[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
[H.A.S.C. No. 114-19]
CYBER OPERATIONS: IMPROVING THE
MILITARY CYBERSECURITY POSTURE IN
AN UNCERTAIN THREAT ENVIRONMENT
__________
HEARING
BEFORE THE
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
OF THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
HEARING HELD
MARCH 4, 2015
____________
U.S. GOVERNMENT PUBLISHING OFFICE
94-221 WASHINGTON : 2015
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
JOE WILSON, South Carolina, Chairman
JOHN KLINE, Minnesota                JAMES R. LANGEVIN, Rhode Island
BILL SHUSTER, Pennsylvania           JIM COOPER, Tennessee
DUNCAN HUNTER, California            JOHN GARAMENDI, California
RICHARD B. NUGENT, Florida           JOAQUIN CASTRO, Texas
RYAN K. ZINKE, Montana               MARC A. VEASEY, Texas
TRENT FRANKS, Arizona, Vice Chair    DONALD NORCROSS, New Jersey
DOUG LAMBORN, Colorado               BRAD ASHFORD, Nebraska
MO BROOKS, Alabama                   PETE AGUILAR, California
BRADLEY BYRNE, Alabama
ELISE M. STEFANIK, New York
Kevin Gates, Professional Staff Member
Lindsay Kavanaugh, Professional Staff Member
Julie Herbert, Clerk
C O N T E N T S
----------
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Langevin, Hon. James R., a Representative from Rhode Island, Ranking Member, Subcommittee on Emerging Threats and Capabilities
Wilson, Hon. Joe, a Representative from South Carolina, Chairman, Subcommittee on Emerging Threats and Capabilities
WITNESSES
Cardon, LTG Edward C., USA, Commander, U.S. Army Cyber Command
O'Donohue, MajGen Daniel J., USMC, Commanding General, U.S. Marine Corps Forces Cyberspace
Rogers, ADM Michael S., USN, Commander, U.S. Cyber Command
Tighe, VADM Jan E., USN, Commander, U.S. Fleet Cyber Command/U.S. 10th Fleet (FCC/C10F)
Wilson, Maj Gen Burke E., USAF, Commander, Air Forces Cyber and 24th Air Force
APPENDIX
Prepared Statements:
    Cardon, LTG Edward C.
    O'Donohue, MajGen Daniel J.
    Rogers, ADM Michael S.
    Tighe, VADM Jan E.
    Wilson, Hon. Joe
    Wilson, Maj Gen Burke E.
Documents Submitted for the Record:
    [There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
    Mr. Langevin
Questions Submitted by Members Post Hearing:
    Mr. Ashford
    Mr. Wilson
CYBER OPERATIONS: IMPROVING THE MILITARY
CYBERSECURITY POSTURE IN AN UNCERTAIN
THREAT ENVIRONMENT
----------
House of Representatives,
Committee on Armed Services,
Subcommittee on Emerging Threats and Capabilities,
Washington, DC, Wednesday, March 4, 2015.
The subcommittee met, pursuant to call, at 3:33 p.m., in
room 2118, Rayburn House Office Building, Hon. Joe Wilson
(chairman of the subcommittee) presiding.
OPENING STATEMENT OF HON. JOE WILSON, A REPRESENTATIVE FROM
SOUTH CAROLINA, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND
CAPABILITIES
Mr. Wilson of South Carolina. Ladies and gentlemen, I call
this hearing on the Emerging Threats and Capabilities
Subcommittee of the House Armed Services Committee to order.
I am pleased to welcome everyone here today for the very
important hearing of the fiscal year 2016 budget request for
cyber operations programs of the Department of Defense [DOD].
One need only read the headlines of almost any newspaper on
almost any day by way of the media to see the challenges we
face as a Nation when it comes to hacking and cyber threats.
The array of threats both from state and non-state actors poses
significant challenges to our military forces, our economic
well-being, and our diplomatic activities worldwide.
The recent government accountability report on the
vulnerabilities to our air traffic control networks vividly
illustrates the need to work across departments, agencies, and
even internationally to ensure our security. We recognize that
the Department of Defense capabilities will be critical to
those efforts, but must be provided the resources and the
authorities to be effective. As we look at this budget request
and as the witnesses describe their plans for how they will
execute their activities in fiscal year 2016, I ask that you
address the following questions. What specifically are you
requesting in the budget, and what major initiatives do you
expect to fund? If defense sequestration caps are enforced in
the budget request, what impacts do you expect this year? How
are you measuring or assessing the cybersecurity posture of the
Department of Defense networks, and what vulnerabilities do you
see?
Today we have invited a panel that represents the top
military leadership for cyber operations across the Department
of Defense. Our witnesses include Admiral Michael Rogers,
Commander of the U.S. Cyber Command [CYBERCOM]; Lieutenant
General Edward C. Cardon, Commander, U.S. Army Cyber Command;
Vice Admiral Jan Tighe, Commander at Navy Fleet Cyber Command,
10th Fleet; Major General Daniel J. O'Donohue, Commanding
General Marine Forces Cyber [MARFORCYBER]; and Major General
Burke E. Wilson, Commander, 24th Air Force.
Now I would like to invite the subcommittee ranking member,
Mr. Langevin of Rhode Island, to make any comments that he
might have.
[The prepared statement of Mr. Wilson can be found in the
Appendix on page 33.]
STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS
AND CAPABILITIES
Mr. Langevin. Well, thank you, Mr. Chairman.
And I want to thank our witnesses for being here today, and
I look forward to hearing your testimony, and, as always, I
thank you for the work you are doing on behalf of our country.
Thank you all for your service.
The 2014 Quadrennial Defense Review stated that, and I
quote, ``The importance of cyberspace to the American way of
life and to the Nation's security makes cyberspace an
attractive target for those seeking to challenge our security
and economic order,'' end quote. I could not agree more. Last
year the Director of National Intelligence placed cyber threats
number one on the list of strategic threats to the United
States.
Most recently, the National Security Strategy cites the
danger of destruction and even destructive cyber attack is
growing. The cyber domain is complex. We all understand that.
Threats in this space continuously evolve based on emerging
technologies and techniques to counter our efforts. Threats are
carried out by a diverse set of actors. Securing, defending,
and operating freely in this space presents a nontraditional
challenge requiring an immediate but thoughtful response.
Since the creation of U.S. Cyber Command, the Department
has made substantial strides in understanding and enabling
freedom of action in the cyber domain, as well as understanding
and protecting Department of Defense networks. Significant
investments have been made. In fact, cyberspace is the only
area of growth in the Department of Defense's budget in the
last few years. I commend the Department's efforts, and I am
proud of what has been achieved so far, yet there is still much
to be done. Confronting this challenge will continue to require
dialogue between the Department and Congress on the policies,
capabilities, and other resources needed to appropriately and
successfully operate in the cyber domain. That is why this
hearing is so important.
Together we can build and maintain a ready cyber force for
the Nation. I look forward to receiving an update from the
witnesses on the buildout of our cyber capacity and the fiscal
year 2016 budget request. I hope the services will provide us
an understanding of total force requirements for cyber
operations, both service-specific and for the U.S. Cyber
Command to enable the subcommittee to better understand all
resources needed and provide for a ready force.
Specifically, I am eager to hear about how the services are
recruiting and retaining qualified military and civilian
personnel, managing cyber as a career field, and any challenges
associated with those fields. I look forward to hearing how the
services are incorporating the Reserve Components into the
cyber mission forces. Additionally, I would like to understand
how science and technology investments are being leveraged now
and in the future to deliver the latest and best capabilities.
I would also like the witnesses' perspective on whether the
current acquisition process delivers tools in time to meet and
stay ahead of the threat, which as we know as technology
changes so quickly, that is a significant challenge on our
hands. So there is much to discuss on this issue, and in order
to allow for dialogue, I am going to end my remarks here.
And again I want to thank our witnesses for appearing
before the subcommittee and to you, Mr. Chairman, for holding
this hearing, and I yield back.
Mr. Wilson of South Carolina. Thank you, Mr. Langevin.
Before we begin, I would like to remind our witnesses that
your written statements will be submitted for the record, so we
ask that you summarize your comments to 5 minutes or less.
Admiral Rogers, we begin with you.
STATEMENT OF ADM MICHAEL S. ROGERS, USN, COMMANDER, U.S. CYBER
COMMAND
Admiral Rogers. Thank you, sir.
Chairman Wilson, Ranking Member Langevin, and distinguished
members of the committee, I am honored to appear before you
today to discuss our military cybersecurity posture, and I
would like to thank you for convening this forum.
I am equally pleased to be sitting alongside my colleagues
from each of the four service components of the United States
Cyber Command. It gives me great pride to appear before you
today to highlight and commend the accomplishments of the
uniformed and civilian personnel of U.S. Cyber Command and its
components, and I am both grateful for and humbled by the
opportunity that I have been given to lead this cyber team.
The current threat environment is, as you have just
described in your opening remarks, uncertain. That said, we are
certain of one particular thing, and that is the pervasive
nature of these cyber threats and the sophistication of the
adversaries we face. Our military networks are probed for
vulnerabilities literally thousands of times a day. The very
assets within our military that provide us formidable
advantages over adversaries are precisely the reason that our
enemies seek to map, understand, exploit, and disrupt our
global network architecture.
The cyber intruders of today not only want to disrupt our
actions, but they seek to establish a permanent presence on our
networks. Quite simply, threats and vulnerabilities are
changing and expanding at an accelerating and significant pace.
Compounding this threat is the fact that we are dependent on
cyberspace. Operating freely and securely in cyberspace is
critical to not only our military and our government, but also
to the private sector, which is responsible for maintaining
much of our Nation's critical infrastructure to include that
of key parts of the Department of Defense.
The bottom line is weakness in cyberspace has the potential
to hold back our success in every field where our [Nation] is
engaged. And I would like to focus in our comments today on the
progress we have made so far, the achievements that we are
doing in the operational arena, and what I think is the way
ahead, and I look forward to that discussion.
With that, I will conclude my opening remarks.
[The prepared statement of Admiral Rogers can be found in
the Appendix on page 35.]
Mr. Wilson of South Carolina. Thank you very much.
And General Cardon.
STATEMENT OF LTG EDWARD C. CARDON, USA, COMMANDER, U.S. ARMY
CYBER COMMAND
General Cardon. Chairman Wilson, Ranking Member Langevin,
members of the committee, it is an honor to be here on behalf
of the U.S. Army Cyber Command and Second Army alongside
Admiral Rogers and my fellow commanders.
We appreciate the work of this committee to protect the
American people from emerging threats and ensure our military
has the capabilities we need to defend the Nation. Over the
last few years we have had tremendous momentum, both within the
institution and operationalizing cyberspace, but a lot of work
remains. For the institution, we have consolidated cyberspace
under one commander. We have created the Cyber Center of
Excellence in Fort Gordon, Georgia, and the Army Cyber
Institute at the United States Military Academy.
The Army is currently establishing the necessary frameworks
to build capabilities for the Army, and by extension, the Joint
Force. Operationally, we are making progress with mission-focused
approaches supporting Army and combatant commanders. We
made progress this year developing the Army's portion of the
Cyber Mission Force with 25 of 41 teams on mission now, and we
expect to have all 41 on mission by the end of fiscal year 2016
as planned.
In the face of determined adversaries, though, we are
employing these teams as they reach initial operating
capability and will continue to bring forces and capabilities
online through 2017. The threat, vulnerabilities, and missions
set, demand this sense of urgency. This also includes bringing
online 21 U.S. Army Reserve and Army National Guard Protection
Teams that will be trained at the same standards as the Active
Component cyber force.
We are going to need more personnel beyond the Cyber
Mission Force to build out the support required to fully employ
the Cyber Mission Force and to build capabilities for Army
formations. To better manage our people, the Army created a
cyber branch, and we are exploring the creation of a cyber
career field for civilian personnel.
For training, we have a centrally funded joint model for
individual training, but we are working to also build
collective training capabilities and their associated
facilities within a joint construct. For equipping the forces,
we are developing and refining the necessary framework to give
us the agility that we will need in programming, resourcing,
and acquisition for infrastructure platforms and tools. And for
a more defensible architecture and network, we are partnered
with the Army's Chief Information Officer and Defense
Information Systems Agency [DISA] in the Air Force for an
extensive network modernization effort.
These are essential for the security, operation, and
defense of our Department of Defense networks. We have made
tremendous progress, and with your support we have the
necessary program resources to continue our momentum, but we
cannot delay for the struggle is on us now.
Thank you, and I will be happy to answer your questions.
[The prepared statement of General Cardon can be found in
the Appendix on page 53.]
Mr. Wilson of South Carolina. Thank you very much, General.
Admiral Tighe.
STATEMENT OF VADM JAN E. TIGHE, USN, COMMANDER, U.S. FLEET
CYBER COMMAND/U.S. 10TH FLEET (FCC/C10F)
Admiral Tighe. Chairman Wilson, Ranking Member Langevin,
and distinguished members of the subcommittee, thank you for
your support to our military and the opportunity to appear
before you today.
Since my Fleet Cyber Command predecessor, Admiral Mike
Rogers, last testified before this subcommittee in July of
2012, the Department of Defense, U.S. Cyber Command, and the
service components have significantly matured our operations
and cyber operational capabilities. I appreciate the
opportunity to outline Navy-specific progress over the past 2
years, where we are headed to address an ever-increasing
threat, and how budgetary uncertainty is likely to impact our
progress and operations.
Fleet Cyber Command directs the operations to secure,
operate, and defend Navy networks within the Department of
Defense Information Network [DODIN]. We operate Navy networks
as a warfighting platform which must be aggressively defended
from intrusion, exploitation, and attack. The Navy network
consists of more than 500,000 end user devices, approximately
75,000 network devices, and nearly 45,000 applications and
systems across 3 security enclaves.
We have transformed the way we operate and defend over the
past 2 years based on operational lessons learned.
Specifically, beginning in summer of 2013, we, with Admiral
Rogers at the helm at the time, fought through an adversary
intrusion into Navy's unclassified network.
Under the named operation known as Operation Rolling Tide,
Fleet Cyber Command drove out the intruder through exceptional
collaboration with affected Navy commanders, U.S. Cyber
Command, the National Security Agency, the Defense Information
Security Agency, and our fellow cyber service components.
Although any intrusion upon our network is troubling, this
operation served as a learning opportunity that has both
matured the way we operate and defend our networks and
simultaneously highlighted gaps both in cybersecurity posture
and in our defensive operational capabilities.
As a result of this operation and other cybersecurity
initiatives inside of the Navy, we have already made, proposed,
or planned for a nearly $1 billion investment between the years
of fiscal year 2014 and fiscal year 2020 that will greatly
reduce the risk of successful cyberspace operations against
Navy networks. Of course, these investments are built on the
premise that our future budgets will not be drastically reduced
by sequestration.
Specifically, if budget uncertainty continues, we will have
an increasingly difficult time addressing this very real and
present danger to our national security and maritime
warfighting capabilities. Operationally, and on a 24-by-7 and
365 days a year, Fleet Cyber Command is focused on configuring
and operating layered defense in-depth capabilities to prevent
malicious actors from gaining access to our Navy networks in
collaboration and cooperation with our sister services, U.S.
Cyber Command, Joint Forces Headquarters-DODIN, DISA, and the
National Security Agency. Additionally we are driving towards
expanded cyber situational awareness to inform our network
maneuvers and reduce risk in this space.
As you know, Navy and other service components are building
the maneuver elements in the Cyber Mission Force for U.S. Cyber
Command by manning, training, and certifying teams to the U.S.
Cyber Command standards. The Navy is currently on track to have
personnel assigned for all 40 teams, all 40 of the Navy-sourced
Cyber Mission Force teams in 2016, with full operational
capability in the following year.
Additionally, between now and 2018, an additional 298 cyber
Reserve billets will also augment the cyber force manning plan.
In delivering on both U.S. Cyber Command's and the U.S. Navy's
requirements in cyberspace, I am fortunate to have these
component commanders as partners in addition to the many
organizations who are not represented here but are every bit a
member of team cyber.
Thank you again, and I look forward to your questions.
[The prepared statement of Admiral Tighe can be found in
the Appendix on page 66.]
Mr. Wilson of South Carolina. Thank you, Admiral, very
much.
And General O'Donohue.
STATEMENT OF MAJGEN DANIEL J. O'DONOHUE, USMC, COMMANDING
GENERAL, U.S. MARINE CORPS FORCES CYBERSPACE
General O'Donohue. Thank you, sir.
Chairman Wilson, Ranking Member Langevin, and distinguished
members of this subcommittee, it is an honor to appear before
you today. On behalf of your Marines, our civilian Marines, and
their families, I thank you for your continued support as we
pursue a multi-year joint cyberspace strategy.
Marines have a legacy of operating in any clime or place.
Whether at sea with the Navy, or working shoulder to shoulder
with our joint, interagency, and coalition partners, we are
standing ready to respond to crises around the globe, bringing
to employ combined arms across the air, land, and sea domains.
We are now entering an era of transition where the cyber domain
will be fully integrated in the same way.
Our Commandant has laid out a clear vision to increase the
capacity and capability of the Marine Air-Ground Task Force to
fully integrate cyberspace operations. MARFORCYBER [U.S. Marine
Corps Forces Cyberspace] is leading the effort to ensure that
we institutionalize this vision across the Marine Corps, to
include by participating in over 30 exercises last year. As a
service component to U.S. Cyber Command, MARFORCYBER in
conjunction with its service partners, conducts full-spectrum
cyberspace operations to enable freedom of action across the
cyberspace domain and deny the same to our adversaries.
Additionally, MARFORCYBER provides direct support to United
States Special Operations Command's missions worldwide.
To support these operations, we are building the Cyber
Mission Force, and these forces are achieving operational
outcomes today. These achievements are helping us to shape the
vision for the future of cyberspace operations for the Marine
Corps, as part of the joint, interagency, and combined force.
Last June, U.S. Cyber Command certified our first Cyber
Mission Team and our first national Cyber Protection Team.
During this time our second Cyber Mission Team reached its
initial operation capability. MARFORCYBER is on track to have
over 75 percent of its teams resourced by the end of 2015. To
expedite this force build, the Marine Corps has dedicated 16
percent of its retention bonuses for our cyberspace
professionals. And based on lessons learned, we have
streamlined our personnel and training pipeline as we deal with
the surge requirements of a startup force.
In addition, we have expanded the opportunities and
developed procedures for our teams to work with increasing
effectiveness across the joint and interagency force. This has
been a combat multiplier. At the bottom line, we are fielding
the cyber forces required by our strategy and provided by the
President's budget, ready, on time, and with increasing
operability in ways that we had not imagined. As we build the
force, MARFORCYBER is achieving operational outcomes in stride
by supporting joint, interagency, and coalition partners at
home and overseas. Every day we are planning cyberspace
operations, defending the network, and standing ready when
directed by U.S. Cyber Command to conduct offensive cyberspace
operations. Increasingly, combatant commanders and special
operation forces now see cyberspace operations not as a special
staff function, but essential to everything that warfighters
do.
Currently, we are pursuing a considered joint and service
strategy for the multi-year development of a unified network
that will facilitate command and control, provide real-time
situational awareness, and assist with decision support to
commanders at all levels. For the Marine Corps, this network
will be optimized for operational support to forces as they are
deployed across the globe and as they train for crisis
response. In an unstable and unpredictable security
environment, the Marines provide a ready, forward,
expeditionary extension of cyber capability for the joint,
interagency, and combined force.
Thank you for the opportunity to appear before you today,
and thank you for your continued support to our national
treasure, our Marine civilians and their families. I look
forward to answering your questions.
[The prepared statement of General O'Donohue can be found
in the Appendix on page 79.]
Mr. Wilson of South Carolina. General, thank you very much.
And General Wilson.
STATEMENT OF MAJ GEN BURKE E. WILSON, USAF, COMMANDER, AIR
FORCES CYBER AND 24TH AIR FORCE
General Wilson. Chairman Wilson, Ranking Member Langevin,
and distinguished members of the subcommittee, thank you for
the opportunity to appear before you today with my fellow
commanders.
It is an honor to represent the outstanding men and women
of Air Forces Cyber and 24th Air Force. I am extremely proud of
the work our airmen, officers, enlisted, and civilians do each
and every day to field and employ cyber capabilities in support
of combatant and Air Force commanders. In the interest of time,
let me share just a few examples to highlight how our airmen
are making positive lasting impacts to our Nation.
Since we last briefed the subcommittee, the Air Force
completed migration of our unclassified networks from many
disparate systems into a single architecture. We transitioned
over 644,000 users across more than 250 geographic locations to
a single network and reduced over 100 Internet access points
into a more streamlined 16 gateways. The end result has been a
more reliable, affordable, and most importantly, defensible
network.
The Air Force has also championed the fielding of next-generation
technology by partnering with the Army and Defense
Information Systems Agency to support the transition to a Joint
Information Environment [JIE]. Together we are implementing
Joint Regional Security Stacks and making enhancements to our
networks in order to achieve a single DOD security
architecture. The combined team achieved a critical milestone
last September when they fielded their first security stack,
and we have continued to push hard on these efforts, which will
benefit the entire Department by reducing our network attack
surface and increasing network capacity and capabilities.
Like the other services, we have made significant progress
towards fielding and employing our initial Cyber Mission
Forces. Today, Air Forces Cyber has 15 teams that achieved
initial operating capability, and 2 teams have reached full
operating capability. In addition to providing unprecedented
support to joint and coalition combat forces in Afghanistan and
Syria, these cyber forces are wholly engaged in support of
combatant and Air Force commanders around the world, as well as
in defense of the Nation.
I am proud to report our Air Reserve Component is a full
partner in the Cyber Mission Force build, in addition to our
other day-to-day cyber operations. We are leveraging
traditional reservists, Air Reserve technicians, and Air
National Guardsmen across the command to meet our warfighting
commitments. Whether it is commanding and controlling cyber
forces from one of our operation centers, deploying as part of
our combat communications team, installing cyber infrastructure
around the world, or any other task, each of our total force
members meet the same demanding standards and serve alongside
our Active Duty counterparts. In my humble opinion, it is a
tremendous example of total force integration in action.
The Air Force has also instituted several key initiatives
to better recruit, develop, and retain our cyber forces. Most
recently, we approved a Stripes for Certifications Program
which provides the opportunity for candidates to enlist at a
higher grade when entering the Air Force with desired cyber-related
certifications. We have also continued our selective
reenlistment bonus program to provide additional incentives for
enlisted members to continue to serve in the demanding cyber
and intelligence specialties.
For our officers, we have complemented the cyber warfare
operations career track which we established several years ago
with a new cyber intermediate leadership program. The objective
is to identify qualified cyber and intelligence officers and
provide them the right professional growth opportunities. We
held our first board just recently and competitively selected
83 majors and senior captains from across the cyber fields to
serve in key command and operational positions, many as
integral members of the Cyber Mission Force.
And finally, we continue to support a host of initiatives
aimed at improving the outreach to our Nation's youngest
generation. I would like to highlight just one that will be
culminating here in DC on March 12. It is called CyberPatriot
and sponsored by the Air Force Association in partnership with
local high schools and middle schools around the country,
several industry partners, as well as cyber professionals from
the Air Force.
CyberPatriot's goal is to inspire students to pursue
careers in cybersecurity or other STEM [science, technology,
engineering, and mathematics] career fields. At the beginning
of the school year in September, over 2,100 teams, 2,100 teams,
involving nearly 10,000 students in the U.S., Canada, United
Kingdom, and our DOD schools overseas, participated in cyber
training and competitions. We have seen a 40 percent increase
in participation this year. As I mentioned, CyberPatriot will
culminate here locally at the National Harbor with 28 teams
competing in the national finals. Students will earn national
recognition and scholarships. Without a doubt, the program is
an exemplar of how public-private partnership can make a real
difference. Personally, it has been rewarding to see our airmen
giving back to our younger generation.
These are just a handful of examples to share how our
airmen are pushing hard to increase cyber capability and
capacity across the command. Believe me, Air Forces Cyber and
24th Air Force are all in and fully committed to the mission.
Our cyber force is more capable than ever before and
continues to get better every day. None of this would be
possible without your continued support. As you have heard from
my counterparts, the need for the support will only increase in
importance as we move forward. It is clear resource stability
in the years ahead will best enable our continued success in
developing airmen and maturing our capabilities to operate in,
through, and from the cyberspace domain. Simply put, our cyber
warriors truly are professionals in every sense of the word,
and they deserve our full support.
Along with my fellow commanders, it is an honor to be here
today. Thank you again for the opportunity. I look forward to
your questions.
[The prepared statement of General Wilson can be found in
the Appendix on page 87.]
Mr. Wilson of South Carolina. Thank you very much, General,
and that was fascinating to find out about the involvement of
students. What a great opportunity. And I know it has to be
reassuring to the American people, your service, your
personnel, the families that are supportive of your personnel,
and I just thank each of you for protecting American families
and advancing our national security.
We will now go into our round of 5 minutes of each member.
Kevin Gates, who is our professional staff person, will keep
the time. Members of Congress need timekeepers more than other
people, beginning with me.
And so as we begin, Admiral Rogers, given the increasing
and evolving cyber threats, what are critical steps that
Congress can do to enable CYBERCOM to accomplish your mission?
Admiral Rogers. My first comment would be ensure a steady
resource stream here. If you look at sequestration, the
implications of the Budget Control Act for us, if you executed
that, would have significant impact on our ability to execute
the operational vision and would have impact on our ability to
defend our own Department's networks, the expectation from the
rest of the Nation that the Department of Defense is going to
be there to provide capability to defend critical U.S.
infrastructure.
It will slow and in some cases stop our ability to generate
teams. It will lead us into contractual default issues. For
example, we are in a MILCON [military construction] project
right now that you have funded to actually create physical
infrastructure for U.S. Cyber Command. Because we are new, we
have only funded two out of the three years of that, so if we
have another issue with that we will have contractual issues.
Bottom line, though, our ability to defend the Nation and
our Department from a cyber perspective in the world that we
are facing, with the threats we are facing, is significantly
impacted if we can't sustain the resource budget picture that
we have developed.
Mr. Wilson of South Carolina. And I share your concern to
the point it would be very helpful to me, Admiral, if you could
provide a written response to that question which specifically
would address specific delays and levels of confusion. Our
colleagues need to know this because it is not as appreciated,
I think, as it should be. So that would be very helpful.
Admiral Rogers. Yes, sir.
[The information referred to is for official use only and
retained in the committee files.]
Mr. Wilson of South Carolina. Admiral Tighe, in your
testimony you mentioned designing resiliency in programs
through common standards and protocols. Could you give us an
example of what you mean by that?
For the others, how do you think that we will be able to
measure the resiliency of your programs?
Admiral Tighe. Yes, Chairman.
Our approach to building in resiliency runs the gamut from
technological innovation in our networks to the notion of
fighting through cyber attacks when we are under attack. The
people, the processes that we have, the method by which we
fight through a cyber attack, is really a very large part of
our warfighting approach to how we defend our networks.
And so when we talk about the technological side, that is
about getting the capabilities from the boundary of the
Internet all the way down to our individual host systems in a
way that we can monitor and understand our own networks, and
monitor and understand any threats that may be traversing
through our networks. And so having that built in, which many
of those new capabilities are coming in as a result of
Operation Rolling Tide, we have learned where we had gaps and
are instituting some of those defense-in-depth capabilities and
standardizing interfaces across systems and networks that talk
to each other.
Beyond our corporate networks that I am responsible for
operating and defending, as you know, we have many
applications, weapons systems, and other types of systems in
the Navy that are necessary to accomplish our mission that hang
off of our networks. And so making sure we understand how we
are interfacing with those networks, how we are extending our
protections to them, is a big part of our program and budget
subnet in building those capabilities in and codifying across
all of the acquisition commands who build systems for the Navy,
building on technology, building on operating systems, all
coming potentially with cyber vulnerabilities if we haven't
built it into the front end of that acquisition process.
So in summary, I think the resiliency that we are looking
for includes both the technological advances we have planned
into our system and how we organize and defend with the
personnel and the analytic capability to understand what is
going on in our network so we can respond quickly.
Mr. Wilson of South Carolina. Well, we certainly appreciate
your professionalism. And this is going to be a really quick
question, General Cardon. What is the status of establishing
the Cyber Command in the district, in the community next door
to me at Fort Gordon, Georgia?
General Cardon. Sir, we have a $90 million appropriation
that should break ground here October, November of this year.
So we are really excited about that. That will be the focal
point for cyber for the Army.
Mr. Wilson of South Carolina. Central Savannah area is
really looking forward to your presence.
I now proceed to Congressman Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
Again, thanks to all of our witnesses. Admiral Rogers, I
would like to start with you if I could, on your perspective on
initiatives become more and more acute in recent years. I don't
think anyone would argue that we as a Nation have developed and
continue to develop some exquisite capabilities in cyberspace.
It is without question.
However, I am concerned that we are developing capabilities
faster than we develop the doctrine and policy that guides
their use. And, we all would agree that cyber operations
obviously are critical to how we operate now and in the future,
but there appears to be a real need for greater definition of
legal structures for cyber activities and operations in defense
of the Nation.
And there appears to be even more of a gray area around
support of civil authorities when it is not under a Title 10
construct with a Title 32, 50, 18 or 5 drill status, or how we
utilize our Reserve Components and many of the ways that our
service men and women can interface outside the DOD.
So my question for you, can you speak to your command's
efforts to work through these policy challenges?
Admiral Rogers. So, I think you raised some significant
issues. Clearly they are much broader than just U.S. Cyber
Command, although we are an important part of this dialogue, we
are an important part of this process. If I could, I will start
with the second half first and then work my way back.
In terms of how we make sure that we are maximizing the
capabilities that we are building across the total force from
the Reserve, the Guard, and the Active Component, particularly
as you have indicated, when we are applying it outside the Title
10 framework, the argument, you know, my part of the discussion
is, look, we have a very competent, mature structure in the
form of defense support to civil authorities that we currently
use already in many other mission areas in the Department.
I think that is a good starting point for us when we look
at how we are going to apply capability in Title 18, Title 5,
Title 52. So I think there is a good framework for us to build
around, and that is kind of the starting position, if you will,
that we are taking as a Department, broadly speaking.
The first part of the question that you raised about how do
we make sure that even as we are generating capability we are
also thinking about the doctrine and the legal authority, if
you will, that helps frame how we apply it in a way that
maximizes outcomes and it does it in a framework that we are
all comfortable with.
I think on the doctrinal side, I am pretty comfortable that
we have got a broad vision. If you look, we have got
publications. We have got a broad dialogue about how we are
going to do it. I think the biggest challenge in some ways that
we are still trying to wrestle our way through here is if we
are going to generate or apply these capabilities outside the
DOD framework, let's say in defending critical U.S.
infrastructure, that is an area that we still have to work
through the details.
Okay, so what is the legal and policy framework that we are
going to use? I am comfortable that in a crisis we will work
our way through it, but the point I am trying to make is we
don't want to wait until a crisis to do this. You want to have
this all laid out. You want the private sector to understand
it. You want the rest of our governmental partners, because we
are going to do this teaming with others in the government, DHS
[Department of Homeland Security], FBI [Federal Bureau of
Investigation], other partners, and we want to make sure that
we have laid that all out in advance.
So there is a variety of steps we are taking between
exercises, between ongoing policy deliberations, and through
the legal frameworks we are trying to create, for example, what
the Congress is looking at for cyber information-sharing
legislation. That is all a part of the efforts we are trying to
move forward to address the important issue that you have
highlighted.
Mr. Langevin. Well, thank you. I hope we can continue to
work through those things. And that is something that I want to
pay particular close attention to. So thank you for where we
are right now, and I look forward to continuing this dialogue.
Cybersecurity obviously is an incredibly important field,
but it also has lots of synergies with other areas of DOD
activities, SIGINT [signals intelligence], electronic warfare
[EW], information operations, and many more.
General, if I could ask you, I know the Army has recognized
this in particular with their doctrinal recognition of the
merging of cyber and EW, and certainly the Navy's Information
Dominance community is in this as well, as our Navy witnesses
know quite personally.
So my question is, are the interactions between cyber and
these communities clear or ad hoc, and how do training,
manning, and equipping get balanced across these synergistic
investments? Are we building cyber in concert with or on the
shoulders of these other communities?
General Cardon. In this case we have doctrine, we call it
CEMA, cyber electromagnetic capabilities. And we built these
organizations into our Army service component commands, corps,
divisions, and brigades.
Now, the capabilities to deliver all that don't fully exist
yet, because we have recognized this convergence. But, for
example, we already have experiences using this in some of the
war zones, former war zones, such as Iraq, where you had CREW
[counter radio-controlled improvised explosive device
electronic warfare] devices to protect against IEDs [improvised
explosive device], tactical SIGINT forces. And it is really how
do you organize these in time and space to accomplish a
specific mission?
So we are trying to harness what we have learned in Iraq
and Afghanistan, and what we are learning today and bring that
forward. I think this is a journey, and we still have a lot of
work to do on what are the additional capabilities we need at
those levels.
Mr. Langevin. Thank you.
Mr. Wilson of South Carolina. Thank you very much, Mr.
Langevin.
We now proceed to Navy SEAL [Sea-Air-Land] veteran,
Congressman Ryan Zinke of Montana.
Mr. Zinke. Thank you Mr. Chairman.
You know, from the perspective of a ground-pounder, you
know, I was just a frogman, it seems to me when you say your
ability to defend the Nation, and I am concerned about the
chain of command. You know, we have had earlier discussions
about, you know, what is the difference whether a missile
attack is incoming or whether it hits a military facility or a
piece of our major infrastructure or our banking system, it is
an attack.
And I am concerned that the chain of command doesn't allow
you to quickly react to an attack because somehow we have to go
through and determine whether it is a bank or whether it is a--
you know, what article it is under. And it seems to me that we
need to take a fast look at this and so we are not responding
to a crisis, but preparing for what we will, I think most in
this room believe, is an eventual attack.
So I guess my question is are you comfortable with the
current--your current ability to defend this Nation and the
shipyards and infrastructure and everything there is, the
cyber? And if you are not, what are the benefits of looking at
streamlining our chain of command and so we can have
accountability, we can have, you know, cost and efficiency?
What do you see as the path forward?
Admiral Rogers. So if I could, Congressman, let me take a
look at--give you an initial thought. The positive side, in my
mind, is we have clearly delineated who has what
responsibilities. And I say that, if we go back 2, 3 years ago,
we literally spent years debating about who was going to have
what role. And it literally probably took us 2 years to
generate an internal consensus as to who was going to do what.
The positive side for me--I have now been in command coming
up on approximately a year. The positive side for me is, hey,
we have moved beyond a discussion of who ought to do what to,
okay, now we have clearly identified who has what
responsibilities. Now let's roll up our sleeves and focus on
how we are going to make this work. Clearly we are not where we
want to be yet.
The argument--not the argument--the point I try to make to
my DHS because the vision as currently constructed is DOD will
apply its capabilities in a supporting role, if you will, with
DHS largely being the supported entity within the Federal
Government as having the primary responsibility for
cybersecurity outside the dot.gov domain, if you will, in the
broader civilian infrastructure.
The point I am making with my teammates at DHS and the FBI,
for example, are my military culture teaches me you got to
train, you got to exercise, you got to get down to the
execution level of detail, and you got to do that all before
the crisis. You know, as you have learned in your own life,
discovery learning while moving to contact is an incredibly bad
way to go about generating insights and getting more proficient
at the mission.
What I would suggest is we need to make this current. We
need to wring this current system out, and before we go back
again and spend more time on this, and one of the inputs I have
provided is, hold us accountable for executing what we have
created. And if in that experience we come to the conclusion
that, hey, we made some assumptions that turned out to be
flawed, then we ought to step back and relook at it. But for me
at least, I am not there yet.
Mr. Zinke. Thank you, sir.
Mr. Chairman, I yield the remaining part of my time.
I look forward to working with you on this and support you
in any way I can.
Mr. Wilson of South Carolina. Thank you, Congressman Zinke.
We now proceed to Congressman Joaquin Castro of Texas.
Mr. Castro. Thank you, Chairman, and thank each of you for
offering your testimony today.
Welcome to Washington. I know you all are here frequently.
A special welcome to Major General Wilson, who is in from
San Antonio, Texas, Lackland Air Force Base. We are very proud
of the work you all are doing there.
Let me ask you all a question about training people in
cybersecurity in our country because this issue and the need
for that skill is only going to become more pronounced in the
coming years.
This Congress is in the process of taking up our big
education reauthorization bill for example, ESEA [Elementary
and Secondary Education Act]. What programs in our school
should we be expanding or growing, not only in our high
schools, but also in our colleges, to prepare more students to
take on roles in cybersecurity and so that you all have a
pipeline of qualified people who can take on these jobs, a job
that is becoming more in demand not just in the military or in
government, but also in the private sector? And I will open it
up.
Admiral Rogers. Why don't you take that first cut because
you have done some interesting work at the high school level.
General Wilson. Thank you, sir.
When you look at the young generation, really it's a STEM
problem we have seen for years, no matter what the mission that
we need in the DOD. And so when you take a look at it, you have
got to get young folks excited about cybersecurity in this
case. And what we find is they yearn for interaction with
people that are really doing the job. And it is fascinating to
watch them in front of young airmen. It would be the same with
a soldier, sailor, marine--it wouldn't make any difference--to
be able to share, to put an 18-, 19-, 20-year-old in front of
them because it is not hard for them to project themselves in
the roles that we do every day.
And so what we found, probably the most successful, is this
CyberPatriot. There is others like it. We have a Troops for
Teens program there in San Antonio, that you are familiar with,
sir. When we are able to interact with the schools at the
grassroots level, seems to be the most effective. I would argue
the CyberPatriot is very effective because we bring private
industry in to enable from a funding perspective, so they are
able to partner in the private--public-private partnership. We
find that to be very, very powerful.
So in our case, I am proud to be wearing an Air Force
uniform and that the Air Force Association sponsors the
CyberPatriot program. We think we got a good thing going there.
But the feedback from the local schools, teachers, mentors that
we bring in to work with the kids, they just need more mentors.
They need more attention.
And so while we can put more curriculum in place, that is a
wonderful thing, to get kids excited, and I will give you just
a couple of statistics in some of the, you know, studies that
we have looked at in terms of kids that are coming out of the
CyberPatriot program, the national average is typically 9 to 15
percent, depending, kids that are interested in cybersecurity
or other STEM fields just across the student population.
We are seeing about those numbers when kids come in, but we
are seeing graduates out of CyberPatriot at the 80, 85 percent
rate that are interested in cybersecurity or STEM degrees when
they go off to college. You could argue maybe that is because
of the people that are joining the program. But I would argue
that when you look at the caliber and the content of what they
know when they walk in the door--they don't know a lot about
cybersecurity--and when they walk out the door, they know a lot
about it. And so it is getting them motivated. I think they can
see themselves in those career fields. And so that exposure--
the biggest reason we saw a 40 percent increase this year is we
got into the middle schools. We incorporated the middle schools
into the CyberPatriot program. Next year we are going to take a
stab at the upper tiers of the elementary school and get them
excited about doing cybersecurity.
I would argue that all of the services have similar
programs, you know, and sometimes it is about flying or space
out in the Air Force. Cyber is one of those. It is an exciting
career field, and people see themselves in it.
And so I think that is the key, is to get our young folks
excited about what the potential is for them.
Mr. Castro. Sure.
Admiral Tighe. Congressman, if I may, I think the point on
the STEM is really, really important. And as early as we can
get the STEM, get our young kids motivated in STEM, the better.
We need them to be comfortable with technology and be
comfortable as analysts, if you will.
We have to connect the dots a lot of time. We need our
workforce to be able to connect dots, not just understand
technology but understand what is really happening when you
don't have the full picture.
And so the STEM programs tend to do that for our young
people. I think at the same time--so puzzles and things of that
nature. But I think at the same time there are also programs
that we have been able to leverage sponsored by National
Science Foundation and others. Scholarships For Service is a
program that gets graduate-level education and college
education and contributes to that education with a stipend, for
example, but then they come into the Federal service in
cyberspace. And so some of those kinds of programs are also, I
think, very valuable in exposing our young people and our
college-age students to cybersecurity challenges, but also sort
of bringing them into the government as a first job.
Mr. Castro. Thank you very much. I yield back.
Mr. Wilson of South Carolina. Thank you, Congressman
Castro.
We now proceed to Congressman Doug Lamborn of Colorado.
Mr. Lamborn. Thank you, Mr. Chairman.
And I would like to build on this theme of education.
Admiral Rogers, the University of Colorado at Colorado Springs
in my district and the Army Reserve just announced a
partnership to educate cyber warriors. Is this a good model,
and should we support it?
Admiral Rogers. Well, let me be honest, Congressman, I
don't know the details of the model, so I am not in a good
position to tell you is it good or bad. Having said that, one
of my takeaways in this area is clearly this is all about
partnerships, and those partnerships have to include the
private sector but not just the corporate or network owners, if
you will, the educational piece, the academic piece, the
ability to generate insights to go to the doctrine and the
policy kinds of issues we had talked before.
I try to remind people, look, this has got to be a broader
discussion. Look at, for example, some of the initial work we
did in the nuclear world when we were first trying to develop
deterrence theory that we take for granted now. The academic
world played a huge role in that if you go back 50, 60 years. I
would like to see us do the same thing.
And the other thing that concerns me about the academic
world is, and one reason why I as a commander, I spend a fair
amount of time at academic institutions from collegiate level
down to I was just at a charter school in Harlem yesterday, as
a matter of fact, as a follow-on to some work I was doing in
New York City. As I remind them, you are educating our
workforce. I have a vested interest in partnering with you to
help us do that because the technology we use is important. And
clearly, we can't execute our mission without it, but where we
really gain our advantage, our true strength, is in the men and
women who apply that technology.
Mr. Lamborn. Okay. Thank you. And obviously this is
something I think we are all really excited about pursuing.
General Wilson, recently I visited the 561st Network
Operations Squadron which is in my district at Air Force Base
Peterson, and they told me that their structure and approach to
network cybersecurity could be a model for the other service
branches. Is that something you would agree with, and if so,
why?
General Wilson. So, sir, I think you were with Lieutenant
Colonel Rocky Rockwell and the team of the 561st.
Mr. Lamborn. That's right.
General Wilson. Thank you for visiting. They really enjoyed
the visit.
Sir, what they were referring to was this migration that I
hinted at, getting the Air Force network, which is part of our
larger DOD information network, to one centrally managed with a
single architecture, which is really an early interim step
towards the Joint Information Environment. So we are huge
believers in it.
Many of the lessons that we learned out of the migration
actually have been incorporated with the Army and with DISA and
with all the services as we look at the JIE, this Joint
Information Environment architecture, and the way that we are
transitioning all of our networks. And so, it is a model. I
think there is a lot of good, hard lessons. The team that you
met at the 561st, we have a sister unit that is the 26th down
in Montgomery, Alabama, at Gunter Air Force Base, is actually
formed, about 40 people are on the joint management team that
are working to transition with JIE.
And so we have taken the lessons from the people that have
the bruises from going through a transition of that magnitude
and trying to apply that to the JIE so that we are successful.
So I absolutely believe that it is directly applicable, and we
are excited about moving forward.
Mr. Lamborn. Well, I know that there can be value with each
service branch learning its own lessons and standing something
up. But on the other hand, there is also on the other side of
the balance, why reinvent the wheel? If one of the branches has
really done forward work, maybe that should be a model for
others to follow.
General Wilson. So, sir, JIE, which we have all bought into
in terms of the services, is really the next generation beyond
where we are at today in the Air Force. And so it is really the
interim step. So we shouldn't be satisfied with where the Air
Force is. We need even a more defensible network. It is the
best we can do with decades-old, 5-year-old technology. We need
to move the DOD forward with the newer technologies, the next
generation technologies, cloud architectures, single security
stacks through our gateway, if that makes sense.
Mr. Lamborn. Thank you. Thank you all for your service.
Mr. Wilson of South Carolina. Thank you very much,
Congressman Lamborn.
We now proceed with Congresswoman Elise Stefanik of New
York.
Ms. Stefanik. Thank you, Mr. Chairman, and thank you to all
of our witnesses here today for your service and the time you
took to prepare for today's hearing.
My question is for Lieutenant General Cardon. Last month at
a conference you discussed the military's need for flexibility,
it is something we hear quite often, and that the traditional
top-down way of operating is a challenge in its organizational
approach, especially as it relates to cybersecurity. Can you
explain this further? And then I am also interested in how this
is applicable to the current mission in Afghanistan.
General Cardon. So I come at it from an operational
approach, and so the challenge in operations is what level of a
centralization do you need, and what level of decentralization
do you need. And so some operations require a high degree of
centralization, and some operations work best decentralized.
The art is figuring out which one is most applicable. And
in cyber, I think we have a centralized framework with a
decentralized execution. But I will go further building on what
Admiral Rogers talked about. It is when you start to bring
coalition and private, because this affects--it affects all of
us, so anything that happens to any one of us, all of us are
talking to each other here, and with CYBERCOM it is going wider
because everyone could have this same problem.
So you create more like a fusion cell. I describe it as
being mission focused, not organizationally focused. So
everyone looks at the mission, everyone is working on the
problem. So when you take an example something like Heartbleed,
which was a severe vulnerability that affected everyone, not
just in the military but in private industry, that is a fusion
sort of approach. Looks different inside the military, but
everyone was working on this problem across the country.
In Afghanistan, operations are very decentralized. There is
a limited amount of capability. It is prioritized by General
Campbell, and then we use it accordingly. And so the
decentralized nature of the operations there, often driven by
the terrain, has I think been pretty effective.
Ms. Stefanik. Thank you very much.
My second question relates to sequestration and funding at
Budget Control Act [BCA] levels. Can you talk about what the
risks are to the Army networks campaign plans, network
modernization efforts, should the DOD and the Army have to
execute funding at BCA levels?
General Cardon. So General Wilson just talked about the Air
Force collapsing their networks, and the Army has not yet done
that, and that is why we are partnered with the Air Force to do
that.
So the Army would take about a $6 billion reduction off the
top. That is going to affect training. It is going to affect
our network modernization. It is going to affect our
installation support, and it is going to affect the procurement
of weapon systems. More importantly, it is the software
upgrades that we need to do to those weapons systems to reduce
cyber vulnerabilities.
If the cuts stay, the Army is also going to have to cut
force structure. That is estimated to be 30,000. And while
cyber is still ranked very high in the Department of the Army,
I think it is fair to say that cyber will be part of that
discussion. So this is very concerning. It is still very, very
highly ranked in the departments, and it is a very high
priority. But the nature of those two things together makes a
very difficult problem for us.
Admiral Rogers. Can I make one other comment on the
sequestration piece? The other thing that concerns me is the
longer term implication. I watched the way at U.S. Cyber
Command, particularly our civilian workforce, reacted to the
government shutdown in the beginning of fiscal year 2014. And
as we said to them, trust us. We want you to stay with us, this
is a burp. And now I watch us repeat this kind of scenario
where this time it is just significant funding cuts.
One of my concerns is, does our workforce start to believe,
you know, I am not so sure that there is this long-term
commitment, and given the skills that I have and the fact that
I could make more money going elsewhere on the outside. The
other concern I have, quite frankly, is that we are going to
start to see elements of our workforce, civilian and potential
military, start to walk away. And as I said, the technology is
incredibly powerful, but the greatest edge that we have is our
men and women. And when we lose them, we have got real
problems.
Ms. Stefanik. I agree with you, Admiral, and I also share
your concerns. Particularly from my perspective representing
New York's 21st District, home of Fort Drum, but we are also
home to not only members of the military and service men and
women, but many Federal employees in the district. So I share
your concerns, and we are working very hard on this committee
to address the negative implications of sequestration and these
cuts which are so devastating to our readiness.
Thank you.
Mr. Wilson of South Carolina. And thank you very much,
Congresswoman Stefanik. And Congresswoman Stefanik has been a
real leader trying to address the issue of defense
sequestration. We appreciate her extraordinary service.
Additionally, we appreciate your extraordinary service. And
the issues that you are dealing with are so important we have
another round for anyone who would like to participate.
And for each of you, in your testimony, the military and
civilian personnel needed for the Cyber Mission Forces were
discussed, but are there enablers out there in other
communities not included in the workforce numbers which you
rely on significantly?
How are these enablers faring in the budget? What impact
would you expect, again, with defense sequestration on these
forces?
And we can begin with the Admiral and proceed.
Admiral Rogers. So one of my comments--and I, in fact, just
raised this to the Joint Chiefs of Staff last week--was to
remember cyber is much more than just the maneuver elements,
the teams, if you will, that we are creating, that like every
other mission set, cyber counts on a core set of enablers that
we often tend to take for granted.
So rather than take a lot of time, I will highlight one
area to you, and that, for example, is the power of
intelligence, the fact that we rely on a broader intelligence
structure to generate knowledge and insight about what is going
on in our cyber environment and we use that insight then to
apply this capability we're generating.
Without that kind of insight, we have real challenges, as
we do in every other domain, about how do you maximize the
effectiveness of the resources and the capabilities we have
generated in this maneuver force.
So I constantly try to remind the broader set of partners
that we work with in and outside the Department to it is more
than just this cyber maneuver force here that we need to be
thinking about.
General Cardon. Sir, enablers are really important. Often
they are in high demand, low density in the Department. There
is a lot of structures in place to work to prioritization. But
it is truly combined arms. But I don't think we fully
understand what we need yet.
And here is what I mean. When I took command, we had two
teams. Today we have 25. By summer, we will have 41. The
demands are growing. And how to best organize the enablers to
meet all the demands that the teams are generating as the teams
grow, we are working. We know we need more. To put a finite
number on that yet I think is a little premature, but it is not
what it is today.
Admiral Tighe. Chairman, I would say that, from the Navy
perspective, we are building the teams just like the other
service components at places where I have already got commands.
So I have a command structure where we are growing teams, and
there are enabling functions associated with growing a large
number of military people, you know, personnel, inside of a
command, and civilians.
And so some of those kinds of enabling functions have not,
you know, really been thought through in terms of how many
career counselors do you need, how many SAPR [Sexual Assault
Prevention and Response] counselors and victim advocates and
those kind of things. And so certainly, when we added the Cyber
Mission Force, it was all about that maneuver element.
But, in some cases, we have placed burdens on commands that
may not have had sufficient capacity to deal with that growth.
And so that is an area that we are definitely looking at, where
we go from here in terms of both the enabling and, as Admiral
Rogers said, the command and control parts of it.
General O'Donohue. Sir, from the Marine perspective, you
know, enabling the whole force really is what cyber is. You
have a certain amount of expertise represented in the
specialized skills. We have folks down here with the ability of
the force to train and exercise.
This comes from the resiliency aspect of it and the idea
that down to the network operator level or down to the end
user, he is able to operate in a contested and degraded
environment, in fact, compromised, and every level of command
is integrated at cyber less [audio unclear] and not just what
is specifically designated as a cyber force.
So one aspect of that is the training exercises that gets a
whole force and also provides an enabler to the specialists,
who are the catalysts. But it has to be seen as a comprehensive
capability across the force and integrated like any other
combined arms.
One help for that is a persistent training environment.
This helps realistically fight a network without an adversary
and enable to test the force and build resiliency. Also, it has
another effect in terms of acquisitions, which is another area,
not so much money, certainly an acquisition program that is
tailored to this new capability that we are developing.
Within the persistent training environment, you can get the
collective skills across the force, but also you can test the
vulnerabilities of things that we are going to acquire and
bring into it in the overall operational context.
General Wilson. Sir, I would just echo a couple of things
and add a few.
One is integrated command and control has been key. We have
seen that today at the tactical level, if we are able to
integrate our command and control elements. That has been a
challenge because we have been resourcing the maneuver element.
We have not resourced the command and control. So that has been
a bit of a challenge. But we see that as a key enabler
tactically.
In addition, similar to the Navy, some of the support
structure was not put in because of some of the sequestration
cuts, if that stays. And so we have got those laid in in our
current budget. So if we move back to BCA levels, that may put
some stress on the support structure.
The couple things I would add is we see tremendous leverage
with a Reserve Component. So our Guard and Reserve partners--
they are conducting the mission every day for a couple of
reasons.
One, we see tremendous talent and unique skill sets that
come in the door that complement the training that we give them
and the types of operations we are doing. It also offers our
Active Duty members that make a decision to leave the service
some options on continuing to serve by wearing a uniform and
coming back in the door on a bit limited basis from just a time
perspective. But we get to retain that talent and the
experience.
So that has been a key enabler for us. We have been doing
that for years. But we are seeing that magnified in the CMF,
the Cyber Mission Force.
I would echo also we really are going through a culture
change. We have a very--it is a contested, degraded, and
potentially operational limited environment. And so that
culture of having to operate through that kind of environment
is different. And so moving the whole force--not just the cyber
experts, but everyone--into that and through those training
exercises and exposing them to that is key.
And then, finally, I would add it is quickly becoming a
commander's business. Just like in industry, we are seeing in a
C-suite business--CEOs [Chief Executive Officer], COOs [Chief
Operating Officer], et cetera--it is not just the CIO's [Chief
Information Officer] problem anymore. This is key. To have
mission success, this has got to be a commander's business.
So it is not just the commanders sitting here representing
the cyber talent, if you will, in each of the services, but the
operational commanders, and getting them involved in the
decision process.
What we are seeing in the Air Force is my counterparts in
the other combat-numbered Air Forces are very interested and
want to understand and want to be part of the solutions. And so
we see that as a key enabler.
Mr. Wilson of South Carolina. Well, I thank each of you.
And we now proceed to Congressman Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
And, again, thanks to our witnesses.
I have got a couple of questions. I am hoping to get to at
least a couple of them. I can't get through all of them. So I
am going to go as quickly as I can.
But going back to, if I could, retaining and recruiting
qualified military and civilian personnel, obviously, it is
critical to addressing the threat.
So my question is: What challenges do you face in
recruitment and retention? And, more specifically, how are
these challenges being addressed? Are special authorities
needed?
For example, are enlistment bonuses, civilian hiring
authorities, required to address shortfalls in recruitment and
retention? And what incentives or methods have been used so far
effectively to recruit and retain?
Admiral Rogers. Let me start and then I will turn it over
to my counterparts, because the services actually generate the
capability, if you will, the workforce.
When I looked across the entire Cyber Mission Force, the
positive side to date is that both accessions, input, if you
will, across all the services is meeting target and retention--
knock on wood--is actually higher in some ways than we had
originally anticipated.
I think that is because--the thing I try to remind people
is we are not going to compete on the basis of money. Where we
are going to compete is the idea of ethos, culture, that, ``You
are doing something that matters, that you are doing something
in the service of the Nation, and that we are going to give you
the opportunity to do some really interesting and amazing
things.'' I think that is how we are going to compete.
And then I would turn it over to my service teammates for
the specifics they are running into.
General Cardon. Sir, to echo Admiral Rogers, we have not
experienced problems with recruitment. For example, for our
high-end operators, we recruited 75 percent of the year in the
first quarter with no waivers and no bonuses. So there is a
tremendous drive on this.
The challenge will be retention. So if I could go down,
officers----
Mr. Langevin. How is that going so far on the retention
side, just broadly?
General Cardon. Well, we are headed into our first big bow
wave because we started this about 3, 4 years ago and they are
entering into the first window. I would say right now it is
still unknown.
But a few indicators gave us the idea that we have to
manage this as a separate branch, because before we did not
count cyber. You were part of another branch and you were
selected for promotion or leader development opportunities
based on your expertise on that branch, not in cyber. Now you
will do this with a cyber focus.
We have also recognized we need this same thing for our
civilian workforce. For the civilian workforce, there is no
cyber portion of this. So to advance in those, you have to
advance where you were hired into as opposed to a cyber focus.
So we think those will really help. We have the right tools
with bonuses and all that right now to offer them, and the Army
is very aggressive on this at this time.
Admiral Tighe. I would say that the Navy is in a similarly
situated position. As it pertains to recruiting, we have not
been having any trouble recruiting to the numbers that we
needed for all of our cyber-type missions. And on the retention
side, we are doing very well, both officer and enlisted, in
retaining the talent that we need.
We have the tools that everyone else uses in the Navy to
incentivize any particular ratings that are low on numbers, in
particular, pay grades and things like that. We use that. But I
agree with Admiral Rogers that, in this mission set, it is not
about the money. It is about the mission.
And so the best thing that we can do to improve retention
in this space is give them the training and the tools and put
them on mission because they--you know, what I am seeing in our
young people and our workforce is very motivated, enthusiastic
for the mission. And getting them on mission is the most
important thing we can do.
Mr. Langevin. I am going to hold the--General O'Donohue and
General Wilson, if you can perhaps respond in writing,
especially if there is something different that you are
experiencing. But I wanted to get to the acquisition part.
[The information referred to can be found in the Appendix
on page 102.]
Mr. Langevin. Let me ask: Is the current acquisition model
adaptive and flexible enough to support cyber technology
innovation and rapid utilization of cyberspace capabilities? As
you may know, the committee is working on acquisition reform
right now. And do you have recommendations on how to ensure the
process allows for innovation and rapid acquisition
capabilities?
My other question, which you probably won't be able to get
to, is going to be for Admiral Rogers. Are you reviewing
allocation of resources in terms of--to meet the combatant
commanders' requirements? How do you allocate the resources you
need for these Cyber Mission Teams? So we can probably do that
one for the record. But on acquisition.
[The information referred to can be found in the Appendix
on page 101.]
Admiral Rogers. So let me start on acquisition. The short
answer is no. My argument is we have to change the model we are
using. The rate of change is such that, within the cyber arena,
we have got to account for the fact that, as we are developing
and acquiring capabilities in the Department, we have got to
build into that process the idea of regular and recurring
update and revision, that a set of capabilities that we lock
into place and then build to over time--let's say, if you look
at what it takes to put a satellite into orbit, if you look at
what it takes to build a major warship, for example, I mean, we
are talking 5 to 10 years. And the rate of change in the cyber
dynamic in 5 to 10 years is just amazing to me.
So we have to build into that program the idea that there
will be a recurring refreshment rate required. We don't do that
right now in the model at all. That is not the way we do
business. But I think we have to get to that.
Mr. Langevin. We are going through acquisition reform right
now, and now would be a good time to help us to get this right.
I know my time has expired.
Mr. Wilson of South Carolina. Thank you, Mr. Langevin.
And we will proceed now to Congressman Ryan Zinke.
Mr. Zinke. Thank you, Mr. Chairman.
I guess, as I watch the fleet numbers go down, I get
concerned. I think we are all concerned. But, also, when the
fleet numbers go down, we are asking our fleet to do more with
less and it is much easier for our adversaries to target
individual platforms.
I guess the bottom line is, if further cuts occur, do you
feel that those cuts could, in fact, put our ships and our
fleet that are in harm's way at further risk being unable to
detect and defend a cyber attack, particularly in the western
theater?
Admiral Tighe. Congressman, I believe that all of our
maritime missions, particularly those that are forward, you
know, projecting power around the globe, are critically
dependent on our cyber capabilities.
And we have spent the last 2 years building programs around
closing the gaps in vulnerabilities and increasing our
operational capabilities to assure missions around the globe
that maritime commanders have to be able to do.
And so certainly what the actual CNO [Chief of Naval
Operations] said during his budget testimony is, if we are held
at the BCA levels, he would be hard-pressed to recommend to the
Secretary that we reduce any of those investments that we have
already identified and made as a commitment to our mission
assurance based on the cyberspace capabilities.
But I think, as mentioned earlier, another key aspect of
that is all of the modernization programs that we have across
the board--aircraft, submarines, ships, all of those
modernization programs--tend to upgrade systems that are
dependent on operating systems.
And when things like sequestration hits or we have a late
budget, you know, getting to our acquisitions system, it ends
up throwing a monkey wrench in the modernization plans. Those
modernization plans are very critical to closing
vulnerabilities.
So even beyond what we would call strict cyber investments,
our acquisition process and focus on ensuring that our programs
are not delivering vulnerable systems across the board--not
just networks, but across the board--is contingent on those
modernization programs going forward. So, yes, it certainly
puts at risk not just the capability, but the overall mission,
command and control, of Navy capabilities around the globe.
Mr. Zinke. Thank you, Admiral.
Mr. Chairman.
Mr. Wilson of South Carolina. Thank you, Congressman Zinke.
We now proceed to Congressman Jim Cooper of Tennessee.
Mr. Cooper. Thank you, Mr. Chairman.
Within the last 2 weeks, I think it was publicized that
Lenovo computer company shipped laptops already equipped with
malware called Spear Phishing or something.
Isn't that kind of amazing, that a brand-new laptop would
already be essentially booby-trapped that way?
Admiral Rogers. Quite frankly, no.
Mr. Cooper. That is not amazing?
Admiral Rogers. Again, because what I generally find over
time is--for example, most of the equipments and the
capabilities that we will bring onboard as a Department, we
don't automatically assume that it is perfectly secure. We have
a series of tests and processes that we go through.
I am not trying to imply it is for nefarious reasons. Many
times we will find that, from the time it takes to actually
generate and build the capacity to the time it is actually
fielded, for example, you will find vulnerabilities.
For example, if you look at Heartbleed, probably the
largest vulnerability we had over the course of the summer, was
based on coding from the 1980s. You find these challenges. This
is not unique to the nature of the cyber arena, sir.
Mr. Cooper. Someone estimated--and I hope it is unduly
pessimistic--that almost 95 percent of government IT
[information technology] acquisitions were flawed or deeply
flawed in some way.
Are you able at NSA [National Security Agency] to make sure
you have clean equipment when you buy it?
Admiral Rogers. NSA is part of a broader team that helps
work information assurance for the Department. Having said
that, the service has the overall responsibility for the
manned, trained, and equipped functions for their service and
broadly for the Department. But we do it as part of a broader
team.
Mr. Cooper. But for your own NSA operation, you are able to
make sure that all your computers are clean?
Admiral Rogers. Yes. We spend a lot of time--as every
organization does, we spend a lot of time making sure that we
don't have vulnerabilities in the systems that we are counting
on to execute our mission.
Mr. Cooper. That would include system administrators like
Mr. Snowden?
Admiral Rogers. Yes. Clearly it is not a perfect system.
You will never hear me say that, if that is the point we are
trying to make. You will never hear me say that.
Mr. Cooper. What is good enough for government work? What
is clean enough to be safe?
Admiral Rogers. I don't know that there is a particular
number that I could give you. It all boils down to what is the
level of risk that we are comfortable with, what are the
different processes that we can put in place to try to mitigate
that. There is no single silver bullet here, as it were.
Mr. Cooper. It is risk for virtually every chip to be made
overseas?
Admiral Rogers. There is clearly an aspect of risk to it. I
think that is a fair statement.
Mr. Cooper. Is it worth mitigating that risk by having more
domestic manufacturers?
Admiral Rogers. You know, clearly within the Department, we
try to take a look at that. One of the ways we do it is we try
to tier some of our systems, if you will. And the standard, for
example, that we will use within the nuclear infrastructure is
different than the infrastructure we will use for the systems
we use for morale, welfare, and recreation functions within the
Department.
Mr. Cooper. But a back door can come in from virtually
anywhere. The Target hack was mainly the HVAC [heating,
ventilation, air conditioning] contractor. Right?
Admiral Rogers. So is it possible? Yes. There is no doubt
about that.
Mr. Cooper. I don't know how many transistors are in a
phone like this or chips or whatever like that, but it is
surely a large number.
Admiral Rogers. It is a complex operating system.
Mr. Cooper. So since everyone carries their own
supercomputer with them, is anyone smart enough to figure out
the hardware/software interface, even assuming that the
hardware is perfect and clean and inviolable or----
Admiral Rogers. Well, the way I put it is, hey, if it is
designed by man, man is a flawed individual. And the idea that
you are going to create something perfect in which you
guarantee that there is no ability to penetrate is highly
unlikely, which is why in the Department we do things like
defense in depth, multiple looks at the same piece of gear many
times.
We try to account for the fact that a single solution--
whether it be technical, ``Hey, I can create the perfect
system,'' whether it is, ``Hey, I can control my workforce and
guarantee I am not going to have any issues,'' we try to use
multiple layers.
Mr. Cooper. I guess I am still trying to get at the
question of good enough for government work. When are we safe?
When have we done enough of that? Do you have to red-team
everything? Do you have to practice your operation without
using computers? How do we----
Admiral Rogers. I think the answer is yes, we try to do all
of that. You have heard today already we talk about the idea
about, for example, how are we going to operate hurt within the
Department.
I think the reality of the world around us is, at least on
the military dimension, it is not in our best interest to
assume we will always have perfect connectivity, that we will
never have any issues, we will never have any degradation. Far
from it. I think quite the opposite, given the nature of the
world that we are dealing with today. We have to think about
how we are going to fight through things.
Mr. Cooper. Should the Defense Committee be doing more to
help?
Admiral Rogers. Well, I can use all the partners that we
can get in this. Because no one single entity here is going to
have all the answers to this, which is one reason why, if you
look at the resource piece that the Congress holds here, the
legal frameworks that we talk about, you clearly have an
important role to play in all this. It won't be just us.
Mr. Cooper. Well, I hope you won't be shy about asking.
Admiral Rogers. Yes, sir.
Mr. Cooper. Thank you, Mr. Chairman. I see my time has
expired.
Mr. Wilson of South Carolina. Thank you, Mr. Cooper.
As we conclude, I want to thank each of you. And it has to
be reassuring to the American people to see such dedicated
personnel. So thank you very much for your service on behalf of
our country.
We are adjourned.
[Whereupon, at 4:51 p.m., the subcommittee was adjourned.]
=======================================================================
A P P E N D I X
March 4, 2015
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
March 4, 2015
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
=======================================================================
WITNESS RESPONSES TO QUESTIONS ASKED DURING
THE HEARING
March 4, 2015
=======================================================================
RESPONSES TO QUESTIONS SUBMITTED BY MR. LANGEVIN
Admiral Rogers. In December 2012, the Department determined its
initial set of resources required to man, train and equip Cyber
Mission Forces (CMF) based on operational requirements defined by the
Joint Staff in coordination with the Combatant Commands and U.S. Cyber
Command (USCYBERCOM). Based on those requirements, the Department of
Defense (DOD) initiated a major investment in its cyber personnel and
technologies for the Cyber Mission Force in 2013.
From the initial 2012 assessment, the Services were required to
meet the man, train and equip 133 teams with various levels of
involvement using the traditional equitable allocation model (Army 30%,
Air Force 30%, Navy 30%, Marine Corps 10%) with all teams being fully
resourced by Fiscal Year (FY) 2016. Specifically, Army is to provide 41
teams, Air Force is to provide 39 teams, Navy is to provide 40 teams,
and Marine Corps is to provide 13 teams. The Department also included
integration of Reserve and National Guard personnel in the Cyber
Mission Force (primarily as protection forces and surge support) as
described in its August 29, 2014 report to Congress in response to FY14
NDAA Section 933 (d). USCYBERCOM looks forward to completion of the
Department's effort to fully resource the required command and control
structure approved in 2013 by the Chairman, Joint Chiefs of Staff.
Based on Combatant Commanders' requirements expressed in approved
plans and prioritized effects lists, the initial mission assessment
included distribution of combat mission teams to Combatant Commands
(CCMDs) under each of the Service allocations. The initial distribution
was re-examined in late 2013 and an alignment adjustment was made to
two teams to account for certain increased cyber activity within the
133 team ceiling. Current plans are to complete the build out of the
CMF and, once the 133 teams have reached full operational capability
(FOC), reassess the force structure to determine what (if anything)
should be adjusted based on lessons learned. Additionally, as described
in The DOD Cyber Strategy, USCYBERCOM continues to work with Joint
Staff to integrate cyber requirements into combatant command plans and
may reassess allocation of the CMF based on the results of these
activities.
With regards to training, USCYBERCOM published the joint training
and certification standards for the Services to follow to ensure
consistent training of individuals and teams. While the Department
works to develop an enduring Persistent Training Environment (PTE) for
the cyber force, USCYBERCOM expanded its joint training exercises (e.g.
Cyber Knight, Cyber Guard, and Cyber Flag) to increase certain
capability and capacity to help Service personnel and teams obtain the
training required and complete the exercises needed for teams to reach
FOC. USCYBERCOM will continue to monitor the readiness of the Cyber
Mission Force as the Department integrates the CMF into its overall
planning and force development activities to recruit, retain, and
provide appropriately trained cyber personnel.
When it comes to equipping the force, CMF team needs are based on
operational requirements that were initially established at the
beginning of the team build outs and continue to evolve or expand as
current real world involvement dictates. As described in The DOD Cyber
Strategy, USCYBERCOM is working with the Department to develop a
Unified Platform that will integrate and establish interoperability
between disparate platforms. The Unified Platform will enable the CMF
to conduct full-spectrum cyberspace operations in support of national
requirements. As cyberspace requirements evolve and expand, the pace to
equip the CMF is constrained by the deliberate processes within the
acquisition system. The speed in which USCYBERCOM needs the CMF to be
equipped with certain capabilities continues to stress the Department's
acquisition system built primarily to reduce risks in developing
aircraft, ships, and land vehicles and/or oversee major enterprise-wide
Information Technology programs where acquisitions occur over a period
of years. The pace in which cyber events unfold and adversaries adapt
their cyber actions require an agile acquisition system and related
acquisition authorities that enable rapid development and fielding of
military cyberspace capabilities where USCYBERCOM and combatant command
requirements are met in a period of days, weeks, or months. [See page
24.]
General O'Donohue. The Air Force continues to meet all accession
requirements within the cyber community with highly qualified
individuals. To assist with recruiting highly qualified candidates
within the cyber community, the Air Force offers Initial Enlistment
Bonuses for members enlisting in one of four cyber specialty fields.
The member must possess Security+ and/or A+ certification prior to
enlistment and enlist for 6 years to be eligible for the bonus and
receive an advance promotion to Airman First Class upon completion of
specialty training.
In terms of retention, our legacy enlisted cyber support
specialties retain slightly better than the Air Force average. However,
given the relative infancy of some of our core cyber operations
specialties (half of our enlisted specialties are less than five years
old and we created a separate officer sub-specialty within the past
year), we lack sufficient retention history in cyber operations. As
first tour enlistments continue to expire over the next couple of
years, we will have a better understanding of longer-term Airmen
retention behavior.
Regardless of retention, we continue to be challenged in our newer
cyber specialties due to the rapid growth in requirements, which
exceeds our trained personnel inventory. It is crucial that we retain
our cyber professionals to help close the current manning gaps. As
noted, on the enlisted side, we have made concerted efforts to increase
accessions and pay retention bonuses where these challenges are most
acute. For officers, we are currently exploring how we can leverage the
Critical Skills Retention Bonus to retain cyber leaders. Continued
Congressional support for all of our special and incentive pays aimed
at recruiting and retaining cyber operations airmen is appreciated. We
will continue to monitor and assess but it is clear that retaining
these professionals is essential. [See page 23.]
General Wilson. Currently, we are not experiencing any major issues
in recruiting or retention. While we are competing within DOD, as well
as within industry, for top talent, we have a number of advantages.
Some of these advantages will only appeal to a small segment of people,
but that is all we need. Each Service, or industry for that matter, has
advantages and many of these will only appeal to certain people, and
that diversity helps us all. Our civilian salary and annual bonuses may
not measure up to what industry can offer for a more skilled and highly
trained individual. For the civilian Information Technology (IT)
personnel, we have limited monetary incentives that can be offered.
What we see more than often is our cyber civilian positions offer a way
for talented Marines that have trained and grown up in this domain,
with hands on experience, but are leaving the service for various
reasons; from family, to career, to retirement, a way to stay
associated with the Marine Corps. They continue to be a part of the
Marine Corps team and gain the stability (in terms of position and PCS
moves) or flexibility that can be offered by a civilian position, and
so these Marines apply for and earn these positions. We have a number
of civilian personnel from other services as well, they too leave their
service for some of the same reasons and apply to our civilian
positions for similar reasons, and they are still associated with the
military, but get to choose where they live and work. Sometimes our
applicants have a desire to serve the military, but for various reasons
were unable to in the past or now cannot be in the active duty
component, so they apply to our positions. As for the Active Duty
Marines, especially some of our younger Marines, see cyberspace as a
new and exciting domain. We generally have more Marines wanting to come
to MARFORCYBER than we have space. The younger Marines have been raised
in this domain more than the past generations and for them, continuing
to fight our enemies in a domain they are already comfortable with is
something they are seeking. Additionally, once they arrive, they
receive advanced training and the hands on experience that goes with
work. The Marines see cyberspace as the future and want to be a part of
it. Some will decide to get out, and as we stated above, some will get
out but want to come back on as a civilian. Some go to industry and
wish to keep that link to the Marine Corps, so they transition to the
reserve component, bringing their industry experience back to the
Marine Corps when it is needed and continue to build that knowledge and
experience in both realms. Others will stay as long as the service
allows them to continue to see this domain grow and mature. [See page
23.]
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
March 4, 2015
=======================================================================
QUESTIONS SUBMITTED BY MR. WILSON
Mr. Wilson. Several of you mentioned in your testimony something
called Unified Platform? What is Unified Platform, and what
capabilities will it provide for you? Will there be service-unique
capabilities that you believe will be integrated in? From an
acquisition perspective, how do you plan to proceed? Do you need any
special acquisition authority or a special acquisition process in order
to develop Unified Platform in a timeframe that will be useful for the
cyber mission forces? How are you working with your service
laboratories and program offices to develop the capabilities you will
need as part of this initiative?
Admiral Rogers. [No answer was available at the time of printing.]
Mr. Wilson. What role, if any, do you see the Cyber Threat
Intelligence Integration Center playing in your day to day operations?
Admiral Rogers. [The information referred to is for official use
only and retained in the committee files.]
Mr. Wilson. Do you have adequate all-source and multi-intelligence
fusion and analysis capabilities for cyber to support the cyber mission
teams we are building?
Admiral Rogers. [No answer was available at the time of printing.]
Mr. Wilson. Several of you mentioned in your testimony something
called Unified Platform? What is Unified Platform, and what
capabilities will it provide for you? Will there be service-unique
capabilities that you believe will be integrated in? How are you
working with your service laboratories and program offices to develop
the capabilities you will need as part of this initiative? From an
acquisition perspective, how do you plan to proceed? Do you need any
special acquisition authority or a special acquisition process in order
to develop Unified Platform in a timeframe that will be useful for the
cyber mission forces?
General Cardon. The Unified Platform (UP) is USCYBERCOM's joint,
unifying vision for full-spectrum cyberspace operations that in concept
will provide the Cyber Mission Force the ability to seamlessly
integrate defensive and offensive operations. In its essence UP is a
network of computers, servers, data storage, and analytic capabilities
leveraged to maneuver in and out of red space (adversary assets), and
an access capability to enter the desired red space. It provides a
suite of capabilities to actively defend our network and to project
power in and through cyberspace if called upon to do so. While
inherently Joint, the intent is that Service presented capabilities can
be integrated into a common framework for Joint C2 and execution. While
USCYBERCOM's UP vision is driving current and future investments within
the service laboratories and program offices, several ongoing pilot
efforts are further refining the development of specific requirements.
Additionally, through the distribution of a small amount of USCC RDT&E
funding we have been able to further the development of emerging
technologies and concepts critical to what the Army would present in a
Unified Platform construct. These efforts are informing the development
of requirements in line with the agile requirements validation and
acquisition models currently afforded by updated JCIDS and Defense
Acquisition System.
Mr. Wilson. Several of you mentioned in your testimony something
called Unified Platform? What is Unified Platform, and what
capabilities will it provide for you? Will there be service-unique
capabilities that you believe will be integrated in? From an
acquisition perspective, how do you plan to proceed? Do you need any
special acquisition authority or a special acquisition process in order
to develop Unified Platform in a timeframe that will be useful for the
cyber mission forces? How are you working with your service
laboratories and program offices to develop the capabilities you will
need as part of this initiative?
Admiral Tighe. The Unified Platform is a planned Department of
Defense cyberspace operations platform that will enable the Cyber
Mission Force to conduct full spectrum Cyberspace operations. The
Unified Platform is important in enabling Cyberspace operations
approved by the President and directed by the Secretary of Defense to
support National and Department of Defense policy objectives in
disrupting and denying adversary operations that threaten U.S.
interests. It will provide the Navy Cyber Mission Forces an integrated
capability that is synchronized with Joint combat operations across
multiple geographic Combatant Commanders' AORs. Commander, U.S. Fleet
Cyber Command/U.S. TENTH Fleet, through its research and development
arm, the Navy Cyber Warfare Development Group, is coordinating
development and acquisition with service laboratories, industry, and
Commander, U.S. Cyber Command.
Mr. Wilson. Several of you mentioned in your testimony something
called Unified Platform? What is Unified Platform, and what
capabilities will it provide for you? Will there be service-unique
capabilities that you believe will be integrated in? From an
acquisition perspective, how do you plan to proceed? Do you need any
special acquisition authority or a special acquisition process in order
to develop Unified Platform in a timeframe that will be useful for the
cyber mission forces? How are you working with your service
laboratories and program offices to develop the capabilities you will
need as part of this initiative?
General O'Donohue. Unified Platform is expected to be an
operationally responsive infrastructure designed to improve information
fusion into an effective, integrated approach that leverages developing
cohesive solutions, a single architecture, and reduced infrastructure.
A more detailed explanation will be provided to the Committee by
separate correspondence.
Mr. Wilson. Several of you mentioned in your testimony something
called Unified Platform? What is Unified Platform, and what
capabilities will it provide for you? Will there be service-unique
capabilities that you believe will be integrated in? From an
acquisition perspective, how do you plan to proceed? Do you need any
special acquisition authority or a special acquisition process in order
to develop Unified Platform in a timeframe that will be useful for the
cyber mission forces? How are you working with your service
laboratories and program offices to develop the capabilities you will
need as part of this initiative?
General Wilson. [No answer was available at the time of printing.]
______
QUESTIONS SUBMITTED BY MR. ASHFORD
Mr. Ashford. Is there a role for USCYBERCOM in combating Islamic
extremist propaganda and online recruiting?
Admiral Rogers. [No answer was available at the time of printing.]
Mr. Ashford. What role does the Reserve Component have in
CYBERCOM's manning construct?
Admiral Rogers. As part of its USCYBERCOM Cyber Mission Force
(CMF), in addition to Air Force Reserve Cyber Personnel that support
various staffs and units, the Air Force has tasked the Air National
Guard to fulfill the requirements for two full time Cyber Protection
Teams and the cyber operations element of one National Mission Team.
These teams will be mobilized from fifteen Cyber Operations Squadrons
either already in existence or being stood up. The Navy and Marine
Reserves participation is based on individual augmentation to
shortfalls in their parent service. Army Reserve Component teams are
being built to support Army Service capability apart from USCYBERCOM's
CMF.
Mr. Ashford. Do we need more cyber capacity in Guard and Reserve
units? Do you believe we need to have cyber-focused units in each of
the States?
Admiral Rogers. The question of whether or not to have capability
within each State is a resourcing issue. The current resources
allocated to USCYBERCOM require them to continue to be focused on
training the nearly 6,200 Cyber warriors assigned to the Cyber Mission
Force. Cyber Security is a team effort. Although it might be beneficial
to have a DOD Cyber trained capability within each State, in today's
fiscal environment, difficult fiscal conditions have USCYBERCOM
focusing on building the approved 133 teams.
Mr. Ashford. What role does the Reserve Component have in
CYBERCOM's manning construct?
General Cardon. The Army and Army Cyber Command, as the Army's
service component to U.S. Cyber Command, continue to build a Total Army
approach for our cyber forces that will include 21 Reserve Component
Cyber Protection Teams. These teams will be trained to the same joint
standards as the Active Component cyber force. The Army's plan includes
one Army National Guard cyber protection team currently serving on
Active Status, 10 Army National Guard cyber protection teams and 10
United States Army Reserve cyber protection teams that are essential
components of the Total Army cyber force.
The Army Reserve Cyber Operations Group conducts Defensive
Cyberspace Operations support and provides Department of Defense
Information Network operations and Computer Network Defense Service
Provider support to the Southwest Asia Cyber Center.
United States Army Reserve provides U.S. Cyber Command with
cyberspace planners, an intelligence fusion cell, and joint personnel.
The Virginia Army National Guard Data Processing Unit conducts
cyberspace operations in support of U.S. Cyber Command.
The United States Army Reserve Military Intelligence Readiness
Command, which will transition to the Army Reserve Intelligence Support
to Cyberspace Operations Element, provides intelligence support and
analysis products to U.S. Cyber Command.
United States Army Reserve personnel serve within the Army's Joint
Force Headquarters-Cyber to execute joint cyberspace operations for
U.S. Cyber Command.
The United States Army Reserve and the Army National Guard are
integral to the Total Army approach to cyberspace operations.
Mr. Ashford. Do we need more cyber capacity in Guard and Reserve
units? Do you believe we need to have cyber-focused units in each of
the States?
General Cardon. Approximately 2,000 Army National Guard (ARNG) and
United States Army Reserve (USAR) personnel are or will be trained and
equipped to the same joint standards as the Active Component cyber
force. Army Cyber Command and Second Army assess that the plan for 11
Army National Guard and 10 United States Army Cyber Protection Teams,
and the current and planned additional Reserve Component Cyber elements
(which include the Army Reserve Cyber Operations Group, Military
Intelligence Readiness Command/Army Reserve Intelligence Support to
Cyberspace Operations Element, Virginia Army National Guard Data
Processing Unit, U.S. Cyber Command Army Reserve Element, and the Army
Joint Force Headquarters-Cyber Reserve Component augmentation) do and
will provide adequate Cyberspace capacity to the Total Cyber force
through FY 2018.
As these United States Army Reserve and Army National Guard units
become fully manned, trained, and equipped, we will continue our
assessment to determine the right number and mix of cyber capacity for
the United States Army Reserve, Army National Guard, and Active units.
Mr. Ashford. What role does the Reserve Component have in
CYBERCOM's manning construct?
Admiral Tighe. Navy has realigned 298 enlisted Reserve billets that
will be phased in between FY2015 and FY2018 to directly support Navy
Cyber Mission Forces. Of the 298 billets, 280 are assigned seven each
to the Navy's 40 CMF teams, with the remaining 18 assigned directly to
the Joint Forces Headquarters-Fleet Cyber staff at U.S. Fleet Cyber
Command. The seven billets assigned to each team serve in an
augmentation role allowing the teams to capitalize on the specific
cyber-related expertise of individuals in these billets. Under this
construct, the Navy CMF teams are afforded an opportunity to maximize
their operational capabilities through the employment of Reserve cyber
experts, many of whom possess very specific skillsets and knowledge via
their civilian careers and training. This "augmentation" construct
further allows the Navy to efficiently secure a highly proficient and
flexible CMF cadre irrespective of budgetary limits and the constraints
of the normal Active Component CMF training pipeline.
Seven enlisted Reserve billets have been realigned to Navy
Information Dominance Forces (NAVIDFOR) Command to support its cyber
inspection requirements.
Mr. Ashford. Do we need more cyber capacity in Guard and Reserve
units? Do you believe we need to have cyber-focused units in each of
the States?
Admiral Tighe. Through ongoing mission analysis of the Navy Total
Force Integration Strategy, we developed a Reserve Cyber Mission Force
(CMF) Integration Strategy that leverages our Reserve Sailors' skill
sets and expertise to maximize the Reserve Component's support to the
full spectrum of Cyber mission areas. Within this strategy, the 298
Reserve billets, which are phasing into service from FY15 through FY18,
will be individually aligned to Active Duty CMF teams and the Joint
Force Headquarters-Cyber (JFHQ-C). Accordingly, each Navy Reservist
assigned to a CMF billet provides operational support to the team's
respective operational commander, including Fleet Commanders, US
Pacific Command, US Southern Command, US Cyber Command, and DOD/Defense
Information Security Agency. As the Navy builds its Reserve CMF support
structure, Fleet Cyber Command and TENTH Fleet conduct ongoing
assessments to maximize the Reserve Force's support to CMF operational
objectives.
These ongoing assessments look at both the size as well as the
location within the Navy's geographic footprint. Navy Reserve cyber
assets (CMF billets), which are governed under Title 10 authorities,
are located with their respective Active Component team. They are
currently assigned to eight of the Navy Information Operations Command
(NIOC) centers, which are located in Maryland, Norfolk, Georgia,
Florida, Texas, California, Hawaii and Japan. (The Navy does not
possess any Title 32 authorities or personnel.)
Mr. Ashford. What role does the Reserve Component have in
CYBERCOM's manning construct?
General O'Donohue. For the Marine Corps we currently provide
reserve component augmentation to the MARFORCYBER headquarters and to
the Marine Corps Network Operations and Support Center. There is the
potential to use the reserve component in less time-sensitive roles to
augment the active component. We do not currently have plans for a
reserve component role in the cyber mission force in the near term. We
are reviewing options for individual augmentation where appropriate;
however few in the reserve component possess the required high
demand/low density military occupational specialties which limits options for
any degree of incorporation into the teams.
Mr. Ashford. Do we need more cyber capacity in Guard and Reserve
units? Do you believe we need to have cyber-focused units in each of
the States?
General O'Donohue. The Marine Corps has not identified a surge
capacity required for the role of reserve augmentation to the active
component beyond the current augmentation levels. Additionally,
maintaining the required skills that are required would be difficult
given the limited time to train available to the reserve component. We
do not provide Guard units.
Mr. Ashford. What role does the Reserve Component have in
CYBERCOM's manning construct?
General Wilson. The reserve component manning within USCYBERCOM is
currently limited to Individual Mobilization Augmentees (IMAs) in
support of the sub-unified command mission.
AFCYBER/24 AF/JFHQ-C has fully partnered with the Air Reserve
Component as part of its current and future build-up of cyber
operations, to support the Air Force's cyber mission and the DOD's
Cyber Mission Force (CMF).
From the outset, the Air Reserve Component, in support of AFCYBER,
has been integrated into the Cyber Mission Force build-up of 39 teams.
To meet the demand signal of the CMF construct, the Air Force Reserve
Command (AFRC) is standing up one Classic Associate Unit in FY16,
integrating into a Regular Air Force Cyber Protection Team (CPT)
squadron, providing steady-state capacity of one CPT or 30% day-to-day
mission share. If mobilized, it will be able to provide manning for
three CPTs in a surge capacity.
In addition to the team build in the CMF, the AFRC supports
numerous other cyber missions under the 960th Cyberspace Operations
Group. The 960 CyOG is comprised of nine squadrons. These units defend
the Air Force Networks and key mission systems, train personnel,
develop new weapon systems and tools, and provide command and control
of cyber operations. In addition to the 960 CyOG, there are Individual
Mobilization Augmentees (IMAs) under the AFCYBER/24 AF/JFHQ-C that
support various cyber missions.
Between FY16-FY18, the Air National Guard (ANG) is building 12
unit-equipped squadrons to sustain two steady-state CPTs, with each
organized into the 30/70 full-time/part-time ratio. The ANG is also
standing up a National Mission Team (NMT) unit in FY16. These units
will align under two ANG Cyberspace Operations Groups.
In addition to the build-up within the CMF Teams, the Air National
Guard support to cyber operations includes five cyber units. These
units support Defensive Cyber Operations and Command & Control.
Additionally, the Air Guard has one of only three of the Network
Operations Squadrons in the Air Force.
Finally, the Air Reserve Component plays a significant role in our
Engineering and Installation and Combat Communications. There are 38
AFRC and ANG units supporting these missions and in the last 2 years
the Air Reserve Component deployed over 800 personnel supporting the
warfighter with these capabilities.
Mr. Ashford. Do we need more cyber capacity in Guard and Reserve
units? Do you believe we need to have cyber-focused units in each of
the States?
General Wilson. The Air Force is wholly committed to Total Force
Integration across the full spectrum of cyberspace operations. The Air
Reserve Component is a full partner in the Cyber Mission Force build in
addition to our other day-to-day cyber operations. We are leveraging
Traditional Reservists, Air Reserve Technicians and Air National
Guardsmen throughout the command to meet our warfighting commitments.
Whether it's commanding and controlling cyber forces from one of our
operations centers, deploying as part of our Combat Communications
team, installing cyber infrastructure around the world, or any other
task, each of our Total Force members meets the same demanding
standards and serves alongside their Active Duty counterparts.
Today, the Air Reserve Component provides approximately 9,000
personnel to support the Air Force's cyber missions. The majority of
the personnel support the Combat Communications and Engineering &
Installation missions. An additional 1,300 will be added to support the
DOD's Cyber Mission Force. We believe growth in the Air Reserve
Component is an effective and efficient option to reduce risk and meet
Combatant and Air Component Commander's requirements as the demand for
cyber capabilities increases.
It's important to remember operations in the cyberspace domain are
not constrained by physical geography. Similar to traditional air
operations, the Air Force has few needs that demand a force
distribution model across the 54 states and territories. Cyber missions
are a case in point. We understand the National Guard Bureau is also
considering the cyber requirement for each of the Governors. One of the
force structure strategies under consideration is the alignment of Army
and Air National Guard units by FEMA region with the appropriate
inter-state support agreements.