The Honorable Linton Wells II
Secretary of Defense for
Command, Control, Communications and Intelligence (Acting)
DoD Chief Information Officer
you Mr. Chairman and members of the Subcommittee. I am honored to be here, and pleased to have the opportunity
to update your committee on many of the issues we discussed
roughly one year ago.
I believe we are making significant progress
in the quest to provide information assurance and defend
our computer networks.
These are absolute necessities if we are to truly
achieve information superiority.
Other testimony that you will receive today from
the US Space Command, Joint Task Force - Computer Network
Operations and Services will highlight the progress
we've made over the past year and the challenges ahead
in achieving both information assurance and computer
the information age, we have entered an era of increasing
interconnectivity and interdependency. This interdependence
brings both opportunities and risks, and the benefits
of the information revolution have proven to far outweigh
the risks. However, we must understand and manage these
risks to minimize their impact on our overall military
It is essential we do this because to achieve
revolutions in both military affairs and business affairs
-- the cornerstones of our DoD Global Information Grid
and Joint Vision 2020 -- we must actively accept and
embrace this new interconnected world.
We have seen this need demonstrated in both our
warfighting and peacekeeping mission areas, in Kosovo
and East Timor, as well as in our business operations
where our acquisition cycle time has been reduced to
15 months for key information technology systems and
even less for commercial-off-the-shelf technologies.
It is the capabilities offered by this new age that
are at the heart of how the U.S. military intends to
win future conflicts -- by massing the effects of our
highly mobile, widely distributed, self-synchronizing
military forces when and where desired - what we call
Information Superiority and it is the heart of Joint
Vision 2020. To
be successful in Joint Vision 2020 and network centric
warfare we must have information superiority, and to
have information superiority we must have interoperability
and information assurance.
set the stage for my remarks I'd like to say a few words
about the environment in which the Department of Defense
(DoD) conducts its daily operations-during peacetime,
crisis, and war.
The Department's steadily increasing dependence
on a global information environment, over which it has
little control, heightens its exposure and vulnerability
to a rapidly growing number of increasingly sophisticated
internal and external threats.
Globally internetworked and interdependent information
systems tend to level the playing field between
allies and adversaries, and offer adversaries access
to potentially high-value and (currently) low-risk information
These targets, if successfully attacked, have
the potential to impact the full spectrum of DoD operations.
To attack a large number of systems, an adversary
need only find and attack a single exploitable connection
to the system (through the use of a wide and growing
variety of commonly available and inexpensive hacker
inside a system, an adversary can exploit it and the
systems networked to it.
This global marriage of systems and networks
creates what has become a shared risk environment.
Further, with every advance in information technology,
new vulnerabilities are created that must quickly be
discovered and effectively neutralized.
Given the risks and the fact that weakness in
any portion of the Defense networks is a threat to the
operational readiness of all Components, the Department
is moving aggressively to ensure the continuous availability,
integrity, authentication, confidentiality, and non-repudiation
of its information and the protection of its information
Exercises and real-life events clearly demonstrate
that Defense-wide improvement in Information Assurance
is an absolute and continuous operational necessity.
We can no longer be satisfied with reactive or
after-the-fact solutions. As the Department modernizes its information infrastructure,
it must also continuously invest in the research, development,
and timely integration of products, procedures, and
training necessary to sustain its ability to defend
it. Achievement of Information Superiority in the highly
compatible, interconnected, interdependent, shared-risk
DoD environment requires that Information Assurance
capabilities be based on consistent risk management
decisions and a coherent strategy.
The technical strategy that underlies DoD Information
Assurance is Defense-in-Depth, in which layers of defense
are used to achieve balanced overall Information Assurance.
Defense-in-Depth strategy recognizes that no single
element or component of security can provide adequate
It invokes the use of layered security solutions
that allow us to maximize the use of commercial-off-the-shelf
(COTS) technology. The fundamental principal is that
layers of protection are needed to establish an adequate
For example, enclaves require a strong perimeter
to guard against malicious outsiders. Within the protected enclave, protection is needed against
malicious insiders as well as malicious outsiders who
have penetrated the protected enclave perimeter.
This concept is relevant, whether it is used
to protect against potential adversaries gaining access
over the Internet or enforcing community-of-interest
or need-to-know isolation within an otherwise protected
the area of Intrusion Detection, we are greatly accelerating
the development of technologies to detect and respond
to cyber attacks against critical infrastructures. Current
intrusion detection techniques are extremely limited
in their ability to identify attacks, particularly large
scale attacks against multiple points in the infrastructure,
such as Distributed Denial Of Service (DDOS) attacks
against internet service providers and e-commerce companies.
We have been conducting research into a broad
variety of concepts which offer the potential to identify
the most sophisticated kinds of cyber attacks, analyze
the attack method and source(s), and institute protective
measures in near real-time. Last year we began to characterize
this technology and test its effectiveness in a genuine
operational environment. This year we begin to put it into operation.
the DoD, we have established detailed procedures for
the coordination of all cyber events.
The Joint Task Force - Computer Network Defense
(JTF-CND) was formed on December 30, 1998 to provide
a single command with authority to coordinate and direct
the defense of the DoD computer systems and networks.
Originally formed as a separate JTF reporting
directly to the Secretary of Defense, JTF-CND became
a direct reporting command of U.S. SPACE Command on
October 1, 1999 when U.S. SPACE Command was assigned
the mission of computer network defense for the Department
of Defense. Recently
redesignated the Joint Task Force-Computer Network Operations
(JTF-CNO), the JTF provides DoD with a focal point for
dealing with cyber threats and answered the "Who's in
Prior to the formation of the JTF, no single
entity had the authority to coordinate and direct a
DoD wide response to a computer network attack.
The JTF-CNO and the National Infrastructure Protection
Center (NIPC), which serves as a focal point for the
Federal Government's efforts to detect, assess, warn
of, and respond to cyber attacks, form a strong collaborative
team for dealing with attacks on DoD systems
with the formation of the JTF, our study of CND activities
in the Department revealed that while we had significant
CND capabilities, we had no policy establishing requirements
for a Defense-wide CND capability. The existing capability had been developed from the ground
up to meet local or individual Component requirements. Among Components, there was significant variability in philosophy
and approach, organizational and functional construct,
CND capabilities were not extended to all networks,
and were unevenly applied where it was available. The
assessment also concluded that the current independent,
"bottom up" construct had reached its potential,
would soon be overcome by rapidly growing Component
demand, and would not scale to support the emerging
urgent requirement for a unified Defense-wide capability.
Many of these same issues were reflected in the
GAO report "Information Security: Challenges to Improving
DoD's Incident Response Capabilities (GAO-01-341)."
a result of our assessment, the Deputy Secretary of
Defense directed a defense-wide working group to identify
core CND functions and recommend an integrated, defense-wide,
enterprise CND policy and assignment of responsibilities.
We recently promulgated a DoD Directive and Instruction
establishing the policy, responsibilities and organizational
structure for CND within DoD.
The DoD Components to establish Component-level CND
Services (i.e., a CERT) to coordinate and direct Component-wide
CND operations for all Component information systems
and computer networks.
Establishment of CND Certification Authorities at DISA
and NSA. DISA and NSA are responsible for certifying the capabilities
of the Component CERTs and providing overall technical,
analytical and coordination of CERT activities.
DISA will provide these services for the unclassified
and collateral (TS and below) networks and NSA for "special
enclaves" processing intelligence, special access program,
or other especially sensitive information.
DISA to serve as the overall CND systems integrator,
insuring CND systems work together and that we begin
to design and build CND into our computer networks as
they are developed, rather than adding it on after the
NSA to serve as the CND research and technology Program
Manager as well as provide Attack Sensing and Warning
support to USCINCSPACE and the DoD Components through
the National Security Incident Response Center.
A Defense CND Law Enforcement & Counterintelligence
Center, which brings together the Defense Criminal Investigative
and Counterintelligence organizations, to be formally
established at the JTF-CNO to coordinate law enforcement
and CI investigations in support of CND.
In this area, we are also very excited about
the establishment of the DoD Computer Forensics Laboratory.
of these CND policies into CINC plans and operations
is underway with Joint Staff's preparation of a Chairman's
Instruction that mirrors these policy and organizational
to the Department's Defense in Depth strategy and computer
network defense capabilities is a strong Information
Assurance foundation. To better plan, monitor, coordinate,
and integrate the Department's IA activities, the Deputy
Secretary of Defense established the Defense-wide Information
Assurance Program (DIAP) under the Director of Information
Assurance in OASD(C3I).
The DIAP's overarching mission is to ensure that
DoD's vital information resources are secured and protected
by unifying and integrating IA activities to achieve
It provides a common management framework and
the central oversight necessary for improved coordination
of DoD IA efforts and ensures these efforts maximize
the Department's return on its IA investments.
recent GAO Review of the DIAP (Information Security:
Progress and Challenges to an Effective Defense-wide
Information Assurance Program; GAO-01-307) cited a number
of issues facing the DIAP as it begins to establish
itself as the IA community focal point.
These are due primarily to the lack of staffing
of the DIAP as described in the 1999 Implementation
in spite of the staffing shortfalls, the DIAP has been
able to achieve significant progress in ensuring a coherent
and cohesive IA effort across the Department, primarily
through the work of the Information Assurance Panel
(IAP) of the Military Communications Electronics Board.
That Panel, with the coordination and integration
of the DIAP supporting it, has provided a powerful mechanism
to bring the community together in a forum where an
open exchange of ideas and suggestions can be discussed,
evaluated, and a common approach agreed upon. The scope
of the community's efforts is documented in the DoD
CIO Annual Information Assurance Report for Fiscal Year
DIAP staffing shortfalls are being addressed and much
progress towards full staffing has been made, with both
government and contractor staff personnel.
Additionally, reorganization of the DIAP has
provided clearer direction for the efforts of the DIAP
staff and a focus on the Defense in Depth strategy missing
from the original organization.
pursuing its resource oversight role, a DoD IA Strategic
plan is under development that will provide greater
focus for the DIAP staff and the DoD IA community on
the priorities and objectives for the Department. In
addition, the DIAP has successfully developed an IA
program baseline of the DoD Components using the Department
of Defense's IA Defense-in-Depth strategy. The majority of identified funding (75%) is contained within
the Information Systems Security Program (ISSP), which
includes the Services, NSA, DISA, and DIA.
The remainder is spread throughout the Information
Technology (IT) programs of the DoD Components.
To gain better visibility into IA funding and
better identify the remaining 25% of IA not within the
ISSP Program, DIAP has developed IA Initiative categories
used for IT program/budget submissions to ASD(C3I).
These IA Initiatives fall under the IT Defense
Information Infrastructure Group category of "Information
Assurance Activities" and correspond to the ten IA Defense-in-Depth
and other efforts to develop cost models for major acquisition
programs will provide the necessary visibility into
the DoD IA program.
They are not included in the ISSP because they
are already more appropriately accounted for in other
programs directly associated with the basic functional
activity - for example, the weapon systems development
have also developed an IA policy framework to ensure
establishment of an integrated set of DoD IA policies.
The policy dimension is absolutely critical as IA technology
can only be successful if proper policies are in-place
and procedures followed.
Revision of existing outdated policies and issuance
of new policies where gaps and new requirements exist
is a constant on-going effort. In addition, the DIAP works with the DoD Components to assist
in the Component implementation of DoD policy.
A mechanism for determining compliance will be
developed as part of the IA metrics effort.
The DIAP is also leading, in partnership with
our Deputy Chief Information Officer, DoD's implementation
of the Government Information Security Reform provision
of the Floyd D. Spence National Defense Authorization
Act for Fiscal Year 2001.
We view these provisions of the Act as an important
enabler that will assist us in security oversight of
the Department's information systems and provide a basis
for new policy and procedures for assessing the security
posture of those systems and the Department.
we continue to work on the most critical component in
protecting the Department's information resources against
modern day cyber attacks -attracting and maintaining
a corps of appropriately trained and experienced IT
professionals. We have put a great deal of effort working
to resolve problems and issues in workforce management
and Information Technology and Information Assurance
education, training and certification.
We are implementing changes in the way the Department
manages its IT workforce and establishing of training
standards and certification requirements for key IT/IA
personnel. Our ability to recruit and retain highly
qualified information assurance specialists is critical
to achieving the Department's goal of information superiority.
The Information Assurance Scholarship Program
(IASP), authorized by the Floyd D. Spence National Defense
Authorization Act for Fiscal Year 2001, has the potential
to make a significant contribution towards enlarging
the pool of Information Assurance professionals by enabling
the development of future DoD information assurance
specialists and enhancing the skills of current employees
and military members.
Information assurance is essential to the processes
required for businesses to operate in today's information
environment, and is a necessary foundation for computer
DoD is probed on a daily basis by those who are
trying, or planning, to disrupt our nation's military
Constant vigilance over our networks is required,
and that includes skilled people and technology working
together, if we are to defend the infrastructures that
allow our information processes to work effectively.
progress has been made, but it is a journey, not a destination.
As new technology is created, new attacks will
be developed, and new countermeasures must be adopted.
There is a lot more that must be done to achieve
The major challenges continue to be in the areas
of information assurance, continuing to operationalize
computer network defense, and increasing our analytic
capabilities and response options.
Provides DoD-wide CND operational direction
or support to all DoD Components
Centrally coordinates and/or directs CND operations
that impact more than one DoD Component
Provides Defense-wide situational awareness
and attack sensing and warning through fusion,
analysis and coordinated information flows
Supports Component situational awareness and
attack sensing and warning
Coordinates CND related LE and CI investigations
and operations that cross DoD Component or Federal
Service Certification Authorities (CNDS/CA)
LE & CI Center
Responds to direction from Tier One
Provides DoD Component-wide operational direction
Supports Tier 1 situational awareness and attack
sensing and warning through coordinated reporting
and information flows
providers designated by Heads of Components to
coordinate Component-wide CND
Responds to direction from servicing Tier Two
Supports Tier 2 situational awareness and attack
sensing and warning through coordinated reporting
and information flows
control centers that manage and control information
systems, networks and services, either deployed
or fixed at DoD Installations