[House Hearing, 112 Congress] [From the U.S. Government Publishing Office] [H.A.S.C. No. 112-146] DIGITAL WARRIORS: IMPROVING MILITARY CAPABILITIES FOR CYBER OPERATIONS __________ HEARING BEFORE THE SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES OF THE COMMITTEE ON ARMED SERVICES HOUSE OF REPRESENTATIVES ONE HUNDRED TWELFTH CONGRESS SECOND SESSION __________ HEARING HELD JULY 25, 2012 [GRAPHIC] [TIFF OMITTED] TONGRESS.#13 SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES MAC THORNBERRY, Texas, Chairman JEFF MILLER, Florida JAMES R. LANGEVIN, Rhode Island JOHN KLINE, Minnesota LORETTA SANCHEZ, California BILL SHUSTER, Pennsylvania ROBERT ANDREWS, New Jersey K. MICHAEL CONAWAY, Texas SUSAN A. DAVIS, California CHRIS GIBSON, New York TIM RYAN, Ohio BOBBY SCHILLING, Illinois HANK JOHNSON, Georgia ALLEN B. WEST, Florida KATHLEEN C. HOCHUL, New York TRENT FRANKS, Arizona RON BARBER, Arizona DUNCAN HUNTER, California Kevin Gates, Professional Staff Member Mark Lewis, Professional Staff Member James Mazol, Staff Assistant C O N T E N T S ---------- CHRONOLOGICAL LIST OF HEARINGS 2012 Page Hearing: Wednesday, July 25, 2012, Digital Warriors: Improving Military Capabilities for Cyber Operations.............................. 1 Appendix: Wednesday, July 25, 2012......................................... 33 ---------- WEDNESDAY, JULY 25, 2012 DIGITAL WARRIORS: IMPROVING MILITARY CAPABILITIES FOR CYBER OPERATIONS STATEMENTS PRESENTED BY MEMBERS OF CONGRESS Langevin, Hon. James R., a Representative from Rhode Island, Ranking Member, Subcommittee on Emerging Threats and Capabilities................................................... 1 Thornberry, Hon. Mac, a Representative from Texas, Chairman, Subcommittee on Emerging Threats and Capabilities.............. 1 WITNESSES Hernandez, LTG Rhett A., USA, Commander, U.S. Army Cyber Command, U.S. Army...................................................... 3 Mills, LtGen Richard P., USMC, Deputy Commandant, Combat Development and Integration, and Commanding General, USMC Combat Development Command, U.S. Marine Corps.................. 6 Rogers, VADM Michael S., USN, Commander, U.S. Fleet Cyber Command, and Commander, U.S. Tenth Fleet, U.S. Navy............ 4 Vautrinot, Maj Gen Suzanne M., USAF, Commander, 24th Air Force, and Commander, Air Force Network Operations, U.S. Air Force.... 7 APPENDIX Prepared Statements: Hernandez, LTG Rhett A....................................... 40 Langevin, Hon. James R....................................... 38 Mills, LtGen Richard P....................................... 62 Rogers, VADM Michael S....................................... 51 Thornberry, Hon. Mac......................................... 37 Vautrinot, Maj Gen Suzanne M................................. 69 Documents Submitted for the Record: [There were no Documents submitted.] Witness Responses to Questions Asked During the Hearing: [There were no Questions submitted during the hearing.] Questions Submitted by Members Post Hearing: Mr. Conaway.................................................. 104 Mr. Franks................................................... 103 Mr. Langevin................................................. 94 Mr. Thornberry............................................... 89 DIGITAL WARRIORS: IMPROVING MILITARY CAPABILITIES FOR CYBER OPERATIONS ---------- House of Representatives, Committee on Armed Services, Subcommittee on Emerging Threats and Capabilities, Washington, DC, Wednesday, July 25, 2012. The subcommittee met, pursuant to call, at 3:35 p.m. in room 2119, Rayburn House Office Building, Hon. Mac Thornberry (chairman of the subcommittee) presiding. OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES Mr. Thornberry. The subcommittee will come to order. We welcome our witnesses, guests, and members to this hearing in the Emerging Threats and Capabilities Subcommittee on ``Digital Warriors: Improving Military Capabilities in the Cyber Domain.'' There is widespread agreement that cyberspace is now a domain of warfare, and many people regard it as the most difficult, perplexing national security challenge we face. Certainly the laws, policies, and organizations have not kept pace with the evolution of technology. But if cyberspace is important to our country's security and if it is a domain of warfare, our military services, on whom we rely to protect and defend us, must be prepared to operate in cyberspace as well. That preparation involves a number of issues, including organizational structure, recruitment and retention of qualified personnel, training, rapid acquisition, among others; and it is those issues which we want to examine in today's hearing. Before turning to our witnesses, let me yield to the ranking member, Mr. Langevin, for any comments he would like to make. [The prepared statement of Mr. Thornberry can be found in the Appendix on page 37.] STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES Mr. Langevin. Thank you, Mr. Chairman. I want to thank our witnesses for appearing here today. It is a pleasure to see all of you again and to have you join us for what I believe is going to be a critically important hearing. I agree with the chairman. There is no more critical task in today's environment than safeguarding the Department of Defense's networks. The cyber domain, as we all know, has become an integral part of every action DOD [Department of Defense] undertakes, whether offensive or defensive. And as operating environments grow ever more complex, we need joint forces that are manned, trained, and equipped to conduct the full spectrum of operations in support of, and in some cases supported by, what we think of as traditional military forces. The Congress and the country as a whole have been struggling with what cybersecurity means to us as a Nation. We are grappling with how to protect our systems and our privacy at the same time, and I am proud to be a part of that robust discussion. I have held drafts of legislation and cosponsored others, and now it looks as if something actually may be moving over in the Senate, which I am pleased to hear. Let's hope so. And I hope that today we will hear your thoughts on what sorts of additional authorities you may need and how the proposed legislation may or may not affect those needs, as well as your thoughts on the delegation of authorities within the executive branch. Most importantly, I hope that we hear about how you are finding and retaining the sort of people that you need today and in the future and being able to hold onto them. This, I believe, is the fundamental challenge that faces all of us. It is often said that the root strength of our military is the quality of our people, and nowhere is that more true than in your organizations. As you think about growing your forces, what thought have you given to where the people are going to come from? How will you keep them, promote them, educate them, and continue to challenge them even when outside organizations are keen to lure people with those skill sets away to the private sector? And I know some of you are probably already facing that dilemma right now. So, lastly, I need to take a minute to talk about a topic that would be irresponsible to avoid. We all know that we are facing significant fiscal challenges in the coming years, even without the threat of sequestration looming. So cyber-related activities are faring reasonably well so far, but nothing is immune, and even noncyber-specific cuts could have an impact on your commands as personnel resources are reduced or research and development funding are decreased. Those are just two examples. So as you look ahead, how do you factor in the possibility of even more austere fiscal environments? This is a tough question but one that I believe we have to face in order to responsibly address the complex challenges in the future. So, with that, I want to thank you again for being here. Mr. Chairman, thank you for holding this hearing. I know your commitment to the issue of cybersecurity. And I enjoy working with you and appreciate your organizing this hearing today. I yield back. [The prepared statement of Mr. Langevin can be found in the Appendix on page 38.] Mr. Thornberry. I thank the gentleman, and I share his cautious optimism that the Senate may actually pass something. We will see. Again, let me welcome our witnesses. We have before us Lieutenant General Rhett Hernandez, Commander, U.S. Army Cyber Command; Vice Admiral Michael S. Rogers, Commander, U.S. Fleet Cyber Command, and Commander, U.S. Tenth Fleet--I made that as hard as possible to say--Lieutenant General Richard P. Mills, Deputy Commandant, Combat Development and Integration, and Commanding General, U.S. Marine Corps Combat Development Command; and Major General Suzanne Vautrinot, Commander, 24th Air Force, and Commander, Air Force Network Operations. You all have significant titles. I suspect the responsibility and the challenge is commensurate with the length of the titles. Thank you for being here. Without objection, your full written testimony will be made a part of the record. We would appreciate if you can summarize your comments for us today. General Hernandez. STATEMENT OF LTG RHETT A. HERNANDEZ, USA, COMMANDER, U.S. ARMY CYBER COMMAND, U.S. ARMY General Hernandez. Thank you, Congressman. Chairman Thornberry, Ranking Member Langevin, and distinguished members of the subcommittee, thank you for your support and for the opportunity to appear before you today. I am pleased to be here with my fellow Service component commanders, and I am honored to represent the Army soldiers and civilians. Their great work enables our Army's ability to operate every day and adds to our Nation's security. I am proud to serve with them and really amazed at what they have accomplished since October 2010. The Command has been hard at work increasing Army capacity and capability, defending all Army networks, and conducting cyberspace operations in support of U.S. Cyber Command. We all know the cyber threats are real, growing, sophisticated, and evolving. Today, a wide range of actors are capable of exploitation and disruption of our networks, with a growing potential for destructive capabilities tomorrow. And all of this could impact our freedom to operate. To meet these threats, Army Cyber Command and its supporting units are engaged daily in conducting cyberspace operations critical to the Department of Defense, Cyber Command, and Army missions. Our work is guided by the Department of Defense's strategy for operating in cyberspace; and the Command helps prevent conflict by maintaining credibility based on capacity, readiness, and modernization. It helps shape the environment by sustaining strong relationships with our military allies in other nations and builds their capacity and capability and, when required, supports winning decisively, with the Army's operational level force organized to conduct cyberspace operations, and daily we provide trained and ready forces to Cyber Command in support of their mission. We have completed a wide range of work and continue to pursue other initiatives to train, organize, and equip the Army to conduct operations in cyberspace. Strong training, leader development, and education programs are essential to conducting cyberspace operations. We have established a world-class, cyber-opposing force that provides realistic training, requiring commanders to defend and operate in a contested and degraded cyberspace environment. We continue to deploy dedicated information operations and cyberspace capabilities to Army and joint forces, and we are supporting combatant command cyber support elements, while providing expeditionary cyber support elements to commanders for contingencies and during exercises. A significant organizational milestone occurred for the Command on 1 December, 2011, when the Army activated its first dedicated cyber brigade at Fort Meade. The 780th Military Intelligence Brigade is organized to support Cyber Command and combatant commanders in their conduct of cyberspace operations. The Army has a wide range of capabilities being leveraged today to operate and defend as well as support offensive operations. We continue to respond to Cyber Command and combatant commanders' requirements and have rapidly produced capabilities to support missions. While technology plays an important role in the cyberspace domain, cyber warriors will determine our success. A team of cyberspace professionals able to quickly act across a full range of mission sets is who will make the difference. We must continue to recruit, develop, and retain a skilled professional workforce. While there is still plenty to do in this new domain, Army Cyber Command has made great progress and remains focused on providing trained and ready forces able to conduct cyberspace operations. We will provide depth and versatility in cyberspace to the Joint Force and with our cyberspace capability provide options and flexibility for commanders and national decisionmakers to ensure the Army remains America's force of decisive action and that Army Cyber Command remains second to none. I want to thank you for inviting me here today. I look forward to your questions and our continued relationship and would welcome your visit to Army Cyber Command. Thank you. [The prepared statement of General Hernandez can be found in the Appendix on page 40.] Mr. Thornberry. Thank you. Admiral. STATEMENT OF VADM MICHAEL S. ROGERS, USN, COMMANDER, U.S. FLEET CYBER COMMAND, AND COMMANDER, U.S. TENTH FLEET, U.S. NAVY Admiral Rogers. Thank you. Chairman Thornberry, Ranking Member Langevin, and distinguished members of the subcommittee, thank you for holding this hearing today and the opportunity to sit shoulder to shoulder with my cyber teammates in the other Services. As the Navy's Component Commander to U.S. Cyber Command and the second echelon command within the Navy subordinate to the Chief of Naval Operations, Fleet Cyber Command directs cyberspace operations in defense and support of Navy and joint forces. The Department and the Navy continue to mature cyberspace operations by growing the workforce, exercising the processes, and developing the capabilities we need to support cyber operations. Our progress has been, and will continue to be, guided by the Department's overall strategy for operating in cyberspace; and I would like to take this opportunity to highlight a few items that I think highlight some of the progress as well as some of the challenges we have experienced in the last year. That progress has been an iterative one, and we continue to refine concepts and doctrine, but there are two significant achievements I think in the last year that will help us as we move our efforts forward. First, the approval and implementation of the Transitional Command and Control Concept of Operations, which provides the Services and the Geographic Combatant Commanders a standard baseline for how we are going to execute cyberspace operations by documenting the command and control relationships, the missions, and the functions that we will be executing. Secondly, U.S. Cyber Command's Operational Directive, which specifies the standard tasks and mission responsibilities for each of the Service components before you today, which will provide initial insight into how U.S. Cyber Command intends to use us as components, which in turn will provide a foundation for how we will generate Navy capacity to support them. In addition, the strength of our efforts over the last year have been from our workforce, which continues to be a source of strength. And, at the same time, the events of the last week remind us just how great that workforce is. Unfortunately, Fleet Cyber Command and Tenth Fleet suffered the loss of a petty officer in Aurora, Colorado, on Friday in a movie theater in a way that none of us would have ever expected. I had the opportunity to see Petty Officer Larimer's family in Chicago over the weekend after the tragedy, and I will tell you if we had more Petty Officer Larimers in the world, there is no challenge that we couldn't handle. But he is symbolic of the broader workforce that we have. And, to date, our recruitment, our development, and our retention, although it remains a challenge, has in fact exceeded our expectations. We hope that is what continues, and we are working hard to make sure that is the case. We also have taken a hard look over the last year about how we are going to train the force of the future, establishing summer internships with the Naval Academy and ROTC [Reserve Officers' Training Corps] midshipmen with the Navy Cyber Warfare Development Group, as well as our cyber defensive operations. In addition, we have established a cyber warfare engineer career field designed to enable direct accessions from recent college graduates who bring deep cyber expertise to the table. In addition, to develop our sailors and civilians, we have developed and begun implementing a tiered cyber training strategy that tailors cyber training based on an individual's particular roles and responsibilities. We have also created a Navy Cyber Manpower 2020 Task Force to plan and execute the steps necessary, we believe, that will develop a comprehensive near to midterm cyber manpower strategy. We have also worked hard in the last year to strengthen our networks and to reduce our exposure and our vulnerabilities, and those efforts continue. We emphasize cross-communication between our large network programs, both afloat and ashore; and we are actively engaged in developing concepts with the Department of a joint information environment which will be comprised of information technology infrastructure and enterprise services. These investments that we have made in network consolidation and deployment of enterprise services have already provided us with greater situational awareness of our networks, which is a key element of our ability to defend them. In summary, sir, I would like to close by emphasizing that our success to date in the maritime domain and the joint operational environment depends on our ability to maintain freedom of maneuver and deliver effects within cyberspace. And to ensure we maintain our edge, the Navy will continue to drive advancements in Navy cyberspace operations guided by the initiatives set forth both by the Department and the joint commander we support at U.S. Cyber Command. I thank you for this opportunity, and I look forward to answering any questions you might have. Thank you, sir. [The prepared statement of Admiral Rogers can be found in the Appendix on page 51.] Mr. Thornberry. Thank you. General. STATEMENT OF LTGEN RICHARD P. MILLS, USMC, DEPUTY COMMANDANT, COMBAT DEVELOPMENT AND INTEGRATION, AND COMMANDING GENERAL, USMC COMBAT DEVELOPMENT COMMAND, U.S. MARINE CORPS General Mills. Chairman Thornberry, Ranking Member Langevin, Congressman Conaway, it is an honor to appear before you today. On behalf of all the marines and their families, I want to thank each of you for what you do and your continued support in all things military. I will keep my comments short, as my written statement has been made a part of the official record. Protecting cyberspace is a national security priority. Your Marine Corps understands that and recognizes that fact. Indeed, while Marine Forces Cyber Command is just 3 years old, Marines have been conducting cyber operations for well over a decade. We clearly understand that cyberspace, the convergence of network systems brought about by so many disciplines, is absolutely integral to our everyday lives, our national well- being, and has become a key aspect of today's warfighting. Around the world, and particularly in the United States, cyberspace is part of all that we do. Smartphones and social media, to efficiencies throughout our vast critical infrastructure, it all depends on the grid. Yet with all these positive advances come risks and vulnerabilities. We know that Department of Defense systems are attacked millions of times each day. Indeed, the Marine Corps Enterprise Network is also attacked hundreds of thousands of times each day. The critical infrastructure in the United States is highly vulnerable to cyber attack. As the Nation's expeditionary force in readiness, the Marine Corps is preparing to meet these threats by increasing capacity for network operations, by increasing our ability to conduct defensive cyber operations, and, when directed, to conduct offensive cyber operations. Ensuring the stable cyber domain means that we will ensure our stability of our weapons systems, our command and control systems, and indeed our national industrial assets. Today's dynamic global environment demands that the maritime forces be flexible and scalable, thus allowing operational commanders the ability to configure the sea base to optimize the employment of appropriate size and capable forces to accomplish a mission, whatever that mission may be, from humanitarian assistance to major combat operations. Therefore, our cyber operations must be tailored to provide flexibility to the Marine Corps, to the Joint Force, and indeed to the Nation. We need to meet emerging missions, enhancing the requirements to support distributed operations today. Since my predecessor, Lieutenant General George Flynn, testified before this committee some 2 years ago, the Marine Corps has made great strides in expanding the capability and capacity of Marine Forces Cyber Command. We have increased its workforce as well as our cyber-related Military Occupational Specialties. In the future, we plan to increase our cyber workforce by approximately 700 marines and civilian marines through fiscal year 2016. I am very proud of our cyber marines and our civilian marines. They work diligently every day to defend and protect our cyber domain. In addition to the progress we have made in developing our cyber workforce, we have made great strides in securing our network architecture. The Marine Corps has already standardized its security boundary architecture through its implementation of the Marine Corps Enterprise Network, and we are working with the Joint Information Environment framework to comply with developing shared security architectural standards. Indeed, as we assume full control over our network transport and enterprise services, we will collapse our remaining legacy networks, which will then reduce our management footprint and our costs, while achieving greater compliance and consistency, again throughout the Marine Corps Enterprise Network. We are taking a very deliberate and joint approach to cyber requirements. We continually strive for the right balance in supporting the requirements of both U.S. Cyber Command and our own Service requirements. Gentlemen, I appreciate the opportunity to discuss this important project, and I look forward to our questions. Thank you. [The prepared statement of General Mills can be found in the Appendix on page 62.] Mr. Thornberry. Thank you. General. STATEMENT OF MAJ GEN SUZANNE M. VAUTRINOT, USAF, COMMANDER, 24TH AIR FORCE, AND COMMANDER, AIR FORCE NETWORK OPERATIONS, U.S. AIR FORCE General Vautrinot. General Thornberry, Ranking Member Langevin, Congressman Conaway, and distinguished members of the subcommittee, thank you for the opportunity to represent the exceptional men and women of Air Forces Cyber before this panel. It is an honor to appear before you alongside my Service counterparts and to share our progress in responding to U.S. Cyber Command and our Nation's mission requirements. In Air Forces Cyber, through continued support from General Shelton at Air Force Space Command and General Alexander at U.S. Cyber Command, we have made great strides towards normalizing and operationalizing cyber capabilities to match the rigor and discipline of its air and space counterparts. I have been privileged to witness firsthand cyber airmen fulfilling our commitment, the commitment we pledged to you 2 years ago, to provide global vigilance, reach, and power by doing what airmen do best, innovate. This culture of innovation is foundational and has been vital to overcoming the myriad of challenges associated with conducting cyber missions. I would like to share a few examples of this culture in action. In addition to the remotely piloted aircraft mission assurance, which I described in my written remarks, we have also collaborated with U.S. Transportation Command and employed our specialized U.S. cyber teams to search within the .mil networks to assure the mission by proactively discovering vulnerabilities before they can be exploited. General Fraser's Command worked with our teams inside the tanker airlift control center to initially map that mission network to the architecture. Then, in phase two, the operators proactively searched for the network and leveraged capabilities to identify, pursue, and mitigate threats impacting the critical system interfaces that are essential to mission success, an activity in the military which we seek to support in defense of the Nation. For mission assurance, a combatant command's prioritized defended asset list determines where this focused capability will be employed, in effect, the cyber high ground. These teams are operational and have been deployed to protect against adversaries' actions per Cyber Command tasking. Mission capabilities and applications are critical, but increasing the capacity to expand those capabilities in support of joint operators is just as important. I recently attended a graduation ceremony at Hurlburt Field, Florida, where our Intermediate Network Warfare Training course, which is our schoolhouse for a wide range of cyber operators and one of ten in-residence and seven online courses, graduating over 7,000 students a year. As a result of this course, young cyber warriors like Lieutenants Andrew Cook and Stephanie Stanford are now experts in their field and carry unique certifications that only 6,800 people in the world have attained. Operationalizing cyber training and certification, our commitment 2 years ago, a reality today. Likewise, high school and college students around the country have been exposed to science, technology, engineering, and mathematics through successful programs such as Cyber Foundations, the Air Force Association's CyberPatriot initiative, as well as the National Collegiate Cyber Defense Competition. These programs have been truly groundbreaking in that they get our next generation of cyber professionals excited about and committed to a cyber career. These professionals are key to U.S. Cyber Command's mission and the Nation's defense. We grieve the loss of one of those cyber warriors, Staff Sergeant Jesse Childress, in the Aurora shooting; and we join our sister Service, Fleet Cyber, in grieving the loss of Petty Officer Larimer. We are grateful for their service. Having new capabilities and expanding capacity, along with academic, industrial, interagency, and international collaboration is what will move this Nation forward and make Jesse and John proud. Air Forces Cyber has improved our collaboration with our sister Services, other government agencies, academic and industry partners to share situational awareness and increase capabilities and capacity, which is the first essential step towards transitioning to a more predictive and proactive defense. From across the Air Force, we have synchronized materiel command acquisition and engineering professionals, research lab and test specialists, and 24th Air Force's real- time cyber development expertise to establish a Center for Cyber Innovation in Texas, with a goal of rapidly fielding critical cyber capabilities. General Alexander lists this capability as a top priority in his May 2012, Operations Directive, and it was something you requested in section 933 of last year's National Defense Authorization Act. As a result, Air Forces Cyber executes U.S. Cyber Command mission guidance by effectively supporting every combatant command, providing full spectrum cyber operations. I am extremely proud to play a part, as our airmen play, in defending the Nation in cyberspace at the speed of cyber. For me as an airman, that is Mach 880,000. Offensive, defensive, and enterprise services are inextricably connected in this domain. We all rely on cyber to be there. We have a personal interest, a corporate interest, and a national security interest in making sure it remains available for all our use, while denying our adversaries' ability to use it against us. We have made great advances and will continue do so. That is our innovative culture as airmen, our obligation to General Alexander. Thank you for your continued support for this vital mission, and I look forward to answering your questions. [The prepared statement of General Vautrinot can be found in the Appendix on page 69.] Mr. Thornberry. Thank you, and I appreciate all of your statements. And I particularly appreciate, General, you and the Admiral mentioning the loss in Colorado. It is a specific reminder to us all about the tremendous potential of those lives that were tragically cut short by that event. Let me just ask one question and then yield to my colleagues for their questions. The ranking member mentioned sequestration. Obviously, it is near the top of our minds in all we do in this committee and around Congress. If there were to be sequestration, you know, just say on the order of 10 percent, what would that mean for the programs that you are responsible for? If we could just go down the line briefly. General Hernandez. General Hernandez. Congressman, thank you. Clearly, with sequestration no part of the Army would go untouched. So we are not planning for it. And I would say, to Congressman Langevin's point, if we were to invest in areas that had to stay for us, it would have to be the people. We have all talked about the significance of the workforce and training, recruiting, developing, retaining that workforce. And the second piece would be that we ensure that we invest in the right S&T [Science and Technology] that allows us to really capture the requirements for the future in this domain. Mr. Thornberry. I am sorry--10 to 15 percent in the first year alone. Obviously, if sequestration--we are talking about that year after year after year. And, you know, again, I am just kind of thinking about the first year. Go ahead. Admiral Rogers. Well, I believe we are all in the same boat in the sense that the Department has done no planning or provided no guidance; and under the terms of the sequestration, it would be implemented across the Federal Government. I think my concern as a commander, not having delved into the specifics, is if we lose the ability to prioritize, if we are going to take cuts that are just done indiscriminately--and I don't mean that to be pejorative--but if we are going to take cuts indiscriminately across the board, as an operational commander, if we lose the ability to prioritize, if we lose the ability to attempt to identify what are the core capabilities that we want to make sure that we continue to fund at consistent levels, that concerns me. Mr. Thornberry. Well, that is the way it is. It is every program, project, activity cut in an equal amount. So what we are trying to get is, okay, what does that mean for cyber, an area that is so dynamic, that, as Mr. Langevin said, has actually been growing in recent years? General. General Mills. Sir, again, the impact across the Marine Corps would be significant in readiness, in manning levels, and in our ability to train and to exercise our forces. I think probably the impact on Marine Forces Cyber and probably all cyber programs would be disproportionate because of the speed with which we have to acquire new equipment and new software. So I see it as having a significant impact across the board and I think a disproportionate impact within the world of cyber. General Vautrinot. Chairman Thornberry, it would be devastating. The strategy that has been provided by the Department to move us forward in cyberspace and the vision provided by General Alexander rests on future acquisitions, on future changes; and I believe that under sequestration those would not be realized. In addition, those advancements that we have made over the last years, as each of our commands stood up, requires sustainment; and those sustainment levels have not been created and stabilized. And so, as we back away from those, I believe that we would actually lose ground in this important area and in meeting the strategic goals that the Department has outlined and in particular my Service has put into its master plan. Mr. Thornberry. Mr. Langevin. Mr. Langevin. Thank you, Mr. Chairman. Thank you again to our witnesses for your testimony today and thank you for mentioning the losses in Colorado. Like the chairman said, it is important for us to be mindful of their service and the loss that we have experienced in Colorado, and our thoughts and prayers are with them and their families. I appreciate you addressing the issue of sequestrations. I can move onto another area. Talking about cyber operators, can you tell me for each of you how many cyber operators do each of you have? How many more do you need? And where will you get them from? And how will you recruit and retain them? The issue of retention is going to be a big challenge going forward, as identified. I know the private sector is always looking to recruit from the military and to retain them. So we have got a challenge on our hands to retain them. How many do you have? And if you need to get back to us for the record, that is fine. But if you do happen to have those numbers, that would be helpful. General, should we just start with you and go right down the line? General Hernandez. Congressman, let me start with a larger number that we believe are engaged in conducting the full range of cyberspace operations every day, which runs the three lines of operation consistent with Cyber Command for operate, defend, and offense. Of those organizations that are either assigned or under the operational control of Army Cyber at this point, we have about 11,000. Of that number, the predominant number is focused every day on operating and defending our network. The standing up of the cyber brigade really is the brigade that brings the capability to conduct SIGINT [Signals Intelligence] operations, defensive operations, and, when ready, capable of conducting offensive operations. That brigade will be about 1,200 when we are done training that brigade. Because it is a long investment in training for that skill set, and I don't know what the total requirement is yet. I think that is really a part of the larger requirement with respect to how we are going to operate in cyberspace, what the roles and responsibilities will be. But we I think have a pretty good head start in that. Now it is a matter of how we leverage the skills that we have and retain those skills to do the missions that we have been assigned. Mr. Langevin. Have you thought about, too, about the retention aspect of it? Clearly, if people know that these are promotable skills and we can move them up the chain, they can have a place within your--they are in for the long haul, they are more likely to stay. General Hernandez. I think we have learned some really significant lessons as we recruited this cyber brigade. And we did a lot of things that were important in recruiting that are tied to how you assess, how you provide the right incentives to bring them in, through questionnaires, through interviews, through specific targeting of universities and different programs that we try to bring the skill set that not only had a desire to do this but they had a propensity for this hard work. And through a combination of bonuses and incentives, we are doing pretty good in bringing them in. I think our most significant piece that we are learning is that the pool is not very deep, as you talked about earlier, and our development will have to be continuous. So we have adjusted development programs for them. And the incentives to retain them will have to be targeted. As we have done in the past, we will have to continue to do. Mr. Langevin. Thank you. Admiral. Admiral Rogers. Sir, within the Fleet Cyber Command arena, there is approximately 14,000 within our workforce focused on cyber operations, whether it is operating the networks, defending them, or looking at the offensive applications of the networks. The greater majority of those, probably something on the order of 75 percent, are associated with the operations of the networks; and the remainder are pretty evenly split between the offensive and the defensive side. In terms of where do I think the number is going to grow in the future, clearly, I don't think we know yet what the ultimate end state in all this is going to be, other than I think we see some form of continued, measured growth. When I say ``measured''--because I think part of the challenge is, with 75 percent of our workforce oriented on actually operating the networks day to day, that is a percentage that, from my perspective, is totally out of whack. It is a reflection of an architecture and approach to networks that I think is very dated. As we shift into the cloud and we go forward across the Department in a Joint Information Environment, I view that as an opportunity to harvest the savings of those operators, if you will, and invest them as the seed corn for the cyber workforce in the future, to invest them in the defensive and the offensive side. In terms of our ability to retain those men and women, to be honest, we have exceeded my expectations. As a person who has been doing this for about 10 years in one form or another now, I can well remember one of my concerns early on as I became involved in this mission set was how are we going to retain these men and women? I think the thing that has surprised me the most and heartens me the most and what I ascribe to that retention is the fact that increasingly these men and women view themselves as warriors, and that is the paradigm and the prism they use as they assess themselves and they think about their future. And that is one distinct advantage I think for us in uniform. While our civilian counterparts offer many opportunities and, arguably, advantage, the one area that they don't offer is the ability to be a warrior. And the workforce really seems to crystalize around that idea. As well as the broader Navy as a whole is very energized by the mission set, has great respect for its cyber partners, and goes out of its way to highlight to its cyber partners how well positioned they think they are for the future. And the workforce really responds well to that. Mr. Langevin. Excellent. Thank you. General Mills. General Mills. Sir, we draw our cyber warriors throughout the Marine Corps. We consider every marine a cyber warrior, and we have instituted training packages within our Professional Military Education to enable them to understand what cyber warfare is and how to utilize it. Specifically, those that are directed to support Cyber Command we are going to grow to about 700 over the next few years, as I said in my opening statement. We draw mainly from three fields--communications, intelligence, and signals intelligence--to source those warriors. Of note is that as the Marine Corps lowers its end strength over the next few years as the war in Afghanistan winds down, cyber is one of the communities that will in fact grow despite the fiscal challenges that we face in the coming years. Currently, we are increasing our marines that are involved in the direct support to Cyber Command, conducting offensive cyber operations. We are also growing a company that will be directed to support our deploying MAGTFs [Marine Air Ground Task Forces] as they go forward deployed aboard Navy shipping and look to crisis spots throughout the world. Those warriors are really a mixture of Active Duty marines, also reservists on Active Duty who support us, mainly within my headquarters outside Fort Meade, and, of course, civilian contractors that we have been able to identify to fill a need. We intend to recruit, as we always have, the best-qualified young marines that we can find and then to ID those that may have talent and interest within the cyber area and then to train them adequately so they can move forward to do their job. Like the other members up here on the board, we have not had any trouble at this point in retention. I think that will depend somewhat, obviously, on what the conditions are outside the Services in the years to come. But at this point we have not had a problem retaining our fine young cyber warriors. Mr. Langevin. Thank you, General Mills. General Vautrinot. General Vautrinot. Mr. Chairman, as General Mills pointed out, we have cyber expertise that is applied in our acquisition, our engineering, our testing environments. In our operational environment that is Air Forces Cyber and in the component that supports U.S. Cyber Command there are 17,000 great professionals. About 11,000 of those are Guard and Reserve for our total force, and some of those are being repurposed in order to expand on the capabilities that they have to better serve this great domain. From the standpoint of that operation, it also leverages within the Air Force our Air Force ISR agency: Intelligence, Surveillance, and Reconnaissance; and I have the great privilege of borrowing from Major General Bob Otto's folks, 945 of them, that are in direct support of Air Forces Cyber operations in support of the missions every day. The creation of the career fields, as mentioned by Admiral Rogers, was similar in the Air Force. Several years ago, we created a cyber operations career in the officer as well as the enlisted ranks. And the one, Bravo 4, is continuing to expand in our enlisted ranks, and we welcome them aboard with special expertise. That special expertise goes across the training they receive at baseline, which is far, far more unique and applicable to this domain. And then the follow-on courses, as I mentioned in the statement, 10 courses within the Air Force that are resident, seven that are nonresident, many of those supported by our Guard and Reserve counterparts. And then, in addition, those courses, many of them now open to our Service counterparts. Also, the joint courses that are provided by the Department, five different planning and specialty application courses that these folks are able to attend. We are also working towards tactics, techniques, and procedures that apply that knowledge not just as cyber expertise but cyber expertise applied to operational applications in every domain. And the expansion of those TTPs [tactics, techniques, and procedures] is what allows us to operationalize this career field and this domain. The last question was recruiting and retention. I am fortunate to be part of a Service that recruits to retain; and we have been privileged to have any number of folks that come in not just to gain that expertise, which is oftentimes the initiation, but they want to serve the Nation. Now they have the advantage of serving the Nation with extraordinary capabilities that are often not available in industry. And we find that the ability to serve, coupled with those extraordinary capabilities, is a retention factor, and it is a factor in our advantage. Mr. Langevin. Very good. Thank you. I yield back. Mr. Thornberry. Mr. Conaway. Mr. Conaway. Well, thank you, Chairman. And, folks, thanks to you all for being here. Staying with the personnel theme, the typical cyber warrior, you don't think of them in the traditional warrior category. They need to be a lightning-fast typer and really be able to think and those kinds of things. In terms of recruiting and targeting the folks you need, I am assuming that everybody you are talking about goes through the exact same basic training, the officer candidate school, all the regular entry-level schools that everybody else does. Is that a barrier to getting folks that you really want? In other words, do you ever foresee a point where they will need those kinds of skills to continue to conduct cyber warfare versus a group that might not be the prototypical marine or airman or sailor or soldier that would need to shoot real straight and be able to be physically very sound and aggressive? General Mills. Sir, I will take the first whack at that and say that our cyber warriors are marines first, will always be marines first. They will undergo the same training that every marine undergoes, whether officer or enlisted, and will be promoted and trained within the Marine Corps system. I don't see a problem there, sir. Admiral Rogers. For us on the Navy side, we are clearly concerned about that phenomenon. We created a few niche programs, if you will, to allow people with kind of unconventional backgrounds to come into the field. Those numbers are fairly small. One of the thoughts in my mind is, over time, as our capacity grows, does it overgrow our ability to assess people in the kind of traditional models, if you will, that we tend to do now? It is something that we pay great attention to, and I am always looking in my mind when do we get to that critical typical tipping point where the conventional mechanisms just aren't going to be there for us? We are not there yet. I don't see us getting there in the immediate near term, but it is something I watch for, because I am concerned about it in the future. Mr. Conaway. General Hernandez. General Hernandez. Thank you, Congressman. I would add, as the Marines have said, that we have not seen that as a barrier to entry. In fact, I think this idea of cyber warrior is critical, because they see themselves as warriors. I have consistently said that in a way there are some characteristics or values that we all have to have, and in this domain there might be a few that we would add a little more emphasis to. So we have talked about a professional team of elite that we will have to really work our way through how we select them, train them, develop, and retain them. Trusted. Because I believe in this domain if you want to be able to gain the authorities to do the missions that you want to do you have to have trust. Discipline to do what it is that you can count on the person in cyberspace, as you would a battle buddy on the battlefield. And precise. Because collateral damage in this domain can be as devastating as any other. So those are four values, if you will, that we would add to that. I do believe that we are clearly going to have to think about how we develop them differently. And the schoolhouse domain may not be in fact the same model. And they are learning every day because things are changing so frequently that they have to keep up, and the challenges need to stay in this domain. So they have to get the mission that comes with being a cyber warrior. And I believe that the entry will be similar to what we are doing now. But we are looking for that special, elite group. General Vautrinot. Sir, I will echo my comrades. In wearing the uniform, there is great pride. There is also great responsibility; and the accession programs recognize that necessity and leverage that. But, in addition, the numbers that I spoke to were our officers, our enlisted, our civilians, our contractors, and our citizen airmen that come from the Reserve and Guard. And all of them have the opportunity for this unique training. And as they apply that training, they apply it in defense of the Nation. So I think our cyber warriors extend to every one of those categories. And certainly the specialized training for those that wear the uniform and wear it in harm's way is appropriate to someone that you need to depend upon in that regard. Mr. Conaway. Thank you, Mr. Chairman. Mr. Thornberry. Well, I know you all will continue to watch that. Obviously, a little bit of intuitive common sense says that we may have to treat some of these folks differently; and if it gets to the point where that involves us with some sort of different compensation system, some sort of special carve- out or something, I would want you to let us know. Because it just seems on the face of it that as we go by and, as you said, as we expand and so forth, that we may have to not treat some of these folks the way we always treat everybody else. So I think we will all be interested in that comment. Mr. Barber. Mr. Barber. No questions. Mr. Thornberry. You have no questions? Let me--I don't know. Maybe these questions are a little bit more suited for General Alexander, and maybe they are just dumb questions, but let me give it a shot. I understand that each of you all are responsible for your Service's networks. Okay. But in thinking about supporting a joint operation of some kind, whether it is a physical operation that you are supporting or strictly as a cyber operation, how do you decide who does what? Because it seems to me that there is no particular benefit from one Service to the next, no natural sort of inclination. So is it going to work where Cyber Command says, okay, the Army is going to take care of this target set and the Navy is going to take care of this target set and kind of assign responsibilities? Or does Cyber Command say, okay, we will take four Air Force people, a marine, three sailors, and so forth. You all send them up to Cyber Command, and we will set them next to each other and we will tell them what to do. How does the Service component fit into that kind of national mission I guess is kind of what I am wondering. Whoever wants to help me. General Hernandez. That is a great question, Congressman. In fact, we are all working through that right now with Cyber Command; and, really, there are several different layers that we have to work through. The first piece is how do we provide value and resources and forces to a national mission, which is part of what General Alexander has, and what is our requirement for that? And then, second, what do we do with our Title 10 role to provide trained and ready forces to him for his Cyber Command mission? And the third piece is for us to support Geographic Combatant Commanders and in the Army's way also to be able to support tactical and operational commanders that are supporting Geographical Combatant Commanders. So we really have to nest that strategy from the top to the bottom of who is going to do what requirements. I think we all believe that over time a couple things are essential. One is that is going to become more joint in most cases. Certainly the training and the standards that our cyber warriors will need will need to be joint so that you can count on them being able to interact with joint teams. The second piece I think is the Joint Information Environment that we have all talked a little bit about and the need to get to that operational warfighting platform that allows us to really have an operational network that we can defend off of in a joint way. Because, after that, it will be coalition operations. As well as an infrastructure that we can conduct cyberspace operations off of. So I believe that work is ongoing, and it is going to have to be nested from the top to the bottom. The last piece he has given us is a hard look at some functional requirements, what we might do for specific capabilities, command and control, IADS [Integrated Air Defense Systems], and those types of functional looks at how we might ensure that we are providing that capability as a force, as opposed to duplication of effort or worrying about deconflicting it too late because you have invested resources that might not have been done that way. So we are working on all of that together. Admiral Rogers. Sir, from my perspective, this is an issue we have spent a good deal of time working collaboratively with each other and with U.S. Cyber Command on to address so how are we going to apply the capacity and the capability that we are each generating. I will speak for the Navy, but I think it is fairly common for all of us. We provide capabilities both within our Service but, at the same time, as U.S. Cyber Command's Naval component, or Navy component, my comment to him was, sir, we need to generate capacity and capability for you in a way that does this in an integrated fashion; and if we are each going to act on our own, this isn't going to get us where we need to go. I think, to General Alexander's credit, within the last few months he has generated what we call the Operational Directive, the OPDIR, where he has laid out for each of us here is how my operational vision is in terms of how I will parse out who will have leadership within different geographic areas around the world. And then, once you are designated as the lead, then we collaborate with each other for how we are going to generate the full spectrum of capability and the capacity that we will need to support those joint commanders. Tie in then, as General Hernandez mentioned, the Joint Information Environment that hopefully gives us over time an underpinning that we can all plug into somewhat seamlessly, as opposed to the environment where we operate in today, where that is definitely not the case. I think between those two things we are able to apply our respective capabilities to maximum effect. But it is an issue of great concern. The last comment I would make is one other comment I make regularly to U.S. Cyber Command, is please don't view your components as manpower pools. We are integrated warfighting organizations just like every other mission set within the Department of Defense. Task us, just as we do in every other mission area across the Department. Have us bring you capacity and capability in an integrated, cohesive unit whole, which is the way we are used to working as a Department and the way we have all structured our selves. General Mills. Sir, I would agree. I would just add that we have talked about ensuring that we have standardization, if you will, of training those cyber warriors so they meet the requirements that General Alexander has published. I think this is not particularly a new problem. There are other areas in which you begin to cross over into Title 10 responsibilities of our Service chiefs to man, train, and equip their own forces. But we work in the joint environment in many, many other ways where there are some similarities of how we come together, how we provide forces that are trained to accomplish a specific mission and yet we retain our Service identities. So I think it is a thing we are working through as the growth of Cyber Command takes place, but it is not an insurmountable problem. General Vautrinot. Sir, I will echo Admiral Rogers in the discussion of the Operations Directive, which does two things: It aligns us to provide direct interface with combatant commands that have unique requirements, but it also leverages the core competencies that are specialties within each of our Services, not just for a given combatant command but in support of each other as we provide those rare capabilities. In addition, the orders process across the board as U.S. Cyber Command was established has been very freeing in this regard. Because those orders come through to all of us in order to provide capability across the board. Cyber is foundational to every one of the air, ground, sea, space missions. And because it is foundational, we all need to operate in a synchronized and consistent manner. The orders come to each of us in the operation of our portion of the network to provide that synchronization. And so, in following those orders, we are all doing very like things but appropriate to the network that they must be applied to. So that is foundational, providing the unique core competencies to enhance missions as they move forward, and then certainly expanding cyber in order to provide alternatives that are nonkinetic, that don't require heat-blasting fragmentation, to the Nation through the cyber domain. Mr. Thornberry. Well, that is helpful. It just occurs to me, as you all sort through these issues that seem to me rather complex, exercises are going to be really essential to test this out. Because, you know, I am not too concerned about the young folks that work for you all, but I am more concerned about the bureaucratic gobbledygook that can foul up even the best intentions. And until we exercise some of this capability, you know, it will be hard to know whether it will really work. You all touched on this, but it was also a question I had about the relationship of your components to Geographic Combatant Commanders, how that is going to work. Is it Cyber Command directing operations in Central Command and the other commands? Or are you going to send a unit to the commander of Central Command and he is giving all direction for it so that they are completely a supportive body for the combatant commander? I don't know. Maybe it is not an either/or situation. But you just think about an operation in country X. There is going to be elements that are obviously supporting the tactical fight there, but there are also elements maybe at a cyber domain that will exceed even that geographic area. Mr. Thornberry. And how does that fit with our current geographic divided command structure of the combatant commanders. Make sense? General Hernandez. Makes absolute sense, Congressman. And that is really part of this directive in reality what we have been working for almost the last 2 years. So from an Army perspective, General Alexander has asked Army Cyber Command to take the lead for him for CENTCOM [U.S. Central Command] and NORTHCOM [U.S. Northern Command]. Now what that translates into is that we have a habitual relationship with a cyber support element that is operating everyday as part of Cyber Command. And we have participated in exercises that demonstrates our ability to bring capability to integrate with his plans as well as provide reachback support from Cyber Command. And as you have described, really there is a Cyber Command global mission that is supporting an operation that would have a national piece to it and support to CENTCOM. And there is a CENTCOM piece that would be directed in support of CENTCOM principally led by Army Cyber Command but with Joint Forces and joint teams from all of Services. Mr. Thornberry. So who calls the shots when there is a global component and a geographic component? General Hernandez. Clearly, in a global domain, it needs to be coordinated and integrated and deconflicted very quickly and at the Cyber Command level. Mr. Thornberry. It just seems to me it may be a challenge to work our way through. I don't need to tell you that. Last question for now, and then I will yield to my colleagues. There are rumors that there are rules of engagement bouncing around the Pentagon. I haven't seen anything yet, but I guess my question to you all is how comfortable are you that we are close to having rules of engagement that we--that the country can move forward and operate with? Admiral Rogers. That is really within General Alexander's lane, if you will, as the Joint Commander. It is an issue he continues to work with the Department and the Joint Staff leadership and the rest of the combatant commanders. It has been an issue of discussion for some period of time now. I think there is recognition that that is a requirement, something we need to do. The devil is always in the details, if you will. But my sense is that at some point in the near term, we will start with something that will continue to evolve over time, which is what you see in our standing rules of engagement for the Department, for example. That is the way they worked those. I think you will find the same thing in the cyber arena as well. Mr. Thornberry. Essentially, the Joint Staff and the Cyber Command will hand you all rules of engagement that you will then have to look at, plan with, operate from and will evolve understandably over time. Admiral Rogers. As will all commanders within the Department, be standing rules of engagement for all. General Vautrinot. Chairman, there are existing standing rules of engagement for every one of the execute orders and the orders that the military is working under with regard to cyber operations today. And I believe the expansion of those orders is in the area of defense of the Nation as opposed to the defense of our Department's networks, but in defense of the Nation. And certainly work in that regard is what General Alexander is moving toward, but I did want to point out that the standing rules do absolutely exist. And we test those as well as test the potential rules of engagement in the exercises that you mention. For example, if I am working with the combatant commands on behalf of General Alexander to bring that face and that cyber expertise toward them, Turbo Challenge, Austeer Challenge, Global Lightning, Judicious Response and those kind of tier 1 exercises in each one of the combatant commands informs both the command and control relationships as well as the necessary rules of engagement and any shortfalls. And then Cyber Flag by U.S. Cyber Command brings us together to do the force-on-force and engage and then take that information back into both the Department's tabletop exercises as they do strategy as well as war games, like Unified Engagement, that bring leadership together to think about those rules of engagement and how the civil leadership wants the military to perform in that regard. So those exercises are very, very successful in bringing that information forward. Mr. Thornberry. The only point I would add--not that it is you all's responsibility, but I made this point to other folks in the Department--it seems to me that in this area of cyber rules of engagement, it is more important than ever for the Department to engage with Congress because a cyber engagement is unlikely to take place in a timeframe where we can formerly pass a declaration of war and authorization to use military force. The force that we are talking about here occurs at the speed of light, and so having that consultation ahead of time will smooth things for the time when there could be a use of military force in cyberspace that will start getting into constitutional issues and a variety of challenges for us on this side of the river as well as the funny-shaped building across the way. So, Mr. Langevin. Mr. Langevin. I do, Chairman. And in tangential to what the chairman was just asking that is on my mind, because obviously, these are very powerful tools, both the offensive and the defensive side, and we have a lot of things to work through. Do you believe that you need additional authority to undertake your current mission sets? And General, you touched on some of these things already, but can you describe the legal authorities that govern offensive and defensive operations, just to delve into it a little deeper? General Vautrinot. Sir, probably not my lane, in terms of the legal authorities, and I certainly look to the Congress to ensure that we have those authorities to move forward. However, I can say that in doing operations on a daily basis and in support of Cyber Command's mission tasking, we leverage the authority of the intelligence community under Title 50 of the U.S. code; certainly leverage the authorities in law enforcement under Title 18 in order to support those activities; and then of course your Title 32 authorities that you are very familiar with--I know that you support the 102nd-- it is a Guard unit that works directly with us in mitigating and responding to emergencies in cyber on a daily basis, perform those operations under Title 32 for the Guard; and then, of course, Title 10 operations, which we are most familiar with in the military. And the important area is to make sure that we can work with unity of effort as we are all working toward in the military and synchronize these things in a way that supports the nation, both protecting the national security while also preserving privacy and preserving intellectual property. And that is the difficulty, is making sure that we ensure all of those things, rather than trading off, and I applaud the work that has been done both to dialogue in the Congress and now going to the debates that will bring us forward in moving those authorities. Mr. Langevin. Thank you. General Hernandez. Congressman, I would add that I, too, am comfortable that we have the authorities needed to do our mission. But I would say that most significant is the legislation that is being worked. And I applaud that for a few reasons. First, it helps codify and clarify ``dupe'' [duplicate] roles and responsibilities. The second and important one to all of us is really if we are able to get into information sharing in ways of looking at protecting our critical infrastructure, that will now allow us to see things and do things in real time, where others know things that would help each other, they are left and right on a daily basis. So I think that is critical to our work. Admiral Rogers. And I would echo General Hernandez. I am comfortable with our ability to execute our mission set. Now one think I like about the Navy's construct, like the joint world with General Alexander, the Navy cyber capabilities both in the Title 10 and Title 50 arena are all OPCON [Operational Control] to the Fleet Cyber Command and 10th Fleet, much like General Alexander does in both his Director of NSA [National Security Agency] as well as Commander, U.S. Cyber Command, hat. That gives us flexibility. And as General Hernandez indicated, the biggest issue I see increasingly over time is the ability to share information outside the Department and with partner sets that traditionally we are just not used to dealing with. When I look at the problem set, it is the nature of the future in this domain. Mr. Langevin. Thank you. General Mills. I would echo what my partners here have said, I would point out that gap that exists between the authorities we have to protect our critical infrastructure onboard our bases and the critical infrastructure that exists out in our local communities that yet support our bases, electricity and things like that. So that gap in authorities I think needs to be closed, and I believe that is what the legislation is going to do. And that is why it is so critical, I think, to the overall attempts of what we are trying to do. Mr. Langevin. Very good. Thank you. Mr. Conaway. Kind of a two-prong question. One, does the Department of Defense have an adequate definition of what is and isn't cyber with respect to budgeting issues and how that all gets captured? And then, two, acquisition, when you are buying big stuff, it is obviously a problem to stay on the cutting edge. Your domain, it would seem to me, would need to be the best tools available at any one point in time, whether that is software, hardware, those kind of things. Do you see acquisition challenges that will prevent your team from having the best F- 35 in the Air Force's case? You know, that is leading to, are the incremental costs not so much that it is really an issue? General Vautrinot. Let me talk a little bit about acquisition because we have had some real movement in this regard, and I mentioned it in the written testimony as well as the spoken. When you asked us in the authorization act to look at the methodology by which we acquire and make it appropriate for cyber, there is a recognition that the 5,000 series, the acquisition of very long-term, long-term sustainable bent-metal type programs is not appropriate to both the rapid change in cyber as well as the ability to leverage capabilities against an existing and very dynamic architecture. And so we have moved forward in both providing real-time development of tools that can be resident on those architectures and can leverage the existing architectures, which certainly we have already been working and provided capabilities both to U.S. Cyber Command and to the combatant commands. The next step in that response is rapid acquisition, which scales the folks that are doing material acquisition, the engineers and the acquisition professionals that I would see in ESC [Electronic Systems Center] as part of Materiel Command, brought together with the testing environment, brought together with the professionals in the Air Force, research, laboratory, all of those folks are coming together, in my case, in Texas, not to work for each other but to work those elements of science and technology, prototyping, development, test, fielding, and training of the forces to use those resources and those capabilities in real-time. And so that rapid acquisition is part of the response I believe you will see from the Department in terms of how we need to acquire for cyber and move forward more rapidly. Mr. Conaway. Is that a joint acquisition, or is that each Service would have their own stovepipe like you are talking about? General Vautrinot. Sir, I will defer to OSD AT&L [Office of the Secretary of Defense for Acquisition, Technology, and Logistics] as they respond to that, but the methodology is the methodology that they are exploring. We are the pilot case. We are actually applying that methodology within the Air Force down in Texas. General Hernandez. Congressman, a couple points---- Mr. Conaway. If you don't have anything to say, you don't have to say. I mean, it is not a required response, but if you have something, I would appreciate hearing it. General Hernandez. I would start by saying we are working very hard to capture all costs associated with this. As you know, it is not--as you start defining cyber in the three lines of efforts between operate, defend, and offense, there is a lot of information technology. And how you sort those costs out is work going on significantly in all the Services. Within the Army, the Secretary of the Army has started an IT [information technology] management reform initiative. There are several pillars to that, but one of them is to establish a governance that allows us to get after the cost, and another one is a process that allows us to acquire IT through an agile process. In the meantime, as we work through that, we have worked hard our requirements from both defense and offense. From a defensive standpoint the network integration evaluations that we do every 6 months at Fort Bliss, where everything that we intend to put on the network is tested there, allows us an opportunity to rapidly test, deliver, and field capabilities. And at the same time, we look at all of them to make sure they are bringing no vulnerabilities to our network. So I believe that will cause the process to go faster with respect to acquisition from that end. We do have--are working with an organization in the command that has given us authorities to rapidly field and test capabilities that we would need to have quickly if we wanted to put inside of an operation. But I think the future really is how we do more of that better and get at capabilities across all the Services in a joint way. Admiral Rogers. Sir, the only thing I would add, in the Navy, this is something we spent some time thinking about, how do you meet the acquisition challenges in the cyber arena? While work with our broader joint partners and the broader standard acquisition mechanisms within our Service, we also, within Fleet Cyber Command, created a small core R&D [research and development] capability under my control as operational cyber commander for the Navy with some seed corn in it, if you will, that allows me and others to rapidly acquire and develop kind of top priority cyber capabilities for us that are done outside, if you will, the traditional acquisition pipeline for us, with some specific restrictions, if you will, about how we do it so we are not duplicating the effort of others, but it has proven to be a great capability for us. Mr. Conaway. One quick follow-up, and it occurs to me while we are sitting here thinking, is if we have got an array of weapons that are appropriate for a Marine company or a platoon, they are given certain tools and certain weapons that we all agree to. In this arena, there seems to be that each of those operators have the opportunity to either build their own tools or their own weapons, their own equivalents. Is that--have you thought about that as a concern yet at this point in time, in terms of what these folks are able--because these are going to be bright people, and they are going to be in an arena where innovation and being the first to be able to do X, Y or Z is a real issue. And they are going to be--competition and competitive to try to do that. How do you let that happen but don't lose control of it? Admiral Rogers. I will give you my perspective. I think the positive side is so far we have managed to strike a good balance that provides for the initiative, which is I think is at the heart of really one of our positives, both as a nation and within the Department. At the same time, as we each generate unique capabilities, if you will, within our Service, we will push them up in the joint arena to U.S. Cyber Command and the National Security Agency to kind of act as a central repository, if you will. And then we will harness that capability as we are looking at different mission sets and what tool sets are available out there that other partners have developed, and we are finding ourselves more and more using tools and techniques developed by other Services and by our joint counterparts. Mr. Conaway. Okay. Mr. Thornberry. I think we have had provisions in the fiscal year 2010 and fiscal year 2011 defense authorization bill on rapid acquisition for cyber. So I was listening to your answers, but I will make the same offer, as you work through these issues, if you find that you need some additional authorities, you know, please let us know. We have provided some unique authorities in some other areas, Special Operations and whatnot, and it may well be that cyber just doesn't fit or somehow the tools available to DOD do not fit this domain, and so I wanted to make that offer as well. Ms. Davis. Mrs. Davis. Thank you, Mr. Chairman, and I am sorry that I wasn't able to be here until the last few minutes, but I certainly appreciate all of your work, your dedication to our country, thank you very much. I wanted to just ask a people question, and you may have already addressed this, but in this unconventional domain in which we are asking you all to work right now, could you just talk for a minute about the stress levels and what you're feeling or finding in terms of morale of the force that is the feeling in this new area? What are we learning about that? And are there things that we should be doing to really help and support people along the way? General Hernandez. Congresswoman, thank you. We did have a little bit of this conversation, and I think the key point I would say is, one, they appreciate being cyber warriors. They are excited about the opportunity. They are excited about what they are a part of. And our charge is to continue to develop them and continue to keep that excitement because we can't do it without them. Admiral Rogers. I guess for me it is kind of interesting I guess the more junior you are in our workforce at least, the less you think about the challenges and the much more you are focused on the opportunities and the energy that you bring to the fight. Generally, as you are more senior, perhaps a little older, I generally see at that level, you are much more concerned or really focused on the challenge set. And you see that stress where you are looking at the range of things that you know we need to do. You are looking at the range of resources that you have right now to do it, and you know you have to prioritize. You have got to focus on what needs to be fixed first. And so there is always those trade offs. But the positive side I think is for our workforce, they are energized by the situation, which is a great thing for us and the Nation. General Mills. I would offer up the same observation. I think morale is extraordinarily high because I think that the people involved in the cyber understand that they are cutting- edge, and they are developing a new weapon system that is going to have a huge impact on the battlefield, and they are excited about that. I think they are also excited about being a part of ongoing real-world operations, and they understand that what they are in is not just not simply a training mission or an exercise, but they are out there doing real things and having a real impact. I think that enables the morale to stay high, despite the long hours and perhaps the shortage of personnel we have from time to time to--morale is not an issue. General Vautrinot. I will echo my Service counterparts. There is an excitement. It is a target-rich environment of things to fix, of things to change and an environment where you can have so much impact on how the Nation is going to leverage this capability and how we are going to help to protect the Nation and meet the requirements. They are rising to that challenge. I think that is what we see every day is that level of excitement and that level of commitment. Mrs. Davis. And do you have any concerns that you won't be resourced properly? You said sometimes the numbers, as you are growing more of this force, is that an issue? Are you worried about that? You probably already talked about that as well. General Mills. I don't. I think the training pipeline is long, and so once you identify the personnel and you train them within your own Service and then get them the joint training they need to be able to be employed, that takes a while. And so that is a challenge, but it is a challenge that we can overcome. Mrs. Davis. Great. Thank you, Mr. Chairman. Mr. Thornberry. Thank you. Is there any disadvantage to choosing one of the career fields in cyber right now as far as a long-term military career? Have we standardized everything so there is no problem at all, or can you pick one of these new cyber career fields, stay in it for 20, 30 years, if you want to, and retire and so forth and move on? Or is there any disadvantage is really my question? General Hernandez. I see no disadvantages today. In fact, I think we talked that word before; they see more opportunity. And as we develop the domain more and we move to an operational network, I think we will see more convergence. And with convergence comes the ability for defenders to also do not just defense but operate potentially offense, and that is exciting. And those that are offense will learn skills on how to defend, and that moves us to a domain that you can really operate in, and I think that will provide more opportunity and more excitement for them than being stovepiped or think that they are too narrowly focused. So getting that balance between generalization and specialization with great development opportunities I think is the future here. Mr. Thornberry. I think that is a fair point. I guess I was really thinking just more the way the military sees careers and what it rewards, what it doesn't, who it promotes, all of those sorts of issues. Do you think we are at a point where these cyber career fields are treated equitably at least of other career fields? General Mills. I think it may about a little too early to tell the answer to that question. Mr. Thornberry. Haven't had enough experience yet. General Mills. Yeah. I don't think there is enough depth yet, enough officers are enlisted who have gone up for promotion, et cetera, et cetera. I think that will play out. I think part of that is incumbent on us to make sure that our Services are educated as to what the individuals are doing, to ensure that the Services understand the contribution they are making, and understand, although their service record may be unconventional, that in fact, much like special operators, what they are doing is extraordinary valuable. So there is a--time will tell. Mr. Thornberry. Okay. Let me just ask this, thinking midterm maybe, 3 to 5 years ahead, what technical capabilities would be your priorities for development? And kind of an ancillary question, do you have input into your Services' R&D priorities for the future? That is another area the subcommittee covers, our S&T programs. So what are your technical priorities for the next 3 to 5 years? And do you have input into your Services' research and development program over that period? General Hernandez. Congressman, I would answer absolutely we do. And our R&D priorities are nested with the Department of Defense's priorities in this arena. We have helped shape several of the requirements that we know we will need from an S&T standpoint for the future. And we are also working with a lot of partners on near-term things that they can assist us with. My number one requirement for the near term really would be capability that increases our situational awareness, that allows us to see ourselves better, allows us to see the threats better and allows us to see the cyber terrain we are operating in. That is not an easy problem, and it is one that we are only going to be as what we see and as we move through a global domain, we will have to have better visibility to cross all of it. So that's my number one short-term requirement. Admiral Rogers. I would echo General Hernandez, probably situational awareness, number one. Because if you want to defend an operation--if you want to defend and operate in an environment, the human condition, generally you have to be able to visualize it and you have to be able to understand it in a way that enables better and quicker decisionmaking, particularly in this environment. The only other things that come to my mind are automating--automated decision aids, again, that increase speed and agility because we are going to continue to use traditional timelines and methodologies we are going to be behind the power curve in this domain. And then, lastly, automating a lot of our defensive capabilities, things that still require more of a man-in-the-loop than I would like, for me at least. Mr. Thornberry. I am sorry, General, if I could interrupt. So do you have input into the research and development the Navy puts into those issues, or do you look primarily to the private sector for some of that? Admiral Rogers. I do both, to be honest. Mr. Thornberry. You develop it---- Admiral Rogers. Well, I--and I also look to the private sector as to what kind of things are you working on that might have applicability for us. General Mills. Sir, I would echo what the Admiral said, as well, and I would add that the Marine Corps looks to develop ways to make these capabilities expeditionary; how we can forward-deploy them, how we can support our crisis response forces that are out forward-deployed at the point of the spear, how we can bring those with us in an expeditionary manner. I would also look to help us solve some of the area denial, anti- access threats that are appearing, and we have to deal with as we look at, again, maritime operations in areas in which we may not be welcome. Those are the areas in which we are looking at, as well as what the Admiral said. General Vautrinot. Sir, I will address the second first, and that is, do I have input? And the answer is absolutely. In the Air Force, we have a core function lead integrator for the entire Service that looks at each one of the core areas. And for cyber, that is General Shelton who is Air Force Space Command. And so, in a prioritization, we directly input, and that is exactly what came out of the master plan in terms of the prioritization. We also do the ``one to n'' priorities associated with science and technology and the research and development activities that are being done by our Materiel Command in this regard. So it is a very direct input, and we are seeing the benefits of that collaboration and seeing it all come all the way back into that what kind of capabilities we are now able to field. So let me answer that portion next. In the capabilities that we are seeing fielded, on the defensive side, we talked about the AFNet migration, the Air Force Network migration, which is an effort to create from the heterogenous, the very individual networks that were then brought together to become the network from the way that they were originally designed, how do you make that more homogenous and then you are able to apply situational awareness, an automation to that homogenous network, and so we are very far I long the path in doing that on our unclassified networks at every one of the bases worldwide. So we have created an architecture that says we go under the gateways, everyone comes through those areas, that allows us to treat everything as an operational environment and defense in-depth and then apply the tools to best leverage and give additional capability, so it is a platform, not discrete individual items thrown at the problem. So you are doing it in an organized, operational, normal fashion but at a very rapid pace. Those same tools can then be applied to protect infrastructure to look at what the vulnerabilities, the key terrain in cyber for all of that infrastructure capability. And I was talking to Congressman Langevin earlier about remote forensics and the ability to do that in real-time and then apply the lessons, both from the intelligence community that are very dear, as well as your understanding of your own network. So we are seeing both the prioritization and, more importantly, the application to those priorities to the capabilities that are right now coming out on both the defensive and the full spectrum capabilities we are applying to Cyber Command. Mr. Thornberry. When you get all those networks working together, I want to send you over to the finance people at the Pentagon so maybe they can pass an audit before too long. Mr. Langevin. Mr. Langevin. Thank you, Mr. Chairman. General Vautrinot, I wanted to touch on the role of the Guard since you talked about that in your testimony, and I am pleased to see that in your testimony, you did highlight the role of Rhode Island Air National Guard's 102nd Information Warfare Squadron. Can you talk about how you see the role of the Air Guard, and Reserve cyber units evolving in future years? And are these units properly resourced and manned? And then, in addition to that, I talked about the combat communications unit in Rhode Island that is going away and how General McBride is looking to increase, kind of have that role evolve and have the cyber warfare unit play an expanded role as that is being replaced. But if you can talk on the role of the Guard and Reserve and the cyber units and how they are going to evolve in future years, that would be important. General Vautrinot. Certainly, sir. Admiral Rogers would say, a rising tide serves all boats. In the airmen language, that would be, you need to gain a little altitude in order to be able to maneuver. The use of the total force gains us that altitude because these are citizen- soldiers, and they go back to their communities. So, in the case, for example, of the 102nd, they are part of the Air Force Cyber Emergency Response Team. They are using the same very high-end capabilities that we just described in their day-to-day mission. It is an operational mission, and it is serving the Air Force and Cyber Command, but it also serves in bringing their level of training, the exact same training and the same equipage, the same capabilities, they can take that back to their community, back to their corporate entities that they serve on a day-to- day basis, and they can apply that same knowledge in the same way that citizen airmen do when there is a crisis of any kind. In this kind, it is a very technical application. So, as we expand that, then we have I guess in cyber, it is about team, and there really is an ``i'' in team. It is about industry. It is about the intellectual capital of our universities, like your University of Rhode Island, who just got the Center of Excellence Award from NSA, very rare, sir. It is about interagency, and it is about international cooperation. And so you bring all of those ``i''s into team, and literally, what you are doing by bringing the total force together is expanding that across the Nation so that we can all apply that. Do we have sufficient resources? As the Guard does those transitions from some missions that are no longer most appropriate in the cyber environment, and so for combat communications, they are a national treasure, but that treasure is about hooking up communications in a deployed environment. And what General Alexander and the Nation needs is the ability to extend a defensible, robust, trusted network. And so that extension is the way that we are moving forward in the future, and so as the Guard would service that intent and that vision, we would want to repurpose those forces into those kinds of missions and make sure that we move forward. In terms of total numbers, for example, the 119th in Tennessee, a great effort to provide some resilient facilities in Tennessee. And we are working with the Guard to try to actually put resources, manpower resources, against that facility to allow it to be a resilient capability for the Nation, for the Air Force, on behalf of General Alexander. So we need the Guard and the Reserve to move in that manner in order to move this mission forward. Thank you, sir. Mr. Langevin. Any other---- General Hernandez. If I could add a few points, we are working closely with Reserve component, both Guard General Ingram and Army Reserve General Talley. All those units that have cyber capability are under the operational control of Army Cyber Command today. We leverage them routinely. They bring unbelievable skills to all the mission sets. There are a couple other areas that there is tremendous opportunity that we are working with them on. And first is, what else can they do to help with homeland defense, with the defense network the National Guard has, not only in a recovery but in a preventative way with their defenders, as well as critical infrastructure protection? The second thing is they have tremendous skills that we haven't harnessed those skills. We know about where they are, but they sign into units that are different than the skill set. We haven't determined how we can best utilize those individual skill sets. I think there is opportunity there that we are working on. The other area, as you know very well, is there are state partnerships are strong and vibrant in other countries, and our part of that would be, how do we establish those partnerships in this domain with other countries where building partnership capacity is important and there is a cyber element from a state unit that could support us with that? And the last one I would highlight is we have a pretty robust STEM [Science, Technology, Engineering, and Mathematics] program in e-cyber mission, and I think that there is tremendous opportunity that we are starting to work with States from the National Guard perspective to expand that STEM to the communities. Mr. Langevin. Yes, sir. Admiral Rogers. And I would just add on the Navy side, I find our Reserve teammates among the most flexible and willing to try new innovative things when it comes to the application of their capabilities. Every major combatant commander has tier 1 exercises during the course of the year, and the Pacific TERMINAL FURY is Pacific Command's largest tier 1 exercise during the course of the year. Like we do with every major exercise in every major operation, we do we integrate our Reserve teammates into what with do. For TERMINAL FURY 12, we decided to try something a little different. Traditionally we apply skill sets based on a pay grade or a designator if you will that kind of codifies an individual's background. We approach the Reserves this time and said, let's try something a little different. I don't want to specify pay grade; I want to specify a particular background or skill set in the civilian sector and see how we would match those like matching by pay grade, which was just amazing, the amount of capability and expertise that is resident in that structure when you look at it slightly differently and their willingness to do that. I didn't get any pushback at all; was just amazing, and it really energized them. So it is something we hope in the Navy hope to build on in the future as a great experience and hope to do more of them. Mr. Langevin. General Mills. General Mills. Our mobilized individual reservists bring great skill sets with them when they come on Active Duty. They play a very important role both at my headquarters MARFORCYBER [Marine Forces Cyber], as well as over at CYBERCOM [U.S. Cyber Command], where they fill some very critical billets. So very, very important role for us as well. Mr. Langevin. The last question I had since obviously the younger generation seems to obviously take to technology like fish to water and probably some of the youngest recruits are going to have some of the most robust skills, what kind of transparency or situational awareness do you have in terms of throughout your various Services of those individuals that aren't assigned or haven't chosen the cyber route as a career path but that you could potentially tap into and recruit from the rest of the various aspects of your Services that might at some point have to think about encouraging them to go into a career in cyber or that, in the event that the Nation needs surge in the area of cyber, that you could quickly identify and tap into and then draw the folks into your various roles? Have you thought about that and if you could can you talk about that briefly? General Hernandez. I will start. We, our personnel systems have limited visibility on the depth of skills that we would want to identify for this particular domain. We have an initiative that we will work total Army that is intended to get at Active, Reserve component military and civilian called Green Pages. We have done some pilots in the Army with Green Pages that says, these are the list of skills that we are looking for; do you have these skills, sign up for that. And then there is a potential opportunity for you to serve in these assignments, and you might get better matches than the way we currently do it today. But it is a pretty large holistic view that says what are the skills we would want to have and start describing those that so that they can tell us what they have and allow us to get a better utilization of them, but that is work to do Congressman. Admiral Rogers. Sir, I think for us--I think it is true for all the Services--our view is that cyber is so fundamental to the future that the idea that the only people that we are going to train are some sort of core specialists, if you will, isn't where we need to go. So as a Service, we have tried to put a fundamental layer of cyber education, training, and awareness across the entire force. As we do that we do that, we quite frankly also use that as a vehicle to try to find, so who is out there who would be interested in this, who has some skill that might be interested in changing rating, if you will, or specialty? And we have structures in place designed to allow us to do that. We have been able to do that with a pretty high degree of success so far about reorienting, if you will, the workforce internally to align people that their skill sets against perhaps a different specialty than they started their journey. General Mills. We identify those individuals at the entry level who had that skill set or who are interested in a skill set or at least had the academic qualifications to be able to train in those areas. Being relatively a small Service and joined from basically three communities, which are achieving narrows that pool down, I think it becomes easier for us to identify candidates that would do well with the cyber specialty. We also give marines the opportunity to move from MOS [Military Occupation Specialty] to MOS at certain times during their career, during their reenlistments for instance. And as we draw down in certain areas, we expand within cyber; our young marines again will pick up on that and will have the opportunity if they are qualified, they are talented, if they are interested, to be able to move over into cyber. We see the cyber warriors, if you will, moving into cyber and then moving back to their own specialty in communications or intelligence during their career, and that will grow a pool of qualified individuals that we could assign if there were in fact a requirement for a surge at some particular time. Mr. Langevin. Thanks. Very good. General Vautrinot. Congressman, on the Active Duty side, our Air Force personnel center affords extraordinary insight into the capabilities, the scores, the testing that are done in the sessions. Particularly for our enlisted force, most of the career fields in cyber are not accession career fields. We actually cross-load them based on both their excellence and those scores on the test and then bring them in and do the training at a higher level. And so we have no shortage of folks that want to move across in that crossflow, and it is usually the program shortfalls that don't allow us to bring them fast enough, and they are working on those across the board. On the Guard and Reserve side, there is less visibility, but I know that our counterparts are trying to work that visibility, get the kinds of information that Admiral Rogers mentioned in terms of what kinds of skill sets did they use in their private employment? What kinds of skill sets did they have as they were coming through their educational opportunities that may differ from their current responsibilities and their current functional designation and allow us to leverage them and train them in this area, whether it is applied to their current functions or whether it is applied directly to the cyber environment? Mr. Langevin. Very good. I thank you all for your answers on those, and I am glad you are giving it thought. And obviously, we are challenged nationally in terms of the number of people that we have that can go into this field, and the STEM fields, we have to do a better job at encouraging kids to go into science, technology, engineering and mathematics. General, you talked about Cyber Patriot, and we have created in Rhode Island--and it is a national program; there are a few different states that are doing it. It is called the Cyber Challenge program. You take kids that are in high school, and it is about a 6-week program, and you put them through the paces. And you take kids that think maybe the computer is something they do and it is a hobby, but you get them thinking about a career path in that field and that is what Cyber Patriot and Cyber Challenge are all about. I thank the chairman. I yield back. Mr. Thornberry. So, in that discussion, I think I have this right, reminds me of Estonia, where after the denial of service attack that they have suffered, they have people lined up in banks, in retail all scattered all over the country to help defend the country in cyberspace if they need to. Maybe that is the sort of surge capability we need to think about eventually. Ms. Davis, do you have other questions? Mrs. Davis. No. Mr. Thornberry. I think that is it. Thank you all very much. We appreciate hearing about your successes, but we also, as we move forward, want to hear about the challenges you encounter. That, as I said a while ago, I think that open communication across the river is going to be especially important in this area. So, again, thanks for being here. With that, the hearing stands adjourned. [Whereupon, at 5:17 p.m., the subcommittee was adjourned.] ======================================================================= A P P E N D I X July 25, 2012 ======================================================================= ======================================================================= PREPARED STATEMENTS SUBMITTED FOR THE RECORD July 25, 2012 ======================================================================= Statement of Hon. Mac Thornberry Chairman, House Subcommittee on Emerging Threats and Capabilities Hearing on Digital Warriors: Improving Military Capabilities for Cyber Operations July 25, 2012 We welcome our witnesses, guests, and members to this hearing in the Emerging Threats and Capabilities Subcommittee on ``Digital Warriors: Improving Military Capabilities in the Cyber Domain.'' There is widespread agreement that cyberspace is now a domain of warfare, and many people regard it as the most difficult, perplexing national security challenge we face. Certainly the laws, policies, and organizations have not kept pace with the evolution of technology. But if cyberspace is important to our country's security and if it is a domain of warfare, our military services, on whom we rely to protect and defend us, must be prepared to operate in cyberspace as well. That preparation involves a number of issues, including organizational structure, recruitment and retention of qualified personnel, training, rapid acquisition, among others; and it is those issues which we want to examine in today's hearing. Statement of Hon. James R. Langevin Ranking Member, House Subcommittee on Emerging Threats and Capabilities Hearing on Digital Warriors: Improving Military Capabilities for Cyber Operations July 25, 2012 Thank you, Mr. Chairman and thank you very much to our witnesses today. It's a pleasure to see you all again and to have you join us for what I believe is a critically important hearing. There is no more critical task in today's environment than safeguarding the Department of Defense's networks. The cyber domain has become an integral part of every action DOD undertakes, whether offensive or defensive. And as operating environments grow ever more complex, we need joint forces that are manned, trained, and equipped to conduct the full spectrum of operations in support of, and in some cases, supported by, what we think of as traditional military forces. The Congress, and the country has a whole, has been struggling with what cybersecurity means to us as a nation. We're grappling with how to protect our systems and our privacy at the same time. I'm proud to be part of that robust discussion. I've helped draft some legislation and co-sponsored others, and now it looks as if something may be moving over in the Senate. Let's hope so. I hope today we'll hear your thoughts on what sorts of additional authorities you may need and how the proposed legislation may or may not affect those needs, as well as your thoughts on the delegation of authorities within the executive branch. But most importantly, I hope we hear about how you are finding and retaining the sort of people you need today and for the future. This is, I believe, the fundamental challenge that faces us. It is often said that the root strength of our military is the quality of our people and nowhere is that more true that in your organizations. As you think about growing your forces, what thought have you given to where the people are going to come from? How will you keep them, promote them, educate them and continue to challenge them, even when outside organizations are keen to lure people with these skill sets away to the private sector? Lastly, I need to take a minute to talk about a topic that would be irresponsible to avoid. We all know that we are facing significant fiscal challenges in the coming years, even without the threat of sequestration looming. Cyber-related activities are faring reasonably well so far, but nothing is immune, and even non-cyber-specific cuts could have an impact on your commands as personnel resources are reduced or research and development funding decreased. Those are just two examples. As you look ahead, how do you factor in the possibility of even more austere fiscal environments? This is a tough question, but one we must face in order to responsibly address the complex challenges of the future. Thank you, Mr. Chairman, for holding this hearing, and I look forward to a robust discussion. [GRAPHIC] [TIFF OMITTED] T5668.001 [GRAPHIC] [TIFF OMITTED] T5668.002 [GRAPHIC] [TIFF OMITTED] T5668.003 [GRAPHIC] [TIFF OMITTED] T5668.004 [GRAPHIC] [TIFF OMITTED] T5668.005 [GRAPHIC] [TIFF OMITTED] T5668.006 [GRAPHIC] [TIFF OMITTED] T5668.007 [GRAPHIC] [TIFF OMITTED] T5668.008 [GRAPHIC] [TIFF OMITTED] T5668.009 [GRAPHIC] [TIFF OMITTED] T5668.010 [GRAPHIC] [TIFF OMITTED] T5668.011 [GRAPHIC] [TIFF OMITTED] T5668.012 [GRAPHIC] [TIFF OMITTED] T5668.013 [GRAPHIC] [TIFF OMITTED] T5668.014 [GRAPHIC] [TIFF OMITTED] T5668.015 [GRAPHIC] [TIFF OMITTED] T5668.016 [GRAPHIC] [TIFF OMITTED] T5668.017 [GRAPHIC] [TIFF OMITTED] T5668.018 [GRAPHIC] [TIFF OMITTED] T5668.019 [GRAPHIC] [TIFF OMITTED] T5668.020 [GRAPHIC] [TIFF OMITTED] T5668.021 [GRAPHIC] [TIFF OMITTED] T5668.022 [GRAPHIC] [TIFF OMITTED] T5668.023 [GRAPHIC] [TIFF OMITTED] T5668.024 [GRAPHIC] [TIFF OMITTED] T5668.025 [GRAPHIC] [TIFF OMITTED] T5668.026 [GRAPHIC] [TIFF OMITTED] T5668.027 [GRAPHIC] [TIFF OMITTED] T5668.028 [GRAPHIC] [TIFF OMITTED] T5668.029 [GRAPHIC] [TIFF OMITTED] T5668.030 [GRAPHIC] [TIFF OMITTED] T5668.031 [GRAPHIC] [TIFF OMITTED] T5668.032 [GRAPHIC] [TIFF OMITTED] T5668.033 [GRAPHIC] [TIFF OMITTED] T5668.034 [GRAPHIC] [TIFF OMITTED] T5668.035 [GRAPHIC] [TIFF OMITTED] T5668.036 [GRAPHIC] [TIFF OMITTED] T5668.037 [GRAPHIC] [TIFF OMITTED] T5668.038 [GRAPHIC] [TIFF OMITTED] T5668.039 [GRAPHIC] [TIFF OMITTED] T5668.040 [GRAPHIC] [TIFF OMITTED] T5668.041 [GRAPHIC] [TIFF OMITTED] T5668.042 [GRAPHIC] [TIFF OMITTED] T5668.043 [GRAPHIC] [TIFF OMITTED] T5668.044 [GRAPHIC] [TIFF OMITTED] T5668.045 [GRAPHIC] [TIFF OMITTED] T5668.046 ? ======================================================================= QUESTIONS SUBMITTED BY MEMBERS POST HEARING July 25, 2012 ======================================================================= QUESTIONS SUBMITTED BY MR. THORNBERRY Mr. Thornberry. One of the main tools you have for defending your networks is something called the Host-Based Security System (HBSS). a. How has your experience been in implementing this system and what improvements might you recommend for similar programs in the future? b. Have you implemented the necessary tactics, techniques and procedures to maximize the use of this tool? c. What capabilities would you like to see integrated into future generations of HBSS? General Hernandez. Our experience has shown the technology provides significant host protection from threats, internal and external and will only improve as our operational use matures. Programs of this magnitude require a clear implementation, training, and sustainment strategy to provide resources, people and money and we have worked to close gaps in initial fielding tactics, techniques, and procedures, sustainment training and manning requirements to establish a baseline that will enable us to fully leverage the capabilities of the tool. While we continue to assess our capability gaps, the ability of HBSS to deliver Cyber SA with minimum latency and the capability to develop custom modules to address unique requirements improves our defensive stance. The inclusion of HBSS event data into existing IA/CND processes will further enhance our capability to defend All Army networks. Mr. Thornberry. How are your Services leveraging in-house graduate educational facilities, like the Air Force Institute of Technology (AFIT) or the Naval Postgraduate School (NPS), as well as DOD accredited programs, such as the National Centers of Academic Excellence in Cyber Operations, in order to improve workforce training and education? General Hernandez. ARCYBER continues to take a holistic approach by leveraging the constellation construct for both training and development to improve workforce training and education. The construct consists of U.S. Government, Academia and Industry elements, each are discussed below in both current and future actions, and will complement each other to provide a more capable workforce. Currently ARCYBER is leveraging U.S. Government developmental activities and capabilities to take advantage of efficiencies and future requirements. These activities include: The DOD Joint Information Operations (IO) Range, Government Laboratories (such as: Sandia, Army Research Laboratories, Johns Hopkins applied Physics Laboratory, Adelphi, and Aberdeen Proving Ground Cyber Test Laboratory), and continuous coordination with United States Cyber Command, U.S. Strategic Command (USSTRATCOM), and Office of the Secretary of Defense (OSD) Cyber initiatives. Future activities will include increased partnerships with DHS, FBI, DARPA, DOD, and the Intelligence community. Examples of early successes include five USMA faculty and cadets summer internships with ARCYBER through the Advanced Individual Academic Development (AIAD) program. Shortly, ARCYBER will benefit from more than 14 interns from the Army Civilian Training, Education Development System (ACTEDS). Moreover, ARCYBER will be an active contributor to the Service and USG cyber lessons learned programs. Current Academic developmental activities include: Cooperation with the Air Force Institute of Technology (AFIT) and its Masters Program, and the ARCYBER scholarship program. This program is a two-year, degree-producing program open to regular Army (RA) captains and majors in the maneuver, fires & effects, operations support, and force sustainment branches. Three officers per year pursue a master's degree in cyber security at the University of Maryland (with additional universities to be added). Though we are still assessing how best to integrate and execute the NSA/DHS National Centers of Academic Excellence training, it is a key component of our future training and developing way ahead. We have two students attending the Naval Post Graduate School and ARCYBER will receive three second-year masters candidates in the NSA Information Assurance Scholarship Program (IASP) in the spring of 2013. ARCYBER is continuing to address organizing cyber within the Army e-Learning and Continuing Education Program. For example, ARCYBER supports Civilian Career Program 34's, Information Technology Management, and Cyber Academy Training Framework through partnerships with University of Maryland University College (national policy and law), University of Maryland Baltimore County (secure S/W engineering), George Mason University (ethical hacking/analysis) and Carnegie Mellon University (operational security). Future activities will include Senior Service college ``Cyber fellows,'' RAND Cyber Fellowships, and efforts to identify and recruit cyber talent from ROTC programs and the USMA. Industry is the third leg in training and development. It is critical in providing additional current and future capabilities/ requirements as well as leveraging emerging trends and capabilities and will assist in ensuring our DOD programs and in-house educational activities are developed accordingly. Current developmental activities with industry include: Coordination with Defense contractor Laboratories, Training with Industry (e.g. MIT/Lincoln Labs, Lockheed Martin, and Cisco), and participation in trade conferences (e.g. the Armed Forces Communications and Electronics Association [AFCEA] and the Association of the U. S. Army [AUSA]). Future activities will include: Establishing additional industry research partners; Science and Technology (S&T) outreach; Leveraging partner expertise to manage problems; and increased recruiting and cyber training with industry. Conclusion: A key attribute of the ARCYBER vision is to develop a trained, professional team to complete our roles as the Army Service Component to U.S. Cyber Command; To train, organize, and equip forces; To provide Cyber Education, Training, and Leader Development; and Execute Cyber Proponent functions. The three part constellation approach is our way of getting at the issues of developing a workforce in a dynamic environment. Our approach continues to evolve. Mr. Thornberry. One of the main tools you have for defending your networks is something called the Host-Based Security System (HBSS). a. How has your experience been in implementing this system and what improvements might you recommend for similar programs in the future? b. Have you implemented the necessary tactics, techniques and procedures to maximize the use of this tool? c. What capabilities would you like to see integrated into future generations of HBSS? Admiral Rogers. HBSS is a complex suite of cyber security tools that is a critical element of the Navy's cyber defense posture. Implementing this system throughout the Navy's afloat and shore-based environments has presented unique challenges. Our primary challenge has been its implementation in the afloat environment. Navy modernization and fielding processes were not developed with today's constantly evolving Cyber threats and vulnerabilities in mind; thus, it can take up to three years to place a new capability onboard an afloat platform. In contrast, updates to HBSS are released by the Defense Information Systems Agency (DISA) every six months. As a result, the Navy continues to lag in installs and updates mandated by United States Cyber Command (USCC). While the Navy has strived to address the problem for our most vulnerable systems and deployed HBSS to Secure Internet Protocol Network (SIPRNET) on all Navy and Military Sealift Command (MSC) platforms in 2011, the complexity of installs, current processes, and funding constraints have delayed installs of HBSS on Sensitive but Unclassified (SBU) IP Data (also known as NIPRNET), which will not be completed before FY14. In our shore-based environment, the Navy has encountered challenges with scalability of HBSS. Our Navy and Marine Corps Intranet (NMCI) networks are larger than most networks encountered in the private sector, and we have had difficulty configuring HBSS to accommodate larger network environments. While the vendor has responded to technical problems, these issues have challenged the Navy's ability to be fully compliant with USCC orders for installation of HBSS. For any future similar programs, scalability should be a key factor when designing solutions. The Navy is leveraging HBSS Tactics, Techniques and Procedures (TTPs) developed by USCC and continuing Service-specific efforts to develop additional TTPs. Additionally, we are leveraging best practices within the Service, such as those developed by Naval Air Systems Command (NAVAIR), to better manage HBSS and ensure it meets our operational needs. The Navy also continues to develop Standard Operating Procedures (SOPs) and other documentation and training that aid in operationalizing HBSS to provide actionable and timely information to Cyber decisionmakers and operational commanders. Future capabilities we would like integrated in future HBSS generations should account for legacy hardware/software network environments. Capabilities should also address low-bandwidth operations and upgrade installment flexibility to account for the unique requirements of the U.S. Navy. We continue to work closely with our partners at USCC and DISA to further refine operational concepts, and ensure follow on versions and acquisition efforts take advantage of lessons learned. We remain especially focused on ensuring acquisition efforts and system release schedules are tied closely to operational requirements and are sensitive to operational environments. Mr. Thornberry. How are your Services leveraging in-house graduate educational facilities, like the Air Force Institute of Technology (AFIT) or the Naval Postgraduate School (NPS), as well as DOD accredited programs, such as the National Centers of Academic Excellence in Cyber Operations, in order to improve workforce training and education? Admiral Rogers. Navy is leveraging in-house graduate educational facilities and DOD accredited programs through close coordination with these institutions and a focus on a smart post-education placement process to ensure our most recently educated Sailors and civilians are detailed to positions which will benefit the Navy most. We recognize that affording our personnel graduate educational opportunities is critical to maintaining our expertise as we drive advancements in Navy cyberspace operations. With the quickly evolving nature of cyber, it is absolutely critical that the educational partners and programs we leverage keep pace with the changing cyber landscape. To that end, the U.S. Navy leverages education and training from six major programs: Air Force Institute of Technology (AFIT) and Naval Postgraduate School (NPS) In 2002, AFIT and the Naval Postgraduate School formed an educational alliance to eliminate duplicate degree programs in the fields of Oceanography and Aeronautical Engineering, and consolidate educational resources. Navy continues its close coordination with AFIT to refine course requirements, explore potential resource consolidations, and improve quality. NPS NPS offers an 18-month Master of Science degree in Cyber Systems and Operations that addresses a broad range of cyberspace operations such as computer network attack, defense, and exploitation; cyber analysis, operations, planning and engineering; and cyber intelligence operations and analysis. Navy will graduate 14 officers from this program in FY12 and is programmed to send 14 officers in FY13 per the approved Officer Graduate Education Quota Plan. NPS's Graduate School of Operational and Information Sciences offers an Information Systems and Operations (ISO) Certificate Program. This warfighter-oriented degree program focuses on integrating information technologies, command and control processes, and Information Operations (IO) methods and elements into innovative operational concepts for IO in the context of Network Centric Warfare. Since the program's inception in 2002, 318 officer, enlisted and civilian personnel have completed this certificate program. The Information Systems and Technology (IST) certificate program provides an educational opportunity that is essential to helping the U.S. military reach information superiority in the operational environment. It offers advanced education in areas essential to enabling global networked communications, including: databases, systems analysis and design, decision support systems, and network security. Since the program's inception in 2003, approximately 96 officer and enlisted personnel have completed this certificate program. Both programs are taught via asynchronous Web-based media (i.e., the Internet). The asynchronous nature of these certificates has allowed us to deliver these certificates to deployed forces at sea and ashore. Additionally, NPS will offer a 12-month Enlisted Cyber Master's Degree in September 2012 that provides selected Navy Sailors a Master of Science in Cyber Systems and Operations; Security and Technology. Selectees are assigned to a Navy-funded education program as full-time students under permanent change of station orders to Monterey, CA. Navy is sending five sailors through this program this year. Finally, NPS just completed the approval process for a resident Master of Science, Network Operations and Technology degree that begins this fall and has eight officers scheduled to attend in 2013. Masters of Information Technology Strategy (MITS) In 2010, the Chief of Naval Operations directed the creation of the Masters of Information Technology Strategy (MITS) pilot program in partnership with Carnegie Mellon University (CMU). This program affords civilian and military IDC personnel the opportunity to attend CMU for a 16-month Master's degree program in cyber-related disciplines. The degree conferred is a Master's Degree in Information Technology and Strategy (MITS) and is a cooperative endeavor between of the College of Engineering (CIT), School of Computer Science (SCS), and College of Humanities and Social Sciences (H&SS). The initial cohort of two military and three civilians students commenced August 2011, and the second group of four commenced in August 2012. National Defense University (NDU) NDU's Government Information Leadership (GIL) Master of Science is a 39-credit hour curriculum of the GIL Master of Science Degree Program and offers a combination of information management, technology, and leadership intensive courses. Navy currently has 36 Master's degree enrollments and 497 certificate enrollments. NDU's ``iCollege'' Chief Information Officer (CIO) Program is the recognized leader in graduate education for Federal CIO leaders and agency personnel. It directly aligns with the Federal CIO Council- defined CIO competencies and addresses the Clinger-Cohen Act and other relevant legislation mandates. It is sponsored by the DOD CIO. United States Naval Academy (USNA) Although an undergraduate program, USNA's Center for Cyber Security Studies is an important investment as it enhances workforce education and training at the Service academy level. Established in 2009, the Center provides support for the proposed curricular and professional reforms across the Naval Academy and encompasses support for all programs that contribute to the knowledge, study and research of cyber warfare. NSA/DHS National Centers of Academic Excellence National Security Agency (NSA) and the Department of Homeland Security (DHS) jointly sponsor the National Centers of Academic Excellence in Information Assurance (IA) Education (CAE/IAE), IA 2-year Education and Training (CAE/2Y) and IA Research (CAE/R) programs. The goal of these programs is to reduce vulnerability in our national information infrastructure by promoting higher education and research in IA and producing a growing number of professionals with IA expertise in various disciplines. Students attending CAE/IAE or CAE/R designated schools are eligible to apply for scholarships and grants through the Department of Defense Information Assurance Scholarship Program (IASP) and the Federal Cyber Service Scholarship for Service Program. NPS is a participant in this program. To date, 84 uniformed and civilian Navy personnel have participated in the DOD IASP from commands across the Navy. Mr. Thornberry. One of the main tools you have for defending your networks is something called the Host-Based Security System (HBSS). a. How has your experience been in implementing this system and what improvements might you recommend for similar programs in the future? b. Have you implemented the necessary tactics, techniques and procedures to maximize the use of this tool? c. What capabilities would you like to see integrated into future generations of HBSS? General Mills. a. The Marine Corps had little trouble implementing HBSS as directed by USCYBERCOM. Challenges to the installation of HBSS included anticipating and mitigating the potential impacts that various modules could have on specific applications within the Marine Corps Enterprise Network (MCEN). We recommend that future programs of this type are designed and implementation timelines determined with Service involvement at the earliest stages of development. b. The Marine Corps continuously strives to improve our Tactics, Techniques, and Procedures in an effort to maximize our defense in depth strategy and enhance our security posture. There is more work to be done in order to realize the benefits of HBSS--we need to train more marines on the various modules and their employment, baseline, and tuning. We need to educate commanders on the benefits of full implementation and utilization of HBSS. c. The Marine Corps recommends four areas of improvement for HBSS: (1) HBSS lacks the redundancy provided by other critical IT systems. The capability for production HBSS server suites to mirror each other does not exist. The strength of the HBSS architecture could be greatly improved if clients could seamlessly fail-over between geographically separate servers. (2) HBSS could be utilized to assist in the Information Assurance Vulnerability Management (IAVM) program by analyzing systems for critical vulnerabilities. Ideally, the DOD HBSS Program Manager could obtain or develop benchmarks within HBSS to detect vulnerabilities of interest published by the IAVM program. (3) The number of local events logged at the local machine should be pushed up to the enterprise level. Enterprise logging will allow Computer Network Defense Service Providers (CNDSPs) to more effectively respond to incidents and therefore better defend networks. (Examples are of Data Loss Prevention (DLP) which identifies USB usage on DOD Networks and Host Intrusion Prevention System (HIPS) which monitors traffic for anomalies. (4) We would like to see the continued integration of industry best practice solutions into the management console to provide a single optimized interface for operators. It is also important that the DOD fully employ HBSS and the associated existing modules. Once those efforts are complete, a true gap analysis can be conducted and specific areas within our network architecture that lack coverage can be identified, addressed, and mitigated. Mr. Thornberry. How are your Services leveraging in-house graduate educational facilities, like the Air Force Institute of Technology (AFIT) or the Naval Postgraduate School (NPS), as well as DOD accredited programs, such as the National Centers of Academic Excellence in Cyber Operations, in order to improve workforce training and education? General Mills. The Marine Corps actively participates in the Department of Defense Information Assurance Scholarship Program, which provides access for both enlisted and officer students to AFIT, NPS, the National Defense University, Capitol College, George Mason, and other National Centers of Academic Excellence in Cyber Operations for graduate degrees in cyberspace security, information assurance, and computer security fields. Through the National Intelligence University, marines with intelligence-related military occupational specialties are able to complete a Master of Science of Strategic Intelligence. Although this curriculum does not include cyber-specific courses as part of the core requirement, students are able to tailor their electives and focus thesis topics to include cyber operations. The Marine Corps is currently in discussions with Northern Virginia Community College to establish a program to provide college credit for marines receiving military training and experience within the cyberspace operations workforce. The Marine Corps University has initiated additional curricula in its educational programs that include topics in cyberspace operations, cyberspace planning, cyberspace law, and cyberspace implementation theories. Thus far, the Marine Corps University has had one class complete its program of instruction with this additional material. Initial feedback is that it was well received, and the Marine Corps University is evaluating comments to refine its curricula for future courses. The Marine Corps also leverages cyber and cyber-related courses through NSA's National Cryptologic Schools for personnel serving at the Marine Cryptologic Support Battalion and the operating forces' Radio Battalions which provide Signals Intelligence and cyber related support to the Marine Air Ground Task Force, USCYBERCOM through MARFORCYBER, and the National Security Agency. Additionally, the Marine Corps uses the U.S. Navy's Joint Cyber Analysis Course (JCAC) and the Joint Network Attack Course to train enlisted marines and officers in cyber and cyber-related skill sets for MOS development. Mr. Thornberry. One of the main tools you have for defending your networks is something called the Host-Based Security System (HBSS). a. How has your experience been in implementing this system and what improvements might you recommend for similar programs in the future? b. Have you implemented the necessary tactics, techniques and procedures to maximize the use of this tool? c. What capabilities would you like to see integrated into future generations of HBSS? General Vautrinot. a. The Air Force continues to address the challenges of integrating and sustaining HBSS within existing architecture as well as incorporating it within the numerous critical mission systems operating on the Air Force provisioned portion of the Global Information Grid. In addition to the challenges with fixed HBSS implementations, expeditionary environments present additional risks in HBSS employment, such as saturating downrange bandwidth and remaining compliant. HBSS is critical to our Net Defense posture and we will continue to review its fielding, operating, training and sustaining needs. b. The Air Force has taken significant action to maximize the HBSS capability's effectiveness in increasing the defensive posture of our network and IP-capable assets. We use the capability to generate enterprise-wide situational awareness information, which is critical for enabling and maintaining Command and Control across the network. Expeditionary systems are now deployed with current patches and policies to reduce or eliminate the initial unresponsive period when updates were installed. Additionally, we continue to establish key Net Defense policies, which are implemented across the Air Force and shared with our DOD partners, to defend against active, future and existing threats. c. The HBSS capability has numerous critical network defense capabilities that can identify existing vulnerabilities and report that information for action to our operators who then must take intensive, manual remediation and mitigation actions. The next step is integrating into HBSS the capability to identify vulnerabilities and executing automatic actions to remediate and mitigate the deficiency. This would increase our capacity to leverage capabilities in support of the Joint fight. Mr. Thornberry. How are your Services leveraging in-house graduate educational facilities, like the Air Force Institute of Technology (AFIT) or the Naval Postgraduate School (NPS), as well as DOD accredited programs, such as the National Centers of Academic Excellence in Cyber Operations, in order to improve workforce training and education? General Vautrinot. Air Force Space Command (AFSPC) and Air Education and Training Command (AETC) have established a full-range cyber training and education construct that begins in Basic Military Training and follows a challenging path that includes specialized cyber-focused graduate degrees. In addition to cyber-focused graduate programs (MS/PhD) in Computer Science, Computer Engineering and Electrical Engineering with research focused on such areas as encryption algorithms, botnet disruption, network intrusion detection, and wireless network security, AFIT offers two Master's programs in cyber operations and cyber warfare. The 18- month Cyber Operations Master's Program provides extensive hands-on laboratory experience with both offensive and defensive measures and countermeasures, and is open to officers, enlisted, and civilians. The 12-month Cyber Warfare Degree Program for Majors and civilian equivalents provides a developmental education opportunity that addresses technical as well as policy and doctrine aspects of cyber operations. The Information Assurance Certificate Program (IACP) is a subset of the Master of Science program. Students completing the required coursework are eligible for certificates under National Training Standards as an Information Security Professional, Senior System Manager, and Senior Risk Analyst. On June 19, 2008, the Secretary and Chief of Staff of the Air Force designated AFIT and the Center for Cyberspace Research (CCR) as the Air Force's Cyberspace Technical Center of Excellence (CyTCoE). The Center serves as a bridge between the operational AF cyber forces and various cyber research, education, and training communities across the Air Force, the DOD, and national organizations. The Center provides cyberspace professional continuing education for currency and professional development of the cyberspace workforce. The Air Force's Cyber 200 and 300 are Joint-accredited professional development courses designed to increase the depth and breadth of cyber operations understanding and to prepare individuals to apply cyber capabilities and concepts in Joint military operations. These courses are available to and attended by our Joint brethren in an effort to standardize training and proficiency across the DOD. The Air Force is also in the process of establishing disclosure guidance that will allow our international partners to send individuals to Cyber 200 and 300. The Air Force also utilizes graduate-level educational opportunities offered by our DOD and Agency partners such as the Information Assurance Scholarship Program (IASP) and the Computer Network Operations Development Program (CNODP). The IASP is open to all Air Force officers and is designed to retain a corps of highly skilled IA professionals to accommodate diverse warfighting and mission requirements. The CNODP is an intense, 3-year graduate-level internship at the National Security Agency that develops technical leaders who will lead the DOD and Services' employment of cyber capabilities. Graduates of this program receive focused follow-on assignments that capitalize on their breadth and depth of knowledge. ______ QUESTIONS SUBMITTED BY MR. LANGEVIN Mr. Langevin. How are your Services leveraging both in-house graduate educational facilities and DOD accredited programs, such as the NSA/DHS National Centers of Academic Excellence? General Hernandez. ARCYBER continues to take a holistic approach by leveraging the constellation construct for both training and development to improve workforce training and education. The construct consists of U.S. Government, Academia and Industry elements, each are discussed below in both current and future actions, and will complement each other to provide a more capable workforce. Currently ARCYBER is leveraging U.S. Government developmental activities and capabilities to take advantage of efficiencies and future requirements. These activities include: The DOD Joint Information Operations (IO) Range, Government Laboratories (such as: Sandia, Army Research Laboratories, Johns Hopkins applied Physics Laboratory, Adelphi, and Aberdeen Proving Ground Cyber Test Laboratory), and continuous coordination with United States Cyber Command, U.S. Strategic Command (USSTRATCOM), and Office of the Secretary of Defense (OSD) Cyber initiatives. Future activities will include increased partnerships with DHS, FBI, DARPA, DOD, and the Intelligence community. Examples of early successes include five USMA faculty and cadets summer internships with ARCYBER through the Advanced Individual Academic Development (AIAD) program. Shortly, ARCYBER will benefit from more than 14 interns from the Army Civilian Training, Education Development System (ACTEDS). Moreover, ARCYBER will be an active contributor to the Service and USG cyber lessons learned programs. Current Academic developmental activities include: Cooperation with the Air Force Institute of Technology (AFIT) and its Masters Program, and the ARCYBER scholarship program. This program is a two-year, degree-producing program open to regular Army (RA) captains and majors in the maneuver, fires & effects, operations support, and force sustainment branches. Three officers per year pursue a master's degree in cyber security at the University of Maryland (with additional universities to be added). Though we are still assessing how best to integrate and execute the NSA/DHS National Centers of Academic Excellence training, it is a key component of our future training and developing way ahead. We have two students attending the Naval Post Graduate School and ARCYBER will receive three second-year masters candidates in the NSA Information Assurance Scholarship Program (IASP) in the spring of 2013. ARCYBER is continuing to address organizing cyber within the Army e-Learning and Continuing Education Program. For example, ARCYBER supports Civilian Career Program 34's, Information Technology Management, and Cyber Academy Training Framework through partnerships with University of Maryland University College (national policy and law), University of Maryland Baltimore County (secure S/W engineering), George Mason University (ethical hacking/analysis) and Carnegie Mellon University (operational security). Future activities will include Senior Service college ``Cyber fellows,'' RAND Cyber Fellowships, and efforts to identify and recruit cyber talent from ROTC programs and the USMA. Industry is the third leg in training and development. It is critical in providing additional current and future capabilities/ requirements as well as leveraging emerging trends and capabilities and will assist in ensuring our DOD programs and in-house educational activities are developed accordingly. Current developmental activities with industry include: Coordination with Defense contractor Laboratories, Training with Industry (e.g. MIT/Lincoln Labs, Lockheed Martin, and Cisco), and participation in trade conferences (e.g. the Armed Forces Communications and Electronics Association [AFCEA] and the Association of the U. S. Army [AUSA]). Future activities will include: Establishing additional industry research partners; Science and Technology (S&T) outreach; Leveraging partner expertise to manage problems; and increased recruiting and cyber training with industry. Conclusion: A key attribute of the ARCYBER vision is to develop a trained, professional team to complete our roles as the Army Service Component to U.S. Cyber Command; To train, organize, and equip forces; To provide Cyber Education, Training, and Leader Development; and Execute Cyber Proponent functions. The three part constellation approach is our way of getting at the issues of developing a workforce in a dynamic environment. Our approach continues to evolve. Mr. Langevin. Could each of you explain the Command and Control Relationships between your respective Service Cyber Components and CYBERCOM, regional combatant commanders, and other command structures? General Hernandez. Army Cyber Command (ARCYBER) operates under the Operational Control (OPCON) of USCYBERCOM (USCC). As the Army's Service component to USCC, Army Cyber Command exercises the designated command and control authority and responsibility over trained and ready Army forces, in support of Unified Land Operations, to ensure U.S./Allied freedom of action in cyberspace. A significant example is the 780th Military Intelligence Brigade (780th MI BDE) (Cyber), which supports USCYBERCOM and combatant command cyberspace operations. ARCYBER has OPCON of the brigade, which conducts signals intelligence and computer network operations, and enables Dynamic Computer Network Defense of Army and Department of Defense networks. The Army's Network Operations Security Centers and the Regional Computer Emergency Response Teams are also under the OPCON of ARCYBER. Control of these units has increased unity of command for the operation and defense of our networks. Additionally, Reserve Component cyber and information operations organizations are now OPCON to ARCYBER. The Army has delegated OPCON of the Network Enterprise Technology Command (NETCOM) to ARCYBER and the Secretary of the Army has delegated OPCON of the 1st Information Operations Command. There is no command relationship between ARCYBER and the Regional Combatant Commands. To facilitate seamless integration, USCYBERCOM directed the establishment of Cyber Security Elements (CSEs) to support each of the Combatant Commands. The CSEs function under the OPCON of USCYBERCOM in direct support of the respective Combatant Commands. USCYBERCOM provides direct support to Regional Combatant Commanders through its Service components. ARCYBER leads the Joint effort for USCYBERCOM to provide cyber support to U.S. Central Command and U.S. Northern Command. Headquarters Department of the Army (HQDA) retains administrative control over ARCYBER and is responsible to man, train, and equip Army cyber forces. While ARCYBER provides support to both Joint and Army commands, it currently has no established command relationship with other Army Major Commands (MAJCOMs), Army Service Component Commands (ASCCs), or Army Direct Reporting Units (DRUs). Mr. Langevin. The value of red-teaming--threat emulation--was proven perhaps most clearly in the Vietnam War with the establishment of Top Gun. The Director for Operational Test and Evaluation (DOT&E) has identified a shortfall in threat emulation and red teaming capabilities across the FYDP. What is each of the Services doing to address these shortfalls? Is the DOD investing adequately in the test capabilities and range environments that will be needed to remain current with advancing technologies? General Hernandez. Army Cyber Command established the World Class Cyber Opposing Force (WCCO) to provide live, interactive, expert, and realistic adversarial emulation in support of Army Training and Leader Development activities at the National Training Center and in support of COCOM exercises. The WCCO builds upon and compliments existing red team capability in 1st Information Operations Command and 780th Military Intelligence Brigade, extending its mission beyond traditional Information Assurance focused activities to include broader training and leader development. The WCCO supports the Army's Opposing Force program, providing a wide range of adversary ``Information Warfare'' activities during training events, to include Computer Network Attack and Exploitation, Deception, and Propaganda. Recognizing overall Army shortfalls in cyber capacity, we are increasing our investment in all Defensive Cyber Operations (DCO) forces which, in addition to adversary emulation, includes advanced capabilities for adversary hunting and cyber vulnerability assessments. While they support Army units from a blue perspective, they provide many of the same benefits as traditional red teams. Beginning in FY14, the planned growth in DCO capability will significantly improve our ability to both protect Army systems and information and better incorporate red team activity into training activities. DOD leverages numerous cyber range capability for the purpose of training and leader development, capability test and evaluation, and modeling and simulation. Mr. Langevin. How are your Services leveraging both in-house graduate educational facilities and DOD accredited programs, such as the NSA/DHS National Centers of Academic Excellence? Admiral Rogers. Navy is leveraging in-house graduate educational facilities and DOD accredited programs through close coordination with these institutions and a focus on a smart post-education placement process to ensure our most recently educated Sailors and civilians are detailed to positions which will benefit the Navy most. We recognize that affording our personnel graduate educational opportunities is critical to maintaining our expertise as we drive advancements in Navy cyberspace operations. With the quickly evolving nature of cyber, it is absolutely critical that the educational partners and programs we leverage keep pace with the changing cyber landscape. To that end, the U.S. Navy leverages education and training from six major programs: Air Force Institute of Technology (AFIT) and Naval Postgraduate School (NPS) In 2002, AFIT and the Naval Postgraduate School formed an educational alliance to eliminate duplicate degree programs in the fields of Oceanography and Aeronautical Engineering, and consolidate educational resources. Navy continues its close coordination with AFIT to refine course requirements, explore potential resource consolidations, and improve quality. NPS NPS offers an 18-month Master of Science degree in Cyber Systems and Operations that addresses a broad range of cyberspace operations such as computer network attack, defense, and exploitation; cyber analysis, operations, planning and engineering; and cyber intelligence operations and analysis. Navy will graduate 14 officers from this program in FY12 and is programmed to send 14 officers in FY13 per the approved Officer Graduate Education Quota Plan. NPS's Graduate School of Operational and Information Sciences offers an Information Systems and Operations (ISO) Certificate Program. This warfighter-oriented degree program focuses on integrating information technologies, command and control processes, and Information Operations (IO) methods and elements into innovative operational concepts for IO in the context of Network Centric Warfare. Since the program's inception in 2002, 318 officer, enlisted and civilian personnel have completed this certificate program. The Information Systems and Technology (IST) certificate program provides an educational opportunity that is essential to helping the U.S. military reach information superiority in the operational environment. It offers advanced education in areas essential to enabling global networked communications, including: databases, systems analysis and design, decision support systems, and network security. Since the program's inception in 2003, approximately 96 officer and enlisted personnel have completed this certificate program. Both programs are taught via asynchronous Web-based media (i.e., the Internet). The asynchronous nature of these certificates has allowed us to deliver these certificates to deployed forces at sea and ashore. Additionally, NPS will offer a 12-month Enlisted Cyber Master's Degree in September 2012 that provides selected Navy Sailors a Master of Science in Cyber Systems and Operations; Security and Technology. Selectees are assigned to a Navy-funded education program as full-time students under permanent change of station orders to Monterey, CA. Navy is sending five sailors through this program this year. Finally, NPS just completed the approval process for a resident Master of Science, Network Operations and Technology degree that begins this fall and has eight officers scheduled to attend in 2013. Masters of Information Technology Strategy (MITS) In 2010, the Chief of Naval Operations directed the creation of the Masters of Information Technology Strategy (MITS) pilot program in partnership with Carnegie Mellon University (CMU). This program affords civilian and military IDC personnel the opportunity to attend CMU for a 16-month Master's degree program in cyber-related disciplines. The degree conferred is a Master's Degree in Information Technology and Strategy (MITS) and is a cooperative endeavor between of the College of Engineering (CIT), School of Computer Science (SCS), and College of Humanities and Social Sciences (H&SS). The initial cohort of two military and three civilians students commenced August 2011, and the second group of four commenced in August 2012. National Defense University (NDU) NDU's Government Information Leadership (GIL) Master of Science is a 39-credit hour curriculum of the GIL Master of Science Degree Program and offers a combination of information management, technology, and leadership intensive courses. Navy currently has 36 Master's degree enrollments and 497 certificate enrollments. NDU's ``iCollege'' Chief Information Officer (CIO) Program is the recognized leader in graduate education for Federal CIO leaders and agency personnel. It directly aligns with the Federal CIO Council- defined CIO competencies and addresses the Clinger-Cohen Act and other relevant legislation mandates. It is sponsored by the DOD CIO. United States Naval Academy (USNA) Although an undergraduate program, USNA's Center for Cyber Security Studies is an important investment as it enhances workforce education and training at the Service academy level. Established in 2009, the Center provides support for the proposed curricular and professional reforms across the Naval Academy and encompasses support for all programs that contribute to the knowledge, study and research of cyber warfare. NSA/DHS National Centers of Academic Excellence National Security Agency (NSA) and the Department of Homeland Security (DHS) jointly sponsor the National Centers of Academic Excellence in Information Assurance (IA) Education (CAE/IAE), IA 2-year Education and Training (CAE/2Y) and IA Research (CAE/R) programs. The goal of these programs is to reduce vulnerability in our national information infrastructure by promoting higher education and research in IA and producing a growing number of professionals with IA expertise in various disciplines. Students attending CAE/IAE or CAE/R designated schools are eligible to apply for scholarships and grants through the Department of Defense Information Assurance Scholarship Program (IASP) and the Federal Cyber Service Scholarship for Service Program. NPS is a participant in this program. To date, 84 uniformed and civilian Navy personnel have participated in the DOD IASP from commands across the Navy. Mr. Langevin. Admiral Rogers, your predecessor Admiral McCullough previously testified that much of the power and water systems for naval bases are served by single sources and have very limited backup capabilities. Can you provide an update on how the Navy is addressing threats to both its critical infrastructure and its secure and unsecure networks? Are you sharing information with critical infrastructure operators, and if so, through what channels does this information flow? Admiral Rogers. In an effort to correct vulnerabilities/ deficiencies identified during recent critical infrastructure assessments the Navy is coordinating efforts with OSD to prioritize and fund the most urgent issues with FY13 Defense Critical Infrastructure Program (DCIP) resources. U.S. Navy Defense Critical Assets (DCA) and Task Critical Assets (TCA) have been identified. The Naval Criminal Investigative Service (NCIS) provides all DCAs, validated through the Joint Staff, comprehensive counterintelligence support plans to identify foreign entity threats. TCAs, recently validated by the U.S. Navy, will receive similar coverage as required in DOD Instruction 5240.19. Identified threat information to the critical assets is provided to the asset operators through the most expeditious methods, however, generally through the identified NCIS representative assigned to the facility. Mr. Langevin. Could each of you explain the Command and Control Relationships between your respective Service Cyber Components and CYBERCOM, regional combatant commanders, and other command structures? Admiral Rogers. The below figure (on page 99) from the Joint Staff Transitional Cyberspace Operations Command and Control (C2) Concept of Operations signed on 1 May 2012, depicts the C2 structure. The C2 relationships follow command relationships as defined in Joint Doctrine unless otherwise specified in supplemental orders or directives. The framework establishes a standardized baseline for cyberspace operations C2 by documenting Joint Cyber Center (JCC) and Cyber Support Element (CSE) command relationships, missions, functions, and tasks. In addition, USCYBERCOM Operational Directive 12-001 specifies that Service Components have Direct Liaison Authorized (DIRLAUTH) with other Service Components, COCOMs, DOD Organizations, the Interagency, and foreign and commercial partners, to plan and execute assigned cyber operations. [GRAPHIC] [TIFF OMITTED] T5668.047 U.S. Fleet Cyber Command/U.S. TENTH Fleet is the Navy's Component Command to United States Cyber Command, and an Echelon Two Navy Command, subordinate to the Chief of Naval Operations. Fleet Cyber Command has unique responsibilities as the central operational authority for networks, cryptology, signals intelligence, information operations, cyber, electronic warfare and space in support of forces afloat and ashore. As such, we organize and direct Navy cryptologic operations worldwide and integrate information operation and space planning and operations as directed. Mr. Langevin. The value of red-teaming--threat emulation--was proven perhaps most clearly in the Vietnam War with the establishment of Top Gun. The Director for Operational Test and Evaluation (DOT&E) has identified a shortfall in threat emulation and red teaming capabilities across the FYDP. What is each of the Services doing to address these shortfalls? Is the DOD investing adequately in the test capabilities and range environments that will be needed to remain current with advancing technologies? Admiral Rogers. Fleet Cyber Command also values the impact of red teaming. We believe that the issue is not one of capacity, but rather how we better use the capacity that already exists within the cyber domain. To make more efficient use of red teams, we have concentrated improving coordination across all DOD red teams to increase support to our cyber forces and help standardize red team activity. The ongoing development and maturation of the USCYBERCOM and USFLTCYBERCOM staffs has allowed broader and timely coordination during the planning and execution phases of red team activity. As cyber actions are becoming more common events in major exercises, early planning and incorporation of cyber effects and training objectives have allowed improved synchronization across Navy and all DOD red teams. This early planning allows the capabilities of Service and DOD teams to be synchronized to best stimulate local, theater and global responses and allows the command and control structure of Defensive Cyber Operations to be exercised under real world conditions. The inventory and capabilities of Navy and joint test ranges is sufficient to meet current demand. However, range environments and test capabilities must be continually evaluated as technologies advance and as cyber policies and doctrine allow increased application in the joint planning and execution. Mr. Langevin. How are your Services leveraging both in-house graduate educational facilities and DOD accredited programs, such as the NSA/DHS National Centers of Academic Excellence? General Mills. The Marine Corps actively participates in the Department of Defense Information Assurance Scholarship Program, which provides access for both enlisted and officer students to AFIT, NPS, the National Defense University, Capitol College, George Mason, and other National Centers of Academic Excellence in Cyber Operations for graduate degrees in cyberspace security, information assurance, and computer security fields. Through the National Intelligence University, marines with intelligence-related military occupational specialties are able to complete a Master of Science of Strategic Intelligence. Although this curriculum does not include cyber-specific courses as part of the core requirement, students are able to tailor their electives and focus thesis topics to include cyber operations. The Marine Corps is currently in discussions with Northern Virginia Community College to establish a program to provide college credit for marines receiving military training and experience within the cyberspace operations workforce. The Marine Corps University has initiated additional curricula in its educational programs that include topics in cyberspace operations, cyberspace planning, cyberspace law, and cyberspace implementation theories. Thus far, the Marine Corps University has had one class complete its program of instruction with this additional material. Initial feedback is that it was well received, and the Marine Corps University is evaluating comments to refine its curricula for future courses. The Marine Corps also leverages cyber and cyber-related courses through NSA's National Cryptologic Schools for personnel serving at the Marine Cryptologic Support Battalion and the operating forces' Radio Battalions which provide Signals Intelligence and cyber related support to the Marine Air Ground Task Force, USCYBERCOM through MARFORCYBER, and the National Security Agency. Additionally, the Marine Corps uses the U.S. Navy's Joint Cyber Analysis Course (JCAC) and the Joint Network Attack Course to train enlisted marines and officers in cyber and cyber-related skill sets for MOS development. Mr. Langevin. Could each of you explain the Command and Control Relationships between your respective Service Cyber Components and CYBERCOM, regional combatant commanders, and other command structures? General Mills. The Service Cyber Component to USCYBERCOM is MARFORCYBER. MARFORCYBER is assigned to USSTRATCOM and USSTRATCOM has delegated OPCON of MARFORCYBER to USCYBERCOM. There is no direct command relationship between MARFORCYBER and the geographic combatant commanders. That being said, USCYBERCOM tasked MARFORCYBER to, in conjunction with USCYBERCOM, lead the joint effort to conduct cyber support of U.S. Special Operations Command (USSOCOM). MARFORCYBER was also tasked to provide a recommendation to USCYBERCOM on the requirements and support structure for a joint Cyber Support Element (CSE) at USSOCOM. In anticipation of approval of the CSE recommendation provided to USCYBERCOM for USSOCOM, MARFORCYBER staffed a colonel at USSOCOM as the USCYBERCOM Liaison Officer and Officer-in-Charge of the CSE. Additionally, a major, a captain, and two staff sergeants have orders to USSOCOM to form the nucleus of the CSE for USSOCOM. Mr. Langevin. The value of red-teaming--threat emulation--was proven perhaps most clearly in the Vietnam War with the establishment of Top Gun. The Director for Operational Test and Evaluation (DOT&E) has identified a shortfall in threat emulation and red teaming capabilities across the FYDP. What is each of the Services doing to address these shortfalls? Is the DOD investing adequately in the test capabilities and range environments that will be needed to remain current with advancing technologies? General Mills. The Marine Corps Network Operations and Security Center (MCNOSC) is task organized with organic red team and intelligence sections. The Marine Corps Information Assurance Red Team (Red Team) is tasked with finding new exploits and with emulating threat vectors/adversary tactics, techniques, and procedures (TTPs). This includes penetration testing, phishing, remote exploitation of network devices, exploitation of website vulnerabilities, wireless exploitation, close access, and insider threats. The Red Team operations in cyberspace are based on two distinct operational requirements: (1) internal and external exercise support and (2) MCNOSC directed operations. The Marine Corps will continue evaluating its red team requirements as added emphasis is placed on red team utilization within the Department. On behalf of the Department, the Marine Corps manages the DOD Information Assurance Range--which is located in Quantico, Virginia. The DOD Information Assurance Range was initiated and funded by the Comprehensive National Cyber Initiative in 2009. This range emulates DOD networks--to include computer network defense (CND) capabilities, support to cyber exercises, and testing and evaluation of CND products and TTPs. It can operate in a standalone mode or can be integrated with other ranges (such as the Joint IO Range). The Marine Corps is participating in a Department-wide effort to evaluate an appropriate construct for cyber range governance to more effectively integrate, resource, and utilize these capabilities in the future. Mr. Langevin. How are your Services leveraging both in-house graduate educational facilities and DOD accredited programs, such as the NSA/DHS National Centers of Academic Excellence? General Vautrinot. Air Force Space Command (AFSPC) and Air Education and Training Command (AETC) have established a full-range cyber training and education construct that begins in Basic Military Training and follows a challenging path that includes specialized cyber-focused graduate degrees. In addition to cyber-focused graduate programs (MS/PhD) in Computer Science, Computer Engineering and Electrical Engineering with research focused on such areas as encryption algorithms, botnet disruption, network intrusion detection, and wireless network security, AFIT offers two Master's programs in cyber operations and cyber warfare. The 18- month Cyber Operations Master's Program provides extensive hands-on laboratory experience with both offensive and defensive measures and countermeasures, and is open to officers, enlisted, and civilians. The 12-month Cyber Warfare Degree Program for Majors and civilian equivalents provides a developmental education opportunity that addresses technical as well as policy and doctrine aspects of cyber operations. The Information Assurance Certificate Program (IACP) is a subset of the Master of Science program. Students completing the required coursework are eligible for certificates under National Training Standards as an Information Security Professional, Senior System Manager, and Senior Risk Analyst. On June 19, 2008, the Secretary and Chief of Staff of the Air Force designated AFIT and the Center for Cyberspace Research (CCR) as the Air Force's Cyberspace Technical Center of Excellence (CyTCoE). The Center serves as a bridge between the operational Air Force cyber forces and various cyber research, education, and training communities across the Air Force, the DOD, and national organizations. The Center provides cyberspace professional continuing education for currency and professional development of the cyberspace workforce. The Air Force's Cyber 200 and 300 are Joint-accredited professional development courses designed to increase the depth and breadth of cyber operations understanding and to prepare individuals to apply cyber capabilities and concepts in Joint military operations. These courses are available to and attended by our Joint brethren in an effort to standardize training and proficiency across the DOD. The Air Force is also in the process of establishing disclosure guidance that will allow our international partners to send individuals to Cyber 200 and 300. The Air Force also utilizes graduate-level educational opportunities offered by our DOD and Agency partners such as the Information Assurance Scholarship Program (IASP) and the Computer Network Operations Development Program (CNODP). The IASP is open to all Air Force officers and is designed to retain a corps of highly skilled IA professionals to accommodate diverse warfighting and mission requirements. The CNODP is an intense, 3-year graduate-level internship at the National Security Agency that develops technical leaders who will lead the DOD and Services' employment of cyber capabilities. Graduates of this program receive focused follow-on assignments that capitalize on their breadth and depth of knowledge. Mr. Langevin. Could each of you explain the Command and Control Relationships between your respective Service Cyber Components and CYBERCOM, regional combatant commanders, and other command structures? General Vautrinot. U.S. Cyber Command is the warfighting Sub- Unified Command for cyber. Each of the Services provides component cyber forces to the Joint fight through USCYBERCOM. For the Air Force, the 24th Air Force Commander is also designated the Commander of AFCYBER, the Service Component to U.S. Cyber Command. This direct command and control relationship stems from the authorities laid out in Title 10, USC. Operational orders flow from the President through the Secretary of Defense to the Combatant Commander to the Sub-Unified Commander and then to the Service Components. Under this authority, AFCYBER forces support Joint missions as directed by USCYBERCOM. AFCYBER, which is collocated with 24th Air Force in San Antonio, TX, has its Deputy Commander and a portion of AFCYBER personnel collocated with USCYBERCOM at Ft Meade, MD. AFCYBER provides operational-level command and control of AF cyber forces through the 624th Operations Center. The Operations Center coordinates offensive, defensive and exploitation activities, provides daily reporting of operations, and manages network operations on the AF portion of the DOD network in accordance with USCYBERCOM guidance, as well as acting as a Continuity of Operations Plan for USCYBERCOM. AFCYBER supports regional combatant commanders through reachback or in- place participation in the Cyber Support Elements at the Combatant Command or AF Component (e.g., AF Central Command) level as tasked by USCYBERCOM. The Command and Control (C2) Transitional Concept of Operations (CONOPS) and the Operational Directive (OPDIR) were released and provided guidance for USCYBERCOM and Service Components, specifying standard tasks and mission responsibilities for each of the Services. Based on these two documents, AFCYBER is tasked with leading the Joint effort to provide cyber support to USTRANSCOM, USEUCOM and USAFRICOM. AFCYBER works with these COCOMs to ensure cyber effects are presented to the Combatant Commanders as required. We continue to provide planning and characterization efforts in support of future operations through Operations/Concept of Operations Plans and Crisis Action Planning tasks from USCYBERCOM. We also work, via SECDEF direction through USCYBERCOM tasking, with organizations and agencies while operating in support of authorities other than our traditional Title 10 role. Through USCYBERCOM, we have teamed with the Defense Cyber Crime Center and the Air Force Office of Special Investigations, as well as the Federal Bureau of Investigation, to work specific tasks under Title 18 authority. We use cyberspace operations to support the National Intelligence mission under Title 50. Additionally, we work with our Guard and Reserve personnel under Title 32 to add capacity and capability to AFCYBER. Mr. Langevin. The value of red-teaming--threat emulation--was proven perhaps most clearly in the Vietnam War with the establishment of Top Gun. The Director for Operational Test and Evaluation (DOT&E) has identified a shortfall in threat emulation and red teaming capabilities across the FYDP. What is each of the Services doing to address these shortfalls? Is the DOD investing adequately in the test capabilities and range environments that will be needed to remain current with advancing technologies? General Vautrinot. The cyber red team concept focuses on vulnerability assessments and intrusion missions of DOD networks. AFCYBER's Opposing Force (OPFOR) construct enhances the red team concept by providing a standard process for identifying vulnerabilities in a realistic threat environment, as well as capturing lessons learned and improving specific cyber tactics, techniques and procedures. The AF OPFOR team's goal is to allow commanders to objectively assess mission effectiveness and validate lessons learned to improve mission readiness. AFCYBER employs the Air Force cyber range operated by the 346th Test Squadron at Lackland AFB, Texas, to support the full spectrum of cyber activities. These activities span capability development and tactics, techniques and procedures validation through employment of the OPFOR concept in support of Combatant Command exercises like Terminal Fury and Vigilant Shield. These ranges are already supporting the newly validated USAF Weapons School's Cyber Operations Weapons Instructor Course's capstone defensive mission and mission employment exercise, allowing for advanced weapons and tactics employment. AFCYBER also uses the Joint Information Operations Range to access and leverage the latest threat environments and emulations available from other DOD organizations, academia, and industry. We continue to streamline the procurement process to facilitate nation-state capabilities ensuring Air Force Cyber Test & Evaluation infrastructure and personnel are able to reflect the changing nature of benign and contested cyber environments. ______ QUESTIONS SUBMITTED BY MR. FRANKS Mr. Franks. It is my belief that manmade and natural electromagnetic pulse is the ultimate cybersecurity threat. For example, an EMP attack on the U.S. would render our communications and computer systems useless, and disrupt virtually everything reliant on electricity. Furthermore, the DOD relies on a commercial electric grid, which is butterfly wing delicate to EMP, for approximately 99% of its military installations power requirements. What action is CYBERCOM taking to ensure its electricity is not disrupted by a manmade or natural EMP event, and how important is protecting the civilian electric grid from EMP for CYBERCOM's mission effectiveness? Admiral Rogers. Fleet Cyber Command does not have a specific program to address EMP scenarios. We have very few facilities that are hardened against an EMP event, and even those facilities are not fully hardened. However, we have an aggressive program to manage power outages, regardless of cause, across our domain. We have robust, well managed, critical power systems that provide continuity of operations to our mission critical systems. The critical power infrastructure includes standby generators, automatic transfer switches, and UPS (Uninterruptable Power Supply) systems. For most sites, this infrastructure results in zero loss of power or mission when commercial power is lost. This equipment is maintained, tested, and replaced as needed. Facilities across the domain are routinely evaluated for areas where the capacity or redundancy are insufficient, or mission growth now requires critical power, and these recommendations are balanced against other installation funding needs. Given the criticality of the civilian electric grid, the Navy, through its DOD leadership, continues to work closely with the Department of Homeland Security on how to best to protect critical infrastructure in the commercial sector. Mr. Franks. Over the years the DOD has invested billions of dollars hardening critical components against electromagnetic pulse. My efforts to protect the civilian grid against EMP have had a mixed reception. Most realize the enormity of the threat and the necessity to take action; but others have expressed opposite convictions, and feel that EMP is not the threat described in numerous scientific studies and reports. Do you assess this investment to be wise or unnecessary? If wise, should Congress make efforts to expand EMP protections to the civilian grid? Admiral Rogers. As stated in the question, science and studies indicate EMP is a valid threat to the civilian power grid. Given the criticality of the civilian power grid, it is prudent to consider the protection of this infrastructure against EMP and all other threats. The Navy, through its DOD leadership, continues to work closely with the Department of Homeland Security on how to best to protect critical infrastructure in the commercial sector. ______ QUESTION SUBMITTED BY MR. CONAWAY Mr. Conaway. During the hearing, you referenced a direct accessions program in the Navy. I would suggest that there could be a large number of highly skilled cyber warriors that may not see the military as an option. Can you expand on the direct accessions program for cyber? Admiral Rogers. There are three specific cyber-related skills sets the U.S. Navy directly accesses to develop and maintain our cyber expertise: Cyber Warfare Engineers (CWE), Information Professionals (IP) and Information Warfare Officers (IW). Cyber Warfare Engineer: As a means of addressing the increased demand for officers with specific computer network operations (CNO) focused knowledge, skills and abilities, the Secretary of the Navy approved the establishment of the Cyber Warfare Engineer (CWE) designator in June 2010. CWE is a restricted line community within the information Dominance Corps (IDC) and CWE officers use specific cyber expertise to develop CNO capabilities. These CWEs apply the principles and techniques of computer science and computer engineering to research, design, develop, test, and evaluate software and firmware for computer network attack, exploitation, and defense in cyberspace operations. In addition to academic, age, and physical requirements, CWE candidates must meet strict citizenship and security clearance requirements and complete an interview process with Commander, Fleet Cyber Command. The direct accession requirement has been established at five officers per year. Information Professional: Information Professionals (IP) provide expertise in information, command and control, and space systems through the planning, acquisition, operation, maintenance and security of systems. Their roles include leading the Navy's network warfare missions, developing tactics, techniques and procedures to realize tactical, strategic and business advantages afloat and ashore, and driving interoperability with Joint, Allied and Coalition partners. In addition to academic, age, and physical requirements, IP candidates must meet citizenship requirements, hold one or more active IT certifications and complete a professional review board process. Work experience in the field is strongly preferred. There are approximately 555 IPs in the Navy and we directly access approximately eight officers per year. Information Warfare: Information Warfare (IW) Officers (IWO) are the DOD's premier force for Signals Intelligence (SIGINT), Electronic Warfare (EW) and CNO. Their mission is to execute the full spectrum of cyber, cryptology, SIGINT, information operations, CNO and electronic warfare missions. This occurs across the cyber, electromagnetic and space domains to deter and defeat aggression, to provide warning of intent, and to ensure freedom of action while achieving military objectives in and through cyberspace. In addition to academic, age, and physical requirements, IW candidates must meet strict citizenship and security clearance requirements and complete a professional review board process. There are 930 IWs in the Navy and we directly access approximately 40 officers each year.