[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
[H.A.S.C. No. 115-97]
HEARING
ON
NATIONAL DEFENSE AUTHORIZATION ACT
FOR FISCAL YEAR 2019
AND
OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS
BEFORE THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING
ON
A REVIEW AND ASSESSMENT OF THE
DEPARTMENT OF DEFENSE BUDGET,
STRATEGY, POLICY, AND PROGRAMS
FOR CYBER OPERATIONS AND U.S. CYBER COMMAND FOR FISCAL YEAR 2019
__________
HEARING HELD
APRIL 11, 2018
_________
U.S. GOVERNMENT PUBLISHING OFFICE
30-571 WASHINGTON : 2019
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
ELISE M. STEFANIK, New York, Chairwoman
BILL SHUSTER, Pennsylvania          JAMES R. LANGEVIN, Rhode Island
BRAD R. WENSTRUP, Ohio              RICK LARSEN, Washington
RALPH LEE ABRAHAM, Louisiana        JIM COOPER, Tennessee
LIZ CHENEY, Wyoming, Vice Chair     JACKIE SPEIER, California
JOE WILSON, South Carolina          MARC A. VEASEY, Texas
FRANK A. LoBIONDO, New Jersey       TULSI GABBARD, Hawaii
DOUG LAMBORN, Colorado              BETO O'ROURKE, Texas
AUSTIN SCOTT, Georgia               STEPHANIE N. MURPHY, Florida
JODY B. HICE, Georgia
Pete Villano, Professional Staff Member
Lindsay Kavanaugh, Professional Staff Member
Neve Schadler, Clerk
C O N T E N T S
----------
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Langevin, Hon. James R., a Representative from Rhode Island,
Ranking Member, Subcommittee on Emerging Threats and
Capabilities
Stefanik, Hon. Elise M., a Representative from New York,
Chairwoman, Subcommittee on Emerging Threats and Capabilities
WITNESSES
Rapuano, Kenneth P., Assistant Secretary of Defense for Homeland
Defense and Global Security, U.S. Department of Defense
Rogers, ADM Michael S., USN, Commander, U.S. Cyber Command, and
Director, National Security Agency
APPENDIX
Prepared Statements:
Rapuano, Kenneth P.
Rogers, ADM Michael S.
Stefanik, Hon. Elise M.
Documents Submitted for the Record:
[There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
Mr. Langevin
Mrs. Murphy
Ms. Stefanik
Questions Submitted by Members Post Hearing:
[There were no Questions submitted post hearing.]
A REVIEW AND ASSESSMENT OF THE DEPARTMENT OF DEFENSE BUDGET, STRATEGY,
POLICY, AND PROGRAMS FOR CYBER OPERATIONS AND U.S. CYBER COMMAND FOR
FISCAL YEAR 2019
----------
House of Representatives,
Committee on Armed Services,
Subcommittee on Emerging Threats and Capabilities,
Washington, DC, Wednesday, April 11, 2018.
The subcommittee met, pursuant to call, at 3:30 p.m., in
room 2212, Rayburn House Office Building, Hon. Elise M.
Stefanik (chairwoman of the subcommittee) presiding.
OPENING STATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE
FROM NEW YORK, CHAIRWOMAN, SUBCOMMITTEE ON EMERGING THREATS AND
CAPABILITIES
Ms. Stefanik. The subcommittee will come to order.
Welcome, everyone, to today's hearing of the Emerging
Threats and Capabilities Subcommittee on the posture of cyber
operations and U.S. Cyber Command [CYBERCOM] for fiscal year
[FY] 2019.
This hearing is the second of three cyber events today.
This morning, we heard from former Secretaries of Homeland
Security Chertoff and Johnson, as well as former CYBERCOM
Commander Keith Alexander.
Adversaries such as China and Russia aggressively leverage
and integrate cyber information and communications technologies
for geopolitical and economic gain, and they do so in a
seamless way. Dictatorships have those advantages, and their
control over these technologies and information is as much
about exerting control over their own populations as it is
confronting free societies such as ours.
As discussed in the Worldwide Threat Assessment for 2018
from the Director of National Intelligence [DNI], Iran and
North Korea also continue to increase their offensive cyber
capabilities and techniques. Over the last few years, both of
these nations are believed to be behind cyber attacks that
demonstrate not only a capability to deploy a variety of
techniques and tools, but also a willingness to use cyber
attacks as a means to achieve their national objectives.
Needless to say, cyber threats today from state and non-
state adversaries are real, pervasive, and growing. Cyberspace
and the information domain writ large remains contested and
under continual stress. We are no longer peerless, and cyber
superiority is not assured.
Yet, while these adversaries continue to use cyber as a
means to achieve strategic objectives, I remain concerned that
we, as a government, do not have a strategy in place to
mitigate, deter, or oppose their advances. It is safe to say
that we have improved our military cyberspace and cyber warfare
capabilities and also improved our resilience in many areas,
but I am sure not the same can be said of the rest of our
government--most notably, the protection of our critical
infrastructure that preserves our economic security and ensures
our way of life.
Further work is needed to build interagency partnerships to
ensure a whole-of-government approach to countering the growing
cyber threat. The Department of Defense [DOD] plays an
important role in this area, certainly when considering a
significant cyber incident that may require their expertise
during a time-sensitive emergency.
From where I sit, a great deal of work remains to be done
to improve our ability to defend, fight, and win in this
critical domain, and also to improve and align our decision-
making processes and operational authorities so that we are
fast, agile, and relevant. Only then will our Nation be
prepared for the 21st-century challenges we face.
Our witnesses today are very well-qualified to help us
navigate these multidimensional challenges. Appearing before
our subcommittee, we have Admiral Mike Rogers, Commander of
U.S. Cyber Command and Director of the NSA [National Security
Agency], and the Honorable Kenneth Rapuano, Assistant Secretary
of Defense for Homeland Defense and Global Security and
Principal Cyber Advisor for the Secretary of Defense.
Thank you both for being here today.
Admiral Rogers, this will be your last appearance before
this subcommittee, and I want to extend my sincerest thanks and
appreciation for your decades of service to our country and for
the relationship that you have built with so many of our
members on the House Armed Services Committee [HASC]. We wish
you great success in your next chapter and wish your family
well. Thank you again for your service.
I would now like to recognize my friend and the ranking
member, Jim Langevin, for his opening remarks.
[The prepared statement of Ms. Stefanik can be found in the
Appendix on page 25.]
STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS
AND CAPABILITIES
Mr. Langevin. Thank you, Chairwoman Stefanik.
And thank you to both of our witnesses for being here
today. I look forward to your testimony. I have certainly been
studying cybersecurity issues now for over a decade, and I have
to say, I still learn something every day as the domain and the
actors in it continue to evolve.
Secretary Rapuano, it is good to see you once again. We
certainly appreciated your testimony on countering weapons of
mass destruction a few weeks ago, and I certainly look forward
to today's testimony that you will provide on cyber.
And, Admiral Rogers, it is a pleasure to have you back
before us again today, and I want to thank you for your service
to the Nation. It has been many years that you and I have had
the opportunity to interact, whether it is here on the HASC or
in my years on the HPSCI [House Permanent Select Committee on
Intelligence], and it has been an honor to work with you. And I
am just grateful for everything that you have done and all your
contributions to better protecting our Nation's cyberspace. I
certainly wish you and your family well as you start the next
chapter as well.
2018 is poised to be a notable year for U.S. Cyber Command.
Following the legislative action out of this subcommittee over
the past several years, CYBERCOM will be elevated to a new
unified combatant command [COCOM] after confirmation of the
next commander.
Additionally, a cyber posture review is being conducted for
the first time, and a legislative framework is in place for
notification of sensitive cyber operations. Cyber evaluations
of major defense systems continue to be conducted to mitigate
known vulnerabilities posing operational or other risk.
Furthermore, cyber activities supporting named and
contingency operations overseas have also matured, allowing the
Department to leverage lessons learned when it comes to
tactics, techniques, and procedures, as well as command and
control of our forces.
All teams of the Cyber Mission Force [CMF] are expected to
achieve full operational capability [FOC] by the end of the
year.
These are all excellent steps forward, toward maintaining
our superiority in an ever-changing domain, but, though
progress has been made, of course, these efforts and
achievements do not mean we have reached the finish line.
Instead, I would argue that we have just begun the race.
In addition to reaching FOC, we must ensure that the CMF
has the right people, continuous training and education, and
the best capabilities in our toolbox to perform against any
threats that may confront us. We must be able to measure the
readiness of these teams, define the requirements against which
they are being or may be employed, and the frameworks in place
to rapidly employ them and enable them to respond, when
appropriate, based on clear legal policy and operational
authorities.
Existing frameworks are too ambiguous to effectively,
clearly, concisely, and consistently employ the CMF against all
mission sets. Effective and comprehensive policies to deter and
respond to adversarial actors, as well as efforts to shape
international norms of state behavior, particularly regarding
use of military cyber capabilities outside of a combat zone,
are progressing more slowly than desired.
As I said at the outset, this domain continues to evolve
quickly, and it is simply not good enough to just keep up with
our adversaries. Instead, we must set the pace. However, we
must not compromise our morals and values when employing cyber
forces, for those qualities are what set us apart from those
who seek to do us harm.
We must also avoid a cyber cold war of sustained activities
carried out by proxies or below the level of armed conflict.
Instead, the U.S. must continue leading in crafting of sound
domestic and international policies and laws for cyberspace and
cyber warfare, working with our allies to assert and enforce
rules of the road, rather than letting malicious actors do it
for us.
With that, I would like to once again thank our witnesses
for being here.
Take care, Admiral Rogers. I thank you again for your
service and wish you well.
And, again, thank you for being here today to discuss such
an important aspect of our military's capabilities. I strongly
believe that each and every conflict we face in the future will
contain some element of cyber, and, as such, we must be
prepared for all activities in the cyber domain.
With that, I want to thank you all again, and Madam Chair,
I yield back.
Ms. Stefanik. Thank you, Jim.
I would also like to remind members that immediately
following this open hearing the subcommittee will reconvene
right next door--oh, upstairs for a closed, classified
roundtable with our witnesses.
Before we move to our opening statements, I ask unanimous
consent that non-subcommittee members be allowed to participate
in today's briefing after all subcommittee members have had the
opportunity to ask questions. Is there objection?
Without objection, non-subcommittee members will be
recognized at the appropriate time for 5 minutes.
Welcome again to our witnesses.
Admiral Rogers, the floor is yours.
STATEMENT OF ADM MICHAEL S. ROGERS, USN, COMMANDER, U.S. CYBER
COMMAND, AND DIRECTOR, NATIONAL SECURITY AGENCY
Admiral Rogers. Thank you, Chairwoman Stefanik, Ranking
Member Langevin, and distinguished members of the committee.
Thank you for your enduring support and the opportunity to talk
to you today about the hardworking men and women of United
States Cyber Command.
On behalf of those hardworking men and women, I am here to
discuss the command's posture and describe how we prepare for
and execute operations in the cyberspace domain to support the
Nation's defense against increasingly sophisticated and capable
adversaries.
The cyberspace domain that existed when we first
established Cyber Command 8 years ago has evolved dramatically.
Today, we face threats that have increased in sophistication,
magnitude, intensity, velocity, and volume, threatening our
vital national security interests and economic well-being.
Russia and China, which we see as peer or near-peer
competitors respectively in cyberspace, remain our greatest
concern. But rogue nations like Iran and North Korea have
growing capabilities and are using aggressive methods to
conduct malicious cyberspace activities. Further, several
states have mounted sustained campaigns against our cleared
defense contractors to identify and steal key enabling
technologies, capabilities, platforms, and systems.
Our adversaries have grown more emboldened, conducting
increasingly aggressive activities to extend their influence,
with limited fear of consequences. We must change our
approaches and responses here if we are to change that dynamic.
While the domain has evolved, Cyber Command's three mission
areas endure. Our first priority is the defense of the
Department of Defense Information Networks, or DODIN. Second,
we support other joint force commanders through the application
of offensive cyber capabilities. And, finally, when directed to
do so by the President or the Secretary of Defense, we defend
critical U.S. infrastructure against a range of significant
cyber consequences in support of the Department of Homeland
Security [DHS] and others.
In concert with the National Defense Strategy, we are
charting a path to achieve and sustain cyberspace superiority
to deliver strategic and operational advantage and generate
increased options for combatant commanders and policymakers.
Without cyberspace superiority on today's battlefield, risk to
mission increases across all domains and endangers our
security.
Since my last update, Cyber Command has achieved a number
of significant milestones.
First, Joint Force Headquarters DODIN, our subordinate
headquarters responsible for securing, operating, and defending
the Department's complex IT [information technology]
infrastructure, has achieved full operational capability.
Secondly, Joint Task Force-Ares [JTF], our warfighting
construct focused on the fight against ISIS [Islamic State of
Iraq and Syria], has successfully integrated cyberspace
operations into the broader military campaign to defeat ISIS.
And we will continue to pursue ISIS in support of the Nation's
objectives.
Third, we have enhanced our training in cyber operations to
prepare the battle space against our key adversaries.
This year will bring several additional accomplishments.
Cyber Command will be elevated to a unified combatant
command. As a combatant command, we will have the unique
responsibilities of being a joint force provider and a joint
force trainer, responsible for providing mission-ready
cyberspace operations forces to other combatant commanders and
ensuring that joint cyber forces are trained to a high standard
and remain interoperable.
In addition, this month, we will start moving in several
hundred people into our new, state-of-the-art integrated cyber
center and joint operations center at Fort Meade. This will be
our first fully integrated operations center that enhances a
whole-of-government coordination and improves planning and
operations against a range of growing cyber threats.
And within this dynamic domain, it is imperative to
continually evolve our training and our tools for our
operators. We have recently delivered the first of several
foundational toolkits, enabling the Cyber Mission Force to work
against adversary networks while reducing risk of exposure, as
well as equipping JTF-Ares with capabilities to disrupt ISIS's
use of the internet.
Innovation and rapid development demand competition and the
ability to leverage all partners, including that of small
businesses in the private sector. We intend to create an
unclassified collaboration venue where businesses and academia
can help tackle tough problems with us without needing to jump
through clearance hurdles, which are often very difficult for
some of them.
Of course, all of our tools require a talented and
sophisticated workforce to operate them. The Cyber Excepted
Service, which Congress has helped create, will help us
recruit, manage, and retain cyber expertise in a highly
competitive talent market.
Our success also hinges and remains entwined with continued
integration of the Reserve and National Guard. In our
headquarters, for example, we currently employ more than 300
full-time and part-time reservists. And, in addition, Reserve
and National Guard members are mobilized every day to lead and
execute cyberspace operations.
Perhaps most significantly, in the coming year, we are
nearing completion of the build-out of our Cyber Mission Force,
with all of our teams on a glide path to reach full operational
capability by the end of fiscal year 2018. And, in fact, we
will achieve this goal ahead of time.
And as the teams reach FOC, our focus is on shifting from
beyond the build, i.e., creating this force, to ensuring that
this force is ready to perform their mission and is optimized
to sustain mission outcomes year after year after year.
Now, I fully realize that cybersecurity is a national
security issue that requires a whole-of-nation approach that
brings together not only government departments like the DOD
and other agencies, but also the private sector and our
international partners. And over the last year, we have also
increased our interaction with critical infrastructure elements
within the private sector and the broader set of U.S.
Government partners supporting them.
And, as you know, I serve as both Commander of United
States Cyber Command and the Director of the National Security
Agency. This dual-hat appointment underpins the close
partnership between these two organizations. The fiscal year
2017 National Defense Authorization Act [NDAA] includes a
provision that describes the conditions for any potential split
of this dual-hat arrangement. And the Department is working its
way through this question. And, ultimately, the Secretary, in
conjunction with the Director of National Intelligence, will
provide a recommendation as to the way ahead here to the
President.
All of us are proud of the roles we play in our Nation's
cyber efforts and are motivated to accomplish our assigned
missions, overseen by the Congress, particularly this
committee.
And, finally, as you have already mentioned, after serving
for over 4 years as the Commander of United States Cyber
Command, and after nearly 37 years of service in uniform, I am
set to retire later this spring. And, as I do so, I am grateful
for the committee and its past and continued support and its
confidence in me and in the Cyber Command team.
And I look forward to answering your questions. Thank you
very much.
[The prepared statement of Admiral Rogers can be found in
the Appendix on page 27.]
Ms. Stefanik. Thank you.
Assistant Secretary Rapuano.
STATEMENT OF KENNETH P. RAPUANO, ASSISTANT SECRETARY OF DEFENSE
FOR HOMELAND DEFENSE AND GLOBAL SECURITY, U.S. DEPARTMENT OF
DEFENSE
Secretary Rapuano. Thank you, Chairman Stefanik, Ranking
Member Langevin, and members of the committee. It is an honor
to appear before you alongside Admiral Rogers, Commander of
U.S. Cyber Command, to discuss the Department of Defense's
priorities in cyberspace.
In these roles, I oversee the development and
implementation of the Department's cyber strategy and policy
with regard to cyberspace, leading the Department's interagency
cyber coordination efforts, advising the Secretary and the
Deputy Secretary on cyberspace activities, and ensuring that
the Department's cyber forces and capabilities are integrated
across the joint force to support the missions assigned by the
President and the Secretary of Defense.
The Department's primary mission is to defend the United
States and its interests. My focus from the outset has been on
ensuring we are organizing, resourcing, and posturing ourselves
to be ready to fight in and through cyberspace in a conflict
with great-power competitors.
To that end, we have prioritized the three themes of the
2018 National Defense Strategy: increasing lethality,
strengthening alliances, and reforming the Department's
practices.
The Department is pushing hard to ensure that we can deter
aggression and out-think, out-maneuver, out-partner, and out-
innovate our competitors and adversaries in cyberspace.
2018 will be a landmark year when U.S. Cyber Command will
elevate to a unified combatant command, welcome a new
commander, and complete the force-generation phase of the Cyber
Mission Force.
DOD's cyber forces are uniquely responsible for executing
both offensive and defensive cyber operations, but national
cybersecurity is inherently a team sport. Individuals,
corporations, and organizations that own and operate critical
networks must take appropriate steps to implement best
practices in configuring connected devices and systems to
mitigate known vulnerabilities, to harden the most critical
networks' systems and information, and to implement basic cyber
hygiene and security measures.
Cybersecurity experts estimate that some 90 percent of
cyber attacks could be defeated by better implementation of
better cyber hygiene practices and best-practice sharing.
Therefore, an essential element of cyber deterrence must be to
minimize vulnerabilities that potential adversaries can exploit
with significant effects.
Through basic cyber hygiene and information sharing across
the government and private sector, we can drastically decrease
the opportunities for our adversaries to hold us at risk, and
the amount of time and resources we must spend responding to
malicious cyber activity directed against us.
We can then devote more capacity to developing and
maintaining capabilities to hold our adversaries at risk. The
Department is focused on preparations to defend the United
States by halting or degrading strategic cyber attacks using
cyber effects operations. We also seek to leverage the
Department's extensive information collection mechanisms to
provide timely indicators and warnings to public and private
owners and operators.
If a cyber attack of significant consequence should occur,
the Department of Homeland Security and the Department of
Justice, with other departments and agencies in support, would
take the lead in responding to, recovering from, and
investigating the different elements of a significant cyber
incident.
The DOD stands ready to provide additional support to DHS
and other Federal agencies upon request. The technical skills
possessed by the Cyber Mission Force can augment our
interagency partners when the magnitude of a cyber event calls
for a collaborative government response. We are currently
working with the Department of Homeland Security to determine
the most effective and efficient ways for DOD to enhance our
support to these efforts.
We must always keep in mind that the capabilities of the
Cyber Mission Force were developed and optimized for DOD's
warfighting mission. Offensive operations are the means by
which the military seizes and retains the initiative while
maintaining freedom of action and achieving decisive results.
If and when the Nation faces a large-scale cyber attack,
DOD cyber resources will be focused on and most effectively
employed in our adversaries' networks--detecting, preventing,
preempting, degrading, or defeating malicious cyber activities
at their source, as well as holding at risk other critical
equities and capabilities of the adversary.
DOD cyber forces must also protect our networks and weapons
systems against malicious cyber activity. The Department
conducts network defensive operations every day in order to
enhance our cyber resiliency. Defending DOD systems also
requires identifying and mitigating our own vulnerabilities. We
are moving forward to assess and redress major weapons
platforms and critical infrastructure vulnerabilities, as
mandated by the NDAAs for fiscal years 2016 and 2017.
As outlined in the National Defense Strategy, the
Department's weight of effort must be directed toward
preparedness for war. At all times we must be ready to respond
with both cyber and non-cyber capabilities to malicious cyber
activity that results in loss of life, major damage to
property, serious adverse foreign policy consequences, or
serious economic impact to the United States.
DOD must be prepared to compete and win in conflict below
the threshold of conventional war as well. This is commonly
referred to as the gray zone.
Our adversaries are adept at calibrating their actions in
both the physical and cyber domains so that no single event
rises to the level that would merit a significant United States
response. However, the cumulative effect of these actions can
be significant.
The Department's cyber forces must be prepared to respond
to malicious cyber activity in the gray zone by preempting
imminent malicious cyber operations, disrupting ongoing
malicious cyber activities, supporting other agencies with our
technical skills and capacity, and working with and through our
allies and partners to apply diplomatic and economic pressure
on these actors.
I am grateful for the support we have received from
Congress. The hiring authorities you have provided us have been
critical to creating the Cyber Excepted Service. And your
generous resourcing of DOD cyber activities has allowed us to
stand up the Cyber Mission Force and put U.S. Cyber Command on
the path to elevation.
The President's request for FY 2019 helps us sustain that
momentum and continue to strengthen DOD's ability to operate in
and through cyberspace. The request includes $8.6 billion for
cyber-related activities and represents an increase of roughly
$600 million over the FY 2018 budget request.
In closing, I would like to thank the subcommittee members
for your time and your assistance working alongside us to
develop the cyber force the Nation needs. The people in our
cyber community are the best in the world, and I am honored to
serve with them.
The Department is committed to approaching the development
of our cyber capabilities with the sense of urgency warranted
by the gravity of threats we face. Our strong relationship with
Congress has been a critical component of our success and will
remain vital as we continue our work to ensure that the
Department's cyber forces are prepared to compete, deter, and
win against any opponent.
I look forward to your questions.
[The prepared statement of Secretary Rapuano can be found
in the Appendix on page 46.]
Ms. Stefanik. Thank you for those opening remarks.
I am going to stick to the 5 minutes aggressively to make
sure we can get through all of our questions, but I gave you
guys some flexibility.
So my first question is: This morning, we heard from former
Secretaries Chertoff and Jeh Johnson, as well as General
Alexander, former Commander of CYBERCOM, about the importance
of continuing to improve interagency collaboration.
And, Assistant Secretary Rapuano, you just referenced in
your opening statement how we are currently working with DHS to
determine the best way forward, in terms of what DOD's role is.
What steps specifically are being taken by Cyber Command
and DOD to build this more integrated, whole-of-government
approach? So not broadly that we are working on it, but what
are the specific steps?
I will start with you, Assistant Secretary.
Secretary Rapuano. Thank you.
First, I think it is useful to quickly just review our
current activities in terms of working the interagency process.
We chair three of the six Federal centers associated with
cyber and cybersecurity. I won't walk through them all, but the
Defense Cyber Crime Center; the Cyber Command Joint Ops
[Operations] Center, the JOC; and the National Operations
Center that is run by NSA. And in all three of those centers,
we are engaging with them on a routine basis, all of the key
players in the interagency, as well as industry with some of
them, to understand both the threats and the areas for
collaboration and cooperation.
We are also part of the NCCIC [National Cybersecurity and
Communications Integration Center], which the DHS runs at DHS,
in terms of coordinating interagency with critical
infrastructure and other industry on response to specific cyber
threats.
So we have a very solid foundation in terms of relationship
and understanding. The issue really is what specific types of
capabilities and what thresholds of capacity other agencies
would need in different types of circumstances. And then we
need to assess that against what our warfighting requirements
are and how do we do that balance.
Ms. Stefanik. Admiral Rogers.
Admiral Rogers. So, in addition to the individuals
integrated from DHS, FBI [Federal Bureau of Investigation], and
other partners within my ops structure and my integration in
their ops structure, if you will, a series of specific
exercises.
We do two major exercises with our DHS and interagency
teammates twice a year--I am sorry. It is two exercises occur,
two times total for the year. In addition, a series of tabletop
exercises. You look at some of the things we have planned in
the next 90 days, for example, we are going to be doing some
election interaction at a tabletop kind of level with our DHS
partners.
The area that I have--you know, I am leaving, as you are
aware. The area that I have talked to the team about I really
want us to get into next is: Let's get down to the actual
center and sector level, because that is where it comes to the
day-to-day execution. Guys, if we want to get to speed, we want
to get to agility--because, as operational commander, those are
big to me. I want to get to speed, and I want to get to agility
to actually execute. Let's look at what we can do to actually
perhaps integrate at that level.
So that is kind of a future focus for us, as I am moving
forward.
Ms. Stefanik. And I want to build on that. One of the
statements this morning was that the lack of a common operating
picture impedes our ability to have this comprehensive cyber
strategy. What do we do to address this lack of a coherent
operating picture?
Admiral Rogers. For me--I apologize, Ken--first, it is a
common operating picture of what? You want an operating picture
of critical infrastructure? You want an operating picture of
all of private infrastructure?
Ms. Stefanik. Well, that is part of the question, is----
Admiral Rogers. Right.
Ms. Stefanik [continuing]. What is the role of Cyber
Command to drive those conversations? What is that interagency
process? I think we need to have the answer to all of those.
Admiral Rogers. So, for me, my input would be, the mission
set that I am directly responsible for within the broader DOD
effort is the critical infrastructure piece. So I am really
interested--so how do we get to an integrated, real-time
picture that enables us to have an accurate sense of what is
going on that enables decision making and helps to speed that
decision making?
So that would be my recommendation for a kind of first
focus, even though, as I acknowledge, that is not going to be
DOD's lead here. We are in a support team role. But I like to
think we need to be part of this discussion and we can help.
Ms. Stefanik. So how do we spur that, though? I think the
status quo is unsustainable. Obviously, we need to spur that
interagency integration.
Secretary Rapuano. I appreciate that you are familiar with
the National Cyber Incident Response Framework, but that really
does drive how we organize and operate within the Federal
Government in terms of our engagement with industry and other
players.
And in the DHS role, in terms of the asset response piece,
the FBI has the threat response piece, and then we have the
DNI, who has the intelligence integration function.
Ms. Stefanik. Okay. I am going to have to take the rest for
the record.
Mr. Langevin.
[The information referred to can be found in the Appendix
on page 67.]
Mr. Langevin. Thank you, Elise.
And I want to again thank our witnesses for being here
today.
Secretary Rapuano, as I mentioned in my opening statement,
I believe that U.S. policy on title 10 cyber operations needs
to be advanced both domestically and internationally in order
to effectively employ the force, deter adversarial actors,
respond to adversarial cyber actors, and shape international
norms for the military use of cyber capabilities.
So what actions are the Department and the administration
taking to advance the understanding of and the gaps in existing
laws, authorities, and policies relating to cyber operations to
develop standard frameworks and guidance?
Secretary Rapuano. Thank you for the question, Congressman.
As you all appreciate, the challenge associated with
defining traditional military activities in the cyber domain
is, typically, that is done by looking back historically at
what are traditional types of military operations.
In a domain that is so novel in many respects and for which
we do not have the empirical data and experience associated
with military operations per se, particularly outside zones of
conflict, there are some relatively ambiguous areas associated
with, well, what constitutes traditional military activities.
This is something that we are looking at within the
administration, and we have had a number of discussions with
Members and your staffs. So that is an area that we are looking
at, in terms of understanding what the trades are and what the
implications are of changing the current definition if that
were deemed to be warranted.
Mr. Langevin. Okay. That is certainly something the
committee is going to continue to provide rigorous oversight on
and work with you as we develop.
So how do you intend to ``defend forward,'' in quotes, as
is outlined in the new command vision? Do you envision this
defensive posture as using CYBERCOM capabilities and
intelligence to provide targeted assistance to national assets,
including, for example, critical infrastructure? Or would this
involve title 10 activities being used to disrupt platforms
potentially before an operation actually begins?
Secretary Rapuano. So, defending forward, in the DOD
context, is really looking at the source of the cyber attacks
or otherwise malevolent activities. And it is looking at how we
can get at it, how we can uproot it, and also how we can hold
other equities valued by the adversary perpetrating the act at
risk.
And, with that, I will just turn it to Admiral Rogers.
Admiral Rogers. So the vision you outline is--my goal as a
commander is to try to get ahead of problem sets before they
occur. Therefore, I am interested in asking myself within the
authorities granted to me and within the broad legal framework
that we use for the application of DOD capabilities, how can we
attempt to forestall activity before it even happens? Failing
that, how can we very quickly stop that activity before it has
the time or the ability to generate significant impact, if you
will, against our critical infrastructure?
And so our strategy is about, how do you tie--or vision is,
how do you tie together the power of intelligence and the
insights that generates with the operational capability that
DOD has invested in the Cyber Command structure in its mission
force teams?
And so that is our vision for the future. This capability
that we have invested, that we have built, how do we use it in
a way that attempts to forestall the opponent's ability to gain
advantage in the first place? And, failing that, how do we stop
that activity before they are able to have significant impact?
Mr. Langevin. I think it is important to be forward-
leaning. I like kind of the shift in focus. And I think the
American people, quite frankly, expect that we will be more
forward-leaning.
Admiral Rogers and Secretary Rapuano, leveraging the
lessons that we have learned to date is important to achieving
success in the cyber domain, especially since we are learning
as we go. We benefit, obviously, from every success and every
failure.
How are our lessons learned from CYBERCOM's mission and
operations being leveraged and instituted? And how is readiness
being defined for the CMF? And how is this readiness being
measured? How are training and recertification processes co-
evolving with the threat and the technology landscape?
We will probably run out of time, but I would like that for
the record.
Admiral Rogers. Yes, Sir. So, a lot in that question. Very
quickly, it doesn't matter if it is something we do
offensively, if it is something we do defensively; every time,
part of our mission structure is post-event debrief, analysis,
lessons learned, and then how do we tie this into what we are
doing next. So there is a cumulative impact there which, as a
commander, I really like. You learn----
Ms. Stefanik. We will have to take the rest for the record.
[The information referred to can be found in the Appendix
on page 67.]
Admiral Rogers. Okay. Got it.
Ms. Stefanik. We have to move along.
Ms. Cheney.
Ms. Cheney. Thank you, Madam Chairwoman.
And thanks, Admiral Rogers and Secretary Rapuano.
I am concerned, as is the subcommittee and the entire
committee, about the lack of any cyber strategy. We haven't
seen anything from the administration, despite the fact that we
made requests for it in the NDAA last year.
And I wonder if you could shed some light on why that is,
why there is no strategy, number one, and, number two, how we
can be in a position, in light of the threats we are facing, in
light of the action that we are seeing, the active measures by
our adversaries, to be engaged in any sort of effort to defend
or to act offensively without understanding what the overall
mission and goals and objectives are in the absence of a
strategy.
And I guess I would go to you first, Secretary Rapuano.
Secretary Rapuano. Thank you.
I think one of the reasons is it is very hard. There are a
lot of evolving dynamics at play. And we still have a
relatively new administration. And there are competing views as
to what the right trade space is associated with a variety of
equities and risks.
That said, it is at the White House, the national cyber
strategy, and I understand that it should be forthcoming in the
near future.
We are looking to then enhance our cyber posture approach,
which we will be providing by August, to sync with that
national strategy. DOD is one key member of the whole of
government, and we want to make sure that we are very
thoughtful in terms of very synthesized integration with the
national approach.
Admiral Rogers. And I would only add, I don't think you
should feel for 1 minute that that means the DOD, for example,
has stood pat and done nothing. We have got a National Security
Strategy and a National Defense Strategy in which cyber is a
component. As the operational commander, I have tried to take
that broad, strategic vision, and, as Representative Langevin
has articulated, I have laid out in writing to my team, here is
kind of the vision I think that we need to be building to that
reflects that broader strategic underpinning, even as I
acknowledge we have not yet completed a specific cyber
strategy, although that work is, we think, getting close.
So I would only--please don't think that we are just
standing still, waiting for someone to tell us, you know, what
we----
Ms. Cheney. No, I appreciate that. I was not under any
illusions that you were just standing still, and appreciate
very much the work you have done. We want to be helpful, but I
think it is also absolutely incumbent upon this administration,
in light of this threat, to provide some guidance.
And precisely, Secretary Rapuano, as you said, it is hard,
but it is hard because we are in a whole new world, and our
adversaries, in fact, are moving forward, and the lack of
ability for us, on our part, to say, look, this is what we have
to deal with, this is how we are going to operate, this is what
we have to guard against.
And, frankly, both in a public and classified setting,
being able to say to our adversaries, these are the kinds of
things that will result in a response from us, and laying that
out so we have a much more effective deterrent policy in place
is something that I think we as a subcommittee have got
tremendous oversight obligations in looking at it.
And the administration itself--now we have seen significant
turnover at the NSC [National Security Council]. I see just
news reports now that Nadia Schadlow has resigned. Obviously,
Mr. Bossert has moved on. We can't let those add to the amount
of time that is going to be dedicated now or taken up in
putting the strategy together.
So it is something we will continue to work on in a way so
we can ensure that the Nation is, in fact, got a strategy in
place to deal with one of the most important and dangerous
threats we face.
And I will yield back the balance of my time.
Ms. Stefanik. Mr. Larsen.
Mr. Larsen. Thank you, Madam Chair. I will yield my time to
Representative Murphy.
Ms. Stefanik. Mrs. Murphy, you are recognized.
Mrs. Murphy. Thank you, Admiral Rogers and Mr. Rapuano, for
being here.
I am encouraged that the Department is making progress on
fielding the Persistent Cyber Training Environment [PCTE],
which is, as you know, the training platform that allows cyber
forces to train in simulated network environments.
I represent Orlando, which is home to Army's Program
Executive Office for Simulation, Training, and Instrumentation,
or PEO STRI. PEO STRI was tapped to develop and acquire the
PCTE which will also incorporate the work of the National Cyber
Range in Orlando.
In your view, what do you think the value of a Persistent
Cyber Training Environment is for readiness? What kinds of
individual and collective training objectives do you think you
can support? And then, as you look into the future, what sorts
of capabilities and infrastructure do you foresee these PCTEs
requiring?
Admiral Rogers. So, for me, Cyber Command, we are the ones
who articulated the operational requirement, because my vision,
our vision, if you will, is I want to be able to, wherever our
cyber forces are garrisoned or stationed--we started early on
in this process large exercises, brought together literally a
thousand individuals, teams from across our force. Those are
all good things.
But when I said to myself, look at the time it takes to
build this network, the money it costs to do this, while this
should be a component of our training strategy, this does not
scale for a day-to-day effort. And we need a day-to-day
capability that you can train in garrison where, defensively, I
can create, I can mirror my own networks, I can simulate an
opposing force attempting to penetrate the network, and I can
use my defensive techniques to train against it.
Likewise, I can use this, I want to build this over time so
I can bring my allies into this so it is not just us, it is our
broader international partners, because if it is expensive for
us, imagine what it is with some of the work we are doing with
nations spread around the world in cyber right now, trying to
get them to bring their entire team structure to the United
States.
This is also good for me because I want to be able to
create network structures that, from an offensive standpoint, I
can model. So how am I going to penetrate this? What actions
might the defensive team take?
I can use offensive and defensive capability together in
head-to-head scenarios where, quite frankly, they are each
trying to get the better of the other. Never underestimate the
positive impact of competition and a little head-to-head
contest to keep teams motivated.
So those are all examples of why I think PCTE is so
important for us because that goes to the ability to retain
readiness and the ability to be ready now, not, well, if you
give me 3 months, if you give me 4 months, whatever. We can't
work that way.
Mrs. Murphy. And you just mentioned the idea of integrating
allies and partners into, you know, training together. Where do
you think there are some opportunities for enhanced training
and security cooperation activities in this space?
And then, do you have some examples of allies and partners
where this is already happening that are maybe benchmarks or
best practices for how we can move forward?
Admiral Rogers. So I haven't--most of our international
partners, quite frankly, are in the same place we are. They see
a need; they see a requirement. They don't yet have in place
the long-term solution that they would like.
There's three or four off the top of my head where I have
actually sat down with them and said, ``Hey, walk me through
your system. Can I see what you do?''
We participate in some foreign exercises as well. It isn't
just everybody comes to us. I want to learn from others. We
participate in foreign cyber exercises.
But I think the ability, particularly for our key--the Five
Eyes \1\ and a handful of other nations, where we are just part
of an ongoing coalition in cyber, if you will, focused on both
the defensive side and in some cases the offensive side, the
ability to put together an integrated training structure where,
again, I can have their units in garrison, we can model the
exact terrain that we think we are going to be dealing with
live, that is going to be so impactful for our ability to
actually execute mission.
---------------------------------------------------------------------------
\1\ An intelligence alliance comprising Australia, Canada, New
Zealand, the United Kingdom, and the United States.
---------------------------------------------------------------------------
Mrs. Murphy. Yeah. And do you envision that, as you run
these exercises and identify vulnerabilities, whether it is in
platforms that are ours or allies and partners and their
networks, that you will be able to----
Admiral Rogers. Right, that I would turn them around?
Mrs. Murphy [continuing]. Turn it around and get it to
the----
Admiral Rogers. Yes, ma'am.
Mrs. Murphy [continuing]. Folks who are building that so
that they can address them?
Admiral Rogers. Yep. That is part of the idea here.
Mrs. Murphy. Great.
And then you have stated in your testimony that CYBERCOM is
working to synchronize cyber planning and operations across the
entire joint force and that CYBERCOM is helping the combatant
commands improve command and control by establishing integrated
planning elements----
Admiral Rogers. Right.
Mrs. Murphy [continuing]. At each COCOM.
Can you provide a little more detail on exactly how
CYBERCOM is standing up--is it CO-IPEs [Cyber Operations-
Integrated Planning Elements]?
Admiral Rogers. CO-IPEs, yes, ma'am.
Mrs. Murphy [continuing]. At each COCOM?
Admiral Rogers. So there's nine other COCOMs besides us. We
become the 10th one effective with the new commander being
confirmed and assuming the duties.
I thought one of the biggest shortfalls we had was--I
thought we did a great job with the Cyber Mission Force in
creating a higher headquarters in the form of Cyber Command.
But if you truly want to integrate cyber into the breadth of
operations across this Department, then you have to integrate
this capability at all the COCOMs. And so we----
Ms. Stefanik. Admiral Rogers, we will have to take the rest
for the record. It was a good question.
[The information referred to can be found in the Appendix
on page 68.]
Mrs. Murphy. Thank you.
Ms. Stefanik. Mr. Scott.
Mr. Scott. Thank you, Madam Chair.
Admiral, you mentioned authorities a little earlier. What
would CYBERCOM require to move from a defensive support posture
to an active deterrence posture, where you were actually
hunting and denying malicious operators before they inflicted
damage?
Admiral Rogers. So, for right now, if you look at day-to-
day authority that is currently granted to the commander of
Cyber Command, on the defensive side, I feel very good that I
have the authorities that I need to defend the DODIN, the DOD
networks.
But one of the questions I think we need to ask ourselves
is, for example, with the defense industrial base, or if DOD's
role is going to be to partner in defending critical
infrastructure, what level of ability to operate outside the
DODIN would be appropriate for the Cyber Mission Force. I think
that is a good conversation for us to have. Because, right
now--again, not a criticism; an observation. Right now, you
know, the current construct, I don't operate outside the DODIN.
So I would suggest we ought to take a look at that.
On the offensive side, I feel very comfortable about
the authorities that we have currently put in place to apply
cyber in areas of designated hostility--the Syrias, the Iraqs,
the Afghanistans of the world. And we are doing operations
there almost every day.
The area where I think we still need to get to a little
more speed and agility--and, as Mr. Rapuano has indicated, it
is an area that is currently under review right now; we are
working our way through--is what is the level of comfort in
applying those capabilities outside of designated areas of
hostility and how could we potentially speed that up.
I don't believe that anybody should grant Cyber Command or
Admiral Rogers a blank ticket to do whatever they want. That is
not appropriate. The part I am trying to figure out is what is
an appropriate balance to ensure that the broader set of
stakeholders here have a voice in what we do but, at the same
time, we empower our capabilities with speed and agility to
actually have meaningful impact. And I think that is what we
are trying to work our way through right now.
Mr. Scott. And so that brings me to the next question,
which deals with the Guard as they establish cyber units. I
know you said you had 300 full- and part-time working with you
right now at U.S. CYBERCOM. These units, I mean, they will not
only be supportive of their home States, but I assume that we
would want them to have the authority to be supportive of other
States as well.
Admiral Rogers. A lot of it depends--so, first of all, I am
the son of a Guardsman, so I grew up--my father was in the
Illinois Guard for 27 years, so, as a kid--you know, so I feel
very strongly about the value of the Guard. I have lived this
personally, and I saw the difference my father made when he
served.
The challenge, I think, is: How do we view this as an
integrated whole? So one of the points I make to the Guard and
I make to the Governors when they ask me this question:
Remember, we are all competing for the same manpower pool, if
you will. There are only so many people out there with the
requisite skills and kind of background. So be leery of doing
solution sets where we try to replicate, for example, 50
different independent capabilities across every single State.
It is, how do we synchronize this?
The other point I try to make is: Remember, cyber doesn't
recognize geography. So I am a resident of the State of
Illinois. And if you are trying to protect infrastructure in
Illinois, the challenge might be that much of that
infrastructure physically doesn't even reside in Illinois. It
is the way that the digital backbone has been built.
So title 32 and the Guard's employment outside of title 10
is all based on legal authority that also has a key geography
component. You are acting in a title 32 capacity within your
State. What do we do when the cyber infrastructure that you are
trying to defend or impact doesn't reside in that physical
location?
So my only argument is: We need to work our way through
this, and we need to think more broadly and in a more
integrated approach. So I don't think it is only Guard and
Reserve. Likewise, I don't think it is only Active. We have to
get across the spectrum. And we have to ask ourselves, whatever
we create, how do we do it in a way that maximizes its ability
to be employed in potentially multiple different scenarios, not
just a scenario, if that makes sense.
Mr. Scott. Absolutely. It is complex.
And the city of Atlanta, as you know, was subject to a
ransomware attack. And, you know, I can see that--I mean, I
think the SamSam ransomware has been around for 8 years now. I
mean, I can see this as we talk about infrastructure; it is not
just going to be attacks on DOD and on U.S. Government
operations. It is going to be attacking State operations and
city operations.
And I, quite honestly, don't care where the person comes
from that stops the attack, nor do I think any other government
official would. And just, we will need help with how we draft
that language for you.
And, with that, I yield the remainder of my time.
Ms. Stefanik. Mrs. Murphy.
Mrs. Murphy. Thank you, Madam Chair.
I just wanted to use the rest of my time to let you finish
that question. Because you were talking about, you know, that
it needs to be integrated into the COCOMs.
Admiral Rogers. Right.
Mrs. Murphy. But, as you finish that, also, if you can talk
to me a little bit about how J5 will integrate with these CO-
IPEs and whether or not you have both the manpower and the
capacity to and a solid handle on the CYBERCOM plans in order
to make sure that they are synchronized.
Admiral Rogers. Right.
So one component was we have to get knowledge and
experience at the COCOM level on how you plan and execute cyber
operations.
Secondly, that capability has to be able to be integrated
not just within that particular COCOM--Honolulu, Stuttgart,
Tampa, fill in the blank--but it has also got to tie back to
Cyber Command so that we have one integrated approach to how we
are doing business here, particularly since the majority, all
of the offensive capability within the Department, for example,
remains under my, Cyber Command's operational control. We apply
it in support of the other combatant commanders. So we have got
to tie this together.
We are starting the build in 2018. It is going to be finished
by 2023, so it is a 5-year build-out. We will have IOC [initial
operational capability] at all nine projected by the end of
2019, so by the end of the next fiscal year. That gets an
initial operating capability to all of the other nine combatant
commanders. And then we will flesh it out over the course of
the next 3 years.
A couple of COCOMs are a little further than others, and we
are using as kind of a test case then. I would highlight--and
no disrespect to any, but I would highlight PACOM [U.S. Pacific
Command] and CENTCOM [U.S. Central Command], probably the two
where, at the moment, we have started to get the initial
investments, and because of some of the broader activity in
their theaters that are of high interest, that are bringing our
cyber capability to bear, along with a lot of other
capabilities, we have kind of decided to use them as a bit of a
test case, if you will.
Mrs. Murphy. Uh-huh. Great.
And, I guess, are you going to be also providing the
training and resources to help people have the cyber fluency to
be able to engage even if that is not their primary mission?
Admiral Rogers. Right. So part of this is we will help
develop the training standards for every one of the billets.
This is also a good example of how, once--with each service
having created a core cyber competency, one of my visions is,
so you could do one tour at a combatant commander, you could do
another tour in one of our mission teams, you could do another
tour at Cyber Command, you could do another tour in ASD
[Assistant Secretary of Defense] in Cyber Policy, you could go
to the Joint Staff and do cyber work.
Mrs. Murphy. Uh-huh.
Admiral Rogers. One of the values of this
professionalization that, as a Department, we have put in place
now is that we will get recurring benefit by moving people so
we don't have to train every--so it is the first time you have
ever done this; we don't want to go through that every time.
There is always a first time, but I don't want to have to do
that every time, if I can avoid it.
Mrs. Murphy. Great. Thank you very much.
And I yield back.
Ms. Stefanik. Mr. Garamendi.
Mr. Garamendi. I will pass.
Ms. Stefanik. That concludes the open portion of this
session. We are now going to move to 2337.
I also want to just let the members know we are going to
have a quarterly cyber briefing. So if there are questions you
have that we didn't get to today, that will be scheduled in the
coming weeks.
So, with that, this is gaveled out, and we will hustle
upstairs.
[Whereupon, at 4:23 p.m., the subcommittee proceeded in
closed session.]
=======================================================================
A P P E N D I X
April 11, 2018
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
April 11, 2018
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
=======================================================================
WITNESS RESPONSES TO QUESTIONS ASKED DURING
THE HEARING
April 11, 2018
=======================================================================
RESPONSES TO QUESTIONS SUBMITTED BY MS. STEFANIK
Admiral Rogers. [The information is for official use only and
retained in the committee files.] [See page 11.]
Secretary Rapuano. A common operating picture requires the Federal
government and the private sector to share information rapidly. This
means improving processes so that DOD and the intelligence community
(IC) can push information to the Department of Homeland Security (DHS)
and out to private sector critical infrastructure partners, but also so
that those partners can share more threat data from their networks with
the Federal government. This information could be critical in helping
DOD conduct its mission to defend the homeland. By understanding the
threats facing critical infrastructure, we can better prioritize DOD's
operational activities. This is a collective responsibility to which
both the public and private sectors must contribute.
My staff and I work in close collaboration with the National
Security Council staff and our interagency partners at the State
Department, DHS, the Federal Bureau of Investigation (FBI), and other
departments and agencies to ensure that the Federal Government has the
necessary policies in place and is taking appropriate actions to
address critical issues and potential threats in cyberspace. Beyond
contractual relationships, and both the mandatory and voluntary
information-sharing programs DOD has with the Defense Industrial Base,
DOD works closely with DHS and the FBI to address threats to critical
infrastructure. [See page 11.]
______
RESPONSES TO QUESTIONS SUBMITTED BY MR. LANGEVIN
Admiral Rogers. [The information is for official use only and
retained in the committee files.] [See page 12.]
Secretary Rapuano. USCYBERCOM incorporates lessons learned into its
mission planning and operations by instituting a real-time review and
feedback mechanism during its operations as well as conducting larger
scale after-action sessions to identify strategic issues. All
individual operations are planned, reviewed, and approved prior to
execution by independent, senior-level technical advisors who provide
guidance and modifications based on their experience and extensive
knowledge.
Once an operation is complete, the same individuals review and
critique whether the operation was conducted according to plan and if
any unanticipated challenges arose during execution. If a mistake
occurs during the course of the operation, the senior technical
advisors have the opportunity to determine whether the operator
requires additional training or whether the mistake was due to a simple
error. USCYBERCOM personnel also often conduct ``hot washes''
(debriefing meetings) on their strategic operations with senior leaders
to identify the lessons learned and to propose recommendations for
improving future operations. These recommendations can include resource
shortfalls, process requirements, and decision-making efficiencies to
be gained.
Lessons learned from operational employment of the Cyber Mission
Force (CMF) are being routinely captured and integrated into ever-
evolving curriculum. The Department of the Army, for example, is
comparatively in the best position to ensure that it is able to
leverage and institute ``lessons learned'' from real-world Cyberspace
Operations and evolve curriculum, training, and recertification
processes rapidly. The Army's decision to have its institutional CMF
workforce collocated with a majority of its operational CMF workforce
gives the Army a significant advantage in accessing, educating,
training, developing, employing, and retaining this workforce.
The decision to establish the U.S. Army Cyber School at Fort
Gordon, Georgia, was made, in part, to co-locate the institutional and
the operational force. Benefits of this colocation include, but are not
limited to, gaining synergy across both workforces through shared
experiences, the ability to take lessons learned and turn them rapidly
into appropriate adjustments to the curriculum, an ability to ``re-
fresh'' instructors while they are still serving in instructor billets,
an ability rapidly to establish critical training that is more
immediately available to a large portion of the operational force, and
an ability to extend the ``Schoolhouse'' learning environment by
introducing students to the operational environment while they are
still in training. Additionally, as the U.S. Army Cyber School began
constructing curriculum specifically to meet the needs of its CMF, it
turned to cloud-hosted storage and synchronization solutions that allow
qualified members of the CMF to ``crowdsource'' on the curricula for
both rapid creation and continual maintenance. To date, more than 100
contributors have worked to provide almost 7,000 updates to courseware
through their chosen distributed version-control system.
During the establishment of the Joint Cyber Mission Force, the
initial emphasis was simply on building the 133 teams across the
Military Services and thus the Initial Operating Capability (IOC) and
then Full Operating Capability (FOC) of the Joint Cyber Mission Force.
Reporting by the units focused on rudimentary reporting of total
personnel assigned to the teams against a percentage of personnel
assigned to key work roles and their associated levels of training and
certification.
These teams are trained to deter and defeat strategic threats to
U.S. interests and infrastructure, ensure DOD mission assurance, and
achieve Joint Force Commander objectives. Accordingly, as we move
forward, DOD recognizes the need to work with USCYBERCOM and the
Military Services to effect joint standard reporting requirements and
standards for both ``Capacity'' and ``Capabilities.'' As the Department
resources and equips these teams with cutting-edge cyber tools,
accesses, and platforms to protect against sophisticated cyberattacks
and to ensure deterrence and military advantage in and through
cyberspace, enhanced CMF Readiness reporting that assesses ``Capacity''
readiness across the Military Services to a common joint standard by
measuring not only Personnel and Training, but also Equipment and
Supplies and Condition of Equipment, will result in more deliberate and
objective measures of force readiness. In addition, the Department
needs to work with USCYBERCOM and the Military Services to effect
``capabilities-based'' reporting against Mission-Essential Tasks that
reflect fundamentals based on unit design and organization. [See page
12.]
______
RESPONSE TO QUESTION SUBMITTED BY MRS. MURPHY
Admiral Rogers. [The information is for official use only and
retained in the committee files.] [See page 16.]