[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
[H.A.S.C. No. 112-146]
DIGITAL WARRIORS:
IMPROVING MILITARY CAPABILITIES
FOR CYBER OPERATIONS
__________
HEARING
BEFORE THE
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
OF THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
HEARING HELD
JULY 25, 2012
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
MAC THORNBERRY, Texas, Chairman
JEFF MILLER, Florida JAMES R. LANGEVIN, Rhode Island
JOHN KLINE, Minnesota LORETTA SANCHEZ, California
BILL SHUSTER, Pennsylvania ROBERT ANDREWS, New Jersey
K. MICHAEL CONAWAY, Texas SUSAN A. DAVIS, California
CHRIS GIBSON, New York TIM RYAN, Ohio
BOBBY SCHILLING, Illinois HANK JOHNSON, Georgia
ALLEN B. WEST, Florida KATHLEEN C. HOCHUL, New York
TRENT FRANKS, Arizona RON BARBER, Arizona
DUNCAN HUNTER, California
Kevin Gates, Professional Staff Member
Mark Lewis, Professional Staff Member
James Mazol, Staff Assistant
C O N T E N T S
----------
CHRONOLOGICAL LIST OF HEARINGS
2012
Page
Hearing:
Wednesday, July 25, 2012, Digital Warriors: Improving Military
Capabilities for Cyber Operations.............................. 1
Appendix:
Wednesday, July 25, 2012......................................... 33
----------
WEDNESDAY, JULY 25, 2012
DIGITAL WARRIORS: IMPROVING MILITARY CAPABILITIES FOR CYBER OPERATIONS
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Langevin, Hon. James R., a Representative from Rhode Island,
Ranking Member, Subcommittee on Emerging Threats and
Capabilities................................................... 1
Thornberry, Hon. Mac, a Representative from Texas, Chairman,
Subcommittee on Emerging Threats and Capabilities.............. 1
WITNESSES
Hernandez, LTG Rhett A., USA, Commander, U.S. Army Cyber Command,
U.S. Army...................................................... 3
Mills, LtGen Richard P., USMC, Deputy Commandant, Combat
Development and Integration, and Commanding General, USMC
Combat Development Command, U.S. Marine Corps.................. 6
Rogers, VADM Michael S., USN, Commander, U.S. Fleet Cyber
Command, and Commander, U.S. Tenth Fleet, U.S. Navy............ 4
Vautrinot, Maj Gen Suzanne M., USAF, Commander, 24th Air Force,
and Commander, Air Force Network Operations, U.S. Air Force.... 7
APPENDIX
Prepared Statements:
Hernandez, LTG Rhett A....................................... 40
Langevin, Hon. James R....................................... 38
Mills, LtGen Richard P....................................... 62
Rogers, VADM Michael S....................................... 51
Thornberry, Hon. Mac......................................... 37
Vautrinot, Maj Gen Suzanne M................................. 69
Documents Submitted for the Record:
[There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
[There were no Questions submitted during the hearing.]
Questions Submitted by Members Post Hearing:
Mr. Conaway.................................................. 104
Mr. Franks................................................... 103
Mr. Langevin................................................. 94
Mr. Thornberry............................................... 89
DIGITAL WARRIORS: IMPROVING MILITARY CAPABILITIES FOR CYBER OPERATIONS
----------
House of Representatives,
Committee on Armed Services,
Subcommittee on Emerging Threats and Capabilities,
Washington, DC, Wednesday, July 25, 2012.
The subcommittee met, pursuant to call, at 3:35 p.m. in
room 2119, Rayburn House Office Building, Hon. Mac Thornberry
(chairman of the subcommittee) presiding.
OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM
TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND
CAPABILITIES
Mr. Thornberry. The subcommittee will come to order.
We welcome our witnesses, guests, and members to this
hearing in the Emerging Threats and Capabilities Subcommittee
on ``Digital Warriors: Improving Military Capabilities in the
Cyber Domain.''
There is widespread agreement that cyberspace is now a
domain of warfare, and many people regard it as the most
difficult, perplexing national security challenge we face.
Certainly the laws, policies, and organizations have not kept
pace with the evolution of technology. But if cyberspace is
important to our country's security and if it is a domain of
warfare, our military services, on whom we rely to protect and
defend us, must be prepared to operate in cyberspace as well.
That preparation involves a number of issues, including
organizational structure, recruitment and retention of
qualified personnel, training, rapid acquisition, among others;
and it is those issues which we want to examine in today's
hearing.
Before turning to our witnesses, let me yield to the
ranking member, Mr. Langevin, for any comments he would like to
make.
[The prepared statement of Mr. Thornberry can be found in
the Appendix on page 37.]
STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS
AND CAPABILITIES
Mr. Langevin. Thank you, Mr. Chairman.
I want to thank our witnesses for appearing here today. It
is a pleasure to see all of you again and to have you join us
for what I believe is going to be a critically important
hearing.
I agree with the chairman. There is no more critical task
in today's environment than safeguarding the Department of
Defense's networks. The cyber domain, as we all know, has
become an integral part of every action DOD [Department of
Defense] undertakes, whether offensive or defensive. And as
operating environments grow ever more complex, we need joint
forces that are manned, trained, and equipped to conduct the
full spectrum of operations in support of, and in some cases
supported by, what we think of as traditional military forces.
The Congress and the country as a whole have been
struggling with what cybersecurity means to us as a Nation. We
are grappling with how to protect our systems and our privacy
at the same time, and I am proud to be a part of that robust
discussion. I have held drafts of legislation and cosponsored
others, and now it looks as if something actually may be moving
over in the Senate, which I am pleased to hear. Let's hope so.
And I hope that today we will hear your thoughts on what
sorts of additional authorities you may need and how the
proposed legislation may or may not affect those needs, as well
as your thoughts on the delegation of authorities within the
executive branch. Most importantly, I hope that we hear about
how you are finding and retaining the sort of people that you
need today and in the future and being able to hold onto them.
This, I believe, is the fundamental challenge that faces
all of us. It is often said that the root strength of our
military is the quality of our people, and nowhere is that more
true than in your organizations.
As you think about growing your forces, what thought have
you given to where the people are going to come from? How will
you keep them, promote them, educate them, and continue to
challenge them even when outside organizations are keen to lure
people with those skill sets away to the private sector? And I
know some of you are probably already facing that dilemma right
now.
So, lastly, I need to take a minute to talk about a topic
that would be irresponsible to avoid. We all know that we are
facing significant fiscal challenges in the coming years, even
without the threat of sequestration looming. So cyber-related
activities are faring reasonably well so far, but nothing is
immune, and even noncyber-specific cuts could have an impact on
your commands as personnel resources are reduced or research
and development funding are decreased. Those are just two
examples.
So as you look ahead, how do you factor in the possibility
of even more austere fiscal environments? This is a tough
question but one that I believe we have to face in order to
responsibly address the complex challenges in the future.
So, with that, I want to thank you again for being here.
Mr. Chairman, thank you for holding this hearing. I know
your commitment to the issue of cybersecurity. And I enjoy
working with you and appreciate your organizing this hearing
today.
I yield back.
[The prepared statement of Mr. Langevin can be found in the
Appendix on page 38.]
Mr. Thornberry. I thank the gentleman, and I share his
cautious optimism that the Senate may actually pass something.
We will see.
Again, let me welcome our witnesses. We have before us
Lieutenant General Rhett Hernandez, Commander, U.S. Army Cyber
Command; Vice Admiral Michael S. Rogers, Commander, U.S. Fleet
Cyber Command, and Commander, U.S. Tenth Fleet--I made that as
hard as possible to say--Lieutenant General Richard P. Mills,
Deputy Commandant, Combat Development and Integration, and
Commanding General, U.S. Marine Corps Combat Development
Command; and Major General Suzanne Vautrinot, Commander, 24th
Air Force, and Commander, Air Force Network Operations.
You all have significant titles. I suspect the
responsibility and the challenge is commensurate with the
length of the titles.
Thank you for being here. Without objection, your full
written testimony will be made a part of the record. We would
appreciate if you can summarize your comments for us today.
General Hernandez.
STATEMENT OF LTG RHETT A. HERNANDEZ, USA, COMMANDER, U.S. ARMY
CYBER COMMAND, U.S. ARMY
General Hernandez. Thank you, Congressman.
Chairman Thornberry, Ranking Member Langevin, and
distinguished members of the subcommittee, thank you for your
support and for the opportunity to appear before you today. I
am pleased to be here with my fellow Service component
commanders, and I am honored to represent the Army soldiers and
civilians. Their great work enables our Army's ability to
operate every day and adds to our Nation's security. I am proud
to serve with them and really amazed at what they have
accomplished since October 2010.
The Command has been hard at work increasing Army capacity
and capability, defending all Army networks, and conducting
cyberspace operations in support of U.S. Cyber Command. We all
know the cyber threats are real, growing, sophisticated, and
evolving. Today, a wide range of actors are capable of
exploitation and disruption of our networks, with a growing
potential for destructive capabilities tomorrow. And all of
this could impact our freedom to operate.
To meet these threats, Army Cyber Command and its
supporting units are engaged daily in conducting cyberspace
operations critical to the Department of Defense, Cyber
Command, and Army missions. Our work is guided by the
Department of Defense's strategy for operating in cyberspace;
and the Command helps prevent conflict by maintaining
credibility based on capacity, readiness, and modernization. It
helps shape the environment by sustaining strong relationships
with our military allies in other nations and builds their
capacity and capability and, when required, supports winning
decisively, with the Army's operational level force organized
to conduct cyberspace operations, and daily we provide trained
and ready forces to Cyber Command in support of their mission.
We have completed a wide range of work and continue to
pursue other initiatives to train, organize, and equip the Army
to conduct operations in cyberspace. Strong training, leader
development, and education programs are essential to conducting
cyberspace operations. We have established a world-class,
cyber-opposing force that provides realistic training,
requiring commanders to defend and operate in a contested and
degraded cyberspace environment.
We continue to deploy dedicated information operations and
cyberspace capabilities to Army and joint forces, and we are
supporting combatant command cyber support elements, while
providing expeditionary cyber support elements to commanders
for contingencies and during exercises.
A significant organizational milestone occurred for the
Command on 1 December, 2011, when the Army activated its first
dedicated cyber brigade at Fort Meade. The 780th Military
Intelligence Brigade is organized to support Cyber Command and
combatant commanders in their conduct of cyberspace operations.
The Army has a wide range of capabilities being leveraged
today to operate and defend as well as support offensive
operations. We continue to respond to Cyber Command and
combatant commanders' requirements and have rapidly produced
capabilities to support missions.
While technology plays an important role in the cyberspace
domain, cyber warriors will determine our success. A team of
cyberspace professionals able to quickly act across a full
range of mission sets is who will make the difference. We must
continue to recruit, develop, and retain a skilled professional
workforce.
While there is still plenty to do in this new domain, Army
Cyber Command has made great progress and remains focused on
providing trained and ready forces able to conduct cyberspace
operations. We will provide depth and versatility in cyberspace
to the Joint Force and with our cyberspace capability provide
options and flexibility for commanders and national
decisionmakers to ensure the Army remains America's force of
decisive action and that Army Cyber Command remains second to
none.
I want to thank you for inviting me here today. I look
forward to your questions and our continued relationship and
would welcome your visit to Army Cyber Command. Thank you.
[The prepared statement of General Hernandez can be found
in the Appendix on page 40.]
Mr. Thornberry. Thank you.
Admiral.
STATEMENT OF VADM MICHAEL S. ROGERS, USN, COMMANDER, U.S. FLEET
CYBER COMMAND, AND COMMANDER, U.S. TENTH FLEET, U.S. NAVY
Admiral Rogers. Thank you.
Chairman Thornberry, Ranking Member Langevin, and
distinguished members of the subcommittee, thank you for
holding this hearing today and the opportunity to sit shoulder
to shoulder with my cyber teammates in the other Services.
As the Navy's Component Commander to U.S. Cyber Command and
the second echelon command within the Navy subordinate to the
Chief of Naval Operations, Fleet Cyber Command directs
cyberspace operations in defense and support of Navy and joint
forces. The Department and the Navy continue to mature
cyberspace operations by growing the workforce, exercising the
processes, and developing the capabilities we need to support
cyber operations. Our progress has been, and will continue to
be, guided by the Department's overall strategy for operating
in cyberspace; and I would like to take this opportunity to
highlight a few items that I think highlight some of the
progress as well as some of the challenges we have experienced
in the last year.
That progress has been an iterative one, and we continue to
refine concepts and doctrine, but there are two significant
achievements I think in the last year that will help us as we
move our efforts forward.
First, the approval and implementation of the Transitional
Command and Control Concept of Operations, which provides the
Services and the Geographic Combatant Commanders a standard
baseline for how we are going to execute cyberspace operations
by documenting the command and control relationships, the
missions, and the functions that we will be executing.
Secondly, U.S. Cyber Command's Operational Directive, which
specifies the standard tasks and mission responsibilities for
each of the Service components before you today, which will
provide initial insight into how U.S. Cyber Command intends to
use us as components, which in turn will provide a foundation
for how we will generate Navy capacity to support them.
In addition, the strength of our efforts over the last year
have been from our workforce, which continues to be a source of
strength. And, at the same time, the events of the last week
remind us just how great that workforce is.
Unfortunately, Fleet Cyber Command and Tenth Fleet suffered
the loss of a petty officer in Aurora, Colorado, on Friday in a
movie theater in a way that none of us would have ever
expected. I had the opportunity to see Petty Officer Larimer's
family in Chicago over the weekend after the tragedy, and I
will tell you if we had more Petty Officer Larimers in the
world, there is no challenge that we couldn't handle. But he is
symbolic of the broader workforce that we have.
And, to date, our recruitment, our development, and our
retention, although it remains a challenge, has in fact
exceeded our expectations. We hope that is what continues, and
we are working hard to make sure that is the case.
We also have taken a hard look over the last year about how
we are going to train the force of the future, establishing
summer internships with the Naval Academy and ROTC [Reserve
Officers' Training Corps] midshipmen with the Navy Cyber
Warfare Development Group, as well as our cyber defensive
operations.
In addition, we have established a cyber warfare engineer
career field designed to enable direct accessions from recent
college graduates who bring deep cyber expertise to the table.
In addition, to develop our sailors and civilians, we have
developed and begun implementing a tiered cyber training
strategy that tailors cyber training based on an individual's
particular roles and responsibilities.
We have also created a Navy Cyber Manpower 2020 Task Force
to plan and execute the steps necessary, we believe, that will
develop a comprehensive near to midterm cyber manpower
strategy.
We have also worked hard in the last year to strengthen our
networks and to reduce our exposure and our vulnerabilities,
and those efforts continue. We emphasize cross-communication
between our large network programs, both afloat and ashore; and
we are actively engaged in developing concepts with the
Department of a joint information environment which will be
comprised of information technology infrastructure and
enterprise services. These investments that we have made in
network consolidation and deployment of enterprise services
have already provided us with greater situational awareness of
our networks, which is a key element of our ability to defend
them.
In summary, sir, I would like to close by emphasizing that
our success to date in the maritime domain and the joint
operational environment depends on our ability to maintain
freedom of maneuver and deliver effects within cyberspace. And
to ensure we maintain our edge, the Navy will continue to drive
advancements in Navy cyberspace operations guided by the
initiatives set forth both by the Department and the joint
commander we support at U.S. Cyber Command.
I thank you for this opportunity, and I look forward to
answering any questions you might have. Thank you, sir.
[The prepared statement of Admiral Rogers can be found in
the Appendix on page 51.]
Mr. Thornberry. Thank you.
General.
STATEMENT OF LTGEN RICHARD P. MILLS, USMC, DEPUTY COMMANDANT,
COMBAT DEVELOPMENT AND INTEGRATION, AND COMMANDING GENERAL,
USMC COMBAT DEVELOPMENT COMMAND, U.S. MARINE CORPS
General Mills. Chairman Thornberry, Ranking Member
Langevin, Congressman Conaway, it is an honor to appear before
you today. On behalf of all the marines and their families, I
want to thank each of you for what you do and your continued
support in all things military.
I will keep my comments short, as my written statement has
been made a part of the official record.
Protecting cyberspace is a national security priority. Your
Marine Corps understands that and recognizes that fact. Indeed,
while Marine Forces Cyber Command is just 3 years old, Marines
have been conducting cyber operations for well over a decade.
We clearly understand that cyberspace, the convergence of
network systems brought about by so many disciplines, is
absolutely integral to our everyday lives, our national well-
being, and has become a key aspect of today's warfighting.
Around the world, and particularly in the United States,
cyberspace is part of all that we do. Smartphones and social
media, to efficiencies throughout our vast critical
infrastructure, it all depends on the grid.
Yet with all these positive advances come risks and
vulnerabilities. We know that Department of Defense systems are
attacked millions of times each day. Indeed, the Marine Corps
Enterprise Network is also attacked hundreds of thousands of
times each day. The critical infrastructure in the United
States is highly vulnerable to cyber attack.
As the Nation's expeditionary force in readiness, the
Marine Corps is preparing to meet these threats by increasing
capacity for network operations, by increasing our ability to
conduct defensive cyber operations, and, when directed, to
conduct offensive cyber operations. Ensuring the stable cyber
domain means that we will ensure our stability of our weapons
systems, our command and control systems, and indeed our
national industrial assets.
Today's dynamic global environment demands that the
maritime forces be flexible and scalable, thus allowing
operational commanders the ability to configure the sea base to
optimize the employment of appropriate size and capable forces
to accomplish a mission, whatever that mission may be, from
humanitarian assistance to major combat operations. Therefore,
our cyber operations must be tailored to provide flexibility to
the Marine Corps, to the Joint Force, and indeed to the Nation.
We need to meet emerging missions, enhancing the requirements
to support distributed operations today.
Since my predecessor, Lieutenant General George Flynn,
testified before this committee some 2 years ago, the Marine
Corps has made great strides in expanding the capability and
capacity of Marine Forces Cyber Command. We have increased its
workforce as well as our cyber-related Military Occupational
Specialties. In the future, we plan to increase our cyber
workforce by approximately 700 marines and civilian marines
through fiscal year 2016. I am very proud of our cyber marines
and our civilian marines. They work diligently every day to
defend and protect our cyber domain.
In addition to the progress we have made in developing our
cyber workforce, we have made great strides in securing our
network architecture. The Marine Corps has already standardized
its security boundary architecture through its implementation
of the Marine Corps Enterprise Network, and we are working with
the Joint Information Environment framework to comply with
developing shared security architectural standards. Indeed, as
we assume full control over our network transport and
enterprise services, we will collapse our remaining legacy
networks, which will then reduce our management footprint and
our costs, while achieving greater compliance and consistency,
again throughout the Marine Corps Enterprise Network.
We are taking a very deliberate and joint approach to cyber
requirements. We continually strive for the right balance in
supporting the requirements of both U.S. Cyber Command and our
own Service requirements.
Gentlemen, I appreciate the opportunity to discuss this
important project, and I look forward to our questions.
Thank you.
[The prepared statement of General Mills can be found in
the Appendix on page 62.]
Mr. Thornberry. Thank you.
General.
STATEMENT OF MAJ GEN SUZANNE M. VAUTRINOT, USAF, COMMANDER,
24TH AIR FORCE, AND COMMANDER, AIR FORCE NETWORK OPERATIONS,
U.S. AIR FORCE
General Vautrinot. General Thornberry, Ranking Member
Langevin, Congressman Conaway, and distinguished members of the
subcommittee, thank you for the opportunity to represent the
exceptional men and women of Air Forces Cyber before this
panel. It is an honor to appear before you alongside my Service
counterparts and to share our progress in responding to U.S.
Cyber Command and our Nation's mission requirements.
In Air Forces Cyber, through continued support from General
Shelton at Air Force Space Command and General Alexander at
U.S. Cyber Command, we have made great strides towards
normalizing and operationalizing cyber capabilities to match
the rigor and discipline of its air and space counterparts. I
have been privileged to witness firsthand cyber airmen
fulfilling our commitment, the commitment we pledged to you 2
years ago, to provide global vigilance, reach, and power by
doing what airmen do best, innovate. This culture of innovation
is foundational and has been vital to overcoming the myriad of
challenges associated with conducting cyber missions. I would
like to share a few examples of this culture in action.
In addition to the remotely piloted aircraft mission
assurance, which I described in my written remarks, we have
also collaborated with U.S. Transportation Command and employed
our specialized U.S. cyber teams to search within the .mil
networks to assure the mission by proactively discovering
vulnerabilities before they can be exploited. General Fraser's
Command worked with our teams inside the tanker airlift control
center to initially map that mission network to the
architecture. Then, in phase two, the operators proactively
searched for the network and leveraged capabilities to
identify, pursue, and mitigate threats impacting the critical
system interfaces that are essential to mission success, an
activity in the military which we seek to support in defense of
the Nation.
For mission assurance, a combatant command's prioritized
defended asset list determines where this focused capability
will be employed, in effect, the cyber high ground. These teams
are operational and have been deployed to protect against
adversaries' actions per Cyber Command tasking.
Mission capabilities and applications are critical, but
increasing the capacity to expand those capabilities in support
of joint operators is just as important. I recently attended a
graduation ceremony at Hurlburt Field, Florida, where our
Intermediate Network Warfare Training course, which is our
schoolhouse for a wide range of cyber operators and one of ten
in-residence and seven online courses, graduating over 7,000
students a year. As a result of this course, young cyber
warriors like Lieutenants Andrew Cook and Stephanie Stanford
are now experts in their field and carry unique certifications
that only 6,800 people in the world have attained.
Operationalizing cyber training and certification, our
commitment 2 years ago, a reality today. Likewise, high school
and college students around the country have been exposed to
science, technology, engineering, and mathematics through
successful programs such as Cyber Foundations, the Air Force
Association's CyberPatriot initiative, as well as the National
Collegiate Cyber Defense Competition. These programs have been
truly groundbreaking in that they get our next generation of
cyber professionals excited about and committed to a cyber
career. These professionals are key to U.S. Cyber Command's
mission and the Nation's defense.
We grieve the loss of one of those cyber warriors, Staff
Sergeant Jesse Childress, in the Aurora shooting; and we join
our sister Service, Fleet Cyber, in grieving the loss of Petty
Officer Larimer. We are grateful for their service.
Having new capabilities and expanding capacity, along with
academic, industrial, interagency, and international
collaboration is what will move this Nation forward and make
Jesse and John proud.
Air Forces Cyber has improved our collaboration with our
sister Services, other government agencies, academic and
industry partners to share situational awareness and increase
capabilities and capacity, which is the first essential step
towards transitioning to a more predictive and proactive
defense. From across the Air Force, we have synchronized
materiel command acquisition and engineering professionals,
research lab and test specialists, and 24th Air Force's real-
time cyber development expertise to establish a Center for
Cyber Innovation in Texas, with a goal of rapidly fielding
critical cyber capabilities.
General Alexander lists this capability as a top priority
in his May 2012, Operations Directive, and it was something you
requested in section 933 of last year's National Defense
Authorization Act. As a result, Air Forces Cyber executes U.S.
Cyber Command mission guidance by effectively supporting every
combatant command, providing full spectrum cyber operations.
I am extremely proud to play a part, as our airmen play, in
defending the Nation in cyberspace at the speed of cyber. For
me as an airman, that is Mach 880,000. Offensive, defensive,
and enterprise services are inextricably connected in this
domain. We all rely on cyber to be there. We have a personal
interest, a corporate interest, and a national security
interest in making sure it remains available for all our use,
while denying our adversaries' ability to use it against us. We
have made great advances and will continue do so. That is our
innovative culture as airmen, our obligation to General
Alexander.
Thank you for your continued support for this vital
mission, and I look forward to answering your questions.
[The prepared statement of General Vautrinot can be found
in the Appendix on page 69.]
Mr. Thornberry. Thank you, and I appreciate all of your
statements.
And I particularly appreciate, General, you and the Admiral
mentioning the loss in Colorado. It is a specific reminder to
us all about the tremendous potential of those lives that were
tragically cut short by that event.
Let me just ask one question and then yield to my
colleagues for their questions.
The ranking member mentioned sequestration. Obviously, it
is near the top of our minds in all we do in this committee and
around Congress. If there were to be sequestration, you know,
just say on the order of 10 percent, what would that mean for
the programs that you are responsible for?
If we could just go down the line briefly.
General Hernandez.
General Hernandez. Congressman, thank you.
Clearly, with sequestration no part of the Army would go
untouched. So we are not planning for it. And I would say, to
Congressman Langevin's point, if we were to invest in areas
that had to stay for us, it would have to be the people. We
have all talked about the significance of the workforce and
training, recruiting, developing, retaining that workforce.
And the second piece would be that we ensure that we invest
in the right S&T [Science and Technology] that allows us to
really capture the requirements for the future in this domain.
Mr. Thornberry. I am sorry--10 to 15 percent in the first
year alone. Obviously, if sequestration--we are talking about
that year after year after year. And, you know, again, I am
just kind of thinking about the first year.
Go ahead.
Admiral Rogers. Well, I believe we are all in the same boat
in the sense that the Department has done no planning or
provided no guidance; and under the terms of the sequestration,
it would be implemented across the Federal Government.
I think my concern as a commander, not having delved into
the specifics, is if we lose the ability to prioritize, if we
are going to take cuts that are just done indiscriminately--and
I don't mean that to be pejorative--but if we are going to take
cuts indiscriminately across the board, as an operational
commander, if we lose the ability to prioritize, if we lose the
ability to attempt to identify what are the core capabilities
that we want to make sure that we continue to fund at
consistent levels, that concerns me.
Mr. Thornberry. Well, that is the way it is. It is every
program, project, activity cut in an equal amount. So what we
are trying to get is, okay, what does that mean for cyber, an
area that is so dynamic, that, as Mr. Langevin said, has
actually been growing in recent years?
General.
General Mills. Sir, again, the impact across the Marine
Corps would be significant in readiness, in manning levels, and
in our ability to train and to exercise our forces. I think
probably the impact on Marine Forces Cyber and probably all
cyber programs would be disproportionate because of the speed
with which we have to acquire new equipment and new software.
So I see it as having a significant impact across the board and
I think a disproportionate impact within the world of cyber.
General Vautrinot. Chairman Thornberry, it would be
devastating. The strategy that has been provided by the
Department to move us forward in cyberspace and the vision
provided by General Alexander rests on future acquisitions, on
future changes; and I believe that under sequestration those
would not be realized.
In addition, those advancements that we have made over the
last years, as each of our commands stood up, requires
sustainment; and those sustainment levels have not been created
and stabilized. And so, as we back away from those, I believe
that we would actually lose ground in this important area and
in meeting the strategic goals that the Department has outlined
and in particular my Service has put into its master plan.
Mr. Thornberry. Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
Thank you again to our witnesses for your testimony today
and thank you for mentioning the losses in Colorado. Like the
chairman said, it is important for us to be mindful of their
service and the loss that we have experienced in Colorado, and
our thoughts and prayers are with them and their families.
I appreciate you addressing the issue of sequestrations.
I can move onto another area. Talking about cyber
operators, can you tell me for each of you how many cyber
operators do each of you have? How many more do you need? And
where will you get them from? And how will you recruit and
retain them?
The issue of retention is going to be a big challenge going
forward, as identified. I know the private sector is always
looking to recruit from the military and to retain them. So we
have got a challenge on our hands to retain them.
How many do you have? And if you need to get back to us for
the record, that is fine. But if you do happen to have those
numbers, that would be helpful.
General, should we just start with you and go right down
the line?
General Hernandez. Congressman, let me start with a larger
number that we believe are engaged in conducting the full range
of cyberspace operations every day, which runs the three lines
of operation consistent with Cyber Command for operate, defend,
and offense. Of those organizations that are either assigned or
under the operational control of Army Cyber at this point, we
have about 11,000. Of that number, the predominant number is
focused every day on operating and defending our network.
The standing up of the cyber brigade really is the brigade
that brings the capability to conduct SIGINT [Signals
Intelligence] operations, defensive operations, and, when
ready, capable of conducting offensive operations. That brigade
will be about 1,200 when we are done training that brigade.
Because it is a long investment in training for that skill set,
and I don't know what the total requirement is yet. I think
that is really a part of the larger requirement with respect to
how we are going to operate in cyberspace, what the roles and
responsibilities will be. But we I think have a pretty good
head start in that. Now it is a matter of how we leverage the
skills that we have and retain those skills to do the missions
that we have been assigned.
Mr. Langevin. Have you thought about, too, about the
retention aspect of it? Clearly, if people know that these are
promotable skills and we can move them up the chain, they can
have a place within your--they are in for the long haul, they
are more likely to stay.
General Hernandez. I think we have learned some really
significant lessons as we recruited this cyber brigade. And we
did a lot of things that were important in recruiting that are
tied to how you assess, how you provide the right incentives to
bring them in, through questionnaires, through interviews,
through specific targeting of universities and different
programs that we try to bring the skill set that not only had a
desire to do this but they had a propensity for this hard work.
And through a combination of bonuses and incentives, we are
doing pretty good in bringing them in.
I think our most significant piece that we are learning is
that the pool is not very deep, as you talked about earlier,
and our development will have to be continuous. So we have
adjusted development programs for them. And the incentives to
retain them will have to be targeted. As we have done in the
past, we will have to continue to do.
Mr. Langevin. Thank you.
Admiral.
Admiral Rogers. Sir, within the Fleet Cyber Command arena,
there is approximately 14,000 within our workforce focused on
cyber operations, whether it is operating the networks,
defending them, or looking at the offensive applications of the
networks. The greater majority of those, probably something on
the order of 75 percent, are associated with the operations of
the networks; and the remainder are pretty evenly split between
the offensive and the defensive side.
In terms of where do I think the number is going to grow in
the future, clearly, I don't think we know yet what the
ultimate end state in all this is going to be, other than I
think we see some form of continued, measured growth.
When I say ``measured''--because I think part of the
challenge is, with 75 percent of our workforce oriented on
actually operating the networks day to day, that is a
percentage that, from my perspective, is totally out of whack.
It is a reflection of an architecture and approach to networks
that I think is very dated. As we shift into the cloud and we
go forward across the Department in a Joint Information
Environment, I view that as an opportunity to harvest the
savings of those operators, if you will, and invest them as the
seed corn for the cyber workforce in the future, to invest them
in the defensive and the offensive side.
In terms of our ability to retain those men and women, to
be honest, we have exceeded my expectations. As a person who
has been doing this for about 10 years in one form or another
now, I can well remember one of my concerns early on as I
became involved in this mission set was how are we going to
retain these men and women? I think the thing that has
surprised me the most and heartens me the most and what I
ascribe to that retention is the fact that increasingly these
men and women view themselves as warriors, and that is the
paradigm and the prism they use as they assess themselves and
they think about their future.
And that is one distinct advantage I think for us in
uniform. While our civilian counterparts offer many
opportunities and, arguably, advantage, the one area that they
don't offer is the ability to be a warrior. And the workforce
really seems to crystalize around that idea. As well as the
broader Navy as a whole is very energized by the mission set,
has great respect for its cyber partners, and goes out of its
way to highlight to its cyber partners how well positioned they
think they are for the future. And the workforce really
responds well to that.
Mr. Langevin. Excellent. Thank you.
General Mills.
General Mills. Sir, we draw our cyber warriors throughout
the Marine Corps. We consider every marine a cyber warrior, and
we have instituted training packages within our Professional
Military Education to enable them to understand what cyber
warfare is and how to utilize it.
Specifically, those that are directed to support Cyber
Command we are going to grow to about 700 over the next few
years, as I said in my opening statement. We draw mainly from
three fields--communications, intelligence, and signals
intelligence--to source those warriors.
Of note is that as the Marine Corps lowers its end strength
over the next few years as the war in Afghanistan winds down,
cyber is one of the communities that will in fact grow despite
the fiscal challenges that we face in the coming years.
Currently, we are increasing our marines that are involved
in the direct support to Cyber Command, conducting offensive
cyber operations. We are also growing a company that will be
directed to support our deploying MAGTFs [Marine Air Ground
Task Forces] as they go forward deployed aboard Navy shipping
and look to crisis spots throughout the world. Those warriors
are really a mixture of Active Duty marines, also reservists on
Active Duty who support us, mainly within my headquarters
outside Fort Meade, and, of course, civilian contractors that
we have been able to identify to fill a need.
We intend to recruit, as we always have, the best-qualified
young marines that we can find and then to ID those that may
have talent and interest within the cyber area and then to
train them adequately so they can move forward to do their job.
Like the other members up here on the board, we have not
had any trouble at this point in retention. I think that will
depend somewhat, obviously, on what the conditions are outside
the Services in the years to come. But at this point we have
not had a problem retaining our fine young cyber warriors.
Mr. Langevin. Thank you, General Mills.
General Vautrinot.
General Vautrinot. Mr. Chairman, as General Mills pointed
out, we have cyber expertise that is applied in our
acquisition, our engineering, our testing environments. In our
operational environment that is Air Forces Cyber and in the
component that supports U.S. Cyber Command there are 17,000
great professionals. About 11,000 of those are Guard and
Reserve for our total force, and some of those are being
repurposed in order to expand on the capabilities that they
have to better serve this great domain.
From the standpoint of that operation, it also leverages
within the Air Force our Air Force ISR agency: Intelligence,
Surveillance, and Reconnaissance; and I have the great
privilege of borrowing from Major General Bob Otto's folks, 945
of them, that are in direct support of Air Forces Cyber
operations in support of the missions every day.
The creation of the career fields, as mentioned by Admiral
Rogers, was similar in the Air Force. Several years ago, we
created a cyber operations career in the officer as well as the
enlisted ranks. And the one, Bravo 4, is continuing to expand
in our enlisted ranks, and we welcome them aboard with special
expertise.
That special expertise goes across the training they
receive at baseline, which is far, far more unique and
applicable to this domain. And then the follow-on courses, as I
mentioned in the statement, 10 courses within the Air Force
that are resident, seven that are nonresident, many of those
supported by our Guard and Reserve counterparts. And then, in
addition, those courses, many of them now open to our Service
counterparts. Also, the joint courses that are provided by the
Department, five different planning and specialty application
courses that these folks are able to attend.
We are also working towards tactics, techniques, and
procedures that apply that knowledge not just as cyber
expertise but cyber expertise applied to operational
applications in every domain. And the expansion of those TTPs
[tactics, techniques, and procedures] is what allows us to
operationalize this career field and this domain.
The last question was recruiting and retention. I am
fortunate to be part of a Service that recruits to retain; and
we have been privileged to have any number of folks that come
in not just to gain that expertise, which is oftentimes the
initiation, but they want to serve the Nation. Now they have
the advantage of serving the Nation with extraordinary
capabilities that are often not available in industry. And we
find that the ability to serve, coupled with those
extraordinary capabilities, is a retention factor, and it is a
factor in our advantage.
Mr. Langevin. Very good.
Thank you. I yield back.
Mr. Thornberry. Mr. Conaway.
Mr. Conaway. Well, thank you, Chairman.
And, folks, thanks to you all for being here.
Staying with the personnel theme, the typical cyber
warrior, you don't think of them in the traditional warrior
category. They need to be a lightning-fast typer and really be
able to think and those kinds of things.
In terms of recruiting and targeting the folks you need, I
am assuming that everybody you are talking about goes through
the exact same basic training, the officer candidate school,
all the regular entry-level schools that everybody else does.
Is that a barrier to getting folks that you really want? In
other words, do you ever foresee a point where they will need
those kinds of skills to continue to conduct cyber warfare
versus a group that might not be the prototypical marine or
airman or sailor or soldier that would need to shoot real
straight and be able to be physically very sound and
aggressive?
General Mills. Sir, I will take the first whack at that and
say that our cyber warriors are marines first, will always be
marines first. They will undergo the same training that every
marine undergoes, whether officer or enlisted, and will be
promoted and trained within the Marine Corps system. I don't
see a problem there, sir.
Admiral Rogers. For us on the Navy side, we are clearly
concerned about that phenomenon. We created a few niche
programs, if you will, to allow people with kind of
unconventional backgrounds to come into the field. Those
numbers are fairly small.
One of the thoughts in my mind is, over time, as our
capacity grows, does it overgrow our ability to assess people
in the kind of traditional models, if you will, that we tend to
do now? It is something that we pay great attention to, and I
am always looking in my mind when do we get to that critical
typical tipping point where the conventional mechanisms just
aren't going to be there for us? We are not there yet. I don't
see us getting there in the immediate near term, but it is
something I watch for, because I am concerned about it in the
future.
Mr. Conaway. General Hernandez.
General Hernandez. Thank you, Congressman.
I would add, as the Marines have said, that we have not
seen that as a barrier to entry. In fact, I think this idea of
cyber warrior is critical, because they see themselves as
warriors.
I have consistently said that in a way there are some
characteristics or values that we all have to have, and in this
domain there might be a few that we would add a little more
emphasis to. So we have talked about a professional team of
elite that we will have to really work our way through how we
select them, train them, develop, and retain them. Trusted.
Because I believe in this domain if you want to be able to gain
the authorities to do the missions that you want to do you have
to have trust. Discipline to do what it is that you can count
on the person in cyberspace, as you would a battle buddy on the
battlefield. And precise. Because collateral damage in this
domain can be as devastating as any other.
So those are four values, if you will, that we would add to
that. I do believe that we are clearly going to have to think
about how we develop them differently. And the schoolhouse
domain may not be in fact the same model. And they are learning
every day because things are changing so frequently that they
have to keep up, and the challenges need to stay in this
domain. So they have to get the mission that comes with being a
cyber warrior. And I believe that the entry will be similar to
what we are doing now. But we are looking for that special,
elite group.
General Vautrinot. Sir, I will echo my comrades. In wearing
the uniform, there is great pride. There is also great
responsibility; and the accession programs recognize that
necessity and leverage that.
But, in addition, the numbers that I spoke to were our
officers, our enlisted, our civilians, our contractors, and our
citizen airmen that come from the Reserve and Guard. And all of
them have the opportunity for this unique training. And as they
apply that training, they apply it in defense of the Nation. So
I think our cyber warriors extend to every one of those
categories. And certainly the specialized training for those
that wear the uniform and wear it in harm's way is appropriate
to someone that you need to depend upon in that regard.
Mr. Conaway. Thank you, Mr. Chairman.
Mr. Thornberry. Well, I know you all will continue to watch
that. Obviously, a little bit of intuitive common sense says
that we may have to treat some of these folks differently; and
if it gets to the point where that involves us with some sort
of different compensation system, some sort of special carve-
out or something, I would want you to let us know. Because it
just seems on the face of it that as we go by and, as you said,
as we expand and so forth, that we may have to not treat some
of these folks the way we always treat everybody else. So I
think we will all be interested in that comment.
Mr. Barber.
Mr. Barber. No questions.
Mr. Thornberry. You have no questions?
Let me--I don't know. Maybe these questions are a little
bit more suited for General Alexander, and maybe they are just
dumb questions, but let me give it a shot.
I understand that each of you all are responsible for your
Service's networks. Okay. But in thinking about supporting a
joint operation of some kind, whether it is a physical
operation that you are supporting or strictly as a cyber
operation, how do you decide who does what? Because it seems to
me that there is no particular benefit from one Service to the
next, no natural sort of inclination. So is it going to work
where Cyber Command says, okay, the Army is going to take care
of this target set and the Navy is going to take care of this
target set and kind of assign responsibilities? Or does Cyber
Command say, okay, we will take four Air Force people, a
marine, three sailors, and so forth. You all send them up to
Cyber Command, and we will set them next to each other and we
will tell them what to do. How does the Service component fit
into that kind of national mission I guess is kind of what I am
wondering.
Whoever wants to help me.
General Hernandez. That is a great question, Congressman.
In fact, we are all working through that right now with Cyber
Command; and, really, there are several different layers that
we have to work through.
The first piece is how do we provide value and resources
and forces to a national mission, which is part of what General
Alexander has, and what is our requirement for that? And then,
second, what do we do with our Title 10 role to provide trained
and ready forces to him for his Cyber Command mission? And the
third piece is for us to support Geographic Combatant
Commanders and in the Army's way also to be able to support
tactical and operational commanders that are supporting
Geographical Combatant Commanders. So we really have to nest
that strategy from the top to the bottom of who is going to do
what requirements.
I think we all believe that over time a couple things are
essential. One is that is going to become more joint in most
cases. Certainly the training and the standards that our cyber
warriors will need will need to be joint so that you can count
on them being able to interact with joint teams.
The second piece I think is the Joint Information
Environment that we have all talked a little bit about and the
need to get to that operational warfighting platform that
allows us to really have an operational network that we can
defend off of in a joint way. Because, after that, it will be
coalition operations. As well as an infrastructure that we can
conduct cyberspace operations off of. So I believe that work is
ongoing, and it is going to have to be nested from the top to
the bottom.
The last piece he has given us is a hard look at some
functional requirements, what we might do for specific
capabilities, command and control, IADS [Integrated Air Defense
Systems], and those types of functional looks at how we might
ensure that we are providing that capability as a force, as
opposed to duplication of effort or worrying about
deconflicting it too late because you have invested resources
that might not have been done that way. So we are working on
all of that together.
Admiral Rogers. Sir, from my perspective, this is an issue
we have spent a good deal of time working collaboratively with
each other and with U.S. Cyber Command on to address so how are
we going to apply the capacity and the capability that we are
each generating.
I will speak for the Navy, but I think it is fairly common
for all of us. We provide capabilities both within our Service
but, at the same time, as U.S. Cyber Command's Naval component,
or Navy component, my comment to him was, sir, we need to
generate capacity and capability for you in a way that does
this in an integrated fashion; and if we are each going to act
on our own, this isn't going to get us where we need to go.
I think, to General Alexander's credit, within the last few
months he has generated what we call the Operational Directive,
the OPDIR, where he has laid out for each of us here is how my
operational vision is in terms of how I will parse out who will
have leadership within different geographic areas around the
world. And then, once you are designated as the lead, then we
collaborate with each other for how we are going to generate
the full spectrum of capability and the capacity that we will
need to support those joint commanders.
Tie in then, as General Hernandez mentioned, the Joint
Information Environment that hopefully gives us over time an
underpinning that we can all plug into somewhat seamlessly, as
opposed to the environment where we operate in today, where
that is definitely not the case.
I think between those two things we are able to apply our
respective capabilities to maximum effect. But it is an issue
of great concern.
The last comment I would make is one other comment I make
regularly to U.S. Cyber Command, is please don't view your
components as manpower pools. We are integrated warfighting
organizations just like every other mission set within the
Department of Defense. Task us, just as we do in every other
mission area across the Department. Have us bring you capacity
and capability in an integrated, cohesive unit whole, which is
the way we are used to working as a Department and the way we
have all structured our selves.
General Mills. Sir, I would agree.
I would just add that we have talked about ensuring that we
have standardization, if you will, of training those cyber
warriors so they meet the requirements that General Alexander
has published. I think this is not particularly a new problem.
There are other areas in which you begin to cross over into
Title 10 responsibilities of our Service chiefs to man, train,
and equip their own forces. But we work in the joint
environment in many, many other ways where there are some
similarities of how we come together, how we provide forces
that are trained to accomplish a specific mission and yet we
retain our Service identities. So I think it is a thing we are
working through as the growth of Cyber Command takes place, but
it is not an insurmountable problem.
General Vautrinot. Sir, I will echo Admiral Rogers in the
discussion of the Operations Directive, which does two things:
It aligns us to provide direct interface with combatant
commands that have unique requirements, but it also leverages
the core competencies that are specialties within each of our
Services, not just for a given combatant command but in support
of each other as we provide those rare capabilities.
In addition, the orders process across the board as U.S.
Cyber Command was established has been very freeing in this
regard. Because those orders come through to all of us in order
to provide capability across the board. Cyber is foundational
to every one of the air, ground, sea, space missions. And
because it is foundational, we all need to operate in a
synchronized and consistent manner. The orders come to each of
us in the operation of our portion of the network to provide
that synchronization. And so, in following those orders, we are
all doing very like things but appropriate to the network that
they must be applied to.
So that is foundational, providing the unique core
competencies to enhance missions as they move forward, and then
certainly expanding cyber in order to provide alternatives that
are nonkinetic, that don't require heat-blasting fragmentation,
to the Nation through the cyber domain.
Mr. Thornberry. Well, that is helpful.
It just occurs to me, as you all sort through these issues
that seem to me rather complex, exercises are going to be
really essential to test this out. Because, you know, I am not
too concerned about the young folks that work for you all, but
I am more concerned about the bureaucratic gobbledygook that
can foul up even the best intentions. And until we exercise
some of this capability, you know, it will be hard to know
whether it will really work.
You all touched on this, but it was also a question I had
about the relationship of your components to Geographic
Combatant Commanders, how that is going to work. Is it Cyber
Command directing operations in Central Command and the other
commands? Or are you going to send a unit to the commander of
Central Command and he is giving all direction for it so that
they are completely a supportive body for the combatant
commander?
I don't know. Maybe it is not an either/or situation. But
you just think about an operation in country X. There is going
to be elements that are obviously supporting the tactical fight
there, but there are also elements maybe at a cyber domain that
will exceed even that geographic area.
Mr. Thornberry. And how does that fit with our current
geographic divided command structure of the combatant
commanders. Make sense?
General Hernandez. Makes absolute sense, Congressman. And
that is really part of this directive in reality what we have
been working for almost the last 2 years. So from an Army
perspective, General Alexander has asked Army Cyber Command to
take the lead for him for CENTCOM [U.S. Central Command] and
NORTHCOM [U.S. Northern Command]. Now what that translates into
is that we have a habitual relationship with a cyber support
element that is operating everyday as part of Cyber Command.
And we have participated in exercises that demonstrates our
ability to bring capability to integrate with his plans as well
as provide reachback support from Cyber Command. And as you
have described, really there is a Cyber Command global mission
that is supporting an operation that would have a national
piece to it and support to CENTCOM. And there is a CENTCOM
piece that would be directed in support of CENTCOM principally
led by Army Cyber Command but with Joint Forces and joint teams
from all of Services.
Mr. Thornberry. So who calls the shots when there is a
global component and a geographic component?
General Hernandez. Clearly, in a global domain, it needs to
be coordinated and integrated and deconflicted very quickly and
at the Cyber Command level.
Mr. Thornberry. It just seems to me it may be a challenge
to work our way through. I don't need to tell you that.
Last question for now, and then I will yield to my
colleagues. There are rumors that there are rules of engagement
bouncing around the Pentagon. I haven't seen anything yet, but
I guess my question to you all is how comfortable are you that
we are close to having rules of engagement that we--that the
country can move forward and operate with?
Admiral Rogers. That is really within General Alexander's
lane, if you will, as the Joint Commander. It is an issue he
continues to work with the Department and the Joint Staff
leadership and the rest of the combatant commanders. It has
been an issue of discussion for some period of time now. I
think there is recognition that that is a requirement,
something we need to do. The devil is always in the details, if
you will.
But my sense is that at some point in the near term, we
will start with something that will continue to evolve over
time, which is what you see in our standing rules of engagement
for the Department, for example. That is the way they worked
those. I think you will find the same thing in the cyber arena
as well.
Mr. Thornberry. Essentially, the Joint Staff and the Cyber
Command will hand you all rules of engagement that you will
then have to look at, plan with, operate from and will evolve
understandably over time.
Admiral Rogers. As will all commanders within the
Department, be standing rules of engagement for all.
General Vautrinot. Chairman, there are existing standing
rules of engagement for every one of the execute orders and the
orders that the military is working under with regard to cyber
operations today. And I believe the expansion of those orders
is in the area of defense of the Nation as opposed to the
defense of our Department's networks, but in defense of the
Nation. And certainly work in that regard is what General
Alexander is moving toward, but I did want to point out that
the standing rules do absolutely exist. And we test those as
well as test the potential rules of engagement in the exercises
that you mention. For example, if I am working with the
combatant commands on behalf of General Alexander to bring that
face and that cyber expertise toward them, Turbo Challenge,
Austeer Challenge, Global Lightning, Judicious Response and
those kind of tier 1 exercises in each one of the combatant
commands informs both the command and control relationships as
well as the necessary rules of engagement and any shortfalls.
And then Cyber Flag by U.S. Cyber Command brings us
together to do the force-on-force and engage and then take that
information back into both the Department's tabletop exercises
as they do strategy as well as war games, like Unified
Engagement, that bring leadership together to think about those
rules of engagement and how the civil leadership wants the
military to perform in that regard. So those exercises are
very, very successful in bringing that information forward.
Mr. Thornberry. The only point I would add--not that it is
you all's responsibility, but I made this point to other folks
in the Department--it seems to me that in this area of cyber
rules of engagement, it is more important than ever for the
Department to engage with Congress because a cyber engagement
is unlikely to take place in a timeframe where we can formerly
pass a declaration of war and authorization to use military
force.
The force that we are talking about here occurs at the
speed of light, and so having that consultation ahead of time
will smooth things for the time when there could be a use of
military force in cyberspace that will start getting into
constitutional issues and a variety of challenges for us on
this side of the river as well as the funny-shaped building
across the way.
So, Mr. Langevin.
Mr. Langevin. I do, Chairman. And in tangential to what the
chairman was just asking that is on my mind, because obviously,
these are very powerful tools, both the offensive and the
defensive side, and we have a lot of things to work through. Do
you believe that you need additional authority to undertake
your current mission sets?
And General, you touched on some of these things already,
but can you describe the legal authorities that govern
offensive and defensive operations, just to delve into it a
little deeper?
General Vautrinot. Sir, probably not my lane, in terms of
the legal authorities, and I certainly look to the Congress to
ensure that we have those authorities to move forward.
However, I can say that in doing operations on a daily
basis and in support of Cyber Command's mission tasking, we
leverage the authority of the intelligence community under
Title 50 of the U.S. code; certainly leverage the authorities
in law enforcement under Title 18 in order to support those
activities; and then of course your Title 32 authorities that
you are very familiar with--I know that you support the 102nd--
it is a Guard unit that works directly with us in mitigating
and responding to emergencies in cyber on a daily basis,
perform those operations under Title 32 for the Guard; and
then, of course, Title 10 operations, which we are most
familiar with in the military.
And the important area is to make sure that we can work
with unity of effort as we are all working toward in the
military and synchronize these things in a way that supports
the nation, both protecting the national security while also
preserving privacy and preserving intellectual property. And
that is the difficulty, is making sure that we ensure all of
those things, rather than trading off, and I applaud the work
that has been done both to dialogue in the Congress and now
going to the debates that will bring us forward in moving those
authorities.
Mr. Langevin. Thank you.
General Hernandez. Congressman, I would add that I, too, am
comfortable that we have the authorities needed to do our
mission. But I would say that most significant is the
legislation that is being worked. And I applaud that for a few
reasons. First, it helps codify and clarify ``dupe''
[duplicate] roles and responsibilities. The second and
important one to all of us is really if we are able to get into
information sharing in ways of looking at protecting our
critical infrastructure, that will now allow us to see things
and do things in real time, where others know things that would
help each other, they are left and right on a daily basis. So I
think that is critical to our work.
Admiral Rogers. And I would echo General Hernandez.
I am comfortable with our ability to execute our mission
set. Now one think I like about the Navy's construct, like the
joint world with General Alexander, the Navy cyber capabilities
both in the Title 10 and Title 50 arena are all OPCON
[Operational Control] to the Fleet Cyber Command and 10th
Fleet, much like General Alexander does in both his Director of
NSA [National Security Agency] as well as Commander, U.S. Cyber
Command, hat. That gives us flexibility.
And as General Hernandez indicated, the biggest issue I see
increasingly over time is the ability to share information
outside the Department and with partner sets that traditionally
we are just not used to dealing with. When I look at the
problem set, it is the nature of the future in this domain.
Mr. Langevin. Thank you.
General Mills. I would echo what my partners here have
said, I would point out that gap that exists between the
authorities we have to protect our critical infrastructure
onboard our bases and the critical infrastructure that exists
out in our local communities that yet support our bases,
electricity and things like that. So that gap in authorities I
think needs to be closed, and I believe that is what the
legislation is going to do. And that is why it is so critical,
I think, to the overall attempts of what we are trying to do.
Mr. Langevin. Very good. Thank you.
Mr. Conaway. Kind of a two-prong question.
One, does the Department of Defense have an adequate
definition of what is and isn't cyber with respect to budgeting
issues and how that all gets captured?
And then, two, acquisition, when you are buying big stuff,
it is obviously a problem to stay on the cutting edge. Your
domain, it would seem to me, would need to be the best tools
available at any one point in time, whether that is software,
hardware, those kind of things. Do you see acquisition
challenges that will prevent your team from having the best F-
35 in the Air Force's case? You know, that is leading to, are
the incremental costs not so much that it is really an issue?
General Vautrinot. Let me talk a little bit about
acquisition because we have had some real movement in this
regard, and I mentioned it in the written testimony as well as
the spoken. When you asked us in the authorization act to look
at the methodology by which we acquire and make it appropriate
for cyber, there is a recognition that the 5,000 series, the
acquisition of very long-term, long-term sustainable bent-metal
type programs is not appropriate to both the rapid change in
cyber as well as the ability to leverage capabilities against
an existing and very dynamic architecture.
And so we have moved forward in both providing real-time
development of tools that can be resident on those
architectures and can leverage the existing architectures,
which certainly we have already been working and provided
capabilities both to U.S. Cyber Command and to the combatant
commands.
The next step in that response is rapid acquisition, which
scales the folks that are doing material acquisition, the
engineers and the acquisition professionals that I would see in
ESC [Electronic Systems Center] as part of Materiel Command,
brought together with the testing environment, brought together
with the professionals in the Air Force, research, laboratory,
all of those folks are coming together, in my case, in Texas,
not to work for each other but to work those elements of
science and technology, prototyping, development, test,
fielding, and training of the forces to use those resources and
those capabilities in real-time.
And so that rapid acquisition is part of the response I
believe you will see from the Department in terms of how we
need to acquire for cyber and move forward more rapidly.
Mr. Conaway. Is that a joint acquisition, or is that each
Service would have their own stovepipe like you are talking
about?
General Vautrinot. Sir, I will defer to OSD AT&L [Office of
the Secretary of Defense for Acquisition, Technology, and
Logistics] as they respond to that, but the methodology is the
methodology that they are exploring. We are the pilot case. We
are actually applying that methodology within the Air Force
down in Texas.
General Hernandez. Congressman, a couple points----
Mr. Conaway. If you don't have anything to say, you don't
have to say. I mean, it is not a required response, but if you
have something, I would appreciate hearing it.
General Hernandez. I would start by saying we are working
very hard to capture all costs associated with this. As you
know, it is not--as you start defining cyber in the three lines
of efforts between operate, defend, and offense, there is a lot
of information technology. And how you sort those costs out is
work going on significantly in all the Services.
Within the Army, the Secretary of the Army has started an
IT [information technology] management reform initiative. There
are several pillars to that, but one of them is to establish a
governance that allows us to get after the cost, and another
one is a process that allows us to acquire IT through an agile
process. In the meantime, as we work through that, we have
worked hard our requirements from both defense and offense.
From a defensive standpoint the network integration
evaluations that we do every 6 months at Fort Bliss, where
everything that we intend to put on the network is tested
there, allows us an opportunity to rapidly test, deliver, and
field capabilities. And at the same time, we look at all of
them to make sure they are bringing no vulnerabilities to our
network. So I believe that will cause the process to go faster
with respect to acquisition from that end.
We do have--are working with an organization in the command
that has given us authorities to rapidly field and test
capabilities that we would need to have quickly if we wanted to
put inside of an operation. But I think the future really is
how we do more of that better and get at capabilities across
all the Services in a joint way.
Admiral Rogers. Sir, the only thing I would add, in the
Navy, this is something we spent some time thinking about, how
do you meet the acquisition challenges in the cyber arena?
While work with our broader joint partners and the broader
standard acquisition mechanisms within our Service, we also,
within Fleet Cyber Command, created a small core R&D [research
and development] capability under my control as operational
cyber commander for the Navy with some seed corn in it, if you
will, that allows me and others to rapidly acquire and develop
kind of top priority cyber capabilities for us that are done
outside, if you will, the traditional acquisition pipeline for
us, with some specific restrictions, if you will, about how we
do it so we are not duplicating the effort of others, but it
has proven to be a great capability for us.
Mr. Conaway. One quick follow-up, and it occurs to me while
we are sitting here thinking, is if we have got an array of
weapons that are appropriate for a Marine company or a platoon,
they are given certain tools and certain weapons that we all
agree to.
In this arena, there seems to be that each of those
operators have the opportunity to either build their own tools
or their own weapons, their own equivalents. Is that--have you
thought about that as a concern yet at this point in time, in
terms of what these folks are able--because these are going to
be bright people, and they are going to be in an arena where
innovation and being the first to be able to do X, Y or Z is a
real issue. And they are going to be--competition and
competitive to try to do that. How do you let that happen but
don't lose control of it?
Admiral Rogers. I will give you my perspective. I think the
positive side is so far we have managed to strike a good
balance that provides for the initiative, which is I think is
at the heart of really one of our positives, both as a nation
and within the Department. At the same time, as we each
generate unique capabilities, if you will, within our Service,
we will push them up in the joint arena to U.S. Cyber Command
and the National Security Agency to kind of act as a central
repository, if you will. And then we will harness that
capability as we are looking at different mission sets and what
tool sets are available out there that other partners have
developed, and we are finding ourselves more and more using
tools and techniques developed by other Services and by our
joint counterparts.
Mr. Conaway. Okay.
Mr. Thornberry. I think we have had provisions in the
fiscal year 2010 and fiscal year 2011 defense authorization
bill on rapid acquisition for cyber.
So I was listening to your answers, but I will make the
same offer, as you work through these issues, if you find that
you need some additional authorities, you know, please let us
know. We have provided some unique authorities in some other
areas, Special Operations and whatnot, and it may well be that
cyber just doesn't fit or somehow the tools available to DOD do
not fit this domain, and so I wanted to make that offer as
well.
Ms. Davis.
Mrs. Davis. Thank you, Mr. Chairman, and I am sorry that I
wasn't able to be here until the last few minutes, but I
certainly appreciate all of your work, your dedication to our
country, thank you very much.
I wanted to just ask a people question, and you may have
already addressed this, but in this unconventional domain in
which we are asking you all to work right now, could you just
talk for a minute about the stress levels and what you're
feeling or finding in terms of morale of the force that is the
feeling in this new area? What are we learning about that? And
are there things that we should be doing to really help and
support people along the way?
General Hernandez. Congresswoman, thank you.
We did have a little bit of this conversation, and I think
the key point I would say is, one, they appreciate being cyber
warriors. They are excited about the opportunity. They are
excited about what they are a part of. And our charge is to
continue to develop them and continue to keep that excitement
because we can't do it without them.
Admiral Rogers. I guess for me it is kind of interesting I
guess the more junior you are in our workforce at least, the
less you think about the challenges and the much more you are
focused on the opportunities and the energy that you bring to
the fight. Generally, as you are more senior, perhaps a little
older, I generally see at that level, you are much more
concerned or really focused on the challenge set. And you see
that stress where you are looking at the range of things that
you know we need to do. You are looking at the range of
resources that you have right now to do it, and you know you
have to prioritize. You have got to focus on what needs to be
fixed first. And so there is always those trade offs. But the
positive side I think is for our workforce, they are energized
by the situation, which is a great thing for us and the Nation.
General Mills. I would offer up the same observation. I
think morale is extraordinarily high because I think that the
people involved in the cyber understand that they are cutting-
edge, and they are developing a new weapon system that is going
to have a huge impact on the battlefield, and they are excited
about that. I think they are also excited about being a part of
ongoing real-world operations, and they understand that what
they are in is not just not simply a training mission or an
exercise, but they are out there doing real things and having a
real impact. I think that enables the morale to stay high,
despite the long hours and perhaps the shortage of personnel we
have from time to time to--morale is not an issue.
General Vautrinot. I will echo my Service counterparts.
There is an excitement. It is a target-rich environment of
things to fix, of things to change and an environment where you
can have so much impact on how the Nation is going to leverage
this capability and how we are going to help to protect the
Nation and meet the requirements. They are rising to that
challenge. I think that is what we see every day is that level
of excitement and that level of commitment.
Mrs. Davis. And do you have any concerns that you won't be
resourced properly? You said sometimes the numbers, as you are
growing more of this force, is that an issue? Are you worried
about that? You probably already talked about that as well.
General Mills. I don't. I think the training pipeline is
long, and so once you identify the personnel and you train them
within your own Service and then get them the joint training
they need to be able to be employed, that takes a while. And so
that is a challenge, but it is a challenge that we can
overcome.
Mrs. Davis. Great.
Thank you, Mr. Chairman.
Mr. Thornberry. Thank you.
Is there any disadvantage to choosing one of the career
fields in cyber right now as far as a long-term military
career? Have we standardized everything so there is no problem
at all, or can you pick one of these new cyber career fields,
stay in it for 20, 30 years, if you want to, and retire and so
forth and move on? Or is there any disadvantage is really my
question?
General Hernandez. I see no disadvantages today. In fact, I
think we talked that word before; they see more opportunity.
And as we develop the domain more and we move to an operational
network, I think we will see more convergence. And with
convergence comes the ability for defenders to also do not just
defense but operate potentially offense, and that is exciting.
And those that are offense will learn skills on how to defend,
and that moves us to a domain that you can really operate in,
and I think that will provide more opportunity and more
excitement for them than being stovepiped or think that they
are too narrowly focused. So getting that balance between
generalization and specialization with great development
opportunities I think is the future here.
Mr. Thornberry. I think that is a fair point. I guess I was
really thinking just more the way the military sees careers and
what it rewards, what it doesn't, who it promotes, all of those
sorts of issues. Do you think we are at a point where these
cyber career fields are treated equitably at least of other
career fields?
General Mills. I think it may about a little too early to
tell the answer to that question.
Mr. Thornberry. Haven't had enough experience yet.
General Mills. Yeah. I don't think there is enough depth
yet, enough officers are enlisted who have gone up for
promotion, et cetera, et cetera. I think that will play out. I
think part of that is incumbent on us to make sure that our
Services are educated as to what the individuals are doing, to
ensure that the Services understand the contribution they are
making, and understand, although their service record may be
unconventional, that in fact, much like special operators, what
they are doing is extraordinary valuable. So there is a--time
will tell.
Mr. Thornberry. Okay. Let me just ask this, thinking
midterm maybe, 3 to 5 years ahead, what technical capabilities
would be your priorities for development? And kind of an
ancillary question, do you have input into your Services' R&D
priorities for the future? That is another area the
subcommittee covers, our S&T programs. So what are your
technical priorities for the next 3 to 5 years? And do you have
input into your Services' research and development program over
that period?
General Hernandez. Congressman, I would answer absolutely
we do. And our R&D priorities are nested with the Department of
Defense's priorities in this arena. We have helped shape
several of the requirements that we know we will need from an
S&T standpoint for the future. And we are also working with a
lot of partners on near-term things that they can assist us
with.
My number one requirement for the near term really would be
capability that increases our situational awareness, that
allows us to see ourselves better, allows us to see the threats
better and allows us to see the cyber terrain we are operating
in. That is not an easy problem, and it is one that we are only
going to be as what we see and as we move through a global
domain, we will have to have better visibility to cross all of
it. So that's my number one short-term requirement.
Admiral Rogers. I would echo General Hernandez, probably
situational awareness, number one. Because if you want to
defend an operation--if you want to defend and operate in an
environment, the human condition, generally you have to be able
to visualize it and you have to be able to understand it in a
way that enables better and quicker decisionmaking,
particularly in this environment. The only other things that
come to my mind are automating--automated decision aids, again,
that increase speed and agility because we are going to
continue to use traditional timelines and methodologies we are
going to be behind the power curve in this domain. And then,
lastly, automating a lot of our defensive capabilities, things
that still require more of a man-in-the-loop than I would like,
for me at least.
Mr. Thornberry. I am sorry, General, if I could interrupt.
So do you have input into the research and development the Navy
puts into those issues, or do you look primarily to the private
sector for some of that?
Admiral Rogers. I do both, to be honest.
Mr. Thornberry. You develop it----
Admiral Rogers. Well, I--and I also look to the private
sector as to what kind of things are you working on that might
have applicability for us.
General Mills. Sir, I would echo what the Admiral said, as
well, and I would add that the Marine Corps looks to develop
ways to make these capabilities expeditionary; how we can
forward-deploy them, how we can support our crisis response
forces that are out forward-deployed at the point of the spear,
how we can bring those with us in an expeditionary manner. I
would also look to help us solve some of the area denial, anti-
access threats that are appearing, and we have to deal with as
we look at, again, maritime operations in areas in which we may
not be welcome. Those are the areas in which we are looking at,
as well as what the Admiral said.
General Vautrinot. Sir, I will address the second first,
and that is, do I have input? And the answer is absolutely. In
the Air Force, we have a core function lead integrator for the
entire Service that looks at each one of the core areas. And
for cyber, that is General Shelton who is Air Force Space
Command. And so, in a prioritization, we directly input, and
that is exactly what came out of the master plan in terms of
the prioritization.
We also do the ``one to n'' priorities associated with
science and technology and the research and development
activities that are being done by our Materiel Command in this
regard. So it is a very direct input, and we are seeing the
benefits of that collaboration and seeing it all come all the
way back into that what kind of capabilities we are now able to
field. So let me answer that portion next.
In the capabilities that we are seeing fielded, on the
defensive side, we talked about the AFNet migration, the Air
Force Network migration, which is an effort to create from the
heterogenous, the very individual networks that were then
brought together to become the network from the way that they
were originally designed, how do you make that more homogenous
and then you are able to apply situational awareness, an
automation to that homogenous network, and so we are very far I
long the path in doing that on our unclassified networks at
every one of the bases worldwide. So we have created an
architecture that says we go under the gateways, everyone comes
through those areas, that allows us to treat everything as an
operational environment and defense in-depth and then apply the
tools to best leverage and give additional capability, so it is
a platform, not discrete individual items thrown at the
problem. So you are doing it in an organized, operational,
normal fashion but at a very rapid pace.
Those same tools can then be applied to protect
infrastructure to look at what the vulnerabilities, the key
terrain in cyber for all of that infrastructure capability. And
I was talking to Congressman Langevin earlier about remote
forensics and the ability to do that in real-time and then
apply the lessons, both from the intelligence community that
are very dear, as well as your understanding of your own
network. So we are seeing both the prioritization and, more
importantly, the application to those priorities to the
capabilities that are right now coming out on both the
defensive and the full spectrum capabilities we are applying to
Cyber Command.
Mr. Thornberry. When you get all those networks working
together, I want to send you over to the finance people at the
Pentagon so maybe they can pass an audit before too long.
Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
General Vautrinot, I wanted to touch on the role of the
Guard since you talked about that in your testimony, and I am
pleased to see that in your testimony, you did highlight the
role of Rhode Island Air National Guard's 102nd Information
Warfare Squadron. Can you talk about how you see the role of
the Air Guard, and Reserve cyber units evolving in future
years? And are these units properly resourced and manned? And
then, in addition to that, I talked about the combat
communications unit in Rhode Island that is going away and how
General McBride is looking to increase, kind of have that role
evolve and have the cyber warfare unit play an expanded role as
that is being replaced. But if you can talk on the role of the
Guard and Reserve and the cyber units and how they are going to
evolve in future years, that would be important.
General Vautrinot. Certainly, sir.
Admiral Rogers would say, a rising tide serves all boats.
In the airmen language, that would be, you need to gain a
little altitude in order to be able to maneuver. The use of the
total force gains us that altitude because these are citizen-
soldiers, and they go back to their communities. So, in the
case, for example, of the 102nd, they are part of the Air Force
Cyber Emergency Response Team.
They are using the same very high-end capabilities that we
just described in their day-to-day mission. It is an
operational mission, and it is serving the Air Force and Cyber
Command, but it also serves in bringing their level of
training, the exact same training and the same equipage, the
same capabilities, they can take that back to their community,
back to their corporate entities that they serve on a day-to-
day basis, and they can apply that same knowledge in the same
way that citizen airmen do when there is a crisis of any kind.
In this kind, it is a very technical application.
So, as we expand that, then we have I guess in cyber, it is
about team, and there really is an ``i'' in team. It is about
industry. It is about the intellectual capital of our
universities, like your University of Rhode Island, who just
got the Center of Excellence Award from NSA, very rare, sir. It
is about interagency, and it is about international
cooperation. And so you bring all of those ``i''s into team,
and literally, what you are doing by bringing the total force
together is expanding that across the Nation so that we can all
apply that.
Do we have sufficient resources? As the Guard does those
transitions from some missions that are no longer most
appropriate in the cyber environment, and so for combat
communications, they are a national treasure, but that treasure
is about hooking up communications in a deployed environment.
And what General Alexander and the Nation needs is the ability
to extend a defensible, robust, trusted network. And so that
extension is the way that we are moving forward in the future,
and so as the Guard would service that intent and that vision,
we would want to repurpose those forces into those kinds of
missions and make sure that we move forward.
In terms of total numbers, for example, the 119th in
Tennessee, a great effort to provide some resilient facilities
in Tennessee. And we are working with the Guard to try to
actually put resources, manpower resources, against that
facility to allow it to be a resilient capability for the
Nation, for the Air Force, on behalf of General Alexander.
So we need the Guard and the Reserve to move in that manner
in order to move this mission forward.
Thank you, sir.
Mr. Langevin. Any other----
General Hernandez. If I could add a few points, we are
working closely with Reserve component, both Guard General
Ingram and Army Reserve General Talley. All those units that
have cyber capability are under the operational control of Army
Cyber Command today. We leverage them routinely. They bring
unbelievable skills to all the mission sets.
There are a couple other areas that there is tremendous
opportunity that we are working with them on. And first is,
what else can they do to help with homeland defense, with the
defense network the National Guard has, not only in a recovery
but in a preventative way with their defenders, as well as
critical infrastructure protection?
The second thing is they have tremendous skills that we
haven't harnessed those skills. We know about where they are,
but they sign into units that are different than the skill set.
We haven't determined how we can best utilize those individual
skill sets. I think there is opportunity there that we are
working on.
The other area, as you know very well, is there are state
partnerships are strong and vibrant in other countries, and our
part of that would be, how do we establish those partnerships
in this domain with other countries where building partnership
capacity is important and there is a cyber element from a state
unit that could support us with that?
And the last one I would highlight is we have a pretty
robust STEM [Science, Technology, Engineering, and Mathematics]
program in e-cyber mission, and I think that there is
tremendous opportunity that we are starting to work with States
from the National Guard perspective to expand that STEM to the
communities.
Mr. Langevin. Yes, sir.
Admiral Rogers. And I would just add on the Navy side, I
find our Reserve teammates among the most flexible and willing
to try new innovative things when it comes to the application
of their capabilities. Every major combatant commander has tier
1 exercises during the course of the year, and the Pacific
TERMINAL FURY is Pacific Command's largest tier 1 exercise
during the course of the year. Like we do with every major
exercise in every major operation, we do we integrate our
Reserve teammates into what with do. For TERMINAL FURY 12, we
decided to try something a little different. Traditionally we
apply skill sets based on a pay grade or a designator if you
will that kind of codifies an individual's background. We
approach the Reserves this time and said, let's try something a
little different. I don't want to specify pay grade; I want to
specify a particular background or skill set in the civilian
sector and see how we would match those like matching by pay
grade, which was just amazing, the amount of capability and
expertise that is resident in that structure when you look at
it slightly differently and their willingness to do that. I
didn't get any pushback at all; was just amazing, and it really
energized them. So it is something we hope in the Navy hope to
build on in the future as a great experience and hope to do
more of them.
Mr. Langevin. General Mills.
General Mills. Our mobilized individual reservists bring
great skill sets with them when they come on Active Duty. They
play a very important role both at my headquarters MARFORCYBER
[Marine Forces Cyber], as well as over at CYBERCOM [U.S. Cyber
Command], where they fill some very critical billets. So very,
very important role for us as well.
Mr. Langevin. The last question I had since obviously the
younger generation seems to obviously take to technology like
fish to water and probably some of the youngest recruits are
going to have some of the most robust skills, what kind of
transparency or situational awareness do you have in terms of
throughout your various Services of those individuals that
aren't assigned or haven't chosen the cyber route as a career
path but that you could potentially tap into and recruit from
the rest of the various aspects of your Services that might at
some point have to think about encouraging them to go into a
career in cyber or that, in the event that the Nation needs
surge in the area of cyber, that you could quickly identify and
tap into and then draw the folks into your various roles? Have
you thought about that and if you could can you talk about that
briefly?
General Hernandez. I will start. We, our personnel systems
have limited visibility on the depth of skills that we would
want to identify for this particular domain. We have an
initiative that we will work total Army that is intended to get
at Active, Reserve component military and civilian called Green
Pages. We have done some pilots in the Army with Green Pages
that says, these are the list of skills that we are looking
for; do you have these skills, sign up for that. And then there
is a potential opportunity for you to serve in these
assignments, and you might get better matches than the way we
currently do it today. But it is a pretty large holistic view
that says what are the skills we would want to have and start
describing those that so that they can tell us what they have
and allow us to get a better utilization of them, but that is
work to do Congressman.
Admiral Rogers. Sir, I think for us--I think it is true for
all the Services--our view is that cyber is so fundamental to
the future that the idea that the only people that we are going
to train are some sort of core specialists, if you will, isn't
where we need to go. So as a Service, we have tried to put a
fundamental layer of cyber education, training, and awareness
across the entire force. As we do that we do that, we quite
frankly also use that as a vehicle to try to find, so who is
out there who would be interested in this, who has some skill
that might be interested in changing rating, if you will, or
specialty? And we have structures in place designed to allow us
to do that. We have been able to do that with a pretty high
degree of success so far about reorienting, if you will, the
workforce internally to align people that their skill sets
against perhaps a different specialty than they started their
journey.
General Mills. We identify those individuals at the entry
level who had that skill set or who are interested in a skill
set or at least had the academic qualifications to be able to
train in those areas. Being relatively a small Service and
joined from basically three communities, which are achieving
narrows that pool down, I think it becomes easier for us to
identify candidates that would do well with the cyber
specialty. We also give marines the opportunity to move from
MOS [Military Occupation Specialty] to MOS at certain times
during their career, during their reenlistments for instance.
And as we draw down in certain areas, we expand within cyber;
our young marines again will pick up on that and will have the
opportunity if they are qualified, they are talented, if they
are interested, to be able to move over into cyber.
We see the cyber warriors, if you will, moving into cyber
and then moving back to their own specialty in communications
or intelligence during their career, and that will grow a pool
of qualified individuals that we could assign if there were in
fact a requirement for a surge at some particular time.
Mr. Langevin. Thanks. Very good.
General Vautrinot. Congressman, on the Active Duty side,
our Air Force personnel center affords extraordinary insight
into the capabilities, the scores, the testing that are done in
the sessions. Particularly for our enlisted force, most of the
career fields in cyber are not accession career fields. We
actually cross-load them based on both their excellence and
those scores on the test and then bring them in and do the
training at a higher level. And so we have no shortage of folks
that want to move across in that crossflow, and it is usually
the program shortfalls that don't allow us to bring them fast
enough, and they are working on those across the board.
On the Guard and Reserve side, there is less visibility,
but I know that our counterparts are trying to work that
visibility, get the kinds of information that Admiral Rogers
mentioned in terms of what kinds of skill sets did they use in
their private employment? What kinds of skill sets did they
have as they were coming through their educational
opportunities that may differ from their current
responsibilities and their current functional designation and
allow us to leverage them and train them in this area, whether
it is applied to their current functions or whether it is
applied directly to the cyber environment?
Mr. Langevin. Very good. I thank you all for your answers
on those, and I am glad you are giving it thought. And
obviously, we are challenged nationally in terms of the number
of people that we have that can go into this field, and the
STEM fields, we have to do a better job at encouraging kids to
go into science, technology, engineering and mathematics.
General, you talked about Cyber Patriot, and we have
created in Rhode Island--and it is a national program; there
are a few different states that are doing it. It is called the
Cyber Challenge program. You take kids that are in high school,
and it is about a 6-week program, and you put them through the
paces. And you take kids that think maybe the computer is
something they do and it is a hobby, but you get them thinking
about a career path in that field and that is what Cyber
Patriot and Cyber Challenge are all about. I thank the
chairman. I yield back.
Mr. Thornberry. So, in that discussion, I think I have this
right, reminds me of Estonia, where after the denial of service
attack that they have suffered, they have people lined up in
banks, in retail all scattered all over the country to help
defend the country in cyberspace if they need to. Maybe that is
the sort of surge capability we need to think about eventually.
Ms. Davis, do you have other questions?
Mrs. Davis. No.
Mr. Thornberry. I think that is it.
Thank you all very much. We appreciate hearing about your
successes, but we also, as we move forward, want to hear about
the challenges you encounter. That, as I said a while ago, I
think that open communication across the river is going to be
especially important in this area. So, again, thanks for being
here.
With that, the hearing stands adjourned.
[Whereupon, at 5:17 p.m., the subcommittee was adjourned.]
=======================================================================
A P P E N D I X
July 25, 2012
=======================================================================
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
July 25, 2012
=======================================================================
Statement of Hon. Mac Thornberry
Chairman, House Subcommittee on Emerging Threats and Capabilities
Hearing on
Digital Warriors: Improving Military Capabilities for Cyber Operations
July 25, 2012
We welcome our witnesses, guests, and members to this
hearing in the Emerging Threats and Capabilities Subcommittee
on ``Digital Warriors: Improving Military Capabilities in the
Cyber Domain.''
There is widespread agreement that cyberspace is now a
domain of warfare, and many people regard it as the most
difficult, perplexing national security challenge we face.
Certainly the laws, policies, and organizations have not kept
pace with the evolution of technology. But if cyberspace is
important to our country's security and if it is a domain of
warfare, our military services, on whom we rely to protect and
defend us, must be prepared to operate in cyberspace as well.
That preparation involves a number of issues, including
organizational structure, recruitment and retention of
qualified personnel, training, rapid acquisition, among others;
and it is those issues which we want to examine in today's
hearing.
Statement of Hon. James R. Langevin
Ranking Member, House Subcommittee on Emerging Threats and Capabilities
Hearing on
Digital Warriors: Improving Military Capabilities for Cyber Operations
July 25, 2012
Thank you, Mr. Chairman and thank you very much to our
witnesses today. It's a pleasure to see you all again and to
have you join us for what I believe is a critically important
hearing.
There is no more critical task in today's environment than
safeguarding the Department of Defense's networks. The cyber
domain has become an integral part of every action DOD
undertakes, whether offensive or defensive. And as operating
environments grow ever more complex, we need joint forces that
are manned, trained, and equipped to conduct the full spectrum
of operations in support of, and in some cases, supported by,
what we think of as traditional military forces.
The Congress, and the country has a whole, has been
struggling with what cybersecurity means to us as a nation.
We're grappling with how to protect our systems and our privacy
at the same time. I'm proud to be part of that robust
discussion. I've helped draft some legislation and co-sponsored
others, and now it looks as if something may be moving over in
the Senate. Let's hope so. I hope today we'll hear your
thoughts on what sorts of additional authorities you may need
and how the proposed legislation may or may not affect those
needs, as well as your thoughts on the delegation of
authorities within the executive branch.
But most importantly, I hope we hear about how you are
finding and retaining the sort of people you need today and for
the future. This is, I believe, the fundamental challenge that
faces us. It is often said that the root strength of our
military is the quality of our people and nowhere is that more
true that in your organizations. As you think about growing
your forces, what thought have you given to where the people
are going to come from? How will you keep them, promote them,
educate them and continue to challenge them, even when outside
organizations are keen to lure people with these skill sets
away to the private sector?
Lastly, I need to take a minute to talk about a topic that
would be irresponsible to avoid. We all know that we are facing
significant fiscal challenges in the coming years, even without
the threat of sequestration looming. Cyber-related activities
are faring reasonably well so far, but nothing is immune, and
even non-cyber-specific cuts could have an impact on your
commands as personnel resources are reduced or research and
development funding decreased. Those are just two examples. As
you look ahead, how do you factor in the possibility of even
more austere fiscal environments? This is a tough question, but
one we must face in order to responsibly address the complex
challenges of the future.
Thank you, Mr. Chairman, for holding this hearing, and I
look forward to a robust discussion.
[GRAPHIC] [TIFF OMITTED] T5668.001
[GRAPHIC] [TIFF OMITTED] T5668.002
[GRAPHIC] [TIFF OMITTED] T5668.003
[GRAPHIC] [TIFF OMITTED] T5668.004
[GRAPHIC] [TIFF OMITTED] T5668.005
[GRAPHIC] [TIFF OMITTED] T5668.006
[GRAPHIC] [TIFF OMITTED] T5668.007
[GRAPHIC] [TIFF OMITTED] T5668.008
[GRAPHIC] [TIFF OMITTED] T5668.009
[GRAPHIC] [TIFF OMITTED] T5668.010
[GRAPHIC] [TIFF OMITTED] T5668.011
[GRAPHIC] [TIFF OMITTED] T5668.012
[GRAPHIC] [TIFF OMITTED] T5668.013
[GRAPHIC] [TIFF OMITTED] T5668.014
[GRAPHIC] [TIFF OMITTED] T5668.015
[GRAPHIC] [TIFF OMITTED] T5668.016
[GRAPHIC] [TIFF OMITTED] T5668.017
[GRAPHIC] [TIFF OMITTED] T5668.018
[GRAPHIC] [TIFF OMITTED] T5668.019
[GRAPHIC] [TIFF OMITTED] T5668.020
[GRAPHIC] [TIFF OMITTED] T5668.021
[GRAPHIC] [TIFF OMITTED] T5668.022
[GRAPHIC] [TIFF OMITTED] T5668.023
[GRAPHIC] [TIFF OMITTED] T5668.024
[GRAPHIC] [TIFF OMITTED] T5668.025
[GRAPHIC] [TIFF OMITTED] T5668.026
[GRAPHIC] [TIFF OMITTED] T5668.027
[GRAPHIC] [TIFF OMITTED] T5668.028
[GRAPHIC] [TIFF OMITTED] T5668.029
[GRAPHIC] [TIFF OMITTED] T5668.030
[GRAPHIC] [TIFF OMITTED] T5668.031
[GRAPHIC] [TIFF OMITTED] T5668.032
[GRAPHIC] [TIFF OMITTED] T5668.033
[GRAPHIC] [TIFF OMITTED] T5668.034
[GRAPHIC] [TIFF OMITTED] T5668.035
[GRAPHIC] [TIFF OMITTED] T5668.036
[GRAPHIC] [TIFF OMITTED] T5668.037
[GRAPHIC] [TIFF OMITTED] T5668.038
[GRAPHIC] [TIFF OMITTED] T5668.039
[GRAPHIC] [TIFF OMITTED] T5668.040
[GRAPHIC] [TIFF OMITTED] T5668.041
[GRAPHIC] [TIFF OMITTED] T5668.042
[GRAPHIC] [TIFF OMITTED] T5668.043
[GRAPHIC] [TIFF OMITTED] T5668.044
[GRAPHIC] [TIFF OMITTED] T5668.045
[GRAPHIC] [TIFF OMITTED] T5668.046
?
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
July 25, 2012
=======================================================================
QUESTIONS SUBMITTED BY MR. THORNBERRY
Mr. Thornberry. One of the main tools you have for defending your
networks is something called the Host-Based Security System (HBSS).
a. How has your experience been in implementing this system and
what improvements might you recommend for similar programs in the
future? b. Have you implemented the necessary tactics, techniques and
procedures to maximize the use of this tool? c. What capabilities would
you like to see integrated into future generations of HBSS?
General Hernandez. Our experience has shown the technology provides
significant host protection from threats, internal and external and
will only improve as our operational use matures. Programs of this
magnitude require a clear implementation, training, and sustainment
strategy to provide resources, people and money and we have worked to
close gaps in initial fielding tactics, techniques, and procedures,
sustainment training and manning requirements to establish a baseline
that will enable us to fully leverage the capabilities of the tool.
While we continue to assess our capability gaps, the ability of HBSS to
deliver Cyber SA with minimum latency and the capability to develop
custom modules to address unique requirements improves our defensive
stance. The inclusion of HBSS event data into existing IA/CND processes
will further enhance our capability to defend All Army networks.
Mr. Thornberry. How are your Services leveraging in-house graduate
educational facilities, like the Air Force Institute of Technology
(AFIT) or the Naval Postgraduate School (NPS), as well as DOD
accredited programs, such as the National Centers of Academic
Excellence in Cyber Operations, in order to improve workforce training
and education?
General Hernandez. ARCYBER continues to take a holistic approach by
leveraging the constellation construct for both training and
development to improve workforce training and education. The construct
consists of U.S. Government, Academia and Industry elements, each are
discussed below in both current and future actions, and will complement
each other to provide a more capable workforce.
Currently ARCYBER is leveraging U.S. Government developmental
activities and capabilities to take advantage of efficiencies and
future requirements. These activities include: The DOD Joint
Information Operations (IO) Range, Government Laboratories (such as:
Sandia, Army Research Laboratories, Johns Hopkins applied Physics
Laboratory, Adelphi, and Aberdeen Proving Ground Cyber Test
Laboratory), and continuous coordination with United States Cyber
Command, U.S. Strategic Command (USSTRATCOM), and Office of the
Secretary of Defense (OSD) Cyber initiatives. Future activities will
include increased partnerships with DHS, FBI, DARPA, DOD, and the
Intelligence community. Examples of early successes include five USMA
faculty and cadets summer internships with ARCYBER through the Advanced
Individual Academic Development (AIAD) program. Shortly, ARCYBER will
benefit from more than 14 interns from the Army Civilian Training,
Education Development System (ACTEDS). Moreover, ARCYBER will be an
active contributor to the Service and USG cyber lessons learned
programs.
Current Academic developmental activities include: Cooperation with
the Air Force Institute of Technology (AFIT) and its Masters Program,
and the ARCYBER scholarship program. This program is a two-year,
degree-producing program open to regular Army (RA) captains and majors
in the maneuver, fires & effects, operations support, and force
sustainment branches. Three officers per year pursue a master's degree
in cyber security at the University of Maryland (with additional
universities to be added). Though we are still assessing how best to
integrate and execute the NSA/DHS National Centers of Academic
Excellence training, it is a key component of our future training and
developing way ahead. We have two students attending the Naval Post
Graduate School and ARCYBER will receive three second-year masters
candidates in the NSA Information Assurance Scholarship Program (IASP)
in the spring of 2013. ARCYBER is continuing to address organizing
cyber within the Army e-Learning and Continuing Education Program. For
example, ARCYBER supports Civilian Career Program 34's, Information
Technology Management, and Cyber Academy Training Framework through
partnerships with University of Maryland University College (national
policy and law), University of Maryland Baltimore County (secure S/W
engineering), George Mason University (ethical hacking/analysis) and
Carnegie Mellon University (operational security). Future activities
will include Senior Service college ``Cyber fellows,'' RAND Cyber
Fellowships, and efforts to identify and recruit cyber talent from ROTC
programs and the USMA.
Industry is the third leg in training and development. It is
critical in providing additional current and future capabilities/
requirements as well as leveraging emerging trends and capabilities and
will assist in ensuring our DOD programs and in-house educational
activities are developed accordingly. Current developmental activities
with industry include: Coordination with Defense contractor
Laboratories, Training with Industry (e.g. MIT/Lincoln Labs, Lockheed
Martin, and Cisco), and participation in trade conferences (e.g. the
Armed Forces Communications and Electronics Association [AFCEA] and the
Association of the U. S. Army [AUSA]). Future activities will include:
Establishing additional industry research partners; Science and
Technology (S&T) outreach; Leveraging partner expertise to manage
problems; and increased recruiting and cyber training with industry.
Conclusion: A key attribute of the ARCYBER vision is to develop a
trained, professional team to complete our roles as the Army Service
Component to U.S. Cyber Command; To train, organize, and equip forces;
To provide Cyber Education, Training, and Leader Development; and
Execute Cyber Proponent functions. The three part constellation
approach is our way of getting at the issues of developing a workforce
in a dynamic environment. Our approach continues to evolve.
Mr. Thornberry. One of the main tools you have for defending your
networks is something called the Host-Based Security System (HBSS).
a. How has your experience been in implementing this system and
what improvements might you recommend for similar programs in the
future? b. Have you implemented the necessary tactics, techniques and
procedures to maximize the use of this tool? c. What capabilities would
you like to see integrated into future generations of HBSS?
Admiral Rogers. HBSS is a complex suite of cyber security tools
that is a critical element of the Navy's cyber defense posture.
Implementing this system throughout the Navy's afloat and shore-based
environments has presented unique challenges.
Our primary challenge has been its implementation in the afloat
environment. Navy modernization and fielding processes were not
developed with today's constantly evolving Cyber threats and
vulnerabilities in mind; thus, it can take up to three years to place a
new capability onboard an afloat platform. In contrast, updates to HBSS
are released by the Defense Information Systems Agency (DISA) every six
months. As a result, the Navy continues to lag in installs and updates
mandated by United States Cyber Command (USCC). While the Navy has
strived to address the problem for our most vulnerable systems and
deployed HBSS to Secure Internet Protocol Network (SIPRNET) on all Navy
and Military Sealift Command (MSC) platforms in 2011, the complexity of
installs, current processes, and funding constraints have delayed
installs of HBSS on Sensitive but Unclassified (SBU) IP Data (also
known as NIPRNET), which will not be completed before FY14.
In our shore-based environment, the Navy has encountered challenges
with scalability of HBSS. Our Navy and Marine Corps Intranet (NMCI)
networks are larger than most networks encountered in the private
sector, and we have had difficulty configuring HBSS to accommodate
larger network environments. While the vendor has responded to
technical problems, these issues have challenged the Navy's ability to
be fully compliant with USCC orders for installation of HBSS. For any
future similar programs, scalability should be a key factor when
designing solutions.
The Navy is leveraging HBSS Tactics, Techniques and Procedures
(TTPs) developed by USCC and continuing Service-specific efforts to
develop additional TTPs. Additionally, we are leveraging best practices
within the Service, such as those developed by Naval Air Systems
Command (NAVAIR), to better manage HBSS and ensure it meets our
operational needs. The Navy also continues to develop Standard
Operating Procedures (SOPs) and other documentation and training that
aid in operationalizing HBSS to provide actionable and timely
information to Cyber decisionmakers and operational commanders. Future
capabilities we would like integrated in future HBSS generations should
account for legacy hardware/software network environments. Capabilities
should also address low-bandwidth operations and upgrade installment
flexibility to account for the unique requirements of the U.S. Navy. We
continue to work closely with our partners at USCC and DISA to further
refine operational concepts, and ensure follow on versions and
acquisition efforts take advantage of lessons learned. We remain
especially focused on ensuring acquisition efforts and system release
schedules are tied closely to operational requirements and are
sensitive to operational environments.
Mr. Thornberry. How are your Services leveraging in-house graduate
educational facilities, like the Air Force Institute of Technology
(AFIT) or the Naval Postgraduate School (NPS), as well as DOD
accredited programs, such as the National Centers of Academic
Excellence in Cyber Operations, in order to improve workforce training
and education?
Admiral Rogers. Navy is leveraging in-house graduate educational
facilities and DOD accredited programs through close coordination with
these institutions and a focus on a smart post-education placement
process to ensure our most recently educated Sailors and civilians are
detailed to positions which will benefit the Navy most. We recognize
that affording our personnel graduate educational opportunities is
critical to maintaining our expertise as we drive advancements in Navy
cyberspace operations. With the quickly evolving nature of cyber, it is
absolutely critical that the educational partners and programs we
leverage keep pace with the changing cyber landscape.
To that end, the U.S. Navy leverages education and training from
six major programs:
Air Force Institute of Technology (AFIT) and Naval Postgraduate
School (NPS) In 2002, AFIT and the Naval Postgraduate School formed an
educational alliance to eliminate duplicate degree programs in the
fields of Oceanography and Aeronautical Engineering, and consolidate
educational resources. Navy continues its close coordination with AFIT
to refine course requirements, explore potential resource
consolidations, and improve quality.
NPS
NPS offers an 18-month Master of Science degree in Cyber Systems
and Operations that addresses a broad range of cyberspace operations
such as computer network attack, defense, and exploitation; cyber
analysis, operations, planning and engineering; and cyber intelligence
operations and analysis. Navy will graduate 14 officers from this
program in FY12 and is programmed to send 14 officers in FY13 per the
approved Officer Graduate Education Quota Plan.
NPS's Graduate School of Operational and Information Sciences
offers an Information Systems and Operations (ISO) Certificate Program.
This warfighter-oriented degree program focuses on integrating
information technologies, command and control processes, and
Information Operations (IO) methods and elements into innovative
operational concepts for IO in the context of Network Centric Warfare.
Since the program's inception in 2002, 318 officer, enlisted and
civilian personnel have completed this certificate program.
The Information Systems and Technology (IST) certificate program
provides an educational opportunity that is essential to helping the
U.S. military reach information superiority in the operational
environment. It offers advanced education in areas essential to
enabling global networked communications, including: databases, systems
analysis and design, decision support systems, and network security.
Since the program's inception in 2003, approximately 96 officer and
enlisted personnel have completed this certificate program. Both
programs are taught via asynchronous Web-based media (i.e., the
Internet). The asynchronous nature of these certificates has allowed us
to deliver these certificates to deployed forces at sea and ashore.
Additionally, NPS will offer a 12-month Enlisted Cyber Master's
Degree in September 2012 that provides selected Navy Sailors a Master
of Science in Cyber Systems and Operations; Security and Technology.
Selectees are assigned to a Navy-funded education program as full-time
students under permanent change of station orders to Monterey, CA. Navy
is sending five sailors through this program this year.
Finally, NPS just completed the approval process for a resident
Master of Science, Network Operations and Technology degree that begins
this fall and has eight officers scheduled to attend in 2013.
Masters of Information Technology Strategy (MITS)
In 2010, the Chief of Naval Operations directed the creation of the
Masters of Information Technology Strategy (MITS) pilot program in
partnership with Carnegie Mellon University (CMU). This program affords
civilian and military IDC personnel the opportunity to attend CMU for a
16-month Master's degree program in cyber-related disciplines. The
degree conferred is a Master's Degree in Information Technology and
Strategy (MITS) and is a cooperative endeavor between of the College of
Engineering (CIT), School of Computer Science (SCS), and College of
Humanities and Social Sciences (H&SS). The initial cohort of two
military and three civilians students commenced August 2011, and the
second group of four commenced in August 2012.
National Defense University (NDU)
NDU's Government Information Leadership (GIL) Master of Science is
a 39-credit hour curriculum of the GIL Master of Science Degree Program
and offers a combination of information management, technology, and
leadership intensive courses. Navy currently has 36 Master's degree
enrollments and 497 certificate enrollments.
NDU's ``iCollege'' Chief Information Officer (CIO) Program is the
recognized leader in graduate education for Federal CIO leaders and
agency personnel. It directly aligns with the Federal CIO Council-
defined CIO competencies and addresses the Clinger-Cohen Act and other
relevant legislation mandates. It is sponsored by the DOD CIO.
United States Naval Academy (USNA)
Although an undergraduate program, USNA's Center for Cyber Security
Studies is an important investment as it enhances workforce education
and training at the Service academy level. Established in 2009, the
Center provides support for the proposed curricular and professional
reforms across the Naval Academy and encompasses support for all
programs that contribute to the knowledge, study and research of cyber
warfare.
NSA/DHS National Centers of Academic Excellence
National Security Agency (NSA) and the Department of Homeland
Security (DHS) jointly sponsor the National Centers of Academic
Excellence in Information Assurance (IA) Education (CAE/IAE), IA 2-year
Education and Training (CAE/2Y) and IA Research (CAE/R) programs. The
goal of these programs is to reduce vulnerability in our national
information infrastructure by promoting higher education and research
in IA and producing a growing number of professionals with IA expertise
in various disciplines. Students attending CAE/IAE or CAE/R designated
schools are eligible to apply for scholarships and grants through the
Department of Defense Information Assurance Scholarship Program (IASP)
and the Federal Cyber Service Scholarship for Service Program. NPS is a
participant in this program.
To date, 84 uniformed and civilian Navy personnel have participated
in the DOD IASP from commands across the Navy.
Mr. Thornberry. One of the main tools you have for defending your
networks is something called the Host-Based Security System (HBSS).
a. How has your experience been in implementing this system and
what improvements might you recommend for similar programs in the
future? b. Have you implemented the necessary tactics, techniques and
procedures to maximize the use of this tool? c. What capabilities would
you like to see integrated into future generations of HBSS?
General Mills. a. The Marine Corps had little trouble implementing
HBSS as directed by USCYBERCOM. Challenges to the installation of HBSS
included anticipating and mitigating the potential impacts that various
modules could have on specific applications within the Marine Corps
Enterprise Network (MCEN). We recommend that future programs of this
type are designed and implementation timelines determined with Service
involvement at the earliest stages of development.
b. The Marine Corps continuously strives to improve our Tactics,
Techniques, and Procedures in an effort to maximize our defense in
depth strategy and enhance our security posture. There is more work to
be done in order to realize the benefits of HBSS--we need to train more
marines on the various modules and their employment, baseline, and
tuning. We need to educate commanders on the benefits of full
implementation and utilization of HBSS.
c. The Marine Corps recommends four areas of improvement for HBSS:
(1) HBSS lacks the redundancy provided by other critical IT
systems. The capability for production HBSS server suites to mirror
each other does not exist. The strength of the HBSS architecture could
be greatly improved if clients could seamlessly fail-over between
geographically separate servers.
(2) HBSS could be utilized to assist in the Information Assurance
Vulnerability Management (IAVM) program by analyzing systems for
critical vulnerabilities. Ideally, the DOD HBSS Program Manager could
obtain or develop benchmarks within HBSS to detect vulnerabilities of
interest published by the IAVM program.
(3) The number of local events logged at the local machine should
be pushed up to the enterprise level. Enterprise logging will allow
Computer Network Defense Service Providers (CNDSPs) to more effectively
respond to incidents and therefore better defend networks. (Examples
are of Data Loss Prevention (DLP) which identifies USB usage on DOD
Networks and Host Intrusion Prevention System (HIPS) which monitors
traffic for anomalies.
(4) We would like to see the continued integration of industry best
practice solutions into the management console to provide a single
optimized interface for operators. It is also important that the DOD
fully employ HBSS and the associated existing modules. Once those
efforts are complete, a true gap analysis can be conducted and specific
areas within our network architecture that lack coverage can be
identified, addressed, and mitigated.
Mr. Thornberry. How are your Services leveraging in-house graduate
educational facilities, like the Air Force Institute of Technology
(AFIT) or the Naval Postgraduate School (NPS), as well as DOD
accredited programs, such as the National Centers of Academic
Excellence in Cyber Operations, in order to improve workforce training
and education?
General Mills. The Marine Corps actively participates in the
Department of Defense Information Assurance Scholarship Program, which
provides access for both enlisted and officer students to AFIT, NPS,
the National Defense University, Capitol College, George Mason, and
other National Centers of Academic Excellence in Cyber Operations for
graduate degrees in cyberspace security, information assurance, and
computer security fields.
Through the National Intelligence University, marines with
intelligence-related military occupational specialties are able to
complete a Master of Science of Strategic Intelligence. Although this
curriculum does not include cyber-specific courses as part of the core
requirement, students are able to tailor their electives and focus
thesis topics to include cyber operations.
The Marine Corps is currently in discussions with Northern Virginia
Community College to establish a program to provide college credit for
marines receiving military training and experience within the
cyberspace operations workforce.
The Marine Corps University has initiated additional curricula in
its educational programs that include topics in cyberspace operations,
cyberspace planning, cyberspace law, and cyberspace implementation
theories. Thus far, the Marine Corps University has had one class
complete its program of instruction with this additional material.
Initial feedback is that it was well received, and the Marine Corps
University is evaluating comments to refine its curricula for future
courses.
The Marine Corps also leverages cyber and cyber-related courses
through NSA's National Cryptologic Schools for personnel serving at the
Marine Cryptologic Support Battalion and the operating forces' Radio
Battalions which provide Signals Intelligence and cyber related support
to the Marine Air Ground Task Force, USCYBERCOM through MARFORCYBER,
and the National Security Agency. Additionally, the Marine Corps uses
the U.S. Navy's Joint Cyber Analysis Course (JCAC) and the Joint
Network Attack Course to train enlisted marines and officers in cyber
and cyber-related skill sets for MOS development.
Mr. Thornberry. One of the main tools you have for defending your
networks is something called the Host-Based Security System (HBSS).
a. How has your experience been in implementing this system and
what improvements might you recommend for similar programs in the
future? b. Have you implemented the necessary tactics, techniques and
procedures to maximize the use of this tool? c. What capabilities would
you like to see integrated into future generations of HBSS?
General Vautrinot. a. The Air Force continues to address the
challenges of integrating and sustaining HBSS within existing
architecture as well as incorporating it within the numerous critical
mission systems operating on the Air Force provisioned portion of the
Global Information Grid. In addition to the challenges with fixed HBSS
implementations, expeditionary environments present additional risks in
HBSS employment, such as saturating downrange bandwidth and remaining
compliant. HBSS is critical to our Net Defense posture and we will
continue to review its fielding, operating, training and sustaining
needs.
b. The Air Force has taken significant action to maximize the HBSS
capability's effectiveness in increasing the defensive posture of our
network and IP-capable assets. We use the capability to generate
enterprise-wide situational awareness information, which is critical
for enabling and maintaining Command and Control across the network.
Expeditionary systems are now deployed with current patches and
policies to reduce or eliminate the initial unresponsive period when
updates were installed. Additionally, we continue to establish key Net
Defense policies, which are implemented across the Air Force and shared
with our DOD partners, to defend against active, future and existing
threats.
c. The HBSS capability has numerous critical network defense
capabilities that can identify existing vulnerabilities and report that
information for action to our operators who then must take intensive,
manual remediation and mitigation actions. The next step is integrating
into HBSS the capability to identify vulnerabilities and executing
automatic actions to remediate and mitigate the deficiency. This would
increase our capacity to leverage capabilities in support of the Joint
fight.
Mr. Thornberry. How are your Services leveraging in-house graduate
educational facilities, like the Air Force Institute of Technology
(AFIT) or the Naval Postgraduate School (NPS), as well as DOD
accredited programs, such as the National Centers of Academic
Excellence in Cyber Operations, in order to improve workforce training
and education?
General Vautrinot. Air Force Space Command (AFSPC) and Air
Education and Training Command (AETC) have established a full-range
cyber training and education construct that begins in Basic Military
Training and follows a challenging path that includes specialized
cyber-focused graduate degrees.
In addition to cyber-focused graduate programs (MS/PhD) in Computer
Science, Computer Engineering and Electrical Engineering with research
focused on such areas as encryption algorithms, botnet disruption,
network intrusion detection, and wireless network security, AFIT offers
two Master's programs in cyber operations and cyber warfare. The 18-
month Cyber Operations Master's Program provides extensive hands-on
laboratory experience with both offensive and defensive measures and
countermeasures, and is open to officers, enlisted, and civilians. The
12-month Cyber Warfare Degree Program for Majors and civilian
equivalents provides a developmental education opportunity that
addresses technical as well as policy and doctrine aspects of cyber
operations.
The Information Assurance Certificate Program (IACP) is a subset of
the Master of Science program. Students completing the required
coursework are eligible for certificates under National Training
Standards as an Information Security Professional, Senior System
Manager, and Senior Risk Analyst.
On June 19, 2008, the Secretary and Chief of Staff of the Air Force
designated AFIT and the Center for Cyberspace Research (CCR) as the Air
Force's Cyberspace Technical Center of Excellence (CyTCoE). The Center
serves as a bridge between the operational AF cyber forces and various
cyber research, education, and training communities across the Air
Force, the DOD, and national organizations.
The Center provides cyberspace professional continuing education
for currency and professional development of the cyberspace workforce.
The Air Force's Cyber 200 and 300 are Joint-accredited professional
development courses designed to increase the depth and breadth of cyber
operations understanding and to prepare individuals to apply cyber
capabilities and concepts in Joint military operations. These courses
are available to and attended by our Joint brethren in an effort to
standardize training and proficiency across the DOD. The Air Force is
also in the process of establishing disclosure guidance that will allow
our international partners to send individuals to Cyber 200 and 300.
The Air Force also utilizes graduate-level educational
opportunities offered by our DOD and Agency partners such as the
Information Assurance Scholarship Program (IASP) and the Computer
Network Operations Development Program (CNODP). The IASP is open to all
Air Force officers and is designed to retain a corps of highly skilled
IA professionals to accommodate diverse warfighting and mission
requirements. The CNODP is an intense, 3-year graduate-level internship
at the National Security Agency that develops technical leaders who
will lead the DOD and Services' employment of cyber capabilities.
Graduates of this program receive focused follow-on assignments that
capitalize on their breadth and depth of knowledge.
______
QUESTIONS SUBMITTED BY MR. LANGEVIN
Mr. Langevin. How are your Services leveraging both in-house
graduate educational facilities and DOD accredited programs, such as
the NSA/DHS National Centers of Academic Excellence?
General Hernandez. ARCYBER continues to take a holistic approach by
leveraging the constellation construct for both training and
development to improve workforce training and education. The construct
consists of U.S. Government, Academia and Industry elements, each are
discussed below in both current and future actions, and will complement
each other to provide a more capable workforce.
Currently ARCYBER is leveraging U.S. Government developmental
activities and capabilities to take advantage of efficiencies and
future requirements. These activities include: The DOD Joint
Information Operations (IO) Range, Government Laboratories (such as:
Sandia, Army Research Laboratories, Johns Hopkins applied Physics
Laboratory, Adelphi, and Aberdeen Proving Ground Cyber Test
Laboratory), and continuous coordination with United States Cyber
Command, U.S. Strategic Command (USSTRATCOM), and Office of the
Secretary of Defense (OSD) Cyber initiatives. Future activities will
include increased partnerships with DHS, FBI, DARPA, DOD, and the
Intelligence community. Examples of early successes include five USMA
faculty and cadets summer internships with ARCYBER through the Advanced
Individual Academic Development (AIAD) program. Shortly, ARCYBER will
benefit from more than 14 interns from the Army Civilian Training,
Education Development System (ACTEDS). Moreover, ARCYBER will be an
active contributor to the Service and USG cyber lessons learned
programs.
Current Academic developmental activities include: Cooperation with
the Air Force Institute of Technology (AFIT) and its Masters Program,
and the ARCYBER scholarship program. This program is a two-year,
degree-producing program open to regular Army (RA) captains and majors
in the maneuver, fires & effects, operations support, and force
sustainment branches. Three officers per year pursue a master's degree
in cyber security at the University of Maryland (with additional
universities to be added). Though we are still assessing how best to
integrate and execute the NSA/DHS National Centers of Academic
Excellence training, it is a key component of our future training and
developing way ahead. We have two students attending the Naval Post
Graduate School and ARCYBER will receive three second-year masters
candidates in the NSA Information Assurance Scholarship Program (IASP)
in the spring of 2013. ARCYBER is continuing to address organizing
cyber within the Army e-Learning and Continuing Education Program. For
example, ARCYBER supports Civilian Career Program 34's, Information
Technology Management, and Cyber Academy Training Framework through
partnerships with University of Maryland University College (national
policy and law), University of Maryland Baltimore County (secure S/W
engineering), George Mason University (ethical hacking/analysis) and
Carnegie Mellon University (operational security). Future activities
will include Senior Service college ``Cyber fellows,'' RAND Cyber
Fellowships, and efforts to identify and recruit cyber talent from ROTC
programs and the USMA.
Industry is the third leg in training and development. It is
critical in providing additional current and future capabilities/
requirements as well as leveraging emerging trends and capabilities and
will assist in ensuring our DOD programs and in-house educational
activities are developed accordingly. Current developmental activities
with industry include: Coordination with Defense contractor
Laboratories, Training with Industry (e.g. MIT/Lincoln Labs, Lockheed
Martin, and Cisco), and participation in trade conferences (e.g. the
Armed Forces Communications and Electronics Association [AFCEA] and the
Association of the U. S. Army [AUSA]). Future activities will include:
Establishing additional industry research partners; Science and
Technology (S&T) outreach; Leveraging partner expertise to manage
problems; and increased recruiting and cyber training with industry.
Conclusion: A key attribute of the ARCYBER vision is to develop a
trained, professional team to complete our roles as the Army Service
Component to U.S. Cyber Command; To train, organize, and equip forces;
To provide Cyber Education, Training, and Leader Development; and
Execute Cyber Proponent functions. The three part constellation
approach is our way of getting at the issues of developing a workforce
in a dynamic environment. Our approach continues to evolve.
Mr. Langevin. Could each of you explain the Command and Control
Relationships between your respective Service Cyber Components and
CYBERCOM, regional combatant commanders, and other command structures?
General Hernandez. Army Cyber Command (ARCYBER) operates under the
Operational Control (OPCON) of USCYBERCOM (USCC). As the Army's Service
component to USCC, Army Cyber Command exercises the designated command
and control authority and responsibility over trained and ready Army
forces, in support of Unified Land Operations, to ensure U.S./Allied
freedom of action in cyberspace.
A significant example is the 780th Military Intelligence Brigade
(780th MI BDE) (Cyber), which supports USCYBERCOM and combatant command
cyberspace operations. ARCYBER has OPCON of the brigade, which conducts
signals intelligence and computer network operations, and enables
Dynamic Computer Network Defense of Army and Department of Defense
networks.
The Army's Network Operations Security Centers and the Regional
Computer Emergency Response Teams are also under the OPCON of ARCYBER.
Control of these units has increased unity of command for the operation
and defense of our networks. Additionally, Reserve Component cyber and
information operations organizations are now OPCON to ARCYBER.
The Army has delegated OPCON of the Network Enterprise Technology
Command (NETCOM) to ARCYBER and the Secretary of the Army has delegated
OPCON of the 1st Information Operations Command.
There is no command relationship between ARCYBER and the Regional
Combatant Commands. To facilitate seamless integration, USCYBERCOM
directed the establishment of Cyber Security Elements (CSEs) to support
each of the Combatant Commands. The CSEs function under the OPCON of
USCYBERCOM in direct support of the respective Combatant Commands.
USCYBERCOM provides direct support to Regional Combatant Commanders
through its Service components. ARCYBER leads the Joint effort for
USCYBERCOM to provide cyber support to U.S. Central Command and U.S.
Northern Command.
Headquarters Department of the Army (HQDA) retains administrative
control over ARCYBER and is responsible to man, train, and equip Army
cyber forces. While ARCYBER provides support to both Joint and Army
commands, it currently has no established command relationship with
other Army Major Commands (MAJCOMs), Army Service Component Commands
(ASCCs), or Army Direct Reporting Units (DRUs).
Mr. Langevin. The value of red-teaming--threat emulation--was
proven perhaps most clearly in the Vietnam War with the establishment
of Top Gun. The Director for Operational Test and Evaluation (DOT&E)
has identified a shortfall in threat emulation and red teaming
capabilities across the FYDP. What is each of the Services doing to
address these shortfalls? Is the DOD investing adequately in the test
capabilities and range environments that will be needed to remain
current with advancing technologies?
General Hernandez. Army Cyber Command established the World Class
Cyber Opposing Force (WCCO) to provide live, interactive, expert, and
realistic adversarial emulation in support of Army Training and Leader
Development activities at the National Training Center and in support
of COCOM exercises. The WCCO builds upon and compliments existing red
team capability in 1st Information Operations Command and 780th
Military Intelligence Brigade, extending its mission beyond traditional
Information Assurance focused activities to include broader training
and leader development. The WCCO supports the Army's Opposing Force
program, providing a wide range of adversary ``Information Warfare''
activities during training events, to include Computer Network Attack
and Exploitation, Deception, and Propaganda.
Recognizing overall Army shortfalls in cyber capacity, we are
increasing our investment in all Defensive Cyber Operations (DCO)
forces which, in addition to adversary emulation, includes advanced
capabilities for adversary hunting and cyber vulnerability assessments.
While they support Army units from a blue perspective, they provide
many of the same benefits as traditional red teams. Beginning in FY14,
the planned growth in DCO capability will significantly improve our
ability to both protect Army systems and information and better
incorporate red team activity into training activities.
DOD leverages numerous cyber range capability for the purpose of
training and leader development, capability test and evaluation, and
modeling and simulation.
Mr. Langevin. How are your Services leveraging both in-house
graduate educational facilities and DOD accredited programs, such as
the NSA/DHS National Centers of Academic Excellence?
Admiral Rogers. Navy is leveraging in-house graduate educational
facilities and DOD accredited programs through close coordination with
these institutions and a focus on a smart post-education placement
process to ensure our most recently educated Sailors and civilians are
detailed to positions which will benefit the Navy most. We recognize
that affording our personnel graduate educational opportunities is
critical to maintaining our expertise as we drive advancements in Navy
cyberspace operations. With the quickly evolving nature of cyber, it is
absolutely critical that the educational partners and programs we
leverage keep pace with the changing cyber landscape.
To that end, the U.S. Navy leverages education and training from
six major programs:
Air Force Institute of Technology (AFIT) and Naval Postgraduate
School (NPS) In 2002, AFIT and the Naval Postgraduate School formed an
educational alliance to eliminate duplicate degree programs in the
fields of Oceanography and Aeronautical Engineering, and consolidate
educational resources. Navy continues its close coordination with AFIT
to refine course requirements, explore potential resource
consolidations, and improve quality.
NPS
NPS offers an 18-month Master of Science degree in Cyber Systems
and Operations that addresses a broad range of cyberspace operations
such as computer network attack, defense, and exploitation; cyber
analysis, operations, planning and engineering; and cyber intelligence
operations and analysis. Navy will graduate 14 officers from this
program in FY12 and is programmed to send 14 officers in FY13 per the
approved Officer Graduate Education Quota Plan.
NPS's Graduate School of Operational and Information Sciences
offers an Information Systems and Operations (ISO) Certificate Program.
This warfighter-oriented degree program focuses on integrating
information technologies, command and control processes, and
Information Operations (IO) methods and elements into innovative
operational concepts for IO in the context of Network Centric Warfare.
Since the program's inception in 2002, 318 officer, enlisted and
civilian personnel have completed this certificate program.
The Information Systems and Technology (IST) certificate program
provides an educational opportunity that is essential to helping the
U.S. military reach information superiority in the operational
environment. It offers advanced education in areas essential to
enabling global networked communications, including: databases, systems
analysis and design, decision support systems, and network security.
Since the program's inception in 2003, approximately 96 officer and
enlisted personnel have completed this certificate program. Both
programs are taught via asynchronous Web-based media (i.e., the
Internet). The asynchronous nature of these certificates has allowed us
to deliver these certificates to deployed forces at sea and ashore.
Additionally, NPS will offer a 12-month Enlisted Cyber Master's
Degree in September 2012 that provides selected Navy Sailors a Master
of Science in Cyber Systems and Operations; Security and Technology.
Selectees are assigned to a Navy-funded education program as full-time
students under permanent change of station orders to Monterey, CA. Navy
is sending five sailors through this program this year.
Finally, NPS just completed the approval process for a resident
Master of Science, Network Operations and Technology degree that begins
this fall and has eight officers scheduled to attend in 2013.
Masters of Information Technology Strategy (MITS)
In 2010, the Chief of Naval Operations directed the creation of the
Masters of Information Technology Strategy (MITS) pilot program in
partnership with Carnegie Mellon University (CMU). This program affords
civilian and military IDC personnel the opportunity to attend CMU for a
16-month Master's degree program in cyber-related disciplines. The
degree conferred is a Master's Degree in Information Technology and
Strategy (MITS) and is a cooperative endeavor between of the College of
Engineering (CIT), School of Computer Science (SCS), and College of
Humanities and Social Sciences (H&SS). The initial cohort of two
military and three civilians students commenced August 2011, and the
second group of four commenced in August 2012.
National Defense University (NDU)
NDU's Government Information Leadership (GIL) Master of Science is
a 39-credit hour curriculum of the GIL Master of Science Degree Program
and offers a combination of information management, technology, and
leadership intensive courses. Navy currently has 36 Master's degree
enrollments and 497 certificate enrollments.
NDU's ``iCollege'' Chief Information Officer (CIO) Program is the
recognized leader in graduate education for Federal CIO leaders and
agency personnel. It directly aligns with the Federal CIO Council-
defined CIO competencies and addresses the Clinger-Cohen Act and other
relevant legislation mandates. It is sponsored by the DOD CIO.
United States Naval Academy (USNA)
Although an undergraduate program, USNA's Center for Cyber Security
Studies is an important investment as it enhances workforce education
and training at the Service academy level. Established in 2009, the
Center provides support for the proposed curricular and professional
reforms across the Naval Academy and encompasses support for all
programs that contribute to the knowledge, study and research of cyber
warfare.
NSA/DHS National Centers of Academic Excellence
National Security Agency (NSA) and the Department of Homeland
Security (DHS) jointly sponsor the National Centers of Academic
Excellence in Information Assurance (IA) Education (CAE/IAE), IA 2-year
Education and Training (CAE/2Y) and IA Research (CAE/R) programs. The
goal of these programs is to reduce vulnerability in our national
information infrastructure by promoting higher education and research
in IA and producing a growing number of professionals with IA expertise
in various disciplines. Students attending CAE/IAE or CAE/R designated
schools are eligible to apply for scholarships and grants through the
Department of Defense Information Assurance Scholarship Program (IASP)
and the Federal Cyber Service Scholarship for Service Program. NPS is a
participant in this program.
To date, 84 uniformed and civilian Navy personnel have participated
in the DOD IASP from commands across the Navy.
Mr. Langevin. Admiral Rogers, your predecessor Admiral McCullough
previously testified that much of the power and water systems for naval
bases are served by single sources and have very limited backup
capabilities. Can you provide an update on how the Navy is addressing
threats to both its critical infrastructure and its secure and unsecure
networks? Are you sharing information with critical infrastructure
operators, and if so, through what channels does this information flow?
Admiral Rogers. In an effort to correct vulnerabilities/
deficiencies identified during recent critical infrastructure
assessments the Navy is coordinating efforts with OSD to prioritize and
fund the most urgent issues with FY13 Defense Critical Infrastructure
Program (DCIP) resources.
U.S. Navy Defense Critical Assets (DCA) and Task Critical Assets
(TCA) have been identified. The Naval Criminal Investigative Service
(NCIS) provides all DCAs, validated through the Joint Staff,
comprehensive counterintelligence support plans to identify foreign
entity threats. TCAs, recently validated by the U.S. Navy, will receive
similar coverage as required in DOD Instruction 5240.19. Identified
threat information to the critical assets is provided to the asset
operators through the most expeditious methods, however, generally
through the identified NCIS representative assigned to the facility.
Mr. Langevin. Could each of you explain the Command and Control
Relationships between your respective Service Cyber Components and
CYBERCOM, regional combatant commanders, and other command structures?
Admiral Rogers. The below figure (on page 99) from the Joint Staff
Transitional Cyberspace Operations Command and Control (C2) Concept of
Operations signed on 1 May 2012, depicts the C2 structure. The C2
relationships follow command relationships as defined in Joint Doctrine
unless otherwise specified in supplemental orders or directives. The
framework establishes a standardized baseline for cyberspace operations
C2 by documenting Joint Cyber Center (JCC) and Cyber Support Element
(CSE) command relationships, missions, functions, and tasks. In
addition, USCYBERCOM Operational Directive 12-001 specifies that
Service Components have Direct Liaison Authorized (DIRLAUTH) with other
Service Components, COCOMs, DOD Organizations, the Interagency, and
foreign and commercial partners, to plan and execute assigned cyber
operations.
[GRAPHIC] [TIFF OMITTED] T5668.047
U.S. Fleet Cyber Command/U.S. TENTH Fleet is the Navy's Component
Command to United States Cyber Command, and an Echelon Two Navy
Command, subordinate to the Chief of Naval Operations. Fleet Cyber
Command has unique responsibilities as the central operational
authority for networks, cryptology, signals intelligence, information
operations, cyber, electronic warfare and space in support of forces
afloat and ashore. As such, we organize and direct Navy cryptologic
operations worldwide and integrate information operation and space
planning and operations as directed.
Mr. Langevin. The value of red-teaming--threat emulation--was
proven perhaps most clearly in the Vietnam War with the establishment
of Top Gun. The Director for Operational Test and Evaluation (DOT&E)
has identified a shortfall in threat emulation and red teaming
capabilities across the FYDP. What is each of the Services doing to
address these shortfalls? Is the DOD investing adequately in the test
capabilities and range environments that will be needed to remain
current with advancing technologies?
Admiral Rogers. Fleet Cyber Command also values the impact of red
teaming. We believe that the issue is not one of capacity, but rather
how we better use the capacity that already exists within the cyber
domain. To make more efficient use of red teams, we have concentrated
improving coordination across all DOD red teams to increase support to
our cyber forces and help standardize red team activity.
The ongoing development and maturation of the USCYBERCOM and
USFLTCYBERCOM staffs has allowed broader and timely coordination during
the planning and execution phases of red team activity. As cyber
actions are becoming more common events in major exercises, early
planning and incorporation of cyber effects and training objectives
have allowed improved synchronization across Navy and all DOD red
teams. This early planning allows the capabilities of Service and DOD
teams to be synchronized to best stimulate local, theater and global
responses and allows the command and control structure of Defensive
Cyber Operations to be exercised under real world conditions. The
inventory and capabilities of Navy and joint test ranges is sufficient
to meet current demand. However, range environments and test
capabilities must be continually evaluated as technologies advance and
as cyber policies and doctrine allow increased application in the joint
planning and execution.
Mr. Langevin. How are your Services leveraging both in-house
graduate educational facilities and DOD accredited programs, such as
the NSA/DHS National Centers of Academic Excellence?
General Mills. The Marine Corps actively participates in the
Department of Defense Information Assurance Scholarship Program, which
provides access for both enlisted and officer students to AFIT, NPS,
the National Defense University, Capitol College, George Mason, and
other National Centers of Academic Excellence in Cyber Operations for
graduate degrees in cyberspace security, information assurance, and
computer security fields.
Through the National Intelligence University, marines with
intelligence-related military occupational specialties are able to
complete a Master of Science of Strategic Intelligence. Although this
curriculum does not include cyber-specific courses as part of the core
requirement, students are able to tailor their electives and focus
thesis topics to include cyber operations.
The Marine Corps is currently in discussions with Northern Virginia
Community College to establish a program to provide college credit for
marines receiving military training and experience within the
cyberspace operations workforce.
The Marine Corps University has initiated additional curricula in
its educational programs that include topics in cyberspace operations,
cyberspace planning, cyberspace law, and cyberspace implementation
theories. Thus far, the Marine Corps University has had one class
complete its program of instruction with this additional material.
Initial feedback is that it was well received, and the Marine Corps
University is evaluating comments to refine its curricula for future
courses.
The Marine Corps also leverages cyber and cyber-related courses
through NSA's National Cryptologic Schools for personnel serving at the
Marine Cryptologic Support Battalion and the operating forces' Radio
Battalions which provide Signals Intelligence and cyber related support
to the Marine Air Ground Task Force, USCYBERCOM through MARFORCYBER,
and the National Security Agency. Additionally, the Marine Corps uses
the U.S. Navy's Joint Cyber Analysis Course (JCAC) and the Joint
Network Attack Course to train enlisted marines and officers in cyber
and cyber-related skill sets for MOS development.
Mr. Langevin. Could each of you explain the Command and Control
Relationships between your respective Service Cyber Components and
CYBERCOM, regional combatant commanders, and other command structures?
General Mills. The Service Cyber Component to USCYBERCOM is
MARFORCYBER. MARFORCYBER is assigned to USSTRATCOM and USSTRATCOM has
delegated OPCON of MARFORCYBER to USCYBERCOM. There is no direct
command relationship between MARFORCYBER and the geographic combatant
commanders. That being said, USCYBERCOM tasked MARFORCYBER to, in
conjunction with USCYBERCOM, lead the joint effort to conduct cyber
support of U.S. Special Operations Command (USSOCOM). MARFORCYBER was
also tasked to provide a recommendation to USCYBERCOM on the
requirements and support structure for a joint Cyber Support Element
(CSE) at USSOCOM. In anticipation of approval of the CSE recommendation
provided to USCYBERCOM for USSOCOM, MARFORCYBER staffed a colonel at
USSOCOM as the USCYBERCOM Liaison Officer and Officer-in-Charge of the
CSE. Additionally, a major, a captain, and two staff sergeants have
orders to USSOCOM to form the nucleus of the CSE for USSOCOM.
Mr. Langevin. The value of red-teaming--threat emulation--was
proven perhaps most clearly in the Vietnam War with the establishment
of Top Gun. The Director for Operational Test and Evaluation (DOT&E)
has identified a shortfall in threat emulation and red teaming
capabilities across the FYDP. What is each of the Services doing to
address these shortfalls? Is the DOD investing adequately in the test
capabilities and range environments that will be needed to remain
current with advancing technologies?
General Mills. The Marine Corps Network Operations and Security
Center (MCNOSC) is task organized with organic red team and
intelligence sections. The Marine Corps Information Assurance Red Team
(Red Team) is tasked with finding new exploits and with emulating
threat vectors/adversary tactics, techniques, and procedures (TTPs).
This includes penetration testing, phishing, remote exploitation of
network devices, exploitation of website vulnerabilities, wireless
exploitation, close access, and insider threats. The Red Team
operations in cyberspace are based on two distinct operational
requirements: (1) internal and external exercise support and (2) MCNOSC
directed operations. The Marine Corps will continue evaluating its red
team requirements as added emphasis is placed on red team utilization
within the Department.
On behalf of the Department, the Marine Corps manages the DOD
Information Assurance Range--which is located in Quantico, Virginia.
The DOD Information Assurance Range was initiated and funded by the
Comprehensive National Cyber Initiative in 2009. This range emulates
DOD networks--to include computer network defense (CND) capabilities,
support to cyber exercises, and testing and evaluation of CND products
and TTPs. It can operate in a standalone mode or can be integrated with
other ranges (such as the Joint IO Range). The Marine Corps is
participating in a Department-wide effort to evaluate an appropriate
construct for cyber range governance to more effectively integrate,
resource, and utilize these capabilities in the future.
Mr. Langevin. How are your Services leveraging both in-house
graduate educational facilities and DOD accredited programs, such as
the NSA/DHS National Centers of Academic Excellence?
General Vautrinot. Air Force Space Command (AFSPC) and Air
Education and Training Command (AETC) have established a full-range
cyber training and education construct that begins in Basic Military
Training and follows a challenging path that includes specialized
cyber-focused graduate degrees.
In addition to cyber-focused graduate programs (MS/PhD) in Computer
Science, Computer Engineering and Electrical Engineering with research
focused on such areas as encryption algorithms, botnet disruption,
network intrusion detection, and wireless network security, AFIT offers
two Master's programs in cyber operations and cyber warfare. The 18-
month Cyber Operations Master's Program provides extensive hands-on
laboratory experience with both offensive and defensive measures and
countermeasures, and is open to officers, enlisted, and civilians. The
12-month Cyber Warfare Degree Program for Majors and civilian
equivalents provides a developmental education opportunity that
addresses technical as well as policy and doctrine aspects of cyber
operations.
The Information Assurance Certificate Program (IACP) is a subset of
the Master of Science program. Students completing the required
coursework are eligible for certificates under National Training
Standards as an Information Security Professional, Senior System
Manager, and Senior Risk Analyst.
On June 19, 2008, the Secretary and Chief of Staff of the Air Force
designated AFIT and the Center for Cyberspace Research (CCR) as the Air
Force's Cyberspace Technical Center of Excellence (CyTCoE). The Center
serves as a bridge between the operational Air Force cyber forces and
various cyber research, education, and training communities across the
Air Force, the DOD, and national organizations.
The Center provides cyberspace professional continuing education
for currency and professional development of the cyberspace workforce.
The Air Force's Cyber 200 and 300 are Joint-accredited professional
development courses designed to increase the depth and breadth of cyber
operations understanding and to prepare individuals to apply cyber
capabilities and concepts in Joint military operations. These courses
are available to and attended by our Joint brethren in an effort to
standardize training and proficiency across the DOD. The Air Force is
also in the process of establishing disclosure guidance that will allow
our international partners to send individuals to Cyber 200 and 300.
The Air Force also utilizes graduate-level educational opportunities
offered by our DOD and Agency partners such as the Information
Assurance Scholarship Program (IASP) and the Computer Network
Operations Development Program (CNODP). The IASP is open to all Air
Force officers and is designed to retain a corps of highly skilled IA
professionals to accommodate diverse warfighting and mission
requirements. The CNODP is an intense, 3-year graduate-level internship
at the National Security Agency that develops technical leaders who
will lead the DOD and Services' employment of cyber capabilities.
Graduates of this program receive focused follow-on assignments that
capitalize on their breadth and depth of knowledge.
Mr. Langevin. Could each of you explain the Command and Control
Relationships between your respective Service Cyber Components and
CYBERCOM, regional combatant commanders, and other command structures?
General Vautrinot. U.S. Cyber Command is the warfighting Sub-
Unified Command for cyber. Each of the Services provides component
cyber forces to the Joint fight through USCYBERCOM. For the Air Force,
the 24th Air Force Commander is also designated the Commander of
AFCYBER, the Service Component to U.S. Cyber Command. This direct
command and control relationship stems from the authorities laid out in
Title 10, USC. Operational orders flow from the President through the
Secretary of Defense to the Combatant Commander to the Sub-Unified
Commander and then to the Service Components. Under this authority,
AFCYBER forces support Joint missions as directed by USCYBERCOM.
AFCYBER, which is collocated with 24th Air Force in San Antonio, TX,
has its Deputy Commander and a portion of AFCYBER personnel collocated
with USCYBERCOM at Ft Meade, MD.
AFCYBER provides operational-level command and control of AF cyber
forces through the 624th Operations Center. The Operations Center
coordinates offensive, defensive and exploitation activities, provides
daily reporting of operations, and manages network operations on the AF
portion of the DOD network in accordance with USCYBERCOM guidance, as
well as acting as a Continuity of Operations Plan for USCYBERCOM.
AFCYBER supports regional combatant commanders through reachback or in-
place participation in the Cyber Support Elements at the Combatant
Command or AF Component (e.g., AF Central Command) level as tasked by
USCYBERCOM.
The Command and Control (C2) Transitional Concept of Operations
(CONOPS) and the Operational Directive (OPDIR) were released and
provided guidance for USCYBERCOM and Service Components, specifying
standard tasks and mission responsibilities for each of the Services.
Based on these two documents, AFCYBER is tasked with leading the Joint
effort to provide cyber support to USTRANSCOM, USEUCOM and USAFRICOM.
AFCYBER works with these COCOMs to ensure cyber effects are presented
to the Combatant Commanders as required. We continue to provide
planning and characterization efforts in support of future operations
through Operations/Concept of Operations Plans and Crisis Action
Planning tasks from USCYBERCOM.
We also work, via SECDEF direction through USCYBERCOM tasking, with
organizations and agencies while operating in support of authorities
other than our traditional Title 10 role. Through USCYBERCOM, we have
teamed with the Defense Cyber Crime Center and the Air Force Office of
Special Investigations, as well as the Federal Bureau of Investigation,
to work specific tasks under Title 18 authority. We use cyberspace
operations to support the National Intelligence mission under Title 50.
Additionally, we work with our Guard and Reserve personnel under Title
32 to add capacity and capability to AFCYBER.
Mr. Langevin. The value of red-teaming--threat emulation--was
proven perhaps most clearly in the Vietnam War with the establishment
of Top Gun. The Director for Operational Test and Evaluation (DOT&E)
has identified a shortfall in threat emulation and red teaming
capabilities across the FYDP. What is each of the Services doing to
address these shortfalls? Is the DOD investing adequately in the test
capabilities and range environments that will be needed to remain
current with advancing technologies?
General Vautrinot. The cyber red team concept focuses on
vulnerability assessments and intrusion missions of DOD networks.
AFCYBER's Opposing Force (OPFOR) construct enhances the red team
concept by providing a standard process for identifying vulnerabilities
in a realistic threat environment, as well as capturing lessons learned
and improving specific cyber tactics, techniques and procedures. The AF
OPFOR team's goal is to allow commanders to objectively assess mission
effectiveness and validate lessons learned to improve mission
readiness.
AFCYBER employs the Air Force cyber range operated by the 346th
Test Squadron at Lackland AFB, Texas, to support the full spectrum of
cyber activities. These activities span capability development and
tactics, techniques and procedures validation through employment of the
OPFOR concept in support of Combatant Command exercises like Terminal
Fury and Vigilant Shield. These ranges are already supporting the newly
validated USAF Weapons School's Cyber Operations Weapons Instructor
Course's capstone defensive mission and mission employment exercise,
allowing for advanced weapons and tactics employment. AFCYBER also uses
the Joint Information Operations Range to access and leverage the
latest threat environments and emulations available from other DOD
organizations, academia, and industry.
We continue to streamline the procurement process to facilitate
nation-state capabilities ensuring Air Force Cyber Test & Evaluation
infrastructure and personnel are able to reflect the changing nature of
benign and contested cyber environments.
______
QUESTIONS SUBMITTED BY MR. FRANKS
Mr. Franks. It is my belief that manmade and natural
electromagnetic pulse is the ultimate cybersecurity threat. For
example, an EMP attack on the U.S. would render our communications and
computer systems useless, and disrupt virtually everything reliant on
electricity. Furthermore, the DOD relies on a commercial electric grid,
which is butterfly wing delicate to EMP, for approximately 99% of its
military installations power requirements. What action is CYBERCOM
taking to ensure its electricity is not disrupted by a manmade or
natural EMP event, and how important is protecting the civilian
electric grid from EMP for CYBERCOM's mission effectiveness?
Admiral Rogers. Fleet Cyber Command does not have a specific
program to address EMP scenarios. We have very few facilities that are
hardened against an EMP event, and even those facilities are not fully
hardened. However, we have an aggressive program to manage power
outages, regardless of cause, across our domain. We have robust, well
managed, critical power systems that provide continuity of operations
to our mission critical systems. The critical power infrastructure
includes standby generators, automatic transfer switches, and UPS
(Uninterruptable Power Supply) systems. For most sites, this
infrastructure results in zero loss of power or mission when commercial
power is lost. This equipment is maintained, tested, and replaced as
needed. Facilities across the domain are routinely evaluated for areas
where the capacity or redundancy are insufficient, or mission growth
now requires critical power, and these recommendations are balanced
against other installation funding needs.
Given the criticality of the civilian electric grid, the Navy,
through its DOD leadership, continues to work closely with the
Department of Homeland Security on how to best to protect critical
infrastructure in the commercial sector.
Mr. Franks. Over the years the DOD has invested billions of dollars
hardening critical components against electromagnetic pulse. My efforts
to protect the civilian grid against EMP have had a mixed reception.
Most realize the enormity of the threat and the necessity to take
action; but others have expressed opposite convictions, and feel that
EMP is not the threat described in numerous scientific studies and
reports. Do you assess this investment to be wise or unnecessary? If
wise, should Congress make efforts to expand EMP protections to the
civilian grid?
Admiral Rogers. As stated in the question, science and studies
indicate EMP is a valid threat to the civilian power grid. Given the
criticality of the civilian power grid, it is prudent to consider the
protection of this infrastructure against EMP and all other threats.
The Navy, through its DOD leadership, continues to work closely with
the Department of Homeland Security on how to best to protect critical
infrastructure in the commercial sector.
______
QUESTION SUBMITTED BY MR. CONAWAY
Mr. Conaway. During the hearing, you referenced a direct accessions
program in the Navy. I would suggest that there could be a large number
of highly skilled cyber warriors that may not see the military as an
option. Can you expand on the direct accessions program for cyber?
Admiral Rogers. There are three specific cyber-related skills sets
the U.S. Navy directly accesses to develop and maintain our cyber
expertise: Cyber Warfare Engineers (CWE), Information Professionals
(IP) and Information Warfare Officers (IW).
Cyber Warfare Engineer: As a means of addressing the increased
demand for officers with specific computer network operations (CNO)
focused knowledge, skills and abilities, the Secretary of the Navy
approved the establishment of the Cyber Warfare Engineer (CWE)
designator in June 2010. CWE is a restricted line community within the
information Dominance Corps (IDC) and CWE officers use specific cyber
expertise to develop CNO capabilities. These CWEs apply the principles
and techniques of computer science and computer engineering to
research, design, develop, test, and evaluate software and firmware for
computer network attack, exploitation, and defense in cyberspace
operations. In addition to academic, age, and physical requirements,
CWE candidates must meet strict citizenship and security clearance
requirements and complete an interview process with Commander, Fleet
Cyber Command. The direct accession requirement has been established at
five officers per year.
Information Professional: Information Professionals (IP) provide
expertise in information, command and control, and space systems
through the planning, acquisition, operation, maintenance and security
of systems. Their roles include leading the Navy's network warfare
missions, developing tactics, techniques and procedures to realize
tactical, strategic and business advantages afloat and ashore, and
driving interoperability with Joint, Allied and Coalition partners. In
addition to academic, age, and physical requirements, IP candidates
must meet citizenship requirements, hold one or more active IT
certifications and complete a professional review board process. Work
experience in the field is strongly preferred. There are approximately
555 IPs in the Navy and we directly access approximately eight officers
per year.
Information Warfare: Information Warfare (IW) Officers (IWO) are
the DOD's premier force for Signals Intelligence (SIGINT), Electronic
Warfare (EW) and CNO. Their mission is to execute the full spectrum of
cyber, cryptology, SIGINT, information operations, CNO and electronic
warfare missions. This occurs across the cyber, electromagnetic and
space domains to deter and defeat aggression, to provide warning of
intent, and to ensure freedom of action while achieving military
objectives in and through cyberspace. In addition to academic, age, and
physical requirements, IW candidates must meet strict citizenship and
security clearance requirements and complete a professional review
board process. There are 930 IWs in the Navy and we directly access
approximately 40 officers each year.
�