STATEMENT OF
LIEUTENANT GENERAL JOSEPH K. KELLOGG, USA
DIRECTOR FOR COMMAND, CONTROL, COMMUNICATIONS, AND COMPUTER SYSTEMS
JOINT STAFF
MAY 17, 2001

Thank you Mr. Chairman and members of the Subcommittee - I
welcome the opportunity to come before you today and
talk about the challenge of defending the Defense Department
networks and the role the Joint Staff plays in executing
this mission. I am Lieutenant General Keith Kellogg, the Director Command,
Control, Communications and Computer Systems Directorate,
the Joint Staff.
I will address the overall strategy we are implementing
to ensure the protection and availability of our warfighting
networks and also speak to some of the areas in which
we still need to improve.
The rapid proliferation of advanced technologies
throughout the global environment demands that we be
flexible, proactive and vigilant.
Before I discuss the specifics, I would like
to present an overview of the environment in which we
are conducting our operations.

At the advent of the 21st century we find ourselves to
be a military that has fully embraced information technology
- it has been incorporated into all our mission areas. Along with increasing our efficiency to conduct a myriad of
missions - it has also increased our connectivity both
within the military community and outside it as we do
increasing amounts of business in the commercial sector.
The result of this is the unquestioned need for
Information Assurance.
Without reliable information; information that
the warfighter has complete confidence in its accuracy,
authenticity, and integrity then today's commander will
be unable to achieve Information Superiority.

Information Superiority is a central tenet for the Joint Vision
2020 and a fundamental enabler of warfare.
Information Superiority ensures the right information
reaches the right warfighter at the right time.
It is manifested in the Global Information Grid -
the Joint Staff effort to provide a globally interconnected,
end-to-end set of information capabilities, associated
processes and personnel necessary to provide information
on demand to the warfighter.
The Global Information Grid is to the Department
of Defense what the Internet is to the Commercial sector.
With our increased reliance on networks, their
availability to the warfighter is critical.
Malicious incidents, such as the Melissa and
ILOVEYOU viruses have demonstrated what can happen when
access to information networks is impeded.
There is no silver bullet to defend our networks
from attack. Rather,
a strategy that involves defense at different levels
throughout the network provides the best opportunity
to ensure the availability and integrity of our systems.
This approach is codified in our approach to
Information Assurance known as Defense in Depth.
Defense in Depth takes information assurance
to the warfighter enabling them to protect, defend and
react to attacks on the network.

The three components of Defense in Depth are People, Operations
and Technology.
I would like to elaborate on each of these topics.

People, using technologies to conduct operations are the central
element of Defense in Depth.
It takes people to design, build, install, operate,
evaluate and maintain protection mechanisms.
To gain and maintain the knowledge and expertise
to perform these vital tasks, a comprehensive program
of education, training, practical experience and awareness
is needed. The
trained and aware individual, whom we call the system
administrator, working on his or her job is the first
and most vital line of defense protecting DOD information
and information systems.
These system administrators are the cornerstone
of our information network defense, our front line cyber
warriors of the 21st century.
They are the network infantrymen, manning the
virtual foxholes using technical weapons to defend the
integrity of our networks.
We have an obligation to train them in fighting
on the cyber battlefield much as we do with the mud
and boots infantryman.
Properly trained system administrators are the
primary key to protecting our information systems.
Undersecretary of Defense, Personnel and Readiness
(USD (P&R)) and Assistant Secretary of Defense,
Command, Control, Communications and Intelligence (ASD
(C3I)) recently established the requirement for U.S.
Government departments and agencies to implement training
programs for system administrators to achieve specific
skills. At
the Joint Staff, we are in the process of standardizing
cyber skill sets against experience and levels of responsibility.

Information Assurance Operations are driven by IA policy that establishes
goals, actions, procedures and standards.
Current Joint Staff guidance targets the issue
of information assurance procedures and standards. The
recently published Chairman's instruction
"Information Assurance through Defense in Depth"
and its follow-on implementation manual, provides joint
policy, component responsibilities and a minimum set
of network protection requirements that outlines a common
protection baseline throughout DoD along with detailed
guidance to commanders on how to satisfy these requirements.
Efforts to quantify "how much information assurance
is enough" resulted in IA metrics guidance - measurable
standards that allow commanders to evaluate their current
situation, providing a current "as is" picture.
Through a coordinated effort, DOD now has a policy
in place that mitigates the risk to defense networks
presented by malicious mobile code.
As the Director J6, I am one of the 4 Designated
Approval Authorities (DAAs) for the Defense Information
Systems Network (DISN) - the DoD's primary communications
backbone. My central responsibility in this role, as
designated by the Director Joint Staff, is to ensure
network security.
Acting in coordination with the other DISN DAAs
(Directors of National Security Agency, Defense Information
Systems Agency and Defense Intelligence Agency), we
ensure this security with a standardized certification
and accreditation process. Codified in a DoD instruction
(Defense Information Technology Certification and Accreditation
Process), its objective is to optimize network security
through the establishment of a standard infrastructure-centric
approach. Standardizing
the process minimizes risk associated with nonstandard
security implementations.
This is a dynamic process that is involved in
all phases of technology development and provides the
Designated Approval Authority (operating at various
levels) information with which to make educated decisions
concerning the connection of information systems to
their networks.

Stressing process improvement, another initiative currently underway
is an extensive review of the policies and procedures
detailing connection criteria to the Secret Internet
Protocol Router Network (SIPRnet).
This effort will further strengthen the stringent
standards that are required to be met prior to being
connected to our primary warfighting network.

A means to ensure timely, community wide notification
and dissemination of network vulnerability information
exists in the form of the Information Vulnerability
Assessment Alert (IAVA) process.
Administered by the Defense Information Systems
Agency and under the oversight of United States Space
Command (USSPACECOM), the IAVA process is used to notify
the military services and Defense Agencies about significant
computer security vulnerabilities that pose an immediate
threat to the networks and require timely corrective
action. Components
are required to report on the status of their compliance -
providing a snapshot update on the integrity of DoD
networks.

DOD has implemented the Information Condition (INFOCON)
system, which allows us to raise the awareness and information
assurance standards of affected or threatened commands
to an appropriate level of readiness to meet expected
cyber threats and/or attacks.
This system provides a hierarchy of protection
profiles that Commands
implement to defend their networks. It is a warning
system that raises situational IA awareness.

The interconnectivity of our networks makes this an extremely
important and challenging endeavor.
Based upon lessons learned from our operations
in Kosovo and some timeliness issues with the DoD response
to recent denial of service attack, a review is underway
to identify ways to improve this system.

Finally, through the consolidated efforts of the Defense-wide
Information Assurance Program and the Joint Staff, the
Information Assurance Panel is actively working various
IA community issues.
This panel, which reports to the Military Communications
Electronics Board, has significantly heightened DoD-wide
awareness to information assurance issues and challenges.
It is a powerful forum where the IA community
can meet to discuss, evaluate and reach agreement on
ideas and suggestions.
It allows discussion among the services and agencies
of Information Assurance issues that have a commonality
within DoD.

In order for Information Assurance through Defense in Depth
to be fully realized, the technology component must
be aggressively pursued. To conduct an effective cyber
defense we must have a well-stocked arsenal of technological
weapons and the skills to use them.
Increasingly, the use of commercial off the shelf
technology (COTS) is the means by which new capabilities
are introduced in the field. The importance of the integrity
of these solutions cannot be overstated.
Evaluation efforts such as those underway by
the National Information Assurance Partnership (NIAP)
are critical to ensure that the warfighter has confidence
in the equipment they employ to help them defend the
network. Partnership
with industry is paramount to ensure the COTS tools
and equipment DoD procures do the things we need them
to do. This
requirement is highlighted and codified in the National
Policy Governing the Acquisition of Information Assurance
(IA) and IA-enabled Information Technology (IT) products.
This guidance, issued by the National Security
Telecommunication and Information System Security Committee,
mandates that all IA and IA-enabled IT COTS products
used in national security systems be evaluated and certified
in accordance with accepted IA standards.
As technology continues to advance - new and
progressive means must be employed to ensure the availability
and integrity of our networks.
The Defense Department-wide efforts in the fielding
of Public Key Infrastructure, a means to ensure the
authenticity of network traffic will significantly strengthen
the networks.

Further, the advancement of biometrics technology, an effort
being led by the U.S. Army, holds the promise of increasing
both information and network security.

We have made significant progress in the last year in our
ability to protect, defend, and react to attacks on
our networks - but there is still work to be done.

The Vulnerability Alert process, while effective in disseminating
alerts and vulnerability solutions, lacks an effective
mechanism to ensure consistent and complete reporting
across the Department.
Vulnerability Alert status is now briefed on
a monthly basis to the Information Assurance Panel and
to the Chairman, Joint Chiefs of Staff as needed.
General Shelton has listed this as a priority
item and the increased visibility has resulted in favorable
results. The
process is being revised in a Chairman's manual 6510.01,
currently in final draft, placing greater emphasis on
operational commander participation and tightening the
standards by which a compliance extension can be granted.

Further refinements contained in the draft manual include the
incorporation of Joint Monthly Readiness Reporting-like
(JMRR) metrics that operational commanders can use
to report their IAVA status.
This operationalizing of Information Assurance
in the well-understood and highly visible Joint Monthly
Readiness Reporting (JMRR) - a system that identifies
warfighting shortfalls, discrepancies and provides a
means for highlighting IA deficiencies that impact combat/mission
readiness increases the visibility of IA shortfalls
provided to senior leadership.

In closing, let me stress that as we travel down the Information
Assurance highway, we must realize that it has no end
point, only many curves, potholes and dangerous drivers
that require us to be vigilant and watchful - else we
will be unable to navigate it safely.
We have made a lot of progress on our journey
but there is much more that can and must be done.
As technology and threats mature - we must refine
and improve our training, techniques and procedures
in order to protect our networks.
The challenges are many but our men and women
are up to the task - it is our job to give them the
proper resources and leadership support to do their
jobs.