[Senate Hearing 115-448, Part 8]
[From the U.S. Government Publishing Office]
S. Hrg. 115-448, Pt. 8
DEPARTMENT OF DEFENSE AUTHORIZATION FOR APPROPRIATIONS FOR FISCAL YEAR
2018 AND THE FUTURE YEARS DEFENSE PROGRAM
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON ARMED SERVICES
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
ON
S. 1519
TO AUTHORIZE APPROPRIATIONS FOR FISCAL YEAR 2018 FOR MILITARY
ACTIVITIES OF THE DEPARTMENT OF DEFENSE, FOR MILITARY CONSTRUCTION, AND
FOR DEFENSE ACTIVITIES OF THE DEPARTMENT OF ENERGY, TO PRESCRIBE
MILITARY PERSONNEL STRENGTHS FOR SUCH FISCAL YEAR, AND FOR OTHER
PURPOSES
__________
PART 8
CYBERSECURITY
__________
MAY 23, 2017
__________
Printed for the use of the Committee on Armed Services
Available via the World Wide Web: http://www.govinfo.gov/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
35-762 PDF WASHINGTON : 2019
COMMITTEE ON ARMED SERVICES
JOHN McCAIN, Arizona, Chairman
JAMES M. INHOFE, Oklahoma, Chairman    JACK REED, Rhode Island
ROGER F. WICKER, Mississippi           BILL NELSON, Florida
DEB FISCHER, Nebraska                  CLAIRE McCASKILL, Missouri
TOM COTTON, Arkansas                   JEANNE SHAHEEN, New Hampshire
MIKE ROUNDS, South Dakota              KIRSTEN E. GILLIBRAND, New York
JONI ERNST, Iowa                       RICHARD BLUMENTHAL, Connecticut
THOM TILLIS, North Carolina            JOE DONNELLY, Indiana
DAN SULLIVAN, Alaska                   MAZIE K. HIRONO, Hawaii
DAVID PERDUE, Georgia                  TIM KAINE, Virginia
TED CRUZ, Texas                        ANGUS S. KING, JR., Maine
LINDSEY GRAHAM, South Carolina         MARTIN HEINRICH, New Mexico
BEN SASSE, Nebraska                    ELIZABETH WARREN, Massachusetts
LUTHER STRANGE, Alabama                GARY C. PETERS, Michigan
Christian D. Brose, Staff Director
Elizabeth L. King, Minority Staff Director
_________________________________________________________________
Subcommittee on Cybersecurity
MIKE ROUNDS, South Dakota, Chairman    BILL NELSON, Florida
DEB FISCHER, Nebraska                  CLAIRE McCASKILL, Missouri
DAVID PERDUE, Georgia                  KIRSTEN E. GILLIBRAND, New York
LINDSEY GRAHAM, South Carolina         RICHARD BLUMENTHAL, Connecticut
BEN SASSE, Nebraska
C O N T E N T S
_________________________________________________________________
May 23, 2017
Cyber Posture of the Services
Lytle, Vice Admiral Marshall B., III, USCG, Director, Command,
Control, Communications and Computers/Cyber and Chief
Information Officer, Joint Staff, J-6.
Gilday, Vice Admiral Michael M., USN, Commander, United States
Fleet Cyber Command and Commander, United States Tenth Fleet.
Nakasone, Lieutenant General Paul M., USA, Commanding General,
United States Army Cyber Command.
Weggeman, Major General Christopher P., USAF, Commander,
Twenty-Fourth Air Force and Commander, Air Forces Cyber.
Reynolds, Major General Loretta E., USMC, Commander, Marine
Forces Cyberspace Command.
Questions for the Record
DEPARTMENT OF DEFENSE AUTHORIZATION FOR APPROPRIATIONS FOR FISCAL YEAR
2018 AND THE FUTURE YEARS DEFENSE PROGRAM
----------
TUESDAY, MAY 23, 2017
U.S. Senate,
Subcommittee on Cybersecurity,
Committee on Armed Services,
Washington, DC.
CYBER POSTURE OF THE SERVICES
The subcommittee met, pursuant to notice, at 2:29 p.m. in
Room SR-222, Russell Senate Office Building, Senator Mike
Rounds (chairman) presiding.
Subcommittee Members present: Senators Rounds, Fischer,
Nelson, McCaskill, and Gillibrand.
OPENING STATEMENT OF SENATOR MIKE ROUNDS
Senator Rounds. Good afternoon. The Cybersecurity
Subcommittee meets today to receive testimony on the cyber
posture of the services.
We are fortunate to be joined this afternoon by an
impressive panel of witnesses. Let me begin by just saying
thank you very much for your service to our country. Vice
Admiral Marshall Lytle, Director, Joint Staff, Command,
Control, Communications and Computers, Chief Information
Officer; Vice Admiral Michael Gilday, Commander, Fleet Cyber
Command; Lieutenant General Paul Nakasone, Commander, Army
Cyber Command; Major General Christopher Weggeman, Commander,
Air Force Cyber; and Major General Loretta Reynolds, Commander,
Marine Forces Cyber Command.
At the conclusion of my remarks and those of Senator
Nelson, we will hear briefly from each of our witnesses. I ask
our witnesses to limit their opening statements to 5 minutes in
order to provide the maximum time for Member questions.
We are making historic progress in the construction of our
cyber force. There is nothing trivial about the standup of a
6,200-person force within the timelines that each of you must
meet. We are pleased that each of you seems to be on track to
meet the October 2018 full operational capability, or FOC,
deadline that the U.S. Cyber Command has established.
Part of that progress is also evident as we start to see
the deployment of capability and begin to get a sense of how a
cyber force can be integrated with air, land, sea, and space.
I want to congratulate and thank each of you for your
leadership in building this first of its kind U.S. military
capability.
Despite the many successes, there are a number of
challenges each of you are confronting. The purpose of today's
hearing is to understand both the good and the bad, to get a
sense of the areas where progress is sound and understand those
challenges that are impacting you, challenges, quite frankly,
that should be expected when undertaking the significant task
that has been put before each of you.
We all too often gravitate here in Congress towards
exposing and addressing the challenges and unfortunately fail
to applaud the successes. I specifically mentioned the progress
made in training the force, as that is by no means a trivial
task. I remain impressed by the progress.
However, I remain concerned about what happens next, what
happens after the cyber mission force reaches FOC. More
specifically, will each of you have the bench strength
necessary to sustain the tools, capabilities, and readiness
levels required to be effective in the cyber domain?
When Admiral Rogers testified before the full committee
earlier this month, it became apparent that our ability to
maintain training readiness will be impacted by numerous
variables, both within and external to your control. It was
mentioned during that hearing that out of the 127 Air Force
cyber officers who completed their first tour on the Cyber
Mission Force, none went back to the Cyber Mission Force. While
reasonable people can disagree about whether the jobs they went
to involved an aspect of cyber in one capacity or another,
given the low density and high demand of the Cyber Mission
Force, we must be especially vigilant in managing the few
resources which we have.
I am concerned that we will not generate and maintain the
expertise we need unless we can build upon experience and
develop the proficiencies required to stay ahead in cyberspace.
Maintaining that expertise will require, among other things,
the need to train personnel on new and perhaps rapidly evolving
technology. My concerns with retention are exacerbated by the
apparent lack of cohesive strategy for ensuring that the
pipeline of new people will be sufficient to maintain readiness
and keep those teams whole.
I look forward to hearing from each of you how we can
assure that you are able to recruit the people you need, train
them to the level of capability required, and retain them in
professionally viable cyber career fields. Do we need to
rethink entirely what it means to be a cyber operator? Do they
need to wear uniforms or meet the same physical requirements of
other fields?
While the initial demands for the cyber force were
personnel and training heavy, we are getting to the point where
unless we begin to see dramatic changes in the budget, the
forces we have trained will lack the tools required to be
effective. Thus far, billions of dollars have gone toward
service-level network infrastructure but far too little has
been requested for the mission forces themselves. I am
concerned that unless this changes immediately, we are heading
down the path to a hollow cyber force.
We have been told not to expect much of a change in the
fiscal year 2018 request which, if true, is something this
committee will need to scrutinize in the coming weeks. Every
service is constrained and each service has its own resourcing
challenges. As we examine how those constraints and challenges
impact the services' ability to resource cyber requirements, I
believe it appropriate that we at least ask if the current man,
train, and equip model is sufficient or if a new model should
be considered, whether it be a hybrid of the existing structure
or a cyber-specific service.
Senator Nelson?
STATEMENT OF SENATOR BILL NELSON
Senator Nelson. Mr. Chairman, to that I would say amen.
In the interest of time, I will insert my opening comments
in the record, and I am going to go kick off another committee
and I will be right back.
[The prepared statement of Senator Nelson follows:]
Prepared Statement by Senator Bill Nelson
Thank you Senator Rounds, and welcome to our witnesses. Thank you
for your service, and for the service of the men and women you
represent here today.
This is an important hearing. In addition to the recurring
challenges of cyber warfare, this year we must squarely meet the
extraordinary threat posed by Russia's cyberspace campaign to influence
and undermine our elections.
The Russian operation exposed a serious vulnerability on our part.
We created a Cyber Command and built the Cyber Mission Forces to
operate in cyberspace, but, as Admiral Rogers recently testified, we
have not trained or tasked these forces to detect, counter, or conduct
this kind of information operation. Our cyber forces are focused on the
technical aspects of cyber-security--defending our networks from
intrusions and penetrating adversary networks--and not on the content
of the information flowing through the Internet.
Russia and China, on the other hand, are manipulating and
weaponizing information. They're using cyberspace to amplify age-old
information operations to influence the perceptions and decisions of
their adversaries--and their suppressed peoples, too.
The Defense Department has different organizations responsible for
all the various elements of what is collectively called ``information
warfare,'' but they seem to be scattered and not brought to bear in an
integrated way. These elements include cyber operations, military
information support operations, military deception and psychological
operations, public affairs, electronic warfare, and operations
security. The information operations that the Department does plan and
conduct appear largely to support the tactical or operational level
objectives of deployed forces, rather than strategic-level operations. The
whole-of-government is poorly integrated too, including the Departments
of Defense, State, Homeland Security, the FBI, and the Intelligence
Community.
Similar problems affect our interagency posture: we are very poorly
integrated across DOD, State, the IC, Homeland Security, and the FBI,
to detect, counter, and hopefully in the future deter Russian
aggression.
This brings me to the second major aspect of this problem that we
need to talk about today--deterring information operations and
cyberattacks conducted against us, especially our critical
infrastructure. The Defense Science Board Task Force on Cyber
Deterrence has urged us to develop and as necessary conduct information
operations that are specifically designed to threaten the things that
the leaders of adversaries value most highly. In the case of Russia,
that might be the illicitly obtained wealth of the ruling elite, and
the means by which they maintain power.
I would like our witnesses' opinions about these issues and the
role that Cyber Command could or should play in developing and
executing these operations.
Thank you Mr. Chairman.
Senator Rounds. Very good. Thank you, Senator.
Why do we not just begin with opening statements, Vice
Admiral Lytle?
STATEMENT OF VICE ADMIRAL MARSHALL B. LYTLE III, USCG,
DIRECTOR, COMMAND, CONTROL, COMMUNICATIONS AND COMPUTERS/CYBER
AND CHIEF INFORMATION OFFICER, JOINT STAFF, J-6
VADM Lytle. Good afternoon, Chairman Rounds. Thank you for
inviting us to talk about the Joint Force's efforts in
cyberspace. Vice Admiral Gilday, Lieutenant General Nakasone,
Major General Weggeman, Major General Reynolds, and I share
your keen interest in this topic.
I will focus my remarks on three primary missions in
cyberspace and describe the current approach to strengthen
cyber warfighting capabilities of the Joint Force.
The Joint Force executes the Department of Defense's three
primary cyber missions in support of the national defense
strategy: defend the DODIN [Department of Defense Information
Network], defend the Nation, and provide integrated cyber
capabilities in support of the combatant commands.
Joint Force's first mission is to defend the Department's
networks, systems, and information. The Joint Force must be
able to secure its networks against attack and recover quickly
if security measures fail. If our DOD [Department of Defense]
systems are not usable, our greater defense capability will be
diminished.
Second, the Joint Force must be prepared to defend the
United States and its interests against cyber attacks of
significant consequence when directed by the President. This
mission may be performed for significant cyber events that
include loss of life, significant damage to property, severe
adverse United States foreign policy consequences, or serious
economic impact on the United States.
Third, when directed by the President or the Secretary of
Defense, the Joint Force must provide integrated cyber
capabilities to support military operations and contingency
plans. These activities are conducted by U.S. Cyber Command
according to priorities set within the globally integrated
combatant command plans and in direct coordination with other
U.S. Government agencies. These activities may include actions
to disrupt adversary networks or infrastructure and prevent use
of force against U.S. interests.
These primary missions are underpinned by three main
cyberspace capability elements used to enable combatant
commands' ability to execute their operational plans. These
elements are defensible cyber terrain, cyber defenses, and the
cyber forces. Together, these elements factor heavily into our
ability to prevail against determined and capable nation-state
actors.
Information about offensive forces and capabilities is
classified, but please understand that these offensive
components are important and are coupled with our defensive
capabilities for maximum effect.
The first element of the Department's cyberspace
capabilities is defensible cyber terrain. Cyberspace is a
manmade domain and requires common standards to achieve
defensible, effective, and efficient operations. The Joint
Information Environment Initiative provides these common
standards for the protection of all network systems. Over the
past years, the Department made significant gains in hardening
our systems focused under the Department of Defense
Cybersecurity Scorecard effort, and we have increased endpoint
security and access control. We must continue to train all of
our personnel across the DOD until they have a working
knowledge of cybersecurity practices and hold leaders
accountable for instilling that culture of cybersecurity
discipline.
The second capability element dedicated to cyber defenses
are arrayed in a defense in-depth posture with a focused level
of tiered defenses. These defenses are broken into three tiers.
Tier-1 is the Department's outer boundary of Internet access
points defense suites. Tier-2 is the Joint Regional Security
Stacks, and Tier-3 consists of endpoint security systems like
host-based security systems on work stations. These tiered
defenses comprise our primary defense against external threats
in cyberspace and will be increasingly reliant on automation to
manage the threats.
The final element, cyber forces, are categorized in two
ways. The first are our fixed force defenders. Those are the
people that operate and protect assigned network enclaves and
associated systems. They are comprised of military cyber units
that form the backbone of secure network operations, including
service and agency network operations in security centers,
cybersecurity service providers, and cyber incident responders.
The other and more often discussed category of forces, the
Cyber Mission Force, is the Joint Forces maneuver force in
cyberspace. The CMF [Cyber Mission Force] is composed of 133
teams with objectives that directly align to the Department's
three cyber missions and are directed by U.S. Cyber Command and
its subordinate headquarters.
The Cyber Mission Force, all 133 teams, met their initial
operating capability milestone in October 2016. All teams are
also on track to meet their full operating capability in 2018,
October. More than half the teams have already met their full
operating capability milestone, and all of the teams are
actively performing missions defending U.S. networks, defending
DOD U.S. networks, protecting weapons platforms, and defending
critical infrastructure.
Despite these successes, there are still significant
readiness challenges that impact the cyber force. The Joint
Force completed a Cyber Mission Force training transition plan
in January of this year. The plan introduced the federated
joint training model and addresses the Cyber Mission Force
Active and a Reserve component training demand. Through the
institution of joint training standards and standardized
readiness reporting, the Joint Force is beginning to identify
trends that will help us better shape service policy and
resourcing requirements for the future. Each service is working
their unique cyber manpower challenges as part of their man,
train, and equip responsibilities. They have learned and
adapted over the past years instituting a number of changes to
ensure the success of the Cyber Mission Force and its
associated cyber tactical mission headquarters. You will hear
more from my colleagues on all of their efforts.
Equally important to manning and training, equipping the
Cyber Mission Force is evolving from the service platforms
currently employed by cyber operators to a standardized joint
capability that enables the force effectively and efficiently
while integrating into existing planning and force development
constructs. The framework for equipping the Cyber Mission Force
for both defensive and offensive missions is built upon a
family of interoperable systems from which the Cyber Mission
Force can operate and synchronize operations. Prototyping and
analysis of alternatives is underway to determine the best
composition of these systems under the unified platform of
effort led by the United States Air Force.
As the Cyber Mission Force continues to grow and mature, so
does the need to command and control and integrate the global
efforts of this complex and geographically dispersed
warfighting capability. The Joint Staff recently published a
revised command and control model that streamlines the command
relationships and synchronizes actions in support of the
combatant command campaigns. The Office of the Secretary of
Defense is currently working with the services to lay in
resourcing ramps over the FYDP [Future Years Defense Program]
for the needed manpower and O&M [Operations and Maintenance]
costs for this C2 model.
Thank you, Mr. Chairman and Members of the committee, for
the opportunity to be here. I am grateful for the committee's
interest and your support of our men and women in uniform.
[The prepared statement of Vice Admiral Lytle follows:]
Prepared Statement by Vice Admiral Marshall Lytle
introduction
Chairman Rounds, Ranking Member Nelson, and Members of the
Subcommittee, thank you for inviting us to discuss the Joint Force's
efforts in cyberspace. I appreciate the opportunity to explain the
progress made to improve America's cyber defense posture.
I will focus my comments on three primary missions in cyberspace
and describe the current approach to strengthening the cyber
warfighting capabilities of the Joint Force. Toward that end, I will
describe the state of our ongoing efforts to man, train, and equip the
Cyber Mission Force, as well as the Joint organizations needed to
Command and Control them. Finally, while I cannot discuss particulars
in an unclassified statement, I will broadly describe the cyber
capabilities needed to support both offensive and defensive teams.
joint staff role
As part of my duties as the Director for Command, Control,
Communications and Computers/Cyber, I work with our Joint Staff
Operations, Planning and Resourcing leaders to integrate strategic
cyberspace matters, including synchronization with national strategies,
readiness tracking of joint cyber forces, and development of
capabilities and concepts to support the Chairman's decision making. We
work closely with the Principal Cyber Advisor, the Office of the
Secretary of Defense staff and the Services to assess, address and
advocate for the Combatant Commands' cyber mission requirements and
priorities in support of the National Defense Strategy.
primary missions in cyberspace
The Joint Force executes the Defense Department's three primary
cyber missions in support of the National Defense Strategy. The Joint
Force defends the Department's networks, systems, and information. The
United States military's dependence on cyberspace for operations led
the Secretary of Defense in 2011 to declare cyberspace an operational
domain for purposes of organizing, training, and equipping United
States military forces. The Joint Force must be able to secure networks
against attack and recover quickly if security measures fail. To this
end, network defense operations are conducted on an ongoing basis to
securely operate the Department of Defense Information Networks. When
indications of hostile activity are detected within networks, the Joint
Force has capabilities to react, recover and return the networks and
systems to a secure posture. Accordingly, network defense operations on
Department's networks constitute the vast majority of the Joint Force's
efforts in cyberspace.
In addition to protecting Defense Department networks, the Joint
Force must be prepared to defend the United States and its interests
against cyberattacks of significant consequence when directed by the
President or his national security team. This second cyber mission is
performed on a case-by-case basis for significant cyber events that may
include loss of life, significant damage to property, serious adverse
United States foreign policy consequences, or serious economic impact
on the United States.
Third, when directed by the President or the Secretary of Defense,
the Joint Force must provide integrated cyber capabilities to support
military operations and contingency plans. Examples include cyber
operations that disrupt an adversary's military related networks or
infrastructure in order to terminate an ongoing conflict on United
States terms, or to disrupt an adversary's military systems to prevent
the use of force against United States interests. United States Cyber
Command, in coordination with other United States Government agencies,
may be directed to conduct cyber operations to deter or defeat
strategic threats in other domains. These primary missions are
underpinned by three main cyberspace capability elements used to assess
Combatant Commands' ability to execute their operational plans.
elements of cyberspace capability
This statement will not include information about offensive force
or capability due to its classification, however, offensive components
are important and are coupled with our defensive forces and
capabilities to achieve maximum effects.
Cyber forces, cyber defenses and defensible cyber terrain are the
three main elements that determine the Joint Force's ability to
achieve the primary cyber missions. Together, these elements factor
into our ability to prevail against determined and capable nation-state
cyber threat actors.
Of the cyber forces, the first line of defense--``fixed force
defenders''--that operate and defend assigned network enclaves and
associated defenses. Sometimes referred to as ``cyber enterprise
defense forces'', they are composed of military cyber units that form
the backbone of secure network operations. They include Service and
Agency Network Operations and Security Centers, Cyber Security Service
Providers, and Cyber Incident Response Teams, among others.
The Cyber Mission Force (CMF) is the Joint Force's ``maneuver
force'' in cyberspace. The CMF is composed of 133 teams with objectives
that directly align to the Department's three cyber missions. These
tactical teams are command and controlled by a planning and execution
structure led by United States Cyber Command through its subordinate
Joint Force Headquarters.
The second capability element, dedicated cyber defenses, are
arrayed in a defense-in-depth posture with a focused level of tiered
defenses including the Department's Internet Access Point defense
suites, the Joint Regional Security Stacks, and Service and Agency
network security boundaries at the organizational and installation
levels. These tiered defenses comprise our primary defense against
external threats in cyberspace.
The final main element of the Department's cyberspace capabilities
is defensible cyber terrain. The nature of cyberspace means that
individual end-user machines are directly susceptible to compromise, and
that a single compromise can quickly proliferate laterally to other
machines. This inside threat coupled with the human factor introduced
by users necessitates the protection of all networked systems to a
specified minimum level of cybersecurity. Over the past year, the
Department made significant gains in hardening our systems under the
Department Cybersecurity Scorecard effort. Coupled with increased end
point security, we must continue to train all personnel until they have
a working knowledge of cybersecurity practices, and hold leaders
accountable for instilling a culture of cybersecurity discipline.
Further improving the defensibility of cyber terrain involves
systematically identifying ``Mission Relevant Cyberspace Terrain'' and
obtaining situational awareness of that terrain in support of critical
missions. Executing the DOD Cyber Strategy line of effort on mission
assurance, the Joint Staff led a Department-wide initiative to bring
together expert planners from the cyber defense and mission assurance
communities to forge and codify a new approach to identifying the key
cyber terrain that underpins the Joint Force's critical missions. This
approach was vetted and refined during exercises. A formal Planning
Order was sent out to all Combatant Commands last month toward that
end, the culmination of 18 months of effort.
As the senior Joint Staff cyber leader, my main focus is on the
manning, training and equipping of the cyber force. The remainder of my
statement will focus on the successes and unique challenges faced in
building and maintaining the world's premier cyber force.
cyber forces
The Joint Force's ability to man the cyber force is predicated on
the assumption that the force is a net exporter of cyber talent. Much
like pilots, air traffic controllers and other highly technical
military specialties, the Joint Force does not compete with industry,
but rather is focused on building training programs and strategies to
grow talent, leverage Reserve Component expertise, and retain adequate
numbers of seasoned cyber operators to meet the growing demands in
cyberspace. By anchoring our personnel strategies in net production
vice competition, in addition to leveraging direct hires and native
talent, we will be better able to produce adequate numbers of cyber
experts while enhancing the collective cyber defense posture of our
Nation.
Developing a training program for cyber operators resembles the
challenge faced in training pilots and aircrew to operate the world's
most advanced aircraft, maintaining their skills on the latest aircraft
systems, and sustaining their numbers to ensure a constant sufficiency
of motivated and technically excellent personnel. Creating a
``pipeline'' in the United States military's air components took many
years. I am unsurprised by the challenges encountered while
constructing the training and personnel pipeline for the Cyber Mission
Force.
The Joint Force completed the Cyber Mission Force Training
Transition Plan in January of this year. The plan introduced a joint
training model and addresses the Cyber Mission Force Reserve Component
training demand. As part of this effort a training funding shortfall
was identified, and the Joint Staff is working with the Office of the
Secretary of Defense to mitigate this shortfall.
The make-up of the cyber force is unique in warfighting because
one-third of its composition is civilian. This poses a unique
recruiting and retention challenge. We appreciate the committee's focus
on this unique challenge and Congress' efforts to improve our ability
to address this issue with section 1107 of the fiscal year 2016
National Defense Authorization Act. The Department of Defense Chief
Information Officer's office is pursuing a permanent fix via the
implementation of the Department's Cyber Excepted Service program.
Equally important to manning and training the Cyber Mission Force
is evolving from the narrowly focused Service platforms employed by
cyber operators to a standardized joint capability that equips the
force effectively and efficiently with integration into existing
planning and force development constructs. The framework for equipping
the Cyber Mission Force for both defensive and offensive missions is
built upon a family of interoperable systems from which the Cyber
Mission Force can operate and synchronize operations. The Joint Force
is conducting an Analysis of Alternatives to determine how best to
equip the Cyber Mission Force with title 10 mission platforms.
The Cyber Mission Force--all 133 teams--met their Initial Operating
Capability milestone in October 2016. All teams are also on track to
meet their Full Operating Capability milestone by October 2018. More
than half of the teams have already met their Full Operating Capability
milestone and all 133 teams are actively performing their assigned
missions defending DOD networks, protecting weapons platforms, and
defending critical infrastructure. Despite these successes, there are
still significant readiness challenges that impact the cyber force.
Joint training standards have been published and instituted
standardized readiness reporting in the Defense Readiness Reporting
System in order to track and address these challenges. This nascent
tracking capability is beginning to identify trends that will help us
better shape Service policy and resourcing requirements in the future.
Each Service is working their unique cyber manpower challenges as
part of their man, train and equip responsibilities. They have learned
and adapted over the past four years, instituting a number of personnel
policy changes to ensure the success of the Cyber Mission Force and its
associated cyber tactical headquarters. For example, all of the
Services are leveraging their Reserve Components to augment Cyber
Mission Force teams, either in whole or in part, while adding Federal,
state and local cyber surge capacity allowing the nation to
collectively respond to major threat activity in cyber.
The Navy and Marine Corps continue to utilize individual augmentees
to fill gaps in their Active Duty Cyber Mission Force teams and are
looking at other ways to utilize their Reserve Components to address
critical skillsets and shortages. Also, the Air Force utilizes its
Reserve component to present three full teams to the Cyber
Mission Force as part of their total force contribution. Behind these 3
``full-time equivalent'' teams are 15 rotating reserve teams comprised
of Air Force Reserve and Air National Guard members that provide 12
teams of surge capacity in addition to the 3 full time teams required
by United States Cyber Command. Finally, the Army Reserve Component
began building an additional 21 teams to augment the original 133 Cyber
Mission Force teams as well. Once fully built, the Reserve component
will be providing approximately a fifth of the total Cyber Mission
Force surge capacity of 166 teams. The build and training plan for
these additional Reserve Component forces is included in the Cyber
Mission Force Training Transition Plan referenced earlier should you
wish further details.
The Cyber Mission Force continues to grow and mature, as does the
increasing need to Command and Control and synchronize the global
efforts of this complex and geographically dispersed warfighting
capability. The Joint Staff recently completed a revised Command and
Control model that streamlines the command relationships and
synchronizes actions in support of Combatant Command campaigns. This
model, coupled with manpower assessments performed by a team of joint
manpower experts last summer and fall, informed a Joint Manpower
Validation effort completed last month. The Department is currently
working with the Services to review resourcing requirements for the
future.
Conclusion
Thank you again, Mr. Chairman, Ranking Member Nelson, and Members
of the Committee for the opportunity to provide this statement. I am
grateful for the Committee's oversight and your support for our men and
women in uniform.
Senator Rounds. Thank you, sir.
Vice Admiral Gilday?
STATEMENT OF VICE ADMIRAL MICHAEL M. GILDAY, USN, COMMANDER,
UNITED STATES FLEET CYBER COMMAND AND COMMANDER, UNITED STATES
TENTH FLEET
VADM Gilday. Chairman Rounds, Senator McCaskill, good
afternoon.
On behalf of the more than 16,000 sailors and civilians of
Fleet Cyber Command, thank you for the opportunity to appear
before the subcommittee today.
I also want to thank you for your leadership in helping
keep our Nation secure, particularly in the complex domain of
cyberspace.
It has been my privilege to command Fleet Cyber Command for
the last 10 months. Based at Fort Meade, Fleet Cyber is the
operational headquarters for a globally deployed cyber force
responsible for operating and defending Navy networks,
operating our global telecommunications architecture, including
satellites, and providing cryptology, signals intelligence,
space, and cyber warfighting capabilities to support fleet and
combatant commanders.
These are distinct but overlapping mission sets, and I wear
three hats as the Navy cyber component to U.S. Cyber Command
for cyberspace operations, NSA [National Security Agency] for
cryptologic operations, and U.S. Strategic Command for space
operations.
We are also designated as a Joint Force Headquarters-Cyber
supporting both U.S. Pacific Command and U.S. Southern Command.
In addition to our Cyber Mission Force teams, we ensure full-
spectrum cyber operations are considered within the joint
planning environment.
In the maritime environment in which the Navy operates, it
has become increasingly more complex, and this is due in no
small part to the advancement and reliance on information
technology that is tightly interwoven within the cyber domain.
This growing integration of cyber into joint operations, as
well as the rise in threats against our systems, are two trends
that show no signs of slowing.
On those two points, the increased tempo in cyber
operations and the upward trend in malicious cyber activity, we
view our warfighting capability through a systems of systems
approach focusing on people, processes, and technology. Our
investments in people, processes, and technology, as well as
our operational focus, has been guided by three goals: first,
to operate our Navy networks as warfighting platforms; second,
to deliver effects through cyberspace; and third, to field and
sustain Navy's portion of the Cyber Mission Force. As of today,
we have 27 teams at full operational capability, and I expect
all of our teams to meet FOC before the October 2018 deadline.
Lastly, I still believe we have much room to grow. In
particular, we will continue to benefit from maturing
partnerships with the U.S. Military Services and our allies,
U.S. Government agencies, academia, and importantly, industry.
Greater cooperation through information sharing, whether it is
on common threats, new technologies, or best practices, is
critically important in this shared domain.
Thank you again, Mr. Chairman. I look forward to taking
your questions particularly, as you pointed out, those issues
associated with recruiting, retaining, and sustaining our cyber
force.
[The prepared statement of Vice Admiral Gilday follows:]
Prepared Statement by Vice Admiral Michael M. Gilday
Chairman Rounds, Ranking Member Nelson and distinguished Members of
the Subcommittee, thank you for your continued support of the men and
women of U.S. Fleet Cyber Command, the U.S. Tenth Fleet, and the United
States Navy. It is a privilege to represent those outstanding sailors
and civilians who comprise our Fleet Cyber/Tenth Fleet team, and I
appreciate this opportunity to update you on how our Navy's cyberspace
operations are evolving to remain competitive in a changing strategic
environment.
U.S. Fleet Cyber Command reports directly to the Chief of Naval
Operations as an Echelon II command and is responsible for operating
and securing Navy Enterprise networks, defending all Navy networks,
operating our global telecommunications architecture, and providing
Cryptology, Signals Intelligence (SIGINT), Information Operations,
Electronic Warfare, Cyber, and Space warfighting capabilities to
support fleet commanders and combatant commanders. With distinct, but
overlapping mission sets, U.S. Fleet Cyber Command serves as the Navy
Component Command to U.S. Cyber Command for cyberspace operations, the
Navy's Service Cryptologic Component Commander under the National
Security Agency/Central Security Service and the Navy's component for
space under U.S. Strategic Command.
Headquartered in Fort Meade, MD, U.S. Fleet Cyber Command exercises
operational control of globally-deployed forces through a task force
structure aligned to the U.S. Tenth Fleet. U.S. Fleet Cyber Command is
also designated as the Joint Force Headquarters-Cyber aligned to U.S.
Pacific Command and U.S. Southern Command for the development,
oversight, planning and command and control of full spectrum cyberspace
operations for assigned Cyber Mission Force teams.
U.S. Fleet Cyber Command's operational force comprises nearly
16,500 Active Duty and Reserve component sailors and civilians
organized into 24 Active commands and 32 Reserve commands around the
globe. The commands are operationally organized into a Tenth Fleet-
subordinate task force structure for execution of operational mission.
More than 35 percent of U.S. Fleet Cyber Command's operational forces
are directly aligned to execute our cyberspace operations missions.
In the two years since my predecessor VADM Jan Tighe last testified
before the Emerging Threats Subcommittee in April 2015, we developed
and released our Strategic Plan 2015-2020. This plan charts our course
to deliver on our responsibilities by leveraging our strengths and
shrinking the Navy's vulnerabilities to a cyber adversary, which I
detail throughout this statement. Across the wide-ranging
responsibilities, we identified 5 strategic goals:
1. Operate the Network as a Warfighting Platform: Defend Navy
networks, communications and space systems, ensure availability and,
when necessary, fight through them to achieve operational objectives.
2. Conduct Tailored Signals Intelligence: Meet the evolving SIGINT
needs of Navy commands, including intelligence support to cyber.
3. Deliver Warfighting Effects Through Cyberspace: Advance our
effects delivery capabilities to support a full spectrum of operations,
including cyber, electromagnetic maneuver, and information operations.
4. Create Shared Cyber Situational Awareness: Create a shareable
cyber common operating picture that evolves to full, immediate
awareness of our network and everything that happens on it.
5. Establish and mature Navy's Cyber Mission Forces: Stand up 40
highly expert Cyber Mission Teams and plan for the sustainability of
these teams over time.
Since that time, we, as a command, along with our fellow Service
Components, U.S. Cyber Command, and the Department of Defense (DOD),
have continued developing organizationally, as well as evolving
cyberspace capabilities and capacity. I thank you for the opportunity to
discuss the Navy's progress in cyberspace, where we have made much
progress and are moving out smartly on the course ahead.
Operate the Network as a Warfighting Platform
We operate in an increasingly competitive environment where
information is the fuel of decision making and protecting that
information and our mechanisms for Assured Command and Control (C2) are
critical to successful maritime operations. Loss of this information
not only degrades our confidence and effectiveness of our C2, it also
leads to loss of intellectual property and dulls our competitive edge.
The margins of victory are razor thin, and we cannot afford to lose a
step. To help ensure we retain our competitive edge, the forces of
Fleet Cyber Command and the Tenth Fleet are highly integrated with our
Navy's regional fleet commanders they support and are fully integrated
to current and future Fleet operations so we may flex and adjust our
cyberspace capabilities to maximize success of any assigned mission.
Our leadership is fully supportive of U.S. Fleet Forces Command and
U.S. Pacific Fleet's focus on distributed maritime operations and
Fleet-centric warfighting.
U.S. Fleet Cyber Command directs operations to secure, operate, and
defend Navy networks within the Department of Defense Information
Networks (DODIN). I can most succinctly capture our approach to
cybersecurity by stating the Navy operates its networks as a warfighting
platform. This concept has many facets, including as a warfighting
platform it must be aggressively defended from intrusion, exploitation
and attack. As a warfighting platform, the network must be agile and
resilient and responsive to the C2, intelligence, logistics, and combat
support functions that depend upon it. As a warfighting platform, it
must be capable of and available to deliver warfighting effects in
support of combatant commander operational priorities.
The Navy Networking Environment currently consists of more than
500,000 end user devices; an estimated 75,000 network devices (e.g.,
servers, domain controllers); and approximately 45,000 applications and
systems across three security enclaves. Reflective of the larger
culture, the demand for interconnectedness continues to grow and
cybersecurity solutions must keep pace.
Today's Navy's Enterprise Networks have benefited greatly from the
nearly 1 billion dollar executed and proposed investments (through
fiscal year 2020) that reduce the risk of successful cyberspace
operations against the Navy Networking Environment.
The Navy took such aggressive actions implementing lessons learned
during Operation Rolling Tide, during which U.S. Fleet Cyber Command
fought through an adversary intrusion into the Navy's unclassified
network. Some of our best investments have not only been in technology,
but in the development of policies and Tactics, Techniques and
Procedures. This investment of time and focus enabled significantly
increased visibility into and more importantly increased awareness of
the state of Navy's Enterprise Networks.
It was through the lens of our post-Operation Rolling Tide efforts
that the Navy identified where immediate infusion of defensive network
capabilities was most critical and where accelerated modernization of
network infrastructure was most warranted.
Reducing the network intrusion attack surface
Opportunities for malicious actors to gain access to our networks
come from a variety of sources such as known and zero-day cyber
security vulnerabilities, poor user behaviors, and supply chain
anomalies. Operationally, we think of these opportunities in terms of
the network intrusion attack surface presented to malicious cyber
actors. The greater the size of the attack surface, the greater the
risk to the Navy mission. The attack surface grows larger with aging
operating systems and when security patches to known vulnerabilities
are not rapidly deployed across our networks, systems, and
applications. The attack surface also grows larger when network users,
unaware of the ramifications of their on-line behavior, exercise poor
cyber hygiene and unwittingly succumb to spear phishing emails that
link and download malicious software, or use peer-to-peer file sharing
software that introduces malware to our networks, or simply plug their
personal electronic device into a computer to recharge it.
The Navy is taking positive steps in each of these areas to reduce
the network intrusion attack surface including enhanced cyber awareness
training for all hands, enhancements to how we monitor our networks for
compliance and vulnerabilities, and improving the process on how we
inspect the cyber readiness of our networks. Furthermore, we are
bolstering our ability to manage cyber security risks in our networks
through our certification and accreditation process, and through
working with industry partners and academia on ways to utilize data
analytics, machine learning, and other automation technologies.
Additionally, the Navy is reducing the attack surface with significant
investments and consolidation of our ashore and afloat networks with
modernization upgrades:
The Navy's Next Generation Enterprise Network-Recompete (NGEN-R) is
an evolution building on the successes of the current contract.
Incorporating lessons-learned from Operation Rolling Tide, a large-
scale network maneuver and operation to eradicate an adversary from
the Navy's unclassified network, and combining our overseas networks
into the Navy Marine Corps Intranet (NMCI), will offer improved
situational awareness, ability to C2, operate and defend the network.
Extending our CONUS NMCI to our OCONUS Network (ONE-Net) will leverage
the operational and security capabilities of the NMCI and the unique
requirements of our overseas warfighters, reducing the network attack
surfaces. The improved situational awareness capability in NGEN-R will
provide our headquarters and network defense subordinate forces the
ability to make better informed network operational decisions,
improving our network response actions, reducing the network intrusion
attack surface and decreasing response time.
Often times, people are viewed as the largest vulnerability in this
equation--by that same logic, we believe our people, each and every
person touching a keyboard, can make the network stronger. In addition
to cyber awareness training for all hands, we are working closely with
U.S. Cyber Command to develop an innovative and robust persistent
training environment for our network defenders. We are also working
closely with the U.S. Naval Academy, the Naval Postgraduate School, and
the U.S. Naval War College on ways to increase the relevance and
currency of their cybersecurity and cyberspace operations education
programs and initiatives.
Enhance our Defense in Depth Operations
The Navy is working closely with U.S. Cyber Command, NSA/CSS, our
Cyber Service counterparts, DISA, Inter-Agency partners, and commercial
cyber security providers to enhance our cyber defensive capabilities
through layered sensors and countermeasures from the interface with the
public internet down to the individual computers that make up the Navy
Networking Environment. We configure these defenses by leveraging all
source intelligence and industry cyber security products combined with
knowledge gained from analysis of our own network sensor data. As
information sharing improves, so does mutual defense.
We cannot and will not assure our mission in this domain alone. We
operate in and around an infrastructure that is largely commercially
owned. The rise of dual-use technology has created vulnerabilities, but
should just as well be leveraged for opportunity. Many of our
challenges are not unique to the .mil domain. We fend off the same
spectrum of adversaries, who are using the same playbooks against .govs
and .coms. We work to plug and patch the same legacy networks. Industry
is and will remain a critical mission partner through both technology
development and responsible information sharing.
We are also piloting and deploying new sensor capabilities to
improve our ability to detect adversary activity as early as possible.
This includes increasing the diversity of sensors on our networks,
moving beyond strictly signature-based capabilities to behavioral
sensing, and improving our ability to detect new and unknown malware.
We also have the need to be able to analyze this sensor data at
``machine speed,'' and are working with partners to investigate ways to
utilize emerging data sciences technologies to help with the analysis
of our networks.
I firmly believe the future lies in automation and machine learning
for defense. Not only does this change the dynamic of speed and scale,
but it allows us to use our people where they are most needed.
As my predecessor noted in her 2015 testimony, the Navy continues
to support the spirit and intent of the Joint Information Environment
(JIE), including the implementation of a single security architecture
(SSA) that begins with the Joint Regional Security Stacks. The Navy and
Marine Corps Intranet is our primary onramp into JIE, including
incorporating JIE technical standards into the acquisition of the Navy
Enterprise Networks as those standards are defined. In parallel, the
Navy is setting internal technical standards for implementation of a
Defense in Depth functional architecture across all our systems
commands and networks, afloat and ashore--from standard desktop
services to combat and industrial control systems. Additionally, the
Navy is transitioning along with the rest of DOD to the Risk Management
Framework, which is drawn from a solid basis using National Institute
of Standards and Technology practices. Most importantly, we are
integrating ways to better understand operational cybersecurity risk
and defensive posture throughout an information system's life cycle.
Operations in cyberspace are highly dynamic--we can only achieve a
truly defensible architecture by investing in automation of the
collection, integration, and presentation of data. This continuous
monitoring is critical to our understanding of how consistently our
systems are properly configured in accordance with standards. Only then
can operational commanders make cyber maneuver decisions with
confidence that they will deliver the intended results.
Together, these actions will help us to truly build cybersecurity
and resilience in at the beginning of system development and avoid the
pitfalls associated with trying to bolt it on at the end.
The Joint Information Environment's Joint Regional Security Stacks
will become part of our future defense in depth capabilities. As
described above, the Navy has already consolidated our networks behind
defensive sensors and countermeasures. We expect that Joint Regional
Security Stacks (JRSS) v2.0 will be the first increment connected to
the Navy Enterprise Networks. Accordingly, the Department of Navy is
planning to consolidate under JRSS 2.0 as part of the technical refresh
cycle for NMCI when JRSS meets or exceeds existing Navy capabilities.
Integrating the Navy Enterprise Network with the Joint Information
Environment's Joint Regional Security Stacks will allow shared
visibility into the boundary capabilities for Navy and DOD integrated
DODIN.
For our part, U.S. Fleet Cyber Command is operationally focused on
continuously improving the Navy's cyber security posture by reducing
the network intrusion attack surface, implementing and operating
layered defense in depth capabilities, and expanding the Navy's
cyberspace situational awareness.
Create Cyber Situational Awareness
Just like any other domain, success in cyberspace requires
awareness of both ourselves and our enemies: it requires that we
constantly monitor and analyze Navy platforms within both the classic
maritime system and global information system. To succeed, we must
understand both sides' vulnerabilities and the potential consequences
within both systems. To that end, we work to mature our abilities to
detect, analyze, report, and take action in and through our Networks.
The Navy has started down the acquisition path to expand our Navy Cyber
Situational Awareness (NCSA) capabilities with a more robust, globally
populated and mission-tailorable cyber common operating picture (COP).
Additionally, we are working with our SPAWAR and NAVSEA acquisition
partners to improve the network sensor information we can collect
across our platforms into a single dedicated big data analytics
platform that will bring with it a new level of fidelity and agility to
our warfighting. This data strategy will enable us to work seamlessly
with all DOD network operations and maritime operations data. The
SHARKCAGE platform will allow for better overall situational awareness
and improved speed of response to the most dangerous malicious activity
by leveraging the power of machine learning and artificial intelligence
to harness existing knowledge more rapidly. Building cyber situational
awareness from the maritime tactical edge back, will bring with it a
superior Joint warfighting force that will be capable of maneuvering
through the electromagnetic spectrum and fight resiliently in the age
of informationalized warfare.
U.S. Fleet Cyber Command Operational Forces
Status of the Cyber Mission Force
The Cyber Mission Force is designed to accomplish three primary
missions: National Mission Teams will defend the nation against
national level threats, Combat Mission Teams to support combatant
commander priorities and missions, and Cyber Protection Teams to defend
Department of Defense information networks and improve network
security.
Navy and other cyber service components are building these teams
for U.S. Cyber Command by manning, training, and certifying them to the
U.S. Cyber Command standards. Navy teams are organized into existing
U.S. Fleet Cyber Command operational commands at cryptologic centers,
fleet concentration areas, and Fort Meade, depending upon their
specific mission. Navy is responsible for sourcing four National
Mission Teams, eight Combat Mission Teams, and 20 Cyber Protection
Teams as well as their supporting teams consisting of three National
Support Teams and five Combat Support Teams.
The Navy is currently on track to have full operational capability
for all 40 Navy-sourced Cyber Mission Force Teams in 2018. As of 1
April 2017, we had 26 teams at final operating capability. We are in
the process of manning, training, and equipping our teams to be FOC
ahead of the October 2018 deadline. Additionally, by October 1st of
this year, 298 cyber reserve billets will augment the Cyber Force
manning plan.
Over the past year, we have focused on the integration of our
Fleet's efforts, capacity and capabilities across the Navy and Joint
force. In my role as the Joint Force Headquarters-Cyber commander
aligned to U.S. Pacific Command this was an area where organizationally
we have recently made progress. As a JFHQ-C Commander, I required an
extension of my staff at PACOM to integrate cyberspace planning and
force employment into Geographic Combatant Command operations alongside
forces from other domains. So in February of this year, I organized my
Cyber Mission Force teams in Hawaii to form an interim Cyber Forward
Element as a one-stop-shop for full spectrum cyberspace operations in
support of PACOM until permanent manning is available to support the
Geographic Combatant Command. This Fleet Cyber Command-Forward Element
is not a new command, but rather an extension of my staff to provide
Offensive and Defensive Cyberspace planning to PACOM on a permanent
basis. Our planning with PACOM must be robust enough to create cyber
support plans that are integrated into their operational plans. This
required a staff that is fully embedded into the supported daily battle
rhythm processes while relying upon reach back to, and support from, my
main staff at the Headquarters. This forward element has already
improved relationship with PACOM in the short time they have been
established, and it allows me to have the functionality and capacity I
require to effectively C2 my operational Cyber Forces, which include
three USAF CMF teams and two US Army CMF teams, as well as my Navy
Cyber Mission Forces.
Reserve Cyber Mission Forces
Through ongoing mission analysis of the Navy Total Force
Integration Strategy, we developed a Reserve Cyber Mission Force
Integration Strategy that leverages our Reserve sailors' military and
civilian skills and expertise to maximize the Reserve Component's
support to the full spectrum of cyber mission areas. Based on this
mission analysis, we like other services see the maximum value from our
Reserve element within the high-priority Defensive Cyber Operations
area. Accordingly the 298 Reserve billets, of which the final phase
will come into service in October, are being individually aligned to
Active Duty Cyber Protection Teams and the Joint Force Headquarters-
Cyber. Each of these Navy-sourced teams will maximize its assigned
Reserve sailors' particular expertise and skill sets to augment each
team's mission capabilities, rather than as a one-for-one replacement
of team workroles. In this way, we can ensure access to the unique
skillsets our Reserve sailors bring to the fight, while at the same
time building a cadre of highly trained personnel that can be called on
for surge efforts now and in the future.
As our Reserve Cyber billets are fully manned and these personnel
trained over the next few years, we will continue to assess our Reserve
Cyber Mission Force Integration Strategy and adapt as necessary to
develop and maintain an indispensably viable and sustainable Navy
Reserve Force contribution to the Cyber Mission Force.
Recruit and Retain
In fiscal year 2016, the Navy met officer and enlisted cyber
accession goals, and is on track to meet accession goals in fiscal year
2017. Currently authorized special and incentive pays, such as the
Enlistment Bonus, should provide adequate stimulus to continue
achieving enlisted accession mission, but the Navy will continue to
evaluate their effectiveness as the cyber mission grows.
Today, Navy Cyber Mission Force (CMF) enlisted ratings (CTI, CTN,
CTR, IS, IT) are meeting retention goals. Sailors in the most critical
skill sets within each of these ratings are eligible for Selective
Reenlistment Bonus (SRB). SRB contributes significantly to retaining
our most talented sailors, but we must closely monitor its
effectiveness as the civilian job market continues to improve and the
demand for cyber professionals increases. Additionally, we have
requested, and anticipate approval of Special Duty Assignment Pay
(SDAP) for one of our most critical skill sets, Interactive On-Net
Operators (IONs). SDAP would provide a monthly stipend of $200-$500.
Cyber-related officer communities are also meeting retention goals.
While both Cryptologic Warfare (CW) and Information Professional (IP)
communities experienced growth associated with increased cyber
missions, we are retaining Officers in these communities at 93 percent
overall. Both CW and IP are effectively-managing growth through direct
accessions and through the lateral transfer process, thereby ensuring
cyber-talented officers enter, and continue to serve.
With respect to the civilian workforce, we currently have 91
civilian positions within the Cyber Mission Force. Forty-seven of these
positions are filling various workroles throughout the CMF and 44 are
our Computer Scientists/Tool Developers. Currently we have 27 of the 47
positions filled throughout CMF; are in the initial recruitment phase
for our 44 Tool Developers and have made 13 other selections to date.
We are aggressively hiring to our civilian authorizations consistent
with our operational needs and fully supported by the Navy's priority
to ensure health of the cyber workforce. We have also initiated a pilot
internship program with a local university to recruit skilled civilian
and military cyber workforce professionals. Navy will measure the
success of this approach as a potential model to harness the nation's
emerging cyber talent. Our primary challenges in recruiting are the
current compensation allowable and competition with industry and other
DOD entities. With this in mind, we are now offering various incentives
to potential candidates which includes higher step (step 7) on the GS
pay scale, 10 percent of salary as a one-time recruitment incentive, 10
percent of salary for relocation expenses, and several years of
assistance in student loan payback (5K per year). Even with these
incentives, we are not competitive with industry or NSA.
As the economy continues to improve, we expect to see more
challenges in recruiting and retaining our cyber workforce.
Educate, Train, Maintain
To develop officers to succeed in the increasingly complex
cyberspace environment, the U.S. Naval Academy offers introductory
cyber courses for all freshmen and juniors to baseline knowledge.
Additionally, USNA began a Cyber Operations major in the fall of 2013,
and in 2016, 27 Midshipmen were the first to graduate with the degree.
This year, 46 Midshipmen will graduate with the degree and 72 have
entered the major. Furthermore, the Center for Cyber Security Studies
harmonizes cyber efforts across the Naval Academy.
Our Naval Reserve Officer Training Corps' (NROTC) program maintains
affiliations at 51 of the 180 National Security Agency (NSA) Centers of
Academic Excellence (CAE) at colleges around the country. Qualified and
selected graduates can commission as Cryptologic Warfare Officers,
Information Professional Officers, or Intelligence Officers within the
Information Warfare Community.
For graduate-level education, the Naval Postgraduate School offers
several outstanding graduate degree programs that directly underpin
cyberspace operations and greatly contribute to the development of
officers and select enlisted personnel who have already earned a
Bachelor's Degree. These degree programs include Electrical and
Computer Engineering, Computer Science, Cyber Systems Operations,
Network Operations and Technology, and Applied Mathematics, Operations
Analysis, and Defense Analysis. Naval War College is incorporating
cyber into its strategic and operational level war courses, at both
intermediate and senior graduate-course levels. The College also
integrates strategic cyber research into focused Information Operations
(IO)/Cybersecurity courses, hosts a Center for Cyber Conflict Studies
(C3S) to support wider cyber integration across the College, and has
placed special emphasis on Cyber in its war gaming role, including a
whole-of-government Cyber war game under active consideration for this
coming summer or fall.
With respect to training of the Cyber Mission Force, U.S. Cyber
Command mandates Joint Cyberspace Training & Certification Standards,
which encompass procedures, guidelines, and qualifications for
individual and collective training. U.S. Cyber Command with the Service
Cyber Components has identified the advanced training required to
fulfill specialized work-roles in the Cyber Mission Force. Most of the
training today is delivered by U.S. Cyber Command and the National
Security Agency in a federated but integrated approach that utilizes
existing schoolhouses and sharing of resources. The Navy is unified in
efforts with the other Services to build Joint Cyber training
capability, leveraging Joint training opportunities, and driving
towards a common standard. These training events are not only aimed at
the individual sailors, but also provide operational team
certifications and sustainment training. Once certified, our team
training is maintained throughout the year via several key unit level
exercise events which allow individuals and the collective team to
demonstrate required skills against simulated adversaries.
Future Cyber Workforce Needs
The Navy's operational need for a well-trained and motivated cyber
workforce (Active, Reserve and civilian) will continue to grow in the
coming years as we build out the balance of Cyber Mission Force.
We will depend upon commands across the Navy to recruit, train,
educate, retain and maintain this workforce including the Chief of
Naval Personnel, Navy Recruiting Command, Naval Education and Training
Command and Navy's Institutions of Higher Education (United States
Naval Academy, Naval Postgraduate School, and Naval War College).
Additionally, the establishment of Naval Information Forces (NAVIFOR)
in 2014 as a type commander has made a significant impact in generating
readiness for cyber mission requirements. NAVIFOR works closely with
the Man, Train, and Equip organizations across the Navy to ensure that
U.S. Fleet Cyber Command and other Information Warfare operational
commands achieve proper readiness to meet mission requirements. Navy is
now enhancing the NAVIFOR capability with the establishment of the
Naval Information Warfare Development Command (NIWDC), newly
established in 2017, to advance the maturing of Information Warfare,
including cyberspace operations, doctrine, training, Tactics,
Techniques & Procedures (TT&P).
Fleet Readiness
The Navy's 2018 budget continues to prioritize readiness alongside
the investments necessary to sustain an advantage in advanced
technologies and weapons systems. Ensuring the cyber resiliency of
networks is part of maintaining the readiness of warfighting platforms.
The budget continues funding to train and equip Cyber Mission
Forces, provides investments in Science and Technology and information
assurance activities to strengthen our ability to defend the network.
To maintain our advantage in advanced technologies and weapons, funding
is provided for engineering to improve control points and boundary
defense across Hull, Machinery & Electrical, Navigation and Combat
Control Systems and for Cyber Situational Awareness.
The Navy is requesting increased investment in Defensive Cyber
Operations forces' ability to detect adversary activities and analyze
cyber attacks against Maritime Cyber Key Terrain (CKT) and to integrate
all-source intelligence and Navy data to assess adversary capabilities.
The goal of the investments is to improve the Navy's capacity to
deliver to operational commanders, cyber situational awareness at all
layers of the IT infrastructure and provide a cyber common operational
picture (COP) at our Fleet Maritime Operations Centers.
Funding for training is necessary to ensure operator proficiency as
Fleet systems are modernized and become more complex. I believe the
Navy's ability to appropriately fund training of our operators in these
new technologies will improve operational readiness.
Summary
Your Navy has recognized that we have not only witnessed a changing
and evolving cast of competitors, but the very nature of our strategic
environment has changed. We are witnessing a return to great power
competition. In the Chief of Naval Operations' Campaign Design for
Maritime Superiority, he points to the rise of the global information
system and the rate of technological creation and adoption as two of
the dominant global forces shaping the maritime environment our Navy
must operate, and if called upon, fight in. Cyberspace will be a
contested environment and we cannot take freedom of maneuver for
granted. It is clear that our reliance on our networks will not
diminish as we push toward distributed maritime operations.
U.S. Navy freedom of action in cyberspace is necessary for all
missions that our nation expects us to be capable of carrying out
including winning wars, deterring aggression and maintaining freedom of
the seas.
There is no individual success, at least not in the long term. We
will succeed by leveraging our strengths and shrinking our
vulnerabilities. Operational success will be built upon a strong
network of partners (DOD, Interagency, Industry and Academia), a
resilient, defensible infrastructure, and complemented by our greatest
resource and asymmetric advantage--our people.
Thank you again for this opportunity to update you on great work
being done by the men and women of Fleet Cyber Command, Tenth Fleet and
the U.S. Navy. I look forward to working closely with Members of the
subcommittee on cybersecurity and appreciate your support of these
cyber investments included in the Navy's 2018 budget request. I'm happy
to take your questions.
Senator Rounds. Thank you, sir.
Lieutenant General Nakasone?
STATEMENT OF LIEUTENANT GENERAL PAUL M. NAKASONE, USA,
COMMANDING GENERAL, UNITED STATES ARMY CYBER COMMAND
LTG Nakasone. Chairman Rounds, Senator McCaskill, good
afternoon. It is an honor to appear today on behalf of the men
and women of U.S. Army Cyber Command and alongside Vice Admiral
Lytle and my fellow service commanders.
My testimony today will focus on five different areas:
first of all, the Army's progress in operations; its progress
in readiness; its progress in resourcing; its progress in
training; and its progress in partnering.
Three key priorities are guiding our operations.
First, we are aggressively operating and defending our
networks, data, and weapon systems through network hardening,
modernization, and active defense of Army networks.
Second, we are delivering effects against our adversaries,
as illustrated by Joint Task Force Aries, which is contributing
to the success of coalition forces against ISIS [Islamic State
of Iraq and Syria].
Third, we are designing, building, and delivering
integrated capabilities for the future fight, focusing on
defensive and offensive cyberspace operations.
Supporting readiness, the Army is building 62 total force
cyber mission teams. The 41 Active component teams are built
and supporting real-world operations today. The Army's Reserve
component is building 21 cyber protection teams, 11 in the Army
National Guard and 10 in the U.S. Army Reserve. The Army will
integrate the Reserve component teams into our Cyber Mission
Force.
The Army has also made strides improving network readiness.
As the recent ransomware/malware incident has demonstrated,
ensuring the security of our network must remain our number one
priority requiring constant vigilance.
In the area of resources, the Army is implementing two
talent management initiatives: first, a direct commissioning
program to bring talented and experienced individuals on board
at higher levels of responsibility and pay; secondly, a
civilian cyber effects career program to unify multiple
occupational specialties into one cross-disciplinary model for
training and management.
In regards to training, since September 2014, the Cyber
Center of Excellence has trained 1,500 soldiers. To ensure our
teams are trained to USCYBERCOM [U.S. Cyber Command] standards,
we will conduct approximately 80 collector training events and
48 internal mission rehearsals type training events during
fiscal year 2017 to build proficiency and prepare teams for
recertification, revalidation, and mission support operations.
To support training, DOD designated the Army as the
acquisition authority for a joint cyber range, which will
provide high quality scenarios for individual and team and
collective and mission rehearsal training for the joint cyber
force.
Finally, partnerships are integral to our efforts. Army
Cyber Command leverages the private sector and academic
partnerships under various DOD umbrella programs to collaborate
across the cybersecurity community.
Chairman Rounds, Ranking Member Nelson, Senators Fischer
and McCaskill, thank you very much today. Your Army teams are
actively protecting and defending Army and DOD networks,
securing Army weapons platforms, protecting critical
infrastructure, and conducting operations against global cyber
threats. With the continued support of Congress, the Army will
maintain its tremendous momentum building a more capable,
modern, ready force that is prepared to meet any adversary in
cyberspace today and tomorrow. Thank you.
[The prepared statement of General Nakasone follows:]
Prepared Statement by LTG Paul M. Nakasone
Introduction
Chairman Rounds, Ranking Member Nelson, and Members of the
Subcommittee, thank you for your continued support of U.S. Army Cyber
Command (ARCYBER) and our efforts to operationalize cyberspace for our
Army. It is an honor to address this subcommittee on behalf of the
dedicated soldiers and Army Civilians of ARCYBER who work every day
defending the Nation in cyberspace. This testimony focuses on ARCYBER's
ongoing progress in the areas of Operations, Readiness, Resources,
Training, and Partnering.
The Army Cyber Enterprise has made significant progress
operationalizing cyberspace since my predecessor's testimony before the
Subcommittee on Emerging Threats and Capabilities in April 2015. Since
then, Army Cyber Command has completed the initial build of the Army's
Cyber Mission Force (CMF). All 41 Active Component Army teams are at
Initial Operational Capability or better and all are on track to be at
Full Operational Capability by the end of September 2017, a year ahead
of U.S. Cyber Command's (USCYBERCOM's) mandated timeline. The Army is
now building an additional 21 Reserve Component (RC) Cyber Protection
Teams (CPTs), trained to the same Joint standards as the Active
Component teams, which will be integrated into the Army's Total Cyber
Mission Force.
Additionally, the Cyber Center of Excellence (Cyber CoE) graduated
its first class of Cyber Branch Lieutenants in May 2016; its first
class of Cyber Warrant Officers in March 2017; and began training its
first class of new cyber enlisted recruits also in March 2017. The
Cyber CoE trained a total of 582 Cyber Branch Soldiers during fiscal
year (FY) 2016 and is scheduled to train another 1,200 soldiers during
fiscal year 2017. The Army cyber force now includes 2,331 soldiers with
career fields that include Cyberspace and Electronic Warfare
operations (557 Officers, 305 Warrant Officers, and 1,469 Enlisted).
Furthermore, the Cyber Center of Excellence recently published Field
Manual (FM) 3-12, Cyberspace and Electronic Warfare Operations, which
provides overarching doctrinal guidance and direction to the Army for
conducting cyberspace and electronic warfare (EW) operations in unified
land operations. Army Cyber Command is continuing its Cyber
Electromagnetic Activity (CEMA) Support to Corps and Below pilot
program and is now working with our Army partners to determine enduring
support requirements at the combat training centers and ultimately,
cyber force structure and requirements at the tactical level within the
Army.
The Army also recently made several important organizational
changes to the Army Cyber Enterprise to improve our ability to conduct
cyberspace operations and support Joint and Army commanders. First, the
Army elevated ARCYBER to an Army Service Component Command (ASCC)
ensuring ARCYBER receives the same level of resourcing as other ASCCs
supporting combatant commanders. Second, the Army reassigned the
Network Enterprise Technology Command to ARCYBER to better align
responsibilities and authorities to support USCYBERCOM and Army
requirements and to better align roles and responsibilities for the
Army's portion of Department of Defense Information Network (DODIN).
Third, the Army established an Army Cyber Directorate within the
Headquarters Department of the Army (DAMO-CY), to advocate and
coordinate cyberspace doctrine, policy, organization, and resourcing
issues within the Pentagon. The DAMO-CY Directorate joins the Army's
Cyberspace Tetrad that includes the Army Cyber Institute, the Cyber
Center of Excellence, and ARCYBER. Finally, the Army broke ground for
the new Army Cyber Headquarters Complex at Fort Gordon, Georgia in
November 2016, and has committed to future investments in new Cyber
Center of Excellence facilities in which to train our soldiers.
Army Cyber Command is building on the Army's past progress while
focusing on three key priorities: Aggressively Operating and Defending
Our Networks, Data, and Weapons Systems; Delivering Effects Against Our
Adversaries; and Designing, Building and Delivering Integrated
Capabilities for the Future Fight. Today, Army cyberspace forces,
including Reserve Component forces, are improving the Army's
cybersecurity posture; protecting and defending Army and DOD networks,
systems, and critical infrastructure; supporting Joint and Army
commanders; and engaging our adversaries in cyberspace every day.
While ARCYBER has made significant advances building the Army's
cyberspace capacity and capabilities over the past six years, our
progress will be overshadowed by the inability to maintain overmatch
against near-peer competitors due to a lack of sustained, long-term,
and predictable funding. As evidenced by the recent threat of a year-long
continuing resolution, the Army would have been forced to stop
funding for Army National Guard Cyber Protection Teams. This would have
slowed the Army's ability to fulfill the congressional mandate to
integrate Army Reserve Component Cyber Protection Teams into the Cyber
Mission Force. The Continuing Resolution delayed the fielding of the
Joint Persistent Cyber Training Environment leading to greater costs
and delays in building DOD cyber capability and capacity. Further, a
major impediment to improving Army cybersecurity through network
modernization has been a lack of predictable funding. The Army needs an
end to the year-after-year continuing resolutions and relief from the
Budget Control Act of 2011 to help restore readiness levels and build
force capacity and capabilities to counter emerging threats, including
those in cyberspace.
Operations
Cyberspace operations encompass three interrelated areas:
Department of Defense Information Network (DODIN) operations, Defensive
Cyberspace Operations (DCO), and Offensive Cyberspace Operations (OCO).
Army DODIN operations are the most complex, most important mission
ARCYBER conducts. They include building, operating, defending, and
maintaining the Army's portion of the DODIN. Our five Regional Cyber
Centers conduct DODIN operations around-the-clock, serving as the
Army's Cybersecurity Service Providers (CSSP). The Army continues to
work with U.S. Strategic Command and the Joint Chiefs of Staff to
realign our DODIN force structure in accordance with the 2017 NDAA and
to gain better command and control over the global cyber theater.
To support DODIN operations and improve cybersecurity, the Army is
building a more reliable, secure and ready network through system
hardening and modernization. A new effort between ARCYBER and the
Army's Chief Information Officer/G6 (CIO/G-6), called the ``DODIN
Initiatives'' is key to our system hardening efforts. This initiative
focuses on information sharing to include tracking progress,
identifying gaps and issues with policies or resources to unify the way
ahead for the Army.
The greatest challenge and most critical aspect of a ready, secure,
and available network is a modern and resilient infrastructure. In the
Army we refer to our efforts to achieve this as Network Modernization
(NETMOD). The Army's NETMOD efforts include: Joint Regional Security
Stack (JRSS) migration, Multiprotocol Label Switching upgrades, and
Installation Campus Area Network upgrades. The Army is partnering with
the U.S. Air Force and the Defense Information Systems Agency (DISA) in
deploying JRSS to centralize the Army's existing perimeter security
infrastructure. The Army has completed the upgrade of 22 of its
installations' network infrastructure and migrated them to the JRSS.
The Army continues to upgrade its installations' network infrastructure
and migrate within the JRSS. The current plan is a phased approach
upgrading installations within CONUS, Southwest Asia and European
Theater, followed by the Pacific Theater, to include Korea and Alaska,
with main installations being complete by fourth quarter fiscal year
2019. At the next layer of Network Modernization, DISA has completed
upgrading the Army's fiber optics and Multiprotocol Label Switching
circuits of 18 installations and is focused on completing seven more
sites this year. These initiatives, in combination with the increased
capabilities of our operational force, will enable stronger cyber
protection, detection, and response to cyber threats across the DODIN.
In order to take advantage of these DOD network improvements at the
Army Base/Post/Camp/Station level, we must modernize our own
infrastructure through Installation Campus Area Network upgrades. This
is an enduring effort to stay current with technological advances. A
top DOD and Army priority, aimed at hardening our endpoints and
infrastructure, is the implementation of assuring appropriate upgrades
to our operating system and applications. The DOD-managed common secure
host baseline will allow the Army to strengthen our cybersecurity
posture while concurrently streamlining the IT operating environment.
Additional end-point efforts include one focused on security and one on
management. All these efforts combined enable us to provide the Army
with a ready, secure, and available network that supports Mission
Command and supports the projection of combat power. While the Army's
investment in network hardening and modernization has paid dividends,
ARCYBER would benefit from predictable funding for DODIN operations. A
lack of predictable funding is the major impediment to improving Army
cybersecurity through network hardening and modernization.
In addition to building a more defendable network, ARCYBER conducts
both passive and active Defensive Cyberspace Operations to protect and
defend the Army portion of the DODIN. Defensive Cyberspace operations
are mission focused, prioritized on critical assets, and threat
specific. Our Cyber Protection Brigade (CPB) and its Cyber Protection
Teams conduct critical active defense of the DODIN. The CPB's ability
to conduct active recon for advanced persistent threats distinguishes
them from the functions of a CSSP that is dedicated to protecting our
network against known threats. Our CPTs are a maneuver element in
cyberspace that reinforce the protection mission of a CSSP based on
analysis of the mission relevant cyber terrain and threats provided by
national intelligence and our own internally-collected cyber
intelligence. The CPB also helps protect and defend the Army's critical
infrastructure and support both national requirements and Joint and
Army commanders around the globe. The Brigade includes 900 soldiers and
Civilians who make up 20 Active Component Cyber Protection Teams.
Importantly, our Cyber Protection Brigade supports Army Mission
Assurance, providing Critical Infrastructure Risk Management
assessments to identify potential vulnerabilities and threats. The CPB
works with Department of the Army, Army Materiel Command, U.S. Army
Corps of Engineers (USACE), and other stakeholders in an Army-wide
approach to ensuring the cybersecurity of critical Army systems and
infrastructure, including the Nation-wide systems of dams and
hydroelectric plants USACE manages. Our CPTs deploy worldwide
(including austere environments) with mobile capabilities within hours
of notification, employing platforms and tools across the breadth and
depth of our network. Our teams also provide ``reach-back'' support to
deployed forces that allows us to put the right person on the right
task at the right time.
The pace of operations and dynamic nature of the threats means our
cyberspace forces engage with our adversaries in cyberspace as they are
being built, usually before they achieve full operational capability.
Both defensive and offensive Army cyber forces are rapidly maturing and
building credibility with our combatant commanders in warfighting
operations every day; continually learning and innovating their
tactics, techniques, and procedures against determined, adaptive and
aggressive adversaries.
Our Army Cyber Mission Forces execute Offensive Cyberspace
Operations, to project power by the application of force in or through
cyberspace, under the authorities of combatant commanders and
USCYBERCOM. Established by USCYBERCOM in June 2016 and commanded by the
ARCYBER Commander, JTF-ARES is a Joint cyber operational headquarters
providing cyber capabilities in support of US Central Command's
counter-ISIS operations. The Task Force has brought cyber out of the
shadows and successfully demonstrated the value and capabilities of
cyberspace operations to the Joint Force when integrated as part of
broader coordinated military effort.
Readiness
Readiness is the Army's overriding priority. To support readiness,
the Army is building 62 Total Force CMF teams, all trained to the same
joint standards, to support Joint and Army commanders. The 41 Active
Component (AC) teams are built and conducting cyberspace operations
supporting real world operations today. They are also defending DOD
networks, protecting Army weapons systems, and defending critical
infrastructure. Currently, 33 of the Army's 41 AC teams are at full
operational capability, while eight teams remain at initial operating
capability. By 30 September 2017, all 41 teams will be fully
operational. With the completion of the CMF build, the Army is now
progressing from building its cyber force to measuring the readiness of
this force. Army Cyber Command is working with USCYBERCOM to implement
metrics to measure CMF readiness through the Defense Readiness
Reporting System.
Reserve Component Cyber Protection Teams
The Army's Reserve Component (RC), comprised of the Army National
Guard (ARNG) and U.S. Army Reserve (USAR), is critical to Army
readiness. The RC is building 21 Cyber Protection Teams (11 ARNG, 10
USAR) creating a Total Force solution, all trained to the same Joint
standards as the Active Component. As required under section 1651 of
the National Defense Authorization Act of fiscal year 2017, the Army is
implementing a Total Army RC cyber strategy to integrate the 21 RC CPTs
into the Army's Cyber Mission Force to support Joint and Army
cyberspace requirements.
Network Readiness
Network readiness is a component of Army readiness. Today the Army
and the Joint Force depend on unimpeded access to the DODIN for
everything from business operations to missile defense. The network is
now not only a critical enabler, but also an operational capability for
cyberspace operations, vital to our operational readiness, and
therefore important to measure. The Army currently measures network
compliance with policy, regulation, and law through the Cybersecurity
Scorecard, Command Cyber Readiness Inspections, and Command Cyber
Operational Readiness Inspections.
Army Cyber Command partnered with JFHQ-DODIN to execute the next
evolution of Cybersecurity inspections under the Command Cybersecurity
Operational Readiness Inspection (CCORI), to replace the Command Cyber
Readiness Inspection. The CCORI moves cybersecurity inspections from a
compliance-based systems inspection to a risk-based Operational
Commander's Mission focused inspection. The CCORI highlights the risks
to operational missions within a Command by employing active external
and internal threat actors against a commander's mission critical
systems. The CCORI outcome provides an operational risk measurement to
mission by mission critical task and a system to assist commanders in
prioritizing cybersecurity resources.
The DOD Cybersecurity Scorecard has brought basic cybersecurity
hygiene to the forefront at the DOD level and has forced the Army to
prioritize basic cybersecurity requirements. The Army has made strides
towards remediating identified critical vulnerabilities across the
enterprise and capturing the effectiveness of remediation efforts. The
Army continues to work with DOD CIO to refine the Scorecard metrics to
move from cybersecurity compliance to risk-based scorecard measurements
to provide a mission assurance focus.
Training
Army Cyber Mission Force training has three key components:
individual, collective, and mission rehearsal. Individual training is
focused on formal training, work role specific training, and
job-specific qualification and certification training conducted at the work
center. Individual training focuses on building individual core
competencies, proficiencies, skills and knowledge necessary to
accomplish assigned tasks.
During collective training, team members train in realistic
environments and to relevant threats. Army CMF teams will conduct
approximately 80 collective training events, throughout fiscal year
2017 to ensure they are fully trained to USCYBERCOM joint standards.
Live, virtual, and constructive scenarios are used to ensure that
training is holistic, repeatable, and measurable. Collective training
is used to increase team proficiency, certify teams for operations, and
allow leaders to build trust and confidence within their teams.
Participation in USCYBERCOM exercises, CYBER GUARD and CYBER FLAG,
helps achieve certification or revalidation.
Mission rehearsal training events are conducted to ensure that
leaders understand their missions, the threats and risks they will
face, and are prepared for contingencies. Army CMF teams are scheduled
to conduct 48 internal mission rehearsal type training events during
fiscal year 17 in order to build team proficiency, preparation for
recertification/revalidation and mission preparations to support
operations. These events occur at home station, training centers, and
in deployed areas. Army Cyber Command teams also participate with
Joint, interagency and coalition partners through Combatant Command
training exercises for operational mission sets.
The Cyber Center of Excellence (CCoE) located at Fort Gordon,
Georgia, operates the Army's Cyber School and trains Army Cyber Branch
Soldiers and members of the other Services. All three cohorts, officer,
warrant officer and enlisted, conclude their training by participating
in Joint exercises ensuring they are well prepared to support Army
units at all levels.
The CCoE is explicitly charged with incorporating Joint standards
into the curriculum. The Joint Cyber Training and Certification
Standards set work roles and training to a single joint standard
applied across multiple Services building like teams. It unites the
Services' efforts to train and certify their respective CMFs to perform
in a joint environment. The CCoE focuses on individual training and has
begun training key USCYBERCOM J7 pipeline courses including Cyber
Common Technical Core (equivalent to Intermediate Cyber Core), CPT Core
Methodologies, Cyber Operations Planner Course, and the Joint Advanced
Cyber Warfare Course. Since the Army established the Army Cyber Branch,
Career Field 17 in September 2014, the CCoE has trained 1,500 Cyber
Branch Soldiers. Fiscal year 2018 will see more soldiers trained in the
Army 17-series pipeline, and soldiers will continue to attend Military
Occupation Specialty qualification courses. Graduates of these courses
will provide a steady stream of trained 17-series soldiers, thus
decreasing the individual training burden on units and improving force
readiness.
Establishing a Persistent Cyber Training Environment (PCTE) is
central to training the Joint Cyber Mission Force and maintaining high
levels of proficiency. In support of section 1645 of the fiscal year 16
National Defense Authorization Act, DOD designated the Army as the
acquisition authority for the PCTE. The PCTE will provide high quality
scenarios and event management for individual, team/collective, and
mission rehearsal training for all four Services and USCYBERCOM. At
maturity, we envision the DOD Joint PCTE platform as a constellation of
federated, interoperable common training capabilities--enabling
training from individual competencies at the team, unit, group and
force training levels; including exercises, tactics, techniques, and
procedures development, up to mission rehearsal.
CEMA Support to Corps and Below
In 2015 the Army initiated a Cyber Electromagnetic Activities
(CEMA) Support to Corps and Below (CSCB) pilot program. The CSCB effort
serves four primary purposes: Define what offensive and defensive cyber
effects to integrate at the echelon Corps and below; Determine
expeditionary Defensive Cyberspace Operations, Offensive Cyberspace
Operations, Electronic Warfare, and Information Operations capability
for deployed tactical forces; Leverage Combat Training Centers (CTCs)
and operational deployments to inform CEMA Doctrine, Organization,
Training, Materiel, Leadership and Education, Personnel, and Facilities
development (DOTMLPF); and Determine the enduring CEMA environment at
CTCs.
Army Cyber Command recently completed its sixth iteration of the
CSCB pilot and will conduct another one in June 2017. Lessons learned
from the pilot program are helping to inform CEMA requirements across
the Army's DOTMLPF and Policy development. Army Cyber Command is now
working with DAMO-CY to determine enduring support requirements at the
CTCs that would routinely embed cyber teams in combat brigades during
their CTC rotations to continue providing realistic training for our
cyber operators, Army units, and commanders.
The Cyber Center of Excellence published the Army's first
Cyberspace and Electronic Warfare doctrine in April 2017, FM 3-12,
Cyberspace and Electronic Warfare Operations. Army FM 3-12 is nested in
joint cyberspace and EW doctrine and provides the doctrinal context to
understand the fundamentals of integrating and synchronizing cyberspace
and EW operations. Through the planning and synchronization of
cyberspace and EW operations, Army cyberspace forces integrate CEMA
functions and capabilities across warfighting functions, defend the
network, and provide critical capabilities for commanders at all levels
during unified land operations.
Resources
People are the most important resource in cyberspace. To ensure we
will prevail over all adversaries in the cyber domain, the Army is
committed to executing a vigorous cyber talent management program built
on four talent management pillars: recruit, develop, employ, and retain
talent. The Army achieved a major milestone in cyber talent management
in 2014 when it became the first service to launch a dedicated career
field (Career Field 17) to centrally manage soldiers throughout a
career in cyberspace operations. This allows the Army to recruit,
develop, employ and retain soldiers specific to cyber skills and
operations.
To ensure we continue to maintain high levels of end strength in
the cyberspace force, the Army is now implementing several key talent
management initiatives to improve recruitment, training, and retention
across all components and all soldier and employee cohorts. First, the
Army is developing a direct commissioning program to find highly
talented individuals with industry experience and laterally enter them
into the force. Second, the Army has initiated a Civilian Cyber-effects
Career program. Additionally, ARCYBER is offering opportunities to many
members of our force, including the chance to train with industry and
opportunities for academic degrees through our Advanced Civil Schooling
program. Finally, we are partnering with the U.S. Digital Service and
the Defense Digital Service to help us look internally at our processes
and provide an outside perspective from a group of technical experts.
The Army direct commissioning program, authorized under section 509
of the National Defense Authorization Act for Fiscal Year 2017, will
bring in talented individuals with highly technical skills at ranks of
increased pay and responsibility. The Army hopes to attract individuals
with skills that include computer programming, mathematics, network
operations, cryptology, data science, or nanotechnology. Beyond
technical knowledge, we're looking for people with aptitude,
dedication, and desire for mission- and team-oriented problem solving.
The Army recently approved the new Civilian Cyberspace-effects
Career Program which will unify all Cyberspace Effects civilian
employees into a single cross-disciplinary model for training and
management of multiple Occupational Specialties. This new career program
will align Army Civilians performing Cyberspace Effects with their
soldier counterparts in Cyber (17 series). The Cyberspace Effects work
role qualifications will be governed by USCYBERCOM Joint training
requirements. The Department of Defense is also finalizing work on a
new title 10 excepted service civilian cyber program similar to the
civilian intelligence career program.
integration of electronic warfare
To better manage its Electronic Warfare Soldiers, in 2014, the Army
approved the integration of cyber effects and electromagnetic spectrum
operations into the Army's new Cyber Branch. The Army Cyber Center of
Excellence is developing a phased approach to convert soldiers in the
Army Electronic Warfare Military Occupational Specialty, Functional
Area 29, into the Cyber Branch beginning in fiscal year 2018.
Concurrently, the Army is analyzing and developing an integrated
Electronic Warfare, Cyber, and Signals Intelligence capability that
will be capable of sensing and disrupting adversary systems that
operate within the electromagnetic spectrum while providing Electronic
Protection to Army systems.
equipping the cmf
Army Cyber Command is focused on equipping the Cyber Mission force
with integrated capabilities and organic development environments. To
ensure that our capabilities are dynamic and evolving to counter future
threats we are focusing on two mission areas of development: Defensive
Cyberspace Operations and Offensive Cyberspace Operations. These two
areas include the development of a scalable Big Data platform, building
advanced cyber analytics, development operations support for payload
development, malware analysis, threat detection, and infrastructure.
The Army has also invested in developing home station and
deployable platforms that will provide our Defensive Cyber Operations
CPTs with systems to support the defensive force with tools to prevent,
mitigate, and recover systems at risk from cyber threats at near real-
time speed. We are sprinting to build and institute a complete OCO
architecture purpose built to enable operational agility, reduce
training complexity, and maximize our ability to present multiple
dilemmas to our adversaries. This effort includes the integrated build
of a tool developer environment, operational infrastructures and
foundational tools that support current and future mission requirements
for the Army's Total Cyber Mission Force.
road to fort gordon, georgia
Army Cyber Command Headquarters is currently split-based at Fort
Belvoir, Virginia, Fort Meade, Maryland, and Fort Gordon, Georgia, in
overcrowded and inadequate facilities. The Army has begun building a
$180 million, state-of-the-art Army Cyber Headquarters Complex
alongside National Security Agency-Georgia at Fort Gordon, Georgia.
Occupation of the new facility is planned to begin in 2020 with the
full transition of ARCYBER Headquarters to Fort Gordon expected no
later than 2022. The colocation of these operational forces with the
Cyber Center of Excellence at Fort Gordon will create significant
synergy, allowing for the immediate incorporation of lessons learned
and operational knowledge into our training curriculum.
Partnering
Partnerships are crucial to staying ahead of our adversaries in
cyberspace. The Army Cyber Enterprise partners with industry, academia,
the intelligence community, and our interagency partners to share
information and find solutions to cybersecurity challenges. The Army is
also adapting its acquisitions systems and reaching out to smaller
``non-traditional'' companies on the cutting edge of technology to keep
pace with cyber threats.
To better leverage private sector and academic partnerships the
Army has undertaken initiatives under DOD umbrella programs such as
Defense Innovation Unit Experimental, or DIUX, the Defense Digital
Service, and ``Hacking 4 Defense'' efforts to further reach out and
collaborate with non-traditional partners. Through DIUX, Active and
Reserve soldiers collaborate with private industry in Silicon Valley to
quickly leverage commercial innovations into acquisition solutions.
During November-December 2016, working with a private sector
partner, the Army launched the ``Hack the Army'' initiative, to
crowdsource cyber vulnerabilities of selected Army websites and
databases. The Army paid a modest ``bug bounty'' to selected ethical
hackers which helped the Army discover dozens of vulnerabilities. Army
Cyber Command subsequently shared these vulnerabilities with the
Intelligence Community.
To help foster innovation and partnerships between the Army Cyber
Enterprise and the greater cybersecurity community, the Army Cyber
Institute (ACI) at West Point serves as the Army's bridge to academia,
government, and the private sector. The ACI facilitates state, local,
public, and private partnerships in the cyber domain across the United
States and internationally. The ACI creates relationships that build
capacity within major metropolitan centers and through exercises
designed to integrate all levels of national cyber response. For
example, in October 2016, ACI partnered with the NATO Cooperative Cyber
Defence Centre of Excellence to develop a robust international
conference on cyber conflict that will be repeated in November 2017.
In all partnering activities, the Army Cyber Enterprise is
preparing for a future that includes machine learning, intelligent
systems, virtual/augmented reality, and Big Data; in conjunction with
ubiquitous computing, autonomous, and semi-autonomous robotic systems.
The Army's partnering activities help prepare forces that bridge the
military-civilian and peacetime-wartime boundaries needed to deal with
the gray space nature of cyber conflict.
conclusion
The Army has made significant progress operationalizing cyberspace
since it established Army Cyber Command a little more than six and a
half years ago. The Army now has 41 Cyber Mission Force teams and is
building an additional 21 RC teams. The Army also has a Cyber Branch to
support Cyber Soldiers throughout their careers and will soon have a
Civilian Cyberspace Effects Career Program, tailored to our unique
mission. The CyberCoE is training Cyber Soldiers and preparing to
integrate the Electronic Warfare force into the cyber career field. We
have broken ground on the Army Cyber Headquarters Complex on Fort
Gordon, Georgia which will transform the Fort Gordon region into a
cyberspace hub for the Army and the Nation. The Army has also
implemented important organizational changes to the Army Cyber
Enterprise that enhance our ability to conduct cyberspace operations
and support Combatant and Army commanders. These accomplishments have
happened because the Army, with the support of Congress, has made
protecting and defending the Nation in cyberspace a priority.
Our investments in the soldiers and civilians who carry out our
critical mission are paying off. Today our teams are actively
protecting and defending Army and DOD networks; securing Army weapons
platforms; protecting critical infrastructure; and conducting
operations against global cyber threats. These teams are delivering
effects against our adversaries, giving our ground commanders and the
Joint force the competitive advantage they need to win. With the
continued support of Congress, the Army will maintain its tremendous
momentum in cyberspace, building a more capable, modern, ready force
that is prepared to meet any adversary in cyberspace, today and
tomorrow.
Senator Rounds. Thank you, General.
Major General Weggeman?
STATEMENT OF MAJOR GENERAL CHRISTOPHER P. WEGGEMAN, USAF,
COMMANDER, TWENTY-FOURTH AIR FORCE AND COMMANDER, AIR FORCES
CYBER
Maj. Gen. Weggeman. Chairman Rounds, Ranking Member Nelson,
and distinguished Members of the subcommittee, thank you again
on behalf of the men and women and the audacious men and women
of 24th Air Force and Air Forces Cyber for the opportunity to
appear before you today, alongside all my esteemed cyber
colleagues. I look forward to discussing the Air Force's
progress in advancing full-spectrum cyberspace operations and
our contributions to joint operations globally.
Our headquarters is located at Joint Base San Antonio-
Lackland, Texas, and we have airmen on mission around the
world. Our warriors are operating globally as a maneuver and
effects force in a contested domain delivering cyberspace
superiority for our service and our joint partners.
Our forces exist to preserve our freedom of maneuver in,
through, and from cyberspace while denying our adversaries the
same. Our command places significant emphasis on
operationalizing cyberspace as a warfighting domain across the
range of military operations and continues to evolve our
tradecraft to provide ready cyber forces to combatant and Air
Force commanders across the globe.
Defense is our number one mission. We build, operate,
secure, and defend the Air Force networks every day to ensure
these networks remain secure and available in total providing
on-demand capabilities to approximately one million users
worldwide.
In collaboration with our service staff and our major
commands, we developed and have begun implementation of three
transformational efforts transitioning our cyber workforce
posture towards a 21st century commander and cyberspace
operator-driven cyber ecosystem centered on mission assurance.
The totality of these major Air Force efforts, plus our
ongoing cybersecurity campaign plan, provides the Air Force
with a full-spectrum framework for generating threat and risk-
based mission assurance across the totality of our cyber
terrain.
The Air Force is on track to achieve full operational
capability for all service Cyber Mission Force teams by the end
of fiscal year 2018. As of 1 May 2017, we have all teams at IOC
[Initial Operating Capability] and over 50 percent at full
operational capability.
While we remain laser-focused on building and delivering
our service teams to FOC, we have begun in earnest, along with
all the other service components, to focus on team readiness,
leveraging the Department of Defense's established
institutional readiness program and standards.
Our forces also support assigned combatant or joint force
commanders by providing full-spectrum, all-domain-integrated
cyberspace maneuver and effects in support of their assigned
missions around the globe.
We train and fight as one team or one force, as we like to
say, with all components: regular Air Force, Air National
Guard, and Air Force Reserve. We are delivering cyber forces
fully integrated with our total force partners in the Air
National Guard and Air Force Reserve. The Air Force total force
contribution to the cyber mission is comprehensive and
impressive.
As a new and rapidly maturing warfighting domain,
cyberspace operations continues to make huge advancements in
the operationalization of missions and forces. However, there
are challenges in our critical path. At the macro level, these
challenges fall into four broad categories: manpower and
training, cybersecurity of weapons systems, key enablers to
cyberspace operations, and professionalization of our
workforce.
I am proud of the tremendous strides made to operationalize
cyber capabilities in support of joint warfighters in defense
of the Nation. Despite the challenges of maturing and operating
in stride across the contested and diverse mission set, it is
clear Air Force networks are better defended, combatant
commanders are receiving more of the critical cyber effects
they require, and our Department's critical infrastructure is
more secure due to our cyber warriors' tireless efforts. They
truly are professionals in every sense of the word.
Congressional support was essential to the substantial
operational progress made and will only increase in importance
as we move forward. I am very glad to see the formation of this
subcommittee to help us along the way. Resource stability and a
formal national cyberspace strategy to guide force planning,
resources, and prioritization of effort within DOD in the years
ahead best enables our continued success in developing airmen
and maturing our capabilities to operate in, through, and from
the cyberspace domain.
I am honored and humbled to command this magnanimous
organization, and I look forward to your questions. Thank you.
[The prepared statement of Major General Weggeman follows:]
Prepared Statement by Major General Chris P. Weggeman
introduction
Chairman Rounds, Ranking Member Nelson, and distinguished Members
of the Subcommittee, thank you for the opportunity to appear before you
today, along with Vice Admiral Marshall Lytle from the Joint Staff and
my fellow Service Cyber Component Commanders. I look forward to
discussing the Air Force's progress in advancing full-spectrum
cyberspace operations and our contributions to joint operations
globally. I have the distinct honor to lead a triple-hatted
organization; 24th Air Force, Air Forces Cyber (AFCYBER), and Joint
Forces Headquarters (JFHQ)--Cyber AFCYBER. These three hats encompass
service, component, and functional roles, responsibilities, and
authorities which I will expand upon shortly. Our headquarters is
located at Joint Base San Antonio-Lackland, Texas and we have airmen
and civilians on-mission around the world, diligently increasing our
capability to deliver full spectrum cyber effects in support of our
joint warfighters.
AFCYBER warriors are operating globally as a maneuver and effects
force in a contested domain, delivering cyber superiority for our
Service and our joint partners. Our forces exist to preserve our
freedom of maneuver in, through, and from cyberspace while denying our
adversaries the same. Our Command places significant emphasis on
operationalizing cyberspace as a warfighting domain across the range of
military operations and continues to evolve our tradecraft to provide
ready cyber forces to combatant and Air Force commanders across the
globe.
As Commander, 24th Air Force, I report directly to the Commander of
Air Force Space Command and am responsible within the Air Force for
classic title 10 organize, train, and equip functions. 24th Air Force
also serves as the Cyber Security Service Provider (CSSP) for our Air
Force networks and other designated key cyber terrain. Under the
AFCYBER hat, I am the Air Force's Cyber Component Commander who
presents and employs Air Force cyber forces to United States Strategic
Command, delegated to United States Cyber Command. These ready forces
plan and execute full-spectrum cyberspace operations across the Air
Force portions of the DOD Information Network (DODIN), and other cyber
key-terrain as directed. Finally, under my third hat, as Commander,
Joint Forces Headquarters (JFHQ)--Cyber AFCYBER, I lead a United States
Cyber Command subordinate headquarters with delegated Operational
Control of assigned cyber combat mission forces employed in a general
support role to both United States Strategic Command and United States
European Command. We execute assigned cyberspace operations missions
through six distinct but inter-related lines of effort--Build, Operate,
Secure, Defend, Extend, and Engage, or what we refer to as ``BOSDEE''.
defense is our #1 mission
In our 24th Air Force and AFCYBER roles, we build, operate, secure,
and defend the Air Force networks every day to ensure these networks
remain available and secure for assigned missions, functions, and
tasks. The broader mission includes base infrastructure, business, and
logistics systems, as well as mission and weapon systems; in total,
providing on-demand capabilities to approximately one million users
worldwide. The Air Force CIO designated 24th Air Force as the CSSP for
all systems within the Air Force enterprise. In this capacity we are
responsible for protecting, monitoring, analyzing, detecting, and
responding to malicious cyber activity across the Air Force network. We
are working with our Service Staff and Air Force Space Command, to
determine resource and manpower requirements to execute this expansive
mission-set. Earlier this year, we partnered with the United States
Army Research Lab to contract and provide a fee-for-service cyber
security framework for system cybersecurity similar to what they are
providing the United States Army. This partnership and approach aligns
the Air Force CIO delegated cybersecurity responsibilities with our
AFCYBER defensive mission forces and capabilities, generating coherent
mission coordination and integration across the enterprise.
cyber security and defense in the 21st century
The 24th Air Force, in collaboration with our Service staff and
Major Commands, developed and began implementation of three
transformational efforts which transition our force and Information
Technology posture towards a 21st century, commander and cyberspace
operator driven, threat and risk-based mission assurance cyber
ecosystem. These three major efforts include: 1) evolving towards the
Air Force Information Dominance Platform (AFIDP), 2) maturing and
resourcing our Air Force CIO Cyber Squadron Initiative and inherent
Mission Defense Teams, and finally 3) the development and fielding of
Air Force Materiel Command's Cyber Resiliency of Weapons Systems
(CROWS) Office capabilities. This last initiative was developed to
address last year's NDAA section 1647 weapon system cyber security
mandate. These three major endeavors deliver a coherent approach to
cyber security, cyber defense, weapon system resiliency, and the ever
critical ``every airman a sentry'' cyber hygiene culture across our Air
Force.
The AFIDP is a network reference architecture designed to smartly
divest the costly and manpower intensive network operations,
maintenance, and customer-service support demands of our Service's
dated, Information Technology infrastructure via outsourcing to
commercial and industry partners. This strategy allows us to improve
our network while repurposing portions of our legacy Information
Technology workforce to deliver essential services, data security, and
cyber-based mission assurance. The AFIDP moves the Air Force towards a
risk-managed, Network and/or Infrastructure as a Service model (NaaS/
IaaS). AFIDP, with Cloud Hosted Enterprise Services, which is currently
in operation under the moniker ``Collaboration Pathfinder'', is
securely hosting over 60,000 user accounts across ten bases. This
service delivery model will enable improved network performance,
reliability and scalability. It also fuels superior cyber security and
defense, while generating superior speed, agility and precision of
maneuver in, through, and from cyberspace.
The AFIDP roadmap leverages on-going Joint Information Environment
(JIE), Joint Regional Security Stack (JRSS) migrations and fielding in
close partnership with the United States Army and the Defense
Information Services Agency (DISA). All DOD components will ultimately
utilize JRSS with the United States Air Force and Army currently
undergoing migration. Combatant commands, Coast Guard, and other
Defense Agencies are scheduled to begin JRSS migrations later in fiscal
year 2017 and into fiscal year 2018. To date we have successfully
migrated two CONUS regions, to include 170,334 users across 32 bases.
JRSS provides state of the art security stacks and capabilities at our
Tier-2 gateway boundaries. AFIDP also employs the Automated Remediation
and Asset Discovery (ARAD) capability suite.
ARAD is an instantiation of the commercial Tanium product, enabling
operators to perform vulnerability management, incident response,
system health diagnostics, as well as asset identification and
optimization in a matter of seconds to minutes vice days to weeks using
current capabilities. ARAD achieved Initial Operational Capability on
the Air Force Network in December 2016, installed on nearly 600,000
end-points with powerful results and exceeding all expectations. The
ARAD team drove an unprecedented eight-month acquisition schedule to
deliver tools that enable operators to identify and fix network
vulnerabilities in seconds instead of weeks, and it provides the
ability to detect, track, target, engage, and mitigate adversarial
activities in near real time. The 24th Air Force ARAD team was awarded
the 2016 Department of Defense Chief Information Officer Award for
Cyber and Information Technology Excellence for their pioneering
innovation. The demonstrated potential of ARAD is truly revolutionary,
and we are diligently experimenting, evolving, and developing
operational concepts and applications to close key mission capability
gaps in close partnership with the Tanium experts. The intrinsic
operational value and potential of ARAD/Tanium was formally acknowledged
by the Air Force CIO, Lieutenant General William Bender, who recently
directed ARAD implementation across the Air Force network to include
mission systems and enclaves.
The second transformational effort is the Air Force Cyber Squadron
Initiative (CSI). It is centered on an Active cyber defense model
across all echelons of Air Force organizations, designed to deliver
enterprise mission assurance in a contested domain, in the presence of
a maneuvering adversary. Cyber Mission Defense Teams (MDTs), the
primary unit of action, are tailored, trained, equipped and task-
organized to survey, secure, and protect key cyber terrain in order to
deliver mission assurance. The Cyber Squadron Initiative is a commander
and mission-driven force employment model. Mission Defense Teams employ
a spectrum of cyber security and defense tactics, techniques, and
procedures in addition to their own suite of tailored cyber defense
sensors and tools to provide Active defense at the base level. In
fiscal year 2016 the Air Force executed fifteen Mission Defense Team
``pathfinder'' initiatives across a diverse set of Air Force missions
and organizations to test and validate the operational concept and tool
requirements. These designated units focused on functional mission
analysis, planning, and network characterization. Fiscal year 2017
programming designates another fifteen Service-funded initiatives, as
well as sixteen Major Command-funded initiatives. Although the Mission
Defense Team concept is a nascent cyberspace defense capability, these
teams are already proving their worth; providing mission assurance for
operational commanders' priority missions and mission systems. Laying
the foundation, the 50th Space Communications Squadron's Mission
Defense Team provided the wing commander with an understanding of cyber
risk being accepted on the Air Force Space Control Network. The 52nd
Communication Squadron Mission Defense Team integrated with AFCYBER
Cyber Protection Teams to resolve a Combat Air Force cyber incident,
defending commander's key cyber terrain and allowing wing commanders to
understand the operational risk if cyber hygiene is not a priority.
The third transformational effort is Air Force Materiel Command's
Cyber Resiliency of Weapons Systems, or CROWS office. Their mission is
to increase cyber resiliency of Air Force weapon systems across our
acquisition and life cycle management processes to maintain mission
effective capability under adverse conditions. CROWS have two primary
objectives: first, to ``bake-in'' cybersecurity into developmental and
future mission and weapons systems; and second, to employ a prioritized
threat- and risk-based, cyber vulnerability assessment of existing
systems to best mitigate risk to missions and forces. Their roadmap to
cyber resiliency advances from systems assurance to the
institutionalization of cyber security, cyber hygiene, and resiliency
across all Air Force weapons systems. Their comprehensive strategy
includes sustainable and programmable tools, infrastructure, and a
skilled cyber workforce of operators, system engineers, and acquisition
professionals to deliver end-to-end mission and weapon system cyber
security.
The combined effects and capabilities of these three major Air
Force transformational efforts, plus our ongoing AFCYBER cyber security
campaign plan leveraging signals intelligence (SIGINT) and all-source
intelligence, industry, National Institute of Standards and Technology,
and DISA best practices, provides the Air Force with a full-spectrum,
coherent framework for generating threat- and risk-based mission
assurance from networks and infrastructure. This mission assurance
strategy is girded by an acquisition and life-cycle sustainment
enterprise empowered, organized, and resourced to deliver cyber
security and resilience for our Air Force.
cyber mission force: transitioning from build to readiness
The Air Force is on track to achieve Full Operational Capability
(FOC) for all Service CMF teams by the end of fiscal year 2018. As of 1
May 2017 we have all teams at Initial Operational Capability and over
fifty percent at FOC. The FOC criteria are designed to ensure
construction of all teams to a common standard and set of work roles.
While we remain laser-focused on building and delivering our Service
teams to FOC, we have begun, in earnest, to measure and review team
readiness across well-established institutional standards such as
Personnel, Training, Equipment and Supply. This ongoing road to formal
CMF Defense Readiness Reporting System (DRRS) integration will
normalize CMF force presentation and force management while generating
critical mission capability and capacity gap analysis needed for
commanders to drive force readiness.
At 24th Air Force we know the most critical element in cyberspace
operations is not copper or silicon, it's carbon. Our innovative and
audacious airmen are the centerpiece to our AFCYBER capabilities; they
have demonstrated time and again their agility and dedication towards
generating mission outcomes for our Service, the Joint Force and our
Nation. We have thrust them directly from build to battle throughout
the CMF build evolutions. Therefore, we remain committed to recruiting,
training, developing, and retaining the right cyber talent. We owe it
to the incredible men and women that make-up these teams to see they
are properly trained, equipped, and prepared for all assigned missions.
There must be an evolving dialogue centered on resourcing and procuring
the capabilities and capacity required for our CMF to be properly
postured for success beyond the build.
``one force'' in afcyber
In cyber, we train and fight as one team with all components:
Regular Air Force, Air National Guard, and Air Force Reserve. We are
delivering cyber forces in support of the Department's CMF framework
fully integrated with our Total Force partners in the Air National
Guard and Air Force Reserves. These ``One-Force'' teams are providing
United States Cyber Command with capabilities to defend the nation,
support combatant commanders, and defend the DODIN. The Air Force's
Total Force cyber mission contribution is impressive. They are
providing both National and Cyber Protection Teams, Cyberspace Command
and Control and a separate Continuity of Operations Ops Center
facility, a Cyberspace workforce training and skills validation course,
and niche Industrial Control System cyber-security and defense teams.
The Air National Guard has already completed two extremely
successful Cyber Protection Team six month mobilizations in support of
United States Northern Command air defense missions and associated key
cyber terrain security and defense.
These Total Force professionals bring a unique blend of experience
and expertise to the full spectrum of cyberspace missions. Many work in
prominent civilian positions within the Information Technology
industry, which bolsters our mission effectiveness. A prime example
from the Washington State Air National Guard is their ability to
harness their expertise to establish unique Industrial Control Systems
(ICS) and Supervisory Control and Data Acquisition (SCADA) threat
prevention and response packages or Unit Type Codes (UTCs) for
mobilization and deployment. These ten-person UTCs provide a capability
to detect, deter, degrade, and deny an adversary freedom of action
within Cyber Physical Systems, Industrial Control Systems, and Critical
Infrastructure and Key Resources Networks. Further, the Air National
Guard established two units to provide resident initial assessment and
cyber skills training as well as delivering on-line cyber training to
the Air Force. These vital capabilities allow us to refine training
capability requirements that drive future training curriculum design.
In addition, the Air Force Reserves, in coordination with our formal
cyber school house are focused on development of advanced resident and
distributed learning for the CMF.
Operational awareness focused on the mission, commanders'
priorities, and resources are key to forging a lasting partnership with
our Total Force brethren. On 26 April, 24th Air Force hosted 27 states
Adjutants General, Assistant Adjutants General, and wing commanders for
the first-ever TAG Cyber Symposium. This historical gathering enabled
critical collaboration and information flow regarding personnel,
equipment, requirements, and authorities and generated insights into
optimizing force presentation and harnessing our citizen airmen's
industry expertise to solve tough cyber operations problems.
Cyberspace operations are a ``team sport'' and 24th Air Force/
AFCYBER is wholly committed to strengthening our relationships with
other Air Force partners, our sister Services, interagency
counterparts, combatant commanders, coalition allies, as well as
civilian industry partners. Given the proximity of our headquarters and
close mission alignment, 25th Air Force continues to be a critical
strategic partner across all of our missions. The 25th Air Force
Commander, Major General B.J. Shwedo, has been a vital force provider
and steadfast supporter of the CMF build and operationalization of the
cyber domain.
joint forces headquarters-cyber (jfhq-c afcyber)
Cyberspace is an inherently global domain that impacts every
function of our Joint Force. This force is increasingly dependent upon
cyber capabilities to conduct modern military operations. JFHQ-C
AFCYBER supports assigned Combatant or Joint Force Commanders by
providing full-spectrum, all domain integrated cyberspace maneuver and
effects in support of their assigned missions. JFHQ-C AFCYBER delivers
Cyber IN War, not Cyber War, for our combatant commanders. As
commander, I retain Operational Control of assigned Service and joint
Cyber Mission Forces providing general support to both United States
European Command and United States Strategic Command. We recently
concluded a combined Joint, Tier-1 Combatant Command Exercise, Austere
Challenge/Global Lightning 2017, supporting both of these Combatant
Commands. United States Cyber Command designated JFHQ-C AFCYBER as the
Cyber Component to the Joint Task Force Commander, enabling fully
integrated joint planning, maneuver, targeting and fires coordination
for cyberspace maneuver and effects operations. Our team effectively
integrated within existing, institutional planning, targeting and fires
processes to provide cyber effects across the full range of military
operations within the exercise. Our capabilities and effects were fully
synchronized with the timing and tempo dictated by the supported
commander. Cyberspace domain operations were employed using extant
processes, fully integrated with all other classic warfighting domains
propagating force awareness, comprehension and intrinsic value across
all participants, agnostic of professional pedigree or experience.
partnerships
The 24th Air Force also understands the cyberspace domain is
primarily provisioned by private industry and our ability to
collaborate with our industry partners benefits the nation's
cybersecurity posture. We have developed Cooperative Research and
Development Agreements with 25 industry leaders in Information
Technology, Defense, and Banking to share and collaborate on innovative
technologies and concepts. These collaborative efforts allow us to
advance science and technology in support of cyberspace operations, as
well as share best practices with industry partners. We continue to
leverage this program and are currently in the process of enhancing our
partnerships with academia.
In July 2015 the Cyberspace Multi-Domain Innovation Team (CMIT) was
established as a partnership between 24th and 25th Air Forces to meet
the CSAF's intent to optimize the rapid and cost effective generation
of operational all domain integrated effects. CMIT achieves this
through the integration and convergence of Cyberspace Operations;
Intelligence, Surveillance, and Reconnaissance; and Electronic Warfare
capabilities to deliver innovative multi-domain planning support and
capabilities. To date, this team has planned and delivered multiple
cyber capabilities to ongoing operations and has a number of
multi-domain initiatives underway to better enable operations in an
Anti-Access/Area Denial (A2/AD) environment.
We are also fortunate to have a long-standing close relationship
with San Antonio, Texas, also referred to as ``Cyber City USA.'' The
local community has committed significant resources to support the
growth of cybersecurity both locally and nationally. Our leadership
team participates in a variety of civic leader engagements to share
lessons related to cybersecurity. By partnering together, 24th Air
Force supports a broad array of programs designed to reach young
students, essential to our nation's success in this arena. A good
example is the Air Force Association's ``CyberPatriot'' STEM initiative
in which our airmen mentor cyber teams as part of a nationwide
competition involving nearly 10,000 high school and middle school
students.
We are also making gains in improving our acquisitions process to
support the ever changing technology of cyberspace. The Air Force Life
Cycle Management Center has worked diligently to streamline our ability
to provide solutions to support our cyber missions through ``Rapid
Cyber Acquisition (RCA)'' and ``Real Time Operations and Innovation
(RTOI)'' initiatives. RCA is part of Air Force Space Command's
Integrated Agile Acquisition Construct applied to meeting cyber needs
by providing faster solutions to cyberspace needs through traditional
acquisition channels. RTOI are activities that produce critical cyber
weapons system and platform modifications, capability improvements, and
related changes to operational procedures at the ``speed of need.''
To enable the execution of these efforts, in April 2016, in
partnership with the Air Force Lifecycle Management Center, we
established the Cyber Proving Ground (CPG). Its mission is to identify,
enable, and accelerate the fielding of innovative,
operationally-relevant concepts to improve Air Force, Joint, and Coalition cyberspace
operations capabilities. The CPG leverages 24th Air Force's innovation
and development capabilities and the existing cyber acquisition
capabilities of Air Force Lifecycle Management Center's Crypto and
Cyber Systems Division. The CPG is a foundry which brings together
cyber operators, air force acquisition and engineering professionals,
and private sector vendors with potential solutions to close capability
gaps. While CPG projects are small in scope and timeframe, they
comprise a broad spectrum of challenges, from complex development and
testing efforts, to simple technical evaluations of existing
technologies.
I want to highlight two recent efforts from the CPG. First, in just
six weeks the CPG developed and fielded the Service's first defensive
Solaris capability which enabled our Cyber Protection Teams to secure
and defend the Air Force Satellite Control Network. Second, the CPG
recently completed development, testing, and fielding of two unique
capabilities to support United States Cyber Command's ongoing Joint
Task Force Ares operations. Other CPG efforts fielded capabilities that
thwarted adversary exploitation of user authentication certificates,
the unauthorized release of personally identifiable information, and
the blocking of sophisticated intrusion attempts by advanced persistent
threat actors. These technical solutions were forged, tested and
fielded in weeks to months, versus years.
challenges and opportunities
As a new and rapidly maturing warfighting domain, cyberspace
operations continues to make huge advancements in the
operationalization of missions and forces. However, there are
significant challenges in our critical path towards delivering required
capability and capacity for assigned missions. At the macro-level,
these challenges fall into four broad categories: manpower and
training, cybersecurity of weapons systems, key enablers to cyberspace
operations, and professionalization of cyberspace domain workforce.
These broad categories closely mirror Admiral Rogers' focus areas for
United States Cyber Command and the Service Cyber Components. His
charges direct us to secure and defend weapons and mission systems and
the data that resides on them, as well as increase speed, agility,
precision, readiness and lethality of an effectively manned and trained
cyber workforce in coordination with Guard and Reserve forces to
deliver all domain integrated effects across all phases of operations
that support DOD strategy and priorities.
Manpower and Training
Significant manpower shortages across our C2 elements at all
echelons hamper our ability to support geographic and functional
commands. Manpower deficiencies in our units that operate, secure, and
defend our networks force a constant high-pressure, deployed in place
operating environment of competing priorities and risk decisions with
insufficient force structure to meet critical operational demands. We
are actively examining our training pipeline to find smarter more agile
methods which get our operators to their units and on mission faster.
In 2015 we added a local San Antonio detachment to our cyber school
house to increase training capacity. The detachment is crucial in
enhancing formal training throughput and efficacy due to the proximity
to the majority of Air Force CMF units and their cyber weapon systems.
Since June 2015, the detachment has graduated 518 CMF operators and
saved one million dollars per year in TDY costs by collocating the
training with the operational units. Formal cyberspace operations
training must remain rigorous and comprehensive enough to meet
operational requirements but also agile and responsive enough to
accommodate the pace of change in the cyber domain.
The Service Staff in conjunction with Air Education and Training
Command are currently developing custom Air Force Specialty Code
training tracks based on a modular syllabus that utilizes the latest
training assessment innovations and provides placement flexibility
through the training pipeline. The concept allows airmen to
``test-out'' of portions or modules of the curriculum. This methodology
provides incentives and opportunities to our airmen who possess an
advanced cyber aptitude, whether via formal or informal training or
education, to advance through the pipeline and arrive on station at an
operational unit in a significantly shorter time frame. In order for
this concept to be effective, resourcing is required to design and
validate assessment tools and develop an agile and responsive
curriculum development framework that keeps pace with the advancement
of technology, tradecraft, and our adversaries.
Cybersecurity of Weapons Systems
There are insufficient weapons system sustainment dollars going
towards system cyber security and defense. The majority of all
sustainment dollars today goes toward functional capability upgrades in
any mission or weapons system program. Our current process of ``bolting
on'' weapons system cyber security after the fact, levies excessive
mission-risk and is extremely manpower and resource intensive to
properly secure and defend the system. It is more complex and expensive
to defend mission systems where there is no inherent or ``baked in''
cybersecurity framework. As previously mentioned, the CROWS office is
getting after this today as directed by the NDAA, but much more needs
to be done from a resource and execution perspective.
Key Enablers
The Department has begun planning for and resourcing a multiple
phenomenology approach to access. Each Service is exploring multiple
pathways to get to the target and deliver effects against our
adversaries in cyberspace. The Air Force is also planning and
provisioning for its own organic platform and tool development
capabilities, separate and distinct from NSA. This will ensure assigned
cyberspace mission priorities and requirements are being met. Critical
to accessing the target with the appropriate tools to deliver the
desired effect is timely, relevant, domain specific, all-source
intelligence.
While achieving and maintaining a depth of knowledge in cyberspace
is technically challenging, all source Target System Analyses (TSAs)
that are domain agnostic are a proven approach to providing timely,
relevant intelligence support to operations. The Intelligence Community
(IC) must perform this function due to the vast amount of resources and
the ability to leverage existing partnerships outside the Department
and the United States Government. The methodology employed purposely
resembles target development in any other warfighting domain. A
thorough understanding of the commander's intent, specifically the
objectives and effect desired for a particular target set is required.
Center of Gravity analysis is conducted to analyze the functions and
interconnectivity of those components critical to the target. Systems
engineering and network analysis is developed to map out the key
terrain within the target, to enable operators to conduct Intelligence
Preparation of Environment (IPOE) and refined Target Development. Based
on the analysis and reporting from the IPOE, the operators develop a
strike package based on an understanding of the target environment and
the tools and capabilities they have developed in order to deliver the
desired effects. The current approach of contracting these cyber TSAs
has been successful, but we view it as a temporary solution until the
IC transforms their on-going intelligence support to cyber analysis and
resourcing challenges and takes on this critical intelligence
requirement in earnest.
Professionalization of the workforce
The Air Force established a Cyber Project Task Force to monitor
progress, identify challenges, and collaborate on manpower and
personnel efforts to ``get after'' building the Air Force portion of
the CMF. The Air Force also instituted a Service-wide policy to
encourage back-to-back CMF tours for our CMF-trained personnel, thereby
ensuring proper return on investment. Furthermore, the Air Force
recognized the positive value of embedding limited CMF-trained
personnel back into Service non-CMF cyber positions, in order to better
operationalize the total Service cyber enterprise. Although these
cross-pollinated CMF-trained personnel may not have specific
CMF-related or associated jobs, they are assigned to cyberspace-related
positions growing their depth and breadth of operational expertise.
Finally, the Air Force also has the responsibility to develop our
portion of the CMF to meet Operational Commanders' requirements in a
method that also ensures Air Force Cyber Airmen stay competitive with
long-term career projections and a ``Path to Greatness'' for cyberspace
airmen. In addition, cyber airmen may attend professional developmental
opportunities such as Air Force Institute of Technology, Computer
Network Operations Development Program, or the Air Force Weapons
School, all of which will positively impact the operationalization of
the cyberspace domain within the Air Force and in turn, the future of
the CMF.
conclusion
I am proud of the tremendous strides made to operationalize cyber
capabilities in support of joint warfighters and defense of the nation.
Despite the challenges of growing and operating across a contested and
diverse mission set with a rapidly maturing work force, it is clear Air
Force networks are better defended, combatant commanders are receiving
more of the critical cyber effects they require, and our departments'
critical infrastructure is more secure due to our cyber warriors'
tireless efforts. They truly are professionals in every sense of the
word.
Congressional support was essential to the substantial operational
progress made and will only increase in importance as we move forward.
Without question, resource stability in the years ahead will best
enable our continued success in developing airmen and maturing our
capabilities to operate in, through and from the cyberspace domain.
Resource stability will also foster the innovation and creativity
required to face the emerging threats ahead while maintaining a capable
cyber force ready to act if our nation calls upon it.
I am honored and humbled to command this magnanimous organization
and look forward to a thorough and continuing dialogue.
Senator Rounds. Thank you, General.
Major General Reynolds?
STATEMENT OF MAJOR GENERAL LORETTA E. REYNOLDS, USMC,
COMMANDER, MARINE FORCES CYBERSPACE COMMAND
MajGen Reynolds. Chairman Rounds, Ranking Member Nelson,
Senators McCaskill and Fischer, on behalf of the marines,
civilian marines, and their families of U.S. Marine Corps
Forces Cyberspace Command, I thank you for your support to the
work that we are doing, and I welcome this opportunity to
highlight for you today what our marines are doing in
cyberspace as we shift our focus from building this command to
operationalizing, sustaining, and expanding capabilities in
this warfighting domain.
I am humbled every day by the tenacity, professionalism,
and commitment to mission success displayed by my team.
As the Commander of Marine Forces Cyber, I wear two hats. I
am the Commander of Marine Forces Cyber and I am the Commander
of Joint Force Headquarters-Cyber Marines. In these roles, I
command about 1,700 marines. We are a small force. Our force
includes civilian marines and contractors across our
headquarters and subordinate units. I organize operations along
three lines of effort that I will briefly highlight for you
today, and I use this framework to organize activities,
allocate resources, grow capabilities, and measure our
progress.
My first priority is to secure, operate, and defend the
Marine Corps portion of the DODIN, which we refer to as the
Marine Corps Enterprise Network, or the MCEN. The Marine Corps
views the MCEN as a warfighting platform, as you have heard
from my fellow commanders today. We must aggressively defend
this network from intrusion, exploitation, and attack.
Our priorities this year for improving our defenses include
actions to flatten the MCEN by collapsing domains and improving
our ability to sense the environment. We want to harden the
network through increased endpoint security, principally
through WIN 10 [Windows 10] deployment, and we want to
implement a comply to connect capability. Finally, we are
looking for ways to dramatically improve our continuity of
operations capability of our cybersecurity service provider in
Quantico.
My second priority is fulfilling our responsibility to
provide ready, capable cyber forces to U.S. Cyber Command. We
are on track to provide 13 fully operational capable Cyber
Mission Force teams to meet U.S. Cyber Command requirements.
We have experienced tremendous growth in operational
capability over the past year and have fully supported the
delivery of operational cyberspace effects within named
operations. I provide direct cyber support to U.S. Special
Operations Command, and we are actively beginning actions to
hire manpower in my Joint Force headquarters and in a forward
element embedded in SOCOM [Special Operations Command],
organizations which will directly support SOCOM and their
subordinate elements with cyber planning integration.
Across U.S. Cyber Command, marines are at the point of
friction, increasingly relevant, and eager to contribute to the
fight.
My third priority is to add cyberspace warfighting
expertise to the Marine Air Ground Task Force. Our Commandant,
General Neller, understands the necessity to move forward
quickly to build MAGTF [Marine Air-Ground Task Force]
capability to operate in all five domains. The first time this
fiscal year, we have supported a training exercise within every
Marine expeditionary force, which are our major warfighting
commands, as you know.
In addition, we recently concluded a mission in support of
a special purpose MAGTF in the CENTCOM [Central Command] AOR
[Area of Responsibility].
Across the board, the demand signal for marine cyber
operators and capability is very high, and it increases with
each successful mission.
Also this year we have participated in our service efforts
to improve our information warfare capabilities that are
organic to the MAGTF. Cyber will play a relevant part in that.
For all these missions, this year we are building a
cyberspace MOS [Military Occupational Specialty] to improve
readiness and retention of our operators, and we are also
participating in the cyber excepted service for our civilian
operators.
We have accomplished much in a short period working within
the construct of these three lines of effort, but we still have
a lot of work to do.
Thank you again, Mr. Chairman, Members of the committee,
for inviting me to testify before you today and for the support
that you and this new committee have provided our marines and
their families. I look forward to taking your questions and to
maintaining an open dialogue with you in the future. Thank you.
[The prepared statement of Major General Reynolds follows:]
Prepared Statement by Major General Loretta E. Reynolds
introduction
Chairman Rounds, Ranking Member Nelson, and distinguished Members
of this Committee, on behalf of the marines, civilian marines, and the
families of U.S. Marine Corps Forces Cyberspace Command (MARFORCYBER),
I thank you for your continued support of the important work we are
doing to secure, operate, and defend the Marine Corps Enterprise
Network (MCEN) and defend the nation in cyberspace. I welcome this
opportunity to highlight what our marines are doing in the cyberspace
domain and how we are shifting our focus from building the command to
operationalizing, sustaining, and expanding capabilities in this
warfighting domain. I am pleased to be sitting alongside my colleagues
from the other Service Cyber Components of the United States Cyber
Command (USCYBERCOM).
I am humbled every day by the tenacity, professionalism, and
commitment to mission success displayed by my team. It gives me great
pride to highlight the many accomplishments of the marines and civilian
marines of MARFORCYBER, and the work they are doing in support of
warfighting and in defense of our nation.
It will come as no surprise to the Members of this committee that
we face a growing cyber threat--one that is increasingly persistent,
diverse, and dangerous. Malicious cyber activity from both state and
non-state actors continues to intensify and every conflict around the
world includes a cyber dimension. The traditional fight we have
envisioned across the domains of air, land, sea, and space has expanded
to the cyber domain. The United States' technical superiority is not
yet established in this domain: we have to earn superiority in each
fight. We can never take our superiority for granted. Our enemies will
test us.
This year we established MARFORCYBER's motto--Semper in Proelio. It
is Latin for ``Always in Battle.'' This is the reality of cyberspace.
The American people rightfully expect their marines to fight our
Nation's battles and win--always, including in the domain of cyber. We
work hard each and every day to ensure we are prepared to fulfill this
expectation.
mission and organization
As the marine service component to U.S. Cyber Command, MARFORCYBER
conducts full spectrum cyberspace operations. That includes operating
and defending the MCEN, DOD Information Networks (DODIN) operations,
conducting Defensive Cyberspace Operations (DCO) within the MCEN and
Joint Force networks, and when directed, conducting Offensive
Cyberspace Operations (OCO) in support of Joint and Coalition Forces.
We do this to enable freedom of action in cyberspace and across all
warfighting domains, and deny the same to our adversaries.
As the Commander, MARFORCYBER, I wear two hats. I am Commander,
MARFORCYBER, and I am the Commander of Joint Force Headquarters--Cyber
(JFHQ-C) Marines. In these roles, I command about 1,700 marines,
civilian marines, and contractors across our headquarters and
subordinate units. MARFORCYBER is comprised of a headquarters
organization, a JFHQ-C, and two colonel-led subordinate commands:
Marine Corps Cyberspace Warfare Group (MCCYWG) and Marine Corps
Cyberspace Operations Group (MCCOG). Through the JFHQ-C construct, we
provide direct cyber operations support to U.S. Special Operations
Command (USSOCOM). We are currently in the process of developing and
manning a Joint Force Headquarters--Forward, which is part of an effort
to meet the growing demand of cyber operations throughout USSOCOM's
global operations.
Within the MARFORCYBER headquarters, we currently have 189
authorized billets for marines and 32 authorized billets for Government
civilians. We have an additional 65 authorized billets for contract
employees. In a field where technology is paramount, our people
continue to be our most valuable resource and greatest strength. Simply
put, they represent the very best our nation has to offer--they are
patriots, who are doing the arduous and necessary work to defend
against increasingly capable adversaries.
I organize operations along three lines of effort that I will
highlight for you today. I use this framework to organize activities,
allocate resources, grow capability, and measure our progress.
secure, operate, and defend the mcen
My first priority is to secure, operate, and defend the Marine
Corps' portion of the DODIN, the MCEN.
We accomplish this mainly through one of the two subordinate
commands mentioned previously--the MCCOG. The MCCOG is responsible for
directing global network operations and computer network defense of the
MCEN. It executes DODIN Operations and DCO in order to assure freedom
of action in cyberspace and across warfighting domains, while denying
the efforts of adversaries to degrade or disrupt our command and
control.
This past December, the MCCOG was activated during a re-designation
ceremony from the former Marine Corps Network and Operations Security
Center (MCNOSC). This re-designation was not simply a name change. The
missions and roles assigned to the MCNOSC transitioned from that of a
Supporting Establishment command to that of an Operational Force
command apportioned to U.S. Strategic Command (USSTRATCOM).
The Marine Corps views the MCEN as a warfighting platform, which we
must aggressively defend from intrusion, exploitation, and attack.
Cyberspace operations favor the attacker, and our operational
dependencies require us to conduct a formidable, continuous defense.
Real-world defensive cyberspace operations have informed and sharpened
our ability to detect and expel threats on the MCEN. Since May 2016,
the MCCOG has responded to 4,050 events on the MCEN. These events
include unsuccessful attempts to access the network, non-compliance
with security standards, reconnaissance of the network, and explained
anomalies (configuration errors). This number encompasses only the
events that require our attention and further analysis. There are
thousands of events that occur on the network daily that are blocked
and contained by our network defenses and filters.
Our priorities for improving our defenses this year include actions
to flatten the Marine Corps network and improve our ability to sense
the environment, harden the network through increased endpoint
security, and decrease incident response time. To do this, we are
aggressively seeking to consolidate legacy domains, implement a comply
to connect capability and the WIN 10-operating system, and collapse
regional service desks to an enterprise service desk. Each of these
priorities is described briefly below.
Network Access Control, Compliance, and Remediation (NACCR). NACCR
provides defense in depth by positively identifying devices that
attempt to connect to our networks, ensuring the device is compliant
with the latest set of security updates, and, if non-compliant, NACCR
initiates quarantine and remediation actions.
Enterprise Service Desk. We are transitioning eight regional
service desks into a central, standardized Enterprise Service Desk
(ESD) in Kansas City, Missouri. The ESD will be under the operational
control of MARFORCYBER. Users' requests for IT support and incident
response, once centrally managed, will provide valuable insights into
trends on the network. Long term benefits will include supporting a top
down governance structure, increased efficiency in supporting the
warfighter, and providing a holistic view of the network that informs
and complements defensive actions on the MCEN.
Domain Consolidation. In order to flatten, harden, and secure the
network, we must have full visibility of all networked assets. We are
undertaking efforts to bring remaining disparate legacy networks into a
homogenous and secure network. Legacy networks contribute to the Marine
Corps' cyber footprint and unnecessarily increase attack surfaces for
adversaries. This deliberate effort for domain consolidation will
provide much needed standardization and increase the cybersecurity
posture of the MCEN.
Windows 10. The Marine Corps is transitioning its Microsoft Windows
end user devices to the Windows 10 (WIN 10) operating system (OS). WIN
10 OS will improve the Marine Corps' cybersecurity posture, lower the
cost of information technology (IT), and standardize the Marine Corps'
IT operating environment. The WIN 10 OS has numerous embedded security
features that earlier Windows OS's lack. These features include
protection such as encrypting hard drive data while powered off or
preventing the execution of unknown system commands.
Like the Internet itself, many of our Programs of Record and
warfighting systems were not built with security in mind. To combat
these vulnerabilities, we are reviewing each one to determine how we
can improve security. We have also conducted a review of all vulnerable
end of life hardware and software on the network and developed
expedited strategies to upgrade, consolidate or remove systems that
cannot be adequately hardened. Projects that focus on auditing,
analysis and tracking of cyber events and anomalous activity have been
developed and implemented to improve our situational awareness of
system status and cyber monitoring capabilities. Programs that test and
audit our defensive posture are continuously reviewed for relevance and
improvement to address the changing cyber threat environment and
support the intelligence operations cycle on a shortened timeline.
Cyber is a dynamic, competitive environment, and we are continually
responding to the increasing capability and capacity of our
adversaries.
As we have built Cyber Protection Teams (CPT), we have employed
them across the MCEN. This year, our CPTs have conducted named cyber
operations to include focused internal defensive maneuver missions
(IDM), ensured security of Personally Identifiable Information (PII)
repositories, and completed security enhancement missions for cyber key
terrain, countering known threats to the network. In all DCO
activities, the Marine Corps consolidates findings and actionable
lessons for dissemination to the broader operational community.
We are making efforts to better understand system data, and have
employed Service aligned CPTs to harden Service PII repositories. In
2015, MARFORCYBER began efforts to secure PII repositories across the
service. The MCCOG and Service CPTs assessed the security posture of
our 40 largest PII repositories. While the overall security posture of
our systems was within established standards, we identified areas for
improvement we needed to address. Our Service aligned CPTs conducted
on-site visits to several repositories that were deemed critical high
risk. There, we identified and remediated vulnerabilities and trained
system owners and administrators. We continue efforts to ensure these
systems maintain the highest levels of security.
We have identified a requirement for a more robust MCCOG Continuity
of Operations (COOP) capability. The MCCOG COOP is effectively a MCEN
COOP capability. MCCOG lacks the ability to comply with DOD Directive
3020.26 of 9 Jan 2007 requiring up to 30 days Mission Essential
Services and Functions performance for no-notice events. The Marine
Corps IT Center (MCITC), located in Kansas City, Missouri, is the
recommended COOP site, allowing us to leverage available space and
integrate with other MCCOG operations already at MCITC. We have
conducted thorough analysis and research to develop an effective COOP
capability, but currently lack the financial resources to put our plan
into action.
We are participating in efforts to shape our battle space by
designing a more defensible architecture. As we move toward
implementing the Joint Information Environment, we are also working to
unify and centralize our network to better see, understand, and defend
the MCEN. We are integrating and standardizing cyberspace threat
reporting, intelligence production and analysis to better inform
commander's situational awareness and decision making. Our network must
be resilient, redundant and interoperable, and extend from garrison to
the tactical edge of battle. In other words, we need a seamless MCEN
that provides a defensible capability providing enterprise services
from ``fighting hole to flagpole.'' We are moving out in this
direction.
provide a cyberspace warfighting capability
My second priority supports our responsibility to provide ready,
capable cyber forces to USCYBERCOM. Creating this capability in a new
command is a tremendous undertaking. We are on track to provide our
Combat Mission, Cyber Protection, National Mission, and Combat Support
teams in time to meet USCYBERCOM Full Operational Capability (FOC)
requirements.
The Marine Corps is responsible for 13 of USCYBERCOM's 133 Cyber
Mission Force (CMF) teams: one National Mission Team (NMT), eight Cyber
Protection Teams (CPTs), three Combat Mission Teams (CMT), and one
Cyber Support Team (CST). These 13 teams are aligned against USCYBERCOM
(Cyber National Mission Force), USSOCOM, and Marine Corps missions.
Three of the eight CPTs are service retained and oriented to service
missions (23 percent of the total Marine Corps CMF).
Of our 13 teams, nine teams have reached and four teams remain at
Initial Operating Capability (IOC). All 13 teams are scheduled to reach
FOC in fiscal year 2018. It's important to note that all 13 teams
designated as having reached IOC are employed against real-world
problem sets and are fully engaged in supporting the mission. It is
also important to note that achieving FOC is also not an indication
that work is done. We must continually ensure we are training and
sustaining the force to ensure we remain agile, adaptable, and ready to
defeat all enemies.
To that end, we are moving forward with the creation of a
cyberspace occupational field. We have learned a great deal in the past
several years about the training, clearance, and experience
requirements across the cyber mission force. We know that in order to
be effective, we must retain a professional cadre of cyberspace
warriors who are skilled in critical work roles, and we know that many
of our marines desire to remain part of the cyber work force. The
Commandant has told us to move out, and we are planning with
Headquarters, Marine Corps (HQMC) to design a cyberspace occupational
field to address offensive and defensive team readiness requirements.
We intend to begin assigning marines to the cyberspace MOS in fiscal
year 2018. This will significantly improve both readiness and retention
of the force.
In the spring of 2016, we activated the MCCYWG. This new command is
a colonel-led command with the responsibility for identifying
capability requirements, training, certifying, and sustaining readiness
for our CMF teams. In the future, my vision for this command is to
develop it into one of service as the Cyber Warfighting Center for the
Marine Corps, where it will provide standardized advanced cyber
training and certifications that support marine cyber training and
readiness across the Corps.
While building the CMF, members of MARFORCYBER were dual-hatted as
the Joint Force Headquarters staff. This year, the pace of cyber
operations demanded that we begin to man a standing JFHQ-C. The JFHQ-C
provides the planning, targeting, intelligence and cyber execution
support to supported commanders, and provides command and control for
CMTs and CST. This summer, we will begin hiring JFHQ staff who will be
positioned forward and integrated into USSOCOM planning and
intelligence processes in Tampa, Fort Bragg, and across Theater Special
Operations Commands.
This year the Marine Corps continued its initial investment in
specialized tools for defensive cyberspace operations. The Deployable
Mission Support System (DMSS) hardware and software tools comprise the
weapons system CPTs use to meet any mission they may be assigned, from
readiness and compliance visits to incident response or Quick Reaction
Force missions. This year, we championed an ability to conduct
split-based operations with the DMSS, enabling the CPT lead to forward deploy
a small element and push information back to a home station ``war
room'' for remote analysis and remediation. This initiative and concept
of employment will reduce deployed time and costs and increase our
ability to collaborate more freely with other CPTs or across the
mission force.
We are rapidly establishing relevant operational capability in
support of the warfighter. We have experienced tremendous growth in
operational capability over the past year as we have fully supported
the delivery of operational cyberspace effects under Joint Task Force
Ares, a USCYBERCOM-led effort designed to support C-ISIS efforts in
U.S. Central Command (USCENTCOM). Our Joint Force Headquarters is
providing relevant support to more fully integrate planning cyber
operations, intelligence and fires, and we continue to refine
procedures with each exercise and operation we support. On the defense,
our CPTs are contributing to Cyber National Mission Force priorities
around the globe, and at USSOCOM. Across USCYBERCOM, marines are at the
point of friction, increasingly relevant and eager to contribute to the
fight.
We are also active participants with other Service components and
USCYBERCOM in a variety of new processes, infrastructure and tool
development, acquisition initiatives, training transition, and Tactics,
Techniques and Procedures (TTP) development for the CMF. We know we
must continually adapt, innovate, and change to meet future threats.
ADD VALUE TO THE MAGTF
My third priority is to add cyberspace warfighting expertise to the
Marine Air Ground Task Force (MAGTF). Our Commandant, General Neller,
understands the necessity to move forward quickly to build MAGTF
capability to operate in all five domains. This is not the fight of the
future, but the current fight we are in right now. Consistent with our
Commandant's guidance, we want to develop the Marine Corps' cyber
capacity at the tactical level of war, so that in the future the Marine
Corps will more effectively preserve the ability to fight and win in a
contested environment and deliver effects in cyberspace.
Since our establishment in 2009, our marines and civilians have
implicitly understood the need to provide a high return on the Marine
Corps' investment in cyber. In 2010, we began participating in Service
training, exercises and concept development to institutionalize cyber
across the Service, and have built momentum ever since. Cyberspace
operations are now codified in scenarios at Marine Corps Tactics and
Operations Group, Marine Corps Logistics Operations Group, and Marine
Aviation Weapons and Tactics School, and the Marine Expeditionary
Forces (MEFs) better understand the integration of cyber through our
participation in MEF Large Scale Exercises. For the first time, this
fiscal year we will have supported a training exercise within each MEF,
our major warfighting commands. In addition, we recently concluded a
mission in support of a Special Purpose MAGTF in the USCENTCOM AOR.
Commanders across the Marine Corps and combat commands have seen the
capability our defensive teams bring to the fight. Across the board,
the demand signal for Marine Corps cyber operators and capability is
high, and increases with each successful mission.
The Marine Corps Operating Concept (MOC) describes a future
operating environment where marines will fight with and for
information, engage in a battle of signatures and be required to
maneuver throughout networks even as we design networks that are
maneuverable themselves. Last year, the Marine Corps developed a new
force design to meet the needs of the MOC. This effort, called Force
Design 2025, includes Defensive Cyber Operations-Internal Defensive
Measures (DCO-IDM) companies and electronic warfare companies for each
MEF. The DCO companies will provide MAGTF commanders with a trained and
organized capability to conduct activities as maneuver elements for
deployed networks, data stores and weapons systems. As an element of the
MEF Communication Battalion, the DCO-IDM Companies will support the
defense of MAGTF communication networks and maintain a commander's
ability to command and control. Their primary function will be mission
assurance actions such as actively hunting for advanced internal
threats that evade routine security measures, performing incident
response actions, and performing digital forensics. MARFORCYBER is
leading the DCO-IDM Training Pilot Program this month, which will
inform the DCO-IDM Company concept of employment.
The Electronic Warfare companies, built inside our Radio
Battalions, will employ similar intelligence, targeting and effects
generation TTPs as offensive teams and will provide full spectrum
electromagnetic support capability to the MEF commander.
To increase cyber readiness across the Service, we have emphasized
the role of the commander in the security and defense of the MCEN, and
are conducting Cyber Readiness Visits at commands throughout the Marine
Corps to identify cyber key terrain, assess readiness and culture, and
bolster our defenses. As the Marine Corps establishes the cyber career
field for marines, we will aggressively build cyber operators to ensure
the MAGTFs, bases and stations have the expertise and capacity to
enhance cyber readiness not only at MARFORCYBER, but across the Marine
Corps.
As we have transitioned from building the CMF to sustain readiness
of the CMF, we are looking more carefully at how we retain manpower,
prioritize training, ensure that our tools are current and sufficient
to counter the growing threat, and whether we will have sufficient
infrastructure, tools and facilities available for the force. We look
forward to working more closely with Congress to address needs as we
identify them.
We have accomplished much in a short period working within the
construct of these lines of effort, but still have a lot of work to do.
CYBER WORKFORCE MANAGEMENT
MARFORCYBER is conducting a multi-year, Service-integrated, bottom-
up approach to grow both our headquarters element and the MCCYWG
headquarters, which includes growth within manpower, training,
facilities and equipment. Our growth is in line with the Commandant's
vision and Future Force 2025.
Since our last testimony before the House Armed Services Committee
in March of 2015, we have initiated plans to significantly increase our
headquarters staff. While MARFORCYBER has seen manpower growth in
support of our CMF, as directed by the Secretary of Defense, we have
not seen growth for the headquarters element that supports the CMF.
Growth will require resources to hire personnel for the enabling
operational and strategic headquarters staff, and for facilities where
we can train and employ them.
MARFORCYBER was established with an initial staff of eight
personnel. In 2011, we received additional personnel when the Service
conducted a Force Structure Review. Since that time, the mission of
MARFORCYBER has changed several times, including the requirement to
grow a JFHQ-C, and our alignment to support USSOCOM. Concurrently,
USCYBERCOM has developed new processes, working groups and planning
teams to address the growing mission and relevance of cyberspace, while
we have seen a steady increase in capability of adversary nations. In
short, the scope of our mission has increased substantially, exceeding
our existing capacity, and we have identified significant growth
requirements to HQMC. One of the key requirements to grow and maintain
an effective CMF is our ability to hire and retain the highest quality
cyberspace professionals.
In workforce management, we are being challenged by the policy
issues discussed below as well as the increasing demand for workers
with cyber experience in industry and government. Private industry
remains an attractive prospect for our cyber personnel with salaries
and incentives we cannot compete with. On the uniformed side, we are
successfully leveraging our Reserve forces to help close manpower gaps.
This capability has given us a tremendous boost, with Reservists
agreeing to come on orders for anywhere from one to three years.
The establishment of the cyber career field outlined earlier is one
way we are addressing this challenge. We surveyed a sample of our CMF
and found that 54 percent of respondents indicated that his or her work
role was the most important consideration concerning re-enlistment with
only 38 percent of respondents indicating pay was the most important (8
percent were undecided). Marines want to stay cyber marines, and we
will soon allow them the opportunity to do that.
The Marine Corps also has other initiatives underway to help
address the manpower challenges identified above. We are scheduled to
brief HQMC in early June on manpower growth requirements for both the
MARFORCYBER and MCCYWG Headquarters. Our requirement is for additional
intelligence professionals, logistics and administration personnel,
network experts, acquisition and contract management teams and tool
development experts. The Service is conducting a holistic analysis to
ensure our growth is realistic, valid and complete.
On the civilian side, policy that exempted cyberspace positions
during the recent hiring freeze was helpful in supporting our civilian
workforce growth. However, the recruitment of recently retired or
separated servicemembers that are cleared and fully trained has become
substantially more difficult after the expiration of policy suspending
the 180-day cooling off period required before taking a government
position.
We are well into the development of a new headquarters building for
MARFORCYBER designed to meet the demands of our increased mission. I
want to thank you for the Military Construction funding that enabled
the East Campus Building--Marine Corps (ECB-MC) project. ECB-MC is a
148,000 square foot, 550 seat building that will provide full spectrum
cyber operation capabilities. The project broke ground in October 2015
and the steel work ``topped out'' in November 2016. MARFORCYBER and our
partners have developed a phased turnover plan to facilitate the fit-up
of the building's complex systems and we expect the final turnover of
spaces in December 2017. Assuming the construction and fit-up schedule
is maintained, we expect to move MARFORCYBER into the new building
during the 4th quarter of fiscal year 2018. This space is much more
than administrative offices. It will serve as the Marine Corps' premier
cyber warfighting platform.
CONCLUSION
Thank you again, Mr. Chairman and Members of the Committee, for
inviting me to testify before you today, and for the support that you
and this Committee have provided our marines and their families.
I have outlined just a handful of examples that share how our
marines are leaning in to increase cyber capability and capacity across
this command and the Marine Corps through our lines of effort to secure,
operate, and defend the MCEN, provide a warfighting capability, and
provide value to the MAGTF. The success of these efforts depends on our
Marine Corps cyber team--a team made up of warfighters, who are
dedicated to their warrior craft. They are professional, competent, and
committed to mission success. Simply put, they represent the very best.
I look forward to continuing this dialogue in the future and would
be happy to take your questions.
Senator Rounds. Thank you, General Reynolds.
I would note that all of your written statements will be
included for the record of this meeting today.
Let me begin by addressing to all of you. According to
testimony we received from the Defense Science Board earlier
this year, for at least the next decade, the offensive cyber
capabilities of our most capable adversaries are likely to far
exceed the United States' ability to defend key critical
infrastructures. Do you agree with the Defense Science Board's
assessment, and do you agree that because of that imbalance, we
must have an effective cyber deterrence policy?
VADM Lytle. I believe that statement is based on if we do
not continue to invest in our cyber defensive capabilities of
our country, and that could come true. What we need to do is
really focus on increasing our capabilities to defend against
those adversaries because unlike the other domains, in the
cyber domain, there is a lot steeper learning curve for
adversaries to gain capability. It takes a long time to build
an army. It takes a long time to build an air force. It only
takes about 6 months or less to hire some contractors and get
capable as a cyber adversary in this domain. We need to be on
our game. We need to continue to look at ways to up the United
States' game and the DOD's game in the cyber defense capability
area.
VADM Gilday. Sir, thank you for the question.
So a couple of comments. I think broadly we are concerned
about the U.S. broad attack surface across a number of critical
sectors that cover 16 in total.
I do think a good first step is the EO [Executive Order]
that was just signed out a week or 2 ago that essentially gives
focus to those areas of critical infrastructure, the area of
federal networks in terms of resiliency, and lastly the piece
about cybersecurity for the Nation in terms of deterrence. I
think collectively the EO sets us off on a course of taking a
deeper look in many different areas to come up with a
collective strategy.
LTG Nakasone. Chairman, you know, as we have seen in this
domain of cyberspace, the advantage is with the attacker
obviously.
In terms of what I think we need to do in looking at this,
I do believe that there are three elements that we have to
consider. First of all, our Nation needs, obviously, strong
denial capabilities for its networks, its data, and its weapons
systems. Secondly, there needs to be a series of response
actions that we need to be able to provide to decision-makers
and the President if required. Thirdly, I think it is the idea
of resiliency. You cannot stop everything. You cannot defend
against everything. You have to have a degree of resiliency
that is built into your networks for this.
Senator Rounds. Any other thoughts?
MajGen Reynolds. Sir, I would just completely agree with
General Nakasone. I think what you heard all of us say is that
our number one priority is the defense of our networks. From a
deterrence perspective, ensuring that no matter what they send
our way, we can deter and, if necessary, build a new network
somewhere else when we need to. Resilience I think is what we
are all seeking.
Senator Rounds. I think the Defense Science Board made it
clear that at this stage of the game, as General Nakasone
indicated, the attacker has the advantage, furthermore that we
should be prepared here to make it as expensive as possible for
them to make that attack. Second of all, based upon having an
attack being successful, that we have to be able to rebuild and
that we have to have resiliency. Would anyone like to comment
on that and our capabilities today to provide that resiliency?
Where are we at with regard to resiliency within our systems
today?
Maj. Gen. Weggeman. I will dive into this one.
I think what I would like to see and where I think we are
going is we are focusing a lot more today than we were in the
past on mission system resilience. We are focusing on both risk
and threat-based resilience. Our commanders are now involved in
making sure that they can fight hurt, as we like to say in the
Department of Defense. All the things that all the services are
working on are those PACE [Primary, Alternate, Contingency, and
Emergency] plans to make sure that we have a primary and
alternate, contingency, and emergency capability on those key
systems. We are going to commanders first and helping them
translate their missions into the IT [Information Technology]
systems so that we can get a key functional analysis of what
cyber mission systems we need to prioritize our defenses
against.
I think that transformation of getting away from networks
in a COM [Command] focus to resiliency based upon commanders'
missions and the key things we have to do as the Department of
Defense for our Nation is paying huge dividends. Obviously,
there is a lot of ground ahead to hoe but I think we are making
the investments. I am seeing the commanders talk about
cybersecurity defense and resiliency far more now than they did
3 years ago.
Senator Rounds. Thank you.
Senator Nelson?
Senator Nelson. Thank you, Mr. Chairman.
So you know, the Russian operation created or showed--
``exposed'' is the word--a serious vulnerability on our part.
As you all have testified, we have created a Cyber Command and
built the Cyber Mission Forces to operate in cyberspace, but as
Admiral Rogers, the Commander, has recently testified, we have
not trained or tasked these forces to detect, to counter, and
to go on offense to conduct this kind of information operation
that the Russians did. Our cyber forces are focused on the
technical aspects of cybersecurity, defending our networks from
intrusions, as you all have stated that you are tasked to do,
and in some cases, penetrating adversary networks. We are not
focused on the content of the information flowing through the
Internet.
You know what Putin is up to. The Chinese are up to it as
well. What can we do to make Putin feel enough pain to cease
his aggression in cyberspace?
VADM Lytle. Sir, there are a lot of things we could do, and
it gets back to the deterrence topic we were talking about
earlier. We need to be able to make all of our systems--and
this is not just the DOD system, but across the Nation,
government systems--more defensible and more resistant to this
type of activity to keep the easy way in out of our systems.
Right now, we do not have that level of cybersecurity awareness
across the world.
We do have a number of efforts. We do not, obviously, focus
just on the defensive side from the Cyber Mission Force point
of view. There is a whole offensive capability that we could
talk about in a classified environment that looks for
activities, looks for ways, and sets up options for the
President to take in case he wants to do something about things
like this.
Senator Nelson. Describe in this open session what you can
about some of those offensive capabilities.
VADM Lytle. The capabilities that can be prepared to deny
adversary access, to manage adversary systems, to cause havoc
amongst adversary systems--those are a number of things you may
be able to do within cyber using cyber techniques that cause
kinetic effects on the other end of the wire.
Senator Nelson. Do you all see any natural specialization
in each of your forces, natural roles that you would play?
Maj. Gen. Weggeman. Senator, I cannot answer on behalf of
all of my colleagues. I think as an airman--and I hope I speak
on behalf of my colleagues. We have the air domain and the
space domain. We are air-minded. We are space-minded. I think
what we bring is the unique perspective in terms of the
application of cyber maneuver and effects related to air
systems and maneuver in, from, and through the air domain as
well. I think that air-mindedness on both our offensive and
defensive teams certainly supports very well our air component
commanders around the world, but also offers air-mindedness to
land, maritime, and space component commanders as well. I think
the Army does the same.
If you look across the totality of the Cyber Mission Force,
there is a service team represented in each of the combatant
commands there. We have air-minded teams representing every
combatant command in support of them with the exception, of
course, of Special Operations Command because the Marine Corps
has them all to themselves. I think that diversity of what each
service brings is actually being in play as the teams have a
diverse presentation to the combatant commands.
LTG Nakasone. Senator, if I might. The Department has been
open in terms of our actions against ISIS in cyberspace. We
have Joint Task Force Ares, which I command, stood up to take
on ISIS in a manner that Vice Admiral Lytle recently described.
To the point of your question, I think what we are learning
is the importance of being able to counter our message, being
able to attack a brand, in this case, attack the brand of ISIS.
Then the other thing is how do we do this with the speed and
accuracy that is able to get at an adversary that 6 months ago
was moving uncontested in cyberspace. I think we have learned
those things over the past 6 months, and I think that we as a
Department have done that much better.
Senator Nelson. Have you all thought, since you need a lot
of cyber talent, of putting Reserve cyber units located in
places like Silicon Valley, Boston, and Austin?
VADM Gilday. Yes, sir. In fact, we have that presence now
and continue to make additional investments through DIUx
[Defense Innovation Unit Experimental], which I know you are
familiar with, in terms of helping the acquisition process get
new technologies into the hands of the warfighters around those
typically slow moving acquisition processes that currently
exist. We do have a presence in those areas.
Senator Nelson. A Reserve presence?
VADM Gilday. Yes, sir. Navy has a Reserve presence.
LTG Nakasone. Senator, if I might add to that. The Army is
building 21 cyber protection teams, and what we have learned
and what we are attempting to do is to take places like
Adelphi, Maryland, take places like Boston, take places like
Pittsburgh and not only build teams there but bring the
training to them. This is a new, I think, lesson that we have
learned as the Services. We have to do training a little bit
differently for our Reserve component. Not everyone can take
off from their homes and leave for 6 months to do training in a
place like Fort Gordon, but if we can bring the training in a
mobile aspect to places like Maryland, places like Pittsburgh,
places like Massachusetts, we found it to have some success.
Senator Rounds. Senator McCaskill?
Senator McCaskill. I might add on that topic that we have
some really terrific National Guard cyber units. We have one in
Missouri that is now training across the country, a toolkit
that they developed. The guy who runs that unit does the
cybersecurity for Monsanto on a full-time basis. He really
knows what he is doing. I think we need to build on that.
On that topic, General Weggeman, at the full committee
hearing, Senator McCain brought up with Admiral Rogers his
concern that--and he confirmed this, by the way--that out of
127 Air Force cyber officers that completed their first tour on
CYBERCOM Cyber Mission Force, none went back to a cyber-related
job. Now, that is an alarm bell as far as I am concerned. Would
you address that briefly?
Maj. Gen. Weggeman. Yes, Senator, absolutely, and I was
expecting the question. I appreciate Senator McCain's inquiry
because it gets to a really, really important problem, which is
how do all the services effectively manage force management and
balance the weight of effort we have between growing and
specializing a Cyber Mission Force, which is in its growth
spurt right now, and balancing that against the broader
enterprise needs of our services for a cyber IT [Information
Technology] workforce in our cybersecurity service provider
roles, our cyber schoolhouses, and also balancing with the
professional development of our airmen and civilians that need
to attend professional military education, to go to advanced
cyber schools like the Cyber Network Operations Defense Program
at NSA and also our Cyber Weapons Instructor courses, two great
examples, which pays huge dividends when they come back. Those
are the cyber jedis when they get back. How do you properly
manage that balance?
I do not have a lot of insights into the number without all
the math that went into it, but I can tell you where we are at
now, and that is we have the policies and the strategic
framework in place where we are looking at two general officer-
led bodies that manage our force down to the airmen. What I can
tell you and what I know to be true now is about one-third of
the force is going from CMF to CMF each year, which is about
where we need to be to balance build in the broader operational
needs. If you think about a 3-year rotation, that is about all
you really want to do is one-third, one-third, one-third a
year. That allows us also then to get the rest of the bench in
cyber, across the enterprise, talent and experience so when
they come back, we have the force that we need on the CMF.
I do believe starting in fiscal year 2013, fiscal year
2014, we may have had our eye off the ball a little bit, I
think all the Services were just kind of sorting out how do we
stand up the enterprise that does the organize, train, and
equip.
Now the first thing I did when I took command, as an
example, is I put a directive in place that said every person
that is going to PCS [Permanent Change of Station] off a Cyber
Mission Force team that is not going to another Cyber Mission
Force team now comes to me personally for review and approval.
Senator McCaskill. Well, I am glad that you are aware of it
and working on it.
I got to tell you we are always blessed around here by our
military fellows, and that is for all the military fellows that
are in the room. I have got a really good one back here behind
me. He tried to chart the national cybersecurity structure.
Yikes. I mean, I have been studying it now for several
hearings, and every time I have to start over again.
Here is what I am really worried about. I am also worried
about how many vacancies we have in the sector-specific agency
structure. If you look at USD [Under Secretary of Defense]
policy, vacant. We have an acting. A principal USD policy,
vacant. Acting, none. You know, Principal Deputy ASD-HDGS
[Assistant Secretary of Defense-Homeland Defense and Global
Security], vacant. Acting, none. There are a lot of problems
with nobody home in a lot of these jobs.
What I am really worried about is where we are plugging in
the private sector. The only place we can find that the private
sector gets plugged in is this unified coordination group. Now,
I guess you guys are all familiar with that? Yes? No? Okay.
What is weird about that is we all know how we got to plug
in the private sector because we are likely to be attacked in
the private sector, not necessarily your all's networks. I
mean, that is the cyber warfare that I think probably keeps
some of you up at night in terms of the vulnerabilities in the
private sector.
The only way it gets stood up is if directed by the NSC
[National Security Council] or requested by two agencies. In
other words, it is kind of ad hoc. Well, that is not the way
they do it in the UK [United Kingdom], especially in light of
what we have seen in the last 24 hours. Obviously, we need to
be really on guard against what is going on cyber in terms of
preparing for even lone wolf attacks that the UK just suffered.
Can any of you address this structure where we do not have
a standing group where we get plug-in from the private sector
in terms of our cyber national security structure?
VADM Lytle. Senator, the DHS is really the responsible
player in that game through the NCCIC [National Cybersecurity and
Communications Integration Center] and their connections
with all the sector-specific agencies and managing that,
monitoring that. What we do is we work through DHS to the
private sector for the most part except for the defense
industrial base area for that particular sector. DHS has the
NCCIC, has the connections with all the major sectors of the
private sector, and that is the primary way to go through that.
Senator McCaskill. Okay. According to the NCIRP [National
Cyber Incident Response Plan], when a cyber incident affects a
private entity, the Federal Government typically will not play
a role in this line of effort, but will remain cognizant of the
affected entity's response activities.
I am ranking on Homeland Security. I get the different hats
here.
You know, you guys have a reputation of being rather
siloed. I know that is a shocking revelation to you in this
hearing. I am just worried about how siloed these charts are,
and that is the only alarm bell I am trying to sound today. It
is pretty siloed. I just worry that in this particular area of
defense and danger, that being siloed is really, really a
problem, much more so than in other areas where we have been
traditionally siloed. I am hoping that you all will take that
back and look at it and make sure that we are having even from
our military industrial base, if we have enough buy-in on
something other than an ad hoc basis.
Thank you, Mr. Chairman.
Senator Rounds. Senator McCaskill, before you leave, I just
wanted to make one--after we are done with the first round, I
am going to ask General Nakasone or one of the others to
explain how they are coordinating among themselves in terms of
that flow chart. It made sense when each of them has had a
chance to visit with me. I would like to have them share it
with the entire committee. If you have got the opportunity to
stay for a few minutes, when Senator Gillibrand has completed--
thank you. We will have them share it for the record for sure.
Okay?
Senator Gillibrand?
Senator Gillibrand. Thank you, Mr. Chairman.
Admiral Lytle and General Nakasone, what is the status of
the inclusion of the Army National Guard cyber protection teams
in the Cyber Mission Force? My understanding is that the Army
and CYBERCOM have signed off on this. If so, what is the
holdup?
VADM Lytle. I will just do a quick start-off. The National
Guard, Air Force and Army, and the Reserve teams are being
fully integrated into the Cyber Mission Force. We talk about
the 133 teams. Actually on top of that, there is the Guard and
Reserve that are added to that skill set.
You kind of alluded to earlier in a previous question the
Guard and Reserve folks bring some incredible talent to the
game. A lot of these folks are doing this in their civilian
jobs, and they are looking for a way to do it in their military
hat. From the Guard side, they offer that capability to not
only do it under their State authorities, but also, when called
up, to do it under the title 10 authorities of the DOD.
Paul, would you like to add?
LTG Nakasone. Senator, in terms of the 11 Guard teams that
the Army is building now, the Army has approved the request to
make them part of the Cyber Mission Force. It is our
understanding that the Department of Defense will meet on that
and likely approve that in the very near future.
In terms of the man, train, and equip piece, which I think
is even more important that you are asking about, so right now,
we have met with the Guard on several occasions. The last week
of January was our last total Army cyber summit. The next one
will be on the 5th of June. We have three National Guard teams
right now on Active Duty, 170, 171, and 172. They are training
for the next 400 days with us. We have already begun to build
teams such as 173, which you are very familiar with--that is
from the State of New York--will be next on that. We have a way
ahead for the training where we will have all the Guard teams
trained by the end of fiscal year 2022. We will have them all
to full operational capability by 2024. We have the ability to
man them. We have the ability now to train them, and now we are
working on the equipping piece as well, Senator.
Senator Gillibrand. They are officially part of the Cyber
Mission Force.
LTG Nakasone. They are officially part of the Army's
contribution to it. We are waiting for the Department of
Defense to give that okay.
Senator Gillibrand. Because is that not important so they
can receive their own equipment and they will be offered
training spots if there is availability? Is that not required
to like move them forward?
LTG Nakasone. No, ma'am. We have already started with the
training. We have the training there. We have training seats at
Fort Gordon. We are working the equipping piece of it. It is
more in terms of making them part of the broader force. Again,
we will continue to move forward with that.
Senator Gillibrand. Do you think we are using them to their
fullest potential right now? Do you feel like we are
integrating on a level that we ultimately want to be?
LTG Nakasone. I think there is always room for improvement,
Senator.
Let me go back to Joint Task Force Ares, which I command.
Ten percent of that force today is a Reserve component. Among
our best tool developers is from the U.S. Army Reserve. As we
take a look at the National Guard teams that we brought onto
mobilization today, some very high talent. The things that we
have to do is we have to capture that talent. Being able to
build a database, of which we are doing right now with the
leading university, very important. I think the last piece of
it is are we able to recognize the very unique skills that we
may need in our Nation's crisis.
Senator Gillibrand. Do you think that the Guard could ever
serve as a conduit on cyber between state, local, and Federal
Government, as well as the private sector, because of their
unique authorities?
LTG Nakasone. Senator, that is an excellent point, and I
certainly believe that. They have long-term presence in
communities. When you take a look at something like critical
infrastructure, who better than someone that lives in the
community to have an understanding of that? Who better to
understand the state? Who better to have the relationships that
have been developing there?
Senator Gillibrand. I want to ask you a bigger question
because I have been asking this in all our cyber hearings. I
asked it earlier today. We now believe our election
infrastructure is critical infrastructure. We were just hacked
by the Russians with the intent to undermine our democracy. I
believe there has to be a federal component for elections
moving forward. I believe although elections are run by states
and are part of the purview of states' rights, there needs to
be at least some level of certification that each state has a
capability and technological expertise to guarantee they cannot
be hacked.
Do you see the National Guard perhaps fitting in this role?
Because, obviously, this will be something you can consider
being under Homeland Security, but the capabilities in cyber
are really housed in DOD. We have the state of the art
technology. This is a foreign power trying to attack us. Some
believe, including Chairman McCain, that it is on par to a
declaration of war.
Would it be feasible or interesting or beneficial if
perhaps the Guard would be that conduit to being able to have
the most state of the art cyber defenses capable and available
to it to be able to use that expertise in each state?
LTG Nakasone. Senator, if the Nation was to decide that
there was a 17th sector for critical infrastructure, I think
that obviously the means are in place for the Department of
Homeland Security to request support from the Department of
Defense through the means that are there such as defense
support of civil authorities. I am sure that with that, that
would be considered at the time.
Senator Gillibrand. Would you specifically look to the
Guard maybe to perform that role?
LTG Nakasone. Again, I would leave that to the
policymakers. I think my role as the operational commander is
to make sure that whatever decision is made to the utilization
of the Guard, the Guard is very well trained and very well
equipped and ready to meet those needs.
Senator Gillibrand. Thank you, Mr. Chairman.
Senator Rounds. Thank you.
Let us go back a little bit. It seems to me that there may
be perhaps a lack of understanding in terms of how the entire
force is set up. When we are training 133 different teams and
we are doing it across the different forces, could you share
with us how they share, coordinate, work together side by side,
how the teams are made up, and how you are utilizing them and
the reasons for it?
Maj. Gen. Weggeman. Senator, I will take a stab at that.
I think we talked about it briefly in your chambers.
Senator Rounds. Yes.
Maj. Gen. Weggeman. I do not want to go too deep, but just
to set the stage, the three Unified Command Plan missions
that we have in the Department of Defense for cyber that were
mentioned by all of our opening statements are to defend the
Nation in, from, and through cyber against an attack of
strategic consequence, to provide all-domain-integrated effects
in support of our combatant commanders, and then to defend our
networks but also to have defensive forces that defend our
mission systems and our own space against adversaries in our
own terrain.
The three cyber mission team types were then designed
against each of the mission types. You have national mission
teams, which are the cyber and cyberspace forces. If the
Russians, as an example, have a cyber force that are looking to
impose costs on us, like we have been talking about, then our
national mission team's job is to go into red space and cause
effects and impose costs against that force. Cyber v. cyber in
cyberspace.
The combat mission forces, the CMTs, are designed to
provide all-domain integrated effects for what the combatant
commands' problems are in their battlespace. A great example is
General Votel in the ongoing campaign in Joint Task Force OIR
[Operation Inherent Resolve] against things he needs to do in
Mosul and Iraq, et cetera. Aligned with his scheme of maneuver,
whatever we can do in cyber to help him achieve his objectives,
that is what the combat mission teams do. They are an offensive
force.
The last force and the majority of the force is our cyber
protection forces. They are an Active force that is designed
for Active defense to operate in our weapons systems and our
networks to pursue and hunt for adversary presence and then
clear and remediate that terrain and hold it so that they
cannot get back in. That is what those defensive forces do.
What we did back in 2013 is we said we are going to train
all three team types using people from all four services in the
standardized set of joint work roles and standards. Every team
has a standard unit of action and a standard unit of employment
that looks exactly the same whether it is manned by marines,
airmen, soldiers, or sailors. That is how they are--they are
fungible in terms of they are the exact same thing. If you have
a combat mission team, it is 68 people in the same work roles
doing the same things. That allows us to have the
interoperability amongst the soldiers, sailors, airmen, and
marines on the teams. They are all doing the same things. They
have been through similar schoolhouses, all trained and
certified to the same standards.
Senator Rounds. What is the benefit of having multiple
forces on the same team? What benefits does that bring?
VADM Lytle. It is the joint force concept, Senator. Having
all the services represented on the same team or have teams
made up of an entire service that are interchangeable, as with
our other joint forces, it brings the particular nature of the
service involved. We have Navy teams that could--we have the
same skill set built, but they apply that skill set to
different systems. The Navy teams may understand naval systems
better. The Air Force teams may understand Air Force systems
better. Even though the skill set and the makeup of the team
are designed to be exactly the same so they are interchangeable
and the initial training is the same, they can then branch off
and get specialized in particular systems because as with any
cyber defensive team, you start off with the basic level of
training. You start off looking the same. You start off being
able to defend whichever. Then you need to learn the system
that you are defending and know that system inside and out.
Having the ability of those people to move about--this also
creates a better career path for cyber warriors so that as they
move between service jobs and joint jobs, they can continue to
stay in that cyber field, and there is a broader space they can
work in.
Senator Rounds. You have to put together almost--well, more
than 6,000 members of these teams and you are going to do it in
a very short period of time. Part of that requires security
clearances. Can you share with us where you are at in terms of
getting security clearances? I know contractors are telling us
right now that there is a significant backlog for them. If we
are going to have them deliver work on a timely basis, they
have to have individuals who have security clearances. Do you
have that same challenge? Can you share that with us, please?
MajGen Reynolds. Sir, yes, we do. We are actually having to
adjust service manpower processes so that we can identify folks
who are coming to the Cyber Mission Force early enough so that
we can get them the top secret clearance and the poly and the
access that they need. It has been a challenge in growing the
force rapidly.
The other thing that I would just add to the previous
question, sir, is that part of our responsibility--I think all
of us--is that aside from what we contribute to the Joint
Force, we have a responsibility to teach cyber inside of our
service. It is not a small mission. Bringing that skill set
back, in my case, into the MAGTF--nobody is going to do that
better than another marine. That should not be lost because we
are only 133 teams, but we really need other folks throughout
the rest of the service to understand cyber in order to
properly integrate it, sir.
Senator Rounds. Senator Gillibrand?
Senator Gillibrand. I have no questions.
Senator Rounds. Let me just continue on for just a minute
here. I am just curious. Can you quantify the time which is
lost or the delay for bringing people on the team, allowing
them to move forward with their competencies based upon not
being able to get a security clearance in a timely fashion? Or
if you would like, I would take that for the record.
VADM Gilday. Sir, I think it depends on each person in
terms of whether there are complicating factors like foreign
contacts, for example, that lengthens the security process.
What we are trying to do is begin that clearance process as
early as we can, as soon as we bring those people on board in
the Services so we can get that lengthy process moving quickly.
The trades with that lengthy process, of course, are the
insider threat that we want to avoid. There is a balance there
that this process is methodical and it is deliberate for a
reason. It is just something that we have to deal with and
factor into our team growth.
Senator Rounds. Senator Gillibrand?
Senator Gillibrand. I do have one extra question for
Generals Nakasone and Weggeman.
Congress gave you authorization to direct commission
servicemembers with cyber experience. I understand that both of
your services are now using this authority. Please tell me
about how you are using this authority. It has come to my
attention that the Reserve components are not included in these
efforts perhaps because section 502 of the fiscal year 2014
NDAA [National Defense Authorization Act] regarding
constructive service credit for cyber warriors did not include
the Reserve component. Is that the case?
Maj. Gen. Weggeman. Ma'am, the first question is, yes, we
are working constructive service credit or what we call direct
accessions in the Air Force. Again, from what I know to be
true--it is a little outside of my lane as the operational
commander--I do not think we have a direct accession yet, but
we have an Air Force cyber talent management that is in work
with our headquarters Air Force A-1 and our SAFs [Assistant
Secretary of the Air Force], chief information officer, SAF-CIO
[Assistant Secretary of the Air Force-Chief Information
Officer]. That is in work.
I do not know the answer to your second question about the
reserve----
Senator Gillibrand. Why they were left out. Okay.
LTG Nakasone. Senator, in terms of the direct commission
program, so we have put a program together. It will be
announced later this summer. We anticipate our first direct
commission needs being announced this fall and into the force
by the spring.
As far as your second part of your question, I would like
to take that for the record just to come back.
Senator Gillibrand. That is fine.
[The information referred to follows:]
The NDAA for fiscal year 2017 granted the Service Secretaries the
authority to conduct a direct commissioning pilot program in order to
recruit unique talent and specialties into our cyber formations. Under
existing law (10 USC 533, as modified by section 502 of the NDAA for
fiscal year 2014, and 10 USC 12207), however, only Active component
officers with cyberspace related experience or advanced education are
eligible for constructive credit (up to three years). Thus, an
individual directly commissioned into the Reserves under the pilot
program would enter the service as a Second Lieutenant. We are working
closely with the Office of the Secretary of Defense in an effort to
extend constructive credit to the Reserve component.
Senator Gillibrand. I had a third related--was the
authorization issue resolved, and would you include them in
your direct commissioning efforts? Do you have the
authorization that you need to do this?
LTG Nakasone. Again, if I might, if I can take that for the
record.
Senator Gillibrand. You will do that. That will be helpful.
[The information referred to follows:]
The authorization issue was not resolved and the Office of the
Secretary of Defense is currently working with Congress to include
language in the NDAA for FY18 to address the issue.
Senator Gillibrand. Thank you, Mr. Chairman.
Senator Rounds. Thank you.
I want to just touch on something which several of these
Senators have brought up, and I just want to clarify it and
give you the opportunity to differentiate. Let us just take the
difference between infrastructure and identify election
infrastructure, which is out there, versus an electric grid
infrastructure. Homeland Security clearly would take the lead
with regard to an electrical grid, which is identified as a
critical infrastructure. Where would the DOD fit in with regard
to responding to an attack on an electrical grid as part of our
Nation's critical infrastructure versus Homeland Security?
VADM Lytle. The PPD-41 process for the Homeland Security
aspect would cover that initially. If the DHS or DOJ
[Department of Justice] required assistance from DOD, then they
can make their assistance up through the DSCO process and the
President would make the call as to whether the DOD responds
and assists in that.
Senator Rounds. You basically, under today's policy, would
not respond on a critical infrastructure attack unless
requested back up through the manual channels. There is no
preset, technically designed system which would automate a
response or a protection mechanism.
VADM Lytle. Correct, sir.
Senator Rounds. Is that a seam in the system which has to
be explored further or more deeply?
VADM Lytle. Yes, it could. Part of a cyber strategy to be
laid out could address that. Looking at the process to decrease
the cycle time to any response, if necessary, could be looked
at. There is a lot of process we have to go through to respond.
There are a lot of other issues that would need to be
addressed with the legality of DOD operating on a private
entity or the private entity would even allow the Department of
Defense to work on its network. There is a number of issues
that the administration should work out.
Senator Rounds. Once again, you are talking about a policy
which has to be developed yet.
There was a question earlier that I guess I was going to
talk about, and that is with regard to weapons systems
vulnerability. Section 1647 of the fiscal year 2016 NDAA had
required a cyber vulnerability assessment of all major weapons
systems by the end of 2019. I am just curious how each of your
commands are supporting those assessments, if you are, and if
you are not, are you aware of them and who is?
Maj. Gen. Weggeman. From the Air Force perspective, we have
begun in earnest on the cyber vulnerability assessments. Air
Force Materiel Command has stood up an office called Cyber
Resiliency of Weapons Systems, or the CROWS office. They are
what I would call our execution arm for the NDAA 1647
requirements. As Air Force cyber what we have done working with
the CROWS office is we kind of train the trainers. Our cyber
protection forces and our cyber service security protection
forces have begun training and educating them on how to do a
proper mission-based systems translation for what is key
terrain on a weapons system and how to do a vulnerability
assessment.
The CROWS office has two primary missions, which were in my
written submission. The first thing we want to do is they want
to figure out how to bake in cybersecurity and defense bolted
on an ongoing acquisition and future acquisition programs and
systems that they manage, our systems of record. The second
thing is they want to do a mission and threat-based
prioritization of shutting the doors and windows that are open
in existing mission systems in partnership with us and our
Service reallocated cyber protection teams. I believe the
number that we have in execution for fiscal year 2017 is 50
systems we are doing vulnerability assessments on in fiscal
year 2017, Senator.
LTG Nakasone. Senator, the Army is very aware of 1647. We
have moved out in terms of looking at our key weapons systems.
This is a point where I guess I would say we have also learned
a lot from looking at our service cyber components that are to
our left and our right, particularly the Navy where we have
looked at how the Navy has done this, their methodology, the
way that they have a governance structure set up because it is
more than just looking at the vulnerabilities. It is how do you
have a governance structure. How do you write the contracts?
How do you ensure that what you do identify is actually
mitigated in the future? This is one where I would say we have
tried to get out of our silo and look to our left and our right
to see what the other services are doing and share some
information.
Senator Rounds. Let me just move on. I am just going to ask
another one. Section 1650 of the fiscal year 2017 NDAA required
the cyber vulnerability assessment of the Department of Defense
critical infrastructure by the end of 2020. How are each of
your commands supporting those assessments, if you are, and is
there anything that you can share with us in this unclassified
forum?
VADM Lytle. Senator, I would add 1650--that is actively
being engaged with the OSD, AT&L [Acquisition, Technology, and
Logistics], and the Joint Staff, and the Services in terms of
identifying those installations as required by 1650, and that
process is definitely in play. It is being worked on.
Senator Rounds. Let me finish with this. I think sometimes
when we get together, you are expecting that there are certain
questions which are being asked. Are there certain points that
you would love to get across and sometimes in the forms that we
are using, particularly in these subcommittees, you do not have
that opportunity. I would like to take just a few minutes right
now, and if you have the specifics that either you feel need to
be addressed that have not been addressed with questions that
have occurred here, areas which you want to reemphasize or you
believe that should be emphasized that we have not taken into
account, this is an opportunity for each of you to--let me just
say--freelance somewhat. If you would care to, in terms of
additions to your statements and so forth, this would be the
opportunity for you to do so.
VADM Lytle. I will take an initial step.
Senator, one thing is on our Cyber Mission Force readiness,
we have initially been using measures of IOC and FOC based on
some percentages that we cannot get into in this forum. As we
mature that cyber force readiness measure, we are going to move
from just kind of a rote measure of people and training to
actual readiness. Our concern is as we get those initial forces
in place in the Cyber Mission Force and the rotations start to
occur, that we transition that from a full-out effort to get to
that first level to a level that we could sustain and maintain.
We do that by measuring readiness through the Defense Readiness
Reporting System, and it is based more on their mission roles
and their capability to do the mission than actually having
bodies in seats.
As we transition to that--and we just finished the cyber
training transition plan that moves the training responsibility
for the Cyber Mission Force over the next 2 years from U.S.
Cyber Command to the Services--we get into the more normalized
mode of man, train, and equip by the Services to provide for
the Joint Force. We need to make sure the services are online
and resourced and capable to keep that pipeline rolling on the
Cyber Mission Force, to keep that readiness up.
Senator Rounds. Anyone else?
VADM Gilday. Sir, I will make a few points.
Three points from my view what is going very well. I think
personally I would say in terms of standardization across the
force, in terms of cooperation across the Joint Force, and the
synergy of the Joint Force, I think we are headed in the right
direction and have been for a period of time.
I think in terms of the second point, the maturation of the
force, I think on the defensive side, 2 years ago we could not
stand on our own two legs to take on defensive incident
response missions on our own without significant help from, let
us say, NSA. We are now doing those missions on our own and
some pretty significant problem sets. I think that belies the
fact that we have been headed in the right direction.
Lastly, I would make a point about partnerships. I think
across the U.S. Government I think with industry and I think
across the services and again with allies and partners, we have
made significant gains in terms of leveraging those
relationships and improving the force.
Senator Rounds. Anyone else?
LTG Nakasone. Senator, I would offer, particularly as
Admiral Gilday said, a lot of progress. I would say within my
own service, a lot of momentum. Some decisions that were made
by my predecessors and by senior Army leaders that stood up a
branch, established a schoolhouse, invested in infrastructure
and capabilities, and also put money towards people--that has
really paid off for us.
The key piece at the end of the day for me is being able to
ensure that we do talent management right with all of that.
Foundational to us is to be able to keep our best people--not
all of our people, but our best people. That is where I think
that myself and all of the commanders are going to be held to
make sure that we continue to make this an attractive place for
our young people to continue to grow and contribute to this.
Maj. Gen. Weggeman. Just to pile onto that, Senator, I will
say it a little bit differently. The most critical element in
successful cyberspace operations is not copper or silicon. It
is carbon. We have to be really, really focused on the human
capital that it takes. We need manpower. We are fielding 6,000-
plus for a maneuver and effects force, but there are
operational levels of command and control. There are those that
do other security and defense operations. There are all of the
other carbon DNA [deoxyribonucleic acid] footprint we need
around that to make it work. If we do not have the proper
manpower at all echelons of a command and control framework,
then it is only as strong as its weakest link. I echo what
General Nakasone just said.
One other thing, just to highlight Senator Gillibrand's
point about the Guard, I want to give an example. You have been
talking about how do we do discovery learning on the role of
DOD and specifically our citizen airmen, citizen soldiers to
help in the private sector SCIR support. I will give you an
example that we can provide you some further information on.
The 262 cyber operations squadron of the Washington Air
National Guard has done discovery learning and has a process
for how they can do security and defense, partnering with their
domestic electric power companies, and they are now working
their way through how they do it with a private sector company
in the same state, working with a band of lawyers, of course,
and the title 32 status and what we are offering. I think that
is a great exemplar of the power to be.
I would offer a slide for the committee that I had printed
out. It is a slide that just shows--one of our cyber protection
teams is a Guard team already in the Active build, and they
have already been on two rotations. I had the team lead build a
slide of where all the citizen airmen came from in their
private sector jobs on that mission. The slide is pretty
powerful when you see the 18 to 21 cyber and IT companies and
power companies that are on it. I would just offer it to you.
It is kind of an inspirational slide.
[The information referred to follows:]
Senator Rounds. Thank you. Very good.
MajGen Reynolds. Senator, thank you for the question.
I think so much of this has already been said, but I think
that it has been important for us to realize that cyberspace is
a brand new warfighting domain. To General Weggeman's point,
starting with that 6,000-plus number was really just a start. I
want to thank the Congress for--some of the growth that we
recently got this year in the Marine Corps is going to fighting
in the information domain. It is information warfare. Some of
those are going to be cyber protectors in the MAGTF that I
would coordinate very, very closely with as Marine Forces
Cyber. Those are also offensive forces in electronic warfare.
How do you bring together electronic warfare, cyberspace,
information operations, fighting in the information domain? We
are investing in that in the Marine Corps, and I want to thank
you for the end strength that we got.
Inside Marine Forces Cyber, I was just thinking the agility
that we need to retain these very, very talented people--we
have to think of new ways to do that. It is very, very
difficult to compete with industry on this. We send these kids
to--I call them kids. They are a lot younger than I am. We give
them the best training. We give them top secret clearances, and
importantly, we give them phenomenal experience and they are
very, very highly recruited. Having the retention incentives
and not just for the uniformed but for the civilian marines as
well--so having more flexibility in retention incentives for
these folks is important to us because I think most of them, in
my experience--they want to stay a marine. Hence, the
cyberspace MOS I think is going to improve a lot for us in the
Marine Corps.
One of the things that we are dealing with right now is we
have to compete. There is no more direct hire of retired
marines. In the Department of the Navy, I got to compete. I
have to compete a job before I can direct hire somebody that I
know already has the clearance, already has the skill set,
already has the experience. I have to compete that job before I
can direct hire. We are working that. We have to work that in
the Department. It is a policy issue for us.
Then finally, sir, just contracting agility, being able to
quickly employ a tool on the network that we know is going to
provide us the greatest defense is so important.
Thank you, sir.
Senator Rounds. I appreciate all of your thoughts on this.
This is one step forward as we move not just into the oversight
but also into the legislative side of our responsibilities. I
understand the need that you have expressed with regard to
being able to move with agility with regard to contracting for
services and products.
We have got a small university in South Dakota, Dakota
State University at Madison. Several years ago, they began a
process that was specific to what they thought would be a
limited amount of interest in, which was Internet security for
financial institutions, which now has morphed into something
with basically 1,000 different students that have an interest
in that, but also with regard to cybersecurity itself and with
relationships with the government today, will continue to grow.
It is fascinating to see how these young people have an
interest not just in the private entity side of things, but
they do feel a sense of patriotism and a sense of desire to
learn and to move forward. If we can make something like that
happen, whether it be on Reserve component or on a National
Guard component, I think we should be exploring that as well as
an additive to the ongoing full-time force as well.
I most certainly appreciate your time today. Your service
to our country once again is greatly appreciated. I do not
think we can say that enough times.
Unless someone has anything to add at this point--yes, sir,
Admiral?
VADM Lytle. Senator, just one more add, just an offer. I
think it is already being worked, but this kind of relates to
how we do operations and how the National Guard operates is our
cyber guard exercise coming up. It is a day that we can bring
you all down and have the entire subcommittee or as many as
possible come down and actually see how the DOD works with DHS
and DOJ and the Guard and Reserve units in a large exercise
environment. I really look forward to having you down there,
sir.
Senator Rounds. We have been advised of that, and we are
looking forward to it. Thank you.
With that, I want to thank all of our individuals that are
here with us today. Thank you once again for your service, and
thanks for taking the time to come here prepared to answer our
questions.
At this time, we will adjourn this committee meeting.
[Whereupon, at 3:46 p.m., the subcommittee was adjourned.]
[Questions for the record with answers supplied follow:]
Questions Submitted by Senator Michael Rounds
security clearance backlog
1. Senator Rounds. For the Department of Defense: What is the
current estimate of the average backlog time for the following three
categories of personnel who have applied for an initial Top Secret
security clearance: military, government civilian, and contractors?
Mr. Robert Work*.
Current Inventory
----------------------------------------------------------------------------------
                         Contractor            Civilian             Military
                     -------------------  -------------------  -------------------
Initial Top Secret   # Pending Avg. Days  # Pending Avg. Days  # Pending Avg. Days
                                 Pending              Pending              Pending
----------------------------------------------------------------------------------
Total................   29,804  255 days      7,886  259 days     56,953  288 days
----------------------------------------------------------------------------------
Timeliness measured from Received Date to Current Day (29 Nov)
Fiscal Year 2017 Closed Cases
----------------------------------------------------------------------------------
                         Contractor            Civilian             Military
                     -------------------  -------------------  -------------------
Initial Top Secret   # Pending Avg. Days  # Pending Avg. Days  # Pending Avg. Days
                                 Pending              Pending              Pending
----------------------------------------------------------------------------------
Total................   11,565  413 days      4,327  384 days     31,700  333 days
----------------------------------------------------------------------------------
Timeliness measured from Received Date to Agency Delivery Date
Fiscal Year 2018 Closed Cases
----------------------------------------------------------------------------------
                         Contractor            Civilian             Military
                     -------------------  -------------------  -------------------
Initial Top Secret   # Pending Avg. Days  # Pending Avg. Days  # Pending Avg. Days
                                 Pending              Pending              Pending
----------------------------------------------------------------------------------
Total................    1,990  488 days        713  458 days      5,230  436 days
----------------------------------------------------------------------------------
Timeliness measured from Received Date to Agency Delivery Date
* The Department of Defense determined that the Honorable Robert
O. Work, Deputy Secretary of Defense, was best qualified to respond to
this question. Data provided by NBIB 12/1/2017.
__________
Questions Submitted by Senator Richard Blumenthal
cybersecurity subcommittee hearing on cyber posture of the services
2. Senator Blumenthal. VADM Lytle, VADM Gilday, LTG Nakasone, Maj.
Gen. Weggeman, and MajGen Reynolds, former Director of National
Intelligence James Clapper has stated that he believes the biggest
threat to national security is cyber. The OPM hacks, 2016 election
interference, and WannaCry virus that impacted at least 200,000
computers this month demonstrate our weakness in this realm. As the
internet touches more and more aspects of our daily lives, the ways in
which a cyberattack can harm American citizens are growing. In
addition, our adversaries have repeatedly demonstrated a desire and
willingness to conduct offensive cyber operations. How do you define a
cyber-attack? What constitutes an act of war in the cyber realm?
VADM Lytle. At this time, there is no universally accepted
definition of cyber attack. Joint Publication 3-12 (Cyberspace
Operations) defines a cyber attack as ``Cyberspace actions that create
various direct effects in cyberspace (i.e., degradation, disruption, or
destruction) and manipulation that leads to denial that is hidden or
that manifests in the physical domains.'' In the February 2017 final
report of the Defense Science Board (DSB) Task Force on Cyber
Deterrence, cyber attack is defined as ``any deliberate action that
affects the desired availability and/or integrity of data or
information systems integral to operational outcomes of a given
organization.'' These differing views--whether the loss of integrity of
data constitutes a cyber attack or whether a cyber attack must result
in a kinetic effect in the physical domain--highlight the disparity in
current definitions. Whether a particular attack is considered an ``act
of war,'' in or out of cyberspace, requires determination on a case-by-
case and fact-specific basis. Malicious cyber activities could result
in death, injury or significant destruction, and any such activities
would be regarded with the utmost concern and could well be considered
``acts of war''. The President retains discretion in this area and
reserves the right to use all appropriate means to protect the Nation
and its interests.
VADM Gilday. The term ``cyberspace attack'' is loosely defined in
our society. However, I am in agreement with the Department of Defense
joint doctrine definition for the term ``cyberspace attack,'' which is
described as ``cyberspace actions that create various direct denial
effects in cyberspace (i.e., degradation, disruption, or destruction)
and manipulation that leads to denial that is hidden or that manifests
in the physical domains.'' To better illustrate cyberspace attack
activities, it is helpful to contrast them with cyber collection
activities or espionage. Whereas cyber collection may degrade the
confidentiality of information, a cyberspace attack is intended to
remove the integrity and availability of relevant military information,
warfighting capabilities, networks, or support systems. A cyberspace
attack may manifest itself in degradation of operations on one end of
the attack spectrum and actual physical destruction on the other end of
the attack spectrum. Although the law of armed conflict applies to
cybersecurity, there remains a lack of international consensus over key
concepts such as what constitutes an armed attack, act of aggression,
or use of force in cyberspace. I believe it is important to consider
each event on a case-by-case basis, in the context of a variety of
factors, including scale, scope, duration, attribution, and intent.
Ultimately, the President has the authority to determine what kinds of
acts in cyberspace constitute an act of war. As noted by previous
witnesses, an event would not need to be deemed an act of war to
warrant a response, and cyber events do not necessarily require a
response via cyberspace.
LTG Nakasone. How do you define a cyber-attack? The Department of
Defense defines cyberspace attacks as ``cyberspace actions that create
various direct denial effects in cyberspace (i.e., degradation,
disruption, or destruction) and manipulation that leads to denial that
is hidden or that manifests in the physical domains.'' What constitutes
an act of war in the cyber realm? Our elected leaders, informed by
senior political, military, and legal advisors, decide what constitutes
an act of war. Ultimately, it is highly situation dependent and
determined on a case-by-case basis by our Nation's leaders.
Maj. Gen. Weggeman. Defining a ``cyber-attack'' or an ``act of
war'' in cyberspace is a challenging endeavor and one that requires the
highest attention. While this is an essential task, it is strictly a
policy discussion that should occur and be decided at the National-
level.
It is not within my scope of responsibility to define what
constitutes a ``cyber-attack'' or an ``act of war'' in cyberspace. My
role is to ensure cyber superiority from an ``attack'' and present
ready and capable cyber capabilities and forces to our commanders and
national leadership.
MajGen Reynolds. In the broadest of terms, I believe an act of war
in cyberspace includes actions in or through cyberspace by a nation-
state or entity/organization capable of fighting a war or conducting
hostilities that produce effects comparable to those effects resulting
from a kinetic attack. However, a broad consensus has not yet been
reached on what actions are sufficiently severe to cross that threshold
and constitute an act of war in the cyber domain.
There are some forms of cyber activity that I believe do not
constitute an act of war as described above, such as cyber-espionage
and, to some extent, even sabotage. Several instances of these
activities by nation-states and non-state entities have been disclosed
and discussed in the public domain recently. While these activities may
have been aggressive and disruptive, I do not believe any have crossed
the threshold for being considered an act of war.
A cyber-attack is described by the Department of Defense as
``cyberspace actions that create various direct denial effects in
cyberspace (i.e., degradation, disruption, or destruction) and
manipulation that leads to denial that is hidden or that manifests in
the physical domains.'' A cyber-attack, if severe enough, could be
viewed as an act of war as discussed above. Cyber-attacks or activity
may be governed by the same aspects of the law of armed conflict that
apply to traditional kinetic attacks in certain circumstances, such as
when the cyber activity is likely to produce similar results. Again,
however, there remains a lack of consensus over when an action in
cyberspace is sufficiently severe to cross that threshold, and each
event requires consideration on a case-by-case basis.
In conjunction with the threshold question, I believe there is an
imperative to continue developing normative behavior in the cyber
domain and clearly state what is and is not acceptable. Secretary
Mattis said as much during his confirmation hearing, noting the
importance of making clear to adversaries what cyber activities we
absolutely will not tolerate in order to avoid having somebody
``stumble into a situation'' and force an unintended conflict.
3. Senator Blumenthal. VADM Lytle, VADM Gilday, LTG Nakasone, Maj.
Gen. Weggeman, and MajGen Reynolds, earlier this month we heard a great
deal from former military and intelligence leadership about the need to
ensure our cyber capabilities are both more defensive and resilient. Do
you agree? What are you doing to improve your capabilities?
VADM Lytle. We agree. The Services are working diligently to
improve cyber survivability of our weapons systems. In response to the
FY16 NDAA, section 1647, we are undertaking cyber vulnerability
assessments and follow-on risk mitigation engineering plans for our
weapons systems. We are using a tiered approach in order to
methodically work through these systems based on criticality.
Additionally, to increase the cyber survivability of future weapons
systems, the Joint Staff also began implementing the Cyber
Survivability Endorsement (CSE). In Dec 2014, the Joint Staff
incorporated CSE in the Joint Requirements Manual. In June 2015, the
Joint Requirements Oversight Council (JROC) directed CSE in a JROC
memorandum. In January 2017, the Joint Staff provided a JROC-endorsed
implementation guide. The Joint Staff has reviewed 43 weapon systems
for the inclusion of cyber survivability requirements from the Services
as of 20 July 2017. These include a wide spectrum of programs like the
control system for the next-generation Global Positioning System ground
station and the MQ-25 refueling drone. This required the acquisition
community to incorporate cybersecurity elements into the design of
weapon systems much earlier in the development process.
VADM Gilday. From my perspective, our networks and supporting
infrastructure are part of a warfighting platform and need to be as
defensible and resilient as any weapons system. While they were
originally designed for reliability and convenience, we need to shift
the design priority to cybersecurity and mission assurance as the
drivers for networks and information environment development.
Improvements are evident through the Navy Cyber Situational Awareness
(NCSA) and Sharkcage acquisition programs and increased funding that
provides Defensive Cyber Operations (DCO) forces the ability to: (1)
detect adversary activities and analyze cyber-attacks against Maritime
Cyber Key Terrain (M-CKT) via a protected, out-of-band enclave, and (2)
integrate all-source intelligence and Navy data to assess adversary
capabilities. It also provides DCO forces the ability to deliver
operational commander cyber situational awareness at all layers of the
IT infrastructure and combines blue, red, and white cyber common
operational pictures (COP) into an integrated Cyber COP at Fleet Cyber
Command (FCC) and the Numbered Fleet Maritime Operation Centers (MOC).
Additionally, continued efforts by the acquisition community to
transition our operating system baseline to a current generation of
software infrastructure will greatly enhance our ability to be ready
for today's cyber threats. We must be able to stay within one
generation of currency to be effective in defending our networks.
Further, the Navy is exploring the means to provision services via
cloud computing and cloud-based services to enhance security while
simultaneously reducing infrastructure costs. As I discussed during my
testimony, the Navy continues to support the spirit and intent of the
Joint Information Environment (JIE), including incorporating JIE
technical standards into the acquisition of the Navy Enterprise
Networks as those standards are defined. Lastly, the Navy is
transitioning along with the rest of DOD to the Risk Management
Framework, which is drawn from a solid basis using National Institute
of Standards and Technology practices.
LTG Nakasone. I agree that we need to ensure our cyber capabilities
are more defensive and resilient. We are addressing this through a
layered defense-in-depth approach that integrates the actions taken by
cybersecurity personnel and the employment of emerging capabilities and
modernized hardware. This approach spans the top layer internet access
point all the way to the end user. For example, the Army is connecting
all networks through the Joint Regional Security Stack (JRSS), which
will provide better, more consistent security, by reducing the number
of access points into our network. The Army is also working to
standardize our endpoint (computer device) security solution across
Army networks. In addition, we are fielding a new endpoint management
capability that will allow administrators and defenders to better view
the networks, and mitigate or remediate vulnerabilities. Army Cyber
Command is also building a ``Big Data Platform'' replete with data and
analytics to allow better visualization of information and to promote
faster, unified action. Finally, in 2013 the Secretary of the Army
established an Army insider threat program, and the Army's user
activity monitoring (UAM) capability achieved full operational
capability, monitoring user behavior at fixed sites on the Army's Joint
Worldwide Intelligence Communication System (JWICS) network. In 2017,
the Army G-3/5/7 assigned Army's UAM mission to Army Cyber Command. The
Command has established a UAM pilot program on the Secret Internet
Protocol Router Network (SIPRNet) and is working to achieve system-wide
coverage.
Maj. Gen. Weggeman. Yes, mission assurance, the ability to preserve
or ``fight through'' is essential. We absolutely must ensure our cyber
capabilities are more defensive and resilient. Going a step further, we
must ensure all of our Department of Defense capabilities are defensive
and resilient. Our number one priority remains defending our networks,
weapon systems, and key mission systems, and I don't foresee that
priority changing anytime soon.
The Air Force is aggressively improving our resiliency in
cyberspace. Major efforts include evolving towards the Enterprise
Information Technology as a Service (EITaaS) approach, maturing and
resourcing our SAF/CIO-piloted Cyber Squadron Initiative and inherent
Mission Defense Teams (MDTs), and finally the development and fielding
of the Air Force Materiel Command's Cyber Resiliency of Weapons Systems
(CROWS) Office capabilities. These endeavors deliver a coherent
approach to cyber security, cyber defense, weapon system resiliency,
and the critical ``every airman a sentry'' cyber hygiene culture across
our Air Force. Our ultimate success hinges on a strong partnership and
support from our military commanders and industry partners.
MajGen Reynolds. Yes, I agree. The Marine Corps views the MCEN as a
warfighting platform, which we must aggressively defend from intrusion,
exploitation, and attack. Cyberspace operations favor the attacker, and
our operational dependencies require us to conduct a formidable,
continuous defense. Real-world defensive cyberspace operations have
informed and sharpened our ability to detect and defend threats on the
MCEN.
Our priorities for improving our defenses this year include actions
to flatten the Marine Corps network and improve our ability to sense
the environment, harden the network through increased endpoint
security, mitigate vulnerabilities inherent to Programs of Record
(PORs) and decrease incident response time. To do this, we are
aggressively seeking to consolidate legacy domains, implement a comply
to connect capability and the WIN 10-operating system, and collapse
regional service desks to an enterprise service desk. Each of these
priorities is described briefly below.
Network Access Control, Compliance, and Remediation (NACCR). NACCR
provides defense in depth by positively identifying devices that
attempt to connect to our networks, ensuring the device is compliant
with the latest set of security updates, and, if non-compliant, NACCR
initiates quarantine and remediation actions.
Enterprise Service Desk. We are transitioning eight regional
service desks into a central, standardized Enterprise Service Desk
(ESD) in Kansas City, Missouri. The ESD will be under the operational
control of MARFORCYBER. Users' requests for IT support and incident
response, once centrally managed, will provide valuable insights into
trends on the network. Long term benefits will include supporting a top
down governance structure, increased efficiency in supporting the
warfighter, and providing a holistic view of the network that informs
and complements defensive actions on the MCEN.
Domain Consolidation. In order to flatten, harden, and secure the
network, we must have full visibility of all networked assets. We are
undertaking efforts to bring remaining disparate legacy networks into a
homogenous and secure network. Legacy networks contribute to the Marine
Corps' cyber footprint and unnecessarily increase attack surfaces for
adversaries. This deliberate effort for domain consolidation will
provide much needed standardization and increase the cybersecurity
posture of the MCEN.
Windows 10. The Marine Corps is transitioning its Microsoft Windows
end user devices to the Windows 10 (WIN 10) operating system (OS). WIN
10 OS will improve the Marine Corps' cybersecurity posture, lower the
cost of information technology (IT), and standardize the Marine Corps'
IT operating environment. The WIN 10 OS has numerous embedded security
features that earlier Windows OS's lack. These features include
protection such as encrypting hard drive data while powered off or
preventing the execution of unknown system commands.
We consider our networks and information technology infrastructure
to be an integral part of a warfighting platform which must be as
defensible and resilient as any weapons system. The MCEN was not
originally designed around cyber security. However, as we progress with
the consolidation of legacy domains and the implementation of the Joint
Information Environment (JIE) our focus for information networks has
evolved from one of reliability and availability to integrated
cybersecurity and mission assurance. We continue to work on the
integration of open source intelligence, counter-intelligence, human
intelligence, geospatial intelligence and signals intelligence
collection with all-source intelligence analysis to provide improved
indications and warning (I&W) on adversary cyberspace activities on or
against Marine Corps networks and networked technology. Additionally,
we have prioritized the development of cyberspace situational awareness
capabilities and the integration of big data analytics to inform
planning and execution of full spectrum cyberspace operations.
This year the Marine Corps continued its initial investment in
specialized tools for defensive cyberspace operations. The Deployable
Mission Support System (DMSS) hardware and software tools comprise the
weapons system CPTs use to meet any mission they may be assigned, from
readiness and compliance visits to incident response or Quick Reaction
Force missions. This year, we championed an ability to conduct split
based operations with the DMSS, enabling the CPT lead to forward deploy
a small element and push information back to a home station ``war
room'' for remote analysis and remediation. This initiative and concept
of employment will reduce deployed time and costs and increase our
ability to collaborate more freely with other CPTs or across the
mission force.
4. Senator Blumenthal. VADM Lytle, VADM Gilday, LTG Nakasone, Maj.
Gen. Weggeman, and MajGen Reynolds, what do you see as the biggest
cyber threats to DOD? How are you countering them?
VADM Lytle. The biggest cyber threats to DOD are state and non-
state actors--most notably Russia, China, Iran, North Korea, and ISIS--
who plan to conduct disruptive and destructive cyber attacks on the
networks of our critical infrastructure and steal U.S. intellectual
property to undercut our technical and military advantage. To counter
these escalating threats, the DOD has put in place a formal strategy
and developed improved cyber capabilities. This includes the creation
of ready cyber forces capable of conducting cyberspace operations and
defending the DOD Information Network. These cyber forces are also
prepared to defend the U.S. Homeland and U.S. vital interests from
disruptive or destructive cyber attacks of significant consequence.
Additionally, DOD is developing and maintaining a series of viable
cyber options to shape conflict environments and control conflict
escalation. Finally, DOD is working to shore up international alliances
and weave compelling deterrence frameworks against shared threats, in
order to increase security and global stability.
VADM Gilday. The greatest cyber threats to DOD networks are Nation
State-Sponsored Advanced Persistent Threats (APTs). Nation states,
specifically Russia, China, Iran and North Korea represent the greatest
threat to DOD networks as they provide dedicated resources,
infrastructure, and technological sophistication toward offensive cyber
operations over long periods of time. Nation states likewise often seek
to establish a sustained discrete presence on our networks for
information gathering purposes. Non-State Cyber Actors, such as ISIS,
are the next greatest threat. These organizations also have resources
dedicated to offensive cyber operations although they lack the
infrastructure and technical capacity that a nation state can provide.
A third tier of threats centers on hacktivists and organized crime.
Although threats to the DOD network are not limited solely to threat
actors, potential vulnerabilities within the DOD workforce are also
exploitable. Insider threats and poor cyber hygiene provide potential
avenues that adversaries can use to gain access to both secure and
unsecure networks. Unencrypted emails used to share sensitive files,
for example, may be utilized to access or identify pathways across
domains increasing the risk to multiple systems. State sponsored APTs
leveraging this type of information could exploit and move laterally
across our networks, and then potentially hide and collect sensitive
information while remaining undetected. As described earlier, ensuring
a defensible and resilient network is one critical component. This
includes the Joint Information Environment, Navy Cyber Situational
Awareness (NCSA) and Sharkcage acquisition programs, and Risk
Management Framework. Partnership across the DOD, as well as
interagency and with industry and academia provides valuable threat
data and keeps us on the leading edge of tactics, techniques and
procedures. Lastly, investing in our people, through recruiting,
training and retaining the best workforce provides an asymmetric
advantage.
LTG Nakasone. Russia, China, North Korea, and Iran pose the
greatest cyber threats to the Army. These actors are well-resourced,
focused on improving their cyber capabilities, and are expected to
continue along this trend into the future. Another significant concern
is the risk posed by insider threats. Non-state cyber actors, including
hacktivists and cyber criminals, currently pose a lesser threat to the
Army. Each of these threats is arrayed against the large, segregated,
and diverse Army network at multiple echelons. Given this, we are
working to counter threats by standardizing capabilities across our
defense-in-depth. The Army is migrating the outer defensive
infrastructure to the Joint Regional Security Stack (JRSS). The JRSS
will provide better, more consistent security, and decrease the attack
surface by reducing the number of access points into our network. The
Army is also working to standardize our endpoint (computer device)
security solution (Host Based Security System) across Army networks. In
addition, the Army is fielding a new endpoint management capability
that will allow administrators and defenders to better view the
networks and mitigate or remediate vulnerabilities. Augmenting and
connecting the layers of this layered defense, ARCYBER is building a
``Big Data Platform'' (BDP) which supports data retention and analytics
to allow better visualization of risk across the network. The BDP will
integrate multiple discrete data sources and provide commanders better
situational awareness. To counter insider threats the Army established
user activity monitoring (UAM) capability in 2013 and it has achieved
full operational capability, monitoring user behavior at fixed sites on
the Army's Joint Worldwide Intelligence Communication System (JWICS)
network. In 2017, the Army assigned the Army's UAM mission to Army
Cyber Command and a pilot program has been established on the Secret
Internet Protocol Router Network (SIPRNet) that is working to achieve
system-wide coverage. Finally, supplementing our defensive
capabilities, the Army is engaged in developing a range of offensive
cyberspace capabilities and options for senior policy makers to
consider. Such operations and capabilities would only be employed based
upon available authorities and the approval of the appropriate decision
makers.
Maj. Gen. Weggeman. Us, and our ability to quickly and decisively
mitigate known cyber vulnerabilities across our enterprise: networks,
data centers, weapon systems, acquisitions systems, cloud services,
etc. We are actively countering this threat through the use of the
Automated Remediation and Asset Discovery tool, data analytics as a
service, and the establishment of the Cyber Readiness of Weapon Systems
(CROWs) office.
MajGen Reynolds. Russia, China, North Korea, and Iran pose the
greatest cyber threats to the Marine Corps and the MCEN. These nation-
state actors are well-resourced, have advanced cyber capabilities, and
are expected to continue along this trend into the future. In addition,
they are unconstrained by laws or regulations to conduct unfettered
cyberspace operations against both private industry and other sovereign
nations. Another significant concern is the risk posed by insider
threats to the MCEN. Lesser threats to the Marine Corps include non-
state cyber actors, including hacktivists and cyber criminals.
5. Senator Blumenthal. VADM Lytle, VADM Gilday, LTG Nakasone, Maj.
Gen. Weggeman, and MajGen Reynolds, what role do you see the private
sector playing in enhancing our cyber security? What additional actions
are needed to ensure stronger public-private partnership?
VADM Lytle. The private sector can enhance the cybersecurity of the
DOD with its innovative, best-of-breed cybersecurity technologies that
enable DOD to better defend its networks and platform information
technology. It is important to remember that the Defense Industrial
Base (DIB) develops much of our advanced military technology. The DIB
and its private sector partners, in cooperation with the U.S.
Government, must protect those technologies throughout the development
cycle. The President's Cybersecurity Executive Order 13800 directed
DOD, DHS, and FBI, in conjunction with the DNI, to report on the
cybersecurity risks in the DIB and the risk to military technology
through the DIB. Though still in draft, the report will provide some
concrete recommendations to the President to increase the cybersecurity
of DOD information in the DIB.
VADM Gilday. The 2015 DOD Cyber Strategy points out that over
ninety percent of all of the networks and infrastructure in cyberspace
is privately owned and operated. We rely on the private sector to
``build [our] networks, provide cybersecurity services, and research
and develop advanced capabilities.'' Due to its size and exposure in
comparison to DOD, the private sector experiences a much wider attack
surface than DOD, but they are facing many of the same adversaries,
using the same methods. Many aspects of the private sector are
resourced, incentivized and agile enough to procure the latest, most
advanced capabilities and maintain peak cybersecurity posture. Continuing
to foster trusted relationships with the private sector can facilitate
information sharing, making the DOD more aware of emerging threats and
technologies and services. Additionally, such a partnership benefits
our private sector in helping them better prepare for adversaries who
seek to exploit their infrastructure and intellectual property.
Continuing to evolve acquisition to keep pace with technological
advancement would provide us the means to procure and deploy
technologies, identified through this information sharing, on DOD
networks.
LTG Nakasone. The private sector is critical to Army and DOD cyber
security efforts. Notwithstanding a handful of unique challenges within
the DOD, the cyber security challenge equally affects public and
private space, which affirms the critical nature of developing and
expanding public-private partnership. DOD processes must be flexible
and adaptable in order to leverage the extensive innovation that occurs
in the private sector. The Army has leveraged, and continues to
leverage, its Other Transaction Authority (OTA) through organizations
such as the Consortium for Command, Control, and Communications in
Cyberspace (C5), and the Army Defense Innovation Unit Experimental
(DIUx). The OTA has proven valuable to enabling the rapid solicitation,
evaluation, and procurement of technology from a wide range of private
industry partners. Beyond the OTA-based acquisition-centric
partnership, it is equally important that government science and
technology organizations partner and collaborate with the private
sector to optimize early stage technology development. University
Affiliated Research Centers (UARC) and the Federally Funded Research
and Development Centers (FFRDC) provide a critical role in facilitating
our partnerships with the private sector. Additionally, beyond cyber
security solutions, it is imperative that warfighting systems provided
to the DOD by the private sector come with the highest possible degree
of security. The DOD's ability to have confidence in supply chain
integrity and awareness of threats to the private sector--which could
have downstream effects on DOD systems--is limited. It is worth
exploring additional incentives to encourage the private sector to
deliver systems with embedded enhanced cyber security measures.
Stronger public-private partnerships will be achieved by improving how
we develop and link our gaps and requirements to the private sector
under the current structural requirements for DOD acquisition, and we
must exercise these processes frequently and aggressively to maintain
momentum.
Maj. Gen. Weggeman. To enhance our cyber security, a whole of
society approach is required. Leveraging the private sector is the only
way we can tackle the scope and scale of security and defense
requirements. To do so, we need an agile acquisitions process that
supports and enables innovation and rapid acquisition or consumption
``as a service'' approaches. The traditional acquisition model works
when you are talking about ACAT-I programs like the Joint Strike
Fighter and the Long Range Strategic Bomber, but the traditional
acquisition model simply doesn't work for cyberspace capabilities. The
current industrial age process is ill-suited to deliver the required
outcomes in an information warfare era.
In the past few years, Congress has provided the DOD additional
acquisition authorities to better leverage the private sector. We need
to take an in depth look at which echelon these authorities should
reside to ensure we take full advantage of a DOD and private-sector
partnership.
MajGen Reynolds. The private sector is vital to enhancing the
nation's cyber security posture. It is infeasible for one entity, be it
public or private, to adequately provide for the Active defense of our
nation's cyberspace. As cyberspace is inherently a shared resource
between the public and private sectors, so must the responsibility to
provide for cyber security.
The DOD, and each Service individually, has a mission to secure,
operate, and defend the DOD Information Network. In order to execute
this continuing mission, the DOD is reliant on the use of commercial
systems. There must be a shared responsibility for creating innovative
technologies with security as a foundation. This must be coupled with a
deliberate approach to supply chain risk management to ensure the
introduction of these new technologies only improves, not detracts
from, our cybersecurity posture. It must also be fed new ideas,
tactics, services, and products by scholars and entrepreneurs alike.
Continuing partnership with start-ups in innovative technologies
and encouraging the private sector to build security in from the start
is already integral to our successful defense, and will be so for the
foreseeable future. Efforts such as the DIUx are instrumental in
ensuring DOD requirements are met with a variety of potential
solutions. Continued and increased engagement with the nation's best
academic minds to solve our tough challenges and provide the framework
for future innovation is also vital. In the same manner, frequent and
increased support from Federally Funded Research and Development
Centers is required to continue to secure the ever-changing landscape
of cyberspace.
The private sector's role in enhancing our cyber security is not
singular, nor is the public sector role. Currently, there are de facto
public-private partnerships between law enforcement organizations and
major providers of services and products our nation uses in the conduct
of daily business. These interactions, while beneficial, have not been
codified to the point where we can accurately state what the roles and
responsibilities are of either the public or private sector. Greater
discourse with the public and subsequent direction from our elected
officials and policy makers is required to define the authorities that
allow us to execute our missions under the rule of law.
6. Senator Blumenthal. VADM Lytle, VADM Gilday, LTG Nakasone, Maj.
Gen. Weggeman, and MajGen Reynolds, there are 16 sectors of critical
infrastructure. DOD has primary responsibility for one--the defense
industrial base. The defense industrial base is well represented in
CT--from Sikorsky to UTC to EB and beyond. As our adversaries continue to
pose serious cyber threats to our country, I am particularly worried
about the risk of exfiltration from the defense industrial base. The
companies that develop America's premier technology and weapon systems
that power our military must be ever vigilant in protecting their
networks. While we maintain an edge over our adversaries for now, some
are not far behind. We must ensure that adversaries are not able to
catch up because of exfiltration--where adversaries steal and repurpose
developmental and design plans and secrets from companies to build or
improve their own aircraft, ships, and vehicles. The defense industrial
base is well represented in CT. How are you working with the defense
industrial base to prevent and protect against exfiltration of industry
data on our most advanced weapon systems? Which are most vulnerable to
being targeted?
VADM Lytle. Under DOD CIO direction, and through the Defense Cyber
Crime (DC3), DOD strives to protect its information in the Defense
Industrial Base (DIB) through both mandatory contractual stipulations
that require these companies to adhere to a high level of cybersecurity
as well as voluntary information sharing programs on threats.
VADM Gilday. As the Navy component, we support U.S. Cyber Command's
mission to, if directed by the president and secretary of defense,
provide capabilities to defend our nation's critical infrastructure
networks. While Fleet Cyber Command units are not directly assigned to
protect and defend defense contractor unclassified/proprietary networks
and systems, we do support DISA's DOD Information Networks (DODIN)
readiness and security inspections of defense contractor's classified
systems. Our support includes reviewing the results of inspections of
those classified systems and the defense contractor's adherence to DOD
Information Assurance policies, procedures and directives. Should DISA
find negative results during an inspection and that contractor is doing
work that supports the U.S. Navy, Fleet Cyber Command will provide an
operational assessment of the impact of disconnecting a contractor's
classified system and remediating the network. As a mission partner
with DISA, Fleet Cyber Command supports holding defense contractors to
a very high standard in Information Assurance compliance for classified
systems.
LTG Nakasone. The Army is implementing a comprehensive approach to
minimize the exposure of our advanced technologies to cyber threats
while that information is in the possession of the defense industrial
base (DIB). The Army's focus, in concert with the Department of Defense
(DOD), has been on implementing mandatory reporting under Defense
Federal Acquisition Regulation Supplement (DFARS) clause 252-204-7012
of cyber incidents that affect a covered contractor information system
or covered defense information on that system. Also, the Army is
implementing National Institute of Standards and Technologies (NIST)
Special Publication 800-171 for safeguarding DOD information on DOD
contractor networks. Further, the Army is actively participating in the
DOD's DIB Cybersecurity voluntary information sharing program, which is
available for all cleared defense contractors. The Army can provide
further information on vulnerabilities to data and systems in a
classified setting.
Maj. Gen. Weggeman. Our adversaries are taking the path of least
resistance, attacking DIB subcontractors, vice primes, in order to
quickly eliminate the technological advantage our nation currently
enjoys.
Using voluntary and mandatory reporting requirements, the
Department partners with DIB sector stakeholders to maintain a robust
cybersecurity and information assurance program to protect sensitive
defense information and protect DOD networks and systems. However, the
onus of protecting proprietary data should fall directly on the company
itself. The DOD lacks the funding, manpower, and resources to fully
secure and defend the DIB.
Industry is incentivized by their financial bottom line, and until
there is a large enough incentive (either legally binding or hindering
their ability to earn future contracts) for them to increase their
cybersecurity posture, the behavior of these companies will likely not
change.
MajGen Reynolds. The DOD Cyber Crime Center, or DC3, is the
operational focal point for the Defense Industrial Base Cybersecurity
Program.
Any vulnerable data system, including those part of the defense
industrial base, are vulnerable to enticing opportunities for
disruption, manipulation, or destruction from both state and non-state
actors.
The 2015 DOD Cyber Strategy summarizes how DOD supports agencies
like the Department of Homeland Security and the Federal Bureau of
Investigation to share information and coordinate across a range of
cyber activities. Across the DOD we must work with the private sector
to help secure defense industrial base trade data, and be prepared to
assist other agencies in hardening U.S. networks and data against
cyberattacks and cyber espionage.
We work to secure and defend the MCEN and the Programs of Record
(POR) and weapons systems connected to it. We identify and coordinate
to mitigate vulnerabilities of advanced weapons systems when found.
7. Senator Blumenthal. VADM Lytle, VADM Gilday, LTG Nakasone, Maj.
Gen. Weggeman, and MajGen Reynolds, what are you doing to ensure
additional protection for these defense programs? What role should
Congress play?
VADM Lytle. The Defense Federal Acquisition Regulation (DFAR)
252.204-7008 was modified in late 2016 to require Defense Industrial
Base (DIB) companies to implement the cybersecurity controls outlined
in the National Institute of Standards and Technology (NIST) Special
Publication 800-171, Protecting Controlled Unclassified Information
(CUI) in Nonfederal Information Systems and Organizations. That
publication sets the minimum cybersecurity standards to be met by DIB
companies in protecting the DOD's sensitive Controlled Unclassified
Information and is required on all new DOD contracts. Congress may
consider supporting Defense Federal Acquisition Regulation 252.204-7008
and similar rules that mandate greater cybersecurity for defense
programs and extend this regulation to all federal contractors.
VADM Gilday. I believe we can best support these programs through
information sharing and accountability. The DOD's DIB Cybersecurity
Program administered by DOD CIO establishes a collaborative cyber
threat information sharing environment that informs the DIB about
adversary tactics, techniques and procedures and assists with
mitigation strategies. In addition, DOD encourages industry to adopt
the NIST Framework for Improving Critical Infrastructure Cybersecurity
framework as a methodology for managing cybersecurity risk. We support
DISA's DOD Information Networks (DODIN) readiness and security
inspections of defense contractor's classified systems. Our support
includes reviewing the results of inspections of those classified
systems and the defense contractor's adherence to DOD Information
Assurance policies, procedures and directives. Should DISA find
negative results during an inspection and that contractor is doing work
that supports the U.S. Navy, Fleet Cyber Command will provide an
operational assessment of the impact of disconnecting a contractor's
classified system and remediating the network. As a mission partner
with DISA, Fleet Cyber Command supports holding defense contractors to
a very high standard in Information Assurance compliance for classified
systems. One of the most important steps for improving the overall
cybersecurity posture is for the private sector, particularly those
within the defense industrial base, to prioritize the networks and data
that they must protect and to invest in improving their own
cybersecurity. Any support Congress can provide that enables
information sharing between the U.S. government and the private sector
will make us stronger and safer.
LTG Nakasone. The Army continues to partner with the Department of
Defense (DOD), prime contractors and subcontractors to promote the
successful implementation of Defense Federal Acquisition Regulation
Supplement (DFARS) provisions that aim to safeguard covered defense
information and ensure contractor reporting of cyber incidents, at all
levels of the supply chain. The Army is also supporting OSD's Joint
Acquisition Protection and Exploitation Cell (JAPEC) initiative, which
integrates and coordinates analyses of unclassified Controlled
Technical Information (CTI) losses. This initiative enables increased
efforts across the DOD to proactively mitigate future losses. It also
provides expertise to assist program managers' efforts to protect CTI
resident within the Defense Industrial Base and across the DOD
enterprise. Congressional support within the cyber realm has benefitted
the Army as we operate in this dynamic space. The authorities and
funding provided to date have been key in manning, training, and
equipping the force, and in safeguarding covered defense information
and improving contractor reporting of cyber incidents. As we fully
integrate these authorities we will not hesitate to reach back and work
together to fine tune them, nor will we hesitate to begin the dialogue
with Congress to address newly found challenges.
Maj. Gen. Weggeman. DOD has a range of activities that include both
regulatory and voluntary programs to improve the collective
cybersecurity of the Department and the Defense Industrial Base, to
include securing DOD's information systems and networks; codifying
cybersecurity responsibilities and procedures for the acquisition
workforce in defense acquisition policy; implementing contractual
safeguarding and reporting requirements through the Defense Federal
Acquisition Regulation Supplement (DFARS); sharing cyber threat
information through DOD's voluntary DIB Cybersecurity Program; and
leveraging security standards such as those identified in National
Institute of Standards and Technology (NIST) Special Publication
800-171 ``Protecting Controlled Unclassified Information in Nonfederal
Information Systems and Organizations.''
However, the onus of protecting proprietary data should fall
directly on the company itself. The DOD lacks the funding, manpower,
and resources to fully secure and defend the DIB. Industry is
incentivized by their financial bottom line, and until there is a large
enough incentive (either legally binding or hindering their ability to
earn future contracts) for them to increase their cybersecurity
posture, the behavior of these companies will likely not change.
MajGen Reynolds. Like the Internet itself, many of our Programs of
Record and warfighting systems were not built with security in mind. To
combat these vulnerabilities, we are reviewing each one to determine
how we can improve security. We have also conducted a review of all
vulnerable end of life hardware and software on the network and
developed expedited strategies to upgrade, consolidate or remove
systems that cannot be adequately hardened. The Marine Corps Risk and
Readiness Review Board (MCRRRB) is a threat informed, risk based
framework used to identify, prioritize, and address vulnerabilities.
This consists of a twice-a-month working group that culminates in a
board that is briefed at the GO level. Projects that focus on auditing,
analysis and tracking of cyber events and anomalous activity have been
developed and implemented to improve our situational awareness of
system status and cyber monitoring capabilities. Programs that test and
audit our defensive posture are continuously reviewed for relevance and
improvement to address the changing cyber threat environment and
support the intelligence operations cycle on a shortened timeline.
Cyber is a dynamic, competitive environment, and we are continually
responding to the increasing capability and capacity of our
adversaries. Congressional support within the cyber realm will continue
to be necessary in order to ensure our Nation is protected against our
adversaries across departments and private industry. Moving forward,
predictable funding is key in manning, training, and equipping the Cyber
Mission Force teams and the demand to continually refresh and improve
network technologies.
recruiting
8. Senator Blumenthal. VADM Lytle, VADM Gilday, LTG Nakasone, Maj.
Gen. Weggeman, and MajGen Reynolds, there is an ever increasing need
for properly trained, experienced cyber personnel, both in DOD and in
the civilian workforce. DOD seems to be having difficulty in recruiting
servicemembers with cyber and computer expertise that meet physical
standards. Are you concerned that there is a shortfall in the cyber
workforce? Do you think certain positions are harder to recruit for
than others?
VADM Lytle. The Department of Defense considers retention of
critical talent a high priority, and this includes the highly-technical
skillset found in our Cyber Workforce. All of the Services are
implementing and are continuing to build programs to retain cyber
talent, while also actively watching for indications of emerging
retention issues. The Joint Force is focused on building training
programs and strategies to grow talent, leverage Reserve Component
expertise, and retain necessary numbers of seasoned cyber operators to
meet the growing demands in cyberspace. Notably, one third of the Cyber
Mission Force is comprised of government civilians, who are recruited
on the basis of cyber and computer expertise and without regard for
physical standards. Those positions with specific market demand face
greater recruiting challenges. Therefore, in order to ensure best
practices for cyber recruiting, management, promotion, and retention
are shared across the DOD, the Principal Cyber Advisor is leading an
ongoing forum with the Joint Staff, Services, Service Cyber Components,
U.S. Cyber Command, DOD Chief Information Officer, and other key
stakeholders to ensure maximum dissemination of lessons learned across
the Department.
VADM Gilday. The Navy currently does not have issues with
recruiting or retaining military cyber personnel, and the first tranche
of fully trained Cyber personnel will be eligible for separation in the
next 12-24 months. The Navy is currently offering reenlistment bonuses
and anticipates a Special Duty Assignment Pay authorization in FY-18
specifically for Interactive On-Net Operators. The Navy is working
diligently to continue to grow a competent, educated and effective
Cyber workforce from within but many Cyber positions require experience
and years of formal education that is very difficult to fill with
military members, necessitating filling these positions with civilians.
The Navy has worked a plan and identified specific work roles, within
the Cyber Mission Force, that would be beneficial if civilianized. The
current government pay scale makes it extremely difficult to compete
with industry and hire the personnel required to fully man our Cyber
workforce with the talent needed. Cyber Tool Developers (programmers)
have been the hardest positions to fill due to their high demand within
all services, agencies and industry. DOD provides programs allowing
recruitment and retention incentives but these programs are typically
not funded and the processes are cumbersome.
LTG Nakasone. Military Cyber Talent: We are not currently
experiencing difficulty in recruiting service-members with cyber and
computer expertise who meet physical standards. The Army has not had
difficulty in meeting its military recruitment numbers for cyberspace
personnel. However, we often miss out on identifying highly technical
talent early in the recruitment and development process. If recruited,
soldiers are put on the traditional military training track before
their talent is recognized. We must do a better job in recognizing
talent early-on in the recruiting process. Civilian Cyber Talent: I am
concerned, however, about the shortfall in the combined civilian and
military cyber workforce. As emerging threats to our data and security
systems increase, the demand signal for an experienced cyber workforce
has never been greater. The reality is that we must compete for talent
from the same pools of personnel being recruited by the top private
sector companies outside of the defense mission. In both the civilian
and military cyber workforce we do find varying degrees of difficulty
in recruiting select skillsets for our cyber forces. The hardest
positions to recruit are interactive on-net operators, exploit
analysts, and software engineers. Software engineers are the primary
catalyst for enabling cyber missions conducted by the operators and
exploit analysts, so we must develop innovative ways to recruit these
highly talented individuals into the Army. Also, individuals with
skillsets associated with reverse engineering represent the smallest
portion of the current cyber workforce and are therefore challenging to
recruit. We view expanded recruiting efforts and partnerships with
leading universities and the private sector as essential to building a
successful pipeline for the future.
Maj. Gen. Weggeman. With the growing threat in cyberspace, it is
imperative that our nation, as a whole, matures its cyber workforce. I
would say I am more concerned with a shortfall in our overall national
cyber workforce. The skills we look for in the Air Force are also
highly sought-after throughout the United States Government and the
private-sector.
High-end software developers/coders are extremely competitive given
private sector demand and compensation.
MajGen Reynolds. Demands for a skilled cyberspace workforce have
outpaced supply, creating a very competitive environment. One of the
key requirements to grow and maintain an effective CMF is our ability
to hire and retain the highest quality cyberspace professionals.
In workforce management, we are being challenged by policy issues
as well as the increasing demand for workers with cyber experience in
industry and government. Private industry remains an attractive
prospect for our cyber personnel with salaries and incentives we cannot
compete with. Once implemented, the Cyber Excepted Service (CES)
civilian personnel system described in the NDAA FY2016, section 1107
will enhance the Department's cyber defense and offensive mission
effectiveness.
The recruitment of recently retired or separated service members
that are cleared and fully trained has become substantially more
difficult after the expiration of policy suspending the 180-day cooling
off period required before taking a government position under the
National Defense Authorization Act of Fiscal Year 2017, typically
leading candidates to seek jobs in the private sector.
Recently, the Office of Personnel Management (OPM) approved an
increase in recruitment and retention incentives from 25 percent to 50
percent for MARFORCYBER Headquarters, MCCYWG, and MCCOG. OPM and DOD
worked with MARFORCYBER to better understand our hiring concerns and
issues related to losing highly trained cyber talent to private
industry. MARFORCYBER and NSA are the only two organizations in DOD
currently with this authority.
On the uniformed side, we are successfully leveraging our Reserve
forces to help close manpower gaps. This capability has given us a
tremendous boost, with Reservists agreeing to come on orders for
anywhere from one to three years.
To assist in our ability to retain our cyber talent, we are moving
forward with the creation of a cyberspace occupational field. We have
learned a great deal in the past several years about the training,
clearance, and experience requirements across the cyber mission force.
We know that in order to be effective, we must retain a professional
cadre of cyberspace warriors who are skilled in critical work roles,
and we know that many of our marines desire to remain part of the cyber
work force.
9. Senator Blumenthal. VADM Lytle, VADM Gilday, LTG Nakasone, Maj.
Gen. Weggeman, and MajGen Reynolds, what are your suggestions for
growing the cyber force? How can Congress assist?
VADM Lytle. We appreciate Congressional efforts in passing section
1107 (Cyber Excepted Service Program) of the FY16 NDAA to improve our
ability to tackle manpower issues. Further, each Service is working
their unique cyber manpower challenges as part of their man, train and
equip responsibilities. The Services have learned and adapted over the
past four years, instituting a number of personnel policy changes to
ensure the success of the Cyber Mission Force and its associated cyber
tactical headquarters. As many of the actions we have taken to fix our
recruitment, training, and retention issues have just begun, we are
closely evaluating progress and will adjust as needed to grow the cyber
force we require.
VADM Gilday. The Navy has taken aggressive measures to hire and
retain the cyber talent needed to operate and win in this threat
environment under current pay scales. However, as the Department of the
Navy identifies the revised missions and associated force structure
needed to reach a 355 ship Navy, the Navy will need to identify the
cyber manpower and capability requirements required to fully support
it. Additionally, the Navy will need to recognize the appropriate
military and civilian workforce mix as it matures to identify the
proper pay scales needed to most effectively support the mission. The
Navy will need to identify education and training requirements and
adequately plan for and implement the developmental programs needed to
ensure our personnel are technically and operationally proficient.
Congress can generally support this transition by ensuring the
expansion of cyber capabilities, educational/training opportunities,
and operational effectiveness through investments outlined in the
President's Budget.
LTG Nakasone. There is increasing competition between the DOD and
the private sector to recruit, train, and develop talent, and it is
critical that the DOD leverage the unparalleled impact of its mission
to recruit this talent. As we continue to build a successful cyber
workforce, we seek to adopt the best practices from the private sector
that are successfully recruiting top talent. Successfully growing the
cyber workforce requires improving how we conduct outreach to technical
talent, providing cutting edge training methodology that adapts quickly
to mission requirements, and implementing proven retention strategies
to keep our top talent. Army Cyber Command is currently exploring pilot
programs to address each of these areas in an effort to create an
environment that recruits and retains high caliber personnel.
Congressional support to date has been a key enabler in the cyber
domain. Specifically, section 509 of the National Defense Authorization
Act (NDAA) for Fiscal Year (FY) 2017 authorized a pilot program for the
Services to direct commission to cyber positions, and section 502 of
the NDAA for FY14 allowed the Services to grant up to three years of
constructive credit to Active component officers with cyberspace
related experience or advanced education. We are confident this will
enhance the Army's ability to attract and more appropriately compensate
individuals with unique cyber skill sets and experience. As we
implement these authorities and analyze the results, we will work
closely with Congress to determine their effectiveness. Further, the
implementation of the Cyber Excepted Service (CES), authorized by
section 1599f of title 10, United States Code, will assist in
recruiting and retaining quality civilian cyber professionals. CES will
allow DOD to pursue market-based pay initiatives to foster competitive
compensation for the recruitment and retention of quality talent. This
flexibility supports the design of incentives and special pay rates
that are necessary to target unique mission locations (e.g., rural or
foreign areas), and specialized skills, education, or certification
requirements. Finally, Congress also provided the DOD with authorities
to assist in the hiring and development of cyber personnel. For
example, the direct hire authority in section 1106 of the NDAA for FY17
allows us to fill vacancies faster without application of veteran
preference and by eliminating competitive examining procedures; section
1104 provides for public-private talent exchanges; and section 1103
expands civilian training authorities, allowing us to provide more
educational and training opportunities to that component of our
workforce. Once the implementation of CES is complete, we will be able
to better identify areas where Congress can assist.
Maj. Gen. Weggeman. The Air Force is currently undermanned relative
to the totality of the missions the nation expects us to execute. With
that said, cyber is a high-demand, low-density field where the demand
is only going to increase. You don't have to look far to see cyberspace
in the national and global conversation. Our nation is actively under
attack in/from/thru cyber from a multitude of adversaries today. My
focus for the future of the cyber force is to deliver a coherent,
integrated workforce laser-focused on lethality in the information
warfare domain supporting our service's missions as our nation's
sentinels for Air and Space.
Congress can assist by providing budget stability to ensure timely
and adequate resources for critical capabilities essential for cyber
force readiness across all mission areas.
MajGen Reynolds. On the civilian side, policy that exempted
cyberspace positions during the recent hiring freeze was helpful in
supporting our civilian workforce growth. However, the recruitment of
recently retired or separated servicemembers that are cleared and fully
trained has become substantially more difficult after the expiration of
policy suspending the 180-day cooling off period required before taking
a government position, typically leading candidates to seek jobs in the
private sector.
In order to grow the uniformed Cyber Mission Force long term, we
need to grow civilian cyber education across our population. Today's
generation of marines join with a superb knowledge of information
technology compared to the older generation; however, they still lack
the understanding needed to operate within the Cyber Mission Force.
Incorporating cybersecurity, networking, and computer languages into
curriculum starting at a younger age will give the Services a pool of
highly skilled candidates to recruit. Those who choose not to serve
within the military will benefit the country as a whole.
Additionally, Congress can apportion for a targeted loan
forgiveness program for graduates of one of the National Center of
Academic Excellence in Cyber Operations or Center of Academic
Excellence in Cybersecurity who join any of the Services. These
graduates would fill our officer corps with the expertise needed to
operate in this difficult domain.
10. Senator Blumenthal. Maj. Gen. Weggeman, Admiral Rogers
specifically mentioned the Air Force is not where it needs to be
regarding cyber recruitment and retention when he testified before this
committee earlier this month. Admiral Rogers noted that he has
discussed this issue with General Goldfein who acknowledged the
problem. Why is this? What are you doing to improve? How are you
working with CYBERCOM to address the issue?
Maj. Gen. Weggeman. Across the Air Force, I have yet to see any
data that indicates we currently have a recruiting or retention issue.
Although we have not seen any significant signs for concern, we must
remain vigilant and stay in-tune to our airmen's personal and
professional development needs and balance them against the operational
mission needs of our service.
As the Commander of Air Forces Cyber, we have focused intensely on
improving our human capital management within our Cyber Mission Force
(CMF) teams. Since 2015, we have seen a consistent reduction in
attrition out of CMF. In August 2016, I implemented an attrition policy
which required commanders to obtain my approval prior to removing a
member from a CMF team. We have also increased our reutilization by
instituting a back-to-back CMF tour policy. We are taking a
conscientious and deliberate approach to our force management to ensure
we have cyber-minded airmen who can effectively integrate cyberspace
capabilities and effects at the strategic, operational, and tactical
levels.
My current 24 AF command responsibilities do not extend to service
recruiting and retention policies/practices. These are HQ Air Force
functions (SAC-CIO A6/A1). CYBERCOM has no role in these service title
10 organize, train, and equip functions.
[all]