Statement by The Honorable Linton Wells II
Assistant Secretary of Defense for Command, Control, Communications and Intelligence (Acting)
and DoD Chief Information Officer
Hearing on Information Assurance
May 17, 2001
Thank you Mr. Chairman and members of the Subcommittee. I am honored to be here, and pleased to have the opportunity to update your committee on many of the issues we discussed roughly one year ago. I believe we are making significant progress in the quest to provide information assurance and defend our computer networks. These are absolute necessities if we are to truly achieve information superiority. Other testimony that you will receive today from the US Space Command, Joint Task Force - Computer Network Operations and Services will highlight the progress we've made over the past year and the challenges ahead in achieving both information assurance and computer network defense.
With the information age, we have entered an era of increasing interconnectivity and interdependency. This interdependence brings both opportunities and risks, and the benefits of the information revolution have proven to far outweigh the risks. However, we must understand and manage these risks to minimize their impact on our overall military mission success. It is essential we do this because to achieve revolutions in both military affairs and business affairs -- the cornerstones of our DoD Global Information Grid and Joint Vision 2020 -- we must actively accept and embrace this new interconnected world. We have seen this need demonstrated in both our warfighting and peacekeeping mission areas, in Kosovo and East Timor, as well as in our business operations, where our acquisition cycle time has been reduced to 15 months for key information technology systems and even less for commercial-off-the-shelf technologies. It is the capabilities offered by this new age that are at the heart of how the U.S. military intends to win future conflicts -- by massing the effects of our highly mobile, widely distributed, self-synchronizing military forces when and where desired. This is what we call Information Superiority, and it is the heart of Joint Vision 2020.

To be successful in Joint Vision 2020 and network centric warfare we must have information superiority, and to have information superiority we must have interoperability and information assurance.
To set the stage for my remarks I'd like to say a few words about the environment in which the Department of Defense (DoD) conducts its daily operations: during peacetime, crisis, and war. The Department's steadily increasing dependence on a global information environment, over which it has little control, heightens its exposure and vulnerability to a rapidly growing number of increasingly sophisticated internal and external threats. Globally internetworked and interdependent information systems tend to level the playing field between allies and adversaries, and offer adversaries access to potentially high-value and (currently) low-risk information infrastructure targets. These targets, if successfully attacked, have the potential to impact the full spectrum of DoD operations. To attack a large number of systems, an adversary need only find and attack a single exploitable connection to the system (through the use of a wide and growing variety of commonly available and inexpensive hacker tools).

Once inside a system, an adversary can exploit it and the systems networked to it. This global marriage of systems and networks creates what has become a shared risk environment. Further, with every advance in information technology, new vulnerabilities are created that must quickly be discovered and effectively neutralized. Given the risks and the fact that a weakness in any portion of the Defense networks is a threat to the operational readiness of all Components, the Department is moving aggressively to ensure the continuous availability, integrity, authentication, confidentiality, and non-repudiation of its information and the protection of its information infrastructure.
Exercises and real-life events clearly demonstrate that Defense-wide improvement in Information Assurance is an absolute and continuous operational necessity. We can no longer be satisfied with reactive or after-the-fact solutions. As the Department modernizes its information infrastructure, it must also continuously invest in the research, development, and timely integration of products, procedures, and training necessary to sustain its ability to defend it. Achievement of Information Superiority in the highly compatible, interconnected, interdependent, shared-risk DoD environment requires that Information Assurance capabilities be based on consistent risk management decisions and a coherent strategy. The technical strategy that underlies DoD Information Assurance is Defense-in-Depth, in which layers of defense are used to achieve balanced overall Information Assurance.
The Defense-in-Depth strategy recognizes that no single element or component of security can provide adequate assurance. It invokes the use of layered security solutions that allow us to maximize the use of commercial-off-the-shelf (COTS) technology. The fundamental principle is that layers of protection are needed to establish an adequate security posture. For example, enclaves require a strong perimeter to guard against malicious outsiders. Within the protected enclave, protection is needed against malicious insiders as well as malicious outsiders who have penetrated the protected enclave perimeter. This concept is relevant whether it is used to protect against potential adversaries gaining access over the Internet or to enforce community-of-interest or need-to-know isolation within an otherwise protected intranet.
In the area of Intrusion Detection, we are greatly accelerating the development of technologies to detect and respond to cyber attacks against critical infrastructures. Current intrusion detection techniques are extremely limited in their ability to identify attacks, particularly large-scale attacks against multiple points in the infrastructure, such as Distributed Denial of Service (DDoS) attacks against internet service providers and e-commerce companies. We have been conducting research into a broad variety of concepts which offer the potential to identify the most sophisticated kinds of cyber attacks, analyze the attack method and source(s), and institute protective measures in near real-time. Last year we began to characterize this technology and test its effectiveness in a genuine operational environment. This year we begin to put it into operation.
Within the DoD, we have established detailed procedures for the coordination of all cyber events. The Joint Task Force - Computer Network Defense (JTF-CND) was formed on December 30, 1998 to provide a single command with authority to coordinate and direct the defense of the DoD computer systems and networks. Originally formed as a separate JTF reporting directly to the Secretary of Defense, JTF-CND became a direct reporting command of U.S. SPACE Command on October 1, 1999 when U.S. SPACE Command was assigned the mission of computer network defense for the Department of Defense.

Recently redesignated the Joint Task Force-Computer Network Operations (JTF-CNO), the JTF provides DoD with a focal point for dealing with cyber threats and answered the "Who's in charge?" question. Prior to the formation of the JTF, no single entity had the authority to coordinate and direct a DoD-wide response to a computer network attack. The JTF-CNO and the National Infrastructure Protection Center (NIPC), which serves as a focal point for the Federal Government's efforts to detect, assess, warn of, and respond to cyber attacks, form a strong collaborative team for dealing with attacks on DoD systems and networks.
Coincident with the formation of the JTF, our study of CND activities in the Department revealed that while we had significant CND capabilities, we had no policy establishing requirements for a Defense-wide CND capability. The existing capability had been developed from the ground up to meet local or individual Component requirements. Among Components, there was significant variability in philosophy and approach, organizational and functional construct, and capability. CND capabilities were not extended to all networks, and were unevenly applied where they were available. The assessment also concluded that the current independent, "bottom up" construct had reached its potential, would soon be overcome by rapidly growing Component demand, and would not scale to support the emerging urgent requirement for a unified Defense-wide capability. Many of these same issues were reflected in the GAO report "Information Security: Challenges to Improving DoD's Incident Response Capabilities (GAO-01-341)."
As a result of our assessment, the Deputy Secretary of Defense directed a defense-wide working group to identify core CND functions and recommend an integrated, defense-wide, enterprise CND policy and assignment of responsibilities. We recently promulgated a DoD Directive and Instruction establishing the policy, responsibilities and organizational structure for CND within DoD. These require:

(1) The DoD Components to establish Component-level CND Services (i.e., a CERT) to coordinate and direct Component-wide CND operations for all Component information systems and computer networks.

(2) Establishment of CND Certification Authorities at DISA and NSA. DISA and NSA are responsible for certifying the capabilities of the Component CERTs and providing overall technical and analytical support and coordination of CERT activities. DISA will provide these services for the unclassified and collateral (TS and below) networks and NSA for "special enclaves" processing intelligence, special access program, or other especially sensitive information.

(3) DISA to serve as the overall CND systems integrator, ensuring CND systems work together and that we begin to design and build CND into our computer networks as they are developed, rather than adding it on after the fact.

(4) NSA to serve as the CND research and technology Program Manager as well as provide Attack Sensing and Warning support to USCINCSPACE and the DoD Components through the National Security Incident Response Center.

(5) A Defense CND Law Enforcement & Counterintelligence Center, which brings together the Defense Criminal Investigative and Counterintelligence organizations, to be formally established at the JTF-CNO to coordinate law enforcement and CI investigations in support of CND. In this area, we are also very excited about the establishment of the DoD Computer Forensics Laboratory.
Integration of these CND policies into CINC plans and operations is underway with the Joint Staff's preparation of a Chairman's Instruction that mirrors these policy and organizational requirements.
Fundamental to the Department's Defense in Depth strategy and computer network defense capabilities is a strong Information Assurance foundation. To better plan, monitor, coordinate, and integrate the Department's IA activities, the Deputy Secretary of Defense established the Defense-wide Information Assurance Program (DIAP) under the Director of Information Assurance in OASD(C3I). The DIAP's overarching mission is to ensure that DoD's vital information resources are secured and protected by unifying and integrating IA activities to achieve information superiority. It provides a common management framework and the central oversight necessary for improved coordination of DoD IA efforts and ensures these efforts maximize the Department's return on its IA investments.
The recent GAO Review of the DIAP (Information Security: Progress and Challenges to an Effective Defense-wide Information Assurance Program; GAO-01-307) cited a number of issues facing the DIAP as it begins to establish itself as the IA community focal point. These are due primarily to the lack of staffing of the DIAP as described in the 1999 Implementation Plan. However, in spite of the staffing shortfalls, the DIAP has been able to achieve significant progress in ensuring a coherent and cohesive IA effort across the Department, primarily through the work of the Information Assurance Panel (IAP) of the Military Communications Electronics Board. That Panel, with the coordination and integration of the DIAP supporting it, has provided a powerful mechanism to bring the community together in a forum where an open exchange of ideas and suggestions can be discussed, evaluated, and a common approach agreed upon. The scope of the community's efforts is documented in the DoD CIO Annual Information Assurance Report for Fiscal Year 2000.
The DIAP staffing shortfalls are being addressed and much progress towards full staffing has been made, with both government and contractor staff personnel. Additionally, reorganization of the DIAP has provided clearer direction for the efforts of the DIAP staff and a focus on the Defense in Depth strategy missing from the original organization.
In pursuing its resource oversight role, a DoD IA Strategic Plan is under development that will provide greater focus for the DIAP staff and the DoD IA community on the priorities and objectives for the Department. In addition, the DIAP has successfully developed an IA program baseline of the DoD Components using the Department of Defense's IA Defense-in-Depth strategy. The majority of identified funding (75%) is contained within the Information Systems Security Program (ISSP), which includes the Services, NSA, DISA, and DIA. The remainder is spread throughout the Information Technology (IT) programs of the DoD Components. To gain better visibility into IA funding and better identify the remaining 25% of IA not within the ISSP Program, DIAP has developed IA Initiative categories used for IT program/budget submissions to ASD(C3I). These IA Initiatives fall under the IT Defense Information Infrastructure Group category of "Information Assurance Activities" and correspond to the ten IA Defense-in-Depth categories. This and other efforts to develop cost models for major acquisition programs will provide the necessary visibility into the DoD IA program. They are not included in the ISSP because they are already more appropriately accounted for in other programs directly associated with the basic functional activity - for example, the weapon systems development program.
We have also developed an IA policy framework to ensure establishment of an integrated set of DoD IA policies. The policy dimension is absolutely critical, as IA technology can only be successful if proper policies are in place and procedures followed. Revision of existing outdated policies and issuance of new policies where gaps and new requirements exist is a constant, ongoing effort. In addition, the DIAP works with the DoD Components to assist in the Component implementation of DoD policy. A mechanism for determining compliance will be developed as part of the IA metrics effort. The DIAP is also leading, in partnership with our Deputy Chief Information Officer, DoD's implementation of the Government Information Security Reform provision of the Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001. We view these provisions of the Act as an important enabler that will assist us in security oversight of the Department's information systems and provide a basis for new policy and procedures for assessing the security posture of those systems and the Department.
Finally, we continue to work on the most critical component in protecting the Department's information resources against modern day cyber attacks: attracting and maintaining a corps of appropriately trained and experienced IT professionals. We have put a great deal of effort into resolving problems and issues in workforce management and Information Technology and Information Assurance education, training and certification. We are implementing changes in the way the Department manages its IT workforce and establishing training standards and certification requirements for key IT/IA personnel. Our ability to recruit and retain highly qualified information assurance specialists is critical to achieving the Department's goal of information superiority. The Information Assurance Scholarship Program (IASP), authorized by the Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001, has the potential to make a significant contribution towards enlarging the pool of Information Assurance professionals by enabling the development of future DoD information assurance specialists and enhancing the skills of current employees and military members.
Summary

Information assurance is essential to the processes required for businesses to operate in today's information environment, and is a necessary foundation for computer network defense. DoD is probed on a daily basis by those who are trying, or planning, to disrupt our nation's military capabilities. Constant vigilance over our networks is required, and that includes skilled people and technology working together, if we are to defend the infrastructures that allow our information processes to work effectively.

Substantial progress has been made, but it is a journey, not a destination. As new technology is created, new attacks will be developed, and new countermeasures must be adopted. There is a lot more that must be done to achieve information superiority. The major challenges continue to be in the areas of information assurance, continuing to operationalize computer network defense, and increasing our analytic capabilities and response options.
Tier / Description / Organizational Entities

Tier 1
Description:
- Provides DoD-wide CND operational direction or support to all DoD Components
- Centrally coordinates and/or directs CND operations that impact more than one DoD Component
- Provides Defense-wide situational awareness and attack sensing and warning through fusion, analysis and coordinated information flows
- Supports Component situational awareness and attack sensing and warning
- Coordinates CND related LE and CI investigations and operations that cross DoD Component or Federal Department/Agency bounds
Organizational Entities: US Space Command; CND Service Certification Authorities (CNDS/CA); NSIRC; DCIO LE & CI Center

Tier 2
Description:
- Responds to direction from Tier One
- Provides DoD Component-wide operational direction or support
- Supports Tier 1 situational awareness and attack sensing and warning through coordinated reporting and information flows
Organizational Entities: CNDS providers designated by Heads of Components to coordinate Component-wide CND

Tier 3
Description:
- Responds to direction from servicing Tier Two CNDS
- Supports Tier 2 situational awareness and attack sensing and warning through coordinated reporting and information flows
Organizational Entities: Local control centers that manage and control information systems, networks and services, either deployed or fixed at DoD Installations