[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
                         [H.A.S.C. No. 113-17] 

     INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND 

               POLICY ISSUES TO SUPPORT THE FUTURE FORCE 

                               __________

                                HEARING

                               BEFORE THE

    SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD

                             MARCH 13, 2013

                                     


                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

80-187 PDF                       WASHINGTON : 2013 



    SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES

                    MAC THORNBERRY, Texas, Chairman

JEFF MILLER, Florida                 JAMES R. LANGEVIN, Rhode Island
JOHN KLINE, Minnesota                SUSAN A. DAVIS, California
BILL SHUSTER, Pennsylvania           HENRY C. ``HANK'' JOHNSON, Jr., 
RICHARD B. NUGENT, Florida               Georgia
TRENT FRANKS, Arizona                ANDRE CARSON, Indiana
DUNCAN HUNTER, California            DANIEL B. MAFFEI, New York
CHRISTOPHER P. GIBSON, New York      DEREK KILMER, Washington
VICKY HARTZLER, Missouri             JOAQUIN CASTRO, Texas
JOSEPH J. HECK, Nevada               SCOTT H. PETERS, California
                 Kevin Gates, Professional Staff Member
                 Tim McClees, Professional Staff Member
                          Julie Herbert, Clerk



                            C O N T E N T S

                              ----------                              

                     CHRONOLOGICAL LIST OF HEARINGS
                                  2013

                                                                   Page

Hearing:

Wednesday, March 13, 2013, Information Technology and Cyber 
  Operations: Modernization and Policy Issues to Support the 
  Future Force...................................................     1

Appendix:

Wednesday, March 13, 2013........................................    27
                              ----------                              

                       WEDNESDAY, MARCH 13, 2013

 INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY 
                   ISSUES TO SUPPORT THE FUTURE FORCE

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, 
  Ranking Member, Subcommittee on Intelligence, Emerging Threats 
  and Capabilities...............................................     1
Thornberry, Hon. Mac, a Representative from Texas, Chairman, 
  Subcommittee on Intelligence, Emerging Threats and Capabilities     1

                               WITNESSES

Alexander, GEN Keith B., USA, Commander, United States Cyber 
  Command........................................................     6
McGrath, Hon. Elizabeth A., Deputy Chief Management Officer, U.S. 
  Department of Defense..........................................     5
Takai, Hon. Teresa M., Chief Information Officer, U.S. Department 
  of Defense.....................................................     3

                                APPENDIX

Prepared Statements:

    Alexander, GEN Keith B.......................................    62
    Langevin, Hon. James R.......................................    31
    McGrath, Hon. Elizabeth A....................................    54
    Takai, Hon. Teresa M.........................................    33

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Mr. Thornberry...............................................    77

Questions Submitted by Members Post Hearing:

    Mr. Franks...................................................    87
    Mr. Langevin.................................................    84
    Mr. Rogers...................................................    85
    Mr. Thornberry...............................................    81

 INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY 
                   ISSUES TO SUPPORT THE FUTURE FORCE

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
            Subcommittee on Intelligence, Emerging Threats 
                                          and Capabilities,
                         Washington, DC, Wednesday, March 13, 2013.
    The subcommittee met, pursuant to call, at 3:46 p.m., in 
room 2212, Rayburn House Office Building, Hon. Mac Thornberry 
(chairman of the subcommittee) presiding.

OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM 
TEXAS, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS 
                        AND CAPABILITIES

    Mr. Thornberry. The subcommittee hearing will come to 
order. I appreciate our witnesses and guests and their 
patience. There are some days that just don't work very well, 
and this is certainly one of them.
    I will ask unanimous consent to put my opening statement in 
the record and yield to the gentleman from Rhode Island for any 
comments he would like to make.

  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM 
  RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE, 
               EMERGING THREATS AND CAPABILITIES

    Mr. Langevin. Thank you, Mr. Chairman.
    I want to thank our witnesses for appearing before the 
subcommittee today. This is obviously an important hearing as 
our national security is dependent on our information systems, 
and those networks are critical to all aspects of our defense. 
Yet, one only needs to look at recent headlines, even of the 
day, to understand the unrelenting and sophisticated threats 
that we face in the cyber domain.
    Now we continue to see just how vulnerable such networks 
are in other sectors of our society, at a potential cost of 
billions lost to cybercrime, and we know our defense networks 
are at even greater risk. So obviously, though, they must be 
fail-proof and secure.
    Now we are still waiting for this year's budget, but I 
believe it is safe to say that IT [information technology] 
represents a large piece, $33 billion last year for that 
matter, and that is a significant figure. And we must be ever 
mindful of our responsibility to make the most effective use of 
taxpayer's investments in these capabilities.
    Now we are aware that the Department has experienced some 
challenges in acquiring certain IT systems and services in the 
past. So today, I would like to hear what steps we are taking 
to tackle those challenges in order to get the connectivity we 
need at a reasonable price.
    DOD [Department of Defense] cyber operations are quite 
literally a growth business, and it is one of the rare portions 
of the DOD that will be growing indefinitely into the future; 
and there have been significant developments in just one year 
since our last posture hearing.
    Now we are starting to get answers to some of the questions 
about how and when the United States might conduct the full 
range of military cyber activities, and I would like to discuss 
that today to the extent that this forum allows.
    And I understand that Cyber Command [CYBERCOM] is beginning 
to organize itself into mission teams, which is an exciting 
step. But the manpower cost is enormous and the education and 
training requirement significant. This is going to take, 
obviously, a lot of work to get right.
    I would be greatly interested to hear how, to hear our 
panelists' thoughts on how we refine the education, 
recruitment, retention and training of the highly specialized 
personnel that we need. And I would also like to hear how 
CYBERCOM is interfacing with combatant commanders to provide 
its unique capabilities wherever and whenever they are needed.
    Lastly, there are two other areas of vulnerability that I 
want to address today. The first is supply chain security for 
our IT systems. Now we could get IT functionality perfect and a 
robust defense of networks in place and still be at risk of 
compromise from counterfeit components as well as unknown 
design specifications within an approved component, 
particularly, also looking at things like zero-day exploits 
which we know our adversaries make extensive use of.
    So the second is the vulnerability of our critical 
infrastructure to cyber attacks. DOD relies on these services 
but they are defended by other Federal agencies or departments, 
or not at all. So I mention this frequently because I want to 
make progress in the effort to close these gaps. And today is 
another opportunity to see where we are on this matter.
    So with that, again, I want to welcome our witnesses here 
today. Before turning it over to you--back to you, Mr. 
Chairman, I just want to take this opportunity to congratulate 
General Alexander in particular. This is grandchild number 15 
was born today. A grandson. And General, I just want to 
congratulate you and your family on the addition to your 
family.
    [The prepared statement of Mr. Langevin can be found in the 
Appendix on page 31.]
    General Alexander. It is probably more than----
    Mr. Langevin. Thank you. And congratulations again, 
General. And I yield back, Mr. Chairman.
    Mr. Thornberry. And then what State was he born?
    General Alexander. Texas.
    [Laughter.]
    Mr. Thornberry. Thank you. I just want to get that on the 
record.
    Mr. Langevin. Point well taken.
    Mr. Thornberry. And I appreciate the gentleman's comments. 
And just as an administrative note, I want to remind members 
that next week, we have our first quarterly cyber operations 
briefing which is similar to the counterterrorism quarterly 
updates that we have been receiving. This is a new provision in 
the Defense Authorization Act, and we will have that classified 
briefing next week.
    Without objection, all of your statements will be made a 
part of the record. And we would appreciate your summarizing 
them. We again appreciate our witnesses, the Honorable Teresa 
``Teri'' Takai, Chief Information Officer of the Department of 
Defense; the Honorable Elizabeth McGrath, Deputy Chief 
Management Officer at the Department of Defense; and General 
Keith Alexander, Commander of USCYBERCOM.
    Thank you all for being here. Ms. Takai, you may summarize 
your statement.

 STATEMENT OF HON. TERESA M. TAKAI, CHIEF INFORMATION OFFICER, 
                   U.S. DEPARTMENT OF DEFENSE

    Ms. Takai. Good afternoon, Mr. Chairman and distinguished 
members of the subcommittee. Thank you so much for giving us 
the opportunity to testify today on the importance of 
information technology to the transformation of the Department 
of Defense.
    I am responsible for ensuring the Department has access to 
the information, the communication networks, and the decision 
support tools needed to successfully execute our warfighting 
and business support missions. The Department's IT investments 
support mission critical operations that must be delivered in 
both an office environment and the tactical edge.
    Just to give you some perspective on the size and scope of 
what we cover, we operate in over 6,000 locations worldwide. 
And we support the unique needs and missions of three military 
departments and over 40 defense agencies and field activities, 
and our services are used by 3.7 million people.
    Included in the overall IT budget are the Department's 
cybersecurity activities and efforts that are designed to 
ensure our information systems and networks are protected 
against the ever-increasing cyber threats the Department and 
the Nation face.
    We are undertaking an ambitious effort to realign and 
restructure our ability to provide better access to 
information, improve our ability to defend and keep pace. This 
effort is the Joint Information Environment [JIE].
    The Department is aligning its existing IT networks into a 
Joint Information Environment that will define how we are 
restructuring not only our networks but our computer centers, 
our computing networks and cyber defenses to provide a singular 
joint cybersecurity approach that is common across the 
classified, secret, and coalition networks. This is in contrast 
to today's networks in which each military department differs 
in its approach and design in cyber defense.
    The ultimate beneficiary is the commander in the field. The 
consistent network in IT and security architecture will enable 
innovative information technologies that keep pace with today's 
fast-paced operational requirements.
    Our standard security architecture will enable cyber 
operators at every level to see who is operating on our 
networks and what they are doing. This will enable a 
synchronized cyber response. And I am sure General Alexander 
will be speaking more to you about this in his words.
    The consolidation of data centers, operations centers and 
help desks will enable timely and secure access to the 
information and services needed to accomplish their assigned 
missions, regardless of the location.
    As we have refined the JIE concept, we have concluded that 
we can achieve all of the Department's cybersecurity goals but 
just as importantly, still have better joint warfighting 
decision support, better operational and acquisition agility, 
and also importantly, better efficiency. On cybersecurity we 
are focused on ensuring that the essential DOD missions are 
dependable and resilient in the face of cyber warfare. The 
first of the efforts that we will embark on as I have mentioned 
is JIE. The second effort is our deployment and use of 
cybersecurity identity credentials for all users of our secret 
network. We are currently deployed on our unclassified network 
and we will complete the classified network this year.
    The next is continuous monitoring. This will allow us much 
faster detection and remediation of mission vulnerability 
across the millions of computers that are in our networks, give 
us a chain of command and accountability tool, and will give 
the Cyber Command better ability to set remediation priorities.
    The fourth effort as was mentioned is our supply chain risk 
management. Globally sourced technology provides real benefits 
to the Department but it also provides the opportunity for 
potential adversaries to compromise our missions through 
subversion of the supply chain. The Department recently issued 
policy that makes permanent the Department's efforts to 
minimize the risk to DOD missions from this vulnerability.
    And lastly is our successful voluntary cyber information-
sharing efforts with the Defense Industrial Base. We have 78 
participating companies which represent a majority of our 
acquisition spending in the Department.
    We share classified and unclassified cyber threat 
information and companies that have been participating said 
that the program has significantly improved their cybersecurity 
efforts. We are also partnering with security service 
providers, for those companies that choose to use that service, 
they will have additional classified threat information.
    I would like to conclude by mentioning a few other efforts 
that we are working on. We have a new focus on the development 
of secure communications for Presidential and senior leader 
comms [communications], nuclear command and control, and 
continuity of government. We are working with other Federal 
agencies to ensure that we have the ability to communicate at 
all times. We are also working to ensure that the Department's 
position, navigation and timing infrastructure is robust.
    Next, my office recently issued the DOD commercial mobile 
device strategy and implementation plan which allows us to use 
commercial mobile devices in both a classified and unclassified 
environment.
    And finally, spectrum has become increasingly important not 
only to the Department's mission but to consumers and the 
economy of the Nation. While fully committed to the President's 
500 megahertz initiative, it is important that we balance the 
use of our finite radio spectrum to meet national security 
requirements as well.
    Thank you so much for your interest in our efforts and I 
look forward to taking your questions.
    [The prepared statement of Ms. Takai can be found in the 
Appendix on page 33.]
    Mr. Thornberry. Thank you, Ma'am.
    Ms. McGrath.

STATEMENT OF HON. ELIZABETH A. MCGRATH, DEPUTY CHIEF MANAGEMENT 
              OFFICER, U.S. DEPARTMENT OF DEFENSE

    Ms. McGrath. Thank you, Mr. Chairman. Good afternoon. We 
really appreciate the opportunity to discuss with you the 
progress that we have made in the defense business operations. 
We feel they are critical enablers of our national security 
mission and our goal is to ensure we have effective, agile and 
innovative business operations that support and enable our 
warfighters.
    This work spans every organization in all functional areas. 
Our goals are to optimize business processes and identify key 
outcome-based measures. Here, information technology is a key 
enabler. Over the past number of years, attention to this issue 
has steadily increased and Congress has been instrumental in 
shaping the governance framework and supporting processes the 
Department uses to oversee these efforts. And we thank you for 
that.
    My written statement provides updates on our integrated 
business environment framework; therein you will see evidence 
of the maturation of our Business Enterprise Architecture and 
some of the recent successes and challenges in the 
implementations of our largest IT systems.
    I will take a few moments to highlight a few of the points. 
First, Section 901 of the 2012 National Defense Authorization 
Act included significant changes to the Department's investment 
management process for defense business systems. We established 
a single Investment Review Board which we execute through a 
Defense Business Council which replaced five separate 
functionally based boards.
    It also significantly expanded the scope of the systems to 
be reviewed by the board to include those in sustainment. 
Previously, it was simply modernization and development. This 
new investment process allows the Department for the first time 
to holistically manage the entire portfolio of business systems 
in a deliberate and organized manner.
    This legislation is truly serving as a catalyst for 
dramatic improvements across the defense enterprise. We now 
have functional strategies that articulate goals, outcomes, 
expectations, standards, mandatory solution across business 
lines.
    Military departments and defense agencies all must align 
with execution plans to these imperatives across their IT 
portfolio. As an example of the Investment Review Board's 
value, we identified approximately 10 percent of the systems 
reviewed as legacy systems that will be retired over the next 3 
years. And we are using this process to both ensure 
architectural compliance and business process reengineering.
    Second, I would like to highlight the ongoing work to 
improve the implementation of some of the Department's most 
visible defense business systems, our Enterprise Resource 
Planning systems or ERPs. The Department is committed to 
learning from its successes and failures as well as learning 
from the findings from the Government Accountability Office and 
the Inspector General.
    In addition to a number of ongoing initiatives to improve 
specific aspects of our implementations, I have over the last 6 
months undertaken a substantial effort to work with industry 
leaders to fully understand and define the leading root causes 
of program successes and failures across the dimension of cost, 
schedule and performance.
    Our findings reinforce the need to focus the Department on 
quality upfront work extremely early in a program's life cycle 
to include ensuring clarity of requirements, quantifiable 
business cases. As a result of this work, I have directed a 
number of actions across the Department.
    While we have certainly faced challenges, the Department is 
making steady progress in this area including having now 
successfully fielded a number of Enterprise Resource Planning 
systems.
    In closing, the Department remains committed to improving 
the management and acquisition of IT systems as well as our 
overarching business environment. These issues receive 
significant management attention and are a key part of our 
enterprise strategy to build better business processes that 
will create lasting results for our men and women in uniform 
and the American taxpayer.
    I look forward to your questions.
    [The prepared statement of Ms. McGrath can be found in the 
Appendix on page 54.]
    Mr. Thornberry. Thank you.
    General Alexander.

  STATEMENT OF GEN KEITH B. ALEXANDER, USA, COMMANDER, UNITED 
                      STATES CYBER COMMAND

    General Alexander. Chairman, Ranking Member, I would read 
my statement but you know I can't read so I am just going to 
give you the highlights from that. And I know both Ms. Takai 
and Ms. McGrath can read really well. Perhaps you should read 
my part.
    What I want to hit is a few things that I think it is 
important for the committee to know. First, you all know we 
have great people. We are getting great people both in our 
staff and the service components that have--that are building 
the teams that we need. And issues come up with sequester 
especially for the civilian folks; having to furlough those 
people that we are bringing in sends a wrong message.
    Further, the continuing resolution compounds our ability to 
actually conduct the training missions that we need to bring 
these teams on board. We talked a great deal about the threat. 
You know what is going on in Wall Street, what has happened 
over the last 6 months. What happened in Saudi Arabia with 
Saudi Aramco, the threat is real and growing.
    From our perspective, we need to be prepared for attacks 
against our Nation in cyberspace. In order to do this, we do it 
as a team. And that team includes DHS, Department of Homeland 
Security, FBI [Federal Bureau of Investigation] and, of course, 
DOD.
    DHS has the resilience and recovery just like it would in a 
kinetic operation. And it is the public interface for our 
industry. FBI would lead investigations, look at who is doing 
this inside the United States; they are the domestic handler. 
And DOD has responsibility to defend our Nation from an attack, 
to support the combatant commands and their operations in 
planning, defend the DOD networks and other networks as 
authorized.
    We have created roles and responsibilities between 
Secretary Napolitano, myself and Director Bob Mueller, we all 
agree on that, it has gone to the White House. I think that 
helps lay out the plan for how we can work with you in 
establishing legislation for the future. And I can talk to 
legislation and questions if that comes up.
    When is civil liberties and privacy upfront here? We know 
how important that is. We can protect civil liberties and 
privacy in our networks. This isn't one or the other, it is 
both. And I think we can do both. And to understand that, I 
think we need to get into technical details. I won't do that 
here, but you know we have the capacity to do that.
    And I just encourage you to look at the facts in this as we 
go forward. Five things that we are looking at from my 
perspective in setting up Cyber Command and the teams that we 
have. First and most important are people, building and 
training a ready workforce. The second thing, command and 
control and doctrine, we are establishing that and how we work 
with the combatant commands that I can answer more, Congressman 
Langevin, to your question later on about how we work with the 
combatant commands. Situational awareness--how do you see what 
is going on in cyberspace and how do you react to it. A 
defensible architecture, I think this is absolutely vital, 
especially for the Defense Department. Today, we have 15,000 
enclaves. It is very difficult to defend and get situational 
awareness around that. We need to go the Joint Information 
Environment, something that we work very closely with Ms. Takai 
and her folks. And finally the authorities, policies and 
standing rules of engagement. Those are vital for the future 
and we need to work with you to get those right.
    That is a quick summary of my 26-page written--and so, Mr. 
Chairman, I turn it back to you.
    [The prepared statement of General Alexander can be found 
in the Appendix on page 62.]
    Mr. Thornberry. Thank you. I think that may be a record on 
shortness of your testimony.
    Let me just start by asking about a couple of things. 
General Alexander, I think the statements you just made that 
there is a role for the military, especially Cyber Command, to 
defend the country in cyberspace. I think that is a step beyond 
where we have been in previous years' hearings.
    Can you tell us a little bit more about how that--where we 
are in that discussion? Exactly what should we expect the 
military to defend us against and what sort of circumstances? 
And then what are the sort of circumstances that industries or 
us as individuals are required to defend ourselves?
    General Alexander. So there is two parts to this, to your 
question. And I will give it to you as accurately as I can from 
my perspective and then show you where the range of options 
that the administration and the Defense Department have to look 
at.
    First, I think it is reasonable that we the American people 
know that when our Nation is under attack, whether it is 
physical attack or cyber attack, that the Defense Department 
will do its part to defend the country.
    It is not going to just defend itself. Our job is to defend 
the country. And the focus would be, obviously, on critical 
infrastructure just as it would in kinetic and other things. 
The issue becomes when does an exploit become an attack and 
when does an attack become something that we respond to?
    Those are policy decisions and the red lines that goes to 
those would be policy decisions. Our job would be to set up the 
options that the President and the Secretary could do to stop 
that. And as you may recall, both the former President and the 
current President have both said that they would keep the 
options open in this area.
    I mean, I think that is reasonable, from using State 
Department to demarche all the way over to kinetic options or 
cyber. So they have that whole range. What we are building is 
the cyber options that would fit that tool kit for the 
administration and policymakers to determine exactly what to 
do.
    As an example, it is reasonable to expect that we would 
have the ability to stop a distributed denial of service 
attack, and so creating the tools and capabilities of that, 
which would get into the classified area, you would expect that 
we would actually go and work with our teams to do that. And 
those are the kinds of things that we do. So how do we defend 
the country in that? What kinds of capabilities that we need? 
We have laid that out in great detail. And I think the training 
on that is superb.
    Mr. Thornberry. Just to make an editorial comment. I 
appreciate your point that the authorities, policies, rules of 
engagement are key to deciding how to use the tools that your 
folks have evolved. My opinion is that the more the 
administration consults with Congress, the more we can make 
these decisions out in the open, the better result we will have 
and in addition, the more you will have the support of the 
American people.
    The more that is kept secret with some White House meeting 
or White House paper that is hard to access to, the more 
suspicions there will be about what the government is really 
doing. So I know that is kind of a different realm from yours 
but I think the circumstances under which the government will 
act and how it will act and who will act are important to be as 
public and transparent as we possibly can.
    Finally, let me ask, Ms. Takai, I have got this Defense 
Science Board study that came out in January that basically 
concludes, we cannot be confident that our critical information 
technology systems will work under attack from a sophisticated 
actor.
    I mean, I am sure you have seen it. Can you just make a 
comment about whether you think this Defense Science Board 
study got it right about our vulnerabilities?
    Ms. Takai. Well, I think, first of all, any independent 
report like that is useful because it does give us an 
independent view of a way of looking at our vulnerabilities. 
The report is a year old at this point in time and it really 
is--it does precede several of the actions that General 
Alexander has taken in terms of looking to remediate.
    It also does not consider some of the actions that we have 
been taking to change our cyber defense approach from looking 
at how we protect the perimeter and how we just protect 
networks to actually how we look at it from a mission 
perspective.
    So what we have done is ahead of actually the Defense 
Science Board report coming out, those are the same areas that 
we have been looking at. Those are the same areas that we are 
looking for remediation actions and some of the things that I 
described in my testimony are really a step toward actually 
moving forward to address some of those issues.
    Now, the challenge is you are never 100 percent. And so, I 
think the point around, really, looking at it from a mission 
perspective is important because we need to be sure that we are 
prioritizing from the standpoint of where we put our resources, 
looking at it from the most critical areas and making sure they 
are secure.
    Mr. Thornberry. If your folks look at this and think it 
appropriate, I would appreciate in a written answer some more 
updates as to how far you think we have come in addressing the 
shortfalls that they identified here.
    Ms. Takai. Yes, sir. Absolutely. General Alexander and I 
are actually working on that document, so we would be happy as 
we get that developed to provide that to the committee.
    [The information referred to can be found in the Appendix 
beginning on page 77.]
    Mr. Thornberry. Thank you.
    Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. Again, thank you to 
our witnesses. General Alexander, I would just start with you, 
if I could. More of a follow-on on to the chairman's question. 
Can you speak to the role of CYBERCOM as defender of last 
resort in the event upon civilian--in the event of an attack on 
civilian critical infrastructure?
    As we know, these attacks move at network speed. And what I 
want to know is what the, you know, the processes that are put 
in place in terms of establishing rules of the road so that you 
know how and when you can respond--if there is an attack on 
critical infrastructure and CYBERCOM has to step in as the 
defender of last resort?
    General Alexander. So we are working with the Defense 
Department, the White House, and the interagency to set up 
those standing rules of engagement, put forward what I will 
call the way in which we would actually execute some of these.
    Right now, those decisions would rest with the President, 
the Secretary. And they would tell us to execute. I think as we 
go down the road, we are going to have to look at what are the 
things that you would automatically do, think of this as the 
missile defense, but missiles in real time.
    And I think that is an education and learning process that 
changes fundamentally the way that we have defended the Nation 
from a kinetic perspective to how we are going to have to 
defend the Nation in a cyber perspective.
    So there is a lot to learn there. Most important on that, 
one is the team that I talked about. But two is the partnership 
with industry. And that is where the legislation is going to be 
important.
    We cannot see attacks going against Wall Street today. 
Somebody has to tell us, and if we are going to be able to 
react to it in time to have favorable results, we need to know 
that at network speed so that we can react at network speed. So 
those types of information-sharing and the liability of 
protection that goes with them is key to this. The other part, 
you know, you could put under building up standards and helping 
people get to this, the executive order takes a great step in 
that direction.
    I think getting incentives would really help. So I think 
there is a partnership here, one within the administration for 
how we set this up and the rules of engagement, I take the 
chairman's comments that you put about working together in a 
transparent way. And the second part is we have got to have 
that same discussion with industry.
    Mr. Langevin. And let me use this as an opportunity to talk 
about the information-sharing, and give you an opportunity to 
talk about the, you know, the concerns that people have in 
terms of information that would be shared with the government.
    I understand--you and I understand that we are not actually 
looking at information that would be shared, it is more the 
bits and bytes, the ones and zeros, the attack signatures that 
we would be looking for.
    But I would like to again give you the opportunity for the 
public to reassure them of what this is, what information would 
be shared.
    General Alexander. Thank you, Congressman, because I do 
think this is a key point.
    The issue would be if somebody were throwing an attack at 
Wall Street, as an example, what we would want to know is the 
fact of the attack and the type of attack. We don't need to 
read people's email or see their communications to get that 
information.
    The Internet service providers would actually see that. So 
we could tell them the types of attacks, the types of exploits 
and those things that the government needs to know. That 
includes DHS, FBI, NSA [National Security Agency] and the 
Defense Department, all together need to know that.
    What we are talking about is, for example, I use the car 
going up the New Jersey Turnpike on its way to Rhode Island and 
it would go through an E-ZPass lane--well, in E-ZPass what 
happens is the car is scanned. You don't read what is inside 
the car. You just get the metadata.
    In a similar way, if a packet were going forward, what the 
Internet service providers need to tell us is there was a 
packet, we saw bad software, malicious software in that packet, 
of the type you were looking for. We stopped that packet. It 
was coming from this IP [Internet protocol] address, going to 
this IP address.
    And it would be up to FBI if it was domestic to work with 
the courts to do that or to Cyber Command if it were coming 
from outside the United States. And so, the bottom line, there 
is a way to do this that ensures civil liberties and privacy 
and does ensure the protection of the country.
    And I think we ought to work towards that and help educate 
the American people on what we are trying to do here.
    Mr. Langevin. I agree and I appreciate you getting that out 
there.
    General, if I could, I would also turn our discussion to 
the new mission teams that are forming within your command. In 
testimony before the Senate Armed Services Committee on 
Tuesday, you noted the creation of 13 teams within--with an 
offensive focus. Can you lay out for us what authority these 
teams would be operating under and how will they interface with 
their Intelligence Community colleagues?
    General Alexander. Sure, Congressman. The key is we 
organize the teams into groups. So the teams that you are 
referencing, those 13 are what I will call the National Mission 
teams, that would have the mission to counter an adversary who 
is attacking our country.
    They are the counter-cyber force. I call that offensive 
because their job is to stop--like a missile coming into the 
country, their job would be to stop that and provide options 
for the White House and the President on what more to do.
    So they are the folks that would counter any cyber 
adversary. We also are creating teams to support combatant 
commanders and their missions and operations, and then we are 
building teams to operate and defend our networks within DOD 
and work with DHS and FBI as required.
    So those are the three sets of teams and the three general 
missions that they have. And then, we have supporting them, 
what we call direct support teams that provide the analytic 
support that we would need for that.
    All of this is integrated and works seamlessly with the 
Intelligence Community and with FBI to ensure we don't have 
duplication of effort and we are not all operating on the same 
place in cyberspace so that that is deconflicted.
    Mr. Langevin. My time is expired. I will have more 
questions for the witnesses in round two. I yield back.
    Mr. Thornberry. I thank the gentleman. And I think it is 
helpful that explanation of what offensive means in this 
context because there is a variety of definitions that people 
use for that.
    Dr. Heck.
    Dr. Heck. Thank you, Mr. Chairman. I thank all of you for 
being here.
    General Alexander, there have been some discussions about 
the roles of Cyber Command and protecting domestic critical 
infrastructure. How would that role differ if the attack was 
coming from OCONUS [outside the contiguous United States] 
versus CONUS [contiguous United States] and do you have the 
Title 10 authorities necessary to respond to a domestic attack 
in real time since you are really the only entity that can 
defend in real time.
    General Alexander. Congressman, thanks, because I think for 
clarity, from my perspective, the domestic actor would be the 
FBI. And the FBI, we share our tools with the FBI.
    They would work through the courts to have the authority to 
do what they need to do in domestic space to withstand an 
attack. We have worked very closely together.
    Director Mueller and his teams are absolutely superb to 
work with. And we have come up with a way that he would do 
inside, we would do outside. Now, there may be points in time 
where you have different--you know, significant attacks where 
we need to change parts of that.
    But the key thing is to have him do inside the country. We 
can support back and forth and do this at network speed. So we 
are practicing that. I think that is something that we can do.
    He would work with the courts as appropriate to do his 
portion of the mission. Outside the country, that is where we 
would operate.
    Dr. Heck. So you would be comfortable if there was a Saudi 
Aramco kind of attack that originated from within the United 
States at U.S. infrastructure, that the FBI would be able to 
respond and thwart that attack in real time?
    General Alexander. Assuming that we could see it because 
that kind of an attack is a whole different issue. And on that, 
where we would really depend is on working with the Internet 
service providers. They would stop that packet initially by 
some signature that we gave them.
    And so, that is something that would go to a domain 
controller that we could stop. I think that is a different set 
of tactics that you would use versus the distributed denial of 
service attack where you are trying to take out the bots and 
the command and control infrastructure.
    Dr. Heck. Okay. And then, how is the IC [Intelligence 
Community] supporting the cyber intelligence needs of DOD? I 
mean, beyond NSA, what IC organizations are the primary 
intelligence providers for CYBERCOM?
    General Alexander. Well, there are several, of course, the 
Central Intelligence Agency [CIA], the Defense Intelligence 
Agency [DIA] and NGA, the National Geospatial Agency. Tish Long 
and her folks have done a superb job, too.
    It is kind of interesting. You say, ``Well, what can you 
see from imagery?'' But there are some great things that you 
can do by bringing the actual physical infrastructure and 
overlaying the cyber infrastructure--so all those work.
    And within the military, DIA has, within our J2, people, at 
Cyber Command that work at--and of course, NSA has a great 
foundation of folks that really provide the best support that 
we have across that technical layer.
    Dr. Heck. Thank you, Mr. Chairman.
    Mr. Thornberry. Thank you.
    Mr. Kilmer.
    Mr. Kilmer. Thank you, Mr. Chairman.
    I am particularly interested in workforce issues and how we 
prepare the workforce to meet the needs within the cyberspace. 
And I have a number of questions in that regard.
    And I guess, Ms. Takai, I will start with you. As CIO 
[Chief Information Officer] you oversee the Information 
Technology Exchange Program that is set to expire on September 
the 30th, which seems like a good opportunity to leverage 
talent that is already in the workforce to bring industry and 
the Federal Government together, to knowledge share and learn 
best practices in cybersecurity.
    I was hoping you would give a little update on that 
program's success and then I have a few specific questions 
therein. Do you feel like enough private companies know about 
the program and have been able to take part? Can you speak to 
the advantages of extending and/or expanding the program?
    Have there been any problems with any aspects of the 
program that you think, if we looked at continuing it, should 
be addressed? And then, finally, I know to be eligible, an 
employee must be a GS-11 or the equivalent or above. Do you 
think that is an appropriate level or would you think there 
would be a value in adding additional--involving additional 
workers in the mix?
    Ms. Takai. Well, let me see if I can take all those 
questions in turn.
    First of all, I think, we probably do need to expand our 
communications on that program. The program has been, I think, 
a great opportunity for us to bring industry technology experts 
into DOD and likewise, be able to look at where DOD employees 
can go out into industry to get experience.
    But to date, we really do need to think about how we expand 
the program and from a communication perspective. However, I 
think it is important to note that right now, we have a key 
individual who has just recently joined my department from 
Cisco.
    He is a very skilled, highly capable architect and one that 
is always difficult to grow. That kind of technical knowledge 
is something that just takes time. And so, the ability to bring 
that individual in and have them take a look at the work we are 
doing on the Joint Information Environment has really been 
valuable.
    So we are really seeing the benefit of the program and 
therefore it is very important to us to continue the program. I 
think in terms of some of the challenges that we have had in 
terms of moving the program forward, it has really been 
understanding how to get the companies to understand the 
security requirements and for us to be able to get them in 
through our fairly long security process.
    And I think some of that is just a part of it. But I think 
also we need to be in a position where we can better educate 
the companies on the kinds of security requirements that we are 
going to be asking about. And so, we are looking very much to 
take the lessons learned from the program, to be able to expand 
it. I think from a level perspective, I think starting at the 
GS-15s is sort of the--you know, the first level is actually a 
good place because it does give us the opportunity to go from 
the GS-11 level up through various levels, you know, into 
actually an SES [Senior Executive Service] level, which is the 
more highly skilled folks.
    So I think starting there is a good place and the program 
does give us the flexibility then to bring people in at 
different levels. So we are very excited about the program. As 
I say, we appreciate the industry participation we have had so 
far and would very much like to continue the program past the 
sunset date in September.
    Mr. Kilmer. Thank you. Maybe just in follow-up, I would 
just like to ask more generally what you feel collectively we 
can do as Members of Congress to help you recruit an adequate 
number of workers in the cybersecurity realm?
    Ms. McGrath. So I can say from a--again, I am more in the 
business space within the Department and it is always 
challenging to find skill sets even with the Enterprise 
Resource Planning and the more modern technological capability.
    So we are buying commercial-off-the-shelf. It is really 
educating the workforce to get there. The Congress has passed 
legislation to enable us to hire highly qualified experts. I 
feel the Department has not leveraged the opportunity that we 
have so far, or to date, as much as we could have, really 
bringing folks in for a term.
    It can be 1 to 5 years to work on some of these really sort 
of hard problems that we have, to ensure that our outcomes are 
what we need. But we do have actually a very good model in the 
SECDEF [Secretary of Defense] Corporate Fellows Program where 
we take our military and send them out to industry for a year 
at some of the, I would say, best and brightest companies like 
Cisco and Caterpillar and Google and--so we are not leaving 
anybody out, but I couldn't possibly mention them all.
    Because they are already cleared, they have, I will say 
those kinds of requirements already met and it seems to be an 
easier transition from within the Department for our military 
externally, but I would wholeheartedly welcome, you know, 
anything we could do to advance the communication because I 
think it helps certainly in the business space with the 
activities we have under way.
    Mr. Thornberry. Mr. Peters.
    Mr. Peters. Thank you, Mr. Chairman.
    Just maybe a follow-up on that. I think, General, it was 
you who may have told us a few weeks ago about some of the 
difficulties you were having recruiting talented individuals in 
light of the budget uncertainty that we had.
    That perhaps, people are coming to you and saying--I heard 
this at one testimony I think it was you--saying, ``Gee, you 
know we can't really depend on this for a career if we don't 
think that Congress is behind it.''
    Last week, we took an action to relieve some of the 
pressure, perhaps, on the military side at the House level and 
that is working its way through Congress. But, do you want to 
update us, just to follow on Mr. Kilmer's question, how is the 
uncertainty around the budget or how is the budgeting 
continuing to affect your ability to recruit the kind of people 
we need to be our warriors?
    General Alexander. So, you have hit it right on the head, 
Congressman, that what we are getting from some of our people 
especially those who come from industry, they already take a 
pay cut coming to the government. And they do this because they 
are patriots.
    The issue is they have taken a pay cut and now we are 
saying, ``Well, you might get a pay cut again and this pay cut 
will be furlough and we are not sure how that is going to go, 
or where that is going to be.''
    That uncertainty is something that truly complicates their 
willingness to stay with us. And we don't--we should not do 
this to them. You know, we are trying to get the great people 
into cyber. These are technically qualified people.
    You go out to Google, they are looking for people today. 
You know, I sat down with the Google HR [human relations] 
folks. They said, ``Look, we are paying, you know, probably 
twice as much as you are paying folks'' and they are having 
trouble getting them.
    We get them because they want to do something good for the 
Nation. So as a consequence, I do think we have to, one, give 
them the certainty. I would just say, two, they are our most 
valuable assets. You know, it is the people. That is the talent 
that we need and we need to let them know we care about them, 
all of us, and we need your support in that.
    Mr. Peters. Thank you.
    Thank you, Mr. Chairman. I yield back.
    Mr. Thornberry. Thank you.
    Mrs. Davis.
    Mrs. Davis. Thank you, Mr. Chairman.
    And I would certainly appreciate that comment because 
sometimes we have a perception out there that somehow Federal 
workers are not necessary to make everything work in this 
country. And I think that we know that that isn't true on just 
about every level. And so, I appreciate your comments.
    I wanted to ask about the electronic health records. I know 
that is not exactly on the agenda right now. But I wonder if I 
could do that because we know that recently it was announced 
that the Department of Defense was going to--no longer are we 
going to have parallel efforts, I think, in trying to create an 
interoperable system. And that the Department of Defense was 
going to try and work with the Veterans Administration [VA]. 
Can you talk a little bit about that and what is going on? We 
had had that strategy articulated that they were going to do 
that, and it is just not clear now, exactly, what we are going 
to do.
    I know that the discussion was around trying to cut costs, 
that we were going to create this common system, but in light 
of the fact that we are not going to do that, how are we going 
to create this interoperable system that is going to work?
    Ms. McGrath. So I would be happy to take that question.
    The Department of Defense and Veterans Affairs have been 
working together over probably 10 years to enable greater 
sharing of information between the two organizations. So when 
our military members transition from defense to the VA, that 
all their information comes with them and we could get out of a 
more paper-based approach to medical treatment and history.
    And I think we have made significant progress in terms of 
sharing the information over big, I'll just say, pipes of 
interfaces between the two organizations. Both DOD and VA were 
looking to modernize their legacy environment.
    And so, back in March of 2011, then Secretary of Defense 
Gates and Secretary Shinseki of the VA decided to abandon, if 
you will, either legacy system--so in VA it is VistA [Veterans 
Health Information Systems and Technology Architecture] and DOD 
it is AHLTA [Armed Forces Health Longitudinal Technology 
Application]--and move together jointly for sort of a common 
system, if you will, although it would probably be a family of 
systems that enable this capability to happen.
    And we moved out smartly and made sure that we were 
approaching the solution, if you will, with a common 
architecture, a common data standard which is really key toward 
interoperability.
    VA has moved their systems into our DISA [Defense 
Information Systems Agency], so that we are collocating as much 
as possible common business practices.
    Because if you don't have all these things, you are still, 
I will just say, the IT will only get you so far.
    And so, the foundational aspects of all these things we 
agreed to in 2011.
    What you have heard recently, is the, in December of 2012 
the Interagency Program Office had completed an engineering-
based or bottoms-up, if you will, lifecycle cost estimate which 
really put the approach, the affordability of the approach, in 
question.
    So the question Secretary Panetta and Shinseki said to the 
teams was, is there a more economical way to still deliver an 
innovative electronic health record to our military members and 
veterans, but it is done in a less risky way.
    So you reduce the risk, decrease the cost and maintain the 
schedule that we are on. And that is when the Departments 
decided to instead of build, if you will, the system piece by 
piece, to start from a core set of capabilities and build out 
from a core.
    So the VA decided to go back to their legacy system, again, 
VistA. The DOD does not have, right now anyway, a desire to use 
its legacy system and want to ensure that we have explored all 
opportunities.
    So when we are looking at what would our core capability--
would it be the VA's VistA core, VistA as our core? Would we 
look at--would we have something commercial? The health space 
has gone, has made tremendous leaps in terms of modernization 
over years. We want to ensure that we are assessing the 
capabilities that commercial market brings.
    And we are right now--we issued a request for information 
in February. We got all the answer, all the responses in. We 
are evaluating them through our Cost Assessment and Program 
Evaluation team has the lead for that and they will make a 
determination whether or not we will go with a COTS 
[commercial-off-the-shelf]-based solution or a government-based 
solution by the end of March.
    Mrs. Davis. Is it fair to say that we have kind of 
abandoned, though, the joint strategy?
    Ms. McGrath. I think the joint strategy still exists from a 
data interoperability and integration. If I talk about a 
military member's health record, I am populating that record 
from data from different sources.
    The change in the strategy is really the underlying IT 
system. We still want to do as much joint as we can from the 
various applications like immunization, lab, and all the other 
health-related stuff.
    And I think that the architecture, again all the handshakes 
that we made in the beginning in terms of architecture data, 
those are all still absolutely at the forefront.
    So there has been certainly a change with the approach to 
the underlying IT. But there has been no change to our----
    Mrs. Davis. I guess what would be helpful to know about 
that is how is that going to affect the service member. And if 
they are--it sounds like you are looking at a new acquisition 
strategy perhaps. And I think we would certainly be concerned 
about costs involved and kind of, what have we lost I guess, in 
that time that we were working on all that.
    So I just wonder maybe we can follow up with those 
discussions. But I appreciate it because I wanted to just take 
this opportunity to try and understand better what has happened 
and how we can move forward.
    Ms. McGrath. Yes, ma'am, I would be happy to----
    Mrs. Davis. We have spent a lot of time on that.
    Ms. McGrath. We have and I would just say that all the 
infrastructure, the very foundational things that we have been 
working on since the agreement in 2011, all will be carried 
forward. And so, we are not, I will just say, scrapping 
anything from that perspective; we continue to use those 
foundational pieces because they are key irrespective of the 
applications that will ride on top of that infrastructure.
    But I would be happy to give you more detail.
    Mrs. Davis. Thank you. Thank you, Mr. Chairman.
    Mr. Thornberry. I appreciate the gentlelady asking about 
that because I remember very well the hearing we had in the 
full committee with Secretary Panetta and Secretary Shinseki. 
And this was the key thing they trumpeted. Never before would 
we have this kind of cooperation between the VA and the 
Pentagon with one health record that would follow a service 
member from the day he enlisted all the way through.
    And it is discouraging that under the best case scenario it 
is going to be significantly delayed to have that available as 
you all work through these various options. I don't understand 
or underestimate the technical difficulty in doing so.
    I don't know. It is just frustrating I guess when this was 
trumpeted as such an achievement; that at least, there is a 
change in strategy.
    Ms. McGrath, I am really not trying to pick on you but let 
me ask you about one other situation that maybe hadn't turned 
out so well.
    The Air Force's Expeditionary Combat Support System [ECSS], 
what happened with that? And what have we learned from it?
    Ms. McGrath. I would like to say--and I will very quickly 
move to the ECSS question.
    But the two things on the electronic health record. One is 
the underlying system piece, and sort of the modernization.
    What we are also focused on is accelerating data 
interoperability. We have standard data in the Defense 
Department across the entire organization. Because of the 
mobility of our military members, the information must be 
wherever the military member is--that is theater, East Coast, 
West Coast, does not matter.
    The VA--we are mapping the DOD health data dictionary to 
the VA data so that by the end of this year we will be using 
standard data between the two organizations and we will be able 
to populate a military record, an integrated electronic health 
record, with DOD and VA information.
    And so I don't want to--I understand the concerns. I have 
been----
    Mr. Thornberry. That is helpful, I appreciate you 
clarifying that.
    Ms. McGrath. And so, we do. We are moving very smartly 
forward.
    With regard to the Air Force logistics transformation 
program, true, not as positive a story. It was a story that 
began in the 2005 timeframe, and it was laden with I will just 
call them issues. We had a couple of protests along the way I 
think that added at least a year-plus to the program. We 
restructured it in 2009. They didn't meet a 5-year initial 
operational capability in the 2010 timeframe. So then we put I 
will just say stronger fiscal controls on the program to make 
sure that we identified success criteria both from a government 
perspective and a vendor performance perspective.
    We also restructured the contract to be more outcome-
oriented. And frankly, the program overall was not delivering. 
And, therefore, we cancelled it in the December timeframe of 
last year.
    We have this in terms of this program that has provided 
many lessons learned as well as some of the other programs, 
both--some successful--we still learn from these programs and 
some not, in the area of size and scale this clearly was one of 
those programs that was way too big.
    We need to chunk these IT systems, if you will, into 
smaller capability sets. And so, we are delivering and then 
adding as opposed to trying to deliver the whole thing at once.
    Buy in leadership skill sets. And we talked a little bit 
about cyber skills and I mentioned the skill sets. Data, data 
quality is huge. For any of these IT programs, you are really 
trying to take really old data from old legacy systems, bring 
them into the new modern, much more tightly controlled 
environment. We have learned a ton with regard to data.
    The infrastructure also can't be understated. The work that 
Ms. Takai is doing with the Joint Information Environment so 
that we have a much more holistic perspective on the network. 
How it runs, it is optimized. We find in every program I will 
just call it too much infrastructure, so it adds to latency and 
all of these kinds of issues. We have captured all of these, if 
you will, lessons learned along with some standardization of 
leading indicators across programs; we weren't managing and 
monitoring them in a similar way. And we have made those 
changes so that the program office, us, and us together, can 
look at really the health of each one of these programs as they 
move throughout the life cycle.
    Mr. Thornberry. Well, to state the obvious I realize, but 
under the best case scenario we are going to have tight defense 
budgets as far as the eye can see. And a large amount of money 
goes to these various IT programs.
    And obviously we have the same interest that you do, I 
know, into making sure that the money we spend is spent well 
and you get something for it.
    It is particularly--I mean I appreciate the lessons 
learned, which are important absolutely. But it is frustrating 
also to spend money and then not have a system that works at 
the end of the day.
    Hopefully, the lessons will improve others but it is 
something we are going to have to continue to get better about, 
no doubt.
    Ms. McGrath. Excuse me, sir, may I add just very quickly?
    Mr. Thornberry. Of course.
    Ms. McGrath. Because I mean we do share both the desire to 
get it better and the frustration when it doesn't. And I am 
constantly looking for ways in how you apply the lessons 
learned from program A to program B or whatever the next one 
is.
    But I would also say that I don't want to lose sight of 
some of the capability that has been delivered.
    And the only data point that I will give you is that in 
2009--and when we looked at the amount of money being spent on 
really we have about 14 of these major business programs. We 
were highly in a developmental stage.
    The number of users in these main ERP [Enterprise Resource 
Planning] programs was about 27,000. Today, those same 
programs, we have 195,000 users. So we have delivered 
capability without going through the--I will just say the [word 
unclear] we tend to talk about, those that are sort of really 
big, expensive and not go so well. But there has been progress 
made in terms of delivering supply chain capability, financial 
capability, and also contracting. And I just don't want to lose 
that--and I appreciate you allowing me to share that.
    Mr. Thornberry. Yes, ma'am. I appreciate it.
    Kind of continuing on a theme of trying to spend smarter or 
at least exploring ways, Ms. Takai, the Defense Business Board 
made recommendations about satellite communications [SATCOM] 
and recommended that we could make some capital leases in 
multiple increments of up to 10 years. It has also been 
suggested that we could lease these satellite services for more 
than 1 year at a time which is what we have been doing and 
probably the most expensive way to do it.
    Can you comment on that suggestion? And is that not 
something the Department should look at as a way of saving 
money for the commercial satellite services that we, that the 
Department depends so much on?
    Ms. Takai. Yes, sir. We have seen the Defense Business 
Board recommendations and we do believe that there is benefit 
in looking at the cost recovery model that we are using for 
commercial SATCOM. And it is a requirement that we actually 
look at that over a multi-year period because of the nature of 
the industry.
    So one of the things that we are doing is to actually put 
together a cost recovery model that takes into account a multi-
year acquisition, to look at what is the best approach so that 
we can guide programs going forward.
    We are implementing a converged SATCOM gateway architecture 
that will help to standardize more on the way that we are 
buying commercial SATCOM and actually our own SATCOM. We are 
looking at a plan of action for our own nuclear voice 
conferencing integration and then looking at--we are actually 
conducting an analysis of alternative study as it relates to 
that.
    One of the challenges for us is that when we look at 
commercial SATCOM, it is also important for us to look at the 
security of that commercial SATCOM. And in many cases, we are 
asking those commercial SATCOM providers to actually provide us 
capabilities that aren't necessarily the demand from the rest 
of their customers to the extent that we are looking at it.
    So that requires some upfront investment for them, and if 
we are not able to actually commit to a multi-year capability, 
then we get into a couple of situations, neither of which is 
good. One of which is we would ask them to take that on and yet 
at the point in time we want to use it, we no longer have the 
funding in order to be able to do it.
    On the other side, we fund it upfront and we aren't 
necessarily using the capability. That is why we need to look 
at a different way of the cost recovery model from a multi-year 
perspective in order to be able to manage the issue that was 
raised by the Defense Business Bureau.
    Mr. Thornberry. Well, if there are additional authorities 
that you need to look at multi-year procurement of these 
services, please come and talk to us because I don't see if you 
are a satellite company how you can meet the Defense Department 
needs a year at a time particularly given what you just said 
about enhanced security requirements as part of that. I don't 
see how that can ever be done cost-efficiently without looking 
ahead several years.
    General Alexander, I am going to take the other side of the 
argument now. This is a brochure from one of your two hats 
about commercial solutions for classified. And I guess it is 
inviting commercial companies to submit their products to see 
whether it could be used in a classified environment.
    I mean--and I guess in a general way, is this a new 
emphasis on making more use of commercial hardware and software 
in a classified environment? And can we do that in a secure 
way? Again, thinking back to the Defense Science Board saying 
we got problems here.
    General Alexander. Chairman, I think we can. A couple of 
areas. If you think about encryption capabilities, going out 
and getting commercial encryption and making sure that it meets 
the standards, and we can set the standards based on different 
encryption levels. We can if we know the company and the way 
they actually create the capabilities, the tokens. And you can 
look at some of the DOD cards and stuff that we actually use. 
We can ensure that it is done right, then there is a great 
opportunity for us to work with industry.
    I think this is going to become hugely important as we grow 
mobile devices that, you know, our spouses will use for 
banking, need to be secured at a comparable level to the way 
that we would need to do classified and sensitive operations.
    So ensuring that the devices have that capability not only 
helps industry, it helps the government, and I think there are 
great ways to do it. We look at that in some of the encryption 
stuff we work with NATO [North Atlantic Treaty Organization] 
and elsewhere, so I do think it is a great step forward, and 
industry does provide us some great capabilities.
    Mr. Thornberry. Mr. Langevin.
    Mr. Langevin. So maybe on that line of commercial, let's 
talk a little bit about the cloud as where--we seem to be 
moving more and more toward the cloud. You know, articles that 
I have been reading recently have diminished my confidence in 
the security of the cloud, at least it has called it into 
question anyway.
    There have been some high-profile thefts of information 
from that, in that realm. And yet I know that certainly is 
something that your operation, General, are looking at moving 
more into, more in that direction.
    Let's talk about the security of the cloud. And if we do 
make a robust change in that direction, you know, what are we 
doing about guaranteeing security? What is your level of 
confidence in securing the cloud?
    General Alexander. So this has several dimensions to answer 
that question. I am going to try to hit each of those, and then 
if you want more information, we can come back.
    First, when we talk about cloud security versus what we 
call legacy architectures, the problem that we have with legacy 
architectures is if you look at the Defense Department's 15,000 
enclaves with administrators for each of those enclaves, the 
ability to patch those networks and set vulnerabilities is at 
the manual speed.
    And the problem that that creates if you say that the time 
a vulnerability is publicly identified until it is done in the 
Department, it takes way too long because it is done to those 
15,000 network parts.
    We are using the host-based sensor systems to help speed 
that up but it is not where it needs to be. And your ability to 
actually see into those enclaves is very difficult. So the 
first thing that a cloud can give you is the ability to patch 
those systems almost in real time. You can reach out and patch 
that network there.
    Now there are some issues that we have had with the cloud. 
One of the things that we saw is the cloud systems as we saw 
them did not have data element-level security tagging 
capabilities. So in the one that we created, Accumulo, we 
allowed it to have each element of data tagged and secured at 
that level, and only accessible at that level.
    And there are some exceptional things that we can do in 
this area that I can go into more detail in another setting 
that gives you how I think this is more securable than legacy 
architectures. From our perspective, from our technical 
perspective, it is much better. It is not perfect. The issue is 
somebody who hacks into your networks over here, you don't know 
where they are but they have free--they are free to roam around 
once they are inside. You just don't know they are there.
    As you may know, most companies that get hacked in the 
legacy system don't know about it for 6 to 9 months. I think we 
can go much further in the cloud and I think you will see that 
that will far outstrip legacy architectures in security. Unless 
you come up with an architecture that is completely 
independent, nobody else can get into.
    But for what we need it for the Defense Department, we need 
mobile secure comms [communications]. And when you think about 
it, think about our ships, our aircraft and our mobile teams 
out there, they have to talk to something in the mobile 
environment. They are going to end up talking to the cloud. So 
we have to fix that cloud environment.
    I will tell you that what Ms. Takai and her folks are doing 
with the Joint Staff J6 and our folks on the JIE is a huge step 
in that direction. It will address all of those types of issues 
and there is more. You know, I feel like the Ginsu knife guy--
``wait, wait, wait, there is more''--because, you know, think 
about what you can do in a cloud that you can't do in a normal 
system, just to give you a couple of ideas.
    You can jump your networks, you can jump your databases, 
like frequency-hopping, that makes your ability to hack into 
them very, very difficult; and each day down that can be 
encrypted with a different algorithm depending on the security 
levels of the people who need access to that data. That is a 
huge step forward. We are having tremendous success in that 
area. And I think you have seen some of the folks who are 
working on that.
    I think you may have talked to some of them, Dave Hurry and some 
of the others that are really good at that.
    Mr. Langevin. Well, thank you for the answer. That helps 
quite a bit. If I could, let me turn now to Ms. Takai. So 
obviously this is, you know, all of these great technologies 
that we have ultimately come down to the people.
    How well they are trained, do they know the capabilities of 
the systems and so--I know you touched on this a little bit but 
can you speak further to us about how you are developing the 
pipeline of cyber and IT professionals in the Department and 
are there things that we can do better to support you? And I 
know you have talked on this a little bit, I would like to give 
you an opportunity to expand on this even further if you would.
    Ms. Takai. Thank you very much. Well, first of all, let me 
just give you a synopsis of the actions that we are taking 
around growing the cyber workforce. The first steps are really 
around being able to support General Alexander and making sure 
that as we are growing the cyber capabilities, we are doing it 
to the requirements of what he feels he needs from the cyber 
workforce perspective.
    So it is important that we recognize that the capabilities 
that we are growing are going to be operational capabilities 
and we are really focused on that partnership and making it 
happen. We are putting together that strategy today. The first 
grouping will be individuals that we have inside DOD and we 
will need to update our certifications, we are going to need to 
upgrade our capabilities.
    And the other thing I think and General Alexander can speak 
to this even more. It isn't just necessarily technical people 
that are going to be on these teams. It is going to be a 
breadth of experience and it is going to really need several 
capabilities. Now, just to speak to the technical side of it, 
we are going to be bringing in and growing the resources from 
some of the technical people that we have today.
    The plan is through the Joint Information Environment 
really as we begin to implement it, we will be able to free up 
individuals who can then be trained with some of the technical 
background to be able to move into the cyber defense area much 
more heavily than they are today. So that is one--number one.
    And then secondly is we are going to step up our recruiting 
and with that we are going to have to be more definitive around 
the career path for the civilians that we hire. Clearly, the 
military and General Alexander is addressing how the military 
will be moving folks through. But one of our challenges is we 
aren't going to be able to rotate people in and out of jobs in 
the same way, because the skill sets that are required here 
means we need to have a single career path for these 
individuals to continue to grow.
    And that will be an area that we will want to come back and 
talk with you about because today the way that we do that 
career development doesn't necessarily allow us to keep people 
in a single path and move them up progressively, it tends to 
move them around from position to position. So, that is an area 
that we will be back to you.
    The third area is that we are going to have to find a way 
to be able to recruit individuals at the more senior levels to 
be able to supplement. We are not going to be able to grow 
everybody from within. And that is an area where we are going 
to have to look at our existing programs to see what we can do 
from a competitive salary perspective.
    We can get a lot of good people because the national 
mission is important, but at the same time we are going to have 
to look at what those sources of individuals would be and that 
would be as I say not only looking at our university systems 
and being able to grow them, but also what will it take to 
recruit some of them from the outside.
    Mr. Langevin. Thank you. Further, you know, to talk about 
this issue of integration, how are you planning to integrate 
our total force capability such as those resident in the 
National Guard cyber units into a comprehensive CYBERCOM 
approach, particularly with regard to command and control and 
authorities?
    Ms. Takai. Let me start and then ask General Alexander to 
comment on this as well. We believe that the National Guard 
does provide a great opportunity to actually look at being able 
to look at other forces. So for instance, particularly in areas 
like Washington, particularly around Redmond, and in the areas 
of Silicon Valley, we know already that we have individuals 
that are in the National Guard that are highly capable.
    The key thing I think is to make sure that as we utilize 
the National Guard, we are doing it in not only a uniform way 
but we are doing it in a way so that we have the advantage in 
two senses. One is that it is integrated with the entire cyber 
approach that General Alexander is going to speak to. But 
second of all, that as we are moving people through there and 
as we are actually utilizing them in different settings, that 
again they are going to be operating in the same way, they are 
going to be able to be integrated rather than them having sort 
of a separate approach to the way they are doing the training 
and not be able to call them in when they are needed.
    But General Alexander, let me have you also talk to how 
they are going to fit within your teams.
    General Alexander. Congressman, I would add also the great 
teams in Rhode Island, Texas and Nevada, just to get all three 
of them out.
    Mr. Langevin. The 102nd in Rhode Island.
    General Alexander. And of course, I know Ms. Takai wanted 
me to mention those. We sat down with the National Guard a 
couple weeks ago. We have had our first Guard exercise last 
summer. We will have another one this summer. As Ms. Takai 
said, we are training everybody to the same standard. My 
comments to them is, look, your folks have to be trained and 
certified to the same standards as the Active Force.
    Our focus would initially be on the cyber protection teams 
that they would create. And I think they will focus on regional 
teams. The 10 regions of the Guard, create those teams first, 
train them and operate them. See what their role and 
relationship would be working with us, DHS, FBI and NORTHCOM 
[Northern Command] defense support to civil authorities. There 
are some great things that we can do.
    We will also create some offensive teams and some of the 
Guard units are already doing that. I talked to General Grass 
today on this topic. He, General Jacobi and I will meet next 
Tuesday and perhaps we are going to meet right now. That must 
be him calling in.
    We will meet next Tuesday to actually lay out a transparent 
program so the service chiefs see what we are buying. We want 
to make sure that this is a program the service chiefs sign up 
to because parts of this are going to be in their budget and we 
want to make sure that everybody is transparent in what we are 
getting here.
    So that is the process. There is a Cyber Guard exercise 
coming up. I think those are some of the things that you and 
some of the other members may be very interested in; you are 
welcome to attend parts of that.
    Mr. Langevin. Thank you. I am very impressed with the work 
of the National Guard and as you have mentioned we have the 
102nd in Rhode Island that is actively working with various 
aspects of cyber, particularly with the 24th Air Force. I have 
had the ability to get down to the 24th Air Force in Texas and 
visit with General Vautrinot there. And I know that they are 
working very closely with our Rhode Island National Guard in 
that respect.
    General, as always, we thank you for--and your team. Please 
pass on our appreciation to the extraordinary men and women 
under your command and also, Ms. Takai, at the Pentagon, for 
the work that they are doing, how dedicated they are, it is 
obviously very important. We want to do everything we can to 
support you and before I yield back I just want to thank the 
chairman for his partnership in this effort as well.
    There are very few people in the Congress--not enough--that 
focus on this issue of cybersecurity and I know, Chairman 
Thornberry, how much you put a lot of time and effort into this 
issue and there is not another Member of the Congress that has 
worked as hard on this issue as you have, so thank you.
    Mr. Thornberry. I appreciate it, Jim--obviously, the 
gentleman has been a leader in this for some time. Dr. Heck, do 
you have other questions?
    I just had two more things I wanted to ask about. General 
Alexander, to the extent you can talk about it in open session, 
this subcommittee has been interested before on tactical use of 
cyber in military operations. And I noted that part of your 
teams, the teams you are creating in Cyber Command, are those 
teams--some teams to support combatant commanders.
    And can you in this forum describe how that will work, to 
whom they will answer, how it will be decided what operations 
to carry out and whatnot, that sort of thing?
    General Alexander. Chairman, broadly speaking they are 
going to work at the strategic level, those combatant command 
[COCOM] mission teams will be directly focused on the COCOM 
requirements and answer to those requirements.
    We will have a deconfliction process that that combatant 
commander and myself will work together to make sure that if 
somebody else is working in that space we deconflict it, and 
that is logical so that you don't have two people working in 
the same space.
    That is different than the tactical service teams that we 
would create. So if you go into Iraq like in the past 10 years 
and look at what we did for our intelligence teams that support 
brigade combat teams, that was a huge success.
    In the future, you can imagine that we will eventually 
grow, at the tactical level, cyber teams that are part of those 
intelligence teams or working together with them to provide 
local cyber effects. They would have to be trained to the same 
standard, deconflict through a theater and others, just as we 
do other areas. But I think it would provide that.
    And then you can see that the Air Force and Navy would have 
tactical and operational level that would nest into what we are 
building at the combatant command level. So I think they will 
work as a team, think of that as a cryptologic architecture now 
for cyber going all the way down. And I think this provides us 
tremendous capability at the tactical edge.
    Mr. Thornberry. I fully agree, it does. I guess, what I 
haven't quite got my mind around is how you deconflict what you 
think is a tactical operation when there really is not 
geography in cyberspace. And so the equities that--part of 
our--my concern has been that if you want to have a tactical 
cyber operation, you basically have to have a full complement 
of all the agencies in Washington to hash it all out. And that 
is not very time efficient for cyberspace and just how that 
would work on a practical basis. I think we got to work our way 
through it. It is just something that I have been interested in 
and we have worked on from time to time. Do you have one----
    Ms. Takai, we could not have a hearing without me asking a 
question about spectrum, because it is such an important part 
of what goes on. I know there was a recommendation for sharing 
spectrum as a possible, I don't know solution, but as a 
possible step that could increase spectrum for anybody. Do you 
have any comments on that recommendation?
    Ms. Takai. Yes, sir, and I was wondering whether we would 
get to the spectrum question or not, so here we are. We 
actually feel very strongly that it is important that we look 
at spectrum-sharing as a possibility.
    I think the report that you are referring to is probably 
the President's PCAST [President's Council of Advisers on 
Science and Technology] report that suggested that we have to 
look at spectrum-sharing going forward. We are participating 
now in five different working groups that are being led by the 
NTIA [National Telecommunications and Information 
Administration] to look at different areas of spectrum-sharing.
    And we actually have had success in spectrum-sharing. We 
have had an instance where we have been able to actually use 
and be able to share with a medical device, a medical alert 
device for some of the areas. So we do believe that there are 
opportunities.
    But with that, spectrum-sharing has its challenges. It 
isn't a new concept; it is certainly just coming to light now 
because of the severe pressure on spectrum. There are several 
different ways to do it. One of them is geographic, where you 
look at exclusion zones.
    The difficulty for us in certain bands, like the 1755 to 
1850 band, is that the exclusion zones would actually be in the 
same areas that the commercial providers are interested in. So 
we have to look at that. The second thing is whether we could 
do it from a time standpoint.
    But again in 1755 to 1850 which we use very heavily for 
training in CONUS, that becomes difficult because we can't 
predict where in fact we are going to be in the timeframe we 
are going to be using it.
    So I think it is--there are great opportunities. I think we 
do need to explore and we are working and have signed some of 
the first ever MOUs [memorandums of understanding] with 
some of the commercial companies to actually do some 
experimentation in certain geographic locations.
    But I think it is a step beyond where we can, you know, 
necessarily say we can go to say that spectrum-sharing is going 
to solve the problem. It is really a combination of where do we 
have to vacate, where will we need comparable spectrum, and 
then where are the areas that we can share now and then going 
into the future.
    Mr. Thornberry. Thank you. And thank you all again for your 
patience and for your brevity. We hit on a wide variety of 
topics today and that was very helpful. And as the gentleman 
from Rhode Island said, we appreciate each of you and the folks 
who work with you and what they do for the country.
    With that the hearing stands adjourned.
    [Whereupon, at 5:05 p.m., the subcommittee was adjourned.]
      
=======================================================================

                            A P P E N D I X

                             March 13, 2013

=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                             March 13, 2013

=======================================================================
      
      
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
      
=======================================================================

              WITNESS RESPONSES TO QUESTIONS ASKED DURING

                              THE HEARING

                             March 13, 2013

=======================================================================
      
            RESPONSE TO QUESTION SUBMITTED BY MR. THORNBERRY

    Ms. Takai. Response to DSB Report on Resiliency:
    The Defense Science Board (DSB) report entitled, ``Resilient 
Military Systems and the Advanced Cyber Threat'' makes a series of 
recommendations. There is significant effort in the CIO, USCYBERCOM, 
and NSA mission spaces already happening or planned in each 
recommendation area. Below are short summaries of the major DSB 
recommendations, and examples of ongoing and planned work to meet them. 
This list does not include efforts outside of the CIO/USCYBERCOM/NSA 
area of responsibility.

    DSB Recommendation #1: Determine the Mix of Cyber, Protected-
Conventional, and Nuclear Capabilities Necessary for Assured Operation 
in the Face of a Full-Spectrum Adversary (DSB report page 7).
    Secretary of Defense assign United States Strategic Command the 
task to ensure the availability of Nuclear Command, Control and 
Communications ([N]C3) and the Triad delivery platforms in the face of 
a full-spectrum Tier V-VI attack--including cyber (supply chain, 
insiders, communications, etc.)
    Examples of ongoing efforts
      Multi-level human intervention and off-line launch code 
authentications
      NSA-produced NC3 Information Assurance (IA) materials
      Stood up the Strategic and National C3 and Intelligence 
(SNC3I) Joint Systems Engineering & Integration Office (JSEIO) to do 
end-to-end engineering of NC3
      CIO & USD(AT&L) signed DODI 5200.44 which 
institutionalizes supply chain risk management in acquisition and 
sustainment
      CIO & USD(AT&L) assisting STRATCOM in application of 
supply chain risk management (SCRM) to its key programs

    DSB Recommendation #2: Determine the Mix of Cyber, Protected-
Conventional, and Nuclear Capabilities Necessary for Assured Operation 
in the Face of a Full-Spectrum Adversary (DSB report page 7).
    SECDEF and Chairman, Joint Chiefs of Staff (CJCS) designate a mix 
of forces necessary for assured operation . . . . Segment Sufficient 
Forces to Assure Mission Execution in a Cyber Environment
    Examples of ongoing efforts
      Established Cyber National Mission Force-trained and 
certified teams
      Implementing the Joint Information Environment (JIE) to 
improve cyber defense and resilience of unclassified and secret 
networks for better protected conventional capabilities
      Increased funding for cyber capability development (on-
hold for sequestration and Continuing Resolution)
      NSA collection and analysis critical to understanding 
adversary

    DSB Recommendation #3: Refocus Intelligence Collection and Analysis 
to Understand Adversarial Cyber Capabilities, Plans and Intentions, and 
to Enable Counterstrategies (DSB report page 8). SECDEF in coordination 
with the Directors of CIA, FBI, and DHS, should require the Director of 
National Intelligence (DNI) to support enhanced intelligence collection 
and analysis on high-end cyber threats
    Examples of ongoing efforts
      Improving threat information sharing in real-time across 
USG
      Increased Intelligence Community (IC)/NSA focus on 
cyberspace operations support
      Increased ``hunting'' on blue networks
      Cyber integrees from NSA/USCYBERCOM at FBI, CIA, and DHS; 
and vice versa

    DSB Recommendation #4: Build and Maintain World-Class Cyber 
Offensive Capabilities (with appropriate authorities) (DSB report page 
9).
    United States Cyber Command (USCYBERCOM) develop capability to 
model, game and train for full-scale cyber warfare.
    Under Secretary of Defense for Personnel and Readiness (USD(P&R)) 
establish a formal career path for civilian and military personnel 
engaged in offensive cyber actions.
    Examples of ongoing efforts
      Established Cyber National Mission Force (Cyber National 
Mission Teams and Combatant Command Mission Teams)
      Cyberspace operations-focused training exercises (Cyber 
Flag, Cyber Guard, and Cyber Knight)
      CJCS cyber emergency action conferences

    DSB Recommendation #5: Enhance Defenses to Protect Against Low and 
Mid-Tier Threats (DSB report page 9).
    The DOD should establish an enterprise security architecture, 
including appropriate ``Building Codes and Standards'', that ensure the 
availability of enabling enterprise missions . . . . The DOD should 
leverage commercial technologies to automate portions of network 
maintenance and ``real-time'' mitigation of detected malware . . . . 
USD(P&R), in Collaboration with the DOD CIO and the Service Chiefs 
Establish a Formal Career Path for DOD Civilian and Military Personnel 
Engaged in Cyber Defense
    Examples of ongoing efforts
      Developed JIE enterprise security architecture for 
unclassified, secret, and coalition networks
      Migrating all internet-facing servers into a separate 
zone to isolate and contain attacks
      Improving SIPRNET/Coalition/Federal gateways and NIPRNET/
Internet boundary defenses
      Developing a Department-wide Cyber Workforce Strategy 
that includes military and civilian qualifications and career paths
      Automating continuous monitoring of cyber vulnerability 
via use of the already deployed Host-Based Security System (HBSS)

    DSB Recommendation #6: Change DOD's Culture Regarding Cyber and 
Cyber Security (DSB report page 10). Commander, USCYBERCOM and the DOD 
CIO establish a plan with measurable milestones and flow down to all 
organization elements.
    Examples of ongoing efforts
      Creating a capstone Cyber Defense strategy document, 
describing strategic imperatives that will change behavior, culture, 
operations, and intelligence support (e.g., Defending DOD Networks, 
Systems, and Data: Strategic Choices for 2020)
      Conducting annual IA training across the DOD
      Simulating ``Phish-me'' exercises and other real life 
exercises
      Providing each organization and its chain of command an 
automated cyber risk score via continuous monitoring

    DSB Recommendation #7: Build a Cyber Resilient Force (DSB report 
page 11). DEPSECDEF should direct specific actions to introduce cyber 
resiliency requirements throughout DOD force structure.
    For programs not part of the segmented force, provide a cyber 
standard set of requirements (expected to be a subset of the critical 
program requirements list) to be applied to all DOD programs 
(USD(AT&L), DOD CIO, SAEs)
    Develop DOD-wide cyber technical workforce to support the build out 
of the cyber critical survivable mission capability and rolled out to 
DOD force structure (USD(AT&L), CIO, SAEs, DOT&E, USD(I), USD(P&R)).
    Examples of ongoing efforts
      DOD CIO and USCYBERCOM identifying key cyber terrain and 
infrastructure that supports critical C4 systems and assets in order to 
assure mission execution while under degraded cyber conditions
      Developing Resiliency Framework criteria that helps 
delineate requirements for contracts and that can be used in the 
acquisition process
      Creating Cyber security Implementation Guidebook to 
assist acquisition program managers in successfully implementing cyber 
security requirements (with AT&L)
      Use of Cyber Ranges for simulated live fire cyber 
security exercises with active Red Team participation
[See page 9.]

      
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                             March 13, 2013

=======================================================================

      
                 QUESTIONS SUBMITTED BY MR. THORNBERRY

    Mr. Thornberry. Will you comment on requirements and guidelines 
being generated by CYBERCOM with respect to an insider threat program? 
How do you prevent implementation of this policy devolving into a mere 
``check the box'' requirement that does little to enhance our security? 
The FY13 NDAA included language on next generation host-based security 
solutions and mentioned insider threat mitigation as one of those 
capabilities that needed to be addressed in this context. Are 
CYBERCOM's guidelines going to specify that established host-based 
solutions are required to satisfy the enterprise monitoring and audit 
requirements? As a part of your overall risk mitigation strategy, which 
networks will your requirements cover in terms of Insider Threat 
Monitoring?
    General Alexander. USCYBERCOM has developed requirements for 
implementation of insider threat capabilities on DOD networks in 
coordination with the National Insider Threat Task Force (NITTF) and 
the Comprehensive National Cybersecurity Initiative to develop and 
implement a government-wide Cyber Counterintelligence Plan (CNCI 6) to 
achieve the objectives described in the FY13 NDAA. These insider threat 
requirements include auditing and monitoring, insider threat awareness 
and training, foreign travel and contact reporting, polygraphs, 
personnel security, evaluation, analysis, and reporting and security 
incident reporting and evaluation. This provides a comprehensive 
defense-in-depth strategy for the detection of and protection from the 
insider threat. In addition, these capabilities will deter malicious 
insider activity. The comprehensiveness of this approach prevents the 
policy from becoming a ``check the box'' requirement. USCYBERCOM 
directives as spelled out in OPORD 12-106 specify that host-based 
solutions are required to satisfy the enterprise monitoring and audit 
requirements. All U.S. owned and operated DOD Non-secure Internet 
Protocol Router Network (NIPRNET) and Secret Internet Protocol Router 
Network (SIPRNET) networks are covered by these requirements for host-
based security and insider threat monitoring.
    Mr. Thornberry. What progress has DOD made in improving the agility 
and flexibility of the IT acquisition process?
    Ms. McGrath. DOD has taken a number of important steps to improve 
the agility and flexibility of our IT acquisition processes both 
through policy and through proactive involvement with active IT 
acquisition programs. A common theme of these efforts has been to 
tailor the processes to the unique attributes of IT in a way that 
speeds delivery of capability into the hands of our users.
    One important development has been the adoption of an acquisition 
model tailored for defense business systems. This alternative 
acquisition model provides a comprehensive process that aligns 
requirements, investment, and acquisition processes for defense 
business systems under an integrated governance framework and focuses 
on incremental delivery of capability, within eighteen months of 
program initiation. This incremental approach improves control over 
cost, schedule and performance requirements.
    The Under Secretary of Defense (Acquisition, Technology & 
Logistics) issued implementing policy for this model in the summer of 
2011 and the guidance was incorporated into the Defense Acquisition 
Guidebook in the fall of 2012. This policy is being incorporated into 
the next update of the DOD 5000.02 acquisition instruction. The Defense 
Enterprise Accounting and Management System (DEAMS), an Air Force 
financial management program, was the first program to achieve an 
acquisition decision under this new policy and we are in the process of 
transitioning several other major IT programs to this new approach as 
well.
    Through the use of this approach, DEAMS has integrated 
traditionally stove-piped processes and enabled tight integration 
between the functional sponsor and the program office. We continue to 
conduct targeted outreach with Program Managers, Functional Sponsors, 
and Program Executive Officers on this new policy, and are working with 
the Defense Acquisition University to embed the new process into 
appropriate curriculum.
    Mr. Thornberry. In the FY12 NDAA, this committee directed the 
establishment of an insider threat detection program. Can you please 
describe the current status of this effort, which is supposed to 
achieve full operational capability later this year?
    Ms. Takai. DOD has been actively participating in the National Insider 
Threat Task Force (NITTF) addressing the government-wide insider threat 
issue--consistent with EO 13587, ``Structural Reforms to Improve the 
Security of Classified Networks and the Responsible Sharing and 
Safeguarding of Classified Information.'' The NITTF issued 
implementation guidance of EO 13587 via Presidential memo on Nov 21, 
2012.
    Internally, DOD has:
      instituted read/write controls for external secret 
computer access ports and restrictions and audits of removable media 
(USBs, etc.);
      driven out anonymity and instituted access control 
through public key infrastructure (PKI) implementation; and
      improved our ability to detect anomalous or malicious 
behavior on the DOD's secret network.
        o  Provides limited ability to discern data access that signals 
        exceptions to normal data access.
        o  Provides full packet capture in order to discern patterns of 
        malicious activity and allow for the investigation of 
        incidents.
    Mr. Thornberry. How will the Joint Information Enterprise (JIE) 
interact with other major IT related initiatives, like the Defense 
Intelligence Information Enterprise or electronic health records 
interoperability? Will it be interoperable with the networks of the 
Intelligence Community?
    Ms. Takai. The DOD CIO is leading the DOD's IT effectiveness effort 
to achieve the Joint Information Environment (JIE) and the Director of 
National Intelligence CIO is leading a similar effort of the 
Intelligence Community Information Technology Enterprise. Both CIOs 
share common objectives and end-states, and actively participate on 
each other's governance boards, standards and architect forums, and 
Identity Management and data framework forums. Both CIOs recently 
established a Joint Information Standards Committee (JESC), and a 
directed policy governing the reuse of standards and specifications 
between the two communities to ensure interoperability and information 
sharing.
    The Defense Intelligence Information Enterprise (DI2E) is a 
unifying construct between the Department of Defense, the Intelligence 
Community (IC), and coalition Intelligence Information Enterprises, and 
aligns with the Intelligence Community IT Enterprise (ICITE) and DOD 
Joint Information Enterprise (JIE) policy and strategy.
    The DI2E Governance Council oversees development and implementation 
of a DI2E that is standardized, secure, optimized and interoperable, 
that aligns with DOD, IC and Coalition IT Enterprises. The Council 
coordinates on similar efforts by the IC Chief Information Officer 
(CIO), the DOD CIO, and the Defense Information Systems Agency (DISA) 
to ensure intelligence information integration across all security 
domains, including top secret, secret, unclassified, and various 
coalition fabrics. It enables seamless theater intelligence 
architectures and achieves efficiencies across the Defense Intelligence 
enterprise by recommending cost saving measures.
    With respect to electronic health records interoperability, DOD is 
establishing a Medical Community of Interest (Med-COI) virtual network, 
under the auspices of JIE and its single security architecture. The 
Med-COI, using the JIE architectural construct, will provide enterprise 
services and operate within the secure and protected DOD Global 
Information Grid (GIG). This capability will support unhindered and 
timely data access of patient records for DOD and VA clinicians and 
adjudication of VA Benefit claims.
    Mr. Thornberry. What role does the Cyber Investment Management 
Board (CIMB) play in decisions related to the JIE, especially with 
decisions related to service-specific system and network acquisitions?
    Ms. Takai. The CIMB is an advisory and management body, established 
to facilitate cohesion across S&T, requirements, acquisition, R&D, T&E, 
and sustainment efforts to ensure that cyber warfare investments are 
effectively coordinated across the Department. In this capacity, the 
CIMB is intended to provide a framework to make resourcing 
prioritization recommendations consistent with established JIE 
milestones.
    Mr. Thornberry. In discussing the Joint Information Environment 
(JIE), there seems to be a lot that is aspirational with this 
construct, but you will be limited by the current network environment 
that you have. How does DOD plan to get from the current ``as-is'' 
state to the ideal ``to-be'' state?
    Ms. Takai. DOD is continually modernizing its IT infrastructure and 
systems, and has several ``network'' initiatives on-going (i.e., 
LANDWARNET, AFNET, NGEN, etc.) that are focused on achieving the same 
objectives as JIE for the individual Military Services. The JIE effort will 
leverage their already planned activities and technology refresh cycles 
to optimize the current network environment to our desired ``to-be'' 
state from an enterprise perspective. At the enterprise level, DISA has 
planned upgrades of the Defense Information Systems Network (DISN) 
consistent with the target architecture for the JIE, to include the 
replacement of circuit-based switches with IP-enabled technologies, and 
replacement of legacy transport routing to Multiprotocol Label 
Switching (MPLS). The detailed solution architectures for the JIE are 
scheduled for completion in June 2013, and are being incorporated into 
Component programming activities for FY15 and beyond. The Department's 
JIE Technical Synchronization Office (JTSO) is developing a 
consolidated synchronization plan in conjunction with other DOD 
Components.
    Mr. Thornberry. Last year, the House Oversight and Government 
Reform committee introduced the Federal Information Technology 
Acquisition Reform Act (FITARA). Are you familiar with this proposed 
legislation? If so, what thoughts do you have on how this might affect 
DOD equities?
    Ms. Takai. I am aware of some of the provisions of last year's 
draft bill, as well as the current version that was introduced earlier 
this year. I believe because of the complexity of the Department's 
missions, we will need to examine the legislation carefully to ensure 
that it does not undo important relationships we have developed between 
the Office of the Secretary of Defense and the Services and Agencies as 
well as introduce new or overlapping requirements for the Department 
for its IT investments.
    Mr. Thornberry. Following the termination of the Net-Enabled 
Command Capability (NECC), what is the Department doing to modernize 
its command and control capabilities?
    Ms. Takai. The Department is executing a sustainment and 
modernization plan to evolve the current Global Command and Control 
System (GCCS) family of systems and related command and control 
programs to improve mission effectiveness, achieve efficiencies, and 
provide required command and control capabilities to the joint 
warfighter. Our sustainment and modernization efforts will ensure 
support to current operational priorities while migrating to objective 
capabilities described in the recently updated Joint C2 Capability 
Development Document (CDD).
    Mr. Thornberry. How do you plan to address ``Bring-Your-Own-
Device'' (BYOD) policy and the use of cloud technologies? Also, how can 
DOD keep up with the rate of technological change while using the DFAR? 
Are current acquisition reform efforts sufficient?
    Ms. Takai. Bring Your Own Device (BYOD) and portable cloud services 
are emerging trends in commercial industry. Many issues must be 
addressed before the DOD can embrace these technologies, such as 
overcoming existing DOD policy constraints, understanding the various 
operational use scenarios, examining potential security 
vulnerabilities, and avoiding potential legal issues that surround BYOD 
solutions. My office published the DOD Mobile Device Strategy on June 
8, 2012, and the DOD Commercial Mobile Device Implementation Plan on 
February 15, 2013, with the focus on improving three areas that are 
critical to mobility: 1) the networking infrastructure to support 
wireless mobile devices, 2) mobile applications, and 3) a framework 
that will allow the Department to sustain a commercial mobile solution 
that is reliable, secure, and flexible enough to keep pace with fast-
changing technology. The DOD CIO will continue to monitor BYOD efforts 
across our Federal Government and, in conjunction with the Digital 
Government Strategy, will continue to evaluate BYOD options.
    Cloud Computing is becoming a critical component of the Joint 
Information Environment (JIE) and the Department's Information 
Technology (IT) modernization efforts and will enable users to access 
data anywhere, anytime on any approved device. One key objective is 
to drive the delivery and adoption of a secure, dependable, resilient 
multi-provider enterprise cloud computing environment that will enhance 
mission effectiveness and improve IT efficiencies. Cloud services will 
enhance warfighter mobility by providing secure access to mission data 
and enterprise services regardless of where the user is located and 
what device he or she uses.
    My office recently issued the DOD Cloud Computing Strategy to 
provide an approach to move the Department to an end state that is an 
agile, secure, and cost effective service environment that can rapidly 
respond to changing mission needs. There are two key components of the 
Department's cloud strategy. The first component is the establishment 
of a private enterprise cloud infrastructure that supports the full 
range of DOD activities in unclassified and classified environments and 
optimizes data center consolidation efforts. The second is the 
Department's adoption of commercial cloud services that can meet the 
Department's cybersecurity and other IT needs while providing 
capabilities that are at least as effective and efficient as those 
provided internally.
    The Defense Information Systems Agency (DISA) is designated the DOD 
Enterprise Cloud Service Broker to facilitate and optimize access and 
use of commercial cloud services that can meet DOD's security and 
interoperability requirements, and ensure that new services are not 
duplicative of others within the Department while consolidating cloud 
service demand at an enterprise level. In addition, DISA, as the DOD 
broker, will leverage the Federal Risk Authorization and Management 
Program (FedRAMP) standardized security authorization process, 
including the accepted minimum security baseline for low and moderate 
information security categorizations, and ongoing continuous monitoring 
to ensure that appropriate security controls remain in place and are 
functioning properly.
    Current acquisition reform efforts offer opportunities to 
accelerate the adoption of commercial technologies. In many respects, 
despite their rapid evolution, mobility solutions are much like other 
traditional IT systems that empower users and managers with the tools 
and information they need to execute their missions. Our strategy of 
integrating well-orchestrated limited deployment pilot implementations 
allows users and managers to rapidly innovate, mature critical 
technologies, and resolve integration challenges to swiftly address 
mission challenges. The Implementation Plan incorporates many of the 
Services' technology development efforts in a spiral approach with an 
18-month acquisition cycle. The Implementation Plan streamlines the 
certification and accreditation (C&A) process for mobile devices, 
operating systems, and applications. Sharing the workload with industry 
will bring the timeline for C&A down from over 18 months to about 30 
days with no reduction in security posture. Though the platforms will 
continue to evolve, we have the same commitment to systematic 
acquisition practices that serve the defense community most 
effectively. We continue to review the mobility acquisition lifecycle 
for efficiency opportunities.
    Mr. Thornberry. Would you tell us how much funding has been set 
aside to assist DOD organizations in establishing Insider Threat 
Programs in accordance with the recent Presidential Mandate, Memo, and 
National Insider Threat Standards? Further, who will be the 
organization responsible for identifying and distributing the necessary 
funding to each DOD entity? Who will be on point from your office to 
ensure the funding is being appropriately spent on the Insider Threat 
Mission within each DOD entity? Are there additional monies coming from 
the ODNI or the Office of the National Counterintelligence Executive 
(NCIX) for Enterprise Audit and Insider Threat missions?
    Ms. Takai. The Department initially programmed $162M, FY12-16, in 
order to satisfy the Executive Order 13587 requirements. The Department 
is assessing the need for additional resources to address the insider 
threat as part of our FY 15 budget deliberations. The Defense 
Information Systems Agency (DISA) and the Defense Manpower Data Center 
(DMDC) are the responsible implementing agencies for the initial $162M. 
My office is overseeing implementation of the budgeted and programmed 
funds provided to date. The Department is developing the necessary 
policy and responsibilities required under the Presidential mandate 
issued November 21, 2012. Regarding additional monies, there has been 
limited funding provided to a number of our Title 50 elements by ODNI 
and NCIX in FY 11 and 12. We don't anticipate any additional funding 
from ODNI or NCIX.
    Mr. Thornberry. Does the Department have a strategy to leverage 
commercial cyber security solutions to enable it to benefit from such 
capabilities as real time, global threat intelligence that has been 
optimized to work in highly sensitive environments? Who in the 
Department is responsible for the operational requirements, technical 
requirements, funding and acquisition? When does the Department plan to 
start executing against each of these requirements?
    Ms. Takai. Yes, for instance, initial funding was secured beginning 
in FY 14, under the program name ``Zero day Network Defense'' (ZND) 
which consists of commercial tools to be acquired and deployed in 
partnership between the Defense Information Systems Agency (DISA) and 
NSA to provide this defensive capability at the DOD perimeter, and on 
classified end point systems.
    While unclassified systems are just beginning to use this 
technology from commercial vendors, we are currently seeking funding to 
expand the ZND capability to unclassified networks and develop a Global 
Reputation Service that will be capable of ingesting information from 
commercial vendors, as well as government sources.
    The requirements for this capability were derived from multiple 
sources, including the Cyber Situational Awareness Initial Capabilities 
Document with input from all DOD components and agencies.
                                 ______
                                 
                  QUESTIONS SUBMITTED BY MR. LANGEVIN
    Mr. Langevin. General Alexander, in testimony before the Senate 
Armed Services Committee on Tuesday, you noted the creation of 13 teams 
with an offensive focus. Given that cyber in many cases requires 
preparatory work in order to access the full range of capabilities, how 
forward-leaning will these teams be?
    What training will you be providing to the identified mission teams 
and to other personnel who are being assigned to cyber work? Do you 
require additional authorities or resources in order to fully train the 
men and women under your command, particularly with regard to language 
skills, emulation and red-teaming?
    General Alexander. USCYBERCOM identified 42 specific work roles and 
the standards and skills required for planning and executing cyberspace 
operations. We worked with the National Security Agency, Service 
Departments, academia, and the private sector to leverage existing 
training solutions and created new ones, as appropriate, to train the 
personnel assigned to those work roles (see Exhibit A for additional 
detail.) Over the next three years we will train the Cyber Mission 
Forces that will perform world-class offensive and defensive cyber 
operations as part of our Cyber National Mission Teams, Cyber Combat 
Mission Teams and Cyber Protection Forces. We do not require additional 
authorities or resources to train the currently identified cyber 
professionals.
    [Exhibit A is For Official Use Only and is retained in the 
committee files.]
    Mr. Langevin. Ms. Takai, what progress has DOD made in improving 
the agility and flexibility of the IT acquisition process, and is there 
additional Congressional action needed?
    Ms. Takai. There are unique characteristics associated with the 
acquisition of information systems that require the use of acquisition 
approaches different from those normally used by the Department for 
acquiring weapons systems. All acquisition approaches should be 
tailored to the nature of the product being acquired. For example, 
information systems (e.g. business systems) do not require significant 
technology development like many weapons systems and they do not have 
the long term operations and support challenges facing most weapons 
systems. The Department has made steady progress in implementing 
several of the key approaches for improving the agility and flexibility 
of the IT acquisition process in the areas of requirements, 
acquisition, testing and certification and human capital. Many of these 
efforts will be captured in the next release of DODI 5000.02, 
``Operation of the Defense Acquisition System'' including:
      Requirements: The Joint Staff has updated the 
requirements management process (Joint Capability Integration and 
Development System (JCIDS)) to include a more streamlined requirements 
management and approval process for acquisition of information systems.
      Acquisition: On June 23, 2011, a Directive-Type 
Memorandum (DTM) on Business Capability Lifecycle (BCL) was signed and 
issued by USD (AT&L). The BCL provides a framework for implementing 
more flexible and streamlined processes for the acquisition of these 
business information systems and has been incorporated into the next 
release of DOD 5000.2.
      Test and Certification: The Department's testing 
community has been working in collaboration with USD (AT&L) to 
incorporate an integrated testing, evaluation, and certification 
approach into the DODI 5000.02, to reduce redundancies in system 
testing activities and improve the efficiency and effectiveness of 
testing the Department's information systems.
      Human Capital: A comprehensive review of IT acquisition 
competencies is also currently being conducted by the Department's 
Chief Information Officer. This review will update the IT acquisition 
competencies to better define DOD critical skill sets and assist in the 
update of curricula at the Defense Acquisition University and the 
Information Resources Management College.
                                 ______
                                 
                   QUESTIONS SUBMITTED BY MR. ROGERS
    Mr. Rogers. Ms. Takai, could you please explain the Department's 
decisionmaking process for when to use ``sole source'' and ``brand name 
only'' solicitations, such as those run under the Air Force's NETCENTS-
1 and NETCENTS-2 contracts?
    Ms. Takai. The vast majority of procurements through the NETCENTS 
vehicles are accomplished via a competitive process. In the rare event 
that a sole source or specific brand name is required, appropriate 
Justification and Approval documentation is prepared and approved at a 
level commensurate with the dollar value of the proposed procurement.
    Mr. Rogers. What steps does DOD take to meet the statutory 
requirements of FAR sec. 6.303 and/or FAR sec. 16.505, as applicable, 
that are the prerequisites for a sole source and/or brand name product 
procurement, single name product procurement, including the necessity 
to conduct open procurements, determine minimum needs, and solicit the 
interest of manufacturers or prospective offerors?
    Ms. Takai. All DOD requiring officials must follow and adhere to 
applicable procurement policies in accordance with the Defense Federal 
Acquisition Regulation Supplement (DFARS), which is regularly revised 
to ensure alignment with the Federal Acquisition Regulations (FAR) as 
well as other regulations and statutes. DFARS subpart 216.5 requires 
that all orders for supplies or services exceeding $150,000 that are 
placed under multiple award contracts be awarded on a competitive basis 
with fair notice given to vendors of the intent to purchase, and an 
opportunity for all vendors to submit offers and receive fair 
consideration. There are allowable exceptions that must be based on 
justifications and/or determinations written and approved in accordance 
with FAR 8.405-6; if a statute requires the purchase be made from a 
particular source, or if one of the circumstances described in FAR 
16.505 (b) (2) (i) through (iv) applies. DOD contracting officers must 
always consider price or cost as factors when selecting a vendor for 
award, and should also consider past performance of potential vendors. 
As an overview, the steps followed to award in DOD include: 1) system 
engineering analysis to determine requirements, 2) market research to 
determine what products are available to satisfy those requirements, 
and 3) written documentation via a determination or Justification and 
Approval of anything less than full and open competition (including 
specification of a particular brand name product). Even when a 
particular brand name product is required and justified, there is an 
expectation of competition if there are multiple competing resellers of 
that same brand name product.
    Mr. Rogers. When the requirements of FAR sec. 6.303 and/or FAR sec. 
16.505, as applicable, are determined not to have been met, what 
remedial steps are in place to make sure these requirements are 
considered?
    Ms. Takai. There are many stages at which such a determination 
might be made, such as: by the program manager after market research 
activities, by the contracting officer or the contracting activity's 
Competition Advocate prior to solicitation and/or award or by the 
Government Accountability Office after an unsuccessful vendor files an 
appeal. There are different remedial steps for each scenario. Standard 
DOD acquisition and procurement procedures contain safeguards and 
checkpoints at multiple levels to ensure that any proposed exceptions 
to the competition rules are fully vetted and adequately justified. DOD 
contracting officers must make public the justification(s) required by 
FAR 6.303-1 in accordance with FAR 5.3 and as required by law. If a 
prospective (or unsuccessful) offeror believes that the procedures 
described in the FAR and/or DFARS have not been followed, they will 
generally contact the contracting officer who has responsibility for 
the acquisition, or the contracting activity's parent organization. If 
warranted, the contracting officer can then cancel the procurement 
activity--or issue a ``stop work'' order to study the situation (if the 
contract has already been awarded). In order to meet the requirements 
of the requesting office, the contracting officer may reshape the 
procurement into a competition among multiple vendors under a pre-
existing contract vehicle, or pursue full and open competition among 
all vendors of a particular type/class of capability.
    Mr. Rogers. What process does DOD use in deciding to standardize on 
particular technology, and how does such standardization further the 
goal of maintaining a competitive procurement process which is 
essential to reducing costs in government procurements? Does that 
process flow down to how the Services make similar decisions?
    Ms. Takai. When there are clearly definable minimum functional/
technical standards that are available and necessary to attain a 
required capability, the DOD CIO will assemble a cross-Component 
``tiger team'' (including Acquisition personnel) to translate those 
standards into requirements suitable for release of a Request for 
Quotes (RFQ) or a Request for Proposals (RFP) to industry. For example, 
when data-at-rest (DAR) software was initially identified as an urgent 
requirement for all DOD laptops and portable computers, the Defense-
Wide Information Assurance Program (DIAP) assembled such a tiger team 
to flesh out the applicable required specifications. Then they 
partnered with the DOD ESI Software Product Manager team from USAF to 
translate these specifications into an industry solicitation that 
resulted in the creation of DOD ESI Blanket Purchase Agreements from 10 
different publishers of DAR software. By DOD CIO policy, all DOD buyers 
of DAR software were required to buy DAR software only through one of 
these agreements. Competition among the resellers generally resulted in 
lower prices, and the DIAP certified that all purchased products met 
both the functional & technical standards.
                                 ______
                                 
                   QUESTIONS SUBMITTED BY MR. FRANKS
    Mr. Franks. General Alexander, I want to thank you for your service 
and leading such important missions with USCYBERCOM and the NSA. I am a 
strong believer that our military is, and should always be, better than 
the rest of the world's armed forces, and that we should never be 
entering fair fights. With that in mind, and the introduction of these 
new offensive cyber teams, and the fact that cyber threats are a 
relatively new phenomenon, how much better are we on offense, and 
defense in the cyber realm as compared to our enemies?
    General Alexander. We believe our offense is the best in the world. 
Cyber offense requires a deep, persistent and pervasive presence on 
adversary networks in order to precisely deliver effects. We maintain 
that access, gain deep understanding of the adversary, and develop 
offensive capabilities through the advanced skills and tradecraft of 
our analysts, operators and developers. When authorized to deliver 
offensive cyber effects, our technological and operational superiority 
delivers unparalleled effects against our adversaries' systems.
    Team Cyber is constantly increasing its operational and analytic 
defensive capabilities through the adoption and use of standards to 
facilitate domain knowledge representation and information sharing 
across the community. In addition, the use of standards ensures 
compatibility with technologies commonly available in the public domain 
and allows for the rapid integration of new functional capabilities to 
avoid long-term engineering and development cycles.
    Potential adversaries are demonstrating a rapidly increasing level 
of sophistication in their offensive cyber capabilities and tactics. In 
order for the Department of Defense to deny these adversaries an 
asymmetric advantage, it is essential that we continue the rapid 
development and resourcing of our Cyber Mission Forces.
    Mr. Franks. General Alexander, last year I asked you a question: 
How prepared are we to carry out your mission if the power grid or 
substantial part of it were to go down for an extended period of time? 
For example, two weeks or longer due to severe space weather or a 
manmade electromagnetic pulse.
    Your answer included the fact that much of DOD's cyberspace is 
served through commercial providers. Do you feel that the power and 
electricity needed to carry out your mission is important enough to 
require those commercial providers of the power grid to successfully 
harden their grid from severe space weather or manmade electromagnetic 
pulse? Can the DOD require that of commercial providers of the grid? Do 
you feel that this issue is important enough that legislation is needed 
to force the hand of industry to act?
    General Alexander. While I absolutely agree with the criticality of 
cyber hardening the power grid, I also believe any legislative solution 
has to take into account the prohibitive costs associated with doing so 
given its antiquated state. I believe the activities underway through 
the President's EO 13636 ``Improving Critical Infrastructure 
Cybersecurity'' and PPD-21 ``Critical Infrastructure Security and 
Resilience'' are a good first step. Legislation which builds upon these 
activities by providing the right set of incentives would be 
invaluable.
    From an NSA and CYBERCOM perspective, it is also critical that 
Congress pass information sharing legislation that enables effective 
two-way sharing of cyber threat information and countermeasures between 
the private sector and the USG. By effective two-way sharing, I mean 
that the government needs to know, in real time, when there are 
indications of cyber intrusions or attacks against the nation's 
critical infrastructure, and the government needs to be able to share 
in real time, indications and warnings of attacks and associated 
countermeasures that the private sector needs to protect their 
networks. Given the authority to share information, the ISPs could act 
as a domestic radar that can see cyber threats and tip and cue the 
government to respond in real time.

                                  
