Page 1       TOP OF DOC
[H.A.S.C. No. 107–5]



FOR FISCAL YEAR 2002—H.R. ????







 Page 2       PREV PAGE       TOP OF DOC

MAY 17, 2001


For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: (202) 512-1800  Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001



CURT WELDON, Pennsylvania, Chairman
WALTER B. JONES, North Carolina
BOB RILEY, Alabama
 Page 3       PREV PAGE       TOP OF DOC
HOWARD P. ''BUCK'' McKEON, California
J.C. WATTS, Jr., Oklahoma
DON SHERWOOD, Pennsylvania

LANE EVANS, Illinois
JAMES H. MALONEY, Connecticut
MIKE McINTYRE, North Carolina
ROBERT A. BRADY, Pennsylvania
BARON P. HILL, Indiana
SUSAN A. DAVIS, California

Peter M. Steffes, Professional Staff Member
Joseph F. Boessen, Professional Staff Member
Mary Ellen Fraser, Professional Staff Member
Diane W. Bowman, Staff Assistant


 Page 4       PREV PAGE       TOP OF DOC


    Thursday, May 17, 2001, Fiscal Year 2002 National Defense Authorization Act—Examining Vulnerabilities of Department of Defense Networks

    Thursday, May 17, 2001

THURSDAY, MAY 17, 2001


    Ortiz, Hon. Solomon P., a Representative from Texas, Ranking Member, Military Readiness Subcommittee

    Weldon, Hon. Curt, a Representative from Pennsylvania, Chairman, Military Readiness Subcommittee


 Page 5       PREV PAGE       TOP OF DOC
    Bryan, Maj. Gen. James D., Commander, Joint Task Force-Computer Network Operations, U.S. Cincspace, and Vice Director, Defense Information Systems Agency, U.S. Army

    Cuviello, Lt. Gen. Peter M., Director of Information Systems for Command, Control, Communications, and Computers (DISC4), U.S. Army

    Kellogg, Lt. Gen. Joseph K., Director for Command, Control, Communications and Computers Systems, Joint Staff, U.S. Army

    Mayo, Vice Adm. Richard W., Director, Space, Information Warfare, Command and Control, Office of the Chief of Naval Operations, U.S. Navy

    Meyerrose, Brig. Gen. Dale W., Director, Command and Control Systems, U.S. Space Command, U.S. Air Force

    Shea, Brig. Gen. Robert M., Director, Command, Control, Communications, and Computers Headquarters, U.S. Marine Corps

    Wells, Hon. Linton, II, Assistant Secretary of Defense for Command, Control, Communications and Intelligence (Acting), and Department of Defense Chief Information Officer

    Woodward, Lt. Gen. John L., Jr., Deputy Chief of Staff, Communications and Information, U.S. Air Force

 Page 6       PREV PAGE       TOP OF DOC

[The Prepared Statements submitted can be viewed in the hard copy.]

Bryan, Maj. Gen. James D.
Cuviello, Lt. Gen. Peter M.
Kellogg, Lt. Gen. Joseph K.
Mayo, Vice Adm. Richard W.
Meyerrose, Brig. Gen. Dale W.
Shea, Brig. Gen. Robert M.
Wells, Hon. Linton, II
Woodward, Lt. Gen. John L., Jr.

[There were no Documents submitted for the Record.]

[The Questions and Answers are pending.]


House of Representatives,
Committee on Armed Services,
 Page 7       PREV PAGE       TOP OF DOC
Military Readiness Subcommittee,
Washington, DC, Thursday, May 17, 2001.

    The subcommittee met, pursuant to call, at 10:02 a.m. in room 2212, Rayburn House Office Building, Hon. Curt Weldon (chairman of the subcommittee) presiding.


    Mr. WELDON. The subcommittee will come to order.

    Before we begin our hearing today, I have to stop and pause and ask you all to join with us in remembering our good friend and the late Congressman, Norm Sisisky. Norm was on this subcommittee, but, more importantly, he was a close personal friend of both Solomon and myself. He was a tireless advocate for our Nation's military personnel.

    I have traveled with him, I have been to his district; and I can tell you there is no finer human being that served this country than Norman Sisisky. He just was a real, genuine person who I think if you had to pick a role model of what a Member of Congress should be like and the way they should act, you couldn't find a better example than Norman.

    So, Solomon, I know that you join with me. I would ask that we pause for a moment of silent reflection on our good friend and colleague, Norman Sisisky.

 Page 8       PREV PAGE       TOP OF DOC
    If you would like to make any comments on Norman's behalf before we get into the substance of the hearing, I recognize you for that.

    Mr. ORTIZ. I appreciate your kind and thoughtful comments regarding our former colleague, Mr. Sisisky.

    I sat next to him for at least 19 years in different committees, and I know that we here in Congress will mourn his departure for many years. I am confident that we will all grow a lot as a result of his presence with us, and the world is a better place because of his contributions. He was very well loved, as you well know, by both sides of the aisle. He contributed a lot not only to the committee but to the welfare of this great country by giving us a lot of input and a lot of wisdom in these committee hearings. So I share with you this moment.

    Mr. WELDON. Thank you, Mr. Ortiz.

    I would also, just for announcement purposes, announce that this subcommittee will hold a field hearing on Monday morning at 10 a.m. In Philadelphia at the Philadelphia Naval Yard. We have confirmed 10 Members of Congress and at least one Senator, if not two, are coming with us on the V–22 program. So we would invite the public and everyone in attendance and interested in that program to travel to Philadelphia with us on Monday morning.

    Today, the subcommittee meets to receive testimony on the status of Department of Defense (DOD) Information Assurance programs and the measures being taken to maintain security on the Department's information technology infrastructure.

 Page 9       PREV PAGE       TOP OF DOC
    Let me just say at the beginning here that I am new to this subcommittee but the past six years chaired the Research and Development Subcommittee. Each year we did at least one major hearing on the research side of our information technology work. It was a major issue for us on the Research and Development (R&D) Subcommittee, and I will tell you it will be a major issue on the Readiness Subcommittee.

    On this subcommittee we have oversight of the ongoing operations of such systems. We will be aggressively and intensively involved in overseeing and supporting and encouraging our work in the information technology and information assurance and information dominance area.

    I consider cyberterrorism to be one of the four biggest threats we face as a Nation. The other three being the threat of narco drug trafficking, the other being weapons of mass destruction involving chemical, biological or small nuclear devices, and the fourth being missile proliferation and the need for missile defense.

    But, as I give speeches around the country, I have consistently said that cyberterrorism and the threat to our smart technology, the ability of an adversary to compromise our smart systems and our logistic systems is really probably the most dominating concern that I think we face in the 21st century.

    But there is a second side to this equation we will be looking at later on. I will be asking some questions about this today. But that is also the issue of using information systems to do massive data mining to be able to help our war fighters and our policymakers and decision-makers in analyzing and assessing emerging threats.
 Page 10       PREV PAGE       TOP OF DOC

    So there are two primary functions that I see.

    And having visited our Land Information Warfare Activity (LIWA), having spent time out in San Diego with the Navy and being very closely aware of the Navy, Marine Corps and Air Force programs, I think we are on the right track in DOD. I think we can do more; and I think DOD can, in fact, provide a process that goes far beyond the Defense Department.

    As you all know, I have put a proposal into the defense bill last year, which I discussed at length with John Hamre when he was deputy, to establish a national operations and analysis hub that DOD would fund and operate but would have nodes of all 28 major information intelligence systems through our federal agency network.

    No such capability exists today, and to me that is a real shortcoming of our capability and needs in the 21st century.

    That will not be the primary focus of today's hearing. Today's hearing will focus on our vulnerability and the attacks.

    There was just an article that I clipped on Wednesday, yesterday, ''Hackers Cripple a State Department Computer System.'' You all know this better than I. You know the hits that we are taking. And that will be the subject of today's hearing.

    Essential to the information age is understanding inherent risks associated with network military force. We must not just protect our essential information but also the critical infrastructure upon which information use, transport and availability depends. Today, DOD estimates its information infrastructure includes two to three million computers, 100,000 local area networks and 100 long distance networks, all of which must be protected.
 Page 11       PREV PAGE       TOP OF DOC

    Information assurance is the essential element of operational readiness and is based on a need for accurate and timely exchange of information.

    This whole topic falls under the responsibility of the Assistant Secretary of Defense for Command, Control Communications and Intelligence. In 1998, DOD announced its plans for a Defense-Wide Information Assurance Program, or DIAP, with reporting being authority three levels down from the ASDC(3I).

    A recent GAO report, ''Information Security Progress and Challenges to an Effective Defense-Wide Information Assurance Program,'' reveals that DIAP lacks a clear mission, has no authority, and does not have the support from DOD leadership. The GAO report concludes that the DIAP's limited progress leaves DOD unable to accurately determine the status of information assurance across the Department, the progress of its improvement efforts or the effectiveness of its information assurance and issues.

    Finally, our subcommittee today will take advantage of the topic of this hearing to get an update from the Navy and the Marine Corps Internet (NMCI) program.

    I can tell you, I had a briefing for Members two weeks ago. I was a skeptic. When I came out of the briefing, I was convinced. The Navy and Marine Corps, in my opinion, are doing a fantastic job; and, in addition, they are saving significant amounts of public dollars for the taxpayer.

    The contract that appears to have been negotiated to me is one of the finest examples of our federal agency effort under way to save money and provide state-of-the-art information technology systems and updates that otherwise we would not be able to afford.
 Page 12       PREV PAGE       TOP OF DOC

    Hopefully, my high expectations will be lived up to if this contract is, in fact, completed as it is laid out to be; but I can tell you initially I am impressed.

    I am looking forward to hearing the other services give us similar visions and operational details about their efforts to streamline and standardize their IT systems and at the same time guarantee information dominance and assurance.

    The key success I think of Desert Storm, as I look back on that effort, and General Schwarzkopf's success was obviously due to his outstanding leadership and the outstanding support of the men and women of this Nation and the allied nations, but under all of this and providing untold stories of outstanding success was the work being done by our information technology assets that allowed General Schwarzkopf to make the right decisions. Those who are involved in these disciplines in the military understand the role that they played.

    I want to make sure that, in any future combat situation or any future threat that we face, information technology is state-of-the-art; it is updated on a regular basis, we are getting the best value for our dollar, and that we are, in fact, continuing to train and bring into the service a cadre of young people that can, in fact, perform as cyberwarriors and as information dominance experts able to maintain the integrity of our systems.

    Our witnesses today are the leadership of the DOD in this area. Before I turn to them and identify them, I would like to ask my good friend and colleague, Mr. Ortiz, to make any comments he would like to make.

 Page 13       PREV PAGE       TOP OF DOC

    Mr. ORTIZ. Thank you, Mr. Chairman.

    I also would like to welcome the witnesses this morning to this hearing.

    During the last decade, we have heard many Department officials, both uniformed and civilian, talk about the military's concern about situational awareness gained through information superiority. We all recognize the importance of getting the right information to the right people at the right time and in the right format so that it can be useful. Because of our dependence on information, the networks composing the defense information infrastructure must provide protected, continuous and dependable service in support of both warfighting and business missions.

    Today, we are here to gather more information about how the Department is meeting the significant challenges presented by the need for information superiority and information assurance. Because of the potential impact on the readiness of both the military and supporting activities, I am particularly interested in understanding how the Department plans to ensure the ability of different DOD organizations and systems to share and utilize information. It would be also useful if at some time during the testimony, the appropriate witnesses will address the actions being taken by the Department to ensure a continuous and secure capability with our allies.

 Page 14       PREV PAGE       TOP OF DOC
    Mr. Chairman, I also look forward to receiving the update information on the status of the Navy and Marine Corps Internet program. I agree with your sentiment that NMCI offers significant potential as a method for infusing technology into the process of providing information services in a large and diverse organization.

    Again, Mr. Chairman, thank you.

    Mr. WELDON. Thank you, Mr. Ortiz.

    Taking advantage of the few moments we have left before we both have to go run for a vote, let me introduce our panels of witnesses. We have two panels today.

    Our first panel consists of the distinguished Assistant Secretary for Defense for Command, Control, Communications and Intelligence, acting in that capacity, Honorable Linton Wells—welcome, Secretary; Lieutenant General Joe Kellogg, Director, Command, Control, Communications and Computers, Systems Directorate, at the Department of the Army; Brigadier General Dale Meyerrose, Director of Command and Control Systems, Headquarters, U.S. Space Command, from the Air Force; Major General James Bryan, Commander of the Joint Task Force on Computer Network Operations—I had the pleasure of Solomon and I spending two hours with you last week at DISA and were very impressed—from U.S. Marine Corps.

    Our panel two will be from the various services.

    Unfortunately, we have been called to vote on the House floor for the Journal. So it will be a quick five minutes over; and again, and we will be ready to go and take—your statements will be entered into the record, so we would just ask you to make whatever comments you would like and keep them as brief as possible so we can ask questions. But certainly you are free to make whatever comments and statements you want for us. If there are questions you want to answer in advance to those that perhaps staff have given you, you are welcome to do that.
 Page 15       PREV PAGE       TOP OF DOC

    The hearing stands in recess.


    Mr. WELDON. The subcommittee will reconvene.

    Again, we apologize for the delay; and we will now ask our first panel to provide their presentations.

    So Secretary Wells, welcome; and the floor is yours.


    Secretary WELLS. Mr. Chairman, Mr. Ortiz, thank you very much.

    What I would like to do is to highlight some of the progress we have made over the past year and some of the challenges that are ahead. As you say, the written statement is here, so I will be brief in my remarks.

    But one of the points is we increase our conductivity. This brings both opportunities and risks and network centric warfare, if you will.

 Page 16       PREV PAGE       TOP OF DOC
    As you look at the way we are going with Joint Vision 2020, information superiority is really the bedrock of all of this. If we don't have that information assured, we don't have the network secure, then we are building our entire strategy on a foundation of sand. So we certainly concur with the importance of this issue.

    The other point is that as we get to globally interdependent networks and increasing use of commercial tools, it has a tendency to level the playing field; and so the capabilities that once were uniquely the province of governments, and probably the U.S. Government better than others, are now available in the private sector.

    One of the things you can look at is the distributor denial of service attack, which, when it appeared for the first time in 1999, since then has gone through three generations. The tools that are out there in the wild, if you will, have gone through three generations in 18 months; and we have to find a way to keep pace with that evolution of the threat.

    Some people have said information superiority is not a destination, it is a journey; and this will always be an ongoing race between attack and defense. So we can give you a snapshot of where we are today. We can give up an idea of how far we have come, but just know there are always going to be challenges out there in the future.

    The Department is particularly moving towards research and development and training. Our strategy is based, as you know, on defense and depth; and we will also in this model take an increased look at the cleared insider. We have had this model for a long time, that the real threat is outside. Increasingly, we see that we need to be able to guard against the cleared insider, the Ames and Hanssens, whatever, of the world.
 Page 17       PREV PAGE       TOP OF DOC

    In this model we are then looking at intrusion detection and understanding what is happening, who is trying to get into the networks. There is a lot of research and development going on in this area, understanding better that kind of attacks.

    When you hear General Bryan's presentation, one of the big breakthroughs I think we have had is in the better classification of types of attempted penetrations. People in the past have talked about so many thousand attacks. We can now group those into so many thousand root directory accesses, so many thousand, so many hundred, so many tens root directories, so many denials of service, so many security improper practices. So it gives us a much better picture of what is actually happening in the nets.

    We also need to coordinate cyberevents better and responses. Solar Sunrise in February of 1998 found us with virtually no means to address the kind of problems we are facing. By the end of 1998, the Joint Task Force Computer Network Defense had been stood up on an interim basis reaching full operational capability the following year. By October of 1999, the network attack mission had been passed to Space Command (SPACECOM). And in April of this year, the Joint Task Force Computer Network Operations was put together. So there really has been a significant amount of progress in not a very long period of time.

    We now have a four-star general in charge; and the coordination, I think, between the Space Command (SPACECOM) efforts and the National Infrastructure Protection Center gives us a much better effort to address on a national basis.

    There has recently been a study done of Computer Network Defense. What we have found is a large difference in philosophies about the way people were thinking about how to defend the networks. The specifics of what we are doing is in my written statement; but basically each entity will have a computer emergency response team, and there are clean lines of authority and responsibility between DISA and NSA for actions taken in this.
 Page 18       PREV PAGE       TOP OF DOC

    You mentioned earlier the DIAP, and this is the Defense-Wide Information Assurance Program, this was stood up in response to the sense that we needed to be able to take a horizontal look across the Department at how our information assurance efforts were organized and not just look at the individual stovepipes.

    The GAO report found the DIAP has not lived up to the—some of the promise in its initial charter. We think a large measure of that has been the staffing issues. We are slow on getting it staffed up. Those are being aggressively addressed. I believe that most of the issues in the GAO report are under—are being addressed. So I think we should see some progress in that.

    Despite this, the DIAP has produced a number of useful products. You may have seen the DOD Chief Information Officer (CIO) Report and Information Assurance for the Year 2000. If not, we will be glad to provide. This is the first time we have been able to put something like that together.

    The DIAP has also been able to produce a program base line for information assurance for the first time in the Department. We see this as being about $1.57 billion for fiscal year 2001. So it is a significant effort.

    In addition, they are working a policy framework to begin to link in a coherent manner the policies and processes.

    Some of the work that was—some of the tasking that came in, the Floyd D. Spence Authorization Act of 2001, the implementing of the Government Information, Security and Management Reform provisions, certainly we see the comprehensive enterprise-wide security plan, the evolution of security controls and the increased fiscal authorities as strengthening the role of the CIO and look forward to using those authorities to strengthen our information assurance postures.
 Page 19       PREV PAGE       TOP OF DOC

    The final point I would like to make then is on people. A lot of times we think about Information Assurance and the whole information operations as being a technology problem. It is not. It is a mix of people, of operations and of technology. We need to balance those together.

    We did, with the Under Secretary of Defense for Personnel and Readiness and Integrated Process Team, look at how to better attract, train and retain the kinds of information assurance professionals we are going to need. And the recommendations of that study are being worked and implemented. In addition, this Information Assurance Scholarship Program that we are setting up should provide additional resources for that.

    So let me close, Mr. Chairman; and I look forward to taking your questions.

    Mr. WELDON. Thank you very much.

    [The prepared statement of Mr. Linton can be found in the Appendix.]

    Mr. WELDON. General Kellogg.


 Page 20       PREV PAGE       TOP OF DOC
    General KELLOGG. Thank you, Mr. Chairman and members of the Military Readiness Subcommittee.

    I am Lieutenant General Keith Kellogg, Director for Command, Control, Communications and Computer Systems of the Joint Staff; and I welcome the opportunity to appear before you today and talk about the challenge of defending the Defense Department networks and the role the Joint Staff plays in executing this mission.

    My job as the director for C–4 systems is to provide the Chairman of the Joint Chiefs of Staff with advice and recommendations on C–4 matters, which include network availability; and I also act as the principal Joint Staff Advisor to the Assistant Secretary of Defense for Command, Control, Communications and Intelligence on Information Assurance matters. I represent the warfighting commanders in the field and the service.

    What I would like to do briefly is address the overall strategy we are implementing to ensure the network availability to our warfighters.

    The rapid proliferation of advance technologies throughout the global environment requires us to be flexible, proactive and vigilant. At the advent of the 21st century, we are a military that has fully embraced information technology. Along with increasing our capability to conduct warfighting missions, information technology also increases our connectivity both within and outside the military community. The result is an unquestioned need for information assurance. Our warfighters must have complete confidence in the accuracy, authenticity and integrity of their information to achieve information superiority, a fundamental enabler for achieving Joint Vision 2020.
 Page 21       PREV PAGE       TOP OF DOC

    There is no silver bullet to defend our networks from attack. Rather, a strategy that involves defense at different levels throughout the network provides the best opportunity to ensure the availability and integrity of our systems. We codify this approach to information assurance as Defense in Depth, a system that compels an adversary to fight through numerous barriers to achieve his mission.

    The three components of Defense in Depth are people, operations and technology. With people, we use technologies to conduct operations. And they are the central tenet of Defense in Depth. It takes qualified people to design, build, install, operate, evaluate, and maintain protection in our systems. A comprehensive program of education, practical experience, and awareness is absolutely essential.

    The trained system administrator working on the job is the first and foremost vital line of defense protecting DOD information and information systems. These system administrators are the cornerstone of our information network defense. They are, in fact, our front-line cyberwarriors of the 21st century. Properly trained system administrators are the primary key to protecting our information systems.

    Operations are driven by information assurance policies that establish goals, actions, procedures and standards.

    And the third and final leg of the Defense in Depth concept is technology. To conduct an effective network defense we depend on a well-stocked arsenal of technological weapons and the skills of people to use them. Our items in our arsenal for network defense include the Information Assurance Program, the Information Assurance Vulnerability Alert (IAVA) Program that notifies DOD elements of significant computer security vulnerabilities. Another tool is the Information Condition, INFOCON, System, which allows us to raise awareness in information assurance standards of affected or threatened commands to meet and to establish an appropriate level of readiness to meet expected cyberattacks or threats.
 Page 22       PREV PAGE       TOP OF DOC

    We have made significant progress in this year in our ability to protect, defend and react to attacks on our networks. But there is still work to be done. We realize the information assurance highway does not end. It has many curves, potholes and dangerous drivers that require us to be vigilant and watchful to assure network availability.

    Please accept my thanks for the opportunity to address this distinguished committee.

    I would at this time like to introduce Major General Dave Bryan, the Deputy Director of the Defense Systems Agency and the Commander of the Joint Task Force for Computer Network Operations.

    [The prepared statement of General Kellogg can be found in the Appendix.]

    Mr. WELDON. General Bryan.


    General BRYAN. Thank you, Mr. Chairman, for the opportunity to address this committee on this very important topic.

    To facilitate my remarks, I would like to show about a dozen slides that will flow along with some of my comments to illustrate the points; and, in doing so, I will very briefly characterize the threat, describe the why, the what and the how of the Joint Task Force Computer Network Operations and our Defense in Depth strategy, its organization, its partnerships with the services, the agencies and law enforcement organizations upon which we depend for our capabilities and a brief characterization of the activity levels as we have seen them defined in the last couple of years.
 Page 23       PREV PAGE       TOP OF DOC

    Finally, sir, to touch on a point that you have asked us about, where we need to improve in order to stay ahead of the power curve in this most vital operational mission.

    The threat is real. The threat extends all the way from the juvenile hacker all the way up to and including sophisticated criminals and terrorist organizations as well as some nation-states-sponsored activities. Their activity levels are increasing, as are their sophistication and capabilities overall.

    In 1997 and 1998, the Department of Defense realized that it needed to organize itself more centrally in order to address the threat. In 1998, then, authorized by the Secretary of Defense, Joint Task Force (JTF) Computer Network Defense was established, reporting to the Secretary of Defense. At the same time, the Unified Command Plan was modified, and in UCP 99 the Commander in Chief of Space Command was assigned the military responsibility for this mission and JTF–Computer Network Defense (CND) was then operationally assigned to U.S. Space Command. So at that point in time, my second job, if you will, my second hat as JTF–CND, I now report to Commander in Chief Space Command (CINCSPACE).

    In UCP 99 it also said that on 1 October of 2000 that U.S. CINCSPACE would assume computer network attack responsibilities for DOD as well. And on April 2nd of this past month, just six weeks ago, CINCSPACE assigned those responsibilities to JTF–CND and, in fact, redesignated us as JTF–CNO in recognition that we are now the central one-stop operational command in DOD for both Computer Network Defense and Computer Network Attack. Today, I will be primarily talking about Computer Network Defense.

 Page 24       PREV PAGE       TOP OF DOC
    In combining these two, the primary intent was to provide unity of effort in this very complex and sensitive area; and, in doing so, U.S. CINCSPACE is demonstrating the leadership that it is exercising in this mission area.

    The relationships upon which the JTF depends are its most important characterization. We have, as you can see, the Computer Emergency Response Teams of each of the four services and the Defense Information Systems Agency as the tactical components of our CND mission. We execute direction of the defense of the networks through these organizations. Without them, we would not be able to do our job.

    But we also couldn't do our job if it were not for the relationship we have with the intelligence agencies and the law enforcement agencies. Because in our Defense in Depth strategy we treat every event as a criminal act. Being able to turn to them immediately and appropriately involve them as necessary allows us to respond much more quickly on either the intelligence side or on the law enforcement side—very, very important relationships.

    Also, our relationship with the National Infrastructure Protection Center, NIPC, which is headquartered in the Department of Justice, actually in the FBI building, is a very important relationship. This is how we coordinate with them our Defense Department domains across all of the national domains.

    One of the relationships we are building on right now and, in fact, improving, Mr. Chairman, one of the points that we had just done, in fact showed to you, was that on our watch floor, recognizing we need to share information with our industry partners and, to a greater extent, the National Communications Systems, NCC watch is now co-located on the floor with us in our operational center. So we are doing a better job, and over time this will continue to improve dramatically our ability to provide information to our industry partners. These are the telephone and network providers of the United States.
 Page 25       PREV PAGE       TOP OF DOC

    On that floor, then, you have the JTF watch directing, guiding, advising, consulting, coordinating and information sharing; and on that floor we now have the Global Network Operation Security Center that provides us our total 100 percent network awareness across all of DOD's networks and the Computer Emergency Response Team where we get the deep analysis. I love referring to them as our ''virus busters.'' We have now the NCC watch all on the floor together, coordinating in this integrated information-sharing environment.

    One of the great successes—it was a necessary step, and we have managed to do it—is we actually speak the same language in DOD when defining what is an incident, what is an intrusion and what is an event. In order to—I will not go into that in detail with you; but I wanted to make this point, because on the next slide you will see that, as we characterize what is an intrusion, you will see that what looks like a giant leap in 1999 really simply reflects that in 1998 the Department of Defense invested itself in this mission area.

    We, frankly, don't know what the activity levels were before 1998 because we were not—we did not have our Defense in Depth strategy employed at that time. We now have a fairly accurate and improvingly accurate count of what that intrusion flow looks like. You can see by these numbers that it continues to grow.

    Again, in our definitions that we have agreed upon in the Department, you can see that most of those are Category 6 probes and scans into our networks and that we have been fairly successful in blocking most other serious intrusions. Nevertheless, sir, I must report that between 200 and 250 times a year we do have successful intrusions into the unclassified networks of the Department. To my knowledge, we have not had any successful intrusions into our classified networks.
 Page 26       PREV PAGE       TOP OF DOC

    Where are we right now? The national intelligence estimate produced by the Central Intelligence Agency and the intelligence community confirms our own analysis that the threat continues to grow in both complexity and capability. We view job one as being network defense. CINCSPACE has made that very clear to me that, even as we continue to grow in our Computer Network Attack capabilities, it is the risk—the security of the Nation is at risk in Computer Network Defense (CND); and, therefore, that remains my number one priority.

    Where are the areas where we can continue to improve? Well, many are technical, many are in training and in certification. This is a very important area. I would point out to the committee that, as General Kellogg said, the system administrator is really at the point of the sphere on the leading edge but also the users. Fully 96 percent of the successes that have occurred in our networks could have been prevented if we had all of the measures applied properly that we know about. This means training and certifying that training will need continued emphasis in the future.

    There are also some policy issues. For example, in active defense, we are looking for ways in which we cannot only find the intruder once they get to our outer boundaries but perhaps see them coming through some sort of reconnaissance. This will require some policy changes. So we are looking at ways to improve in this area. Not to improve is not an option. We would—we have to continue to improve because the threat continues to improve.

    As I said, CND is my number one priority. Challenges do remain: Finding the qualified, deep expertise personnel; recruiting and training and maintaining those skill sets.

 Page 27       PREV PAGE       TOP OF DOC
    CNA is a new mission area. We are plowing new ground there every day. We are playing a very important role in plowing that doctrinal and policy ground, but we are treating this with the sensitiveness that it deserves. This is a very complex policy as well as technologically, and it is a sensitive issue. We are approaching that in a very professional manner.

    CNO—the JTF for CNO is a pathfinder organization in that regard. The JTF could, in fact, become something else in the future, a subunified command or beyond. Those options are all on the table.

    And CINCSPACE has tasked us with additional duty of, as we continue to improve and progress and learn about Computer Network Defense and Computer Network Attack, we are also tasked to advise him and make recommendations as to what that future organization ought to look like.

    Sir, Joint Task Force-CNO is, in fact, that one-stop operational command for the Department of Defense for both offense and defense. It is important to remember that we may be a one-stop shop for operational coordination; but without the cooperation of the services and the agencies to include law enforcement as part of one team, the JTF could not do its job as well as we do. But it certainly answers the question as to who is in charge, and this operational accountability now flows from the President to the Secretary of Defense to General Eberhardt, who is CINCSPACE, to me.

    Mr. Chairman, thank you for your time and the committee's time in presenting these thoughts.
 Page 28       PREV PAGE       TOP OF DOC

    Mr. WELDON. Thank you, General Bryan.

    [The prepared statement of General Bryan can be found in the Appendix.]

    Mr. WELDON. General Meyerrose.


    General MEYERROSE. Yes, sir. Thank you, Mr. Chairman, members of the subcommittee, for this opportunity to appear before you. I am very honored.

    As you have my formal statement and my colleagues have outlined many basics, I will be very brief in discussing the subject of information assurance as it relates to United States Space Command's responsibilities in defending DOD computer networks.

    As Major General Bryant previously stated, the President's Unified Command Plan assigned United States Space Command to be the military lead for Computer Network Defense. Computer Network Defense provides the overarching operational integration necessary to coordinate defensive activities, while information assurance provides the critical foundation and technical means essential to protect and defend our networks.

    With our subordinate commands, the Joint Task Force for Computer Network Operations and the Joint Information Operations Center, we work closely with the other commanders in chiefs, services, agencies, DOD Computer Emergency Response Teams (CERTs) and the National Infrastructure Protection Center to coordinate and implement operational processes across the Department.
 Page 29       PREV PAGE       TOP OF DOC

    Through many joint exercises, audits, assessments, demonstrations and tiger teams, we have made rapid progress in every area of Computer Network Defense and Information Assurance Command and Control since the Computer Network Defense mission was assigned to us 19 months ago.

    And, as all of them said, there is much to do. In that vein, I would like to highlight just two points from the written statement which I prepared for the subcommittee.

    First, as cited by Lieutenant General Kellogg, the most cost-effective means to protect DOD information and information systems is to invest in our people, giving them the knowledge, training and experience necessary to meet both today's and tomorrow's challenges.

    Second, the architectures, processes and standards built into our networks predetermine our ability to defend them. The cyberbattlefield is one that, to a degree, we can shape and mold to our own advantage.

    In closing, I would again commend the subcommittee for its strong support of information assurance initiatives; and I stand by ready to answer your questions, sir. Thank you.

    Mr. WELDON. Thank you, General.

    [The prepared statement of General Meyerrose can be found in the Appendix.]
 Page 30       PREV PAGE       TOP OF DOC

    Mr. WELDON. Thank each of you for your statements.

    We are going to operate on the five-minute rule because we have another panel. So I will start off with a couple of questions. Then we will move to all the Members so everyone gets a chance to ask, based on their arrival time at the committee.

    General Bryan, we talked about this when we were out at DISA last week, and I want to get this on the record because it is a concern of mine, having also served on the Cox Committee which looked at technology transfers to the People's Republic of China and specifically focusing on security at our labs which do not come under direct DOD control.

    I am concerned about our labs. I think many of our colleagues are concerned about our labs. And you made a very positive statement that I have no reason to doubt, that we have never had our classified systems or network compromised. But the question I asked you I am going to ask you again, and I assume you can answer it in the public, what if someone at one of our labs who had access, in fact, was able to use that information? We would not know that, correct?

    General BRYAN. Sir, that is a distinct possibility, that an insider's identity, once compromised, can, in fact, become a vulnerability to the entire network. And, yes, at certain critical network junctures, the labs—the national labs are hooked to our classified networks. Although we still have a number of barriers and gates and we still have vigilance, it is certainly theoretically possible that an insider's successful intrusion in one of the laboratories could get the intruder inside our classified network. We have not seen any evidence of that to date.
 Page 31       PREV PAGE       TOP OF DOC

    Mr. WELDON. Do you have the level of confidence that you have for your entire system with the labs and the control of them based on some of the stories that have evidenced over the past several years? Do you have as much confidence for the lab security since they do have nodes into our dark systems? Do you still have that same level of confidence as compared to the rest of our military system that you oversee?

    General BRYAN. Sir, I don't have any direct knowledge of how they defend their internal enclaves or nodes. My point of vigilance begins at the point in which theirs hooks into our network, and that is where I have my electronic guards posted. So I beg your patience. I would not want to characterize their defensive strategy since I am not that familiar with how they do it.

    Mr. WELDON. I thank you, and I appreciate that. You won't, but I will. I do have confidence in our lab, support our labs, but I think they are the weak link. And I think if someone were going to attack our systems, I wouldn't try to go to any of the nodes controlled directly by the military. I would go through the labs.

    With the changes that occurred over the past ten years in changing access for scientists and doing away with FBI background checks and all of the other things that have been well documented in the public media, I am very concerned about the vulnerability of our systems. Not because of anything you have or haven't done, but because I don't think the labs have, in fact, kept the same level that perhaps we have had. And, therefore, I think it has become a weak link.

 Page 32       PREV PAGE       TOP OF DOC
    That is just my own personal opinion.

    The CERTs that you have established I think are outstanding and are doing a good job, and they have been established over the past several years. Are all of our CERTs able to do threat profiling?

    General BRYAN. Sir, some are better able to do that than others. But if a requirement for threat profiling is funneled through the JTF, we are in a position to take advantage of the strengths where they lie.

    As you know, the Army's CERT at LIWA and the Air Force CERT at San Antonio are particularly well equipped because they are co-located with their service intelligence organizations to assist us in developing appropriate threat profiles. But, yes, sir, they are all capable of that; and they all have strengths in that area.

    Mr. WELDON. I would commend both of the services for outstanding capabilities that I think should be used as a national model.

    This question is either for you or Secretary Wells. As you know, I have a strong interest and conviction that we don't have the kind of collaborative capability that we should have. I think DOD is, in fact, doing a good job with our own systems. I think the CIA and the FBI do decent jobs with their systems. CI–21, as I understood it last year, was designed to bring those systems together. But you are all aware there are 28 agency intelligence systems in the Federal Government; and if we are going to be able to profile threats in the 21st century, they are not going to all come from the FBI, CIA or DOD. They may involve intelligence or information being collected by the drug interdiction effort or by the Customs Service or by the State Department. It may be a proliferation case where a State Department's records or commerce records, including in some cases public information, corporate reports, would need to be accessed.
 Page 33       PREV PAGE       TOP OF DOC

    Do we have the capability today in one collaborative center to do a complete profile if it were ordered by the President or the Chairman of the Joint Chiefs that would in fact access all of those classified systems that the Federal Government currently operates?

    Secretary WELLS. I think clearly not. We have been doing a lot of work, Mr. Chairman, with collaborative tools; and you know, of course, what is happening at LIWA; and you cited the Joint Operation Planning & Execution System (JOPES) Network Operation Control Center (JNOCC). In fact, we just certified a collaborative tool set for the Defense Department here through the CIO channels a few months ago.

    There are a couple of things, though, to be balanced. We are working carefully with the IC and the other agencies on this. One is the insider threat I mentioned before. What we see time and time again is that tools are rolled out with functionality and with security that is not comparable to the tools—to the functionalities provided. So we need to make sure as we introduce this collaborative capability that an Ames or Hanssen or someone like that won't have dramatically increased access to do enormous damage that could potentially outweigh the benefits.

    Now, certainly we need to be able to tie our data together. We understand that. We are working with the IC, the intelligence community, and as well as the FBI and other agencies.

    I had a meeting just two days ago with the CIO of the intelligence community. I am looking to find architectures that will allow our secret and sensitive compartmented information (SCI) level networks to be more operable. So where we are at is how you balance the security versus functionality.
 Page 34       PREV PAGE       TOP OF DOC

    The other piece is the privacy aspects of the American citizens and the legal constraints on the intelligence community about collecting data on American citizens. So as we go out—we found several opportunities where we would like to go out and collect data, for example, against some hacking activities in the public domain, yet we have to be very careful we don't cross this line. So we are working to be more collaborative, and we are trying to find the right balance.

    Mr. WELDON. I appreciate that.

    My questioning time is up. I will end by saying I am going to continue to push this issue, as you well know. I have spoken, as you know, at Art Money's conference each year for the past year—years, and have raised this issue with the Intelligence Internet Agency reps of all of our agencies.

    I don't see how we can have the most capable threat assessment possible if we don't have a possibility of collaboration among all of those systems. I share your concern. But there are ways to do that by establishing nodes in each of the systems and having a person assigned to allow or not allow access to those nodes only when it has been authorized by someone at the level of the President or the Vice President or the Chairman of the Joint Chiefs or Secretary of Defense but allow agencies to go in when they have legitimate reason and need and access that data under very tightly controlled situations.

    I think that is absolutely imperative for us, and I know you are working in that direction, and you have done that with CI–21, I guess it is, with FBI and the CIA. But I think we have to go beyond that. I know those agencies not too happy about that, either. But I think this is for the national interest of our country; and, therefore, I think it is something certainly above their ability to call that should come—I am also working closely with the White House in this effort as well.
 Page 35       PREV PAGE       TOP OF DOC

    Secretary WELLS. I look forward to continuing to work with you, sir.

    Mr. ORTIZ. General Bryan, when you testified, you said about 250 intruders were able to break into the unclassified but not into the classified.

    General BRYAN. That is correct, sir.

    Mr. ORTIZ. Why is that? Is that because the difference in programming, the difference—I am just curious.

    General BRYAN. We have a number of locations that are carefully controlled; nevertheless, there are direct hooks from our unclassified networks from the Internet itself, and it is from the Internet that the threat approaches us. So most of my battle space, if you will, our combat falls in that area, that cyberspace between the Internet and what we call NIPRNET, Unclassified but sensitive Internet Protocol Router Network. That is controlled in terms of sensors, it is controlled in terms of intrusion detection systems, but we don't really have a wall up that prevents someone—because in fact we have our own Web pages that are publicly accessible and we cannot get into our military mission if our NIPRNET is not hooked to the Internet. So we try not to block or prevent access. So we watch it very carefully. That is how we are able to count those intrusions when they are successful.

    On the other hand, our connections to our classified networks are very heavily guarded. We have barriers there, and there are only certain ways that you can get through those gates, and they require sophisticated authorities in order to get through them, both technical as well as policy. So our classified networks are much more difficult to get to than our unclassified networks are from the Internet.
 Page 36       PREV PAGE       TOP OF DOC

    Mr. ORTIZ. You know we have been relying on the, in fact, everybody on computer, the Internet and methods of communication through the computer system that we have. And I think that you are going to be relying—you know, the readiness of our troops will depend on what you are able to give to them. So what will happen if your computer breaks down to the troops way out in harm's way? I mean is that a possibility that that might happen; and if it does happen, how would they be able to fight a war when they don't have any communication with you?

    General BRYAN. Congressman, if I might address that in two parts. You will recall we recently went through a major year 2000 exercise and, in fact, the question that we ask ourselves is if because of year 2000 our computer networks stopped working as they are designed to work, how do we continue to provide for our nation's defense; and we learned a lot from that exercise. This was not just a technical exercise; this was a command responsibility. It involved the Secretary of Defense personally, the Chairman of the Joint Chiefs of Staff, and every Commander in Chief and every service chief, every civilian as well as military commander and official was involved in that.

    So we learned that we have to maintain the ability in the absence of technical computer information systems to always be able to continue the fight in what the cost of that and what the procedures and processes would be. So we haven't forgotten that.

    The second answer I would give you, we never are single threaded in our command and control systems. We always provide for alternative means, alternative methods and backup systems wherever possible. We never have a single power source; we never have a single radio net. The same is true in our computer networks. So we back ourselves up. We plan for inevitability of attacks that will have destructive as well as degrading impacts on us in combat, and we apply those same kinds of principles and philosophies to our information systems as well.
 Page 37       PREV PAGE       TOP OF DOC

    Mr. ORTIZ. So you feel very confident that in case something does happen that those in harm's way, those in the battlefield will be able to—one way or another will be able to communicate with you, is that correct?

    General BRYAN. Yes, sir. I believe that is true, sir.

    Mr. ORTIZ. I just have one more question and I know we have a vote, Mr. Chairman. What are your priorities for fiscal year 2002, and what is the estimate of the funding that you are going to require? And I know when we talk about computers there is something new coming up almost on a daily basis. So, Mr. Secretary, anybody that can comment.

    General BRYAN. I will defer to the secretary on that. I believe you are asking a broader DOD question.

    Secretary WELLS. As you know, sir, the secretary has been conducting a defense strategy review, and that appears to be coming to closure, and I think in terms of priorities for fiscal year 2002 we need to see what the overall priority guidance is going to be from the secretary for that. Certainly each of us has all our things that we want to talk about. I cannot say how it will fit in the secretary's overall picture until we see that rollout. So I would like to take that question for the record.

    Mr. ORTIZ. I am assuming you are not in need of a supplemental, are you?

 Page 38       PREV PAGE       TOP OF DOC
    Secretary WELLS. Let me allow the Office of Management and Budget of the President to answer that, sir.

    Mr. WELDON. Mr. Underwood.

    Mr. UNDERWOOD. Thank you, Mr. Chairman, and thank you for the hearing. Much of the discussion on the information warfare that you have given is talking about defending against attacks, but obviously we also, I assume, must be cultivating our own capacity to carry out attacks on the information systems of our potential adversaries. So would you care to characterize that effort in some way and how much effort we are devoting and how much resources we are devoting to carrying out that capacity, developing that capacity, and how would we rate against some of our potential adversaries?

    General BRYAN. Congressman, if I might, this is a very sensitive area and if we could address that perhaps better in a closed session where we can fully explore some very sensitive and classified areas to fully answer your question either in a closed session, Mr. Chairman, or perhaps take it for the record and get a classified response.

    Mr. WELDON. Will the gentleman yield?

    Mr. UNDERWOOD. Sure.

    Mr. WELDON. We had planned to have a classified portion of this hearing but had to postpone that because of the time problem. We will have that, and that is an excellent question that you need to ask again, and we would ask you to provide that for us in a classified session.
 Page 39       PREV PAGE       TOP OF DOC

    General BRYAN. Yes, sir.

    Mr. WELDON. Is that it?

    Mr. UNDERWOOD. That is it.

    Mr. WELDON. Mr. Chambliss.

    Mr. CHAMBLISS. Actually General Bryan is becoming an expert in testifying and we had him yesterday in the Intelligence Committee, and that question has been answered on the record in the Intelligence Committee. I have one question I would like to get on this record, and this is with respect to recruiting and retention of your personnel who have the capability of operating these systems. Would you address that please sir, General Bryan?

    General BRYAN. Thank you sir, for that opportunity. I really truly believe they are the secret to our success. The men and women who are working in the Department of Defense in the computer network operations area are truly a national resource. They are at the leading edge and yet they are also our deep expertise of our defense in depth strategy. Recruiting them is a challenge. Therefore, we are actively seeking the best and brightest men and women to join us in this mission area.

    You may have noticed, Mr. Chambliss, yesterday in my diagram that went by you very quickly, unfortunately, but a third of our JTF, in fact, are civilians. So we are looking at this as having a civilian equation factor as part of this total equation, not just military. But we are actively seeking the best and brightest and we are developing a formal individual training and professional development program for each of those because as we have found in dealing with these deep expert men and women to the degree to which we continue to invest in training and challenge them, we are able to retain them. Retention is a function of continuing their professional development and challenging them with good and meaningful work, and that is what we intend to do, sir. It is, though, a major challenge that we are addressing every day.
 Page 40       PREV PAGE       TOP OF DOC

    Mr. CHAMBLISS. Thank you, General. I just want to say to the chairman that it is really encouraging to think that we have got young folks out there now who have a great esprit de corps not just about carrying guns and flying airplanes and whatever, but they have that same feeling about operating computers, which is kind of exciting to think about. Thank you.

    Mr. WELDON. I thank the gentleman. In our hearings on the R&D Subcommittee this issue was brought up every year and we suggested that the services even look at the possibility of doing what we did when we had a shortage of medical doctors. That was establishing a commissioned officer program and bring young people in and give them their undergraduate and graduate degrees with the requirement they serve in an officer capacity for a certain period of time as a way to have a permanent kind of cadre of people come in who are top experts because of the pressure that your people are seeing from the private IT community. You came back with kind of a step on the way, which is the scholarship program and the use of ROTC and we supported that; but I think you ought to keep in mind down the road if that is something we need to look at that we are prepared to look at that.

    I think this is the greatest threat. I think a lot of our colleagues share this concern. The other thing we need to do and you have already started to do that, three years ago, four years ago, there was only one university in America offering a graduate and post-doc program in information assurance, and that was Purdue. Now I understand we have the Navy post-graduate school and two or three other schools. In fact, I am working with two universities up in my state to develop a teacher training program in information security. We train people on how to use IT, but there needs to be the next level and that is how to have our companies and our businesses and hospitals and our government operations maintain information dominance and security for their systems.
 Page 41       PREV PAGE       TOP OF DOC

    So I would ask and, secretary, you will respond to the point, are we doing anything else to encourage more schools to establish these kinds of graduate and post-doc programs in the area of information dominance, information assurance?

    Secretary WELLS. This is one of the purposes of the information assurance scholarship program that is being—actually we are working out right now. A series of requests for proposals have been sent out to schools asking them to come back, institutions to come back and see if they will be willing to establish such organizations. So, yes, we are doing that.

    Mr. WELDON. That was just sent out?

    Secretary WELLS. It has gone out within the last couple of weeks. We don't have the answers back.

    Mr. WELDON. Excellent. Did you have another point?

    Secretary WELLS. I did. Two things. As we build these networks which we're trying to secure, there are really several different parts of it. There is kind of a foundation layer that has things like appropriate laws and policy. There is a computing layer, a communications layer, an application layer. The part of that bedrock foundations layer is making sure we have enough spectrum in order to carry out the warfighting, the mobile warfighting missions we need to do, and in some respects some of the challenges to remove the spectrum from DOD represents a threat to the ability to operate just as much as some kinds of information warfare attacks do. So I solicit your support.
 Page 42       PREV PAGE       TOP OF DOC

    Mr. WELDON. We are aware of that. We have supported you, as you know, in the past because you have the same problem with public safety in general in terms of frequency spectrum allocation, but we are well aware and have been supportive in the Congress of setting aside the spectrum for DOD and for public safety.

    Secretary WELLS. We appreciate your support.

    Mr. WELDON. We are again going to have to recess this hearing. We thank this panel. We thank you for your testimony and we thank you for your service to the country and we would ask the next panel to come to the table while we go and vote. Thank you.


    Mr. WELDON. The hearing will reconvene. Our second panel, representing the services, includes and we welcome General Peter Cuviello, Department of the Army, Admiral Richard Mayo from the Navy, General John Woodward from the Air Force, and General Robert Shea from the Marine Corps. Gentlemen, we welcome you here. We have your statements in the record.

    We, unfortunately, have a lot of conflicts going on at the same time right now. There is a briefing for the full committee. That is with Paul Wolfowitz and the team that just went to Europe and Russia on missile defense. But I am committed to stay here as long as it takes to allow you to make your statement and to ask some questions. I welcome you all here. I thank you for your service. I will open up with General Cuviello.

 Page 43       PREV PAGE       TOP OF DOC

    General CUVIELLO. Thank you, Mr. Chairman. It is great to be here. I am the Chief Information Officer (CIO) of the Army and I want to assure you that as the Army goes through its transformation, that it, in fact, has its goal of becoming a knowledge-based organization. That entails both the warfighting entity and also the business entity.

    In bringing together some of the things that others have said today, the warfighting part is moving along pretty well. On the business side is where our real challenge is, and it gets into the challenges of classifications and security. Information superiority is not only on the battlefield, but it is also information superiority on to do our business right. And in order to become a Web-based organization, which is where we are moving on the business side of the house along with the warfighting side of the house, there are a lot of challenges out there and we understand that and we are up to it.

    My written testimony has all the things that we are doing. It all has to do with not only technologies, as has been said, but culture, governance and processes have to be dealt with, the human capital aspects have to be dealt with along with what we call our infostructure, which is the C4 IT infrastructure, and how we are going to do business in that area. We do know that the current way of doing business is not quite efficient and we do need to do something different; and we are up to it and we are building the business case and implementing best business practices as we speak today, and I thank you for having us here today.

 Page 44       PREV PAGE       TOP OF DOC
    [The prepared statement of General Cuviello can be found in the Appendix.]

    Mr. WELDON. Thank you, General. Admiral.


    Admiral MAYO. Good morning, Mr. Chairman. I am Dick Mayo. I am the Navy's Director for Space Information Warfare Command and Control and also the Navy CIO.

    Very quickly, sir, with respect to Navy-Marine Corps Intranet, since October we have gone to 42 sites and fielded 40,000 seats. We are getting ready to put on line our network operating centers in San Diego and Norfolk and then getting ready later this summer for contractor and operational testing of the first increment. I say that because you were interested in an update on NMCI, and more importantly for the Navy, the Navy-Marine Corps Intranet is a bedrock piece of Navy's information assurance strategy because NMCI will give us that look across the Navy of our whole network. It is going to be our strategy for implementing Peace Keeping Operation (PKO) in the Navy. We are going to be doing red teaming across the network in NMCI and our Network Operations Centers (NOCs) can back up one another.

    Most importantly, Mr. Chairman, I will just end by saying that we have incentivized the contractor for information assurance in NMCI.

    [The prepared statement of Admiral Mayo can be found in the Appendix.]
 Page 45       PREV PAGE       TOP OF DOC

    Mr. WELDON. Thank you. General Woodward.


    General WOODWARD. Thank you, Mr. Chairman. It is great to be with you. I stand before you for the third time on this subject. I also extend my thanks to you personally and professionally for making this subject matter what it is and where we have come to certainly for this country and in helping us in the Department of Defense.

    The Air Force's philosophy right now is that information assurance is absolutely integral to everything in the network operations business. First and foremost is security, security, secure at all times and at all levels. So the philosophy, the concept and the actions we are employing is one Air Force, one network, we think end to end.

    We believe in the global information grid. We respond to that. We are putting out the guidance, the policies, the doctrine, governance type documents. It is an enterprise level activity now throughout the whole of the Air Force. We are dealing with service level agreements which we, in fact, have extracted from the NMCI initiative that is going on. We leverage commercial technologies wherever we have server consolidations going on. We have total cost of ownership, reengineered our processes, built an Air Force portal in the last eight months. We have a developmental handbook on-line, a content manager's handbook on-line, so we have a fully integrated framework that we are dealing with.
 Page 46       PREV PAGE       TOP OF DOC

    I am more than happy to talk in detail in regards to our information assurance and look forward to your questions, and thank you very much.

    [The prepared statement of General Woodward can be found in the Appendix.]

    Mr. WELDON. Thank you, General. General Shea.


    General SHEA. Good morning. I am Brigadier General Bob Shea. I am the Director for C4 for the Marine Corps and I am also the CIO; and I echo the comments made by my colleagues here at the table. Information assurance I want you to know is a major focus of the C4 campaign plan which we are about to publish. We have a unique situation in the Marine Corps where we have our computer network defense component to the JTF that General Bryan commands co-located with our network operations center down at Quantico. So we have combined the defense along with the daily operations of the network, and we look forward to transitioning that same type of capability at the Navy-Marine Corps Intranet when we come on-line with that in fiscal year 2002.

    We also look to leverage the opportunities that are out there. We work closely with Carnegie Mellon as well, as we are involved with the internship program. As General Woodward said, the Marine Corps is focused on an end-end solution here because vulnerability to one in our networks is a vulnerability to all. We recognize that and we recognize the significance; and the thing that I think we all struggle with, and certainly I struggle with personally, is trying to find the right balance between providing the information that the users want and at the same time provide security that we need to protect our network. To me that is a major focus of the challenge that lies before us.
 Page 47       PREV PAGE       TOP OF DOC

    I thank you for the opportunity to sit before you on the committee today, and I look forward to your questions.

    [The prepared statement of General Shea can be found in the Appendix.]

    Mr. WELDON. Thank you, General. Thank each of you for your testimony and your service to the country. On the Navy-Marine Corps Intranet program, the briefing that we received, we understood that it is not really an expenditure of new money but rather a five-year commitment to a certain fixed price contract which will guarantee a fixed amount of savings to the Navy and Marine Corps with the anticipation that the contractor could, in fact, earn benefits if certain milestones are met.

    If you could not today, but for the record, the other services, give me kind of a—maybe you have already done that in your statements and I have not gone through them all—but a similar type of assessment over the next five years, the standardization process, savings you anticipate, the upgrading that is built into the Navy-Marine Corps program with new terminals and new systems as they become available so I can do a comparison; and I have asked Mary Ellen, our staff Counsel, to kind of do a matrix for the Members as to how each of the services are approaching the standardization process.

    The second question I have, which I will ask the Navy and Marine Corps today, is in my discussions with both you and looking at cost comparisons I got the impression that you were saying that it is significantly—maybe not significantly but increased to use the backbone lines of DISA. I should have asked General Bryan when he was here. I will ask him for the record to respond to that. Can you tell me approximately how much cheaper you could provide service nationwide as opposed to having used lines available to the DISA organization, and I understand DISA will have some response probably based on the availability of their lines which go much further than just Navy installations. But I think we have to understand that, and the question I would also ask General Bryan to respond to is would there be a security problem if, in fact, the Navy and Marine Corps went out and shot up their own backbone lines nationwide?
 Page 48       PREV PAGE       TOP OF DOC

    So, Admiral, can you tell me what the cost difference is using the DISA backbone lines as opposed to perhaps what you could acquire on your own?

    Admiral MAYO. Sir, I cannot specifically talk to the costs. The agreement that the Department of Navy and the DOD reached prior to the release of the Request for Proposal (RFP) and the signatures on the contract was the stipulation that the Department of Navy would use the Defense Information Systems network, DISA's long haul backbone, as its primary wide area network; and we are doing that.

    Mr. WELDON. Could you get backbone capability cheaper?

    Admiral MAYO. Sir, I would have to take that for the record and respond to you, because our contractor is incentivized and has signed a contract and the contract has service level agreements guaranteeing that end-to-end performance in terms of latency, packet loss and those kinds of things. The contractor, where necessary and only where necessary, would put in some additional connectivity in case and only in case DISA suffers a momentary outage. And before they come back on-line then our contractor would provide that end to end. But the primary provider for the Department of the Navy is DISA.

    Mr. WELDON. No, I understand that. I am not disputing that. What I am saying is perhaps there is an opportunity to achieve some savings; and if there is I would like to know what that is and what vulnerabilities would be incurred if, in fact, we had that flexibility for the Navy-Marine Corps, if there were in fact savings, which I understand there is a possibility of.
 Page 49       PREV PAGE       TOP OF DOC

    Admiral MAYO. A very good question, sir, and I will take it for the record if I may and get back to you.

    [The information referred to can be found in the Appendix.]

    Mr. WELDON. I would also ask for the record for General Bryan to give me a response from yourself as well on that issue as well.

    We have talked about information dominance and the importance to our military, and I agree with everything you are saying and I will continue to, as I said, make it one of top issues because in my mind it is the greatest threat that we possess along with the other three I have mentioned in the 21st century. But we have not talked about a concern of mine; and I just want you to comment on it, but about the threat of an adversary acquiring our perhaps design specifications or our research capabilities, not necessarily through our military systems, but through the contractor base on its building our military systems. Is there any way that you have the ability through contractors providing platforms to each of your services to make sure that systems that prime contractors are using to build new platforms or updated platforms and are interconnected with subcontractors who might not have the level of security that the prime contractor would have; do we have ways of assessing the security of those contractor networks that are providing in some cases very much state-of-the-art technology for new platforms, say, for instance, like the Joint Strike Fighter or perhaps missile defense or other cutting edge systems? So even though you do not control that system are there efforts in each of the services to have an assurance from the contractor base of those IT systems going down to the very lowest subcontractor level? Whoever wants to go first.
 Page 50       PREV PAGE       TOP OF DOC

    General CUVIELLO. Sir, on the developmental side we absolutely do have that because those are the contracts we can write and we can negotiate on that. The challenge is that in the IT world we are moving more and more to a commercial off-the-shelf capability. We are just buying commercial equipment out there. That becomes a real challenge, and working with our industry partners on how they do their business—that I would not be able to comment on on how we could do that and continue to move to more commercial off-the-shelf. If we put more additional requirements on there, which we do some time and we call it then GOT, government off-the-shelf, then the price continues to rise. I am making it just a little bit more specialty.

    Mr. WELDON. Admiral.

    Admiral MAYO. Sir, I was going to mention the so-called common criteria, the guidance criteria that are put out by the National Institute for Standards of Technology that provide guidance this year and direction next year on what kind of cuts, equipment to buy. And I am pretty sure in that guidance there is some specifics with respect—you know, that take into account the kinds of security, integrity authentication that our organizations would have to count on. So that is what I would offer to you in response to that question.

    Mr. WELDON. General.

    General WOODWARD. Yes, sir. I believe another item to bring up is we are hiring the contractors for very specific purposes. And it is to do levels of installation and things of that nature inside the network itself. The architecture is very much owned by us in the Air Force. Anyway, it is owned by us in the uniformed, business and civil servants that are there. So you really control that aspect from that standpoint, and then the contractors are really doing the work; but, in fact, all of those technologies are literally commercial technologies except for the cryptologies that you are well aware of. And I would suggest that—and you certainly have the same thing on the software side because that is really directly as best you can all the tool sets, the suites of tools we have coming around in the commercial world. Just as if they would apply it themselves, you know, all the way from the NASDAQ world to any of the companies that are out there selling their product base. The same thing applies to the way we do the electronic commerce aspects of life, too.
 Page 51       PREV PAGE       TOP OF DOC

    Mr. WELDON. My concern would be an adversary or would-be adversary or perhaps even a friendly nation acquiring a financial interest through perhaps a second or third party that would acquire small subcontractors doing very, very specific work on key technologies for new weapons systems, not necessarily in the information technology area. It could be a design criteria; it could be a materials technology. What way do we have to ensure that that same subcontractor who may have been acquired by a foreign financial institution, that that technology is not then available to the foreign entity, whoever that might be, to acquire that. That is my concern.

    General SHEA. Sir, from our perspective while those users or subcontractors are working for us and are using our network, we have a very limited capability. But the real issue I think that you are getting to is their ability to get access to that information, remove that information and then send it on to somewhere else; and in the Marine Corps we don't have the capability to prevent that.

    Mr. WELDON. That is really the question, and it is a tough challenge. It will not be easy to do that. But proliferation in the 21st century is not going to be what it has been over the past 100 years. If I want to get American technology, yes, I can grease the skids and buy technology as we have seen over and over again; but I am going to use the Internet and I am going to find a way to acquire a company that may be doing critical component technology development work for one of our key new platforms and I am going to try through their own system to get access to other information that can help me perhaps make your system more vulnerable.

 Page 52       PREV PAGE       TOP OF DOC
    General SHEA. That is really what needs to be involved in a total end-to-end vulnerability assessment.

    Mr. WELDON. Very good.

    General WOODWARD. Mr. Chairman, my staff advised me, and this is a key point too, all of us follow a prescribed process called DITSCA, which you are well aware of, the Defense Information Technology Security Capability Assessment Program. I think that is what that is. Besides following that discipline that we do within each of our services, the Air Force is also doing a certificate of networthiness for the technologies for the information content as well. So you cannot plug into the network until you have gone through that process. So you get networthiness and then you also have a certificate to operate that to find some of these items that you are referring to; and then security is the number one issue, by the way, that we are dealing with. Are you going to introduce a vulnerability or not? Then we issue the certificates.

    Mr. WELDON. Very good. I appreciate your comments. The gentlelady from California, Mrs. Davis.

    Mrs. DAVIS OF CALIFORNIA. Thank you very much. I am sorry I missed the bulk of your comments. I am certainly very pleased that most of this work is going to be done in San Diego. So I look forward, in fact, to having time to meet with folks there and talk about some of the issues that they are facing. One of, I know, your goals is to guarantee the interoperability of the systems among the joint forces. What are you going to be looking for to suggest to you that that is not working? How are you going to guarantee that?
 Page 53       PREV PAGE       TOP OF DOC

    General WOODWARD. Can I start? Nice to meet you. I will start from the joint level, the Department of Defense Director and the joint level if I can do that. And that is, there is prescribed directives right now. You bring a new requirement to the table; you have to do a key performance parameter in regards to interoperability. So to go through a joint requirements process, key performance parameter, interoperability, it is based on information exchange requirements. So you have to meet that off the bat. That is part of what is called the C4 ISP support, right, C4 Intelligence Support Plan. That is one, and it is now a directive to all of the services. I believe that is successful at the moment and you will have to go back to the Joint Staff and ask them for more on that. But I think that is a real good one.

    In the Air Force, we have adopted the exact same process for the Air Force level requirements that don't go pure joint. They go Air Force only. We are now doing exactly the same thing. It is all capability based and it is based on information exchange requirements so we can guarantee meeting the joint technical architectures, which all of us have as directives as well to meet that. So I think that gives us some pretty good assurances.

    Admiral MAYO. Ma'am, if I may give you a specific example relative to a topic of interest today, the Navy-Marine Corps Intranet, which is where we are getting civil industry in a world class organization to provide a service end to end in the Navy and Marine Corps, we have had a lot of oversight with respect to that very issue that you raised about interoperability with joint forces supporting the CINCs. And with reference to the Navy-Marine Corps Intranet, it was built into the contract. The contractor has to meet certain standards. So when we test later this summer, there is going to be a number of applications that we test. The Joint Interoperability Test Center in Fort Huachuca, Arizona is going to be involved in this test of the Navy and Marine Corps. So we have that kind of oversight, that kind of testing. And also in the contract are the provisions that we will be able to support the Defense Information Infrastructure Common Operating Environment, DIICOE, which is a joint standard at various levels where we all meet and talk and pass information.
 Page 54       PREV PAGE       TOP OF DOC

    So that is a specific example of the topic of interest today where we are going right at that issue you raise.

    General SHEA. Ma'am, I would just tell you that from a Marine Corps perspective we are a joint force and we really depend on that; and my colleagues here will tell you that I make a lot of noise about that from time to time. As the Commandant has said, we will fight shoulder to shoulder with the Army. We will fly with the Air Force and the Navy and we will come from the sea. So that is absolutely critical to what we do.

    And I would agree that the joint technical architecture that stood up there; and, as a matter of fact later on this month, the Marine Corps and the Army are getting together to discuss what is referred to as warfighting talks to discuss interoperability issues from a C4 perspective. That is one of the things that is asked to be briefed to the group. So that is an item that is certainly critical to all of the services here. We have not done as well as we probably should have in the past, but certainly we are trying to push for it right now. And I think the Navy-Marine Corps Intranet by virtue of the fact that we have got to comply with the joint technical architecture and we have to have the ability to move that information, it is written into the contract, that that will happen.

    Mrs. DAVIS OF CALIFORNIA. So does that mean folks don't get paid if it does not work?

    General SHEA. It means I don't get paid.

 Page 55       PREV PAGE       TOP OF DOC
    Mrs. DAVIS OF CALIFORNIA. What do you see as the major obstacles of that? Is it a communication problem or does it go beyond that?

    General CUVIELLO. It is a culture and process problem. If you talk to the functionals, the personnel, the logisticians, the financial folks, they know they have to talk to each other because there is no island. I mean, logistics is logistics, finance is finance. And they are realizing now. When I sit and listen to the visions of all the functionals, they understand there has to be interoperability. Actually, I would like to classify it more as interdependence than interoperability. So they also understand that the sneaker net, that is carrying disks, the swivel chair, going from the personnel computer to the logistics computer is not the wave of the future. So they are playing with us to understanding that the digits do need to talk to each other. So that is part of our assurance that the user of this technology really wants it.

    Mrs. DAVIS OF CALIFORNIA. Thank you. What role do you think we can play in furthering that mission or that interest?

    General CUVIELLO. Keep doing what you are doing. Keep harping, Mr. Chairman. We need help. I mean, I would like to classify us as attempting to be agents of change. We fit in this process of and this culture of the way we have done business for a long time. So the outside help really does help. People look at themselves. I believe the new civilian leadership of the Department of Defense is taking a real hard focus on the business side of the house, and that is the business of warfighting but, more importantly, where most of the digits flow and that is on the business, the real business, the small ''b'' business side of the house. And I think we are going to get some help from them. And I know some of the questions that you have been asking of them are focusing them also.
 Page 56       PREV PAGE       TOP OF DOC

    Admiral MAYO. I would like to ask for your help in a couple of areas. The first is the continued support of the Navy-Marine Corps Intranet because that will give us that backbone across our services in the joint world to really get to that web-based environment like the civilian world has where things are interoperable. That is the kind of environment we want to get to, and NMCI is going to do that for us. I would ask for your continued support on the NSA's cryptographic roadmap because we need to continue to protect our information, and that is a pretty important series of events coming up to refresh our cryptographic network across the services. And then perhaps, if I may, I would ask for any kind of Congressional help that might help the DOD and the services really pursue those kinds of people or organizations that attack our networks and bring them to justice.

    General WOODWARD. I will continue with that approach if I might do that. That is along the lines of network confirmations, information assurance, and the specific question you asked in regards to interoperability, which can all be put together, I think, certainly supporting the initiatives we have got going with information technology within our service; and, more precisely, of the information assurance piece of that and you see that, that will be very visible to you. It comes through our exhibits that we offer once it all gets puts together here as time and the defense review goes through. But strengthening the laws to investigate and prosecute, as Admiral Mayo brought up, prosecute computer intrusion, computer vandalism and computer crime—I know that is focused, because I believe somebody has some legislation being worked right now. I think that is crucial for all of us.

    I think another one is to promote commercial industry produced analysis software tool sets. I think that was referred to earlier in the first portion of the testimony that was being done. We need more of those kinds of tool sets. This is a tough business and this is complex, and we have people coming in to work for us and they are 20 years old and they need help in that regard. So those pieces of software would really help us if you can drive that. Science technology, R&D, those aspects of life. I think that will help us.
 Page 57       PREV PAGE       TOP OF DOC

    There is some thought process in regards to additional compensations, and I think you ought to keep asking that question and then keep focusing on that because we are anxious to retain that intellectual capital. Whatever that is, whether that is contract or manual equivalents I deal with in the Air Force, about 14 percent of my workforce is that right now, an integrated part of the workforce. You have to keep it all one way or another. We would love to have you visit. We would love to have you be part of what we have got going all the way, CERT and higher, and that activity that is going on. We offer to brief certainly the staffers as well as yourselves and the principals on the activities that are going on in-depth inside of our Air Force, and we offer that to you too.

    General SHEA. I would agree with my colleagues and in addition, ma'am, we have got—as I said earlier, we have got—our operation center as well as our component commander for the computer network operations task force is located down at Quantico, and I would offer you or your staff the opportunity to come down there and see how we do business. It kind of a microcosm of the way things will be done under NMCI. I would invite you and your staffs down there to see how we operate down there.

    Mrs. DAVIS of California. Thank you. I know when I have had an opportunity to meet with folks in my office or out in San Diego, the issue of retaining qualified high tech people in the military is a big issue. And I know that we have a lot of industries in San Diego that are very happy to fly them away, and we need to do some things to keep them. We need them in the private sector as well because of all the contracting going on obviously, but I think we also need to find ways that they agree to stay and we have to compensate them for that.

 Page 58       PREV PAGE       TOP OF DOC
    Mr. WELDON. I thank the gentlelady and as a follow-up on the one point made by General Woodward when we were out with General Bryan, we asked about legislation and he advised us and had an attorney give us a brief overview of a package that was being vetted that would assist you with some of the legal changes that need to be made, and we are prepared to look at that and support it as soon as you finish it and get it to us. And I would ask the services if they have any additions to that. We stand ready to assist you because we are going through a very fluid process. America has not yet come to grips with the whole operation of the Internet and the first amendment issues and the other issues that go along with it. But we want to give you the tools that you need, so give us the legislative changes that you recommend and we will work to assist you.

    Now, our Counsel, Ms. Fraser, had a question she wanted to ask. She doesn't want to ask it. We will put it in the record. They usually have all the good questions. So for the record we will ask you to respond to some questions for the record. I would just close by repeating what John Hamre said three years ago when he came in before my committee and testified on this very issue after a one-hour closed hearing, and we were briefed on an attack that was underway at that time. A very provacative statement. The Deputy Secretary of Defense at the time said, ''It is not a matter of if America has an electronic Pearl Harbor, but when.''

    You are our front-line of defense from preventing and preempting an electronic Pearl Harbor. You have a huge task. I am aware of that. My colleague, Mr. Ortiz, is aware of that. We want to give you every possible tool or resource you need to prevent that electronic Pearl Harbor from happening.

    Thank you for serving. Thank you for your efforts and we look forwards to working with you. The hearing stands adjourned.
 Page 59       PREV PAGE       TOP OF DOC

    [Whereupon, at 12:04 p.m., the subcommittee was adjourned.]


May 17, 2001

[The Appendix is pending.]