Page 1       TOP OF DOC
[H.A.S.C. No. 106–45]



FOR FISCAL YEAR 2001—H.R. 4205






 Page 2       PREV PAGE       TOP OF DOC

MARCH 8, 2000



CURT WELDON, Pennsylvania, Chairman
JOHN M. McHUGH, New York
HOWARD ''BUCK'' McKEON, California
 Page 3       PREV PAGE       TOP OF DOC
WALTER B. JONES, Jr., North Carolina
BOB RILEY, Alabama

GENE TAYLOR, Mississippi
MARTIN T. MEEHAN, Massachusetts
VIC SNYDER, Arkansas
BARON P. HILL, Indiana
JOHN B. LARSON, Connecticut

Stephen Ansley, Professional Staff Member
Robert Lautrup, Professional Staff Member
Jean Reed, Professional Staff Member
William Natter, Professional Staff Member
Erica Striebel, Staff Assistant

 Page 4       PREV PAGE       TOP OF DOC

HERBERT H. BATEMAN, Virginia, Chairman
WALTER B. JONES, Jr., North Carolina
BOB RILEY, Alabama
CURT WELDON, Pennsylvania

JOHN M. SPRATT, Jr., South Carolina
ADAM SMITH, Washington
JAMES H. MALONEY, Connecticut
MIKE McINTYRE, North Carolina

 Page 5       PREV PAGE       TOP OF DOC
Peter M. Steffes, Professional Staff Member
Joseph F. Boessen, Professional Staff Member
Mary Ellen Fraser, Professional Staff Member
Diane W. Bowman, Staff Assistant



    Wednesday, March 8, 2000, Fiscal Year 2001 National Defense Authorization Act—Information Superiority and Information Assurance—Meeting the Challenges of the 21st Century

    Wednesday, March 8, 2000



 Page 6       PREV PAGE       TOP OF DOC
    Pickett, Hon. Owen, a Representative from Virginia, Ranking Member, Military Research and Development Subcommittee

    Weldon, Hon. Curt, a Representative from Pennsylvania, Chairman, Military Research and Development Subcommittee


    Money, Hon. Arthur L. Money, Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (C4I), Department of Defense; accompanied by: Lt. Gen. John L. Woodward, U.S. Air Force, Director for Command, Control, Communications, and Computer Systems, Joint Staff; Lt. Gen. William H. Campbell, Director for Command, Control, Communications, and Computers, U.S. Army; Rear Adm. Richard W. Mayo, Director Space, Information Warfare, Command and Control, Department of the Navy; Lt. Gen. William J. Donahue, Director, Communications and Information, U.S. Air Force; Brig. Gen. Robert M. Shea, Assistant Chief of Staff for Command, Control, Communications, Computers and Intelligence, Headquarters, U.S. Marine Corps

    Tritak, John S., Director, Critical Infrastructure Assurance Office; accompanied by: the Hon. Neal F. Lane, Assistant to the President for Science and Technology, and Director of the Office of Science and Technology Policy, the White House; the Hon. Arthur L. Money, Assistant Secretary of Defense for Command, Control, Communications and Intelligence (C4I) Department of Defense


 Page 7       PREV PAGE       TOP OF DOC
[The Prepared Statements submitted can be viewed in the hard copy.]
Bateman, Hon. Herbert H., a Representative from Virginia, Chairman, Military Readiness Subcommittee

Brock, Jack L., Jr., Director, Governmentwide and Defense Information Systems, Accounting and Information Management Division

Campbell, Lt. Gen. William H.

Donahue, Lt. Gen. William J.

Lane, Hon. Neal

Li, Allen, Assosicate Director, Defense Acquisitions Issues, National Security and International Affairs Division

Mayo, Rear Adm. Richard

Money, Hon. Arthur L.

Ortiz, Hon. Solomon P., a Representative from Texas, Ranking Member, Military Readiness Subcommittee

Pickett, Hon. Owen
 Page 8       PREV PAGE       TOP OF DOC

Shea, Brig. Gen. Robert M.

Tritak, John S.

Weldon, Hon. Curt

Woodward, Lt. Gen. John L.

[The were no Documents submitted for the Record.]

[The Questions and Answers are pending.]


House of Representatives, Committee on Armed Services, Military Research and Development Subcommittee, Meeting Jointly with Military Readiness Subcommmittee, Washington, DC, Wednesday, March 8, 2000.

    The Committee met, pursuant to call, at 4:15 p.m. in room 2118, Rayburn House Office Building, Hon. Curt Weldon presiding.

 Page 9       PREV PAGE       TOP OF DOC

    Mr. WELDON. The hearing will come to order. Today, the Subcommittees on Military Readiness and Military Research and Development meet jointly to receive testimony on the status of the Department of Defense (DOD) information superiority and information assurance programs. This is a continuation of a pattern of hearings that we have held over the past several years. The first, though, I might add, were our good friends on the Readiness Subcommittee because they have constant jurisdiction over a constant amount of dollars that impact our information assurance programs.

    We have just completed a classified briefing with Members that went a little bit longer than we thought. I apologize for that, plus we had votes. And I got into specific questions about some of the problems we have had directly and where we are and some of the directions we are moving in the future.

    In our hearings that have been held in the past we have had Deputy Secretary of Defense John Hamre, who has gone to great lengths in previous years to describe the potential for a cyber-attack. In fact, it was in this hearing room where Secretary Hamre first mentioned that it is not a matter of if we have an electronic Pearl Harbor, but when. In the subsequent hearings he briefed us on specific attacks that had been, in fact, underway involving both military and nonmilitary systems. In fact, in one of those briefings we had a classified session where he brought in the Department of Justice (DOJ) with him.

 Page 10       PREV PAGE       TOP OF DOC
    In the February 1999 hearing, he went into an expanded characterization of this threat and actually said that we were at that time at war against cyber terrorism. And we all saw evidence of those attacks unfold publicly in the media as we saw more and more indication that there were those individuals trying to bring down both the military and nonmilitary systems.

    In May of 1998, President Clinton signed Presidential Decision Directive 63, which set up some specific goals relative to our infrastructure. In January 7th of this year, the President announced the establishment of a national plan for information systems protection.

    Today, we are going to get an overview of the Critical Information Protection Program and the President's recently announced national plan for information systems protection. Now, I must add here, this Subcommittee and the Readiness Subcommittee and Members of our full Committee working together have been very much on top of this issue for the last six years.

    In fact, in each of the past five years we have increased money for cyber-terrorism, for information dominance, and information assurance over the President's request. And, in fact, one of the things that we did hear from Secretary Money this morning, which I am sure he will repeat in open session, is we need to do more to take this message, as John Hamre said frequently, to the public sector, that they have got to be part of the solution to the problem of protecting our critical information.

    But I want to add a criticism here. This criticism is not directed at my Democratic colleagues, because they have been equal partners, and it is not directed to people at the table. I think the President has been lax in not raising this issue in the annual, state-of-the-union speeches. I sat through eight speeches. In fact, I timed last year's speech. It was an hour and 17 minutes long. The total amount of sometime devoted to national security was 90 seconds. Of that 90 seconds there was a small mention to the American people of the issue of the potential for cyber-attack or terrorism using Internet capability.
 Page 11       PREV PAGE       TOP OF DOC

    If we want this issue to resonate with the American people, then the commander-in-chief, who has the bully pulpit, who once a year has had the attention of tens of millions of Americans, should have taken the time to outline in the state of the union, because it is the state of the union, that cyber-terrorism is a major issue that warrants the attention of every person in this country, including the Congress.

    So my point is directed not to you as the witnesses. Dr. Lane, I have been a big admirer of yours. You traveled to Philadelphia for us. You are on top of this issue from the science and technology standpoint. I know the fights you have been through in the budget office in the White House. Mr. Tritak, I do not know you as well, but I know of you by reputation, and Secretary Money, I have worked with very closely, along with his boss, Dr. Hamre, and I have the highest regard for the both of you.

    So my comments here at the beginning are, I wish the president would have used the bully pulpit, and I will use it today, to take more steps to raise this issue. In fact, after last year's speech, even though he did not make it a major issue, the following week he gave a major policy speech on cyber-terrorism. I forget where it was, but it was some place in the country. I wish that would have been a part of the state of the union when he had tens of millions of Americans listening, but it was not. It was a separate speech, which I happened to get a copy of that I think was given at a college campus or to a business group.

    But with those comments, we welcome you here. Our first panel will be John Tritak, Director of the Critical Infrastructure Assurance Office; the Honorable Neal Lane, Assistant to the President for Science and Technology and Director of the Office of Science and Technology Policy; and the Honorable Arthur Money, Assistant Secretary of Defense for Command, Control, Communications, and Intelligence.
 Page 12       PREV PAGE       TOP OF DOC

    They will be followed by a second panel, which will focus on the role that information technology plays in the readiness of today's armed forces, Herb Bateman's big issue. He is focusing on a continual basis and been a leader in the Congress on these issues, along with Solomon Ortiz, to provide an understanding of DOD defense policy, program, and plans to achieve and maintain information superiority and information assurance among our armed forces, the Fiscal Year 2001 budget request and supporting plans, and plans of the military departments and defense agencies. The panel will also discuss specific issues of interest to the Subcommittees, including the proposed Navy-Marine Corps Intranet, which I know Mr. Bateman has questions on.

    In addition to Secretary Money, members of that panel will include General John Woodward, Director of Command, Control, Communications, and Computer Systems, the Joint Staff; Lieutenant General William Campbell, Director, Information Systems for Command, Control, Communications, and Computers, Department of the Army; Admiral Richard W. Mayo, Director of Space Information Warfare Command and Control, Department of the Navy; General William J. Donahue, Director of Headquarters, Communications, for the Air Force. I want to get it right in case I missed—of the Department of the Air Force. I wanted to make sure I do not mess any of the titles up, so I apologize for that. And General Robert Shea, Assistant Deputy Commandant, Command, Control, Communications, and Intelligence, Headquarters, U.S. Marine Corps.

    Gentlemen, we welcome you all here today and look forward to your testimony. We will enter your written statements in the record, and the written statements submitted by the General Accounting Office, which provides the agency's observations on the Navy's plan to establish a Navy-Marine Corps Intranet. That also is entered into the record. And with that, I would like to turn to my good friend and chairman of the Readiness Committee, the distinguished gentleman from Virginia, Mr. Bateman.
 Page 13       PREV PAGE       TOP OF DOC

    [The prepared statement of Mr. Weldon can be found in the Appendix.]

    Mr. BATEMAN. Thank you, Mr. Chairman. I am going to ask unanimous consent that my prepared statement be made a part of the record, and I will simply make a brief comment.

    The Defense Department request has $19.9 billion to fund its information-technology initiatives for Fiscal Year 2001. Of that amount $7.7 billion lies within the Operations and Maintenance (O&M) accounts, which are the readiness-sensitive accounts and consequently become the focus of considerable interest by that Subcommittee.

    Next, let me make reference to the Navy-Marine Corps Intranet Initiative, something that I think is probably worthy of applause, but to indicate that I am very concerned at the emergence of what may be a $2 billion program in one fiscal year and may be a $16 billion program over a short period of years, when there has never been the first budgetary request for one dollar to fund such a program made to the Congress and which has not been kept informed and advised as to what was going on.

    Today, I am happy to say I have been furnished a memorandum of agreement that does much to satisfy my concerns that the Congress is going to have some minimal opportunity to exercise some oversight over this initiative, and certainly it is my intention that we exercise that oversight. So I applaud the existence of this memorandum of understanding, and I am certainly looking forward to its full and complete compliance.

 Page 14       PREV PAGE       TOP OF DOC
    Something that is not referred to in the memorandum of agreement and on which I want to insist that the Committee receive information is there being nothing in the budget for this program, where does the Department of the Navy contemplate obtaining the money to pay for such a program if it goes forward with it? I want to know the accounts that you are going to take the money from in order to put it here because when we authorized and appropriated money and it was allocated to those other accounts, that is where we anticipated it was needed and where it would stay. If other accounts are going to be hit for up to $2 billion in one fiscal year, we want to know what those accounts are and what effect it may have on the present readiness of our forces. Thank you, Mr. Chairman.

    [The prepared statement of Mr. Bateman can be found in the Appendix.]

    Mr. WELDON. Thank you, Mr. Bateman for those comments, and I look forward to a response to your questions today. We will now turn to the distinguished gentleman from Virginia, a ranking member of the R&D Subcommittee, Mr. Pickett.

    Mr. PICKETT. Thank you, Mr. Chairman. I know our hearing is commencing a bit later than we anticipated, and in the interest of moving this along as promptly as possible, I am going to submit my statement for the record, and I will save my questions to ask the witnesses. Thank you.

    [The prepared statement of Mr. Pickett can be found in the Appendix.]

    Mr. WELDON. Thank you, Mr. Pickett. And our other distinguished ranking member, a good friend and tireless advocate for the military, the ranking member of the Readiness Subcommittee, Mr. Ortiz.
 Page 15       PREV PAGE       TOP OF DOC

    Mr. ORTIZ. Thank you, Mr. Chairman. I, first of all, thank you for holding this hearing today, and I join you in welcoming our distinguished witnesses to this hearing today. The testimony should help us to understand more about information requirements and the strategies the Department is undertaking to meet those requirements. I also note that the O&M account bears a very large burden in this area. In exercising our oversight responsibility, we on the Readiness Subcommittee need to understand the tensions and trade-offs associated with the decisions being made.

    I, too, am concerned about the process the Navy is using to procure the Navy and Marine Corps Intranet. Whatever informed decision is made, it must be implemented in accordance with appropriate procurement practices, and I hope our witnesses will provide assurances that appropriate procedure will be followed. And, again, Mr. Chairman, I thank you, and I look forward to listening to the testimony.

    [The prepared statement of Mr. Ortiz can be found in the Appendix.]

    Mr. WELDON. I thank you, Mr. Ortiz, and with that we will turn to our witnesses, and I will begin by apologizing to Mr. Tritak for mispronouncing your name. Welcome. You will be our first witness and then Dr. Lane and Secretary Money. So the floor is yours, your statement is in the record, and you may make whatever comments you would like.

 Page 16       PREV PAGE       TOP OF DOC

    Mr. TRITAK. Thank you very much, Chairman Weldon, Chairman Bateman, distinguished Members of Congress. It is truly a pleasure and an honor to be here with you today and to have an opportunity to provide an overview of the administration's Critical Infrastructure Program.

    I have a number of slides. As director of the Critical Infrastructure Assurance Office, I am responsible for coordinating federal government initiatives on critical infrastructure protection.

    Mr. WELDON. Mr. Tritak.

    Mr. TRITAK. Yes, sir.

    Mr. WRIGHT. Do you want to put the plans more at an angle so the public can see, because we have copies of all of your slides up here? That way, the people in the audience can see them as well. So if you can turn it—all of the Members have a document in front of them with all of the slides on them. Thank you.

    Mr. TRITAK. My specific responsibilities as director of the Critical Infrastructure Assurance Office include working with federal departments to develop and integrate their agencies' and sectors' plans into a national plan, assisting departments and agencies in analyzing their dependencies on critical infrastructures, and supporting national education and awareness programs.

 Page 17       PREV PAGE       TOP OF DOC
    In my opening remarks I will present an overview of the administration's efforts to secure the nation's critical infrastructures and will summarize some of the key programs contained in the National Plan released by the president earlier this year. I intend to limit my remarks to the efforts being taken on the civilian side of the federal government and will defer to Assistant Secretary Money on efforts being undertaken by the Department of Defense.

    Before you is displayed a copy of the cover of the National Plan. It says a lot about what the National Plan is and is not. First, the plan focuses on the cyber dimensions of securing our critical infrastructure. You may ask why? Critical-infrastructure assurance is not new. It has been around as long as there have been electric power plants, telecommunications systems, airlines and railroads, banking and financial services. But what is new is the increasing reliance on information technology and computer networks to operate those infrastructures. This growing reliance introduces new complexities, interdependencies, and potentially vulnerabilities.

    Focusing on the cyber aspects of infrastructure assurance in the plan is meant to drive home this important, new development. That is not to say that physical infrastructure protection is no longer important. It is, and future versions of the plan will reflect that importance.

    The plan is designated Version 1 and subtitled ''An Invitation to a Dialogue,'' and for good reason. The plan is very much a work in progress. It concentrates on the federal government's efforts to secure the nation's infrastructures, but the plan acknowledges that this is not enough. Securing our critical infrastructures in the Information Age presents a national-security challenge that the federal government alone cannot solve. With over 90 percent of the infrastructures privately owned and operated, we must work closely with industry and include them in subsequent versions of the National Plan and involve them in the national planning process.
 Page 18       PREV PAGE       TOP OF DOC

    We must also deal with the fact that there is an international dimension to national infrastructure assurance as well as a domestic dimension. And, of course, we must work closely with the Congress to ensure that your concerns, ideas, and interests are reflected in subsequent versions. I view this hearing as the beginning of a constructive dialogue with your Committees. Next slide, please.

    The goal of the National Plan is set forth in PDD 63. It is admittedly an ambitious goal. It calls for a national capability to defend our critical infrastructures against deliberate attacks by the Year 2003. To meet this goal will require actions by federal, state, and local governments as well as private industry. You will note that we are expected to achieve this goal in full compliance with all existing laws protecting the civil liberties and privacy rights of Americans. Next slide.

    To meet the goal of PDD–63, the National Plan establishes ten programs for achieving three broad objectives. First, steps must be taken to identify the key elements and systems that constitute our critical infrastructures. Their vulnerability to attack must be assessed, and plans must be developed to address those vulnerabilities. In so preparing, we hope to prevent attacks from reaching their target in the first place.

    Next, should attacks occur, we must develop the means to identify, assess, and warn about them in a timely manner. The attacks must then be contained, disrupted services must be restored, and affected systems must be reconstituted.

    Finally, we must lay a strong foundation upon which to create and support the nation's commitment to achieving both Objectives 1 and 2. Those include coordinated research and development, education and training, raising of overall cyber awareness, as well as considering appropriate legislative and legal reforms, and, of course, doing all of this within the context of protecting privacy and civil liberties. Next slide.
 Page 19       PREV PAGE       TOP OF DOC

    The president has requested $2.01 billion for critical infrastructure protection (CIP) for fiscal year 2001. This represents a 15 percent increase over fiscal year 2000. Eighty-five percent of this request supports protection of agency infrastructures. Seventy-two percent goes to supporting CIP efforts within the national security agencies.

    The president proposes a number of key initiatives in his budget request. These initiatives seek to accomplish two broad aims: the establishment of the federal government as a model of infrastructure assurance and the further development of public-private partnerships. I will highlight a few of them for you now.

    The Federal Cyber Service Initiative seeks to address the shortage of information-security expertise in the federal government. This shortfall reflects a scarcity of college-level programs for information security. It also reflects the inability of the government to compete for highly skilled workers in this area. Our goal is to recruit, train, and retain a cadre of information-technology specialists for the federal service through a scholarship-for-service program, which would provide college education in return for a commitment to federal service for a certified period of time and establishing, certifying, and maintaining information-security competencies for current information technology (IT) work force in the federal government.

    The Federal Intrusion Detection Network, FIDNet, will serve as a centralized, burglar-alarm system for critical computer networks within the civilian federal government. Intrusion-detection systems will be installed and operated by civilian agencies. The alarm data indicating anomalous computer activity will be sent by the agency to the General Services Agency (GSA) for further analysis. Only if there is evidence of criminal behavior will data be sent to the National Infrastructure Protection Center and law enforcement for further analysis.
 Page 20       PREV PAGE       TOP OF DOC

    FidNet will not monitor any private-network traffic, and it will comply fully with all existing laws on privacy and civil liberties. In many respects, the FIDNet was inspired by a similar type of capability that was established in the Department of Defense: the Joint Task Force Computer Network Defense System.

    The Institute for Information Infrastructure Protection will identify serious research and development (R&D) gaps that neither the private sector nor the federal government would otherwise be able to address. Research priorities will be identified by government and industry working together, with the actual research being performed by existing institutions. I am aware that Dr. Lane will actually have more to say about this in a few minutes.

    Now, turning to the partnership side, the Partnership for Critical Infrastructure Security is intended to build on the efforts already underway between government and industry. PDD–63 designates certain federal lead agencies to work closely with the infrastructure sectors on critical infrastructure-planning and information-sharing arrangements. For example, the NTIA, the Department of Commerce, is a sector liaison for the information-technology and communication industry. The Department of Energy is the sector liaison for electric power, oil, and gas industries.

    The Partnership for Critical Infrastructure Security seeks to bring these individual sectors' efforts together to encourage a cross-sectoral dialogue and to address areas of mutual interest and concern, such as how to deal with the fact that there is a growing interdependence among and between the infrastructure sectors. The partnership will also provide a forum for infrastructure owners and operators to engage other interested stakeholders, including the auditing community, the insurance community, Wall Street, and other members of the investment community and mainstream business community.
 Page 21       PREV PAGE       TOP OF DOC

    The partnership is predicated on the belief that once industry recognizes the business case for action, economic self-interest and the market can go a long way toward addressing some of the challenges for critical infrastructure assurance. Now, that is not to say that economic self-interest and the market alone can solve all of the problems confronting our nation's security. They probably cannot. Where they cannot, and where the national security interests of the United States requires, the federal government must step in to address any systemic vulnerabilities and to fill any critical security gaps on behalf of the American public.

    Last month, over 200 representative from more than 120 companies met in Washington, D.C. to begin organizing industry's participation in that partnership. Working groups were formed to address such important issues as cross-sector vulnerability assessments, risk-management approaches and information-sharing arrangements, research and development, as well as industry's participation in the National Planning process.

    The partnership will also serve as a vehicle for industry to contribute to the work of the National Assurance Infrastructure Council. The NAIC, as it is called, was established by executive order. It will be comprised mainly of commanding officers (COs) from all of the infrastructure sectors. Its purpose is to advise the President of the United States on matters relating to critical infrastructure assurance, with particular emphasis being given to identify ways in which government and industry can work better together in addressing the common issues of critical infrastructure assurance.

    Securing the nation's critical infrastructures requires an ongoing commitment from government and industry at the highest levels where strategic decisions and investments are made. The NAIC is intended to ensure that that commitment is carried out on both sides.
 Page 22       PREV PAGE       TOP OF DOC

    Mr. Chairman, this concludes my remarks. I want to thank you for the opportunity to be here today, and I look forward to addressing any questions you may have.

    [The prepared statement of Mr. Tritak can be found in the Appendix.]

    Mr. WELDON. Thank you. Dr. Lane.

    Mr. LANE. Thank you, Chairman Weldon, Chairman Bateman, Members of the Subcommittees. This is my first opportunity to appear before these Subcommittees, and so I am especially grateful and appreciative of the chance to talk about R&D activities that the federal government is conducting to improve our ability to protect the nation's critical infrastructures.

    This is truly a national challenge, one that goes beyond the traditional bounds of national security. Research and development is and must be the key element of an integrated national agenda to protect our critical infrastructures. Accordingly, the president's 2001 budget contains $606 million for critical infrastructure protection R&D, an increase of $145 million, or 31 percent, from last year's enacted funding level.

    I would like to very briefly describe the breadth of this R&D program. I would like to explain the process by which the Administration ties the individual agency programs together into a unified interagency product and spend a few minutes on a particularly important initiative that the president is requesting, the Institute for Information Infrastructure Protection. Reflecting the breadth of R&D needed to protect our diverse critical infrastructures, federal CIP R&D funding is allocated across ten agencies. Four hundred sixty-three million, or 76 percent of the funding, goes to national-security programs, with the balance distributed among civilian agencies.
 Page 23       PREV PAGE       TOP OF DOC

    These R&D funds cover the gamut of infrastructure protection, ranging from how lower system vulnerabilities and the risk of attack, to how we detect and respond to ongoing attack and disruptions, to how we reconstitute and recover in the aftermath of a serious disruption. Five hundred and twenty-seven million dollars, or 87 percent of the total, addresses cyber security, and the remainder addresses physical security.

    Presidential Decision Directive 63 on critical infrastructure protection tasks the Office of Science and Technology Policy to coordinate the federal government's critical, infrastructure-protection R&D activities. We have established an interagency process to ensure that this R&D aims towards common goals and addresses critical, crucial vulnerabilities and threats. Critical infrastructure protection R&D programs are first tied to the vulnerabilities or the R&D shortfalls. We then ensure that each agency is aware of other's R&D programs. By leveraging existing investments and avoiding duplication of effort, we craft a unified interagency product.

    Third, we validate our R&D agenda by soliciting feedback and comment from technology experts in the government, the private sector, and academia. Through these outreach efforts we will ensure that our R&D programs head in the right direction, that they address the key technical issues and that they do not reinvent technology already on the shelf.

    In his Fiscal Year 2001 budget the President requested a major new initiative, the Institute for Information Infrastructure Protection. This concept originated with the President's Committee of Advisers on Science and Technology; PCAST, we call it. PCAST was concerned that the key information technologies needed to ensure the security of the nation's information infrastructure were simply not being addressed and that the federal government's mechanisms for funding and producing R&D might not be able to keep pace with the explosive pace of technological change.
 Page 24       PREV PAGE       TOP OF DOC

    The Committee believed that an independent, not-for-profit institute suitably designed could act flexibly and responsively enough to stay abreast of rapidly evolving information-infrastructure threats, vulnerabilities, and emerging technologies.

    Convinced of the need for such an institute, the president requested $50 million for it in his Fiscal Year 2001 budget. He has also requested a $4 million supplement appropriation for the current fiscal year to establish the institute and to start its first R&D projects. Based on preliminary work, the president has called for the institute to be funded through the Commerce Department's National Institute of Standards and Technology, NIST, which has the mission of working collaboratively with industry to develop technology measurements and standards.

    I want to emphasize that the planning, the establishing and the operating of this institute must be done collaboratively by government, industry, and academia. I have, therefore, asked PCAST, working with the additional experts in the private sector and academia, to conduct a short-term, rapid-turnaround study to advise me on the institute's organizational structure on operational activities, staff recruitment, and initial R&D priorities.

    This intensive effort is well underway. The panel met on Friday, February 18th, and it held a conference call last week to discuss its initial concepts for the institute operations, management, and R&D agendas.

    Mr. Chairman, ensuring the robust, reliable, and assured operation of our critical infrastructure presents a serious challenge. The president directed that critical infrastructure protection be a national priority in PDD–63. Advanced technology will help us meet this challenge, and for this reason the Administration has developed a comprehensive R&D program that will ensure our infrastructures continue to operate reliably, even in the face of new threats in the 21st century.
 Page 25       PREV PAGE       TOP OF DOC

    I thank you for this opportunity to discuss our overall R&D program. I am looking forward to working with you as we bring this technology agenda to fruition.

    [The prepared statement of Mr. Lane can be found in the Appendix.]

    Mr. WELDON. Thank you, Dr. Lane. Secretary Money.

    Secretary MONEY. With the sake of time here and that we have another panel of America's six finest officers, I will just defer and answer questions. I will have a statement, though, in the next panel.

    Mr. WELDON. Thank you, Mr. Secretary. That is very appreciated, and we appreciate the fact that you did answer a lot of questions during the closed session.

    I will start off with a couple of issues. First of all, I am pleased with what is happening in terms of the creation of the cyber-services. One of the recommendations that this Committee came up with, I guess it was two years ago, to the Administration was that we look at establishing a program similar to the way that we bring medical professionals into the military, where we pay for their education, commission them as second lieutenants, and require them to serve a period of time in the area of information technology.

    Now, this does not quite get there, as I understand it. I think you start off with an Reserve Officers Training Corps (ROTC) program, but I think with the need for information dominance, and the need to defend against cyber-terrorism in the future, that we really need to be supportive of this effort, and I would even encourage you to move quicker.
 Page 26       PREV PAGE       TOP OF DOC

    Mr. Tritak, as I understand it, you are starting off with what, an ROTC program in the military? Or perhaps, Secretary Money, you want to answer that. Is that what it is, an ROTC program to start off?

    Mr. TRITAK. It is an ROTC-like program, sir. That is exactly right. The idea here would be in the junior and senior years, once students have selected their majors, that the scholarship-for-service program would kick in with a view towards after the completion of their undergraduate education, they would then move into a program within the federal government for some certified period, which has not been identified as yet.

    There is also a need, as you had indicated in your statement, that once you are actually in the federal service you need to develop sort of a cadre that encourages people to stay in because however long your scholarship-for-service obligations are, you do not want to just recycle junior people who then after the two years they get out, and then you bring in another set. So there is clearly a recognition you need to build a strong and solid career path within this area to keep them once they are in. And there are some unique challenges and opportunities that the federal service can provide which could perhaps offset some of the enticements that are provided by private industry.

    Mr. WELDON. I appreciate that answer, and, again, I will ask for comments from our service officers when they come to the forefront, but I just think we have to do whatever we need to do to address the issue, especially within the military, which is our primary concern here, to develop that next generation of leadership and to make sure they are properly paid so that they are not being sucked out by the private sector into the information-technology industry.
 Page 27       PREV PAGE       TOP OF DOC

    Second question: On, Dr. Lane, your establishment of the institute, I do not disagree with that at all. My concern is that many of the problems that we are concerned with on this Committee relate to our national security, which involve highly classified systems and information.

    Now, I am a strong supporter of National Institute of Science and Technology (NIST), as you know. I am a senior member of the Science Committee, very close to NIST, and think they are an absolutely outstanding agency. I question why the ultimate decision was to put that over at NIST when in many cases they are going to have to have access and interact with the Defense Department on some very highly sensitive information systems and capabilities. So perhaps you could explain to me—I understand at one point in time it was going to be under your jurisdiction. What was the thinking that went behind recommending this agency to be an independent nonprofit, which does cause me some concerns?

    Mr. LANE. Mr. Chairman, as I mentioned earlier, this recommendation came out of PCAST, which I co-chair with John Young, and particularly out of the National Security Committee of the president's PCAST full Committee, which is chaired by Norm Augustine. Their view on this was that because most of the infrastructure is really owned and operated by the private sector, it is extremely important that whatever mechanism gets put in place, whatever organization gets established, that it have a very close working relationship with the private sector, and it is understood that that means we will have to exchange information with the private sector. They will have to be willing to share with us data bases, information of a sensitive nature, and we have to have the mechanism in place to do that.

 Page 28       PREV PAGE       TOP OF DOC
    I think the view of PCAST is simply that the issues at stake here are even larger than national security, and we should find an agency—NIST was viewed as the best agency for this purpose—that has a mission to work with the private sector broadly across all different kinds of companies and has a good working relationship with them. And the understanding is, of course, that all parts of government will work through this entity with all sectors of industry and business that have concerns about the infrastructure, and that is essentially, as you know, every sector that we can think of.

    So the thought was that NIST would have a wider sweep, if you like, in terms of its interaction with the private sector and a good record, I think, of interaction with the private sector.

    Mr. WELDON. Well, I do not disagree with what you are saying. I think, though, that I want to feel comfortable that DOD also feels comfortable with that arrangement. I am going to ask the service officers when they come up.

    John Hamre last October, I think it was, invited a small a number of Members over to the Pentagon for dinner with the senior leadership of many of the large, private companies, and that effort was a good start to what I hope will continue for direct DOD involvement with the key information companies and their leadership. They were very responsive at the dinner meeting. They were just very enthusiastic that Secretary Hamre had taken that leadership role.

    I would like to see that continue, where DOD is also directly involved. I am not saying that NIST may not be the appropriate agency, but also that DOD feels comfortable with the way the institute is finally established.
 Page 29       PREV PAGE       TOP OF DOC

    Mr. LANE. May I add, Mr. Chairman, that Defense Advanced Research Projects Agency (DARPA) in particular, but other parts of DOD have been very much a part of our planning activity? They are at the table with the Committees of the National Science Technology Council working on the planning of this activity, so we very much look forward to working very closely with the Defense Department.

    Mr. WELDON. Did you want to add something?

    Secretary MONEY. Yes, sir. Just to comment on your previous two or three questions, let me start with the latter. We support what Neal Lane and folks have been doing. However, we are still pursuing the events a la what we had on 5 October, with the CO meetings, and that has shown great benefit. One example is Microsoft now is building in defensive measures in their software, and I attribute a lot of that to having this interaction showing them the difficulties, the vulnerabilities, and so forth, and other companies. I am not just mentioning Microsoft.

    The second thing: We certainly support the National Plan relative to the Cyber Corps and all, but there is a more immediate need that I will invite my general friends here to address when they have their panel about their current training and the massive amount of training, back-to-readiness issues Mr. Bateman is interested in, that is going on today, and then retention. And as you remember last year, maybe a skilled-pay increase or look at people that have cyber-system administrators, things like that. We do that for pilots, lawyers and cryptologists, and things like that. I think we need to broaden that, knowing that this is a critical skill, and in the meantime help in the retention area. Thank you.
 Page 30       PREV PAGE       TOP OF DOC

    Mr. WELDON. Thank you. With that we will turn to Mr. Bateman to ask his questions for such time as you would like.

    Mr. BATEMAN. Thank you, Mr. Chairman. I am going to raise any at this point. I may submit some for the record, but for this afternoon I do not think we need to risk an information overload here with another panel to come.

    Mr. WELDON. Thank you, Mr. Bateman. Mr. Ortiz.

    Mr. ORTIZ. I feel the same way, that I would probably be submitting some questions for the record so that we, for the sake of time, we could move on, and I think we have another panel. Thank you, Mr. Chairman.

    Mr. WELDON. Thank you, Mr. Ortiz. One of our experts on information systems in the Congress, Mr. Smith.

    Mr. SMITH. Thank you. Actually, the next panel probably is best to answer this, but I want to give you gentleman an opportunity to comment on actually what Mr. Bateman raised at the outset, and that is the Intranet project that is going on with the Marine Corps and the Navy. I know that is not directly your purview, but obviously it is something you are interested in.

    I am just curious, if you would give us a little background on what you think of the project and where it is going because from my perspective, whereas I share some of the concerns and want to make sure obviously that it is funded and that, to some degree, Congress is informed, I applaud any effort on behalf of the military to go forth, even on their own, to some extent, to take advantages of new technology because I think one of the problems that I think you all would concur that we have had with the military is the existing bureaucratic structure has sometimes not been as fleet of foot as technology is.
 Page 31       PREV PAGE       TOP OF DOC

    And I think if there is evidence that we are breaking out of that and looking to the future and acting, for my part, go forth and do good. Consult us when you can, certainly, but do not fall behind trying to do that. So I am curious what your views are on that project and where it is going.

    Secretary MONEY. Mr. Smith, if we could, I would like to defer that until when Admiral Mayo is here with me, a short answer being the Critical Infrastructure Office (CIO) of the Defense Department, we are continuing to look for efficient, effective, modern acquisition, modern ways of instilling more efficiency, getting more modern IT into the area. So I support what the Navy is doing, and I have allowed, if you will, that Request for Proposal (RFP) to go out so we can, in fact, have a business such that we then can answer the basic tenets of the Clinger-Cohen Act, and then we will have a program. We will defer, if it is all right with you, any more discussion of that with Admiral Mayo, who has a fairly major presentation for you.

    Mr. WELDON. Great. And I guess what I would be interested also is the degree to which the current processes that you have to go through are an inhibiting factor to developing technologies like this. Is there some way that we in Congress could help change the structure to make it more likely for these things to happen, would be something else I would be interested in hearing from the next panel.

    Secretary MONEY. Again, a quick answer to that. I believe Congress has been very benevolent in giving the CIO authorities that we have. Frankly, it is a cultural issue now within the Department of Defense. We are working through and exercising the authorities we have been given. We are working on that, and I appreciate your support.
 Page 32       PREV PAGE       TOP OF DOC

    Mr. WELDON. Thank you, Mr. Smith. Mr. Andrews.

    Mr. ANDREWS. Thank you, Mr. Chairman. I want say in the public session what I said in the closed session, which is that you, Mr. Chairman, deserve an awful lot of credit for pioneering the efforts in this area, for asking these questions years before they were on the front page of the newspaper, and it is a privilege to work with you on this. And I wanted to commend Assistant Secretary Money and his colleagues for their very diligent, very outstanding work in this area and express my appreciation.

    I note from the 1989 National Research Council report entitled ''Realizing the Potential of C4I Fundamental Challenges,'' that one of the recommendations is that, I am quoting, ''in order to explore and develop or incubate new ideas for the use of information technology to support military needs, the Secretary of Defense should establish an Institute for Military Information Technology, either as a free-standing unit or by expanding the charter of an existing institution.''

    Secretary Money, as you know, your office and your staff has been instrumental in working with some of us on the Committee in pursuing that goal, and I just wonder if you could sketch out for us your vision as to what such a center might accomplish.

    Secretary MONEY. Well, I think there are several things that it could accomplish. Bringing together various research and technologies could be a great benefit, a focal point for some of the new intrusion devices, some of the new intrusion methods that we need to counter, those various types of things, so a research and development center would be appreciative.
 Page 33       PREV PAGE       TOP OF DOC

    In a meager sense, we are attempting that in an ad hoc, may be a better word, within the department today with the CIOs of the various departments and agencies coming together, at a broader sense what Dick Clark is doing with the CIP, the Critical Infrastructure Protection Committees.

    Mr. WELDON. Well, I appreciate your tutelage on this. It is self-evident to me that we need an institutionalized, systemic approach to thinking through the problem of leveraging commercial technological development in a secure and appropriate way, and, again, I commend you and your colleagues for your work on this.

    I want to echo the comments of Congressman Smith on the Navy/Marine Corps Intranet (NMCI) issue, and I want to hear the next panel talk about that. My view is that it is very important that we not confuse understandable administrative issues with the rather urgent need to take full advantage of the information resources that NMCI could make available to our services, and I look forward to what the next panel has to say, but I very much want to echo what he said.

    And then, finally, in the whole area of information warfare, I have had the benefit of hearing from the department what your needs are, but I would like you to talk about it here. I believe that the Department of Defense is well ahead of the curve in thinking through both defensive and offensive strategies in dealing with information warfare.

    I think our problem is figuring out how that fits in with the civilian world in a way that is consistent with our traditions of civil authority, certainly consistent with our constitutional protections for privacy, and consistent with the idea that the private sector should not be compelled to bear the cost of public defense.
 Page 34       PREV PAGE       TOP OF DOC

    Having said all of that, I believe we are most vulnerable in areas where we are least prepared, in our air-traffic control system, in our utility grids, in our financial-services system, and I guess I am interested in the panel's thoughts about ways we as a Committee might accommodate these civil traditions, the tradition of civil authority, might accommodate the constitutional imperative to respect the right of privacy but protect ourselves against what I think is a certain threat to the country's interests.

    Secretary MONEY. If I maybe start that out, and then the colleagues here come in as well. Let us see. Last year the DOD had 22,126 attacks. We know that because we have deployed intrusion devices and various methods, in fact, to measure those. The previous years we did not have that luxury.

    So the DOD, in fact, is putting into a lot of effort to understand what the threat is and, in fact, how to detect it, how to shunt it off, and that kind of thing. At the same time, the DOD does not stand alone anywhere. We are terribly dependent by design on—90 percent of our communications goes over commercial communication links, for example. Wherever we are we draw on the local economy for telephone, power, lights, water, sewage, and so forth, so the dependence is that we do not stand alone.

    Therefore, we would like the rest of the country, if you will, and where we are deployed overseas to be equally protected, so we have a higher degree, a higher assurance that that dependence, whatever that dependence is, is more protected. I will wait for my colleagues to answer what they are trying to do in that regard, but while I have the floor there are also some legal or legislative issues here.
 Page 35       PREV PAGE       TOP OF DOC

    I think we are operating on terribly arcane, passe, legal authorities. The act that we are operating under today is the 1934 Telecommunications Act. I will assert no one in 1934 even thought about wireless. Marconi had just almost invented the radio. I am exaggerating slightly. The times have moved on. The legal issues are huge. We talked about some of this at the classified session. Where an attack emanates is immaterial in a cyber sense, but our laws are predicated upon geography. That is an example.

    Mr. ANDREWS. I think one of the really striking and frightening ironies is that we are more vulnerable to a cyber-attack that is initiated within our borders than we are one initiated outside of our borders because of the different legal status that the attackers would have. I do not certainly call for a relaxation of our Fourth Amendment protections by any stretch of the imagination, but I think that we really have an immense problem in thinking through how this all fits in.

    The other point that I would make is that I commend the department for understanding the important financial relationships here. You have said publicly on a number of occasions, as have others in the Department and the Administration, that there needs to be some new approach to burden sharing here, that this is not a cost that can be fairly imposed upon the private sector, but it is a cost that has to be shared in some reasonable way.

    And I am interested in listening to your advice and working with my colleagues on the Committee to figure out a way that we can rapidly upgrade our preparation civilian sector, respect the legal principles and traditions that we have, but be prepared, because I have very little doubt that McGuire Air Force Base in my home state, New Jersey, would be very well prepared against this kind of attack in its own systems. I have very little doubt that the civilian utilities and civilian functions that serve that base, outstanding as they are in their given mission, are not prepared, not because of any fault of theirs because it is not their mission. And if you wanted to cripple McGuire Air Force Base, you could probably do it in ways that we should not talk about here, but it is a frightening thought. And, again, I commend the efforts of the department and the ladies and gentlemen who are working on this problem. Thank you.
 Page 36       PREV PAGE       TOP OF DOC

    Mr. WELDON. Thank you, Mr. Andrews. Before we dismiss this panel and bring the second panel up, just one final point. Did you want to add something? I am sorry. Dr. Lane, go right ahead, yes.

    Mr. LANE. Just one comment here. Obviously, the purpose of the R&D effort is to try to be sure we have the technologies that we then can use to protect ourselves, but the issue you raise of sort of the kind of inherent conflict between security and privacy, I think, is always going to be there. It is not just in this area of technology; it is there in medical research and in so many areas of technology they are moving rapidly.

    But the thing I would say about the R&D piece is that this whole area of interdependencies, a system of systems, transportation, power, information network, and other of these large systems, is one of the least well-understood aspects of this technology.

    We, for example, would like to know how you ensure that a system of systems like this under attack might degrade gracefully so that you kind of know where it is going, and you can come back for it rather than a catastrophic failure that we are generally not going to know how to deal with. These systems are complex. They are nonlinear, which to me as a physicist means you do not know what it is going to do, even if you tickle it a little bit. These are major R&D efforts.

    In the meantime we have immediate means, and we have immediate threats, and that is why it is so important that our agencies work together perhaps in an unprecedented way, in ways we have not done before, to assure that we can give attention to these threats and these vulnerabilities quickly, not later. But in the meantime we want to be sure that we are looking 10 years out and 20 years out to make sure that we always have the technologies to stay ahead of the threats.
 Page 37       PREV PAGE       TOP OF DOC

    Mr. WELDON. Thank you, Dr. Lane. Did you want to add something, Mr. Tritak?

    Mr. TRITAK. Just very briefly, Mr. Chairman, and it is really to underscore what the Congressman has just said. One of the biggest challenges in this area is really beginning to raise the awareness and appreciation of what it means to live in the Information Age and what it means when more and more of our infrastructures are basically being driven by an ever-expanding, digital nervous system that connects and interconnects in ways that we never could anticipate but affects our lives which we never expected.

    And it is more than just a hacker attack, as you suggest. It is something much deeper and more fundamental, and the resolution of this requires an ongoing dialogue at several levels of appreciation. And I could not agree more with the sentiments of what you said.

    In addition, the notion of burden sharing is to recognize that where the market can work, you want to encourage that, but we have to recognize that the market probably cannot do it all, and we have to recognize that, too, and be able to define the respective roles of government and industry in a collaborative manner to find out where those roles fit and who needs to be doing what and how.

    And that requires a dialogue not just between government and industry, but government and the American public because ultimately, to the extent that government has to step in, there has to be a broader buy-in on this issue than just simply industry. It requires allowing the American people to understand it.
 Page 38       PREV PAGE       TOP OF DOC

    It occurs to me when I think about in the old Cold War days you could ask any educated American what was the problem of the Cold War, what does ''nuclear dilemma'' mean, and they could give you an answer. There was an appreciation. There was a context and a familiarity with what the challenges were. We need to create that same sense of understanding and comprehension so that we can have a national dialogue that addresses these issues. We may not agree on policy, but at least we understand what the overall problems are. Right now, we have got our work cut out to do just that.

    Mr. WELDON. I agree with you fully, and that is why my suggestion is that the commander-in-chief, whoever it happens to be next year, should focus on this issue when he or she has the attention of the American people in our state of the union. If this is not the state of the union, I do not know what is.

    And that leads me to a point I want to make that came out in the classified session. I was somewhat surprised in the session this morning when we asked, earlier today, when we asked the question that we do not have a national intelligence estimate in this area. I mean, so I am putting on the record this Committee, and I assume my chairman agrees with me, that we urge you in the quickest possible time to challenge the intelligence community to come up with a National Intelligence Estimate (NIE), as they do for every other emerging threat, in this area of cyber-terrorism.

    I am surprised we have not asked them yet and do not have one, so I would ask you to do that as a result of this hearing. And we have some other questions we would like to submit for the record to each you. We want to thank you for coming in. Did you want to add something finally, Secretary Money?
 Page 39       PREV PAGE       TOP OF DOC

    Secretary MONEY. I will just take that on and get you a response on when that will occur.

    [The information referred to can be found in the Appendix.]

    Mr. WELDON. Thank you very much, and we thank you both for coming in. Secretary Money is going to stay. He likes to sit at that table so much, he wants to sit there all day, so we have reserved a special seat for him now for the third panel. But, Dr. Lane and Mr. Tritak, thank you for your work and thank you for your leadership.

    If the other panel could come up, Generals and Admiral, we would love to have you now.

    While they are sitting down, we have, again, Art Money. We have General Woodward from the Joint Staff, General Campbell from the Army, Admiral Mayo from the Navy, General Donahue from the Air Force, and General Shea from the Marine Corps.

    Secretary MONEY. Mr. Chairman.

    Mr. WELDON. Yes?

    Secretary MONEY. Just in the context of time, how is the schedule working for you?

 Page 40       PREV PAGE       TOP OF DOC
    Mr. WELDON. The schedule is going to be tight. Mr. Bateman and I are supposed to meet with the Speaker on the defense budget at 5:30. I will let Mr. Bateman leave when he has to, and I will stay around, but if you could condense your written statements, they are all submitted for the record, they will all be in the record, and just give us the highlights of what you want from your own individual services, that would be of great interest. And I know, Mr. Bateman, I wanted to defer to him for questions right away, so I am not going to ask any questions. When we get at that point I will defer right to Mr. Bateman.

    So I guess we will go right down the line, or I guess Art Money first and then General Woodward, and then we will go down the services. So, Art, it is yours again.


    Secretary MONEY. Again, in the sake of time, why don't I just submit the oral one for the record as well?

    [The prepared statement of Secretary Money can be found in the Appendix.]
 Page 41       PREV PAGE       TOP OF DOC

    Mr. WELDON. Thank you very much.

    Secretary MONEY. You bet.

    Mr. WELDON. General Woodward, welcome.

    General WOODWARD. Yes, sir. Thank you very much, again, Chairman Weldon and Chairman Bateman. I really appreciate the opportunity to come in and have a talk with you. I was here last year obviously and have a chance to do this again this year, and I cannot thank you enough for giving us an opportunity to have that voice.

    I guess probably the other things, I think, are much more important, though, is to thank you and the Committee's activities for the kind of work that has been done, and I mean that sincerely. I think our voices are heard by your Committees because there is action behind it. That speaks immediately to the quality of the pay issue, the redux, the pay-table reform, all of those activities and the fact that you are taking on the military health program as well right now. So we thank you. But great success in spectrum.

    You have listened to that discussion from testimony certainly from the commanders-in-chiefs from the field, from the service chiefs, from ourselves, and, in fact, we have successes in every neighborhood I can look at, and I think of one immediately right off the top of the head. You directed the movement of 50 megs of spectrum so that the Navy can work their Cooperative Engagement Capability (CEC) operation, and you all did that. We also have the legislation that you introduced that, in fact, now have the Chairman of Joint Chiefs of Staff and Secretary of Defense involved in the recommendation process. You have done some great, great work, so I thank you in a big way.
 Page 42       PREV PAGE       TOP OF DOC

    I come with a focus that is really on the joint and the coalition war fighter. That is really the person that you see when you are looking at me in terms of the Joint Staff working for the Chairman and thinking in those terms. So that really represents when, I speak warfighters, combat services, combat support, those kinds of things, that the vision is Joint Vision 2010. You are well aware of that. I know you have seen that document. It is very supported by the services and the Commander in Chiefs (CINCs) that are out there. That is the vision for the future. A piece of that is the information superiority, as you also know very, very well.

    It is the fundamental enabler, along with technology innovation, so that we can achieve this full-spectrum dominance that we talk about.

    Inherent within that is this concept, and maybe a template, if I can use that term, a vision, maybe a framework type, the Global Information Grid, which has taken on a prominence now through policy work that is being done by Secretary Money, and all of us are involved in it, to give us an opportunity for a framework.

    And I am going to mention what General Shelton has had an opportunity to say to you before, because I think it is important. He mentions that an important aspect of the future operations will be the development of a Global Information Grid to provide the network-centric environment required to achieve information superiority. ''The Global Information Grid is a globally interconnected, end-to-end set of information capabilities, associated processes, and personnel to manage and provide information on demand for warfighters, policy makers, and supporting people. It will enhance combat power through greatly increased battle-space awareness, improved abilities to employ weapons beyond line of sight, employment of massed effects instead of massed forces, and reduced decision cycles. It will contribute to the success of noncombat military operations as well.''
 Page 43       PREV PAGE       TOP OF DOC

    That was directly in the posture statement, and I want to enforce that because I think it is essential for all of us as we talk to the Committee that you know we have that kind of construct that we are dealing with.

    Inherent within that is the Defense-in-Depth and the aspects that we are doing associated with information assurance associated with that. At every level possible you are very aware of many of the activities that are going on. There are many more activities that are happening in codifying that through the Joint Staff direction from the Chairman's instructions all the way down to different policy matters at the Department of Defense level as well.

    There has got to be resource. We have got to work the training. We have got to work the people. We have had that conversation. We have got to work the tactics, techniques, and procedures, and certainly we have got to have the O&M levels of investment that are out there.

    Information assurance, as you can see by us being here, is everyone's business. It is not just the guys at the table here. It is everybody's responsibility as we take on this subject that is so very serious. One vulnerability is everyone's problem in our business, and we have got to make sure that we deal with it.

    So the transformation aspects that are going on in this help us get really engaged and use this concept of the grid through things like Pacific Command. The CINC out there has engineered a pilot program to do Theater Command, Control Communications, Computers and Intelligence (C4I) Coordination Center that, in fact, gives a CINC-level visibility into the network aspects that are going on and the kinds of activities that he needs to be aware of to fight the fight that he is asked to do on a day-to-day basis as well as certainly in any kind of contingency that was going on.
 Page 44       PREV PAGE       TOP OF DOC

    We have got to do that in a coalition world, too. What was recently pointed out, certainly from the Kosovo activities as well as the East Timor activities, that we are very much dependent on network activities with our coalition partners. We have got to understand that level of information protection as it applies to that responsibility as well—very, very important.

    The Joint Forces Command has taken on a responsibility to write a capstone requirements document, to spell this construct out, and then do the necessary coordination through the Joint Requirements Oversight Council process, which is the requirements process that we deal with. That is also be shored up. Most recently, the Chairman's instruction, which prescribes a key performance parameter interoperability, and in that we actually do a checklist called the C4I Support Plan that, in fact, will look at all requirements coming through for interoperability, for the information assurance, for the spectrum applications that are necessary to, in fact, try to make those things happen on the front end of the requirements process.

    That is new since we last talked last year, and we are excited about it. Additive to that is a construct that we are putting together on an instruction that gives more details for the services and all of us to follow and, in fact, to employ aspects of this Global Information Grid through network operations, information assurance. It is a 6510 Series document, including a manual to talk about tactics and techniques, to get right down to the procedure aspect, which we have had a chance to talk about as well.

    The Unified Command Plan has been looked at. You know that it was signed for 1999 and, in fact, had a piece in there to talk about for the future that will be debated this year, and the Unified Command Plan 01, which will look, in fact, at how do we really do this in an organizational sense to focus on operational matters in terms of potentially space-and-information type of business. I think that is a move that needs to be done as well. So we will work that aspect hard.
 Page 45       PREV PAGE       TOP OF DOC

    You have heard much from General ''Soup'' Campbell, who was here before, who has done some monumental things on computer-network defense and forming up a Joint Task Force, which is now under a CINC, in terms of their operational management. That is nothing but good news. We also are fielding a modeling-simulation capability called NETWars to do the levels of assessment for bandwidth management, and I think that is going to happen.

    Technology and fusion is part of this as well, an innovator, as you well know, for an enabler, and we are working those aspects very, very hard, too.

    The Joint Warrior Interoperability Demonstration; we did some things this past summer for coalition operations and shared information in a collaborative manner, shared information in what one would call an ability to share at coalition level. I did not say secret; I said coalition level, so that, in fact, all can share information together. We have got to move forward with that into the command and control arena so that we can do things.

    And the Joint Battle Center, which is connected down with the Joint Forces Command, has taken on all kinds of levels, including a look-see at millennium challenge and how the pieces fit together for all of the services' concepts and constructs that will be dealt with this summer.

    The challenges are huge. You know that well. We share communication pipes with the commercial sector, so we coexist well in that regard, but we are kind of mutually exclusive in the radio frequency spectrum industry, as you know, as well. And the international challenges for coalition operations, which was mentioned, is just huge, including technical capability, interoperability, and information releasability, as well as communications security, the things that we face in our own nation today as well.
 Page 46       PREV PAGE       TOP OF DOC

    Our focus is definitely on the interoperability, the capabilities aspect of life. We need to find the tools, the technical-information-assurance tools that are out there. We need to have the standardized activities that go on. We need to focus on the warfighter so that they can do it in a deployed arena.

    Defense-in-Depth is real. It is being worked on hard. You will hear it from our services. We do it together in a cooperative, coordinated sense, and we are fortunate enough to have the policy driver, Secretary Money, right here, trying to make the right things happen for all of us. And the chairman has taken on 22 policy instructions, five detail manuals since last we talked, and two doctrinal, joint publications as well to try and help this process.

    So I think that, in conclusion, which is also in the written testimony, 10 to 20 years from now I would like to believe that people will look back at us and our names and the times that we are in and see this as a time of tremendous opportunity. I think they will say we seized that opportunity, and we tried to succeed at what was necessary, and we took advantage of that combat power of that network business through the kinds of constructs that I have mentioned to you.

    So thanks again for giving me the opportunity to be here and do this kind of job. We are proud of what you do. Thank you.

    [The prepared statement of General Woodward can be found in the Appendix.]

    Mr. WELDON. Thank you very much. We are going to start from the left and go right down. General Campbell, you are first.
 Page 47       PREV PAGE       TOP OF DOC

    General CAMPBELL. Thank you very much, sir. I will cover this in 60 seconds or less and give you a written statement.

    Mr. WELDON. You just want to come back here again, don't you?

    General CAMPBELL. The Army is totally committed to information superiority and to information assurance. It is integral to the Global Information Grid that General Woodward discussed and to the Army's transformation. Digitization remains a top priority. Within battlefield digitization, the Warfighter Information Network and our command and control systems are critical. At the same time we are digitizing the installations, putting the fiber in the switches so we can import best business practices from the commercial sector. We are dependent on it so it has to be secure, and, therefore, we have submitted a Defense-in-Depth program for your approval.

    Despite the money that we have been able to put on this, we have about 35 or $40 million in unfinanced requirements that we would like to work with you on and see what we can do to increase the amount of money that we are spending on it.

    I applaud the research and development efforts that were discussed earlier, that $600 million, because I think the most critical problem that we have today is that we do not have the research and development to develop the tools to detect the intrusions beyond hackers, and we do not have the means to identify when a real espionage attack is there, and we need to have more R&D so that we can have tools for the government and tools that we can export to the commercial sector.
 Page 48       PREV PAGE       TOP OF DOC

    I would like to thank you personally for your support and for your advocacy for Army programs, in particular, the Land Information Warrior Activity (LIWAs) and the IDC. Thank you very much, sir.

    [The prepared statement of General Campbell can be found in the Appendix.]

    Mr. WELDON. It is easy to support something that is going so well. Admiral Mayo.

    Admiral MAYO. Thank you very much, Mr. Chairman. I would like to talk very briefly to you and the Members of the Committee about two key, entry fees that the Navy thinks we have to have to fight and to work in the Information Age. I am going to talk about information technology for the 21st century and Navy-Marine Corps Intranet in terms of information superiority and information assurance.

    I would like to thank you for your strong support for IT–21 over the last two years. We now have this capability fielded in five battle groups and in five amphibious ready groups and are on track to complete this by the Chief of Naval Operations (CNO's) goal, fall of fiscal year 2003.

    Here is what we saw in Operation Allied Force. Our fleet commanders in the Mediterranean had the opportunity via IT–21 and the collaboration, speed-of-command networks that it brings, classified and unclassified, and video teleconferencing, to communicate with their U.S. commanders, their joint counterparts, and their coalition partners, and IT–21 was absolutely vital, and here is an example.
 Page 49       PREV PAGE       TOP OF DOC

    As a result of a post-flight debrief we were able to disseminate target information of an aircraft on our runway to our planning staff staffs afloat and ashore. This allowed us to conduct a quick Tomahawk strike, signaling the employment of a strategic weapon in a tactical sense, shortening a process that can take hours or days to just more than an hour to plan and execute. This was truly significant, and IT–21 allowed us to do this.

    I can talk to you more but will not about IT–21 benefits from Operation Desert Fox and from our flagships with IT–21 off East Timor. Our operational commanders today count the ships that do not have IT–21. It is that important. They plan and schedule around ships that have it. IT–21 is a fleet network. We have tight firewalls and a strict security posture. We want to bring that tight security enclave and the operational benefits to the rest of the Navy, and I want to talk to you about Navy-Marine Corps Intranet.

    You can see in the top-left corner of this viewgraph, that is the current state of the Navy networks today. They are numerous. They have been purchased through numerous contracts, and because of that we have technical inefficiencies and interoperability problems. We also have many security vulnerabilities and seams.

    So what we want to do to fix this is to go to industry. Industry has the experts. Industry knows how to do this, and we want to procure our IT services as a utility, like water, like electricity, like telephone service. Our base commanders are paying for this today annually, but they are paying for it in their region or in their local area, and we are not doing it in a coherent way across the Navy enterprise. That is what has got to be done to eliminate those problems of lack of access, interoperability problems, and security concerns.
 Page 50       PREV PAGE       TOP OF DOC

    We want to get Navy-Marine Corps Intranet as an end-to-end, with the right kind of training, the right kind of software, the right kind of help-desk functions, and the right kind of hardware, completely end to end. We are not doing it today. We are going to be completely interoperable with the Defense Information Systems Network (DISN). In fact, DISN will provide our long-haul connectivity, and we will completely support the Global Information Grid, which is the evolving DOD communications strategy.

    So we are going to be able to get the interoperability, tight-security enclave we do not have ashore today, and the enhanced access to more than 360,000 seats that we need to get our job done. So this services contract is going to be across the Navy. We think we have an innovative way to get this. This is the most affordable way. A multiyear agreement and contract with industry is the most affordable way to do it and will keep us current—this is very important—it will keep us current with industry.

    The urgency is because of the security concerns I have talked about. You can see that today's situation, with the multiple networks, the various security vulnerabilities and seams that we have to be concerned with, we want to go to a tight enclave like we have afloat and experience the operational benefits and security benefits that we have afloat.

    And lastly, I would say the status quo is unaffordable. Thank you very much.

    [The prepared statement of Admiral Mayo can be found in the Appendix.]

 Page 51       PREV PAGE       TOP OF DOC
    Mr. WELDON. Thank you very much, Admiral. Mr. Pickett, if you do not object, Mr. Bateman and I were supposed to meet with the Speaker at about 5:30 about defense funding, which I am sure you are all interested in, whether we can give you any more money this year. Mr. Bateman is going to go, so I am going to let him interrupt and ask questions of Admiral Mayo right now before he leaves. I will stay with Mr. Pickett and Mr. Andrews and will continue the hearing, but, Mr. Bateman, the floor is yours.

    Mr. BATEMAN. Let me assure General Donahue and General Shea that I am certainly not disinterested in what you have to say, but in your interest I think I do need to be at this meeting with the Speaker.

    Admiral Mayo, you are going to get by very likely with me this afternoon. I have had, since I raised some concerns with the Department of the Navy, a memorandum of agreement, dated today, which addresses the oversight concerns which I have had and which, quite frankly, I think were very serious concerns at the way the program you describe was being proceeded with without any notification to the Congress as to what you were about, even though it had enormous cost associated with it and which may ultimately, indeed, represent a savings and a very sound investment, and in no sense am I seeking to undermine that program.

    In addition to having seen that memorandum of agreement, I have under today's date also a letter from the Secretary of the Navy, which is addressing my concerns. I will be responding to the Secretary of the Navy's letter, and perhaps by way of some questions for the record in order to get a better feel for how the Navy is going to pay for this program once you have gone through the hoops spelled out in the memorandum of agreement and which accounts are going to be surcharged in order to pay for it.
 Page 52       PREV PAGE       TOP OF DOC

    It makes some difference between whether or not you are getting it from an account that has immediate implications for the readiness of the Navy and whether or not you are getting it from some account where it does not have that same degree of sensitivity. We need to have a better feel of who are you going to be applying charges against in order to pay for your system once you have gone through the business analysis and gotten the authorization to proceed.

    So my questions will be ones that are better dealt with by my making them more specific and them being responded to in writing. With that, thank you, Mr. Chairman, and I will make the Speaker aware of your dilemma. I do not need any response from Admiral Mayo today. We will get this information.

    Admiral MAYO. Sir, if I may, I would just like to thank you for your comments and your concern, and we want to be very responsive to you and your staff, and we intend to be, and to address the accounts in 2001 as best we can, and we certainly intend to do that.

    Mr. BATEMAN. I believe we are getting there.

    Mr. WELDON. Secretary Money wants to respond to you, Mr. Bateman.

    Mr. BATEMAN. Yes.

    Secretary MONEY. Mr. Bateman, if I could just add on to that, as the Critical Infrastructure Officer (CIO) of the department, it is not just the Navy and the Marine Corps Intranet; it is the whole department's, and we are pulling that together as that document you just referred to. In fact, from a CIO standpoint, this is a step forward. Thank you.
 Page 53       PREV PAGE       TOP OF DOC

    Mr. BATEMAN. Thank you, Mr. Secretary.

    Mr. WELDON. Mr. Bateman, thank you for your attendance, and we understand he is fighting for you all, so we want to wish him well as he goes over. General Shea, it is all yours.

    General SHEA. Good afternoon, sir. Chairman Weldon and distinguished Members of the Committee, I, too, want to thank you for the opportunity to come up and discuss with the Committee how the Marine Corps is meeting the challenge for information superiority and information assurance as we move into the 21st century.

    The recent, well-publicized, denial-of-service attacks on Yahoo and other commercial Web sites highlights the inherent vulnerabilities associated with our rapidly evolving, network-centric world. These attacks also serve to remind us that we must continue our aggressive efforts to secure our networks and information stores. These attacks are most sobering if one accepts that they were not the deliberate, malicious work of a nation-state, but rather the effort of a loosely coupled coalition of hacker groups. Although we have made substantial progress in this area, our present capacity to counter such a threat is minimal.

    The ability to detect intrusions must be multifaceted, whether there is a frontal assault, such as that experienced by the commercial sites, or a slow probing of our boundary security or an internal threat to our information integrity. We cannot lose the situational awareness provided by a robust, intrusion-detection architecture.

 Page 54       PREV PAGE       TOP OF DOC
    With this capability in place, we can conduct an active defense of our networks and react decisively, effectively, and rapidly to possible intrusions. Our information-assurance architecture is not a static entity. It is a dynamic plan that allows us to respond to a wide range of attack methods, the ability to withstand a brute-force attack, and the robustness to speed reconstitution where necessary. Through the unique combination of centralized network management and an array of security assets, we have actively pursued an aggressive defense of our Marine Corps enterprise network.

    At the core of our information-assurance plan is a robust network infrastructure. A centrally managed and defended infrastructure allows us to coordinate an effective defense, in depth, to protect our information resources. We are also taking steps to better control our configurations through centralized policy and centralized procurement of network resources. Education and training to ensure that policies and practices are understood and exercised is another component of Defense-in-Depth. This training starts at the user level, and we have instituted a program where all Marines receive annual training designed to raise their level of security awareness and emphasize the critical role they play as individuals in this network-centric world.

    Training our information-system professionals is critical as well if we hope to implement a viable, information-assurance architecture in both the deployed and garrison environments. The Marine Corps is establishing a new occupation field within our enlisted ranks that focuses on information superiority and security. Additionally, our network operations center dispatches mobile-training teams whenever a new security capability is fielded. These teams provide just-in-time training to meet our operational requirement for security technology and provide a marine capable of sustaining that technology. In this manner we are able to respond to the dynamics of our changing environment.
 Page 55       PREV PAGE       TOP OF DOC

    The Marine forces component to the Joint Task Force for Computer Network Defense, of which General Campbell is the commander who spoke to you earlier, is collocated with our network operations center and is charged with defending the enterprise network. We have a single commander for both entities. This synergistic relationship provides the framework within which active computer network defense is integrated with network management.

    We continue to add to the capabilities of the Marine component of the Joint Task Force. Staffed completely with Marines from our reserve forces, we have established a Web risk-assessment cell. The focus of the cell is to test the vulnerability of our Web site. Through virtual drilling these reserves check our Web sites for inappropriate content and assess them for vulnerabilities that might leave them open to compromise.

    Our network also extends to our tactical forces via the Defense Information Systems Network and satellite communications. Our Deployed Tactical Networks also require a robust infrastructure and the capability to protect information from a cyber-attack. We currently have a team of Marines deployed with U.S. Forces in East Timor and Australia with a new employable-intrusion-detection capability to help protect the networks that they have deployed out there.

    Despite these efforts, we must acknowledge that our potential foes are learned and thinking adversaries. In a war-fighting context, it would be prudent to recognize that for most of the leaps we have taken in information technology, there is a small, relatively inexpensive yet effective counter to that technology. Our potential adversaries recognize this.

 Page 56       PREV PAGE       TOP OF DOC
    Even the least-developed nations have an interest in information operations and recognize it as a force multiplier. My experience is that they have studied the topic extensively through the Internet, and while many nations do not have a great depth and breadth of computer expertise, they all have a cadre of experts. This area of warfare and study is quickly expanding and is receiving serious foreign military thought throughout the world.

    With technology changing rapidly, we cannot become complacent. The combination of dynamic changes in technology, the increased complexity of the systems we are fielding, and the high turnover of our technically skilled Marines are a major challenge we must meet. Your continued support for our investments in our Marines as well as our tactical-systems, our base infrastructures, will help further the development of the capability we need to ensure information superiority and information assurance to the Marine Corps. Thank you very much, sir.

    [The prepared statement of General Shea can be found in the Appendix.]

    Mr. WELDON. Thank you, General Shea. General Donahue.

    General DONAHUE. Mr. Chairman, I will do this in 60 seconds. I want to thank you, first and foremost—

    Mr. WELDON. You are going to top the Army, huh?

    General DONAHUE. Absolutely.

    Mr. WELDON. Okay.
 Page 57       PREV PAGE       TOP OF DOC

    General DONAHUE. Thank you, first and foremost, for your interest in this nationally important subject. Let me say that we combat tested our information superiority divisions in Operation Allied Force. You can read about it about it in our posture statement, and I have provided that as part of our submission for the record. We used commercial products. We were Web enabled. We reached back to the United States. We used the Supernet, and we were, in fact, an information-enabled operation. We are good, but we cannot rest on our laurels because we absolutely need to be better.

    Allied Force was a cyber war. The threat was real. It resulted in nothing more than a nuisance to us, but it is dangerous, and we need to deal with that. Information warfare is not hyperbole; it is, in fact, real. Other countries have it as doctrine. We have it as our doctrine, and we intend to pursue it when the situation is right and in the correct legal framework.

    As for our budget, we have put a lot of investment in information superiority. We describe it very crisply in our preface to their IT budget exhibit, and if there is more top line, we can use it. It is number three in our unfunded priority list.

    The final request is we would like for you to put some teeth in the laws. The legal processes do not move at the speed of light, and we need to do that. The message we need to send to people who would break into our networks is that we will hunt you down and hold you accountable. We need the legal wherewithal to do that.

    We are good. We think we are without peer. We welcome your support in keeping it that way. This is one area where we cannot afford to forfeit that lead, and with your support we will continue to serve you well. I thank you for your interest.
 Page 58       PREV PAGE       TOP OF DOC

    [The prepared statement of General Donahue can be found in the Appendix.]

    Mr. WELDON. Thank you, General. You did a great job. General Campbell, you have got some competition over there in terms of time. I thank all of you. Your comments were right on the mark. We support enthusiastically in a bipartisan way everything you have been doing, and you have our full unequivocal support.

    In fact, I am going to ask each you—I am going to ask Secretary Money last so you do not feel the heat from him—your opinion about if you had more money, could you use it, and if you could use it—the reason why Herb Bateman left, as you know, is to go over and argue for more money in our budget process this year, which we are supporting.

    Suppose we came up with some additional money. Could you use additional money in your own service areas? And I am going to ask Dr. Money to highlight all of this at the end and General Woodward. But would you not only be able to use it? Could you give us a priority list of where you would like to have it placed for you? And we will go right down the list.

    I do not expect you to give us specific answers now, but could you use some extra money, General Campbell, and will you give us a list of your priorities after this hearing?

    General CAMPBELL. Yes, sir. We could use more money. We will give you priorities. If I could tell you one thing that we need three times, it is bandwidth, bandwidth, bandwidth. We have 16 kilobits at a brigade level. Most people in their houses have many multiples of that. I would also suggest, again, that somewhere we need to put more R&D money on the tools of the type that we mentioned earlier.
 Page 59       PREV PAGE       TOP OF DOC

    Mr. WELDON. And your comments were well taken in that area. Admiral Mayo, could you use some extra money in the Navy?

    Admiral MAYO. Yes, sir, definitely. We have a priority for IT and C4 investments, and the CNOs submitted an unfunded priority list, and the number-one C4–IT issue on there is for $300 million, 100 of which is for IT–21, the remaining 200 for Navy-Marine Corps Intranet, and both of them are to accelerate these needed capabilities.

    Mr. WELDON. Thank you. General Shea, could you use some money in the Marine Corps for this?

    Mr. SMITH. Yes, sir, and the Commandant has highlighted in his unfunded priorities where we would place that money, and I think he would welcome that, sir. Thank you.

    Mr. WELDON. And, General Donahue.

    General DONAHUE. Absolutely. Let me second General Campbell's comments. We need bandwidth in the most—the highest vulnerability we have are fragile networks. We have it number three in our unfunded priority lists—frequently use as bandwidth is good, more is better, and he with the most wins. So we can put it to good use, if you can provide it above top line.

    Mr. WELDON. Now, General Woodward and Secretary Money, it is your turn, and I am going to ask you to give us—you have already given us your professional opinion here. Now give us your personal opinion about if you had extra money available to you, could you use it, where would you like to use it, and also for the two of you, if you could for the record any legislative suggestions to help you. You have alluded to that in your comments. We would like to have them as we begin the markup of the authorization bill in April so that we can deal with them in that legislation. So, General Woodward and then Secretary Money.
 Page 60       PREV PAGE       TOP OF DOC

    General WOODWARD. All right. A couple of thoughts, both personal and professional. I agree obviously with what the service who has said because you cannot get the joint world done unless you get that operation kind of done, too. So enterprise-level solution sets, wherever we can find those for joint and coalition activities. In the network-operations arena the bandwidth business, for sure. It goes without the saying, the information assurance, which we have been so focused on today and every day, specifically in the computer-network-defense area.

    I would push pretty hard for money to be spent in modeling-simulation aspects from the standpoint of not the traditional senses, but, in fact, how do we make the right level investment decisions, how does the warfighter get the right accuracy or bandwidth management in a theater of ops that they have got to prosecute? And we have got to take what we have been talking about in the services right into that deployed arena so that Joint Task Force has that capability as well.

    I think I would push for the technologies, though, in the industrial sector, and that is Commercial Off The Shelf (COTS), COTS-based products that can, in fact, have security inherently built into them. I would push really, really hard for that. Information-management products, information-dissemination management, which we do not have enough, in my estimation, coming out of the industry sector.

    And then the intrusion detection, interpretation analysis in the information-assurance arena, we are very much lacking. We need roll-up level of tool sets that can, in fact, do that and give us that visibility at whatever level we are talking about. It does not matter if it is at the service level or Joint Task Force level or component level. All of those kinds of levels, those things are very, very necessary, I would say.
 Page 61       PREV PAGE       TOP OF DOC

    Mr. WELDON. Mr. Money.

    Secretary MONEY. Thank you, Congressman Weldon, for asking the question. The first thing I would ask is support the President's budget. And why is that? We have sat down, and these folks, in particular, with each of their services, in balancing various needs, come up with the best program they could. I then reviewed it and put some English on it from my standpoint. So the first thing is what is in the President's budget has been worked really hard. The second thing, it is not enough.

    As I alluded to earlier, I am worried that we are not accelerating fast enough in the deployment of information assurance in this Defense-in-Depth, so that is clearly an area that I feel we need. What Bill Campbell and Bill Donahue alluded to is what we affectionately call ''the last tactical mile.'' Today, Defense Information Security Agency (DISA) in its long haul can deliver 155 megabits per second anywhere in the world, and then we get to a point, sometimes it is a camp-post base station or a ship that Admiral Mayo referred to, where we go down to 9.6 or 2.4 or a very small bandwidth. For end-to-end, seamless flow of information, we need capability.

    So getting the last-tactical-mile equivalent to whatever is required is essential. That has been exacerbated by lessons learned in Kosovo. I doubt today if we will ever go anywhere again and fight another major, major war—maybe a 12-man team doing something does not fall into this category, but anything larger than that we will have video for the local commander to understand what the situation is. Video then requires even more bandwidth and further exacerbates the last tactical mile.
 Page 62       PREV PAGE       TOP OF DOC

    Fragile networks. What we talked about in the classified section, you recall that the attacks, the potential of attacks, for the unclassified world we had 22,126 last year alone in DOD. What was not mentioned was we also are having what we call ''storms.'' Our network is fragile. We are bringing it down on our own right based upon the capacity and so forth. We are starting to experience more in that. So the network has been laid in. It has been layered with additional use and capacity, so we are starting to have storms.

    The final thing that we are working hard on, and I want to give these folks recognition, is you are about to hear that we will have an enterprise license for all of DOD, not just for the Army, Navy, Air Force, Marine Corps, whatever, but across the whole DOD, and at that point then we are getting maximum leverage of buying wholesale vice retail. I, in fact, have a list of eight items that I coalesced after listening to each of the services, and put in a priority order, cyber-attack sensing and warning, secure wireless.

    Eventually we go wireless wherever we go, so the last tactical mile is likely to be our—what do we need there in the way of secure wireless? PKI. One of our basic tenets for the roll-out of this Defense-in-Depth, is having this Public Key Infrastructure (PKI). I am proud, very proud, of what we have done in the last year collectively, but we are still going too slow, so accelerate. And then I will be glad to add more as you requested.

    Mr. WELDON. Secretary Money and General Woodward, we would like you to give those suggestions for the record, but just for us today in the course of discussing with my colleagues this week and next, and the Democrats are doing the same thing on their side, what amount of additional defense funding we need above the President's request, because we are talking about that as a baseline. Can you give us a ball-park estimate summarizing what each of the leadership had said here? What would that be? Is it a billion dollars? Is it a half-billion? What would it be?
 Page 63       PREV PAGE       TOP OF DOC

    Secretary MONEY. We would be grateful for a billion. I would say the minimal essential is another $250 million.

    Mr. WELDON. Two hundred fifty million is absolutely essential over what, and a billion is more likely what you would need. Great. General, you wanted to add something.

    General WOODWARD. Yes, Mr. Chairman. You mentioned legislation, and I think, which is back to Mr. Andrews' couple of points, I think we need to re-emphasize here, and I think everybody will support it, and one of those is work the legal aspects of punishment when somebody violates, whatever that is, so that, in fact, that really hits the press the right way, and something happens for real, and we use that as the deterrence level of device. That has got to happen.

    I think another one which is interesting that has been very effective for us in the Department of Defense and could be effective other places is we have got a Defense Information Technology Security Capability Assessment (DITSCA) process that goes on to give us levels of assurance for ourselves for ourselves in an administrative standpoint that says this system is secure. Use it. You can be confident it will do the job for you. That is the Defense Information Technology Security Capability Assessment Program, I believe, is what it stands for. There may be an opportunity there.

    Certainly, any legislation, and, again, I sound like a broken record on this one, but it is protecting the national defense military spectrum. I cannot get off the stage without having an opportunity to say you have got to keep looking at that one. The auction has started up again in a very limited sense, but, in fact, it is very, very valuable, obviously, in terms of dollars. But we have got to constantly think about national defense as we deal with that.
 Page 64       PREV PAGE       TOP OF DOC

    And I think a last one, if you could ever figure this one out, is legislate out complexities in this business somehow. Yes, that is a joke.

    Mr. WELDON. You solve that one, and you can run for the top job. Secretary, did you want to add something?

    Secretary MONEY. Let me just foot stomp the spectrum issue. If there was ever a critical infrastructure asset, it is the spectrum. I will put Global Positioning System (GPS) right behind it. Let me also just add that we have, and I mentioned this at one of the previous panels, and, frankly, I forgot which one it is, the modernization of the Telecommunications Act.

    One quick vignette. If you recall, during SOLAR SUNRISE the average attack had seven or eight legs. Each one of those legs requires that we physically go before a judge and get a wiretap order for that leg. Those are moving in millisecond or second levels, but the physical showup before a judge with paper is an arcane process in a cyber-related world. So we need to catch up on those kinds of issues. We will submit to you all our ideas, and, in fact, Congressman Andrews has already asked for some of those.

    [The information referred to can be found in the Appendix.]

    Mr. WELDON. Thank you. Mr. Pickett.

    Mr. PICKETT. Thank you, Mr. Chairman. Mr. Money, did I understand you to say that the Navy-Marine Corps Intranet system is actually being considered for the entire Department of Defense and not just for the Navy-Marine Corps?
 Page 65       PREV PAGE       TOP OF DOC

    Secretary MONEY. Yes, sir, in the following respect. We are looking at how to do business in a new, efficient, more effective manner. I view that as part of the Chief Information Officer (CIO's) job is the business reform or the revolution in business affairs. We are looking at this as an example of how, in fact, to do that.

    My point, when I mentioned that earlier, was we are available and working with the Marines and the Navy, but we also think of the rest of the services. Interoperability is the essence across the whole department. I know I have been criticized, and some of the folks on the Committee have been critical, why would I have allowed the Navy-Marine Corps to go ahead.

    The issue is to get an honest business case, we need real proposals, real commitments from industry, then we will get the honest-to-God business case. Then that will then say can we go forth or not. Those things, those hoops, those hurdles have yet to be accomplished, but we are out getting their bids, so then we will look at it.

    So you will hear about this as a programmatic sense after the business case is done, and we are working with our colleagues across the whole department. We have got the program evaluation people, on the evaluation board as well as the people in DISA and the Joint Staff, so it is being approached from a department standpoint. It will clearly satisfy what the Navy and the Marine Corps are looking for, but we see that as a model for the rest of the department as well.

    Mr. PICKETT. I believe it was three years ago that each of the services had put on a demonstration here on the Hill showing their capability to have a secure network, a secure system to work with, and they were demonstrating how they could detect any interference in their system, and I know that they have not been standing still during this intervening three-year period. I know a lot of additional progress has been made.
 Page 66       PREV PAGE       TOP OF DOC

    Is it the job of your office to coordinate the activities of the different services in their efforts to develop unique ways to protect their data and to make certain that there is going to be interoperability across service lines in this regard?

    Secretary MONEY. Yes, sir. That is how I view my job, with two hats on: the Command, Control, Communications, and Intelligence (C3I) hat, but also the CIO hat. And working with these folks, we have all put that on the table. Parochialism has fallen by the wayside, so we have come up with a Defense-in-Depth for the entire Department of Defense, not just for one service or another.

    For us to operate wherever we operate, we go joint anyway. Jack Woodward mentioned coalition, but let me just stay with joint. So we need to have the right information at the right time to the right people in the right format. It is assumed to be instantaneous across the globe and protected, so that is what we are working on collectively.

    And I might just mention the two Bills on either end (General William Donahue and General William Campbell) here, the two bookends, are about to retire, both of them, but I want to recognize and acknowledge all of the good work they have done.

    Mr. PICKETT. Well, the Committee certainly wants to recognize and commend them for the fine work they have done, too. We know this is a difficult area, and we deeply appreciate what they have done for their country.

    And just a final matter dealing with the issue of funding that the Chairman has already, I think, more than adequately covered, but in allocating your resources, does the money come to your office and then get reallocated to the services, or does this money have to be divided up among the services as a part of what we do?
 Page 67       PREV PAGE       TOP OF DOC

    Secretary MONEY. Yes, sir. It is more the latter. You know how things are appropriated here. They are appropriated by line item and by service. Again, coming together, we work with each of the services to prioritize things so the whole will come together. Sometimes that has not been totally harmonious, but I stand before you here today to say we are better off today than we were before. I do not control resources.

    Mr. PICKETT. So if we wanted to make sure that the money—

    Secretary MONEY. You can send it all to me, and I will be glad to distribute it, though.

    Mr. PICKETT. I was going to ask you the other way around. As I understand it, you think that the better way is to have the money go directly to the individual service and let them—

    Secretary MONEY. That is the tried-and-true way. The thing that is new is information superiority cuts across, I think, in a horizontal sense, where the vertical is where each of the services and/or weapons systems have been. So the cultural change that we have espoused and we are living daily is, in fact, to cut across horizontally, there is a harmonious—there is a synchronization that is required, and good folks like these, we are making that happen. It is about as smooth as can be as an appropriations system is today.

    Mr. PICKETT. Okay. Thank you. Thank you, Mr. Chairman.

 Page 68       PREV PAGE       TOP OF DOC
    Mr. WELDON. Thank you, Mr. Pickett. Mr. Andrews.

    Mr. ANDREWS. I am going to be very brief because I want Chairman Weldon to get to that meeting so we can do all of these things. First of all, I want to associate myself with his questions about additional needs above and beyond what is in the President's budget and to emphasize Secretary Money's comment that we are not interested only in financial resources, but in language changes, statutory changes, that might facilitate the work that you are doing.

    Second, on Navy-Marint Corps Intranet (NMCI), and I expect this is best addressed to Admiral Mayo and General Shea, if all went optimally, what are we looking at with respect to a date for an award of a contract? And, secondly, I would like to be kept up to speed as the process unfolds if there are any issues that would arise that would preclude us from hitting that date. What would the optimal date be if all goes well?

    Admiral MAYO. Sir, I will take that question. The forecasted date for contract award right now is June, June of this year, if everything goes well. I certainly hope it does, and we would be very happy to keep your office and you informed on any difficulties or issues that come up.

    Mr. ANDREWS. Yes, sir. Thank you very much.

    Mr. WELDON. Thank you, Mr. Andrews. I have one final point I wanted to mention. In the public session, Secretary Money, and I did go over with you in the private session, and that is I have looked at the services and what we are doing in the information-superiority, information-dominance area, defense against cyber terrorism, and I am absolutely impressed with the work being done. It is state of the art, and it is working, and I applaud all of you for that, especially our two generals who are leaving, for the great job that you have done on behalf of the country.
 Page 69       PREV PAGE       TOP OF DOC

    In fact, I have had a chance, as I told Secretary Money, and he knows this well, to compare what you do because people think of what you do as protecting against cyber-attacks and maintaining our information superiority, but what you also do in your information-dominance centers is you provide for us the ability to do massive amounts of data mining of both classified and unclassified that gives us very valuable information for the command officer and for the warfighter. ''Data profiling'' is what you call it, and that is so critically important.

    And I am convinced, in having looked at the other branches of our federal government, that you are the best. You are better than either the Federal Bureau of Investigation (FBI) or the Central Intelligence Agency (CIA), and I do not say that lightly because I have a lot of high regard for both the FBI and the CIA, but the work that you are doing and the profiling that you are involved with is just absolutely impressive.

    Secretary Money, in the classified session I asked you about not only the consolidation that you are doing within the services, but as you know, I wrote to Dr. Hamre and you back in the summer about an idea based upon what I had seen in the Army's LIWA model to establish a government-wide fusion center that will take and have nodes for each of the 28 agency that have classified information that could be brought to bear on a given area, a given region, or a given leader that could help us, not just in the military, but in export controls and all of the other areas that we have an interest in.

    I would like you to give a public response as to what you are doing, where that stands. Dr. Hamre has been very responsive. You have been in the forefront of this. Can you give for the public record an overview of where you are and where you are going in that regard?
 Page 70       PREV PAGE       TOP OF DOC

    Secretary MONEY. Yes, sir. I would be glad to. We have taken one particular case as a pilot, and that is a combination of what CIA, FBI, and DOD do up until now more or less independently in the counterintelligence area. What we have used is the tools/process that is resident at LIWA to try a new approach. And just this afternoon—obviously I have been here, so I do not know how it turned out, but Dr. Hamre, George Tenet, the Director of the CIA, as well as Louis Freeh, the director of the FBI, presented what we call CI–21, Counterintelligence 21. It is the coming together of those three agency/departments to share all of the information relative to counterintelligence and use this correlation tool/process as a beginning.

    We see that as a pilot. We see having a unit set up probably collocated with the sharing of data. Once that starts showing promise, and I have already had enough evidence that that will show promise, then we see that as a model then to attack other issues.

    Right now our thinking is it will be more topical, like counterintelligence export control. LIWA has been doing this support to troops in Kosovo for a year, so as topical areas come up we see the proliferation of this kind of process in the making. We started with this one pilot.

    Mr. WELDON. Well, we thank you, and I will just say for the record, whatever you need, funding-wise, to make that happen, first as a pilot, as you said, and then to expand that, I will be one that will take that initiative in the Congress to get the funding for that because there is nothing more important in my mind than that, and I gave you the example that we saw with the Kosovo conflict.
 Page 71       PREV PAGE       TOP OF DOC

    Unless Mr. Pickett or Mr. Andrews have additional questions—do you have anything else, Mr. Pickett?

    Mr. PICKETT. Mr. Chairman, I just want to thank our witnesses today because I think they have done a really outstanding job in helping us better understand that problem, and we appreciate your candidness in telling us that you need to do a better job. Thank you.

    Mr. WELDON. Mr. Andrews. Thank you again. We have a number of questions for the record we would like to ask you to respond to. General Woodward, you looked like you wanted to respond.

    General WOODWARD. I would love to do one, and I think we need to do it because we need to thank you again as quality of life. Again, one more time, we are remiss if we do not talk about the recruiting, the retaining, the rewarding of those intellectual capital, our people out there, whether they are in uniform or civil service or whatever. Please keep helping us preserve that because you are working that one hard.

    Mr. WELDON. And we agree with you. That was a top priority of ours two years ago. This Committee suggested to the Administration that they look at establishing an officer corps, requesting extra funding for that, which we will provide, commissioning people in the service who have degrees in the information-technology areas. Whatever you need to compete with the private sector, we have to give it to you.

 Page 72       PREV PAGE       TOP OF DOC
    So in your wish list of items, whether it is technology or processes, give us what you need in the services to keep those quality people in uniform, because we have to face that issue. I mean, that is as important as a new system is to have the people to operate that system. So make sure in your wish list, and you have already given a partial wish list, add that in for each of the services so that we can respond. Thank you. Secretary Money.

    Secretary MONEY. If I could, what we did last year, we collectively had the questions and the answer. If you sit in one spot, I will be glad to be the focal point.

    [The information referred to can be found in the Appendix.]

    Mr. WELDON. That is fine.

    Secretary MONEY. We will combine them all because we will hash it out again as we come back to you, and, again, thank you for your interest.

    Mr. WELDON. Thank you very much. We appreciate it. The hearing stands adjourned.

    [Whereupon, at 6:00 p.m., the Subcommittee was adjourned.]


March 8, 2000
 Page 73       PREV PAGE       TOP OF DOC
[The Appendix is pending.]