STATEMENT OF
MAJOR GENERAL JAMES D. BRYAN, U.S. ARMY
COMMANDER, JOINT TASK FORCE-COMPUTER NETWORK OPERATIONS, U.S. CINCSPACE
AND VICE DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY
MAY 17, 2001
Thank you, Mr. Chairman, for this opportunity to testify before your subcommittee on the Department of Defense responsibility for the protection of its computer networks from cyber attack. I am Major General David Bryan, Vice Director of the Defense Information Systems Agency and the Commander of the Joint Task Force Computer Network Operations. I will address some of the critical elements of our Information Assurance program, and how they serve to protect essential Department of Defense data networks. However, before I discuss the specifics, I would like to take a moment to give some background information, and set the stage as to how we got to where we are today.
In 1997, a series of exercises and real-world cyber events targeted at critical Department of Defense networks by both traditional and non-traditional sources demonstrated that the mission essential networks of the Defense Department were at risk. While various organizations within the Department were keeping pace with the advances being made in network security, no one organization had overall authority for directing defensive actions across the entire Department. By early 1998, it was clear that the Department of Defense needed a completely new organization, one responsible for coordinating the defense of computer networks, as well as exercising appropriate operational authority to direct the actions necessary for that defense. There was general agreement that this mission would be assigned to one of the Department's nine Combatant Commands. However, given the time required to execute the necessary decision process, the Joint Task Force for Computer Network Defense (JTF-CND) was chartered in December 1998, as an interim solution, achieving full operational capability in June 1999.

As the Commander-in-Chief, United States Space Command (CINCSPACE) assumed overall responsibility for the Defense Department's computer network defense (CND) mission, the Task Force was assigned to CINCSPACE in October 1999. CINCSPACE has elected to keep the Task Force in place as his CND operational arm.
The Task Force headquarters, located in the metropolitan Washington, DC area, is collocated with the Defense Information Systems Agency's Global Network Operations and Security Center (GNOSC) and the Department of Defense Computer Emergency Response Team (DoD-CERT). In addition, three of the four Service CERTs are also located in the Washington area. The original headquarters element consisted of approximately 40 uniformed and civilian personnel from a variety of backgrounds, including individuals with a wide range of operational and technical expertise. They included a cadre of professional intelligence specialists and a team of Defense Department law enforcement and counter-intelligence special agents who are focused on computer-related criminal activity.
In addition to a headquarters staff, the Task Force was assigned five Component Commands from across the Department: one from the Defense Information Systems Agency (DISA), and one from each of the four military Services. Each of these Components is responsible for monitoring its respective network segments for malicious activity, analyzing that activity, taking corrective action whenever possible, and reporting incidents. These incident reports from the Components provide critical technical information to the Task Force, which is then able to leverage existing CND capabilities, including an enterprise-wide intrusion detection sensor grid network, provided by the DoD-CERT and the four Service CERTs, linked by common reporting processes and technology. Technical information is fused with details concerning ongoing operational missions, as well as with information from embedded intelligence, counter-intelligence, and law enforcement channels. This fused information is then correlated and assessed for strategic importance. Using the results of this strategic analysis, the Task Force, in conjunction with the Components, develops an operational impact assessment, identifies appropriate courses of action, coordinates the necessary actions with appropriate organizations, prepares a plan to execute and, with the approval of CINCSPACE, executes that plan through the Components.
The same deliberative process that assigned the network defense mission to CINCSPACE in 1999 also assigned responsibility for the computer network attack (CNA) mission to CINCSPACE, effective on 1 October 2000. Due to the many similarities between both mission areas, CINCSPACE elected to expand the role of JTF-CND to include this new mission area, rather than creating a new organization solely for CNA. Accordingly, on 2 April 2001, CINCSPACE redesignated the Commander, Joint Task Force - Computer Network Defense as the Commander, Joint Task Force - Computer Network Operations (JTF-CNO). This new command is now the CINCSPACE operational entity for both network defense and network attack. Over the next two years the JTF-CNO command headquarters staff will grow from the original 40 to approximately 144 personnel. CINCSPACE believes that the synergy resulting from combining both operational missions under one commander will significantly enhance both mission areas for the Defense Department, providing world-class operational support to warfighters globally.

I would also like to mention here the partnership that the JTF-CNO has established with DISA and the National Security Agency (NSA), which the JTF-CNO is able to leverage. DISA and NSA have also established excellent working relationships at all levels, cooperating in the establishment and maintenance of information security architectures that DISA is then able to operationalize in support of the JTF-CNO.
The JTF-CNO also has developed a partnership with the National Communications System (NCS). The NCS is a confederation of 22 Federal Departments and Agencies tasked with ensuring the availability of a viable national security and emergency preparedness telecommunications infrastructure. The assets of these organizations comprise the bulk of the Federal Government's telecommunications resources. The NCS supports a Presidential advisory committee composed of up to 30 industry chief executives representing major communications, network service and information technology providers and users. This advisory committee provides industry-based analyses and recommendations to the President on a wide range of policy and technical issues related to national security and emergency preparedness communications. The NCS also now includes the National Coordinating Center (NCC) for Telecommunications, a unique structure designed to provide emergency response capabilities to both Government and industry. The NCC also includes the Telecommunications Information Sharing and Analysis Center (ISAC) that facilitates the voluntary collaboration and information sharing among and between the Government and private sector.

With this in mind, I will now address some of the components of our Information Assurance program.
At the heart of our efforts are the Defense Information Systems Agency's Defense Information Systems Network (DISN) data networks, comprising the Unclassified But Sensitive Internet Protocol Router Network, or "NIPRNet," and the Secret Internet Protocol Router Network, or "SIPRNet." The essentiality of these networks has developed over time, and has been accelerated by the increasing dependence of the Department of Defense on the Internet as a common business process infrastructure. Taken together, these two data networks provide the essential information necessary to conduct and support the full range of military operations, and support our warfighters, the Office of the Secretary of Defense, the Joint Chiefs of Staff, the Commanders-in-Chief, the Military Services, the Defense Agencies, and other Federal Agencies. In addition, these networks will continue to grow in importance to the Department of Defense as "Community of Interest" networks are developed and fielded. These Service-specific networks will use the NIPRNet and SIPRNet as the common data transport infrastructure. The largest of these at the moment is the Navy and Marine Corps Intranet (NMCI), and I am sure that Admiral Mayo will be discussing it during his appearance before the Committee.
Our primary data network, the NIPRNet, currently serves in excess of 2.5 million users, through 1,503 post, camp and station connections. Essential applications of the Department of Defense that are being supported by the NIPRNet today include electronic commerce, personnel management, training and education, medical care and services, program management and financial applications, including pay and billing. As you may imagine, the growth of the NIPRNet has been explosive. Since 1996, this network has undergone a 20% growth in customers and a 400% growth in traffic. I should also note that Internet and Internet-based traffic is a significant component of the NIPRNet. Today, we employ 13 Internet gateways on the NIPRNet, and we estimate that fully 70% of the total traffic traversing the NIPRNet flows from and to the Internet.
The SIPRNet is a United States-only Secret network, and has become the most critical data system supporting the warfighter today. It is used for the Global Command and Control System (GCCS), for force projection, for reporting situational awareness, for intelligence purposes, to distribute Air Tasking Orders, for support of drug enforcement operations and for nuclear assurance, among other applications. Currently, the SIPRNet serves approximately 125,000 personnel over 901 post, camp and station connections, and growth has been even more significant than in the case of the NIPRNet: since 1996, a 200% increase in customers and over 600% in traffic.
Both the NIPRNet and the SIPRNet are Wide Area Networks (WAN), consisting of routers, modems, encryption devices and other ancillary equipment interconnected by high capacity data links and distributed throughout the world. All SIPRNet nodes are housed in US Military facilities protected to the Secret level.
The Joint Task Force for Computer Network Operations (the JTF-CNO) is the DoD entity responsible for the operational direction and coordination in case of cyber attack on any DoD information system. In response to established Secretary of Defense policy, the JTF-CNO exercises tactical control over the designated Service components providing defensive capabilities. The JTF-CNO is also the single focal point within the Department of Defense for coordinating defensive actions. These Component response and incident teams, operating under the unified direction, control and advocacy of the Commander, JTF-CNO, provide the first line of defense against cyber attack. This relationship permits the JTF-CNO commander to leverage assets, contain threats, and take effective and rapid countermeasures to any cyber attack. Although each of these entities is uniquely tailored to meet the needs of its Service, they are all charged with providing a set of common services on a 24 x 7 basis, to include:

Coordination of vulnerability assessments.
Maintenance of status information on Information Assurance Vulnerability Alert (IAVA) compliance.
Conducting preliminary assessments.
Analyzing threats to the Service computer network systems.
Incident correlation.
Recommending countermeasures to the JTF-CNO.
Setting priorities for the restoration and maintenance of post-attack functionality.
If post, camp and station network perimeters are not properly protected, DoD systems are vulnerable to compromise, manipulation and destruction. DISA is in a strong position to support the fielding of standard technical solutions for defending these networks.

To protect against attack, DISA and the Services have deployed an array of intrusion detection sensors. The output of these sensors is primarily monitored in the Service Computer Emergency Response Teams and the DISA Regional Network Operations and Security Centers. In addition, sensors deployed to critical network nodes are monitored in the DISA Global Network Operations and Security Center. I might also add that the DoD-CERT has fielded an operational prototype system that provides a global perspective on attacks originating from the Internet and targeting NIPRNet systems. This capability will also afford us the ability to identify attack trends, scope and methods, and to determine the extent of NIPRNet intrusions. Under JTF-CNO direction, DISA has developed procedures for reacting to attacks detected by these sensors.
The Army Component to the JTF-CNO is the Army Computer Emergency Response Team (ACERT) Coordination Center of the Land Information Warfare Activity. The ACERT conducts Computer Network Defense operations in support of Army networks worldwide. The ACERT is organized with a staff of four regional teams located in the Continental United States, Europe, Pacific and Korea.
The Air Force Component is the Air Force Computer Emergency Response Team (AFCERT) of the 33d Information Operations Squadron. The AFCERT conducts operations involving intrusion detection, incident response, computer security information assistance, and vulnerability assessments for Air Force automated information systems.
The Marine Forces Computer Network Defense (MARFOR-CND) provides the Marine Corps component to the JTF-CNO. This activity is responsible for the protection and defense of Marine Corps computer networks, and carries out other computer network defense missions as directed by the JTF-CNO. The MARFOR-CND is also responsible for collecting computer network attack data, formulating courses of action and coordinating and directing mission critical solutions.
The Washington DC-based Navy Computer Task Force (NCTF) for Computer Network Defense is the Navy component to the JTF-CNO. This Command, in conjunction with the Navy Computer Incident Response Team, or NAVCIRT, in Norfolk, VA, carries out the Navy Computer Network Defense mission.
Each of these components will be providing additional information on their activities, so I will turn my attention to the DISA component to the JTF-CNO, the Global Network Operations and Security Center, consisting of the Network Operations Center and the Department of Defense Computer Emergency Response Team, the DoD-CERT. This arrangement is significant: it affords the JTF-CNO the ability, unique within the Department of Defense, to both maintain current visibility of the operational status of the networks, and to defend them.
The DoD-CERT serves as the technical component of the JTF-CNO, providing technical guidance for daily operations as well as technical support for exercise planning and execution. It represents the capstone DoD computer network defense capability for responding to significant cyber attacks and events directed against critical information networks. The DoD-CERT, located at DISA headquarters, is responsible for global strategic event analysis, vulnerability analysis/management and investigation of incidents. Working in concert with the JTF-CNO, Regional Computer Emergency Response Teams, Law Enforcement Agencies, Service Computer Emergency Response Teams and the Joint Staff, it integrates and provides global network and information assurance situational awareness.

In addition, DISA provides four functionally and organizationally aligned Regional CERTs embedded within the four DISA Regional Network Operations and Security Centers located in the Pacific, Europe, Southwest Asia and the Continental United States. These RCERTs provide tactical computer network defense support to CINCs, Agencies and various Local Control Centers.
The DoD-CERT, in coordination with the JTF-CNO, also administers the Department of Defense Information Assurance Vulnerability Alert process. Current policy requires all Military Departments to establish points of contact, to distribute the alerts and bulletins to the systems administrators, and requires acknowledgement and compliance reporting. We currently provide IAVA compliance reports monthly to the Information Assurance Panel of the Military Communications-Electronics Board, and we have provided similar reports to the Joint Staff J6 and to the Chairman of the Joint Chiefs of Staff.
The DoD-CERT maintains a close and effective relationship with the CERT Coordination Center (CERT-CC), located at Carnegie Mellon University, and the General Services Administration's (GSA) Federal Computer Incident Response Center (FEDCIRC), participating in joint technical exchanges, working groups and countermeasure development teams. DISA has also provided a significant portion of the total funding for the Carnegie Mellon facility, and has done so for the past several years.
Certainly, there is room for improvement in our capabilities, as was pointed out in a recent General Accounting Office Report on the "Challenges to Improving DoD's Incident Response Capabilities." Six areas were noted as challenges requiring our attention, and we are certainly working these issues, most of which involve Department-wide coordination, integration, review, compliance reporting and performance. However, as was also noted in this report, we are well aware of these challenges, and have begun to address the issues. Current activities include:
Development of a Department-wide incident response plan. Currently each CINC, Service, and Agency develops its own internal processes for handling computer attacks. The objective is to standardize reporting as well as response activities on industry and Government best practices. This standardization will improve the quality, consistency, and effectiveness of DoD responses to computer network attacks.
Establishment of a Joint Computer Emergency Response Team Database (JCD) to centrally track cyber events. The JCD is a central repository of successful and unsuccessful computer network defense activity on a global, DoD-wide scale. The DoD-CERT currently monitors the JCD as events are reported from around the world in near-real time. Internal DISA, Army, Air Force, Navy, and Marine databases automatically feed the JCD as they report events in their respective organizations. DoD-CERT analysts coordinate Component attack responses, correlate events across CINCs, Services, and Agencies, and correlate reported events to global sensor data. The DoD-wide scale of attacks is crucial information that the DoD-CERT uses to effectively advise the JTF-CNO on countermeasures.

Coordination of response actions, assessment of incidents, and identification and resolution of anomalies.
Development of procedures to identify high-risk systems for independent security review.
Championing of an enterprise-wide sensor grid structure. Every Service CERT and most of the CINCs monitor a number of intrusion detection sensors. The configuration, types, and outputs of these systems are not properly correlated and fused. Within each Service domain, the Components have made significant strides in correlating information within their sphere. The next step is to globally correlate this sensor grid data.
Efforts to institutionalize the Department of Defense Enterprise Vulnerability Management Program. DISA conducts assessments, tracks the results, helps customers mitigate the highest priority risks, and provides additional assessments to help the customer measure progress. This repetitive process has significantly improved the security posture of DISA organizations and the CINCs. In addition, DISA provides a Vulnerability Compliance and Tracking System (VCTS), which delivers tailored, mandatory compliance notices when a new vulnerability is released.
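The central repository and the cross-Component and sensor-grid correlation described in the JCD and sensor grid items above, shown as an added illustration that is not JTF-CNO or DISA code: the three Component record layouts, the field names, every event and the six-hour and thirty-minute matching windows are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds (not real data): each Component reports in its own
# layout, standing in for the Service databases that feed the central store.
ARMY_FEED = [
    {"ts": "2001-05-10T02:15:00", "src": "198.51.100.7", "sig": "SCAN-PORT", "host": "army-ws-12"},
]
AIR_FORCE_FEED = [
    {"when": "2001-05-10 02:40:00", "source_ip": "198.51.100.7", "event_type": "SCAN-PORT", "target": "af-srv-3"},
]
NAVY_FEED = [  # (timestamp, source, signature, host) tuples
    ("2001-05-10T03:05:00", "198.51.100.7", "SCAN-PORT", "navy-gw-1"),
    ("2001-05-11T09:00:00", "203.0.113.5", "LOGIN-FAIL", "navy-ws-8"),
]
# Constructed alerts from the gateway sensor grid (same fields as the Army feed plus gateway).
SENSOR_FEED = [
    {"ts": "2001-05-10T02:14:30", "src": "198.51.100.7", "sig": "SCAN-PORT", "gateway": "gw-east-1"},
]

def normalize(component, record):
    """Map one Component-specific record onto the common repository layout."""
    if component == "Army":
        ts, src, sig, host = record["ts"], record["src"], record["sig"], record["host"]
    elif component == "AirForce":
        ts = record["when"].replace(" ", "T")
        src, sig, host = record["source_ip"], record["event_type"], record["target"]
    elif component == "Navy":
        ts, src, sig, host = record
    else:
        raise ValueError(f"unknown component: {component}")
    return {"component": component, "ts": datetime.fromisoformat(ts),
            "src": src, "sig": sig, "host": host}

def build_repository(feeds):
    """Central repository: every Component's events in one normalized list."""
    return [normalize(comp, rec) for comp, feed in feeds.items() for rec in feed]

def correlate_across_components(repo, window=timedelta(hours=6)):
    """Flag (src, sig) pairs reported by two or more Components within the window."""
    groups = defaultdict(list)
    for ev in repo:
        groups[(ev["src"], ev["sig"])].append(ev)
    findings = []
    for (src, sig), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        comps = sorted({e["component"] for e in evs})
        if len(comps) >= 2 and evs[-1]["ts"] - evs[0]["ts"] <= window:
            findings.append({"src": src, "sig": sig, "components": comps, "first_seen": evs[0]["ts"]})
    return findings

def attach_sensor_alerts(findings, sensors, slack=timedelta(minutes=30)):
    """Link each finding to gateway alerts with the same src/sig close to first_seen."""
    for f in findings:
        f["gateways"] = sorted(
            s["gateway"] for s in sensors
            if s["src"] == f["src"] and s["sig"] == f["sig"]
            and abs(datetime.fromisoformat(s["ts"]) - f["first_seen"]) <= slack)
    return findings

def dod_wide_picture():
    """Run the whole pipeline over the constructed feeds and return the findings."""
    repo = build_repository({"Army": ARMY_FEED, "AirForce": AIR_FORCE_FEED, "Navy": NAVY_FEED})
    return attach_sensor_alerts(correlate_across_components(repo), SENSOR_FEED)
```

Calling dod_wide_picture() yields a single finding: the same scan source seen by all three Components within an hour and matched to one gateway sensor alert, while the isolated Navy login failure produces nothing.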
I would also note that a strong and rigorous Connection Approval Process, mandated by the Office of the Secretary of Defense, is a critical component of the customer connection process for both data networks. This program validates the security posture of individual customers and the network. Customers submit accreditation documentation for review to ensure proper accreditation and that sound security procedures are in place. If a customer does not successfully complete the Connection Approval Process, he/she cannot establish a connection to either network. The SIPRNet connection approval process is designed to verify that users have completed the required accreditation process, to validate that the network connection belongs to an authorized user, and to provide one central repository for system information.
In closing, I cannot emphasize strongly enough the unique synergy that the JTF-CNO is able to bring to bear in defense of our critical networks. By bringing together network operations, network defense and computing as an integrated team under the aegis of the JTF-CNO, we have established a robust and powerful global capability that, we believe, is unique within the Federal Government:

The Global Network Operations and Security Center affords us global situational awareness of the networks.
The DoD-CERT provides strategic intrusion analysis, vulnerability alerts and incident response.
The National Coordinating Center of the National Communications System provides the forum for Government-Industry coordination, to include hosting the Telecommunications Information Sharing and Analysis Center.
While I believe we have established an effective information assurance program, we also realize that we can never rest on past accomplishments. As our capabilities improve and mature, so does the threat environment. However, I am confident that we are up to the challenges that face us and that we can ensure that the warfighter has the right information, in the right format, in the right place at the right time.