[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                                 

                         [H.A.S.C. No. 114-19]

                    CYBER OPERATIONS: IMPROVING THE

                   MILITARY CYBERSECURITY POSTURE IN

                    AN UNCERTAIN THREAT ENVIRONMENT

                               __________

                                HEARING

                               BEFORE THE

           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD

                             MARCH 4, 2015


                                     
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


                              ____________
                              
                              
                          U.S. GOVERNMENT PUBLISHING OFFICE
94-221                            WASHINGTON : 2015
______________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].  
 
                                     
  


           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                  JOE WILSON, South Carolina, Chairman

JOHN KLINE, Minnesota                JAMES R. LANGEVIN, Rhode Island
BILL SHUSTER, Pennsylvania           JIM COOPER, Tennessee
DUNCAN HUNTER, California            JOHN GARAMENDI, California
RICHARD B. NUGENT, Florida           JOAQUIN CASTRO, Texas
RYAN K. ZINKE, Montana               MARC A. VEASEY, Texas
TRENT FRANKS, Arizona, Vice Chair    DONALD NORCROSS, New Jersey
DOUG LAMBORN, Colorado               BRAD ASHFORD, Nebraska
MO BROOKS, Alabama                   PETE AGUILAR, California
BRADLEY BYRNE, Alabama
ELISE M. STEFANIK, New York
                 Kevin Gates, Professional Staff Member
              Lindsay Kavanaugh, Professional Staff Member
                          Julie Herbert, Clerk
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, 
  Ranking Member, Subcommittee on Emerging Threats and 
  Capabilities...................................................     2
Wilson, Hon. Joe, a Representative from South Carolina, Chairman, 
  Subcommittee on Emerging Threats and Capabilities..............     1

                               WITNESSES

Cardon, LTG Edward C., USA, Commander, U.S. Army Cyber Command...     4
O'Donohue, MajGen Daniel J., USMC, Commanding General, U.S. 
  Marine Corps Forces Cyberspace.................................     6
Rogers, ADM Michael S., USN, Commander, U.S. Cyber Command.......     3
Tighe, VADM Jan E., USN, Commander, U.S. Fleet Cyber Command/U.S. 
  10th Fleet (FCC/C10F)..........................................     5
Wilson, Maj Gen Burke E., USAF, Commander, Air Forces Cyber and 
  24th Air Force.................................................     8

                                APPENDIX

Prepared Statements:

    Cardon, LTG Edward C.........................................    53
    O'Donohue, MajGen Daniel J...................................    79
    Rogers, ADM Michael S........................................    35
    Tighe, VADM Jan E............................................    66
    Wilson, Hon. Joe.............................................    33
    Wilson, Maj Gen Burke E......................................    87

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Mr. Langevin.................................................   101

Questions Submitted by Members Post Hearing:

    Mr. Ashford..................................................   106
    Mr. Wilson...................................................   105


 
                CYBER OPERATIONS: IMPROVING THE MILITARY

                 CYBERSECURITY POSTURE IN AN UNCERTAIN

                           THREAT ENVIRONMENT

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
         Subcommittee on Emerging Threats and Capabilities,
                          Washington, DC, Wednesday, March 4, 2015.
    The subcommittee met, pursuant to call, at 3:33 p.m., in 
room 2118, Rayburn House Office Building, Hon. Joe Wilson 
(chairman of the subcommittee) presiding.

  OPENING STATEMENT OF HON. JOE WILSON, A REPRESENTATIVE FROM 
SOUTH CAROLINA, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND 
                          CAPABILITIES

    Mr. Wilson of South Carolina. Ladies and gentlemen, I call 
this hearing on the Emerging Threats and Capabilities 
Subcommittee of the House Armed Services Committee to order.
    I am pleased to welcome everyone here today for the very 
important hearing of the fiscal year 2016 budget request for 
cyber operations programs of the Department of Defense [DOD].
    One need only read the headlines of almost any newspaper on 
almost any day by way of the media to see the challenges we 
face as a Nation when it comes to hacking and cyber threats. 
The array of threats both from state and non-state actors pose 
significant challenges to our military forces, our economic 
well-being, and our diplomatic activities worldwide.
    The recent government accountability report on the 
vulnerabilities to our air traffic control networks vividly 
illustrate the need to work across departments, agencies, and 
even internationally to ensure our security. We recognize that 
the Department of Defense capabilities will be critical to 
those efforts, but must be provided the resources and the 
authorities to be effective. As we look at this budget request 
and as the witnesses describe their plans for how they will 
execute their activities in fiscal year 2016, I ask that you 
address the following questions. What specifically are you 
requesting in the budget, and what major initiatives do you 
expect to fund? If defense sequestration caps are enforced in 
the budget request, what impacts do you expect this year? How 
are you measuring or assessing the cybersecurity posture of the 
Department of Defense networks, and what vulnerabilities do you 
see?
    Today we have invited a panel that represents the top 
military leadership for cyber operations across the Department 
of Defense. Our witnesses include Admiral Michael Rogers, 
Commander of the U.S. Cyber Command [CYBERCOM]; Lieutenant 
General Edward C. Cardon, Commander, U.S. Army Cyber Command; 
Vice Admiral Jan Tighe, Commander at Navy Fleet Cyber Command, 
10th Fleet; Major General Daniel J. O'Donohue, Commanding 
General Marine Forces Cyber [MARFORCYBER]; and Major General 
Burke E. Wilson, Commander, 24th Air Force.
    Now I would like to invite the subcommittee ranking member, 
Mr. Langevin of Rhode Island, to make any comments that he 
might have.
    [The prepared statement of Mr. Wilson can be found in the 
Appendix on page 33.]

  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM 
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS 
                        AND CAPABILITIES

    Mr. Langevin. Well, thank you, Mr. Chairman.
    And I want to thank our witnesses for being here today, and 
I look forward to hearing your testimony, and, as always, I 
thank you for the work you are doing on behalf of our country. 
Thank you all for your service.
    The 2014 Quadrennial Defense Review stated that, and I 
quote, ``The importance of cyberspace to the American way of 
life and to the Nation's security makes cyberspace an 
attractive target for those seeking to challenge our security 
and economic order,'' end quote. I could not agree more. Last 
year the Director of National Intelligence placed cyber threats 
number one on the list of strategic threats to the United 
States.
    Most recently, the National Security Strategy cites the 
danger of destruction and even destructive cyber attack is 
growing. The cyber domain is complex. We all understand that. 
Threats in this space continuously evolve based on emerging 
technologies and techniques to counter our efforts. Threats are 
carried out by a diverse set of actors. Securing, defending, 
and operating freely in this space presents a nontraditional 
challenge requiring an immediate but thoughtful response.
    Since the creation of U.S. Cyber Command, the Department 
has made substantial strides in understanding and enabling 
freedom of action in the cyber domain, as well as understanding 
and protecting Department of Defense networks. Significant 
investments have been made. In fact, cyberspace is the only 
area of growth in the Department of Defense's budget in the 
last few years. I commend the Department's efforts, and I am 
proud of what has been achieved so far, yet there is still much 
to be done. Confronting this challenge will continue to require 
dialogue between the Department and Congress on the policies, 
capabilities, and other resources needed to appropriately and 
successfully operate in the cyber domain. That is why this 
hearing is so important.
    Together we can build and maintain a ready cyber force for 
the Nation. I look forward to receiving an update from the 
witnesses on the buildout of our cyber capacity and the fiscal 
year 2016 budget request. I hope the services will provide us 
an understanding of total force requirements for cyber 
operations, both service-specific and for the U.S. Cyber 
Command to enable the subcommittee to better understand all 
resources needed and provide for a ready force.
    Specifically, I am eager to hear about how the services are 
recruiting and retaining qualified military and civilian 
personnel, managing cyber as a career field, and any challenges 
associated with those fields. I look forward to hearing how the 
services are incorporating the Reserve Components into the 
cyber mission forces. Additionally, I would like to understand 
how science and technology investments are being leveraged now 
and in the future to deliver the latest and best capabilities.
    I would also like the witnesses' perspective on whether the 
current acquisition process delivers tools in time to meet and 
stay ahead of the threat, which as we know as technology 
changes so quickly, that is a significant challenge on our 
hands. So there is much to discuss on this issue, and in order 
to allow for dialogue, I am going to end my remarks here.
    And again I want to thank our witnesses for appearing 
before the subcommittee and to you, Mr. Chairman, for holding 
this hearing, and I yield back.
    Mr. Wilson of South Carolina. Thank you, Mr. Langevin.
    Before we begin, I would like to remind our witnesses that 
your written statements will be submitted for the record, so we 
ask that you summarize your comments to 5 minutes or less.
    Admiral Rogers, we begin with you.

STATEMENT OF ADM MICHAEL S. ROGERS, USN, COMMANDER, U.S. CYBER 
                            COMMAND

    Admiral Rogers. Thank you, sir.
    Chairman Wilson, Ranking Member Langevin, and distinguished 
members of the committee, I am honored to appear before you 
today to discuss our military cybersecurity posture, and I 
would like to thank you for convening this forum.
    I am equally pleased to be sitting alongside my colleagues 
from each of the four service components of the United States 
Cyber Command. It gives me great pride to appear before you 
today to highlight and commend the accomplishments of the 
uniformed and civilian personnel of U.S. Cyber Command and its 
components, and I am both grateful for and humbled by the 
opportunity that I have been given to lead this cyber team.
    The current threat environment is, as you have just 
described in your opening remarks, uncertain. That said, we are 
certain of one particular thing, and that is the pervasive 
nature of these cyber threats and the sophistication of the 
adversaries we face. Our military networks are probed for 
vulnerabilities literally thousands of times a day. The very 
assets within our military that provide us formidable 
advantages over adversaries are precisely the reason that our 
enemies seek to map, understand, exploit, and disrupt our 
global network architecture.
    The cyber intruders of today not only want to disrupt our 
actions, but they seek to establish a permanent presence on our 
networks. Quite simply, threats and vulnerabilities are 
changing and expanding at an accelerating and significant pace. 
Compounding this threat is the fact that we are dependent on 
cyberspace. Operating freely and securely in cyberspace is 
critical to not only our military and our government, but also 
to the private sector, which is responsible for maintaining 
much of our Nation's critical infrastructure to including that 
of key parts of the Department of Defense.
    The bottom line is weakness in cyberspace has the potential 
to hold back our success in every field where our [Nation] is 
engaged. And I would like to focus in our comments today on the 
progress we have made so far, the achievements that we are 
doing in the operational arena, and what I think is the way 
ahead, and I look forward to that discussion.
    With that, I will conclude my opening remarks.
    [The prepared statement of Admiral Rogers can be found in 
the Appendix on page 35.]
    Mr. Wilson of South Carolina. Thank you very much.
    And General Cardon.

 STATEMENT OF LTG EDWARD C. CARDON, USA, COMMANDER, U.S. ARMY 
                         CYBER COMMAND

    General Cardon. Chairman Wilson, Ranking Member Langevin, 
members of the committee, it is an honor to be here on behalf 
of the U.S. Army Cyber Command and Second Army alongside 
Admiral Rogers and my fellow commanders.
    We appreciate the work of this committee to protect the 
American people from emerging threats and ensure our military 
has the capabilities we need to defend the Nation. Over the 
last few years we have had tremendous momentum, both within the 
institution and operationalizing cyberspace, but a lot of work 
remains. For the institution, we have consolidated cyberspace 
under one commander. We have created the Cyber Center of 
Excellence in Fort Gordon, Georgia, and the Army Cyber 
Institute at the United States Military Academy.
    The Army is currently establishing the necessary frameworks 
to build capabilities for the Army, and by extension, the Joint 
Force. Operationally, we are making progress with mission-
focused approaches supporting Army and combatant commanders. We 
made progress this year developing the Army's portion of the 
Cyber Mission Force with 25 of 41 teams on mission now, and we 
expect to have all 41 on mission by the end of fiscal year 2016 
as planned.
    In the face of determined adversaries, though, we are 
employing these teams as they reach initial operating 
capability and will continue to bring forces and capabilities 
online through 2017. The threat, vulnerabilities, and missions 
set, demand this sense of urgency. This also includes bringing 
online 21 U.S. Army Reserve and Army National Guard Protection 
Teams that will be trained at the same standards as the Active 
Component cyber force.
    We are going to need more personnel beyond the Cyber 
Mission Force to build out the support required to fully employ 
the Cyber Mission Force and to build capabilities for Army 
formations. To better manage our people, the Army created a 
cyber branch, and we are exploring the creation of a cyber 
career field for civilian personnel.
    For training, we have a centrally funded joint model for 
individually training, but we are working to also build 
collective training capabilities and their associated 
facilities within a joint construct. For equipping the forces, 
we are developing and refining the necessary framework to give 
us the agility that we will need in programming, resourcing, 
and acquisition for infrastructure platforms and tools. And for 
a more defensible architecture and network, we are partnered 
with the Army's Chief Information Officer and Defense 
Information Systems Agency [DISA] in the Air Force for an 
extensive network modernization efforts.
    These are essential for the security, operation, and 
defense of our Department of Defense networks. We have made 
tremendous progress, and with your support we have the 
necessary program resources to continue our momentum, but we 
cannot delay for the struggle is on us now.
    Thank you, and I will be happy to answer your questions.
    [The prepared statement of General Cardon can be found in 
the Appendix on page 53.]
    Mr. Wilson of South Carolina. Thank you very much, General.
    Admiral Tighe.

  STATEMENT OF VADM JAN E. TIGHE, USN, COMMANDER, U.S. FLEET 
            CYBER COMMAND/U.S. 10TH FLEET (FCC/C10F)

    Admiral Tighe. Chairman Wilson, Ranking Member Langevin, 
and distinguished members of the subcommittee, thank you for 
your support to our military and the opportunity to appear 
before you today.
    Since my Fleet Cyber Command predecessor, Admiral Mike 
Rogers, last testified before this subcommittee in July of 
2012, the Department of Defense, U.S. Cyber Command, and the 
service components have significantly matured our operations 
and cyber operational capabilities. I appreciate the 
opportunity to outline Navy-specific progress over the past 2 
years, where we are headed to address an ever-increasing 
threat, and how budgetary uncertainty is likely to impact our 
progress and operations.
    Fleet Cyber Command directs the operations to secure, 
operate, and defend Navy networks within the Department of 
Defense Information Network [DODIN]. We operate Navy networks 
as a warfighting platform which must be aggressively defended 
from intrusion, exploitation, and attack. The Navy network 
consists of more than 500,000 end user devices, approximately 
75,000 network devices, and nearly 45,000 applications and 
systems across 3 security enclaves.
    We have transformed the way we operate and defend over the 
past 2 years based on operational lessons learned. 
Specifically, beginning in summer of 2013, we, with Admiral 
Rogers at the helm at the time, fought through an adversary 
intrusion into Navy's unclassified network.
    Under the named operation known as Operation Rolling Tide, 
Fleet Cyber Command drove out the intruder through exceptional 
collaboration with affected Navy commanders, U.S. Cyber 
Command, the National Security Agency, the Defense Information 
Security Agency, and our fellow cyber service components. 
Although any intrusion upon our network is troubling, this 
operation served as a learning opportunity that has both 
matured the way we operate and defend our networks and 
simultaneously highlighted gaps both in cybersecurity posture 
and in our defensive operational capabilities.
    As a result of this operation and other cybersecurity 
initiatives inside of the Navy, we have already made, proposed, 
or planned for a nearly $1 billion investment between the years 
of fiscal year 2014 and fiscal year 2020 that will greatly 
reduce the risk of successful cyberspace operations against 
Navy networks. Of course, these investments are built on the 
premise that our future budgets will not be drastically reduced 
by sequestration.
    Specifically, if budget uncertainty continues, we will have 
an increasingly difficult time addressing this very real and 
present danger to our national security and maritime 
warfighting capabilities. Operationally, and on a 24-by-7 and 
365 days a year, Fleet Cyber Command is focused on configuring 
and operating layered defense in-depth capabilities to prevent 
malicious actors from gaining access to our Navy networks in 
collaboration and cooperation with our sister services, U.S. 
Cyber Command, Joint Forces Headquarters-DODIN, DISA, and the 
National Security Agency. Additionally we are driving towards 
expanded cyber situational awareness to inform our network 
maneuvers and reduce risk in this space.
    As you know, Navy and other service components are building 
the maneuver elements in the Cyber Mission Force for U.S. Cyber 
Command by manning, training, and certifying teams to the U.S. 
Cyber Command standards. The Navy is currently on track to have 
personnel assigned for all 40 teams, all 40 of the Navy-sourced 
Cyber Mission Force teams in 2016, with full operational 
capability in the following year.
    Additionally, between now and 2018, an additional 298 cyber 
Reserve billets will also augment the cyber force manning plan. 
In delivering on both U.S. Cyber Command's and the U.S. Navy's 
requirements in cyberspace, I am fortunate to have these 
component commanders as partners in addition to the many 
organizations who are not represented here but are every bit a 
member of team cyber.
    Thank you again, and I look forward to your questions.
    [The prepared statement of Admiral Tighe can be found in 
the Appendix on page 66.]
    Mr. Wilson of South Carolina. Thank you, Admiral, very 
much.
    And General O'Donohue.

   STATEMENT OF MAJGEN DANIEL J. O'DONOHUE, USMC, COMMANDING 
          GENERAL, U.S. MARINE CORPS FORCES CYBERSPACE

    General O'Donohue. Thank you, sir.
    Chairman Wilson, Ranking Member Langevin, and distinguished 
members of this subcommittee, it is an honor to appear before 
you today. On behalf of your Marines, our civilian Marines, and 
their families, I thank you for your continued support as we 
pursue a multi-year joint cyberspace strategy.
    Marines have a legacy of operating in any clime or place. 
Whether at sea with the Navy, or working shoulder to shoulder 
with our joint, interagency, and coalition partners, we are 
standing ready to respond to crises around the globe, bringing 
to employ combined arms across the air, land, and sea domains. 
We are now entering an era of transition where the cyber domain 
will be fully integrated in the same way.
    Our Commandant has laid out a clear vision to increase the 
capacity and capability of the Marine Air-Ground Task Force to 
fully integrate cyberspace operations. MARFORCYBER [U.S. Marine 
Corps Forces Cyberspace] is leading the effort to ensure that 
we institutionalize this vision across the Marine Corps, to 
include by participating in over 30 exercises last year. As a 
service component to U.S. Cyber Command, MARFORCYBER in 
conjunction with its service partners, conducts full-spectrum 
cyberspace operations to enable freedom of action across the 
cyberspace domain and deny the same to our adversaries. 
Additionally, MARFORCYBER provides direct support to United 
States Special Operations Command's missions worldwide.
    To support these operations, we are building the Cyber 
Mission Force, and these forces are achieving operational 
outcomes today. These achievements are helping us to shape the 
vision for the future of cyberspace operations for the Marine 
Corps, as part of the joint, interagency, and combined force.
    Last June, U.S. Cyber Command certified our first Cyber 
Mission Team and our first national Cyber Protection Team. 
During this time our second Cyber Mission Team reached its 
initial operation capability. MARFORCYBER is on track to have 
over 75 percent of its teams resourced by the end of 2015. To 
expedite this force build, the Marine Corps has dedicated 16 
percent of its retention bonuses for our cyberspace 
professionals. And based on lessons learned, we have 
streamlined our personnel and training pipeline as we deal with 
the surge requirements of a startup force.
    In addition, we have expanded the opportunities and 
developed procedures for our teams to work with increasing 
effectiveness across the joint and interagency force. This has 
been a combat multiplier. At the bottom line, we are fielding 
the cyber forces required by our strategy and provided by the 
President's budget, ready, on time, and with increasing 
operability in ways that we had not imagined. As we build the 
force, MARFORCYBER is achieving operational outcomes in stride 
by supporting joint, interagency, and coalition partners at 
home and overseas. Every day we are planning cyberspace 
operations, defending the network, and standing ready when 
directed by U.S. Cyber Command to conduct offensive cyberspace 
operations. Increasingly, combatant commanders and special 
operation forces now see cyberspace operations not as a special 
staff function, but essential to everything that warfighters 
do.
    Currently, we are pursuing a considered joint and service 
strategy for the multi-year development of a unified network 
that will facilitate command and control, provide real-time 
situational awareness, and assist with decision support to 
commanders at all levels. For the Marine Corps, this network 
will be optimized for operational support to forces as they are 
deployed across the globe and as they train for crisis 
response. In an unstable and unpredictable security 
environment, the Marines provide a ready, forward, 
expeditionary extension of cyber capability for the joint, 
interagency, and combined force.
    Thank you for the opportunity to appear before you today, 
and thank you for your continued support to our national 
treasure, our Marine civilians and their families, I look 
forward to answering your questions.
    [The prepared statement of General O'Donohue can be found 
in the Appendix on page 79.]
    Mr. Wilson of South Carolina. General, thank you very much.
    And General Wilson.

  STATEMENT OF MAJ GEN BURKE E. WILSON, USAF, COMMANDER, AIR 
                FORCES CYBER AND 24TH AIR FORCE

    General Wilson. Chairman Wilson, Ranking Member Langevin, 
and distinguished members of the subcommittee, thank you for 
the opportunity to appear before you today with my fellow 
commanders.
    It is an honor to represent the outstanding men and women 
of Air Forces Cyber and 24th Air Force. I am extremely proud of 
the work our airmen, officers, enlisted, and civilians do each 
and every day to field and employ cyber capabilities in support 
of combatant and Air Force commanders. In the interest of time, 
let me share just a few examples to highlight how our airmen 
are making positive lasting impacts to our Nation.
    Since we last briefed the subcommittee, the Air Force 
completed migration of our unclassified networks from many 
disparate systems into a single architecture. We transitioned 
over 644,000 users across more than 250 geographic locations to 
a single network and reduced over 100 Internet access points 
into a more streamlined 16 gateways. The end result has been a 
more reliable, affordable, and most importantly, defensible 
network.
    The Air Force has also championed the fielding of next-
generation technology by partnering with the Army and Defense 
Information Systems Agency to support the transition to a Joint 
Information Environment [JIE]. Together we are implementing 
Joint Regional Security Stacks and making enhancements to our 
networks in order to achieve a single DOD security 
architecture. The combined team achieved a critical milestone 
last September when they fielded their first security stack, 
and we have continued to push hard on these efforts, which will 
benefit the entire Department by reducing our network attack 
surface and increasing network capacity and capabilities.
    Like the other services, we have made significant progress 
towards fielding and employing our initial Cyber Mission 
Forces. Today, Air Forces Cyber has 15 teams that achieved 
initial operating capability, and 2 teams have reached full 
operating capability. In addition to providing unprecedented 
support to joint and coalition combat forces in Afghanistan and 
Syria, these cyber forces are wholly engaged in support of 
combatant and Air Force commanders around the world, as well as 
in defense of the Nation.
    I am proud to report our Air Reserve Component is a full 
partner in the Cyber Mission Force build, in addition to our 
other day-to-day cyber operations. We are leveraging 
traditional reservists, Air Reserve technicians, and Air 
National Guardsmen across the command to meet our warfighting 
commitments. Whether it is commanding and controlling cyber 
forces from one of our operation centers, deploying as part of 
our combat communications team, installing cyber infrastructure 
around the world, or any other task, each of our total force 
members meet the same demanding standards and serve alongside 
our Active Duty counterparts. In my humble opinion, it is a 
tremendous example of total force integration in action.
    The Air Force has also instituted several key initiatives 
to better recruit, develop, and retain our cyber forces. Most 
recently, we approved a Stripes for Certifications Program 
which provides the opportunity for candidates to enlist at a 
higher grade when entering the Air Force with desired cyber-
related certifications. We have also continued our selective 
reenlistment bonus program to provide additional incentives for 
enlisted members to continue to serve in the demanding cyber 
and intelligence specialties.
    For our officers, we have complemented the cyber warfare 
operations career track which we established several years ago 
with a new cyber intermediate leadership program. The objective 
is to identify qualified cyber and intelligence officers and 
provide them the right professional growth opportunities. We 
held our first board just recently and competitively selected 
83 majors and senior captains from across the cyber fields to 
serve in key command and operational positions, many as 
integral members of the Cyber Mission Force.
    And finally, we continue to support a host of initiatives 
aimed at improving the outreach to our Nation's youngest 
generation. I would like to highlight just one that will be 
culminating here in DC on March 12. It is called CyberPatriot 
and sponsored by the Air Force Association in partnership with 
local high schools and middle schools around the country, 
several industry partners, as well as cyber professionals from 
the Air Force.
    CyberPatriot's goal is to inspire students to pursue 
careers in cybersecurity or other STEM [science, technology, 
engineering, and mathematics] career fields. At the beginning 
of the school year in September, over 2,100 teams, 2,100 teams, 
involving nearly 10,000 students in the U.S., Canada, United 
Kingdom, and our DOD schools overseas, participated in cyber 
training and competitions. We have seen a 40 percent increase 
in participation this year. As I mentioned, CyberPatriot will 
culminate here locally at the National Harbor with 28 teams 
competing in the national finals. Students will earn national 
recognition and scholarships. Without a doubt, the program is 
an exemplar of how public-private partnership can make a real 
difference. Personally, it has been rewarding to see our airmen 
giving back to our younger generation.
    These are just a handful of examples to share how our 
airmen are pushing hard to increase cyber capability and 
capacity across the command. Believe me, Air Forces Cyber and 
24th Air Force are all in and fully committed to the mission.
    Our cyber force is more capable than ever before and 
continues to get better every day. None of this would be 
possible without your continued support. As you have heard from 
my counterparts, the need for the support will only increase in 
importance as we move forward. It is clear resource stability 
in the years ahead will best enable our continued success in 
developing airmen and maturing our capabilities to operate in, 
through, and from the cyberspace domain. Simply put, our cyber 
warriors truly are professionals in every sense of the word, 
and they deserve our full support.
    Along with my fellow commanders, it is an honor to be here 
today. Thank you again for the opportunity. I look forward to 
your questions.
    [The prepared statement of General Wilson can be found in 
the Appendix on page 87.]
    Mr. Wilson of South Carolina. Thank you very much, General, 
and that was fascinating to find out about the involvement of 
students. What a great opportunity. And I know it has to be 
reassuring to the American people, your service, your 
personnel, the families that are supportive of your personnel, 
and I just thank each of you for protecting American families 
and advancing our national security.
    We will now go into our round of 5 minutes of each member. 
Kevin Gates, who is our professional staff person, will keep 
the time. Members of Congress need timekeepers more than other 
people, beginning with me.
    And so as we begin, Admiral Rogers, given the increasing 
and evolving cyber threats, what are critical steps that 
Congress can do to enable CYBERCOM accomplish your mission?
    Admiral Rogers. My first comment would be ensure a steady 
resource stream here. If you look at sequestration, the 
implications of the Budget Control Act for us, if you executed 
that, would have significant impact on our ability to execute 
the operational vision and would have impact on our ability to 
defend our own Department's networks, the expectation from the 
rest of the Nation that the Department of Defense is going to 
be there to provide capability to defend critical U.S. 
infrastructure.
    It will slow and in some cases stop our ability to generate 
teams. It will lead us into contractual default issues. For 
example, we are in a MILCON [military construction] project 
right now that you have funded to actually create physical 
infrastructure for U.S. Cyber Command. Because we are new, we 
have only funded two out of the three years of that, so if we 
have another issue with that we will have contractual issues.
    Bottom line, though, our ability to defend the Nation and 
our Department from a cyber perspective in the world that we 
are facing, with the threats we are facing, is significantly 
impacted if we can't sustain the resource budget picture that 
we have developed.
    Mr. Wilson of South Carolina. And I share your concern to 
the point it would be very helpful to me, Admiral, if you could 
provide a written response to that question which specifically 
would address specific delays and levels of confusion. Our 
colleagues need to know this because it is not as appreciated, 
I think, as it should be. So that would be very helpful.
    Admiral Rogers. Yes, sir.
    [The information referred to is for official use only and 
retained in the committee files.]
    Mr. Wilson of South Carolina. Admiral Tighe, in your 
testimony you mentioned designing resiliency in programs 
through common standards and protocols. Could you give us an 
example of what you mean by that?
    For the others, how do you think that we will be able to 
measure the resiliency of your programs?
    Admiral Tighe. Yes, Chairman.
    Our approach to building in resiliency runs the gamut from 
technological innovation in our networks to the notion of 
fighting through cyber attacks when we are under attack. The 
people, the processes that we have, the method by which we 
fight through a cyber attack, is really a very large part of 
our warfighting approach to how we defend our networks.
    And so when we talk about the technological side, that is 
about getting the capabilities from the boundary of the 
Internet all the way down to our individual host systems in a 
way that we can monitor and understand our own networks, and 
monitor and understand any threats that may be traversing 
through our networks. And so having that built in, which many 
of those new capabilities are coming in as a result of 
Operation Rolling Tide, we have learned where we had gaps and 
are instituting some of those defense-in-depth capabilities and 
standardizing interfaces across systems and networks that talk 
to each other.
    Beyond our corporate networks that I am responsible for 
operating and defending, as you know, we have many 
applications, weapons systems, and other types of systems in 
the Navy that are necessary to accomplish our mission that hang 
off of our networks. And so making sure we understand how we 
are interfacing with those networks, how we are extending our 
protections to them, is a big part of our program and budget 
subnet in building those capabilities in and codifying across 
all of the acquisition commands who build systems for the Navy, 
building on technology, building on operating systems, all 
coming potentially with cyber vulnerabilities if we haven't 
built it into the front end of that acquisition process.
    So in summary, I think the resiliency that we are looking 
for includes both the technological advances we have planned 
into our system and how we organize and defend with the 
personnel and the analytic capability to understand what is 
going on in our network so we can respond quickly.
    Mr. Wilson of South Carolina. Well, we certainly appreciate 
your professionalism. And this is going to be a really quick 
question, General Cardon. What is the status of establishing 
the Cyber Command in the district, in the community next door 
to me at Fort Gordon, Georgia?
    General Cardon. Sir, we have a $90 million appropriation 
that should break ground here October, November of this year. 
So we are really excited about that. That will be the focal 
point for cyber for the Army.
    Mr. Wilson of South Carolina. Central Savannah area is 
really looking forward to your presence.
    I now proceed to Congressman Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    Again, thanks to all of our witnesses. Admiral Rogers, I 
would like to start with you if I could, on your perspective on 
initiatives become more and more acute in recent years. I don't 
think anyone would argue that we as a Nation have developed and 
continue to develop some exquisite capabilities in cyberspace. 
It is without question.
    However, I am concerned that we are developing capabilities 
faster than we develop the doctrine and policy that guides 
their use. And, we all would agree that cyber operations 
obviously are critical to how we operate now and in the future, 
but there appears to be a real need for greater definition of 
legal structures for cyber activities and operations in defense 
of the Nation.
    And there appears to even more of a gray area around 
support of civil authorities when it is not under a Title 10 
construct with a Title 32, 50, 18 or 5 drill status, or how we 
utilize our Reserve Components and many of the ways that our 
service men and women can interface outside the DOD.
    So my question for you, can you speak to your command's 
efforts to work through these policy challenges?
    Admiral Rogers. So, I think you raised some significant 
issues. Clearly they are much broader than just U.S. Cyber 
Command, although we are an important part of this dialogue, we 
are an important part of this process. If I could, I will start 
with the second half first and then work my way back.
    In terms of how we make sure that we are maximizing the 
capabilities that we are building across the total force from 
the Reserve, the Guard, and the Active Component, particularly 
as you have indicated, when are applying it outside the Title 
10 framework, the argument, you know, my part of the discussion 
is, look, we have a very competent, mature structure in the 
form of defense support to civil authorities that we currently 
use already in many other mission areas in the Department.
    I think that is a good starting point for us when we look 
at how we are going to apply capability in Title 18, Title 5, 
Title 52. So I think there is a good framework for us to build 
around, and that is kind of the starting position, if you will, 
that we are taking as a Department, broadly speaking.
    The first part of the question that you raised about how do 
we make sure that even as we are generating capability we are 
also thinking about the doctrine and the legal authority, if 
you will, that helps frame how we apply it in a way that 
maximizes outcomes and it does it in a framework that we are 
all comfortable with.
    I think on the doctrinal side, I am pretty comfortable that 
we have got a broad vision. If you look, we have got 
publications. We have got a broad dialogue about how we are 
going to do it. I think the biggest challenge in some ways that 
we are still trying to wrestle our way through here is if we 
are going to generate or apply these capabilities outside the 
DOD framework, let's say in defending critical U.S. 
infrastructure, that is an area that we still have to work 
through the details.
    Okay, so what is the legal and policy framework that we are 
going to use? I am comfortable that in a crisis we will work 
our way through it, but the point I am trying to make is we 
don't want to wait until a crisis to do this. You want to have 
this all laid out. You want the private sector to understand 
it. You want the rest of our governmental partners, because we 
are going to do this teaming with others in the government, DHS 
[Department of Homeland Security], FBI [Federal Bureau of 
Investigation], other partners, and we want to make sure that 
we have laid that all out in advance.
    So there is a variety of steps we are taking between 
exercises, between ongoing policy deliberations, and through 
the legal frameworks we are trying to create, for example, what 
the Congress is looking at for cyber information-sharing 
legislation. That is all a part of the efforts we are trying to 
move forward to address the important issue that you have 
highlighted.
    Mr. Langevin. Well, thank you. I hope we can continue to 
work through those things. And that is something that I want to 
pay particular close attention to. So thank you for where we 
are right now, and I look forward to continuing this dialogue.
    Cybersecurity obviously is an incredibly important field, 
but it also has lots of synergies with other areas of DOD 
activities, SIGINT [signals intelligence], electronic warfare 
[EW], information operations, and many more.
    General, if I could ask you, I know the Army has recognized 
this in particular with their doctrinal recognition of the 
merging of cyber and EW, and certainly the Navy's Information 
Dominance community is in this as well, as our Navy witnesses 
know quite personally.
    So my question is, are the interactions between cyber and 
these communities clear or ad hoc, and how do training, 
manning, and equipping get balanced across these synergistic 
investments? Are we building cyber in concert with or on the 
shoulders of these other communities?
    General Cardon. In this case we have doctrine, we call it 
CEMA, cyber electromagnetic capabilities. And we built these 
organizations into our Army service component commands, corps, 
divisions, and brigades.
    Now, the capabilities to deliver all that don't fully exist 
yet, because we have recognized this convergence. But, for 
example, we already have experiences using this in some of the 
war zones, former war zones, such as Iraq, where you had CREW 
[counter radio-controlled improvised explosive device 
electronic warfare] devices to protect against IEDs [improvised 
explosive device], tactical SIGINT forces. And it is really how 
do you organize these in time and space to accomplish a 
specific mission?
    So we are trying to harness what we have learned in Iraq 
and Afghanistan, and what we are learning today and bring that 
forward. I think this is a journey, and we still have a lot of 
work to do on what are the additional capabilities we need at 
those levels.
    Mr. Langevin. Thank you.
    Mr. Wilson of South Carolina. Thank you very much, Mr. 
Langevin.
    We now proceed to Navy SEAL [Sea-Air-Land] veteran, 
Congressman Ryan Zinke of Montana.
    Mr. Zinke. Thank you Mr. Chairman.
    You know, from the perspective of a ground-pounder, you 
know, I was just a frogman, it seems to me when you say your 
ability to defend the Nation, and I am concerned about the 
chain of command. You know, we have had earlier discussions 
about, you know, what is the difference whether a missile 
attack is incoming or whether it hits a military facility or a 
piece of our major infrastructure or our banking system, it is 
an attack.
    And I am concerned that the chain of command doesn't allow 
you to quickly react to an attack because somehow we have to go 
through and determine whether it is a bank or whether it is a--
you know, what article it is under. And it seems to me that we 
need to take a fast look at this and so we are not responding 
to a crisis, but preparing for what we will, I think most in 
this room believe, is an eventual attack.
    So I guess my question is are you comfortable with the 
current--your current ability to defend this Nation and the 
shipyards and infrastructure and everything there is, the 
cyber? And if you are not, what are the benefits of looking at 
streamlining our chain of command and so we can have 
accountability, we can have, you know, cost and efficiency? 
What do you see as the path forward?
    Admiral Rogers. So if I could, Congressman, let me take a 
look at--give you an initial thought. The positive side, in my 
mind, is we have clearly delineated who has what 
responsibilities. And I say that, if we go back 2, 3 years ago, 
we literally spent years debating about who was going to have 
what role. And it literally probably took us 2 years to 
generate an internal consensus as to who was going to do what.
    The positive side for me--I have now been in command coming 
up on approximately a year. The positive side for me is, hey, 
we have moved beyond a discussion of who ought to do what to, 
okay, now we have clearly identified who has what 
responsibilities. Now let's roll up our sleeves and focus on 
how we are going to make this work. Clearly we are not where we 
want to be yet.
    The argument--not the argument--the point I try to make to 
my DHS because the vision as currently constructed is DOD will 
apply its capabilities in a supporting role, if you will, with 
DHS largely being the supported entity within the Federal 
Government as having the primary responsibility for 
cybersecurity outside the dot.gov domain, if you will, in the 
broader civilian infrastructure.
    The point I am making with my teammates at DHS and the FBI, 
for example, are my military culture teaches me you got to 
train, you got to exercise, you got to get down to the 
execution level of detail, and you got to do that all before 
the crisis. You know, as you have learned in your own life, 
discovery learning while moving to contact is an incredibly bad 
way to go about generating insights and getting more proficient 
at the mission.
    What I would suggest is we need to make this current. We 
need to wring this current system out, and before we go back 
again and spend more time on this, and one of the inputs I have 
provided is, hold us accountable for executing what we have 
created. And if in that experience we come to the conclusion 
that, hey, we made some assumptions that turned out to be 
flawed, then we ought to step back and relook at it. But for me 
at least, I am not there yet.
    Mr. Zinke. Thank you, sir.
    Mr. Chairman, I yield the remaining part of my time.
    I look forward to working with you on this and support you 
in any way I can.
    Mr. Wilson of South Carolina. Thank you, Congressman Zinke.
    We now proceed to Congressman Joaquin Castro of Texas.
    Mr. Castro. Thank you, Chairman, and thank each of you for 
offering your testimony today.
    Welcome to Washington. I know you all are here frequently.
    A special welcome to Major General Wilson, who is in from 
San Antonio, Texas, Lackland Air Force Base. We are very proud 
of the work you all are doing there.
    Let me ask you all a question about training people in 
cybersecurity in our country because this issue and the need 
for that skill is only going to become more pronounced in the 
coming years.
    This Congress is in the process of taking up our big 
education reauthorization bill for example, ESEA [Elementary 
and Secondary Education Act]. What programs in our school 
should we be expanding or growing, not only in our high 
schools, but also in our colleges, to prepare more students to 
take on roles in cybersecurity and so that you all have a 
pipeline of qualified people who can take on these jobs, a job 
that is becoming more in demand not just in the military or in 
government, but also in the private sector? And I will open it 
up.
    Admiral Rogers. Why don't you take that first cut because 
you have done some interesting work at the high school level.
    General Wilson. Thank you, sir.
    When you look at the young generation, really it's a STEM 
problem we have seen for years, no matter what the mission that 
we need in the DOD. And so when you take a look at it, you have 
got to get young folks excited about cybersecurity in this 
case. And what we find is is they yearn for interaction with 
people that are really doing the job. And it is fascinating to 
watch them in front of young airmen. It would be the same with 
a soldier, sailor, marine--it wouldn't make any difference--to 
be able to share, to put an 18-, 19-, 20-year-old in front of 
them because it is not hard for them to project themselves in 
the roles that we do every day.
    And so what we found, probably the most successful, is this 
CyberPatriot. There is others like it. We have a Troops for 
Teens program there in San Antonio, that you are familiar with, 
sir. When we are able to interact with the schools at the 
grassroots level, seems to be the most effective. I would argue 
the CyberPatriot is very effective because we bring private 
industry in to enable from a funding perspective, so they are 
able to partner in the private--public-private partnership. We 
find that to be very, very powerful.
    So in our case, I am proud to be wearing an Air Force 
uniform and that the Air Force Association sponsors the 
CyberPatriot program. We think we got a good thing going there. 
But the feedback from the local schools, teachers, mentors that 
we bring in to work with the kids, they just need more mentors. 
They need more attention.
    And so while we can put more curriculum in place, that is a 
wonderful thing, to get kids excited, and I will give you just 
a couple of statistics in some of the, you know, studies that 
we have looked at in terms of kids that are coming out of the 
CyberPatriot program, the national average is typically 9 to 15 
percent, depending, kids that are interested in cybersecurity 
or other STEM fields just across the student population.
    We are seeing about those numbers when kids come in, but we 
are seeing graduates out of CyberPatriot at the 80, 85 percent 
rate that are interested in cybersecurity or STEM degrees when 
they go off to college. You could argue maybe that is because 
of the people that are joining the program. But I would argue 
that when you look at the caliber and the content of what they 
know when they walk in the door--they don't know a lot about 
cybersecurity--and when they walk out the door, they know a lot 
about it. And so it is getting them motivated. I think they can 
see themselves in those career fields. And so that exposure--
the biggest reason we saw a 40 percent increase this year is we 
got into the middle schools. We incorporated the middle schools 
into the CyberPatriot program. Next year we are going to take a 
stab at the upper tiers of the elementary school and get them 
excited about doing cybersecurity.
    I would argue that all of the services have similar 
programs, you know, and sometimes it is about flying or space 
out in the Air Force. Cyber is one of those. It is an exciting 
career field, and people see themselves in it.
    And so I think that is the key, is to get our young folks 
excited about what the potential is for them.
    Mr. Castro. Sure.
    Admiral Tighe. Congressman, if I may, I think the point on 
the STEM is really, really important. And as early as we can 
get the STEM, get our young kids motivated in STEM, the better. 
We need them to be comfortable with technology and be 
comfortable as analysts, if you will.
    We have to connect the dots a lot of time. We need our 
workforce to be able to connect dots, not just understand 
technology but understand what is really happening when you 
don't have the full picture.
    And so the STEM programs tend to do that for our young 
people. I think at the same time--so puzzles and things of that 
nature. But I think at the same time there are also programs 
that we have been able to leverage sponsored by National 
Science Foundation and others. Scholarships For Service is a 
program that gets graduate-level education and college 
education and contributes to that education with a stipend, for 
example, but then they come into the Federal service in 
cyberspace. And so some of those kinds of programs are also, I 
think, very valuable in exposing our young people and our 
college-age students to cybersecurity challenges, but also sort 
of bringing them into the government as a first job.
    Mr. Castro. Thank you very much. I yield back.
    Mr. Wilson of South Carolina. Thank you, Congressman 
Castro.
    We now proceed to Congressman Doug Lamborn of Colorado.
    Mr. Lamborn. Thank you, Mr. Chairman.
    And I would like to build on this theme of education. 
Admiral Rogers, the University of Colorado at Colorado Springs 
in my district and the Army Reserve just announced a 
partnership to educate cyber warriors. Is this a good model, 
and should we support it?
    Admiral Rogers. Well, let me be honest, Congressman, I 
don't know the details of the model, so I am not in a good 
position to tell you is it good or bad. Having said that, one 
of my takeaways in this area is clearly this is all about 
partnerships, and those partnerships have to include the 
private sector but not just the corporate or network owners, if 
you will, the educational piece, the academic piece, the 
ability to generate insights to go to the doctrine and the 
policy kinds of issues we had talked before.
    I try to remind people, look, this has got to be a broader 
discussion. Look at, for example, some of the initial work we 
did in the nuclear world when we were first trying to develop 
deterrence theory that we take for granted now. The academic 
world played a huge role in that if you go back 50, 60 years. I 
would like to see us do the same thing.
    And the other thing that concerns me about the academic 
world is, and one reason why I as a commander, I spend a fair 
amount of time at academic institutions from collegiate level 
down to I was just at a charter school in Harlem yesterday, as 
a matter of fact, as a follow-on to some work I was doing in 
New York City. As I remind them, you are educating our 
workforce. I have a vested interest in partnering with you to 
help us do that because the technology we use is important. And 
clearly, we can't execute our mission without it, but where we 
really gain our advantage, our true strength, is in the men and 
women who apply that technology.
    Mr. Lamborn. Okay. Thank you. And obviously this is 
something I think we are all really excited about pursuing.
    General Wilson, recently I visited the 561st Network 
Operations Squadron which is in my district at Air Force Base 
Peterson, and they told me that their structure and approach to 
network cybersecurity could be a model for the other service 
branches. Is that something you would agree with, and if so, 
why?
    General Wilson. So, sir, I think you were with Lieutenant 
Colonel Rocky Rockwell and the team of the 561st.
    Mr. Lamborn. That's right.
    General Wilson. Thank you for visiting. They really enjoyed 
the visit.
    Sir, what they were referring to was this migration that I 
hinted at, getting the Air Force network, which is part of our 
larger DOD information network, to one centrally managed with a 
single architecture, which is really an early interim step 
towards the Joint Information Environment. So we are huge 
believers in it.
    Many of the lessons that we learned out of the migration 
actually have been incorporated with the Army and with DISA and 
with all the services as we look at the JIE, this Joint 
Information Environment architecture, and the way that we are 
transitioning all of our networks. And so, it is a model. I 
think there is a lot of good, hard lessons. The team that you 
met at the 561st, we have a sister unit that is the 26th down 
in Montgomery, Alabama, at Gunter Air Force Base, is actually 
formed, about 40 people are on the joint management team that 
are working to transition with JIE.
    And so we have taken the lessons from the people that have 
the bruises from going through a transition of that magnitude 
and trying to apply that to the JIE so that we are successful. 
So I absolutely believe that it is directly applicable, and we 
are excited about moving forward.
    Mr. Lamborn. Well, I know that there can be value with each 
service branch learning its own lessons and standing something 
up. But on the other hand, there is also on the other side of 
the balance, why reinvent the wheel? If one of the branches has 
really done forward work, maybe that should be a model for 
others to follow.
    General Wilson. So, sir, JIE, which we have all bought into 
in terms of the services, is really the next generation beyond 
where we are at today in the Air Force. And so it is really the 
interim step. So we shouldn't be satisfied with where the Air 
Force is. We need even a more defensible network. It is the 
best we can do with decades-old, 5-year-old technology. We need 
to move the DOD forward with the newer technologies, the next 
generation technologies, cloud architectures, single security 
stacks through our gateway, if that makes sense.
    Mr. Lamborn. Thank you. Thank you all for your service.
    Mr. Wilson of South Carolina. Thank you very much, 
Congressman Lamborn.
    We now proceed with Congresswoman Elise Stefanik of New 
York.
    Ms. Stefanik. Thank you, Mr. Chairman, and thank you to all 
of our witnesses here today for your service and the time you 
took to prepare for today's hearing.
    My question is for Lieutenant General Cardon. Last month at 
a conference you discussed the military's need for flexibility, 
it is something we hear quite often, and that the traditional 
top-down way of operating is a challenge in its organizational 
approach, especially as it relates to cybersecurity. Can you 
explain this further? And then I am also interested in how this 
is applicable to the current mission in Afghanistan.
    General Cardon. So I come at it from an operational 
approach, and so the challenge in operations is what level of a 
centralization do you need, and what level of decentralization 
do you need. And so some operations require a high degree of 
centralization, and some operations work best decentralized.
    The art is figuring out which one is most applicable. And 
in cyber, I think we have a centralized framework with a 
decentralized execution. But I will go further building on what 
Admiral Rogers talked about. It is when you start to bring 
coalition and private, because this affects--it affects all of 
us, so anything that happens to any one of us, all of us are 
talking to each other here, and with CYBERCOM it is going wider 
because everyone could have this same problem.
    So you create more like a fusion cell. I describe it as 
being mission focused, not organizationally focused. So 
everyone looks at the mission, everyone is working on the 
problem. So when you take an example something like Heartbleed, 
which was a severe vulnerability that affected everyone, not 
just in the military but in private industry, that is a fusion 
sort of approach. Looks different inside the military, but 
everyone was working on this problem across the country.
    In Afghanistan, operations are very decentralized. There is 
a limited amount of capability. It is prioritized by General 
Campbell, and then we use it accordingly. And so the 
decentralized nature of the operations there, often driven by 
the terrain, has I think been pretty effective.
    Ms. Stefanik. Thank you very much.
    My second question relates to sequestration and funding at 
Budget Control Act [BCA] levels. Can you talk about what the 
risks are to the Army networks campaign plans, network 
modernization efforts, should the DOD and the Army have to 
execute funding at BCA levels?
    General Cardon. So General Wilson just talked about the Air 
Force collapsing their networks, and the Army has not yet done 
that, and that is why we are partnered with the Air Force to do 
that.
    So the Army would take about a $6 billion reduction off the 
top. That is going to affect training. It is going to affect 
our network modernization. It is going to affect our 
installation support, and it is going to affect the procurement 
of weapon systems. More importantly, it is the software 
upgrades that we need to do to those weapons systems to reduce 
cyber vulnerabilities.
    If the cuts stay, the Army is also going to have to cut 
force structure. That is estimated to be 30,000. And while 
cyber is still ranked very high in the Department of the Army, 
I think it is fair to say that cyber will be part of that 
discussion. So this is very concerning. It is still very, very 
highly ranked in the departments, and it is a very high 
priority. But the nature of those two things together makes a 
very difficult problem for us.
    Admiral Rogers. Can I make one other comment on the 
sequestration piece? The other thing that concerns me is the 
longer term implication. I watched the way at U.S. Cyber 
Command, particularly our civilian workforce, reacted to the 
government shutdown in the beginning of fiscal year 2014. And 
as we said to them, trust us. We want you to stay with us, this 
is a burp. And now I watch us repeat this kind of scenario 
where this time it is just significant funding cuts.
    One of my concerns is, does our workforce start to believe, 
you know, I am not so sure that there is this long-term 
commitment, and given the skills that I have and the fact that 
I could make more money going elsewhere on the outside. The 
other concern I have, quite frankly, is that we are going to 
start to see elements of our workforce, civilian and potential 
military, start to walk away. And as I said, the technology is 
incredibly powerful, but the greatest edge that we have is our 
men and women. And when we lose them, we have got real 
problems.
    Ms. Stefanik. I agree with you, Admiral, and I also share 
your concerns. Particularly from my perspective representing 
New York's 21st District, home of Fort Drum, but we are also 
home to not only members of the military and service men and 
women, but many Federal employees in the district. So I share 
your concerns, and we are working very hard on this committee 
to address the negative implications of sequestration and these 
cuts which are so devastating to our readiness.
    Thank you.
    Mr. Wilson of South Carolina. And thank you very much, 
Congresswoman Stefanik. And Congresswoman Stefanik has been a 
real leader trying to address the issue of defense 
sequestration. We appreciate her extraordinary service.
    Additionally, we appreciate your extraordinary service. And 
the issues that you are dealing with are so important we have 
another round for anyone who would like to participate.
    And for each of you, in your testimony, the military and 
civilian personnel needed for the Cyber Mission Forces were 
discussed, but are there enablers out there in other 
communities not included in the workforce numbers which you 
rely on significantly?
    How are these enablers faring in the budget? What impact 
would you expect, again, with defense sequestration on these 
forces?
    And we can begin with the Admiral and proceed.
    Admiral Rogers. So one of my comments--and I, in fact, just 
raised this to the Joint Chiefs of Staff last week--was to 
remember cyber is much more than just the maneuver elements, 
the teams, if you will, that we are creating, that like every 
other mission set, cyber counts on a core set of enablers that 
we often tend to take for granted.
    So rather than take a lot of time, I will highlight one 
area to you, and that, for example, is the power of 
intelligence, the fact that we rely on a broader intelligence 
structure to generate knowledge and insight about what is going 
on in our cyber environment and we use that insight then to 
apply this capability we're generating.
    Without that kind of insight, we have real challenges, as 
we do in every other domain, about how do you maximize the 
effectiveness of the resources and the capabilities we have 
generated in this maneuver force.
    So I constantly try to remind the broader set of partners 
that we work with in and outside the Department to it is more 
than just this cyber maneuver force here that we need to be 
thinking about.
    General Cardon. Sir, enablers are really important. Often 
they are in high demand, low density in the Department. There 
is a lot of structures in place to work to prioritization. But 
it is truly combined arms. But I don't think we fully 
understand what we need yet.
    And here is what I mean. When I took command, we had two 
teams. Today we have 25. By summer, we will have 41. The 
demands are growing. And how to best organize the enablers to 
meet all the demands that the teams are generating as the teams 
grow, we are working. We know we need more. To put a finite 
number on that yet I think is a little premature, but it is not 
what it is today.
    Admiral Tighe. Chairman, I would say that, from the Navy 
perspective, we are building the teams just like the other 
service components at places where I have already got commands. 
So I have a command structure where we are growing teams, and 
there are enabling functions associated with growing a large 
number of military people, you know, personnel, inside of a 
command, and civilians.
    And so some of those kinds of enabling functions have not, 
you know, really been thought through in terms of how many 
career counselors do you need, how many SAPR [Sexual Assault 
Prevention and Response] counselors and victim advocates and 
those kind of things. And so certainly, when we added the Cyber 
Mission Force, it was all about that maneuver element.
    But, in some cases, we have placed burdens on commands that 
may not have had sufficient capacity to deal with that growth. 
And so that is an area that we are definitely looking at, where 
we go from here in terms of both the enabling and, as Admiral 
Rogers said, the command and control parts of it.
    General O'Donohue. Sir, from the Marine perspective, you 
know, enabling the whole force really is what cyber is. You 
have a certain amount of expertise represented in the 
specialized skills. We have folks down here with the ability of 
the force to train and exercise.
    This comes from the resiliency aspect of it and the idea 
that down to the network operator level or down to the end 
user, he is able to operate in a contested and degraded 
environment, in fact, compromised, and every level of command 
is integrated at cyber less [audio unclear] and not just what 
is specifically designated as a cyber force.
    So one aspect of that is the training exercises that gets a 
whole force and also provides an enabler to the specialists, 
who are the catalysts. But it has to be seen as a comprehensive 
capability across the force and integrated like any other 
combined arms.
    One help for that is a persistent training environment. 
This helps realistically fight a network without an adversary 
and enable to test the force and build resiliency. Also, it has 
another effect in terms of acquisitions, which is another area, 
not so much money, certainly an acquisition program that is 
tailored to this new capability that we are developing.
    Within the persistent training environment, you can get the 
collective skills across the force, but also you can test the 
vulnerabilities of things that we are going to acquire and 
bring into it in the overall operational context.
    General Wilson. Sir, I would just echo a couple of things 
and add a few.
    One is integrated command and control has been key. We have 
seen that today at the tactical level, if we are able to 
integrate our command and control elements. That has been a 
challenge because we have been resourcing the maneuver element. 
We have not resourced the command and control. So that has been 
a bit of a challenge. But we see that as a key enabler 
tactically.
    In addition, similar to the Navy, some of the support 
structure was not put in because of some of the sequestration 
cuts, if that stays. And so we have got those laid in in our 
current budget. So if we move back to BCA levels, that may put 
some stress on the support structure.
    The couple things I would add is we see tremendous leverage 
with a Reserve Component. So our Guard and Reserve partners--
they are conducting the mission every day for a couple of 
reasons.
    One, we see tremendous talent and unique skill sets that 
come in the door that complement the training that we give them 
and the types of operations we are doing. It also offers our 
Active Duty members that make a decision to leave the service 
some options on continuing to serve by wearing a uniform and 
coming back in the door on a bit limited basis from just a time 
perspective. But we get to retain that talent and the 
experience.
    So that has been a key enabler for us. We have been doing 
that for years. But we are seeing that magnified in the CMF, 
the Cyber Mission Force.
    I would echo also we really are going through a culture 
change. We have a very--it is a contested, degraded, and 
potentially operational limited environment. And so that 
culture of having to operate through that kind of environment 
is different. And so moving the whole force--not just the cyber 
experts, but everyone--into that and through those training 
exercises and exposing them to that is key.
    And then, finally, I would add it is quickly becoming a 
commander's business. Just like in industry, we are seeing in a 
C-suite business--CEOs [Chief Executive Officer], COOs [Chief 
Operating Officer], et cetera--it is not just the CIO's [Chief 
Information Officer] problem anymore. This is key. To have 
mission success, this has got be to a commander's business.
    So it is not just the commanders sitting here representing 
the cyber talent, if you will, in each of the services, but the 
operational commanders, and getting them involved in the 
decision process.
    What we are seeing in the Air Force is my counterparts in 
the other combat-numbered Air Forces are very interested and 
want to understand and want to be part of the solutions. And so 
we see that as a key enabler.
    Mr. Wilson of South Carolina. Well, I thank each of you.
    And we now proceed to Congressman Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    And, again, thanks to our witnesses.
    I have got a couple of questions. I am hoping to get to at 
least a couple of them. I can't get through all of them. So I 
am going to go as quickly as I can.
    But going back to, if I could, retaining and recruiting 
qualified military and civilian personnel, obviously, it is 
critical to addressing the threat.
    So my question is: What challenges do you face in 
recruitment and retention? And, more specifically, how are 
these challenges being addressed? Are special authorities 
needed?
    For example, are enlistment bonuses, civilian hiring 
authorities, required to address shortfalls in recruitment and 
retention? And what incentives or methods have been used so far 
effectively to recruit and retain?
    Admiral Rogers. Let me start and then I will turn it over 
to my counterparts, because the services actually generate the 
capability, if you will, the workforce.
    When I looked across the entire Cyber Mission Force, the 
positive side to date is that both accessions, input, if you 
will, across all the services is meeting target and retention--
knock on wood--is actually higher in some ways than we had 
originally anticipated.
    I think that is because--the thing I try to remind people 
is we are not going to compete on the basis of money. Where we 
are going to compete is the idea of ethos, culture, that, ``You 
are doing something that matters, that you are doing something 
in the service of the Nation, and that we are going to give you 
the opportunity to do some really interesting and amazing 
things.'' I think that is how we are going to compete.
    And then I would turn it over to my service teammates for 
the specifics they are running into.
    General Cardon. Sir, to echo Admiral Rogers, we have not 
experienced problems with recruitment. For example, for our 
high-end operators, we recruited 75 percent of the year in the 
first quarter with no waivers and no bonuses. So there is a 
tremendous drive on this.
    The challenge will be retention. So if I could go down, 
officers----
    Mr. Langevin. How is that going so far on the retention 
side, just broadly.
    General Cardon. Well, we are headed into our first big bow 
wave because we started this about 3, 4 years ago and they are 
entering into the first window. I would say right now it is 
still unknown.
    But a few indicators gave us the idea that we have to 
manage this as a separate branch, because before we did not 
count cyber. You were part of another branch and you were 
selected for promotion or leader development opportunities 
based on your expertise on that branch, not in cyber. Now you 
will do this with a cyber focus.
    We have also recognized we need this same thing for our 
civilian workforce. For the civilian workforce, there is no 
cyber portion of this. So to advance in those, you have to 
advance where you were hired into as opposed to a cyber focus. 
So we think those will really help. We have the right tools 
with bonuses and all that right now to offer them, and the Army 
is very aggressive on this at this time.
    Admiral Tighe. I would say that the Navy is in a similarly 
situated position. As it pertains to recruiting, we have not 
been having any trouble recruiting to the numbers that we 
needed for all of our cyber-type missions. And on the retention 
side, we are doing very well, both officer and enlisted, in 
retaining the talent that we need.
    We have the tools that everyone else uses in the Navy to 
incentivize any particular ratings that are low on numbers, in 
particular, pay grades and things like that. We use that. But I 
agree with Admiral Rogers that, in this mission set, it is not 
about the money. It is about the mission.
    And so the best thing that we can do to improve retention 
in this space is give them the training and the tools and put 
them on mission because they--you know, what I am seeing in our 
young people and our workforce is very motivated, enthusiastic 
for the mission. And getting them on mission is the most 
important thing we can do.
    Mr. Langevin. I am going to hold the--General O'Donohue and 
General Wilson, if you can perhaps respond in writing, 
especially if there is something different that you are 
experiencing. But I wanted to get to the acquisition part.
    [The information referred to can be found in the Appendix 
on page 102.]
    Mr. Langevin. Let me ask: Is the current acquisition model 
adaptive and flexible enough to support cyber technology 
innovation and rapid utilization of cyberspace capabilities? As 
you may know, the committee is working on acquisition reform 
right now. And do you have recommendations on how to ensure the 
process allows for innovation and rapid acquisition 
capabilities?
    My other question, which you probably won't be able to get 
to, is going to be for Admiral Rogers. Are you reviewing 
allocation of resources in terms of--to meet the combatant 
commanders' requirements? How do you allocate the resources you 
need for these Cyber Mission Teams? So we can probably do that 
one for the record. But on acquisition.
    [The information referred to can be found in the Appendix 
on page 101.]
    Admiral Rogers. So let me start on acquisition. The short 
answer is no. My argument is we have to change the model we are 
using. The rate of change is such that, within the cyber arena, 
we have got to account for the fact that, as we are developing 
and acquiring capabilities in the Department, we have got to 
build into that process the idea of regular and recurring 
update and revision, that a set of capabilities that we lock 
into place and then build to over time--let's say, if you look 
at what it takes to put a satellite into orbit, if you look at 
what it takes to build a major warship, for example, I mean, we 
are talking 5 to 10 years. And the rate of change in the cyber 
dynamic in 5 to 10 years is just amazing to me.
    So we have to build into that program the idea that there 
will be a recurring refreshment rate required. We don't do that 
right now in the model at all. That is not the way we do 
business. But I think we have to get to that.
    Mr. Langevin. We are going through acquisition reform right 
now, and now would be a good time to help us to get this right.
    I know my time has expired.
    Mr. Wilson of South Carolina. Thank you, Mr. Langevin.
    And we will proceed now to Congressman Ryan Zinke.
    Mr. Zinke. Thank you, Mr. Chairman.
    I guess, as I watch the fleet numbers go down, I get 
concerned. I think we are all concerned. But, also, when the 
fleet numbers go down, we are asking our fleet to do more with 
less and it is much easier for our adversaries to target 
individual platforms.
    I guess the bottom line is, if further cuts occur, do you 
feel that those cuts could, in fact, put our ships and our 
fleet that are in harm's way at further risk being unable to 
detect and defend a cyber attack, particularly in the western 
theater?
    Admiral Tighe. Congressman, I believe that all of our 
maritime missions, particularly those that are forward, you 
know, projecting power around the globe, are critically 
dependent on our cyber capabilities.
    And we have spent the last 2 years building programs around 
closing the gaps in vulnerabilities and increasing our 
operational capabilities to assure missions around the globe 
that maritime commanders have to be able to do.
    And so certainly what the actual CNO [Chief of Naval 
Operations] said during his budget testimony is, if we are held 
at the BCA levels, he would be hard-pressed to recommend to the 
Secretary that we reduce any of those investments that we have 
already identified and made as a commitment to our mission 
assurance based on the cyberspace capabilities.
    But I think, as mentioned earlier, another key aspect of 
that is all of the modernization programs that we have across 
the board--aircraft, submarines, ships, all of those 
modernization programs--tend to upgrade systems that are 
dependent on operating systems.
    And when things like sequestration hits or we have a late 
budget, you know, getting to our acquisitions system, it ends 
up throwing a monkey wrench in the modernization plans. Those 
modernization plans are very critical to closing 
vulnerabilities.
    So even beyond what we would call strict cyber investments, 
our acquisition process and focus on ensuring that our programs 
are not delivering vulnerable systems across the board--not 
just networks, but across the board--is contingent on those 
modernization programs going forward. So, yes, it certainly 
puts at risk not just the capability, but the overall mission, 
command and control, of Navy capabilities around the globe.
    Mr. Zinke. Thank you, Admiral.
    Mr. Chairman.
    Mr. Wilson of South Carolina. Thank you, Congressman Zinke.
    We now proceed to Congressman Jim Cooper of Tennessee.
    Mr. Cooper. Thank you, Mr. Chairman.
    Within the last 2 weeks, I think it was publicized that 
Lenovo computer company shipped laptops already equipped with 
malware called Spear Phishing or something.
    Isn't that kind of amazing, that a brand-new laptop would 
already be essentially booby-trapped that way?
    Admiral Rogers. Quite frankly, no.
    Mr. Cooper. That is not amazing?
    Admiral Rogers. Again, because what I generally find over 
time is--for example, most of the equipments and the 
capabilities that we will bring onboard as a Department, we 
don't automatically assume that it is perfectly secure. We have 
a series of tests and processes that we go through.
    I am not trying to imply it is for nefarious reasons. Many 
times we will find that, from the time it takes to actually 
generate and build the capacity to the time it is actually 
fielded, for example, you will find vulnerabilities.
    For example, if you have look at Heartbleed, probably the 
largest vulnerability we had over the course of the summer, was 
based on coding from the 1980s. You find these challenges. This 
is not unique to the nature of the cyber arena, sir.
    Mr. Cooper. Someone estimated--and I hope it is unduly 
pessimistic--that almost 95 percent of government IT 
[information technology] acquisitions were flawed or deeply 
flawed in some way.
    Are you able at NSA [National Security Agency] to make sure 
you have clean equipment when you buy it?
    Admiral Rogers. NSA is part of a broader team that helps 
work information assurance for the Department. Having said 
that, the service has the overall responsibility for the 
manned, trained, and equipped functions for their service and 
broadly for the Department. But we do it as part of a broader 
team.
    Mr. Cooper. But for your own NSA operation, you are able to 
make sure that all your computers are clean?
    Admiral Rogers. Yes. We spend a lot of time--as every 
organization does, we spend a lot of time making sure that we 
don't have vulnerabilities in the systems that we are counting 
on to execute our mission.
    Mr. Cooper. That would include system administrators like 
Mr. Snowden?
    Admiral Rogers. Yes. Clearly it is not a perfect system. 
You will never hear me say that, if that is the point we are 
trying to make. You will never hear me say that.
    Mr. Cooper. What is good enough for government work? What 
is clean enough to be safe?
    Admiral Rogers. I don't know that there is a particular 
number that I could give you. It all boils down to what is the 
level of risk that we are comfortable with, what are the 
different processes that we can put in place to try to mitigate 
that. There is no single silver bullet here, as it were.
    Mr. Cooper. It is risk for virtually every chip to be made 
overseas?
    Admiral Rogers. There is clearly an aspect of risk to it. I 
think that is a fair statement.
    Mr. Cooper. Is it worth mitigating that risk by having more 
domestic manufacturers?
    Admiral Rogers. You know, clearly within the Department, we 
try to take a look at that. One of the ways we do it is we try 
to tier some of our systems, if you will. And the standard, for 
example, that we will use within the nuclear infrastructure is 
different than the infrastructure we will use for the systems 
we use for morale, welfare, and recreation functions within the 
Department.
    Mr. Cooper. But a back door can come in from virtually 
anywhere. The Target hack was mainly the HVAC [heating, 
ventilation, air conditioning] contractor. Right?
    Admiral Rogers. So is it possible? Yes. There is no doubt 
about that.
    Mr. Cooper. I don't know how many transistors are in a 
phone like this or chips or whatever like that, but it is 
surely a large number.
    Admiral Rogers. It is a complex operating system.
    Mr. Cooper. So since everyone carries their own 
supercomputer with them, is anyone smart enough to figure out 
the hardware/software interface, even assuming that the 
hardware is perfect and clean and inviolable or----
    Admiral Rogers. Well, the way I put it is, hey, if it is 
designed by man, man is a flawed individual. And the idea that 
you are going to create something perfect in which you 
guarantee that there is no ability to penetrate is highly 
unlikely, which is why in the Department we do things like 
defense in depth, multiple looks at the same piece of gear many 
times.
    We try to account for the fact that a single solution--
whether it be technical, ``Hey, I can create the perfect 
system,'' whether it is, ``Hey, I can control my workforce and 
guarantee I am not going to have any issues,'' we try to use 
multiple layers.
    Mr. Cooper. I guess I am still trying to get at the 
question of good enough for government work. When are we safe? 
When have we done enough of that? Do you have to red-team 
everything? Do you have to practice your operation without 
using computers? How do we----
    Admiral Rogers. I think the answer is yes, we try to do all 
of that. You have heard today already we talk about the idea 
about, for example, how are we going to operate hurt within the 
Department.
    I think the reality of the world around us is, at least on 
the military dimension, it is not in our best interest to 
assume we will always have perfect connectivity, that we will 
never have any issues, we will never have any degradation. Far 
from it. I think quite the opposite, given the nature of the 
world that we are dealing with today. We have to think about 
how we are going to fight through things.
    Mr. Cooper. Should the Defense Committee be doing more to 
help?
    Admiral Rogers. Well, I can use all the partners that we 
can get in this. Because no one single entity here is going to 
have all the answers to this, which is one reason why, if you 
look at the resource piece that the Congress holds here, the 
legal frameworks that we talk about, you clearly have an 
important role to play in all this. It won't be just us.
    Mr. Cooper. Well, I hope you won't be shy about asking.
    Admiral Rogers. Yes, sir.
    Mr. Cooper. Thank you, Mr. Chairman. I see my time has 
expired.
    Mr. Wilson of South Carolina. Thank you, Mr. Cooper.
    As we conclude, I want to thank each of you. And it has to 
be reassuring to the American people to see such dedicated 
personnel. So thank you very much for your service on behalf of 
our country.
    We are adjourned.
    [Whereupon, at 4:51 p.m., the subcommittee was adjourned.]

     
=======================================================================


                           A P P E N D I X

                             March 4, 2015
      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                             March 4, 2015

=======================================================================

      

      
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
         
=======================================================================


              WITNESS RESPONSES TO QUESTIONS ASKED DURING

                              THE HEARING

                             March 4, 2015

=======================================================================

      

            RESPONSES TO QUESTIONS SUBMITTED BY MR. LANGEVIN

    Admiral Rogers. In December 2012, the Department determined its 
initial set of resources required to man, train and equip of Cyber 
Mission Forces (CMF) based on operational requirements defined by the 
Joint Staff in coordination with the Combatant Commands and U. S. Cyber 
Command (USCYBERCOM). Based on those requirements, the Department of 
Defense (DOD) initiated a major investment in its cyber personnel and 
technologies for the Cyber Mission Force in 2013.
    From the initial 2012 assessment, the Services were required to 
meet the man, train and equip 133 teams with various levels of 
involvement using the traditional equitable allocation model (Army 30%, 
Air Force 30%, Navy 30%, Marine Corps 10%) with all teams being fully 
resourced by Fiscal Year (FY) 2016 Specifically, Army is to provide 41 
teams, Air Force is to provide 39 teams, Navy is to provide 40 teams, 
and Marine Corps is to provide 13 teams. The Department also included 
integration of Reserve and National Guard personnel in the Cyber 
Mission Force (primarily as protection forces and surge support) as 
described in its August 29, 2014 report to Congress in response to FY14 
NDAA Section 933 (d). USCYBERCOM looks forward to completion of the 
Department's effort to fully resource the required command and control 
structure approved in 2013 by the Chairman, Joint Chiefs of Staff.
    Based on Combatant Commanders' requirements expressed in approved 
plans and prioritized effects lists, the initial mission assessment 
included distribution of combat mission teams to Combatant Commands 
(CCMDs) under each of the Service allocations. The initial distribution 
was re-examined in late 2013 and an alignment adjustment was made to 
two teams to account for certain increased cyber activity within the 
133 team ceiling. Current plans are to complete the build out of the 
CMF and, once the 133 teams have reached full operational capability 
(FOC), reassess the force structure to determine what (if anything) 
should be adjusted based on lessons learned. Additionally, as described 
in The DOD Cyber Strategy, USCYBERCOM continues to work with Joint 
Staff to integrate cyber requirements into combatant command plans and 
may reassess allocation of the CMF based on the results of these 
activities.
    With regards to training, USCYBERCOM published the joint training 
and certification standards for the Services to follow to ensure 
consistent training of individuals and teams. While the Department 
works to develop an enduring Persistent Training Environment (PTE) for 
the cyber force, USCYBERCOM expanded its joint training exercises (e.g. 
Cyber Knight, Cyber Guard, and Cyber Flag) to increase certain 
capability and capacity to help Service personnel and teams obtain the 
training required and complete the exercises needed for teams to reach 
FOC. USCYBERCOM will continue to monitor the readiness of the Cyber 
Mission Force as the Department integrates the CMF into its overall 
planning and force development activities to recruit, retain, and 
provide appropriately trained cyber personnel.
    When it comes to equipping the force, CMF team needs are based on 
operational requirements that were initially established at the 
beginning of the team build outs and continue to evolve or expand as 
current real world involvement dictates. As described in The DOD Cyber 
Strategy, USCYBERCOM is working with the Department to develop a 
Unified Platform that will integrate and establish interoperability 
between disparate platforms. The Unified Platform will enable the CMF 
to conduct full-spectrum cyberspace operations in support of national 
requirements. As cyberspace requirements evolve and expand, the pace to 
equip the CMF is constrained by the deliberate processes within the 
acquisition system. The speed in which USCYBERCOM needs the CMF to be 
equipped with certain capabilities continues to stress the Department's 
acquisition system built primarily to reduce risks in developing 
aircraft, ships, and land vehicles and/or oversee major enterprise-wide 
Information Technology programs where acquisitions occur over a period 
of years. The pace in which cyber events unfold and adversaries adapt 
their cyber actions require an agile acquisition system and related 
acquisition authorities that enable rapid development and fielding of 
military cyberspace capabilities where USCYBERCOM and combatant command 
requirements are met in a period of days, weeks, or months.   [See page 
24.]
    General O'Donohue. The Air Force continues to meet all accession 
requirements within the cyber community with highly qualified 
individuals. To assist with recruiting highly qualified candidates 
within the cyber community, the Air Force offers Initial Enlistment 
Bonuses for members enlisting in one of four cyber specialty fields. 
The member must possess Security+ and/or A+ certification prior to 
enlistment and enlist for 6 years to be eligible for the bonus and 
receive an advance promotion to Airman First Class upon completion of 
specialty training.
    In terms of retention, our legacy enlisted cyber support 
specialties retain slightly better than the Air Force average. However, 
given the relative infancy of some of our core cyber operations 
specialties (half of our enlisted specialties are less than five years 
old and we created a separate officer sub-specialty within the past 
year), we lack sufficient retention history in cyber operations. As 
first tour enlistments continue to expire over the next couple of 
years, we will have a better understanding of longer-term Airmen 
retention behavior.
    Regardless of retention, we continue to be challenged in our newer 
cyber specialties due to the rapid growth in requirements, which 
exceeds our trained personnel inventory. It is crucial that we retain 
our cyber professionals to help close the current manning gaps. As 
noted, on the enlisted side, we have made concerted efforts to increase 
accessions and pay retention bonuses where these challenges are most 
acute. For officers, we are currently exploring how we can leverage the 
Critical Skills Retention Bonus to retain cyber leaders. Continued 
Congressional support for all of our special and incentive pays aimed 
at recruiting and retaining cyber operations airmen is appreciated. We 
will continue to monitor and assess but it is clear that retaining 
these professionals is essential.   [See page 23.]
    General Wilson. Currently, we are not experiencing any major issues 
in recruiting or retention. While we are competing within DOD, as well 
as within industry, for top talent, we have a number of advantages. 
Some of these advantages will only appeal to a small segment of people, 
but that is all we need. Each Service, or industry for that matter, has 
advantages and many of these will only appeal to certain people, and 
that diversity helps us all. Our civilian salary and annual bonuses may 
not measure up to what industry can offer for a more skilled and highly 
trained individual. For the civilian Information Technology (IT) 
personnel, we have limited monetary incentives that can be offered. 
What we see more than often is our cyber civilian positions offer a way 
for talented Marines that have trained and grown up in this domain, 
with hands on experience, but are leaving the service for various 
reasons; from family, to career, to retirement, a way to stay 
associated with the Marine Corps. They continue to be a part of the 
Marine Corps team and gain the stability (in terms of position and PCS 
moves) or flexibility that can be offered by a civilian position, and 
so these Marines apply for and earn these positions. We have a number 
of civilian personnel from other services as well, they too leave their 
service for some of the same reasons and apply to our civilian 
positions for similar reasons, and they are still associated with the 
military, but get to choose where they live and work. Sometimes our 
applicants have a desire to serve the military, but for various reasons 
were unable to in the past or now cannot be in the active duty 
component, so they apply to our positions. As for the Active Duty 
Marines, especially some of our younger Marines, see cyberspace as a 
new and exciting domain. We generally have more Marines wanting to come 
to MARFORCYBER than we have space. The younger Marines have been raised 
in this domain more than the past generations and for them, continuing 
to fight our enemies in a domain they are already comfortable with is 
something they are seeking. Additionally, once they arrive, they 
receive advanced training and the hands on experience that goes with 
work. The Marines see cyberspace as the future and want to be a part of 
it. Some will decide to get out, and as we stated above, some will get 
out but want to come back on as a civilian. Some go to industry and 
wish to keep that link to the Marine Corps, so they transition to the 
reserve component, bringing their industry experience back to the 
Marine Corps when it is needed and continue to build that knowledge and 
experience in both realms. Others will stay as long as the service 
allows them to continue to see this domain grow and mature.   [See page 
23.]

     
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                             March 4, 2015

=======================================================================

      

                   QUESTIONS SUBMITTED BY MR. WILSON

    Mr. Wilson. Several of you mentioned in your testimony something 
called Unified Platform? What is Unified Platform, and what 
capabilities will it provide for you? Will there be service-unique 
capabilities that you believe will be integrated in? From an 
acquisition perspective, how do you plan to proceed? Do you need any 
special acquisition authority or a special acquisition process in order 
to develop Unified Platform in a timeframe that will be useful for the 
cyber mission forces? How are you working with your service 
laboratories and program offices to develop the capabilities you will 
need as part of this initiative?
    Admiral Rogers. [No answer was available at the time of printing.]
    Mr. Wilson. What role, if any, do you see the Cyber Threat 
Intelligence Integration Center playing in your day to day operations?
    Admiral Rogers. [The information referred to is for official use 
only and retained in the committee files.]
    Mr. Wilson. Do you have adequate all-source and multi-intelligence 
fusion and analysis capabilities for cyber to support the cyber mission 
teams we are building?
    Admiral Rogers. [No answer was available at the time of printing.]
    Mr. Wilson. Several of you mentioned in your testimony something 
called Unified Platform? What is Unified Platform, and what 
capabilities will it provide for you? Will there be service-unique 
capabilities that you believe will be integrated in? How are you 
working with your service laboratories and program offices to develop 
the capabilities you will need as part of this initiative? From an 
acquisition perspective, how do you plan to proceed? Do you need any 
special acquisition authority or a special acquisition process in order 
to develop Unified Platform in a timeframe that will be useful for the 
cyber mission forces?
    General Cardon. The Unified Platform (UP) is USCYBERCOM's joint, 
unifying vision for full-spectrum cyberspace operations that in concept 
will provide the Cyber Mission Force the ability to seamlessly 
integrate defensive and offensive operations. In its essence UP is a 
network of computers, servers, data storage, and analytic capabilities 
leveraged to maneuver in and out of red space (adversary assets), and 
an access capability to enter the desired red space. It provides a 
suite of capabilities to actively defend our network and to project 
power in and through cyberspace if called upon to do so. While 
inherently Joint, the intent is that Service presented capabilities can 
be integrated into a common framework for Joint C2 and execution. While 
USCYBERCOM's UP vision is driving current and future investments within 
the service laboratories and program offices, several ongoing pilot 
efforts are further refining the development of specific requirements. 
Additionally, through the distribution of a small amount of USCC RDT&E 
funding we have been able to further the development of emerging 
technologies and concepts critical to what the Army would present in a 
Unified Platform construct. These efforts are informing the development 
of requirements in line with the agile requirements validation and 
acquisition models currently afforded by updated JCIDS and Defense 
Acquisition System.
    Mr. Wilson. Several of you mentioned in your testimony something 
called Unified Platform? What is Unified Platform, and what 
capabilities will it provide for you? Will there be service-unique 
capabilities that you believe will be integrated in? From an 
acquisition perspective, how do you plan to proceed? Do you need any 
special acquisition authority or a special acquisition process in order 
to develop Unified Platform in a timeframe that will be useful for the 
cyber mission forces? How are you working with your service 
laboratories and program offices to develop the capabilities you will 
need as part of this initiative?
    Admiral Tighe. The Unified Platform is a planned Department of 
Defense cyberspace operations platform that will enable the Cyber 
Mission Force to conduct full spectrum Cyberspace operations. The 
Unified Platform is important in enabling Cyberspace operations 
approved by the President and directed by the Secretary of Defense to 
support National and Department of Defense policy objectives in 
disrupting and denying adversary operations that threaten U.S. 
interests. It will provide the Navy Cyber Mission Forces an integrated 
capability that is synchronized with Joint combat operations across 
multiple geographic Combatant Commanders' AORs. Commander, U.S. Fleet 
Cyber Command/U.S. TENTH Fleet, through its research and development 
arm, the Navy Cyber Warfare Development Group, is coordinating 
development and acquisition with service laboratories, industry, and 
Commander, U.S. Cyber Command.
    Mr. Wilson. Several of you mentioned in your testimony something 
called Unified Platform? What is Unified Platform, and what 
capabilities will it provide for you? Will there be service-unique 
capabilities that you believe will be integrated in? From an 
acquisition perspective, how do you plan to proceed? Do you need any 
special acquisition authority or a special acquisition process in order 
to develop Unified Platform in a timeframe that will be useful for the 
cyber mission forces? How are you working with your service 
laboratories and program offices to develop the capabilities you will 
need as part of this initiative?
    General O'Donohue. Unified Platform is expected to be an 
operationally responsive infrastructure designed to improve information 
fusion into an effective, integrated approach that leverages developing 
cohesive solutions, a single architecture, and reduced infrastructure.
    A more detailed explanation will be provided to the Committee by 
separate correspondence.
    Mr. Wilson. Several of you mentioned in your testimony something 
called Unified Platform? What is Unified Platform, and what 
capabilities will it provide for you? Will there be service-unique 
capabilities that you believe will be integrated in? From an 
acquisition perspective, how do you plan to proceed? Do you need any 
special acquisition authority or a special acquisition process in order 
to develop Unified Platform in a timeframe that will be useful for the 
cyber mission forces? How are you working with your service 
laboratories and program offices to develop the capabilities you will 
need as part of this initiative?
    General Wilson. [No answer was available at the time of printing.]
                                 ______
                                 
                   QUESTIONS SUBMITTED BY MR. ASHFORD
    Mr. Ashford. Is there a role for USCYBERCOM in combating Islamic 
extremist propaganda and online recruiting?
    Admiral Rogers. [No answer was available at the time of printing.]
    Mr. Ashford. What role does the Reserve Component have in 
CYBERCOM's manning construct?
    Admiral Rogers. As part of its USCYBERCOM Cyber Mission Force 
(CMF), in addition to Air Force Reserve Cyber Personnel that support 
various staffs and units, the Air Force has tasked the Air National 
Guard to fulfill the requirements for two full time Cyber Protection 
Teams and the cyber operations element of one National Mission Team. 
These teams will be mobilized from fifteen Cyber Operations Squadrons 
either already in existence or being stood up. The Navy and Marine 
Reserves participation is based on individual augmentation to 
shortfalls in their parent service. Army Reserve Component teams are 
being built to support Army Service capability apart from USCYBERCOM's 
CMF.
    Mr. Ashford. Do we need more cyber capacity in Guard and Reserve 
units? Do you believe we need to have cyber-focused units in each of 
the States?
    Admiral Rogers.The question of whether or not to have capability 
within each State is a resourcing issue. The current resources 
allocated to USCYBERCOM require them to continue to be focused on 
training the nearly 6,200 Cyber warriors assigned to the Cyber Mission 
Force. Cyber Security is a team effort. Although it might be beneficial 
to have a DOD Cyber trained capability within each State, in today's 
fiscal environment, difficult fiscal conditions have USCYBERCOM 
focusing on building the approved 133 teams.
    Mr. Ashford. What role does the Reserve Component have in 
CYBERCOM's manning construct?
    General Cardon. The Army and Army Cyber Command, as the Army's 
service component to U.S. Cyber Command, continue to build a Total Army 
approach for our cyber forces that will include 21 Reserve Component 
Cyber Protection Teams. These teams will be trained to the same joint 
standards as the Active Component cyber force. The Army's plan includes 
one Army National Guard cyber protection team currently serving on 
Active Status, 10 Army National Guard cyber protection teams and 10 
United States Army Reserve cyber protection teams that are essential 
components of the Total Army cyber force.
    The Army Reserve Cyber Operations Group conducts Defensive 
Cyberspace Operations support and provides Department of Defense 
Information Network operations and Computer Network Defense Service 
Provider support to the Southwest Asia Cyber Center.
    United States Army Reserve provides U.S. Cyber Command with 
cyberspace planners, an intelligence fusion cell, and joint personnel.
    The Virginia Army National Guard Data Processing Unit conducts 
cyberspace operations in support of U.S. Cyber Command.
    The United States Army Reserve Military Intelligence Readiness 
Command, which will transition to the Army Reserve Intelligence Support 
to Cyberspace Operations Element, provides intelligence support and 
analysis products to U.S. Cyber Command.
    United States Army Reserve personnel serve within the Army's Joint 
Force Headquarters-Cyber to execute joint cyberspace operations for 
U.S. Cyber Command.
    The United States Army Reserve and the Army National Guard are 
integral to the Total Army approach to cyberspace operations.
    Mr. Ashford. Do we need more cyber capacity in Guard and Reserve 
units? Do you believe we need to have cyber-focused units in each of 
the States?
    General Cardon. Approximately 2,000 Army National Guard (ARNG) and 
United States Army Reserve (USAR) personnel are or will be trained and 
equipped to the same joint standards as the Active Component cyber 
force. Army Cyber Command and Second Army assess that the plan for 11 
Army National Guard and 10 United States Army Cyber Protection Teams, 
and the current and planned additional Reserve Component Cyber elements 
(which include the Army Reserve cyber Operations Group, Military 
Intelligence Readiness Command/Army Reserve Intelligence Support to 
Cyberspace Operations Element, Virginia Army National Guard Data 
Processing Unit, U.S. Cyber Command Army Reserve Element, and the Army 
Joint Force Headquarters-Cyber Reserve Component augmentation) do and 
will provide adequate Cyberspace capacity to the Total Cyber force 
through FY 2018.
    As these United States Army Reserve and Army National Guard units 
become fully manned, trained, and equipped, we will continue our 
assessment to determine the right number and mix of cyber capacity for 
the United States Army Reserve, Army National Guard, and Active units.
    Mr. Ashford. What role does the Reserve Component have in 
CYBERCOM's manning construct?
    Admiral Tighe. Navy has realigned 298 enlisted Reserve billets that 
will be phased in between FY2015 and FY2018 to directly support Navy 
Cyber Mission Forces. Of the 298 billets, 280 are assigned seven each 
to the Navy's 40 CMF teams, with the remaining 18 assigned directly to 
the Joint Forces Headquarters-Fleet Cyber staff at U.S. Fleet Cyber 
Command. The seven billets assigned to each team serve in an 
augmentation role allowing the teams to capitalize on the specific 
cyber-related expertise of individuals in these billets. Under this 
construct, the Navy CMF teams are afforded an opportunity to maximize 
their operational capabilities through the employment of Reserve cyber 
experts, many of whom possess very specific skillsets and knowledge via 
their civilian careers and training. This ``augmentation'' construct 
further allows the Navy to efficiently secure a highly proficient and 
flexible CMF cadre irrespective of budgetary limits and the constraints 
of the normal Active Component CMF training pipeline.
    Seven enlisted Reserve billets have been realigned to Navy 
Information Dominance Forces (NAVIDFOR) Command to support its cyber 
inspection requirements.
    Mr. Ashford. Do we need more cyber capacity in Guard and Reserve 
units? Do you believe we need to have cyber-focused units in each of 
the States?
    Admiral Tighe. Through ongoing mission analysis of the Navy Total 
Force Integration Strategy, we developed a Reserve Cyber Mission Force 
(CMF) Integration Strategy that leverages our Reserve Sailors' skill 
sets and expertise to maximize the Reserve Component's support to the 
full spectrum of Cyber mission areas. Within this strategy, the 298 
Reserve billets, which are phasing into service from FY15 through FY18, 
will be individually aligned to Active Duty CMF teams and the Joint 
Force Headquarters-Cyber (JFHQ-C). Accordingly, each Navy Reservist 
assigned to a CMF billet provides operational support to the team's 
respective operational commander, including Fleet Commanders, US 
Pacific Command, US Southern Command, US Cyber Command, and DOD/Defense 
Information Security Agency. As the Navy builds its Reserve CMF support 
structure, Fleet Cyber Command and TENTH Fleet conduct ongoing 
assessments to maximize the Reserve Force's support to CMF operational 
objectives.
    These ongoing assessments look at both the size as well as the 
location within the Navy's geographic footprint. Navy Reserve cyber 
assets (CMF billets), which are governed under Title 10 authorities, 
are located with their respective Active Component team. They are 
currently assigned to eight of the Navy Information Operations Command 
(NIOC) centers, which are located in Maryland, Norfolk, Georgia, 
Florida, Texas, California, Hawaii and Japan. (The Navy does not 
possess any Title 32 authorities or personnel.)
    Mr. Ashford. What role does the Reserve Component have in 
CYBERCOM's manning construct?
    General O'Donohue. For the Marine Corps we currently provide 
reserve component augmentation to the MARFORCYBER headquarters and to 
the Marine Corps Network Operations and Support Center. There is the 
potential to use the reserve component in less time-sensitive roles to 
augment the active component. We do not currently have plans for a 
reserve component role in the cyber mission force in the near term. We 
are reviewing options for individual augmentation where appropriate; 
however few in the reserve component possess the required high demand/
low density military occupational specialties which limits options for 
any degree of incorporation into the teams.
    Mr. Ashford. Do we need more cyber capacity in Guard and Reserve 
units? Do you believe we need to have cyber-focused units in each of 
the States?
    General O'Donohue. The Marine Corps has not identified a surge 
capacity required for the role of reserve augmentation to the active 
component beyond the current augmentation levels. Additionally, 
maintaining the required skills that are required would be difficult 
given the limited time to train available to the reserve component. We 
do not provide Guard units.
    Mr. Ashford. What role does the Reserve Component have in 
CYBERCOM's manning construct?
    General Wilson. The reserve component manning within USCYBERCOM is 
currently limited to Individual Mobilization Augmentees (IMAs) in 
support of the sub-unified command mission.
    AFCYBER/24 AF/JFHQ-C is has fully partnered with the Air Reserve 
Component as part of its current and future build-up of cyber 
operations, to support the Air Force's cyber mission and the DOD's 
Cyber Mission Force (CMF).
    From the outset, the Air Reserve Component, in support of AFCYBER, 
has been integrated into the Cyber Mission Force build-up of 39 teams. 
To meet the demand signal of the CMF construct, the Air Force Reserve 
Command (AFRC) is standing up one Classic Associate Unit in FY16, 
integrating into a Regular Air Force Cyber Protection Team (CPT) 
squadron, providing steady-state capacity of one CPT or 30% day-to-day 
mission share. If mobilized, it will be able to provide manning for 
three CPTs in a surge capacity.
    In addition to the team build in the CMF, the AFRC supports 
numerous other cyber missions under the 960th Cyberspace Operations 
Group. The 960 CyOG is comprised of nine squadrons. These units defend 
the Air Force Networks and key mission systems, train personnel, 
develop new weapon systems and tools, and provide command and control 
of cyber operations. In addition to the 960 CyOG, there are Individual 
Mobilization Augmentees (IMAs) under the AFCYBER/24 AF/JFHQ-C that 
support various cyber missions.
    Between FY16-FY18, the Air National Guard (ANG) is building 12 
unit-equipped squadrons to sustain two steady-state CPTs, with each 
organized into the 30/70 full-time/part-time ratio. The ANG is also 
standing up a National Mission Team (NMT) unit in FY16. These units 
will align under two ANG Cyberspace Operations Groups.
    In addition to the build-up within the CMF Teams, the Air National 
Guard support to cyber operations includes five cyber units. These 
units support Defensive Cyber Operations and Command & Control. 
Additionally, the Air Guard has one of only three of the Network 
Operations Squadrons in the Air Force.
    Finally, the Air Reserve Component plays a significant role in our 
Engineering and Installation and Combat Communications. There are 38 
AFRC and ANG units supporting these missions and in the last 2 years 
the Air Reserve Component deployed over 800 personnel supporting the 
warfighter with these capabilities.
    Mr. Ashford. Do we need more cyber capacity in Guard and Reserve 
units? Do you believe we need to have cyber-focused units in each of 
the States?
    General Wilson. TThe Air Force is wholly committed to Total Force 
Integration across the full spectrum of cyberspace operations. The Air 
Reserve Component is a full partner in the Cyber Mission Force build in 
addition to our other day-to-day cyber operations. We are leveraging 
Traditional Reservists, Air Reserve Technicians and Air National 
Guardsmen throughout the command to meet our warfighting commitments. 
Whether it's commanding and controlling cyber forces from one of our 
operations centers, deploying as part of our Combat Communications 
team, installing cyber infrastructure around the world, or any other 
task, each of our Total Force members meets the same demanding 
standards and serve alongside their Active Duty counterparts.
    Today, the Air Reserve Component provides approximately 9,000 
personnel to support the Air Force's cyber missions. The majority of 
the personnel support the Combat Communications and Engineering & 
Installation missions. An additional 1,300 will be added to support the 
DOD's Cyber Mission Force. We believe growth in the Air Reserve 
Component is an effective and efficient option to reduce risk and meet 
Combatant and Air Component Commander's requirements as the demand for 
cyber capabilities increases.
    It's important to remember operations in the cyberspace domain are 
not constrained by physical geography. Similar to traditional air 
operations, the Air Force has few needs that demand a force 
distribution model across the 54 states and territories. Cyber missions 
are a case in point. We understand the National Guard Bureau is also 
considering the cyber requirement for each of the Governors. One of the 
force structure strategies under consideration is the alignment of Army 
and Air National Guard units by FEMA region with the appropriate inter-
state support agreements.

                                  [all]