GENERAL JAMES D. BRYAN, U.S. ARMY
COMMANDER, JOINT TASK FORCE-COMPUTER NETWORK OPERATIONS
AND VICE DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY
you, Mr. Chairman, for this opportunity to testify before
your subcommittee on the Department of Defense responsibility
for the protection of its computer networks from cyber
am Major General David Bryan, Vice Director of the Defense
Information Systems Agency and the Commander of the
Joint Task Force Computer Network Operations. I will
address some of the critical elements of our Information
Assurance program, and how they serve to protect essential
Department of Defense data networks. However, before
I discuss the specifics, I would like to take a moment
to give some background information, and set the stage
as to how we got to where we are today.
1997, a series of exercises and real-world cyber events
targeted at critical Department of Defense networks
by both traditional and non-traditional sources demonstrated
that the mission essential networks of the Defense Department
were at risk. While various organizations within the
Department were keeping pace with the advances being
made in network security, no one organization had overall
authority for directing defensive actions across the
entire Department. By early 1998,
it was clear that the Department of Defense needed a
completely new organization, one responsible for coordinating
the defense of computer networks, as well as exercising
appropriate operational authority to direct the actions
necessary for that defense. There was general agreement
that this mission would be assigned to one of the Department's
nine Combatant Commands. However, given the time required
to execute the necessary decision process, the Joint
Task Force for Computer Network Defense (JTF-CND) was
chartered in December 1998, as an interim solution,
achieving full operational capability in June 1999.
As the Commander-in-Chief, United States Space
Command (CINCSPACE) assumed overall responsibility for
the Defense Department's computer network defense (CND)
mission, the Task Force was assigned to CINCSPACE in
October 1999. CINCSPACE has elected to keep the Task
Force in place as his CND operational arm.
Task Force headquarters, located in the metropolitan
Washington, DC area, is collocated with the Defense
Information Systems Agency's Global Network Operations
and Security Center (GNOSC) and the Department of Defense
Computer Emergency Response Team (DoD-CERT).
In addition, three of the four Service CERTs
are also located in the Washington area.
The original headquarters element consisted of
approximately 40 uniformed and civilian personnel from
a variety of backgrounds, including individuals with
a wide range of operational and technical expertise.
They included a cadre of professional intelligence
specialists and a team of Defense Department law enforcement
and counter-intelligence special agents who are focused
on computer-related criminal activity.
addition to a headquarters staff, the Task Force was
assigned five Component Commands from across the Department:
one from the Defense Information Systems Agency (DISA),
and one from each of the four military Services.
Each of these Components is responsible for monitoring
their respective network segments for malicious activity,
analyzing that activity, taking corrective action whenever
possible, and reporting incidents. These incident reports
from the Components provide critical technical information
to the Task Force, which is then able to leverage existing
CND capabilities, including an enterprise-wide intrusion
detection sensor grid network, provided by the DoD-CERT
and the four Service CERTs, linked by common reporting
processes and technology.
Technical information is fused with details concerning
ongoing operational missions, as well as with information
from imbedded intelligence, counter-intelligence, and
law enforcement channels.
This fused information is then correlated and
assessed for strategic importance.
Using the results of this strategic analysis,
the Task Force, in conjunction with the Components,
develops an operational impact assessment, identifies
appropriate courses of action, coordinates the necessary
actions with appropriate organizations, prepares a plan
to execute and, with the approval of CINCSPACE, executes
that plan through the Components.
same deliberative process that assigned the network
defense mission to CINCSPACE in 1999, also assigned
responsibility for the computer network attack (CNA)
mission to CINCSPACE, effective on 1 October 2000. Due
to the many similarities between both mission areas,
CINCSPACE elected to expand the role of JTF-CND to include
this new mission area, rather than creating a new organization
solely for CNA. Accordingly, on 2 April 2001, CINCSPACE redesignated the Commander,
Joint Task Force - Computer Network Defense to the Commander,
Joint Task Force - Computer Network Operations (JTF-CNO).
This new command is now the CINCSPACE operational entity
for both network defense and network attack. Over the
next two years the JTF-CNO command headquarters staff
will grow from the original 40 to approximately 144
believes that the synergy resulting from combining both
operational missions under one commander will significantly
enhance both mission areas for the Defense Department,
providing world-class operational support to warfighters
would also like to mention here the partnership that
the JTF-CNO has established with DISA and the National
Security Agency (NSA) that the JTF-CNO is able to leverage.
DISA and NSA have also established excellent
working relationships at all levels, cooperating in
the establishment and maintenance of information security
architectures that DISA is then able to operationalize
in support of the JTF-CNO.
The JTF-CNO also has developed a partnership
with the National Communications System (NCS).
The NCS is a confederation of 22 Federal Departments
and Agencies tasked with ensuring the availability of
a viable national security and emergency preparedness
telecommunications infrastructure. The assets of these organizations comprise the bulk of the
Federal Government's telecommunications resources. The NCS supports a Presidential advisory committee composed
of up to 30 industry chief executives representing major
communications, network service and information technology
providers and users.
This advisory committee provides industry-based
analyses and recommendations to the President on a wide
range of policy and technical issues related to national
security and emergency preparedness communications.
The NCS also now includes the National Coordinating
Center (NCC) for Telecommunications, a unique structure
designed to provide emergency response capabilities
to both Government and industry.
The NCC also includes the Telecommunications
Information Sharing and Analysis Center (ISAC) that
facilitates the voluntary collaboration and information
sharing among and between the Government and private
this in mind, I will now address some of the components
of our Information Assurance program.
the heart of our efforts are the Defense Information
System Agency's Defense Information Systems Network
(DISN) data networks, comprising the Unclassified But
Sensitive Internet Protocol Router Network, or "NIPRNet"
and the Secret Internet Protocol Router Network, or
essentiality of these networks has developed over time,
and has been accelerated by the increasing dependence
of the Department of Defense on the Internet as a common
business process infrastructure.
Taken together, these two data networks provide
the essential information necessary to conduct and support
the full range of military operations, and support our
warfighters, the Office of the Secretary of Defense,
the Joint Chiefs of Staff, the Commanders-in-Chief,
the Military Services, the Defense Agencies, and other
In addition, these networks will continue to
grow in importance to the Department of Defense as "Community
of Interest" networks are developed and fielded.
These Service-specific networks will be using
the NIPRNet and SIPRNet as the common data transport
The largest of these at the moment is the Navy
and Marine Corps Intranet (NMCI), and I am sure that
Admiral Mayo will be discussing it during his appearance
before the Committee.
primary data network, the NIPRNet, currently serves
in excess of 2.5 million users, through 1,503 post,
camp and station connections.
Essential applications of the Department of Defense
that are that being supported by the NIPRNet today include
electronic commerce, personnel management, training
and education, medical care and services, program management
and financial applications, including pay and billing.
As you may imagine, the growth of the NIPRNet
has been explosive.
Since 1996, this network has undergone a 20%
growth in customers and a 400% growth in traffic. I should also note that Internet and Internet-based traffic
is a significant component of the NIPRNet.
Today, we employ 13 Internet gateways on the
NIPRNet, and we estimate that fully 70% of the total
traffic traversing the NIPRNet flows from and to the
SIPRNet is a United States-only Secret network, and
has become the most critical data system supporting
the warfighter today. It is used for the Global Command
and Control System (GCCS), for force projection, for
reporting situational awareness, for intelligence purposes,
to distribute Air Tasking Orders, for support of drug
enforcement operations and for nuclear assurance, among
Currently, the SIPRNet serves approximately 125,000
personnel over 901 post, camp and station connections,
and growth has been even more significant than in the
case of the NIPRNet - since 1996, a 200% increase in
customers and over 600% in traffic.
the NIPRNet and the SIPRNet are Wide Area Networks (WAN),
consisting of routers, modems, encryption devices and
other ancillary equipment interconnected by high capacity
data links and distributed throughout the world.
All SIPRNET nodes are housed in US Military facilities
protected to the Secret level.
Joint Task Force for Computer Network Operations (the
JTF-CNO) is the DoD entity responsible for the operational
direction and coordination in case of cyber attack on
any DoD information system.
In response to established Secretary of Defense
policy, the JTF-CNO exercises tactical control over
the designated Service components providing defensive
capabilities. The JTF-CNO is also the single focal point within the Department
of Defense for coordinating defensive actions. These Component response and incident teams, operating
under the unified direction, control and advocacy of
the Commander, JTF-CNO, provide the first line of defense
against cyber attack.
This relationship permits the JTF-CNO commander
to leverage assets, contain threats, and take effective
and rapid countermeasures to any cyber attack. Although
each of these entities are uniquely tailored to meet
the needs of their service, they are all charged with
providing a set of common services on a 24 x 7 basis,
of vulnerability assessments.
of status information of Information Assurance Vulnerability
threats to the Service computer network systems.
countermeasures to the JTF-CNO.
priorities for the restoration and maintenance of post-attack
post, camp and station network perimeters are not properly
protected, DoD systems are vulnerable to compromise,
manipulation and destruction.
DISA is in a strong position to support the fielding
of standard technical solutions for defending these
protect against attack, DISA and the Services have deployed
an array of intrusion detection sensors.
The output of these sensors is primarily monitored
in the Service Computer Emergency Response Teams and
the DISA Regional Network Operations and Security Centers. In addition, sensors deployed to critical network nodes are
monitored in the DISA Global Network Operations and
I might also add that the DoD-CERT has fielded
an operational prototype system that provides a global
perspective on attacks originating from the Internet
and targeting NIPRNet systems.
This capability will also afford us the ability
to identify attack trends, scope and methods, and to
determine the extent of NIPRNet intrusions.
Under JTF-CNO direction, DISA has developed procedures
for reacting to attacks detected by these sensors.
Army Component to the JTF-CNO is the Army Computer Emergency
(ACERT) Coordination Center of the Land Information
The ARCERT conducts Computer Network Defense
operations in support of Army networks worldwide.
The ACERT is organized with a staff of four regional
teams located in the Continental United States, Europe,
Pacific and Korea.
Air Force Component is the Air Force Computer Emergency
Response Team (AFCERT) of the 33d Information Operations
AFCERT conducts operations involving intrusion detection,
incident response, computer security information assistance,
and vulnerability assessments for Air Force automated
Marine Forces Computer Network Defense (MARFOR-CND)
provides the Marine Corps component to the JTF-CNO.
This activity is responsible for the protection
and defense of Marine Corps computer networks, and carries
out other computer network defense missions as directed
by the JTF-CNO. The MARFOR-CND is also responsible for collecting computer
network attack data, formulating courses of action and
coordinating and directing mission critical solutions.
Washington DC-based Navy Computer Task Force (NCTF)
for Computer Network Defense is the Navy component to
the JTF-CNO. This
Command, in conjunction with the Navy Computer Incident
Response Team, or NAVCIRT, in Norfolk, VA, carries out
the Navy Computer Network Defense mission.
of these components will be providing additional information
on their activities, so I will turn my attention to
the DISA component to the JTF-CNO, the Global Network
Operations and Security Center, consisting of the Network
Operations Center and the Department of Defense Computer
Emergency Response Team, the DoD-CERT.
This arrangement is significant-it affords the
JTF-CNO the ability, unique within the Department of
Defense, to both maintain current visibility of the
operational status of the networks, and to defend them.
DoD-CERT serves as the technical component of the JTF-CNO,
providing technical guidance
for both daily operations, as well as technical support
for exercise planning and execution.
It represents the capstone DoD computer network
defense capability for responding to significant cyber
attacks and events directed against critical information
networks. The DoD CERT, located at DISA headquarters,
is responsible for global strategic
event analysis, vulnerability analysis/management and
investigation of incidents.
Working in concert with the JTF-CNO, Regional
Computer Emergency Response
Teams, Law Enforcement Agencies, Service Computer Emergency
Response Teams and the Joint Staff, it integrates and
provides global network and information assurance situational
addition, DISA provides four functionally and organizationally
aligned Regional CERTs embedded within the four DISA
Operations and Security Centers located in the Pacific,
Europe, Southwest Asia and the Continental United States.
These RCERTS provide tactical computer network
defense support to CINCs, Agencies and various Local
DoD-CERT, in coordination with the JTF-CNO, also administers
the Department of Defense Information Assurance Vulnerability
Current policy requires all Military Departments
to establish points of contact, to distribute the alerts
and bulletins to the systems administrators, and requires
acknowledgement and compliance reporting.
We currently provide IAVA compliance reports
monthly to the Information Assurance Panel of the Military
Communications-Electronics Board, and we have provided
similar reports to the Joint Staff J6 and to the Chairman
of the Joint Chiefs of Staff.
DoD-CERT maintains a close and effective relationship
with the CERT-Coordinating Center (CERT-CC), located
at Carnegie Mellon University and the General Services
Administration's (GSA) Federal Computer Incident Response
Center (FEDCIRC), participating in joint technical exchanges,
working groups and countermeasure development teams.
DISA has also provided a significant portion
of the total funding for the Carnegie Mellon facility,
and has done so for the past several years.
there is room for improvement in our capabilities, as
was pointed out in a recent General Accounting Office
Report on the "Challenges to Improving DoD's Incident
Six areas were noted as challenges requiring
our attention, and we are certainly working these issues,
most of which involve Department-wide coordination,
integration, review, compliance reporting and performance.
However, as was also noted in this report, we
are well aware of these challenges, and have begun to
address the issues. Current activities include:
of a Department-wide incident response plan.
CINC, Service, and Agency develops their own internal
processes for handling
The objective is to standardize reporting as
as response activities on industry and Government best
standardization will improve the quality, consistency,
and effectiveness of DoD computer network attack responses.
of a Joint Computer Emergency Response Team Database
(JCD) to centrally track cyber events.
JCD is a central repository of successful and unsuccessful
computer network defense activity on a global scale
DoD- CERT currently monitors the JCD as events are reported
from around the world in near-real time.
Internal DISA, Army, Air Force, Navy, and Marine
databases automatically feed the JCD as they report
events in their respective organizations.
DoD-CERT analysts coordinate Component attack
responses, correlate events across CINCs, Services,
and Agencies, and correlate reported events to global
sensor data. The
DoD-wide scale of attacks is crucial information that
the DoD-CERT uses to effectively advise the JTF-CNO
Coordination of response actions, assessment
of incidents and identification and resolution of anomalies.
of procedures to identify high-risk systems for independent
of an enterprise-wide sensor grid structure.
and most of the CINCs monitor a number of intrusion
The configuration, types, and outputs of these
systems are not properly correlated and fused. Within each Service domain, the Components have made significant
strides in correlating information within their sphere.
The next step is to globally correlate this sensor
to institutionalize the Department of Defense Enterprise
Vulnerability Management Program.
conducts assessments, tracks the results, helps customers
mitigate the highest priority risks, and provides additional
assessments to help the customer measure progress.
This repetitive process has significantly improved
the security posture of DISA organizations and the CINCs.
In addition, DISA provides a Vulnerability Compliance
and Tracking System (VCTS).
This VCTS system custom delivers mandatory compliance
notices when a new vulnerability comes out.
would also note that a strong and rigorous Connection
Approval Process, mandated by the Office of the Secretary
of Defense, is a critical component of the customer
connection process for both data networks.
This program validates the security posture of
individual customers and the network.
Customers submit accreditation documentation
for review; to insure proper accreditation and that
sound security procedures are in place.
If a customer does not successfully complete
the Connection Approval Process, he/she cannot establish
a connection to either network.
The SIPRNET connection approval process is designed
to verify that users have completed the required accreditation
process; validates that the network connection belongs
to an authorized user; and provides one central repository
for system information.
closing, I cannot emphasize strongly enough the unique
synergy that the JTF-CNO is able to bring to bear in
defense of our critical networks. By bringing together network operations, network defense and
computing as an integrated team under the aegis of the
JTF-CNO, we have established a robust and powerful global
capability that, we believe, is unique within the Federal
Global Network Operations and Security Center affords
us global situational awareness of the networks.
The DoD-CERT provides strategic intrusion
analysis, vulnerability alerts and incident response.
The National Coordinating Center of the National
Communications System provides the forum for Government-Industry
coordination, to include hosting the Telecommunications
Information Sharing and Analysis Center.
I believe we have established an effective information
assurance program, we also realize that we can never
rest on past accomplishments. As our capabilities improve and mature, so does the threat
I am confident that we are up to the challenges that
face us and, we can ensure that the warfighter has the
right information, in the right format, in the right
place at the right time.