interagency and industry \npartners, is moving in a deliberate and aggressive fashion to close the \ngaps associated with energy surety.\n    In addition, DOE and DHS recently launched the Energy Surety \nPublic Private Partnership to better understand and improve the surety \nof energy infrastructure supporting national security missions. DOD is \nalso participating in an effort led by DOE to develop a cybersecurity \nmaturity model focused on managing dynamic threats to the grid and \nevaluating cybersecurity capabilities. Finally, there are other efforts \nunderway focused on awareness and managing the threats to the grid such \nas the North American Electric Reliability Corporation cyber attack \ntask force and a public/private collaborative effort to develop risk \nmanagement guidelines. We believe these efforts will accomplish a great \ndeal in managing the threat to our power sector.\n\n                                  <all>\n</pre></body></html>\n"