[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]

[H.A.S.C. No. 113-17]

INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY ISSUES TO SUPPORT THE FUTURE FORCE

HEARING BEFORE THE SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES OF THE COMMITTEE ON ARMED SERVICES, HOUSE OF REPRESENTATIVES, ONE HUNDRED THIRTEENTH CONGRESS, FIRST SESSION

HEARING HELD MARCH 13, 2013

U.S. GOVERNMENT PRINTING OFFICE, 80-187 PDF, WASHINGTON : 2013

SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES

MAC THORNBERRY, Texas, Chairman
JEFF MILLER, Florida
JOHN KLINE, Minnesota
BILL SHUSTER, Pennsylvania
RICHARD B. NUGENT, Florida
TRENT FRANKS, Arizona
DUNCAN HUNTER, California
CHRISTOPHER P. GIBSON, New York
VICKY HARTZLER, Missouri
JOSEPH J. HECK, Nevada

JAMES R. LANGEVIN, Rhode Island
SUSAN A. DAVIS, California
HENRY C. "HANK" JOHNSON, Jr., Georgia
ANDRE CARSON, Indiana
DANIEL B. MAFFEI, New York
DEREK KILMER, Washington
JOAQUIN CASTRO, Texas
SCOTT H. PETERS, California

Kevin Gates, Professional Staff Member
Tim McClees, Professional Staff Member
Julie Herbert, Clerk

CONTENTS

CHRONOLOGICAL LIST OF HEARINGS, 2013

Hearing: Wednesday, March 13, 2013, Information Technology and Cyber Operations: Modernization and Policy Issues to Support the Future Force (page 1)
Appendix: Wednesday, March 13, 2013 (page 27)

WEDNESDAY, MARCH 13, 2013

INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY ISSUES TO SUPPORT THE FUTURE FORCE

STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Langevin, Hon. James R., a Representative from Rhode Island, Ranking Member, Subcommittee on Intelligence, Emerging Threats and Capabilities (page 1)
Thornberry, Hon. Mac, a Representative from Texas, Chairman, Subcommittee on Intelligence, Emerging Threats and Capabilities (page 1)

WITNESSES
Alexander, GEN Keith B., USA, Commander, United States Cyber Command (page 6)
McGrath, Hon. Elizabeth A., Deputy Chief Management Officer, U.S. Department of Defense (page 5)
Takai, Hon. Teresa M., Chief Information Officer, U.S. Department of Defense (page 3)

APPENDIX

Prepared Statements:
Alexander, GEN Keith B. (page 62)
Langevin, Hon. James R. (page 31)
McGrath, Hon. Elizabeth A. (page 54)
Takai, Hon. Teresa M. (page 33)

Documents Submitted for the Record:
[There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:
Mr. Thornberry (page 77)

Questions Submitted by Members Post Hearing:
Mr. Franks (page 87)
Mr. Langevin (page 84)
Mr. Rogers (page 85)
Mr. Thornberry (page 81)

INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY ISSUES TO SUPPORT THE FUTURE FORCE

House of Representatives, Committee on Armed Services, Subcommittee on Intelligence, Emerging Threats and Capabilities, Washington, DC, Wednesday, March 13, 2013.

The subcommittee met, pursuant to call, at 3:46 p.m., in room 2212, Rayburn House Office Building, Hon. Mac Thornberry (chairman of the subcommittee) presiding.

OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM TEXAS, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES

Mr. Thornberry. The subcommittee hearing will come to order.
I appreciate our witnesses and guests and their patience. There are some days that just don't work very well, and this is certainly one of them. I will ask unanimous consent to put my opening statement in the record and yield to the gentleman from Rhode Island for any comments he would like to make.

STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES

Mr. Langevin. Thank you, Mr. Chairman. I want to thank our witnesses for appearing before the subcommittee today. This is obviously an important hearing as our national security is dependent on our information systems, and those networks are critical to all aspects of our defense. Yet, one only needs to look at recent headlines, even of the day, to understand the unrelenting and sophisticated threats that we face in the cyber domain.

Now we continue to see just how vulnerable such networks are in other sectors of our society, at a potential cost of billions lost to cybercrime, and we know our defense networks are at even greater risk. So obviously, though, they must be fail-proof and secure.

Now we are still waiting for this year's budget, but I believe it is safe to say that IT [information technology] represents a large piece, $33 billion last year for that matter, and that is a significant figure. And we must be ever mindful of our responsibility to make the most effective use of taxpayers' investments in these capabilities.

Now we are aware that the Department has experienced some challenges in acquiring certain IT systems and services in the past. So today, I would like to hear what steps we are taking to tackle those challenges in order to get the connectivity we need at a reasonable price.
DOD [Department of Defense] cyber operations are quite literally a growth business, and it is one of the rare portions of the DOD that will be growing indefinitely into the future; and there have been significant developments in just one year since our last posture hearing. Now we are starting to get answers to some of the questions about how and when the United States might conduct the full range of military cyber activities, and I would like to discuss that today to the extent that this forum allows.

And I understand that Cyber Command [CYBERCOM] is beginning to organize itself into mission teams, which is an exciting step. But the manpower cost is enormous and the education and training requirement significant. This is going to take, obviously, a lot of work to get right. I would be greatly interested to hear our panelists' thoughts on how we refine the education, recruitment, retention and training of the highly specialized personnel that we need. And I would also like to hear how CYBERCOM is interfacing with combatant commanders to provide its unique capabilities wherever and whenever they are needed.

Lastly, there are two other areas of vulnerability that I want to address today. The first is supply chain security for our IT systems. Now we could get IT functionality perfect and a robust defense of networks in place and still be at risk of compromise from counterfeit components as well as unknown design specifications within an approved component, particularly, also looking at things like zero-day exploits which we know our adversaries make extensive use of.

So the second is the vulnerability of our critical infrastructure to cyber attacks. DOD relies on these services but they are defended by other Federal agencies or departments, or not at all. So I mention this frequently because I want to make progress in the effort to close these gaps. And today is another opportunity to see where we are on this matter.
So with that, again, I want to welcome our witnesses here today. Before turning it over to you--back to you, Mr. Chairman, I just want to take this opportunity to congratulate General Alexander in particular. Grandchild number 15 was born today. A grandson. And General, I just want to congratulate you and your family on the addition to your family.

[The prepared statement of Mr. Langevin can be found in the Appendix on page 31.]

General Alexander. It is probably more than----

Mr. Langevin. Thank you. And congratulations again, General. And I yield back, Mr. Chairman.

Mr. Thornberry. And then what State was he born in?

General Alexander. Texas.

[Laughter.]

Mr. Thornberry. Thank you. I just want to get that on the record.

Mr. Langevin. Point well taken.

Mr. Thornberry. And I appreciate the gentleman's comments. And just as an administrative note, I want to remind members that next week, we have our first quarterly cyber operations briefing which is similar to the counterterrorism quarterly updates that we have been receiving. This is a new provision in the Defense Authorization Act, and we will have that classified briefing next week.

Without objection, all of your statements will be made a part of the record. And we would appreciate your summarizing them. We again appreciate our witnesses, the Honorable Teresa "Teri" Takai, Chief Information Officer of the Department of Defense; the Honorable Elizabeth McGrath, Deputy Chief Management Officer at the Department of Defense; and General Keith Alexander, Commander of USCYBERCOM. Thank you all for being here. Ms. Takai, you may summarize your statement.

STATEMENT OF HON. TERESA M. TAKAI, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF DEFENSE

Ms. Takai. Good afternoon, Mr. Chairman and distinguished members of the subcommittee. Thank you so much for giving us the opportunity to testify today on the importance of information technology to the transformation of the Department of Defense.
I am responsible for ensuring the Department has access to the information, the communication networks, and the decision support tools needed to successfully execute our warfighting and business support missions. The Department's IT investments support mission critical operations that must be delivered in both an office environment and the tactical edge. Just to give you some perspective on the size and scope of what we cover, we operate in over 6,000 locations worldwide. And we support the unique needs and missions of three military departments and over 40 defense agencies and field activities, and our services are used by 3.7 million people.

Included in the overall IT budget are the Department's cybersecurity activities and efforts that are designed to ensure our information systems and networks are protected against the ever-increasing cyber threats the Department and the Nation face. We are undertaking an ambitious effort to realign and restructure our ability to provide better access to information, improve our ability to defend and keep pace. This effort is the Joint Information Environment [JIE].

The Department is aligning its existing IT networks into a Joint Information Environment that will define how we are restructuring not only our networks but our computer centers, our computing networks and cyber defenses to provide a singular joint cybersecurity approach that is common across the classified, secret, and coalition networks. This is in contrast to today's networks in which each military department differs in its approach and design in cyber defense.

The ultimate beneficiary is the commander in the field. The consistent network in IT and security architecture will enable innovative information technologies that keep pace with today's fast-paced operational requirements. Our standard security architecture will enable cyber operators at every level to see who is operating on our networks and what they are doing.
This will enable a synchronized cyber response. And I am sure General Alexander will be speaking more to you about this in his words. The consolidation of data centers, operations centers and help desks will enable timely and secure access to the information and services needed to accomplish their assigned missions, regardless of the location. As we have refined the JIE concept, we have concluded that we can achieve all of the Department's cybersecurity goals but just as importantly, still have better joint warfighting decision support, better operational and acquisition agility, and also importantly, better efficiency.

On cybersecurity we are focused on ensuring that the essential DOD missions are dependable and resilient in the face of cyber warfare. The first of the efforts that we will embark on as I have mentioned is JIE. The second effort is our deployment and use of cybersecurity identity credentials for all users of our secret network. We are currently deployed on our unclassified network and we will complete the classified network this year. The next is continuous monitoring. This will allow us much faster detection and remediation of mission vulnerability across the millions of computers that are in our networks, give us a chain of command and accountability tool, and will give the Cyber Command better ability to set remediation priorities.

The fourth effort as was mentioned is our supply chain risk management. Globally sourced technology provides real benefits to the Department but it also provides the opportunity for potential adversaries to compromise our missions through subversion of the supply chain. The Department recently issued policy that makes permanent the Department's efforts to minimize the risk to DOD missions from this vulnerability. And lastly is our successful voluntary cyber information-sharing efforts with the Defense Industrial Base.
We have 78 participating companies which represent a majority of our acquisition spending in the Department. We share classified and unclassified cyber threat information and companies that have been participating said that the program has significantly improved their cybersecurity efforts. We are also partnering with security service providers, for those companies that choose to use that service, they will have additional classified threat information.

I would like to conclude by mentioning a few other efforts that we are working on. We have a new focus on the development of secure communications for Presidential and senior leader comms [communications], nuclear command and control, and continuity of government. We are working with other Federal agencies to ensure that we have the ability to communicate at all times. We are also working to ensure that the Department's position, navigation and timing infrastructure is robust. Next, my office recently issued the DOD commercial mobile device strategy and implementation plan which allows us to use commercial mobile devices in both a classified and unclassified environment.

And finally, spectrum has become increasingly important not only to the Department's mission but to consumers and the economy of the Nation. While fully committed to the President's 500 megahertz initiative, it is important that we balance the use of our finite radio spectrum to meet national security requirements as well. Thank you so much for your interest in our efforts and I look forward to taking your questions.

[The prepared statement of Ms. Takai can be found in the Appendix on page 33.]

Mr. Thornberry. Thank you, Ma'am. Ms. McGrath.

STATEMENT OF HON. ELIZABETH A. MCGRATH, DEPUTY CHIEF MANAGEMENT OFFICER, U.S. DEPARTMENT OF DEFENSE

Ms. McGrath. Thank you, Mr. Chairman. Good afternoon. We really appreciate the opportunity to discuss with you the progress that we have made in the defense business operations.
We feel they are critical enablers of our national security mission and our goal is to ensure we have effective, agile and innovative business operations that support and enable our warfighters. This work spans every organization in all functional areas. Our goals are to optimize business processes and identify key outcome-based measures. Here, information technology is a key enabler. Over the past number of years, attention to this issue has steadily increased and Congress has been instrumental in shaping the governance framework and supporting processes the Department uses to oversee these efforts. And we thank you for that.

My written statement provides updates on our integrated business environment framework; therein you will see evidence of the maturation of our Business Enterprise Architecture and some of the recent successes and challenges in the implementations of our largest IT systems. I will take a few moments to highlight a few of the points.

First, Section 901 of the 2012 National Defense Authorization Act included significant changes to the Department's investment management process for defense business systems. We established a single Investment Review Board which we execute through a Defense Business Council which replaced five separate functionally based boards. It also significantly expanded the scope of the systems to be reviewed by the board to include those in sustainment. Previously, it was simply modernization and development. This new investment process allows the Department for the first time to holistically manage the entire portfolio of business systems in a deliberate and organized manner. This legislation is truly serving as a catalyst for dramatic improvements across the defense enterprise. We now have functional strategies that articulate goals, outcomes, expectations, standards, mandatory solution across business lines.
Military departments and defense agencies all must align with execution plans to these imperatives across their IT portfolio. As an example of the Investment Review Board's value, we identified approximately 10 percent of the systems reviewed as legacy systems that will be retired over the next 3 years. And we are using this process to both ensure architectural compliance and business process reengineering.

Second, I would like to highlight the ongoing work to improve the implementation of some of the Department's most visible defense business systems, our Enterprise Resource Planning systems or ERPs. The Department is committed to learning from its successes and failures as well as learning from the findings from the Government Accountability Office and the Inspector General. In addition to a number of ongoing initiatives to improve specific aspects of our implementations, I have over the last 6 months undertaken a substantial effort to work with industry leaders to fully understand and define the leading root causes of program successes and failures across the dimension of cost, schedule and performance. Our findings reinforce the need to focus the Department on quality upfront work extremely early in a program's life cycle to include ensuring clarity of requirements, quantifiable business cases. As a result of this work, I have directed a number of actions across the Department. While we have certainly faced challenges, the Department is making steady progress in this area including having now successfully fielded a number of Enterprise Resource Planning systems.

In closing, the Department remains committed to improving the management and acquisition of IT systems as well as our overarching business environment. These issues receive significant management attention and are a key part of our enterprise strategy to build better business processes that will create lasting results for our men and women in uniform and the American taxpayer.
I look forward to your questions.

[The prepared statement of Ms. McGrath can be found in the Appendix on page 54.]

Mr. Thornberry. Thank you. General Alexander.

STATEMENT OF GEN KEITH B. ALEXANDER, USA, COMMANDER, UNITED STATES CYBER COMMAND

General Alexander. Chairman, Ranking Member, I would read my statement but you know I can't read so I am just going to give you the highlights from that. And I know both Ms. Takai and Ms. McGrath can read really well. Perhaps you should read my part.

What I want to hit is a few things that I think it is important for the committee to know. First, you all know we have great people. We are getting great people both in our staff and the service components that are building the teams that we need. And issues come up with sequester especially for the civilian folks; having to furlough those people that we are bringing in sends a wrong message. Further, the continuing resolution compounds our ability to actually conduct the training missions that we need to bring these teams on board.

We talked a great deal about the threat. You know what is going on in Wall Street, what has happened over the last 6 months. What happened in Saudi Arabia with Saudi Aramco, the threat is real and growing. From our perspective, we need to be prepared for attacks against our Nation in cyberspace. In order to do this, we do it as a team. And that team includes DHS, Department of Homeland Security, FBI [Federal Bureau of Investigation] and, of course, DOD. DHS has the resilience and recovery just like it would in a kinetic operation. And it is the public interface for our industry. FBI would lead investigations, look at who is doing this inside the United States; they are the domestic handler. And DOD has responsibility to defend our Nation from an attack, to support the combatant commands and their operations in planning, defend the DOD networks and other networks as authorized.
We have created roles and responsibilities between Secretary Napolitano, myself and Director Bob Mueller, we all agree on that, it has gone to the White House. I think that helps lay out the plan for how we can work with you in establishing legislation for the future. And I can talk to legislation and questions if that comes up.

When is civil liberties and privacy upfront here? We know how important that is. We can protect civil liberties and privacy in our networks. This isn't one or the other, it is both. And I think we can do both. And to understand that, I think we need to get into technical details. I won't do that here, but you know we have the capacity to do that. And I just encourage you to look at the facts in this as we go forward.

Five things that we are looking at from my perspective in setting up Cyber Command and the teams that we have. First and most important are people, building and training a ready workforce. The second thing, command and control and doctrine, we are establishing that and how we work with the combatant commands that I can answer more, Congressman Langevin, to your question later on about how we work with the combatant commands. Situational awareness--how do you see what is going on in cyberspace and how do you react to it. A defensible architecture, I think this is absolutely vital, especially for the Defense Department. Today, we have 15,000 enclaves. It is very difficult to defend and get situational awareness around that. We need to go to the Joint Information Environment, something that we work very closely with Ms. Takai and her folks. And finally the authorities, policies and standing rules of engagement. Those are vital for the future and we need to work with you to get those right.

That is a quick summary of my 26-page written--and so, Mr. Chairman, I turn it back to you.

[The prepared statement of General Alexander can be found in the Appendix on page 62.]

Mr. Thornberry. Thank you.
I think that may be a record on shortness of your testimony. Let me just start by asking about a couple of things. General Alexander, I think the statements you just made that there is a role for the military, especially Cyber Command, to defend the country in cyberspace. I think that is a step beyond where we have been in previous years' hearings. Can you tell us a little bit more about how that--where we are in that discussion? Exactly what should we expect the military to defend us against and what sort of circumstances? And then what are the sort of circumstances that industries or us as individuals are required to defend ourselves?

General Alexander. So there is two parts to this, to your question. And I will give it to you as accurately as I can from my perspective and then show you where the range of options that the administration and the Defense Department have to look at.

First, I think it is reasonable that we the American people know that when our Nation is under attack, whether it is physical attack or cyber attack, that the Defense Department will do its part to defend the country. It is not going to just defend itself. Our job is to defend the country. And the focus would be, obviously, on critical infrastructure just as it would in kinetic and other things. The issue becomes when does an exploit become an attack and when does an attack become something that we respond to? Those are policy decisions and the red lines that go to those would be policy decisions. Our job would be to set up the options that the President and the Secretary could do to stop that. And as you may recall, both the former President and the current President have both said that they would keep the options open in this area. I mean, I think that is reasonable, from using State Department to demarche all the way over to kinetic options or cyber. So they have that whole range.
What we are building is the cyber options that would fit that tool kit for the administration and policymakers to determine exactly what to do. As an example, it is reasonable to expect that we would have the ability to stop a distributed denial of service attack, and so creating the tools and capabilities of that, which would get into the classified area, you would expect that we would actually go and work with our teams to do that. And those are the kinds of things that we do. So how do we defend the country in that? What kinds of capabilities that we need? We have laid that out in great detail. And I think the training on that is superb.

Mr. Thornberry. Just to make an editorial comment. I appreciate your point that the authorities, policies, rules of engagement are key to deciding how to use the tools that your folks have evolved. My opinion is that the more the administration consults with Congress, the more we can make these decisions out in the open, the better result we will have and in addition, the more you will have the support of the American people. The more that is kept secret with some White House meeting or White House paper that is hard to access to, the more suspicions there will be about what the government is really doing. So I know that is kind of a different realm from yours but I think the circumstances under which the government will act and how it will act and who will act are important to be as public and transparent as we possibly can.

Finally, let me ask, Ms. Takai, I have got this Defense Science Board study that came out in January that basically concludes, we cannot be confident that our critical information technology systems will work under attack from a sophisticated actor. I mean, I am sure you have seen it. Can you just make a comment about whether you think this Defense Science Board study got it right about our vulnerabilities?

Ms. Takai. Well, I think, first of all, any independent report like that is useful because it does give us an independent view of a way of looking at our vulnerabilities. The report is a year old at this point in time and it really is--it does precede several of the actions that General Alexander has taken in terms of looking to remediate. It also does not consider some of the actions that we have been taking to change our cyber defense approach from looking at how we protect the perimeter and how we just protect networks to actually how we look at it from a mission perspective. So what we have done is ahead of actually the Defense Science Board report coming out, those are the same areas that we have been looking at. Those are the same areas that we are looking for remediation actions and some of the things that I described in my testimony are really a step toward actually moving forward to address some of those issues.

Now, the challenge is you are never 100 percent. And so, I think the point around, really, looking at it from a mission perspective is important because we need to be sure that we are prioritizing from the standpoint of where we put our resources, looking at it from the most critical areas and making sure they are secure.

Mr. Thornberry. If your folks look at this and think it appropriate, I would appreciate in a written answer some more updates as to how far you think we have come in addressing the shortfalls that they identified here.

Ms. Takai. Yes, sir. Absolutely. General Alexander and I are actually working on that document, so we would be happy as we get that developed to provide that to the committee.

[The information referred to can be found in the Appendix beginning on page 77.]

Mr. Thornberry. Thank you. Mr. Langevin.

Mr. Langevin. Thank you, Mr. Chairman. Again, thank you to our witnesses. General Alexander, I would just start with you, if I could. More of a follow-on to the chairman's question.
Can you speak to the role of CYBERCOM as defender of last resort in the event upon civilian--in the event of an attack on civilian critical infrastructure? As we know, these attacks move at network speed. And what I want to know is what the, you know, the processes that are put in place in terms of establishing rules of the road so that you know how and when you can respond--if there is an attack on critical infrastructure and CYBERCOM has to step in as the defender of last resort?

General Alexander. So we are working with the Defense Department, the White House, and the interagency to set up those standing rules of engagement, put forward what I will call the way in which we would actually execute some of these. Right now, those decisions would rest with the President, the Secretary. And they would tell us to execute. I think as we go down the road, we are going to have to look at what are the things that you would automatically do, think of this as the missile defense, but missiles in real time. And I think that is an education and learning process that changes fundamentally the way that we have defended the Nation from a kinetic perspective to how we are going to have to defend the Nation in a cyber perspective. So there is a lot to learn there.

Most important on that, one is the team that I talked about. But two is the partnership with industry. And that is where the legislation is going to be important. We cannot see attacks going against Wall Street today. Somebody has to tell us, and if we are going to be able to react to it in time to have favorable results, we need to know that at network speed so that we can react at network speed. So those types of information-sharing and the liability of protection that goes with them is key to this. The other part, you know, you could put under building up standards and helping people get to this, the executive order takes a great step in that direction. I think getting incentives would really help.
So I think there is a partnership here, one within the administration for how we set this up and the rules of engagement, I take the chairman's comments that you put about working together in a transparent way. And the second part is we have got to have that same discussion with industry.

Mr. Langevin. And let me use this as an opportunity to talk about the information-sharing, and give you an opportunity to talk about the, you know, the concerns that people have in terms of information that would be shared with the government. I understand--you and I understand that we are not actually looking at information that would be shared, it is more the bits and bytes, the ones and zeros, the attack signatures that we would be looking for. But I would like to again give you the opportunity for the public to reassure them of what this is, what information would be shared.

General Alexander. Thank you, Congressman, because I do think this is a key point. The issue would be if somebody were throwing an attack at Wall Street, as an example, what we would want to know is the fact of the attack and the type of attack. We don't need to read people's email or see their communications to get that information. The Internet service providers would actually see that. So we could tell them the types of attacks, the types of exploits and those things that the government needs to know. That includes DHS, FBI, NSA [National Security Agency] and the Defense Department, all together need to know that.

What we are talking about is, for example, I use the car going up the New Jersey Turnpike on its way to Rhode Island and it would go through an E-ZPass lane--well, in E-ZPass what happens is the car is scanned. You don't read what is inside the car. You just get the metadata. In a similar way, if a packet were going forward, what the Internet service providers need to tell us is there was a packet, we saw bad software, malicious software in that packet, of the type you were looking for.
We stopped that packet. It was coming from this IP [Internet protocol] address, going to this IP address. And it would be up to FBI if it was domestic to work with the courts to do that or to Cyber Command if it were coming from outside the United States. And so, the bottom line, there is a way to do this that ensures civil liberties and privacy and does ensure the protection of the country. And I think we ought to work towards that and help educate the American people on what we are trying to do here.

Mr. Langevin. I agree and I appreciate you getting that out there. General, if I could, I would also turn our discussion to the new mission teams that are forming within your command. In testimony before the Senate Armed Services Committee on Tuesday, you noted the creation of 13 teams within--with an offensive focus. Can you lay out for us what authority these teams would be operating under and how will they interface with their Intelligence Community colleagues?

General Alexander. Sure, Congressman. The key is we organize the teams into groups. So the teams that you are referencing, those 13 are what I will call the National Mission teams, that would have the mission to counter an adversary who is attacking our country. They are the counter-cyber force. I call that offensive because their job is to stop--like a missile coming into the country, their job would be to stop that and provide options for the White House and the President on what more to do. So they are the folks that would counter any cyber adversary. We also are creating teams to support combatant commanders and their missions and operations, and then we are building teams to operate and defend our networks within DOD and work with DHS and FBI as required. So those are the three sets of teams and the three general missions that they have. And then, we have supporting them, what we call direct support teams that provide the analytic support that we would need for that.
All of this is integrated and works seamlessly with the Intelligence Community and with FBI to ensure we don't have duplication of effort and we are not all operating on the same place in cyberspace so that that is deconflicted.

Mr. Langevin. My time is expired. I will have more questions for the witnesses in round two. I yield back.

Mr. Thornberry. I thank the gentleman. And I think it is helpful that explanation of what offensive means in this context because there is a variety of definitions that people use for that. Dr. Heck.

Dr. Heck. Thank you, Mr. Chairman. I thank all of you for being here. General Alexander, there have been some discussions about the roles of Cyber Command and protecting domestic critical infrastructure. How would that role differ if the attack was coming from OCONUS [outside the contiguous United States] versus CONUS [contiguous United States] and do you have the Title 10 authorities necessary to respond to a domestic attack in real time since you are really the only entity that can defend in real time.

General Alexander. Congressman, thanks, because I think for clarity, from my perspective, the domestic actor would be the FBI. And the FBI, we share our tools with the FBI. They would work through the courts to have the authority to do what they need to do in domestic space to withstand an attack. We have worked very closely together. Director Mueller and his teams are absolutely superb to work with. And we have come up with a way that he would do inside, we would do outside. Now, there may be points in time where you have different--you know, significant attacks where we need to change parts of that. But the key thing is to have him do inside the country. We can support back and forth and do this at network speed. So we are practicing that. I think that is something that we can do. He would work with the courts as appropriate to do his portion of the mission. Outside the country, that is where we would operate.

Dr. Heck.
So you would be comfortable if there was a Saudi Aramco kind of attack that originated from within the United States at U.S. infrastructure, that the FBI would be able to respond and thwart that attack in real time?

General Alexander. Assuming that we could see it because that kind of an attack is a whole different issue. And on that, where we would really depend is on working with the Internet service providers. They would stop that packet initially by some signature that we gave them. And so, that is something that would go to a domain controller that we could stop. I think that is a different set of tactics that you would use versus the distributed denial of service attack where you are trying to take out the bots and the command and control infrastructure.

Dr. Heck. Okay. And then, how is the IC [Intelligence Community] supporting the cyber intelligence needs of DOD? I mean, beyond NSA, what IC organizations are the primary intelligence providers for CYBERCOM?

General Alexander. Well, there are several, of course, the Central Intelligence Agency [CIA], the Defense Intelligence Agency [DIA] and NGA, the National Geospatial Agency. Tish Long and her folks have done a superb job, too. It is kind of interesting. You say, ``Well, what can you see from imagery?'' But there are some great things that you can do by bringing the actual physical infrastructure and overlaying the cyber infrastructure--so all those work. And within the military, DIA has, within our J2, people, at Cyber Command that work at--and of course, NSA has a great foundation of folks that really provide the best support that we have across that technical layer.

Dr. Heck. Thank you, Mr. Chairman.

Mr. Thornberry. Thank you. Mr. Kilmer.

Mr. Kilmer. Thank you, Mr. Chairman. I am particularly interested in workforce issues and how we prepare the workforce to meet the needs within the cyberspace. And I have a number of questions in that regard. And I guess, Ms. Takai, I will start with you.
As CIO [Chief Information Officer] you oversee the Information Technology Exchange Program that is set to expire on September the 30th, which seems like a good opportunity to leverage talent that is already in the workforce to bring industry and the Federal Government together, to knowledge share and learn best practices in cybersecurity. I was hoping you would give a little update on that program's success and then I have a few specific questions therein. Do you feel like enough private companies know about the program and have been able to take part? Can you speak to the advantages of extending and/or expanding the program? Have there been any problems with any aspects of the program that you think, if we looked at continuing it, should be addressed? And then, finally, I know to be eligible, an employee must be a GS-11 or the equivalent or above. Do you think that is an appropriate level or would you think there would be a value in adding additional--involving additional workers in the mix?

Ms. Takai. Well, let me see if I can take all those questions in turn. First of all, I think, we probably do need to expand our communications on that program. The program has been, I think, a great opportunity for us to bring industry technology experts into DOD and likewise, be able to look at where DOD employees can go out into industry to get experience. But to date, we really do need to think about how we expand the program and from a communication perspective. However, I think it is important to note that right now, we have a key individual who has just recently joined my department from Cisco. He is a very skilled, highly capable architect and one that is always difficult to grow. That kind of technical knowledge is something that just takes time. And so, the ability to bring that individual in and have them take a look at the work we are doing on the Joint Information Environment has really been valuable.
So we are really seeing the benefit of the program and therefore it is very important to us to continue the program. I think in terms of some of the challenges that we have had in terms of moving the program forward, it has really been understanding how to get the companies to understand the security requirements and for us to be able to get them in through our fairly long security process. And I think some of that is just a part of it. But I think also we need to be in a position where we can better educate the companies on the kinds of security requirements that we are going to be asking about. And so, we are looking very much to take the lessons learned from the program, to be able to expand it. I think from a level perspective, I think starting at the GS-15s is sort of the--you know, the first level is actually a good place because it does give us the opportunity to go from the GS-11 level up through various levels, you know, into actually an SES [Senior Executive Service] level, which is the more highly skilled folks. So I think starting there is a good place and the program does give us the flexibility then to bring people in at different levels. So we are very excited about the program. As I say, we appreciate the industry participation we have had so far and would very much like to continue the program past the sunset date in September.

Mr. Kilmer. Thank you. Maybe just in follow-up, I would just like to ask more generally what you feel collectively we can do as Members of Congress to help you recruit an adequate number of workers in the cybersecurity realm?

Ms. McGrath. So I can say from a--again, I am more in the business space within the Department and it is always challenging to find skill sets even with the Enterprise Resource Planning and the more modern technological capability. So we are buying commercial-off-the-shelf. It is really educating the workforce to get there.
The Congress has passed legislation to enable us to hire highly qualified experts. I feel the Department has not leveraged the opportunity that we have so far, or to date, as much as we could have, really bringing folks in for a term. It can be 1 to 5 years to work on some of these really sort of hard problems that we have, to ensure that our outcomes are what we need. But we do have actually a very good model in the SECDEF [Secretary of Defense] Corporate Fellows Program where we take our military and send them out to industry for a year at some of the, I would say, best and brightest companies like Cisco and Caterpillar and Google and--so we are not leaving anybody out, but I couldn't possibly mention them all. Because they are already cleared, they have, I will say those kinds of requirements already met and it seems to be an easier transition from within the Department for our military externally, but I would wholeheartedly welcome, you know, anything we could do to advance the communication because I think it helps certainly in the business space with the activities we have under way.

Mr. Thornberry. Mr. Peters.

Mr. Peters. Thank you, Mr. Chairman. Just maybe a follow-up on that. I think, General, it was you who may have told us a few weeks ago about some of the difficulties you were having recruiting talented individuals in light of the budget uncertainty that we had. That perhaps, people are coming to you and saying--I heard this at one testimony I think it was you--saying, ``Gee, you know we can't really depend on this for a career if we don't think that Congress is behind it.'' Last week, we took an action to relieve some of the pressure, perhaps, on the military side at the House level and that is working its way through Congress. But, do you want to update us, just to follow on Mr. Kilmer's question, how is the uncertainty around the budget or how is the budgeting continuing to affect your ability to recruit the kind of people we need to be our warriors?
General Alexander. So, you have hit it right on the head, Congressman, that what we are getting from some of our people especially those who come from industry, they already take a pay cut coming to the government. And they do this because they are patriots. The issue is they have taken a pay cut and now we are saying, ``Well, you might get a pay cut again and this pay cut will be furlough and we are not sure how that is going to go, or where that is going to be.'' That uncertainty is something that truly complicates their willingness to stay with us. And we don't--we should not do this to them. You know, we are trying to get the great people into cyber. These are technically qualified people. You go out to Google, they are looking for people today. You know, I sat down with the Google HR [human relations] folks. They said, ``Look, we are paying, you know, probably twice as much as you are paying folks'' and they are having trouble getting them. We get them because they want to do something good for the Nation. So as a consequence, I do think we have to, one, give them the certainty. I would just say, two, they are our most valuable assets. You know, it is the people. That is the talent that we need and we need to let them know we care about them, all of us, and we need your support in that.

Mr. Peters. Thank you. Thank you, Mr. Chairman. I yield back.

Mr. Thornberry. Thank you. Mrs. Davis.

Mrs. Davis. Thank you, Mr. Chairman. And I would certainly appreciate that comment because sometimes we have a perception out there that somehow Federal workers are not necessary to make everything work in this country. And I think that we know that that isn't true on just about every level. And so, I appreciate your comments. I wanted to ask about the electronic health records. I know that is not exactly on the agenda right now.
But I wonder if I could do that because we know that recently it was announced that the Department of Defense was going to--no longer are we going to have parallel efforts, I think, in trying to create an interoperable system. And that the Department of Defense was going to try and work with the Veterans Administration [VA]. Can you talk a little bit about that and what is going on? We had had that strategy articulated that they were going to do that, and it is just not clear now, exactly, what we are going to do. I know that the discussion was around trying to cut costs, that we were going to create this common system, but in light of the fact that we are not going to do that, how are we going to create this interoperable system that is going to work?

Ms. McGrath. So I would be happy to take that question. The Department of Defense and Veterans Affairs have been working together over probably 10 years to enable greater sharing of information between the two organizations. So when our military members transition from defense to the VA, that all their information comes with them and we could get out of a more paper-based approach to medical treatment and history. And I think we have made significant progress in terms of sharing the information over big, I'll just say, pipes of interfaces between the two organizations. Both DOD and VA were looking to modernize their legacy environment. And so, back in March of 2011, then Secretary of Defense Gates and Secretary Shinseki of the VA decided to abandon, if you will, either legacy system--so in VA it is VistA [Veterans Health Information Systems and Technology Architecture] and DOD it is AHLTA [Armed Forces Health Longitudinal Technology Application]--and move together jointly for sort of a common system, if you will, although it would probably be a family of systems that enable this capability to happen.
And we moved out smartly and made sure that we were approaching the solution, if you will, with a common architecture, a common data standard which is really key toward interoperability. VA has moved their systems into our DISA [Defense Information Systems Agency], so that we are collocating as much as possible common business practices. Because if you don't have all these things, you are still, I will just say, the IT will only get you so far. And so, the foundational aspects of all these things we agreed to in 2011. What you have heard recently, is the, in December of 2012 the Interagency Program Office had completed an engineering- based or bottoms-up, if you will, lifecycle cost estimate which really put the approach, the affordability of the approach, in question. So the question Secretary Panetta and Shinseki said to the teams was, is there a more economical way to still deliver an innovative electronic health record to our military members and veterans, but it is done in a less risky way. So you reduce the risk, decrease the cost and maintain the schedule that we are on. And that is when the Departments decided to instead of build, if you will, the system piece by piece, to start from a core set of capabilities and build out from a core. So the VA decided to go back to their legacy system, again, VistA. The DOD does not have, right now anyway, a desire to use its legacy system and want to ensure that we have explored all opportunities. So when we are looking at what would our core capability-- would it be the VA's VistA core, VistA as our core? Would we look at--would we have something commercial? The health space has gone, has made tremendous leaps in terms of modernization over years. We want to ensure that we are assessing the capabilities that commercial market brings. And we are right now--we issued a request for information in February. We got all the answer, all the responses in. 
We are evaluating them through our Cost Assessment and Program Evaluation team has the lead for that and they will make a determination whether or not we will go with a COTS [commercial-off-the-shelf]-based solution or a government-based solution by the end of March.

Mrs. Davis. Is it fair to say that we have kind of abandoned, though, the joint strategy?

Ms. McGrath. I think the joint strategy still exists from a data interoperability and integration. If I talk about a military member's health record, I am populating that record from data from different sources. The change in the strategy is really the underlying IT system. We still want to do as much joint as we can from the various applications like immunization, lab, and all the other health-related stuff. And I think that the architecture, again all the handshakes that we made in the beginning in terms of architecture data, those are all still absolutely at the forefront. So there has been certainly a change with the approach to the underlying IT. But there has been no change to our----

Mrs. Davis. I guess what would be helpful to know about that is how is that going to affect the service member. And if they are--it sounds like you are looking at a new acquisition strategy perhaps. And I think we would certainly be concerned about costs involved and kind of, what have we lost I guess, in that time that we were working on all that. So I just wonder maybe we can follow up with those discussions. But I appreciate it because I wanted to just take this opportunity to try and understand better what has happened and how we can move forward.

Ms. McGrath. Yes, ma'am, I would be happy to----

Mrs. Davis. We have spent a lot of time on that.

Ms. McGrath. We have and I would just say that all the infrastructure, the very foundational things that we have been working on since the agreement in 2011, all will be carried forward.
And so, we are not, I will just say, scrapping anything from that perspective; we continue to use those foundational pieces because they are key irrespective of the applications that will ride on top of that infrastructure. But I would be happy to give you more detail.

Mrs. Davis. Thank you. Thank you, Mr. Chairman.

Mr. Thornberry. I appreciate the gentlelady asking about that because I remember very well the hearing we had in the full committee with Secretary Panetta and Secretary Shinseki. And this was the key thing they trumpeted. Never before would we have this kind of cooperation between the VA and the Pentagon with one health record that would follow a service member from the day he enlisted all the way through. And it is discouraging that under the best case scenario it is going to be significantly delayed to have that available as you all work through these various options. I don't understand or underestimate the technical difficulty in doing so. I don't know. It is just frustrating I guess when this was trumpeted as such an achievement; that at least, there is a change in strategy. Ms. McGrath, I am really not trying to pick on you but let me ask you about one other situation that maybe hadn't turned out so well. The Air Force's Expeditionary Combat Support System [ECSS], what happened with that? And what have we learned from it?

Ms. McGrath. I would like to say--and I will very quickly move to the ECSS question. But the two things on the electronic health record. One is the underlying system piece, and sort of the modernization. What we are also focused on is accelerating data interoperability. We have standard data in the Defense Department across the entire organization. Because of the mobility of our military members, the information must be wherever the military member is--that is theater, East Coast, West Coast, does not matter.
The VA--we are mapping the DOD health data dictionary to the VA data so that by the end of this year we will be using standard data between the two organizations and we will be able to populate a military record, an integrated electronic health record, with DOD and VA information. And so I don't want to--I understand the concerns. I have been----

Mr. Thornberry. That is helpful, I appreciate you clarifying that.

Ms. McGrath. And so, we do. We are moving very smartly forward. With regard to the Air Force logistics transformation program, true, not as positive a story. It was a story that began in the 2005 timeframe, and it was laden with I will just call them issues. We had a couple of protests along the way I think that added at least a year-plus to the program. We restructured it in 2009. They didn't meet a 5-year initial operational capability in the 2010 timeframe. So then we put I will just say stronger fiscal controls on the program to make sure that we identified success criteria both from a government perspective and a vendor performance perspective. We also restructured the contract to be more outcome- oriented. And frankly, the program overall was not delivering. And, therefore, we cancelled it in the December timeframe of last year. We have this in terms of this program that has provided many lessons learned as well as some of the other programs, both--some successful--we still learn from these programs and some not, in the area of size and scale this clearly was one of those programs that was way too big. We need to chunk these IT systems, if you will, into smaller capability sets. And so, we are delivering and then adding as opposed to trying to deliver the whole thing at once. Buy in leadership skill sets. And we talked a little bit about cyber skills and I mentioned the skill sets. Data, data quality is huge.
For any of these IT programs, you are really trying to take really old data from old legacy systems, bring them into the new modern, much more tightly controlled environment. We have learned a ton with regard to data. The infrastructure also can't be understated. The work that Ms. Takai is doing with the Joint Information Environment so that we have a much more holistic perspective on the network. How it runs, it is optimized. We find in every program I will just call it too much infrastructure, so it adds to latency and all of these kinds of issues. We have captured all of these, if you will, lessons learned along with some standardization of leading indicators across programs; we weren't managing and monitoring them in a similar way. And we have made those changes so that the program office, us, and us together, can look at really the health of each one of these programs as they move throughout the life cycle.

Mr. Thornberry. Well, to state the obvious I realize, but under the best case scenario we are going to have tight defense budgets as far as the eye can see. And a large amount of money goes to these various IT programs. And obviously we have the same interest that you do, I know, into making sure that the money we spend is spent well and you get something for it. It is particularly--I mean I appreciate the lessons learned, which are important absolutely. But it is frustrating also to spend money and then not have a system that works at the end of the day. Hopefully, the lessons will improve others but it is something we are going to have to continue to get better about, no doubt.

Ms. McGrath. Excuse me, sir, may I add just very quickly?

Mr. Thornberry. Of course.

Ms. McGrath. Because I mean we do share both the desire to get it better and the frustration when it doesn't. And I am constantly looking for ways in how you apply the lessons learned from program A to program B or whatever the next one is.
But I would also say that I don't want to lose sight of some of the capability that has been delivered. And the only data point that I will give you is that in 2009--and when we looked at the amount of money being spent on really we have about 14 of these major business programs. We were highly in a developmental stage. The number of users in these main ERP [Enterprise Resource Planning] programs was about 27,000. Today, those same programs, we have 195,000 users. So we have delivered capability without going through the--I will just say the [word unclear] we tend to talk about, those that are sort of really big, expensive and not go so well. But there has been progress made in terms of delivering supply chain capability, financial capability, and also contracting. And I just don't want to lose that--and I appreciate you allowing me to share that.

Mr. Thornberry. Yes, ma'am. I appreciate it. Kind of continuing on a theme of trying to spend smarter or at least exploring ways, Ms. Takai, the Defense Business Board made recommendations about satellite communications [SATCOM] and recommended that we could make some capital leases in multiple increments of up to 10 years. It has also been suggested that we could lease these satellite services for more than 1 year at a time which is what we have been doing and probably the most expensive way to do it. Can you comment on that suggestion? And is that not something the Department should look at as a way of saving money for the commercial satellite services that we, that the Department depends so much on?

Ms. Takai. Yes, sir. We have seen the Defense Business Board recommendations and we do believe that there is benefit in looking at the cost recovery model that we are using for commercial SATCOM. And it is a requirement that we actually look at that over a multi-year period because of the nature of the industry.
So one of the things that we are doing is to actually put together a cost recovery model that takes into account a multi- year acquisition, to look at what is the best approach so that we can guide programs going forward. We are implementing a converged SATCOM gateway architecture that will help to standardize more on the way that we are buying commercial SATCOM and actually our own SATCOM. We are looking at a plan of action for our own nuclear voice conferencing integration and then looking at--we are actually conducting an analysis of alternative study as it relates to that. One of the challenges for us is that when we look at commercial SATCOM, it is also important for us to look at the security of that commercial SATCOM. And in many cases, we are asking those commercial SATCOM providers to actually provide us capabilities that aren't necessarily the demand from the rest of their customers to the extent that we are looking at it. So that requires some upfront investment for them, and if we are not able to actually commit to a multi-year capability, then we get into a couple of situations, neither of which is good. One of which is we would ask them to take that on and yet at the point in time we want to use it, we no longer have the funding in order to be able to do it. On the other side, we fund it upfront and we aren't necessarily using the capability. That is why we need to look at a different way of the cost recovery model from a multi-year perspective in order to be able to manage the issue that was raised by the Defense Business Bureau.

Mr. Thornberry. Well, if there are additional authorities that you need to look at multi-year procurement of these services, please come and talk to us because I don't see if you are a satellite company how you can meet the Defense Department needs a year at a time particularly given what you just said about enhanced security requirements as part of that.
I don't see how that can ever be done cost-efficiently without looking ahead several years. General Alexander, I am going to take the other side of the argument now. This is a brochure from one of your two hats about commercial solutions for classified. And I guess it is inviting commercial companies to submit their products to see whether it could be used in a classified environment. I mean--and I guess in a general way, is this a new emphasis on making more use of commercial hardware and software in a classified environment? And can we do that in a secure way? Again, thinking back to the Defense Science Board saying we got problems here.

General Alexander. Chairman, I think we can. A couple of areas. If you think about encryption capabilities, going out and getting commercial encryption and making sure that it meets the standards, and we can set the standards based on different encryption levels. We can if we know the company and the way they actually create the capabilities, the tokens. And you can look at some of the DOD cards and stuff that we actually use. We can ensure that it is done right, then there is a great opportunity for us to work with industry. I think this is going to become hugely important as we grow mobile devices that, you know, our spouses will use for banking, need to be secured at a comparable level to the way that we would need to do classified and sensitive operations. So ensuring that the devices have that capability not only helps industry, it helps the government, and I think there are great ways to do it. We look at that in some of the encryption stuff we work with NATO [North Atlantic Treaty Organization] and elsewhere, so I do think it is a great step forward, and industry does provide us some great capabilities.

Mr. Thornberry. Mr. Langevin.

Mr. Langevin. So maybe on that line of commercial, let's talk a little bit about the cloud as where--we seem to be moving more and more toward the cloud.
You know, articles that I have been reading recently have diminished my confidence in the security of the cloud, at least it has called it into question anyway. There have been some high-profile thefts of information from that, in that realm. And yet I know that certainly is something that your operation, General, are looking at moving more into, more in that direction. Let's talk about the security of the cloud. And if we do make a robust change in that direction, you know, what are we doing about guaranteeing security? What is your level of confidence in securing the cloud?

General Alexander. So this has several dimensions to answer that question. I am going to try to hit each of those, and then if you want more information, we can come back. First, when we talk about cloud security versus what we call legacy architectures, the problem that we have with legacy architectures is if you look at the Defense Department's 15,000 enclaves with administrators for each of those enclaves, the ability to patch those networks and set vulnerabilities is at the manual speed. And the problem that that creates if you say that the time a vulnerability is publicly identified until it is done in the Department, it takes way too long because it is done to those 15,000 network parts. We are using the host-based sensor systems to help speed that up but it is not where it needs to be. And your ability to actually see into those enclaves is very difficult. So the first thing that a cloud can give you is the ability to patch those systems almost in real time. You can reach out and patch that network there. Now there are some issues that we have had with the cloud. One of the things that we saw is the cloud systems as we saw them did not have data element-level security tagging capabilities. So in the one that we created, Accumulo, we allowed it to have each element of data tagged and secured at that level, and only accessible at that level.
And there are some exceptional things that we can do in this area that I can go into more detail in another setting that gives you how I think this is more securable than legacy architectures. From our perspective, from our technical perspective, it is much better. It is not perfect. The issue is somebody who hacks into your networks over here, you don't know where they are but they have free--they are free to roam around once they are inside. You just don't know they are there. As you may know, most companies that get hacked in the legacy system don't know about it for 6 to 9 months. I think we can go much further in the cloud and I think you will see that that will far outstrip legacy architectures in security. Unless you come up with an architecture that is completely independent, nobody else can get into. But for what we need it for the Defense Department, we need mobile secure comms [communications]. And when you think about it, think about our ships, our aircraft and our mobile teams out there, they have to talk to something in the mobile environment. They are going to end up talking to the cloud. So we have to fix that cloud environment. I will tell you that what Ms. Takai and her folks are doing with the Joint Staff J6 and our folks on the JIE is a huge step in that direction. It will address all of those types of issues and there is more. You know, I feel like the Ginsu knife guy-- ``wait, wait, wait, there is more''--because, you know, think about what you can do in a cloud that you can't do in a normal system, just to give you a couple of ideas. You can jump your networks, you can jump your databases, like frequency-hopping, that makes your ability to hack into them very, very difficult; and each day down that can be encrypted with a different algorithm depending on the security levels of the people who need access to that data. That is a huge step forward. We are having tremendous success in that area. 
And I think you have seen some of the folks who are working on that. I think you may have talked to some of them, Dave Hurry and some of the others that are really good at that. Mr. Langevin. Well, thank you for the answer. That helps quite a bit. If I could, let me turn now to Ms. Takai. So obviously this is, you know, all of these great technologies that we have ultimately come down to the people. How well they are trained, do they know the capabilities of the systems and so--I know you touched on this a little bit but can you speak further to us about how you are developing the pipeline of cyber and IT professionals in the Department and are there things that we can do better to support you? And I know you have talked on this a little bit, I would like to give you an opportunity to expand on this even further if you would. Ms. Takai. Thank you very much. Well, first of all, let me just give you a synopsis of the actions that we are taking around growing the cyber workforce. The first steps are really around being able to support General Alexander and making sure that as we are growing the cyber capabilities, we are doing it to the requirements of what he feels he needs from the cyber workforce perspective. So it is important that we recognize that the capabilities that we are growing are going to be operational capabilities and we are really focused on that partnership and making it happen. We are putting together that strategy today. The first grouping will be individuals that we have inside DOD and we will need to update our certifications, we are going to need to upgrade our capabilities. And the other thing I think and General Alexander can speak to this even more. It isn't just necessarily technical people that are going to be on these teams. It is going to be a breadth of experience and it is going to really need several capabilities.
Now, just to speak to the technical side of it, we are going to be bringing in and growing the resources from some of the technical people that we have today. The plan is through the Joint Information Environment really as we begin to implement it, we will be able to free up individuals who can then be trained with some of the technical background to be able to move into the cyber defense area much more heavily than they are today. So that is one--number one. And then secondly is we are going to step up our recruiting and with that we are going to have to be more definitive around the career path for the civilians that we hire. Clearly, the military and General Alexander is addressing how the military will be moving folks through. But one of our challenges is we aren't going to be able to rotate people in and out of jobs in the same way, because the skill sets that are required here means we need to have a single career path for these individuals to continue to grow. And that will be an area that we will want to come back and talk with you about because today the way that we do that career development doesn't necessarily allow us to keep people in a single path and move them up progressively, it tends to move them around from position to position. So, that is an area that we will be back to you. The third area is that we are going to have to find a way to be able to recruit individuals at the more senior levels to be able to supplement. We are not going to be able to grow everybody from within. And that is an area where we are going to have to look at our existing programs to see what we can do from a competitive salary perspective. We can get a lot of good people because the national mission is important, but at the same time we are going to have to look at what those sources of individuals would be and that would be as I say not only looking at our university systems and being able to grow them, but also what will it take to recruit some of them from the outside. 
Mr. Langevin. Thank you. Further, you know, to talk about this issue of integration, how are you planning to integrate our total force capability such as those resident in the National Guard cyber units into a comprehensive CYBERCOM approach, particularly with regard to command and control and authorities? Ms. Takai. Let me start and then ask General Alexander to comment on this as well. We believe that the National Guard does provide a great opportunity to actually look at being able to look at other forces. So for instance, particularly in areas like Washington, particularly around Redmond, and in the areas of Silicon Valley, we know already that we have individuals that are in the National Guard that are highly capable. The key thing I think is to make sure that as we utilize the National Guard, we are doing it in not only a uniform way but we are doing it in a way so that we have the advantage in two senses. One is that it is integrated with the entire cyber approach that General Alexander is going to speak to. But second of all, that as we are moving people through there and as we are actually utilizing them in different settings, that again they are going to be operating in the same way, they are going to be able to be integrated rather than them having sort of a separate approach to the way they are doing the training and not be able to call them in when they are needed. But General Alexander, let me have you also talk to how they are going to fit within your teams. General Alexander. Congressman, I would add also the great teams in Rhode Island, Texas and Nevada, just to get all three of them out. Mr. Langevin. The 102nd in Rhode Island. General Alexander. And of course, I know Ms. Takai wanted me to mention those. We sat down with the National Guard a couple weeks ago. We have had our first Guard exercise last summer. We will have another one this summer. As Ms. Takai said, we are training everybody to the same standard. 
My comments to them are, look, your folks have to be trained and certified to the same standards as the Active Force. Our focus would initially be on the cyber protection teams that they would create. And I think they will focus on regional teams. The 10 regions of the Guard, create those teams first, train them and operate them. See what their role and relationship would be working with us, DHS, FBI and NORTHCOM [Northern Command] defense support to civil authorities. There are some great things that we can do. We will also create some offensive teams and some of the Guard units are already doing that. I talked to General Grass today on this topic. He, General Jacobi and I will meet next Tuesday and perhaps we are going to meet right now. That must be him calling in. We will meet next Tuesday to actually lay out a transparent program so the service chiefs see what we are buying. We want to make sure that this is a program the service chiefs sign up to because parts of this are going to be in their budget and we want to make sure that everybody is transparent in what we are getting here. So that is the process. There is a Cyber Guard exercise coming up. I think those are some of the things that you and some of the other members may be very interested in; you are welcome to attend parts of that. Mr. Langevin. Thank you. I am very impressed with the work of the National Guard and as you have mentioned we have the 102nd in Rhode Island that is actively working with various aspects of cyber, particularly with the 24th Air Force. I have had the ability to get down to the 24th Air Force in Texas and visit with General Vautrinot there. And I know that they are working very closely with our Rhode Island National Guard in that respect. General, as always, we thank you for--and your team. Please pass on our appreciation to the extraordinary men and women under your command and also, Ms.
Takai, at the Pentagon, for the work that they are doing, how dedicated they are, it is obviously very important. We want to do everything we can to support you and before I yield back I just want to thank the chairman for his partnership in this effort as well. There are very few people in the Congress--not enough--that focus on this issue of cybersecurity and I know, Chairman Thornberry, how much you put a lot of time and effort into this issue and there is not another Member of the Congress that has worked as hard on this issue as you have, so thank you. Mr. Thornberry. I appreciate it, Jim--obviously, the gentleman has been a leader in this for some time. Dr. Heck, do you have other questions? I just had two more things I wanted to ask about. General Alexander, to the extent you can talk about it in open session, this subcommittee has been interested before on tactical use of cyber in military operations. And I noted that part of your teams, the teams you are creating in Cyber Command, are those teams--some teams to support combatant commanders. And can you in this forum describe how that will work, to whom they will answer, how it will be decided what operations to carry out and whatnot, that sort of thing? General Alexander. Chairman, broadly speaking they are going to work at the strategic level, those combatant command [COCOM] mission teams will be directly focused on the COCOM requirements and answer to those requirements. We will have a deconfliction process that that combatant commander and myself will work together to make sure that if somebody else is working in that space we deconflict it, and that is logical so that you don't have two people working in the same space. That is different than the tactical service teams that we would create. So if you go into Iraq like in the past 10 years and look at what we did for our intelligence teams that support brigade combat teams, that was a huge success. 
In the future, you can imagine that we will eventually grow, at the tactical level, cyber teams that are part of those intelligence teams or working together with them to provide local cyber effects. They would have to be trained to the same standard, deconflict through a theater and others, just as we do other areas. But I think it would provide that. And then you can see that the Air Force and Navy would have tactical and operational level that would nest into what we are building at the combatant command level. So I think they will work as a team, think of that as a cryptologic architecture now for cyber going all the way down. And I think this provides us tremendous capability at the tactical edge. Mr. Thornberry. I fully agree, it does. I guess, what I haven't quite got my mind around is how you deconflict what you think is a tactical operation when there really is not geography in cyberspace. And so the equities that--part of our--my concern has been that if you want to have a tactical cyber operation, you basically have to have a full complement of all the agencies in Washington to hash it all out. And that is not very time efficient for cyberspace and just how that would work on a practical basis. I think we got to work our way through it. It is just something that I have been interested in and we have worked on from time to time. Do you have one---- Ms. Takai, we could not have a hearing without me asking a question about spectrum, because it is such an important part of what goes on. I know there was a recommendation for sharing spectrum as a possible, I don't know solution, but as a possible step that could increase spectrum for anybody. Do you have any comments on that recommendation? Ms. Takai. Yes, sir, and I was wondering whether we would get to the spectrum question or not, so here we are. We actually feel very strongly that it is important that we look at spectrum-sharing as a possibility. 
I think the report that you are referring to is probably the President's PCAST [President's Council of Advisers on Science and Technology] report that suggested that we have to look at spectrum-sharing going forward. We are participating now in five different working groups that are being led by the NTIA [National Telecommunications and Information Administration] to look at different areas of spectrum-sharing. And we actually have had success in spectrum-sharing. We have had an instance where we have been able to actually use and be able to share with a medical device, a medical alert device for some of the areas. So we do believe that there are opportunities. But with that, spectrum-sharing has its challenges. It isn't a new concept; it is certainly just coming to light now because of the severe pressure on spectrum. There are several different ways to do it. One of them is geographic, where you look at exclusion zones. The difficulty for us in certain bands, like the 1755 to 1850 band, is that the exclusion zones would actually be in the same areas that the commercial providers are interested in. So we have to look at that. The second thing is whether we could do it from a time standpoint. But again in 1755 to 1850 which we use very heavily for training in CONUS, that becomes difficult because we can't predict where in fact we are going to be in the timeframe we are going to be using it. So I think it is--there are great opportunities. I think we do need to explore and we are working and have signed some of the first ever MOUs [memorandums of understanding] with some of the commercial companies to actually do some experimentation in certain geographic locations. But I think it is a step beyond where we can, you know, necessarily say we can go to say that spectrum-sharing is going to solve the problem.
It is really a combination of where do we have to vacate, where will we need comparable spectrum, and then where are the areas that we can share now and then going into the future. Mr. Thornberry. Thank you. And thank you all again for your patience and for your brevity. We hit on a wide variety of topics today and that was very helpful. And as the gentleman from Rhode Island said, we appreciate each of you and the folks who work with you and what they do for the country. With that the hearing stands adjourned. [Whereupon, at 5:05 p.m., the subcommittee was adjourned.]
=======================================================================
A P P E N D I X
March 13, 2013
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
March 13, 2013
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
=======================================================================
WITNESS RESPONSES TO QUESTIONS ASKED DURING THE HEARING
March 13, 2013
=======================================================================
RESPONSE TO QUESTION SUBMITTED BY MR. THORNBERRY
Ms. Takai. Response to DSB Report on Resiliency: The Defense Science Board (DSB) report entitled, ``Resilient Military Systems and the Advanced Cyber Threat'' makes a series of recommendations. There is significant effort in the CIO, USCYBERCOM, and NSA mission spaces already happening or planned in each recommendation area. Below are short summaries of the major DSB recommendations, and examples of ongoing and planned work to meet them. This list does not include efforts outside of the CIO/USCYBERCOM/NSA area of responsibility.
DSB Recommendation #1: Determine the Mix of Cyber, Protected-Conventional, and Nuclear Capabilities Necessary for Assured Operation in the Face of a Full-Spectrum Adversary (DSB report page 7).
Secretary of Defense assign United States Strategic Command the task to ensure the availability of Nuclear Command, Control and Communications ([N]C3) and the Triad delivery platforms in the face of a full-spectrum Tier V-VI attack--including cyber (supply chain, insiders, communications, etc.)
Examples of ongoing efforts:
o Multi-level human intervention and off-line launch code authentications
o NSA-produced NC3 Information Assurance (IA) materials
o Stood up the Strategic and National C3 and Intelligence (SNC3I) Joint Systems Engineering & Integration Office (JSEIO) to do end-to-end engineering of NC3
o CIO & USD(AT&L) signed DODI 5200.44 which institutionalizes supply chain risk management in acquisition and sustainment
o CIO & USD(AT&L) assisting STRATCOM in application of supply chain risk management (SCRM) to its key programs
DSB Recommendation #2: Determine the Mix of Cyber, Protected-Conventional, and Nuclear Capabilities Necessary for Assured Operation in the Face of a Full-Spectrum Adversary (DSB report page 7).
SECDEF and Chairman, Joint Chiefs of Staff (CJCS) designate a mix of forces necessary for assured operation . . . . Segment Sufficient Forces to Assure Mission Execution in a Cyber Environment
Examples of ongoing efforts:
o Established Cyber National Mission Force-trained and certified teams
o Implementing the Joint Information Environment (JIE) to improve cyber defense and resilience of unclassified and secret networks for better protected conventional capabilities
o Increased funding for cyber capability development (on-hold for sequestration and Continuing Resolution)
o NSA collection and analysis critical to understanding adversary
DSB Recommendation #3: Refocus Intelligence Collection and Analysis to Understand Adversarial Cyber Capabilities, Plans and Intentions, and to Enable Counterstrategies (DSB report page 8).
SECDEF in coordination with the Directors of CIA, FBI, and DHS, should require the Director of National Intelligence (DNI) to support enhanced intelligence collection and analysis on high-end cyber threats
Examples of ongoing efforts:
o Improving threat information sharing in real-time across USG
o Increased Intelligence Community (IC)/NSA focus on cyberspace operations support
o Increased ``hunting'' on blue networks
o Cyber integrees from NSA/USCYBERCOM at FBI, CIA, and DHS; and vice versa
DSB Recommendation #4: Build and Maintain World-Class Cyber Offensive Capabilities (with appropriate authorities) (DSB report page 9).
United States Cyber Command (USCYBERCOM) develop capability to model, game and train for full-scale cyber warfare. Under Secretary of Defense for Personnel and Readiness (USD(P&R)) establish a formal career path for civilian and military personnel engaged in offensive cyber actions.
Examples of ongoing efforts:
o Established Cyber National Mission Force (Cyber National Mission Teams and Combatant Command Mission Teams)
o Cyberspace operations-focused training exercises (Cyber Flag, Cyber Guard, and Cyber Knight)
o CJCS cyber emergency action conferences
DSB Recommendation #5: Enhance Defenses to Protect Against Low and Mid-Tier Threats (DSB report page 9).
The DOD should establish an enterprise security architecture, including appropriate ``Building Codes and Standards'', that ensure the availability of enabling enterprise missions . . . . The DOD should leverage commercial technologies to automate portions of network maintenance and ``real-time'' mitigation of detected malware . . . .
USD(P&R), in Collaboration with the DOD CIO and the Service Chiefs Establish a Formal Career Path for DOD Civilian and Military Personnel Engaged in Cyber Defense
Examples of ongoing efforts:
o Developed JIE enterprise security architecture for unclassified, secret, and coalition networks
o Migrating all internet-facing servers into a separate zone to isolate and contain attacks
o Improving SIPRNET/Coalition/Federal gateways and NIPRNET/Internet boundary defenses
o Developing a Department-wide Cyber Workforce Strategy that includes military and civilian qualifications and career paths
o Automating continuous monitoring of cyber vulnerability via use of the already deployed Host-Based Security System (HBSS)
DSB Recommendation #6: Change DOD's Culture Regarding Cyber and Cyber Security (DSB report page 10).
Commander, USCYBERCOM and the DOD CIO establish a plan with measurable milestones and flow down to all organization elements.
Examples of ongoing efforts:
o Creating a capstone Cyber Defense strategy document, describing strategic imperatives that will change behavior, culture, operations, and intelligence support (e.g., Defending DOD Networks, Systems, and Data: Strategic Choices for 2020)
o Conducting annual IA training across the DOD
o Simulating ``Phish-me'' exercises and other real life exercises
o Providing each organization and its chain of command an automated cyber risk score via continuous monitoring
DSB Recommendation #7: Build a Cyber Resilient Force (DSB report page 11).
DEPSECDEF should direct specific actions to introduce cyber resiliency requirements throughout DOD force structure.
For programs not part of the segmented force, provide a cyber standard set of requirements (expected to be a subset of the critical program requirements list) to be applied to all DOD programs (USD(AT&L), DOD CIO, SAEs). Develop DOD-wide cyber technical workforce to support the build out of the cyber critical survivable mission capability and rolled out to DOD force structure (USD(AT&L), CIO, SAEs, DOT&E, USD(I), USD(P&R)).
Examples of ongoing efforts:
o DOD CIO and USCYBERCOM identifying key cyber terrain and infrastructure that supports critical C4 systems and assets in order to assure mission execution while under degraded cyber conditions
o Developing Resiliency Framework criteria that helps delineate requirements for contracts and that can be used in the acquisition process
o Creating Cyber security Implementation Guidebook to assist acquisition program managers in successfully implementing cyber security requirements (with AT&L)
o Use of Cyber Ranges for simulated live fire cyber security exercises with active Red Team participation
[See page 9.]
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
March 13, 2013
=======================================================================
QUESTIONS SUBMITTED BY MR. THORNBERRY
Mr. Thornberry. Will you comment on requirements and guidelines being generated by CYBERCOM with respect to an insider threat program? How do you prevent implementation of this policy devolving into a mere ``check the box'' requirement that does little to enhance our security? The FY13 NDAA included language on next generation host-based security solutions and mentioned insider threat mitigation as one of those capabilities that needed to be addressed in this context. Are CYBERCOM's guidelines going to specify that established host-based solutions are required to satisfy the enterprise monitoring and audit requirements?
As a part of your overall risk mitigation strategy, which networks will your requirements cover in terms of Insider Threat Monitoring? General Alexander. USCYBERCOM has developed requirements for implementation of insider threat capabilities on DOD networks in coordination with the National Insider Threat Task Force (NITTF) and the Comprehensive National Cybersecurity Initiative to develop and implement a government-wide Cyber Counterintelligence Plan (CNCI 6) to achieve the objectives described in the FY13 NDAA. These insider threat requirements include auditing and monitoring, insider threat awareness and training, foreign travel and contact reporting, polygraphs, personnel security, evaluation, analysis, and reporting and security incident reporting and evaluation. This provides a comprehensive defense-in-depth strategy for the detection of and protection from the insider threat. In addition, these capabilities will deter malicious insider activity. The comprehensiveness of this approach prevents the policy from becoming a ``check the box'' requirement. USCYBERCOM directives as spelled out in OPORD 12-106 specify that host-based solutions are required to satisfy the enterprise monitoring and audit requirements. All U.S. owned and operated DOD Non-secure Internet Protocol Router Network (NIPRNET) and Secret Internet Protocol Router Network (SIPRNET) networks are covered by these requirements for host- based security and insider threat monitoring. Mr. Thornberry. What progress has DOD made in improving the agility and flexibility of the IT acquisition process? Ms. McGrath. DOD has taken a number of important steps to improve the agility and flexibility of our IT acquisition processes both through policy and through proactive involvement with active IT acquisition programs. A common theme of these efforts has been to tailor the processes to the unique attributes of IT in a way that speeds delivery of capability into the hands of our users. 
One important development has been the adoption of an acquisition model tailored for defense business systems. This alternative acquisition model provides a comprehensive process that aligns requirements, investment, and acquisition processes for defense business systems under an integrated governance framework and focuses on incremental delivery of capability, within eighteen months of program initiation. This incremental approach improves control over cost, schedule and performance requirements. The Under Secretary of Defense (Acquisition, Technology & Logistics) issued implementing policy for this model in the summer of 2011 and the guidance was incorporated into the Defense Acquisition Guidebook in the fall of 2012. This policy is being incorporated into the next update of the DOD 5000.02 acquisition instruction. The Defense Enterprise Accounting and Management System (DEAMS), an Air Force financial management program, was the first program to achieve an acquisition decision under this new policy and we are in the process of transitioning several other major IT programs to this new approach as well. Through the use of this approach, DEAMS has integrated traditionally stove-piped processes and enabled tight integration between the functional sponsor and the program office. We continue to conduct targeted outreach with Program Managers, Functional Sponsors, and Program Executive Officers on this new policy, and are working with the Defense Acquisition University to embed the new process into appropriate curriculum. Mr. Thornberry. In the FY12 NDAA, this committee directed the establishment of an insider threat detection program. Can you please describe the current status of this effort, which is supposed to achieve full operational capability later this year? Ms. Takai. 
DOD has been actively participating in the National Insider Threat Task Force (NITTF) addressing the government-wide insider threat issue--consistent with EO 13587, ``Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information.'' The NITTF issued implementation guidance of EO 13587 via Presidential memo on Nov 21, 2012. Internally, DOD has:
o instituted read/write controls for external secret computer access ports and restrictions and audits of removable media (USBs, etc.);
o driven out anonymity and instituted access control through public key infrastructure (PKI) implementation; and
o improved our ability to detect anomalous or malicious behavior on the DOD's secret network.
  o Provides limited ability to discern data access that signal exceptions to normal data access.
  o Provides full packet capture in order to discern patterns of malicious activity and allow for the investigation of incidents.
Mr. Thornberry. How will the Joint Information Enterprise (JIE) interact with other major IT related initiatives, like the Defense Intelligence Information Enterprise or electronic health records interoperability? Will it be interoperable with the networks of the Intelligence Community? Ms. Takai. The DOD CIO is leading the DOD's IT effectiveness effort to achieve the Joint Information Environment (JIE) and the Director of National Intelligence CIO is leading a similar effort of the Intelligence Community Information Technology Enterprise. Both CIOs share common objectives and end-states, and actively participate on each other's governance boards, standards and architect forums, and Identity Management and data framework forums. Both CIOs recently established a Joint Information Standards Committee (JESC), and a directed policy governing the reuse of standards and specifications between the two communities to ensure interoperability and information sharing.
The Defense Intelligence Information Enterprise (DI2E) is a unifying construct between the Department of Defense, the Intelligence Community (IC), and coalition Intelligence Information Enterprises, and aligns with the Intelligence Community IT Enterprise (ICITE) and DOD Joint Information Enterprise (JIE) policy and strategy. The DI2E Governance Council oversees development and implementation of a DI2E that is standardized, secure, optimized and interoperable, that aligns with DOD, IC and Coalition IT Enterprises. The Council coordinates on similar efforts by the IC Chief Information Officer (CIO), the DOD CIO, and the Defense Information Systems Agency (DISA) to ensure intelligence information integration across all security domains, including top secret, secret, unclassified, and various coalition fabrics. It enables seamless theater intelligence architectures and achieves efficiencies across the Defense Intelligence enterprise by recommending cost saving measures. With respect to electronic health records interoperability, DOD is establishing a Medical Community of Interest (Med-COI) virtual network, under the auspices of JIE and its single security architecture. The Med-COI, using the JIE architectural construct, will provide enterprise services and operate within the secure and protected DOD Global Information Grid (GIG). This capability will support unhindered and timely data access of patient records for DOD and VA clinicians and adjudication of VA Benefit claims. Mr. Thornberry. What role does the Cyber Investment Management Board (CIMB) play in decisions related to the JIE, especially with decisions related to service-specific system and network acquisitions? Ms. Takai. The CIMB is an advisory and management body, established to facilitate cohesion across S&T, requirements, acquisition, R&D, T&E, and sustainment efforts to ensure that cyber warfare investments are effectively coordinated across the Department. 
In this capacity, the CIMB is intended to provide a framework to make resourcing prioritization recommendations consistent with established JIE milestones.

Mr. Thornberry. In discussing the Joint Information Environment (JIE), there seems to be a lot that is aspirational with this construct, but you will be limited by the current network environment that you have. How does DOD plan to get from the current ``as-is'' state to the ideal ``to-be'' state?

Ms. Takai. DOD is continually modernizing its IT infrastructure and systems, and has several ``network'' initiatives on-going (i.e., LANDWARNET, AFNET, NGEN, etc.) that are focused on achieving the same objectives as JIE for the individual Military Services. The JIE effort will leverage their already planned activities and technology refresh cycles to optimize the current network environment to our desired ``to-be'' state from an enterprise perspective. At the enterprise level, DISA has planned upgrades of the Defense Information Systems Network (DISN) consistent with the target architecture for the JIE, to include the replacement of circuit-based switches with IP-enabled technologies, and replacement of legacy transport routing to Multiprotocol Label Switching (MPLS). The detailed solution architectures for the JIE are scheduled for completion in June 2013, and are being incorporated into Component programming activities for FY15 and beyond. The Department's JIE Technical Synchronization Office (JTSO) is developing a consolidated synchronization plan in conjunction with other DOD Components.

Mr. Thornberry. Last year, the House Oversight and Government Reform committee introduced the Federal Information Technology Acquisition Reform Act (FITARA). Are you familiar with this proposed legislation? If so, what thoughts do you have on how this might affect DOD equities?

Ms. Takai. I am aware of some of the provisions of last year's draft bill, as well as the current version that was introduced earlier this year.
I believe because of the complexity of the Department's missions, we will need to examine the legislation carefully to ensure that it does not undo important relationships we have developed between the Office of the Secretary of Defense and the Services and Agencies as well as introduce new or overlapping requirements for the Department for its IT investments.

Mr. Thornberry. Following the termination of the Net-Enabled Command Capability (NECC), what is the Department doing to modernize its command and control capabilities?

Ms. Takai. The Department is executing a sustainment and modernization plan to evolve the current Global Command and Control System (GCCS) family of systems and related command and control programs to improve mission effectiveness, achieve efficiencies, and provide required command and control capabilities to the joint warfighter. Our sustainment and modernization efforts will ensure support to current operational priorities while migrating to objective capabilities described in the recently updated Joint C2 Capability Development Document (CDD).

Mr. Thornberry. How do you plan to address ``Bring-Your-Own-Device'' (BYOD) policy and the use of cloud technologies? Also, how can DOD keep up with the rate of technological change while using the DFAR? Are current acquisition reform efforts sufficient?

Ms. Takai. Bring Your Own Device (BYOD) and portable cloud services are emerging trends in commercial industry. Many issues must be addressed before the DOD can embrace these technologies, such as overcoming existing DOD policy constraints, understanding the various operational use scenarios, examining potential security vulnerabilities, and avoiding potential legal issues that surround BYOD solutions.
My office published the DOD Mobile Device Strategy on June 8, 2012, and the DOD Commercial Mobile Device Implementation Plan on February 15, 2013, with the focus on improving three areas that are critical to mobility: 1) the networking infrastructure to support wireless mobile devices, 2) mobile applications, and 3) a framework that will allow the Department to sustain a commercial mobile solution that is reliable, secure, and flexible enough to keep pace with fast-changing technology. The DOD CIO will continue to monitor BYOD efforts across our Federal Government and, in conjunction with the Digital Government Strategy, will continue to evaluate BYOD options.

Cloud Computing is becoming a critical component of the Joint Information Environment (JIE) and the Department's Information Technology (IT) modernization efforts and will enable users to access data anywhere, anytime on any approved device. One key objective is to drive the delivery and adoption of a secure, dependable, resilient multi-provider enterprise cloud computing environment that will enhance mission effectiveness and improve IT efficiencies. Cloud services will enhance warfighter mobility by providing secure access to mission data and enterprise services regardless of where the user is located and what device he or she uses.

My office recently issued the DOD Cloud Computing Strategy to provide an approach to move the Department to an end state that is an agile, secure, and cost effective service environment that can rapidly respond to changing mission needs. There are two key components of the Department's cloud strategy. The first component is the establishment of a private enterprise cloud infrastructure that supports the full range of DOD activities in unclassified and classified environments and optimizes data center consolidation efforts.
The second is the Department's adoption of commercial cloud services that can meet the Department's cybersecurity and other IT needs while providing capabilities that are at least as effective and efficient as those provided internally. The Defense Information Systems Agency (DISA) is designated the DOD Enterprise Cloud Service Broker to facilitate and optimize access and use of commercial cloud services that can meet DOD's security and interoperability requirements, and ensure that new services are not duplicative of others within the Department while consolidating cloud service demand at an enterprise level. In addition, DISA, as the DOD broker, will leverage the Federal Risk Authorization and Management Program (FedRAMP) standardized security authorization process, including the accepted minimum security baseline for low and moderate information security categorizations, and ongoing continuous monitoring to ensure that appropriate security controls remain in place and are functioning properly.

Current acquisition reform efforts offer opportunities to accelerate the adoption of commercial technologies. In many respects, despite their rapid evolution, mobility solutions are much like other traditional IT systems that empower users and managers with the tools and information they need to execute their missions. Our strategy of integrating well-orchestrated limited deployment pilot implementations allows users and managers to rapidly innovate, mature critical technologies, and resolve integration challenges to swiftly address mission challenges. The Implementation Plan incorporates many of the Services' technology development efforts in a spiral approach with an 18-month acquisition cycle. The Implementation Plan streamlines the certification and accreditation (C&A) process for mobile devices, operating systems, and applications.
Sharing the workload with industry will bring the timeline for C&A down from over 18 months to about 30 days with no reduction in security posture. Though the platforms will continue to evolve, we have the same commitment to systematic acquisition practices that serve the defense community most effectively. We continue to review the mobility acquisition lifecycle for efficiency opportunities.

Mr. Thornberry. Would you tell us how much funding has been set aside to assist DOD organizations in establishing Insider Threat Programs in accordance with the recent Presidential Mandate, Memo, and National Insider Threat Standards? Further, who will be the organization responsible for identifying and distributing the necessary funding to each DOD entity? Who will be on point from your office to ensure the funding is being appropriately spent on the Insider Threat Mission within each DOD entity? Are there additional monies coming from the ODNI or the Office of the National Counterintelligence Executive (NCIX) for Enterprise Audit and Insider Threat missions?

Ms. Takai. The Department initially programmed $162M, FY12-16, in order to satisfy the Executive Order 13587 requirements. The Department is assessing the need for additional resources to address the insider threat as part of our FY 15 budget deliberations. The Defense Information Systems Agency (DISA) and the Defense Manpower Data Center (DMDC) are the responsible implementing agencies for the initial $162M. My office is overseeing implementation of the budgeted and programmed funds provided to date. The Department is developing the necessary policy and responsibilities required under the Presidential mandate issued November 21, 2012. Regarding additional monies, there has been limited funding provided to a number of our Title 50 elements by ODNI and NCIX in FY 11 and 12. We don't anticipate any additional funding from ODNI or NCIX.

Mr. Thornberry. Does the Department have a strategy to leverage commercial cyber security solutions to enable it to benefit from such capabilities as real time, global threat intelligence that has been optimized to work in highly sensitive environments? Who in the Department is responsible for the operational requirements, technical requirements, funding and acquisition? When does the Department plan to start executing against each of these requirements?

Ms. Takai. Yes, for instance, initial funding was secured beginning in FY 14, under the program name ``Zero day Network Defense'' (ZND) which consists of commercial tools to be acquired and deployed in partnership between the Defense Information Systems Agency (DISA) and NSA to provide this defensive capability at the DOD perimeter, and on classified end point systems. While unclassified systems are just beginning to use this technology from commercial vendors, we are currently seeking funding to expand the ZND capability to unclassified networks and develop a Global Reputation Service that will be capable of ingesting information from commercial vendors, as well as government sources. The requirements for this capability were derived from multiple sources, including the Cyber Situational Awareness Initial Capabilities Document with input from all DOD components and agencies.

______

QUESTIONS SUBMITTED BY MR. LANGEVIN

Mr. Langevin. General Alexander, in testimony before the Senate Armed Services Committee on Tuesday, you noted the creation of 13 teams with an offensive focus. Given that cyber in many cases requires preparatory work in order to access the full range of capabilities, how forward-leaning will these teams be? What training will you be providing to the identified mission teams and to other personnel who are being assigned to cyber work? Do you require additional authorities or resources in order to fully train the men and women under your command, particularly with regard to language skills, emulation and red-teaming?
General Alexander. USCYBERCOM identified 42 specific work roles and the standards and skills required for planning and executing cyberspace operations. We worked with the National Security Agency, Service Departments, academia, and the private sector to leverage existing training solutions and created new ones, as appropriate, to train the personnel assigned to those work roles (see Exhibit A for additional detail). Over the next three years we will train the Cyber Mission Forces that will perform world-class offensive and defensive cyber operations as part of our Cyber National Mission Teams, Cyber Combat Mission Teams and Cyber Protection Forces. We do not require additional authorities or resources to train the currently identified cyber professionals.

[Exhibit A is For Official Use Only and is retained in the committee files.]

Mr. Langevin. Ms. Takai, what progress has DOD made in improving the agility and flexibility of the IT acquisition process, and is there additional Congressional action needed?

Ms. Takai. There are unique characteristics associated with the acquisition of information systems that require the use of acquisition approaches different from those normally used by the Department for acquiring weapons systems. All acquisition approaches should be tailored to the nature of the product being acquired. For example, information systems (e.g. business systems) do not require significant technology development like many weapons systems and they do not have the long term operations and support challenges facing most weapons systems. The Department has made steady progress in implementing several of the key approaches for improving the agility and flexibility of the IT acquisition process in the areas of requirements, acquisition, testing and certification and human capital.
Many of these efforts will be captured in the next release of DODI 5000.02, ``Operation of the Defense Acquisition System'' including:

Requirements: The Joint Staff has updated the requirements management process (Joint Capability Integration and Development System (JCIDS)) to include a more streamlined requirements management and approval process for acquisition of information systems.

Acquisition: On June 23, 2011, a Directive-Type Memorandum (DTM) on Business Capability Lifecycle (BCL) was signed and issued by USD (AT&L). The BCL provides a framework for implementing more flexible and streamlined processes for the acquisition of these business information systems and has been incorporated into the next release of DOD 5000.2.

Test and Certification: The Department's testing community has been working in collaboration with USD (AT&L) to incorporate an integrated testing, evaluation, and certification approach into the DODI 5000.02, to reduce redundancies in system testing activities and improve the efficiency and effectiveness of testing the Department's information systems.

Human Capital: A comprehensive review of IT acquisition competencies is also currently being conducted by the Department's Chief Information Officer. This review will update the IT acquisition competencies to better define DOD critical skill sets and assist in the update of curricula at the Defense Acquisition University and the Information Resources Management College.

______

QUESTIONS SUBMITTED BY MR. ROGERS

Mr. Rogers. Ms. Takai, could you please explain the Department's decisionmaking process for when to use ``sole source'' and ``brand name only'' solicitations, such as those run under the Air Force's NETCENTS-1 and NETCENTS-2 contracts?

Ms. Takai. The vast majority of procurements through the NETCENTS vehicles are accomplished via a competitive process.
In the rare event that a sole source or specific brand name is required, appropriate Justification and Approval documentation is prepared and approved at a level commensurate with the dollar value of the proposed procurement.

Mr. Rogers. What steps does DOD take to meet the statutory requirements of FAR sec. 6.303 and/or FAR sec. 16.505, as applicable, that are the prerequisites for a sole source and/or brand name product procurement, single name product procurement, including the necessity to conduct open procurements, determine minimum needs, and solicit the interest of manufacturers or prospective offerors?

Ms. Takai. All DOD requiring officials must follow and adhere to applicable procurement policies in accordance with the Defense Federal Acquisition Regulation Supplement (DFARS), which is regularly revised to ensure alignment with the Federal Acquisition Regulations (FAR) as well as other regulations and statutes. DFARS subpart 216.5 requires that all orders for supplies or services exceeding $150,000 that are placed under multiple award contracts be awarded on a competitive basis with fair notice given to vendors of the intent to purchase, and an opportunity for all vendors to submit offers and receive fair consideration. There are allowable exceptions that must be based on justifications and/or determinations written and approved in accordance with FAR 8.405-6; if a statute requires the purchase be made from a particular source, or if one of the circumstances described in FAR 16.505(b)(2)(i) through (iv) applies. DOD contracting officers must always consider price or cost as factors when selecting a vendor for award, and should also consider past performance of potential vendors.
As an overview, the steps followed to award in DOD include: 1) system engineering analysis to determine requirements, 2) market research to determine what products are available to satisfy those requirements, and 3) written documentation via a determination or Justification and Approval of anything less than full and open competition (including specification of a particular brand name product). Even when a particular brand name product is required and justified, there is an expectation of competition if there are multiple competing resellers of that same brand name product.

Mr. Rogers. When the requirements of FAR sec. 6.303 and/or FAR sec. 16.505, as applicable, are determined not to have been met, what remedial steps are in place to make sure these requirements are considered?

Ms. Takai. There are many stages at which such a determination might be made, such as: by the program manager after market research activities, by the contracting officer or the contracting activity's Competition Advocate prior to solicitation and/or award or by the Government Accountability Office after an unsuccessful vendor files an appeal. There are different remedial steps for each scenario. Standard DOD acquisition and procurement procedures contain safeguards and checkpoints at multiple levels to ensure that any proposed exceptions to the competition rules are fully vetted and adequately justified. DOD contracting officers must make public the justification(s) required by FAR 6.303-1 in accordance with FAR 5.3 and as required by law. If a prospective (or unsuccessful) offeror believes that the procedures described in the FAR and/or DFARS have not been followed, they will generally contact the contracting officer who has responsibility for the acquisition, or the contracting activity's parent organization. If warranted, the contracting officer can then cancel the procurement activity--or issue a ``stop work'' order to study the situation (if the contract has already been awarded).
In order to meet the requirements of the requesting office, the contracting officer may reshape the procurement into a competition among multiple vendors under a pre-existing contract vehicle, or pursue full and open competition among all vendors of a particular type/class of capability.

Mr. Rogers. What process does DOD use in deciding to standardize on particular technology, and how does such standardization further the goal of maintaining a competitive procurement process which is essential to reducing costs in government procurements? Does that process flow down to how the Services make similar decisions?

Ms. Takai. When there are clearly definable minimum functional/technical standards that are available and necessary to attain a required capability, the DOD CIO will assemble a cross-Component ``tiger team'' (including Acquisition personnel) to translate those standards into requirements suitable for release of a Request for Quotes (RFQ) or a Request for Proposals (RFP) to industry. For example, when data-at-rest (DAR) software was initially identified as an urgent requirement for all DOD laptops and portable computers, the Defense-Wide Information Assurance Program (DIAP) assembled such a tiger team to flesh out the applicable required specifications. Then they partnered with the DOD ESI Software Product Manager team from USAF to translate these specifications into an industry solicitation that resulted in the creation of DOD ESI Blanket Purchase Agreements from 10 different publishers of DAR software. By DOD CIO policy, all DOD buyers of DAR software were required to buy DAR software only through one of these agreements. Competition among the resellers generally resulted in lower prices, and the DIAP certified that all purchased products met both the functional & technical standards.

______

QUESTIONS SUBMITTED BY MR. FRANKS

Mr. Franks. General Alexander, I want to thank you for your service and leading such important missions with USCYBERCOM and the NSA.
I am a strong believer that our military is, and should always be, better than the rest of the world's armed forces, and that we should never be entering fair fights. With that in mind, and the introduction of these new offensive cyber teams, and the fact that cyber threats are a relatively new phenomenon, how much better are we on offense, and defense in the cyber realm as compared to our enemies?

General Alexander. We believe our offense is the best in the world. Cyber offense requires a deep, persistent and pervasive presence on adversary networks in order to precisely deliver effects. We maintain that access, gain deep understanding of the adversary, and develop offensive capabilities through the advanced skills and tradecraft of our analysts, operators and developers. When authorized to deliver offensive cyber effects, our technological and operational superiority delivers unparalleled effects against our adversaries' systems.

Team Cyber is constantly increasing its operational and analytic defensive capabilities through the adoption and use of standards to facilitate domain knowledge representation and information sharing across the community. In addition, the use of standards ensures compatibility with technologies commonly available in the public domain and allows for the rapid integration of new functional capabilities to avoid long-term engineering and development cycles. Potential adversaries are demonstrating a rapidly increasing level of sophistication in their offensive cyber capabilities and tactics. In order for the Department of Defense to deny these adversaries an asymmetric advantage, it is essential that we continue the rapid development and resourcing of our Cyber Mission Forces.

Mr. Franks. General Alexander, last year I asked you a question: How prepared are we to carry out your mission if the power grid or substantial part of it were to go down for an extended period of time?
For example, two weeks or longer due to severe space weather or a manmade electromagnetic pulse. Your answer included the fact that much of DOD's cyberspace is served through commercial providers. Do you feel that the power and electricity needed to carry out your mission is important enough to require those commercial providers of the power grid to successfully harden their grid from severe space weather or manmade electromagnetic pulse? Can the DOD require that of commercial providers of the grid? Do you feel that this issue is important enough that legislation is needed to force the hand of industry to act?

General Alexander. While I absolutely agree with the criticality of cyber hardening the power grid, I also believe any legislative solution has to take into account the prohibitive costs associated with doing so given its antiquated state. I believe the activities underway through the President's EO 13636 ``Improving Critical Infrastructure Cybersecurity'' and PPD-21 ``Critical Infrastructure Security and Resilience'' are a good first step. Legislation which builds upon these activities by providing the right set of incentives would be invaluable.

From an NSA and CYBERCOM perspective, it is also critical that Congress pass information sharing legislation that enables effective two-way sharing of cyber threat information and countermeasures between the private sector and the USG. By effective two-way sharing, I mean that the government needs to know, in real time, when there are indications of cyber intrusions or attacks against the nation's critical infrastructure, and the government needs to be able to share in real time, indications and warnings of attacks and associated countermeasures that the private sector needs to protect their networks. Given the authority to share information, the ISPs could act as a domestic radar that can see cyber threats and tip and cue the government to respond in real time.