STATEMENT OF:
LIEUTENANT GENERAL JOHN L. WOODWARD, JR, USAF
Deputy Chief of Staff, Communications and Information
United States Air Force
Information Assurance
May 17, 2001
Mr.
Chairman, distinguished members of the committee, thank
you for your continued interest in this nationally important
issue. This
is the Air Force's fourth opportunity to provide testimony
on this important subject.
Through the support of Congress, our journey
over the last four years has continued to strengthen
our network protection posture.
As an aerospace force, information and decision
superiority remain critical to the Air Force's global vigilance,
reach, and power.
As our Air Force Chief of Staff, Gen Ryan states,
"Our information systems and networks go to war with
us--and because they are part of the fight--we must treat
them as weapon systems."
In
1997, the Air Force began its work to create a strong
network protection posture as it transformed its doctrine
to establish Information Superiority as a critical warfighter-enabling
tool. At
that time, we had plans in place to provide every Air
Force base with an intrusion detection system.
Although we began to field firewalls, they were
the exception. In addition to prototyping base network
control centers, we developed a Defense in Depth security
concept, known as Barrier Reef, and our Air Force Computer
Emergency Response Team
(AFCERT) was starting its fourth year of operation.
In
1998, with Congressional funding support, we completed
an aggressive program to install an initial suite of
network management capabilities and base information
protection (NMS/BIP) tools at 109 bases. We also installed firewalls, scanning tools, and network management
tools at our main bases.
We were in full swing with our concept of "Operationalizing
and Professionalizing the Networks", in other words,
we were treating networks like the weapon systems they
had become. To
maximize the effectiveness of our deployable networks
and ensure the skills to manage them are widely available,
the tools fielded with our Theater Deployable Communications
suites (our go-to-war communications package) mirror
the core tools installed at our fixed bases.
By
1999, the AFCERT became the Air Force component to the
Joint Task Force for Computer Network Defense and we
published our initial Information Operations Doctrine.
Every Air Force base had a Network Control Center
with an initial network protection tool set and we began
establishing Network Operations and Security Centers
at our Major Commands. Following Operation DESERT FOX
we shored up our cyber defenses as intrusion attempts
into our base networks continued to grow.
By
the year 2000, intrusion detection systems were protecting
every Air Force base, actively scanning our networks
for malicious activity and vulnerabilities.
We upgraded our information protection tool sets
and we operationally tasked our Network Control Centers
to report their readiness, like every major weapon system,
through the Status of Resources and Training System. We are running a world class weapon system, our network, but
the threats to it are real and dangerous.
Operation ALLIED FORCE tested our mettle and
we withstood what many refer to as the first "cyber
war" effort.
In
my testimony today, I will focus my remarks on our operational
Information Assurance successes, the network environment
we work in, and the Air Force way ahead with Information
Assurance.
Operational Successes
The
Air Force has adopted and directed an exciting concept
called One Air Force-One Network.
This concept revolves around an enterprise, or
corporate networking environment, and capitalizes on
industry best practices.
The Air Force is leveraging the power of the
net and is putting that power in every airman's hand.
In fact, we continue to leverage information
superiority for combat success even though our communications
networks are repeatedly subjected to probing, barrages
of E-mail, and the "virus of the week" program.
However, mission operations continue unaffected.
Let me illustrate with a few examples:
-
Our integrated information enterprise captured over
315 million suspicious connection attempts last year
on our AF sensor grid which resulted in one unauthorized
connection by an outsider for every 20 million suspicious
connection attempts.
In all, no mission impacts occurred.
This is information assurance.
-
The Air Force recently raised our Information Condition
(INFOCON) to a higher state of readiness because of
the advertised hacker activity after the EP-3 incident.
We have successfully combated increased hacking
incidents against our mission capability.
-
Critical to the success of any Expeditionary
Aerospace Force is the previously mentioned Theater
Deployable Communications (TDC).
To date, we fielded over thirty-three lightweight
multi-band satellite terminals providing long haul reachback
capability. Our
integrated communications access package that provides
deployed base communications infostructure similar to
the fixed bases was certified for joint interoperability.
-
The reachback concept continues to work well for our
Global Reach and Power missions.
Our information systems, consisting of both commercial
off-the-shelf and military communications equipment,
enabled reliable, timely reachback to the continental
United States for intelligence, logistics and people
support that otherwise would have had to deploy forward
to Joint Task Force-South West Asia.
-
Our response to viruses has also improved.
In the recent past, e-mails infected with the "ILOVEYOU" and the "Melissa"
viruses were opened by many users.
Today, as a result of training, awareness, policy
and procedures, virus infected e-mails like "Naked Wife"
and "Anna Kournikova" were not opened.
Despite
our successes, we can't underestimate the dangers facing
us in the information age.
Just because we've had little trouble defending
ourselves does not mean we are safe from cyber attack.
The cyber attacks we continue to experience are
real and dangerous.
In the final analysis, our information assurance
posture has ensured cyber attacks are nothing more than
a nuisance with little impact on combat operations,
but we must continue to learn and improve to remain
ahead of the threat.
Information Enterprise Environment and Air Force Posturing
Powerful
and sophisticated threats continue to change, thus challenging
our ability to maintain an information superiority posture.
We work to prevail over these challenges through
a Defense in Depth strategy that integrates the capabilities
of people, operations, and technology.
This strategy ensures we deliver accurate information
to the warfighter anytime, any place.
Our philosophy is simply that security is everyone's
business and that we treat every computer incident as
a potential attack until proven otherwise.
To that end,
we are aggressively pursuing awareness and training
programs.
-
To emphasize that
Information Assurance is the responsibility of every
Air Force member, the Air Force Chief of Staff initiated
a year long IA awareness and implementation campaign
that began in January 2001.
As an Air Force-wide campaign, each Major Command
and Air Force agency sponsors a month and develops the
specific program for that month for the entire Air Force.
The campaign is designed to win battles and win
wars by ensuring all users are aware of and executing
their IA responsibilities.
-
Commanders are involved at all levels to maintain awareness
over threats to and attacks against our networks. We've
established firm guidelines in conjunction with DoD,
for implementing Information Conditions (INFOCONs) which
assure commanders are correctly postured day-to-day
as well as being prepared for network attacks at any time.
In addition, the Air Force modifies its operational
reporting process and now requires mandatory reports
for all network intrusion incidents.
-
The AF participates fully in DoD's Information Assurance
Vulnerability Alert process and further complements
it with our AF Time Compliance Network Order system.
Our effort ensures vulnerabilities are identified
and the risks mitigated through network patches, and
a commensurate command and control reporting system
that is in place at all levels and is auditable.
-
The Air Force's centralized computer emergency response
organization is the 33rd Information Operations Squadron
(a.k.a., the Air Force Computer Emergency Response Team).
At the Forward Edge of the Cyber Battle Area,
our frontline warriors are the communications professionals
in the Major Commands' Network Operations and Security
Centers and base level Network Control Centers.
Together they monitor Air Force networks in real-time
to identify malicious activity.
The 33rd IOS will downward-direct
defensive actions and initiate up-channel reporting
to the Joint Task Force-Computer Network Operations. They are also responsible (in conjunction with the DoD CERT)
for identifying network vulnerabilities and directing
their mitigation and follow-up compliance reporting.
Our network professionals assure day-to-day mission
communications while countering malicious activity.
-
We test our IA security policy and procedures through
compliance inspection activities.
Compliance testing is done through policy directed,
mission based inspections similar to our Operational
Readiness Inspections and Nuclear Surety Inspections
that exercise our installations' ability to survive-to-operate
in an operational environment.
The Air Force Inspector General also focuses
on specific IA management activities through the use
of Special Inspection Items.
The Air Force Information Warfare Center also
conducts several technically based IA assessments to
include: Red Teaming, Computer Security Engineering
Assessments, Multi Disciplinary Vulnerability Assessments,
and Information Assurance Assessment and Assistance
Program Assessments.
Red Teams regularly probe our networks, augmenting
scans performed by the AFCERT and our network control
facilities. We obtain independent validation through
Air Force Audit Agency and Inspector General inspections.
-
We continually exercise and test our networks
to ensure user information is available at the right
time and in the right format.
Scenario events are crafted to allow people to
practice using our processes and tools in a realistic
environment. We
recently participated in CJCS Exercise POSITIVE FORCE
2001, which included the largest Computer Network Defense
exercise to date--the players included nearly every
CINC, all Services, and many Agencies.
Additionally, annual exercises such as the Joint
User Interoperability Communications Exercise (JUICE)
allow us to specifically test deployable communication
configurations and their interfaces to the Global Information
Grid. Besides
providing great training opportunities, these types
of events allow us to refine our equipment configurations,
monitor the applicability of tool sets, and evaluate
our reporting procedures.
-
As a complementary function, the Air Force deploys
several Scope Network support teams to Air Force bases
to fine-tune base-level networks.
These highly skilled, focused teams will completely
baseline the Air Force network's performance by visiting
every Air Force installation this year.
Their enterprise approach will assure standardization,
security configuration, and standard Air Force-wide
network performance.
Scope Network's mission is to optimize and tune
networks to ensure the network and firewalls are properly
configured. Scope Net teams also provide hands-on measurement, analysis, training, and
mentoring to keep Defense in Depth at its strongest
possible capability.
Information content experts complement these
two functions by detecting and directing the efficiencies
of information assets.
We
face a considerable challenge, as does industry, on
the people front to recruit, train, and retain qualified
network technicians able to build, run, and sustain
the information technologies that enable us to be so
effective. While
there are no simple and quick solutions to the people
challenge, we continue to operate at a high state of
readiness. Let me give you some examples:
-
Just as aircraft operators and maintainers must
be certified before working on an aircraft, network
operators and maintainers must be certified before working
on a network.
A Mission-Essential Task List was developed to
ensure strict enforcement of network "mission" qualifications
and that only mission-ready people deploy.
This improves our support for combat operations.
When called, these licensed professionals deploy
in Information Warfare flights consisting of an integrated
Information Operation team to include a deployed Network
Operations Security Center.
-
We recognize that, not only is training our key
IA people important, but we must also find ways to incentivize
people to stay in the Service.
A Gartner Group study determined that
retention comes from both monetary and psychological
compensation.
Monetary compensation for our military members
comes through Selective Reenlistment Bonuses for 17
of our 21 enlisted career fields (including the highest
available bonus for 3 critical career fields).
Air Force leadership is pursuing a critical skills
retention bonus, and a thrift savings plan that matches
funds for critical skills. For our civilian people,
OPM implemented a special salary rate basis for Information
Technology workers. Psychological compensation is provided via several initiatives
that target training, professional development, and
personnel actions.
They include Aerospace Communications-and-Information
Expertise (ACE) officer accession and development strategy,
the Operationalizing and Professionalizing the Network
(OPTN) program includes officer continuing education,
the Keesler Air Force Base Center of Excellence, investing
in basic and advanced communications technical training,
supplemental courses, network training centers and
structured on-the-job (OJT) training, the SCOPE Champion
senior civilian development initiative, and self service
information available on the Air Force portal.
These
efforts inwardly focus on what we're doing to enhance
our people strengths.
We must also maintain our focus on mitigating
the external threats to our networks.
Individual hackers and hacker groups have proliferated
over the last year and we must always remain vigilant
against the potential of these attacks every day.
Good networks, good procedures, good training,
and good protection tools are the bedrock of our defense.
As
I said earlier, viruses remain a potential threat. In the recent past, "ILOVEYOU" and "Melissa" virus
infected e-mails were opened by many and it resulted
in a significant number of our e-mail servers being isolated
from the network to either prevent infection or to clean
the systems due to infection. Today, as a result of
training, awareness, policy and procedures, virus infected
e-mails like "Naked Wife" and "Anna Kournikova" were inoculated
and not opened.
As computer systems users received suspect e-mails,
they took appropriate actions not taken before.
However, these examples provide a stark reminder
that we CANNOT ever let our guard down.
Let
me point out what we are doing or have done to mitigate
threats to our information systems:
- network lock downs
- known vulnerabilities closed
- standardized base information protection and firewall configurations
- installed automated anti-virus software and alerting all units when a new virus appears
- using intrusion detection systems
- standardizing internet scanning tools
- network consolidation actions and building 9 Network Operations and Security Centers
We
also developed and fielded a suite of defensive tools
for our deployed Network Control Centers and Network
Operations and Security Centers.
Way Ahead--Roadmap
We've
accomplished a lot over the past year, but we must continue
to raise the bar.
Just as Congress saw the need for stronger information
system security by passing the Government Information
Security Reform within the FY2001 Defense Authorization
Act, the Air Force is and will continue to push for
greater security. Several key initiatives are highlighted below.
-
Technology/Architectures.
The Air Force continues to upgrade the information technology
components at all operating locations.
Our Combat Information Transport System (CITS)
Network Management System and Base Information Protection
Program is entering its third phase, as described in
the beginning of this testimony.
In the first two phases, the Air Force provided
the hardware needed to protect our base network boundaries,
including firewalls, intrusion detection systems, standardized
network management systems at active duty and reserve
AF bases, and virtual private networks to geographically
separated units.
Phase three provides toolsets needed to manage
and protect the Air Force Enterprise through Major Commands'
Network Operations and Security Centers and the Air
Force Network Operations Center.
-
In conjunction with the fielding of these toolsets,
we are creating an Air Force Intranet to limit our exposure
to the Internet.
We are reducing our gateways from 109 base enclaves
to 9 Network Operations and Security Centers.
In addition, we are establishing a common user
virtual private network to secure and protect all network
traffic among Air Force sites.
We are also establishing community of interest
virtual private networks to protect specific functional
users.
-
We benchmarked corporate Info Tech concepts with
industry IT leaders and are now on the fast track to
implement an Air Force Enterprise as part of the Global
Information Grid.
We are moving from a system of stand-alone information
systems supporting individual functional communities
to "network-centric" operations using web-enabled applications
supporting multiple users.
-
Public Key Infrastructure
(PKI). Another
technology we are incorporating into our Defense in
Depth strategy is the use of a common, integrated, interoperable
DoD Public Key Infrastructure to enable security services
at multiple levels of assurance.
-
Common Access
Card (CAC). We are adopting smart card technology
throughout the USAF. The CAC will replace the standard identification card for military,
civilian and eligible contractors.
This smart card will be used to enable physical
access to buildings and controlled spaces and will be
used to gain access to the Department's computer network
capabilities.
-
Biometrics.
Thanks to Congressionally provided monies, the AF has
moved out smartly to implement biometrics initiatives
in support of DoD efforts.
Our strategy is to evaluate technologies to support
the Information Assurance Roadmap along with Force Protection,
Medical Readiness, Nuclear Surety, and Weapons Systems
Protection. We
established a formal partnership with the Army's Biometrics
Management Office and their Biometrics Fusion Center.
We are developing our own pilot program at the
Air Force Communications Agency.
-
Cryptographic
Modernization Roadmap. Air
Force supports the National Security Agency and OSD
effort to modernize our cryptographic capabilities.
We have partnered with our operational and acquisition
communities to identify our most critical requirements.
-
Presidential
Decision Directive 63 (Critical
Infrastructure Protection).
The Air Force is marching lockstep with the broad
federal and DoD efforts to protect our critical infrastructures.
We have functional community representatives
for each critical sector developing their Defense Infrastructure
Sector Assurance Plans.
Additionally, we are working with DoD and looking
for ways to improve on-going functional assessment processes
toward an integrated vulnerability assessment approach.
-
Leadership and Organizational Initiatives.
-
Information Operations
General Officer Steering Group (IO GOSG). In March 2000, a cross functional senior Air Force
steering group reviewed how we organize, train, equip
and sustain IO forces; provided guidance and direction
to ensure successful integration of the significant
investments we made and were projected to make. The
next IO GOSG is scheduled for June 2001.
That meeting will address a wide range of issues
to include: depiction of our tactical,
operational and strategic information, network protection,
and architecture defense, and finalization of Air Force
Doctrine 2-5.
-
Information Assurance
Steering Group.
The Air Force also established a cross-functional
IA Steering Group to review, develop, coordinate and
recommend IA positions.
The steering group is composed of senior-level
officers and key civilians from throughout the Air Force.
Representatives from across the research and
development, acquisition, policy and operations communities
meet to review Air Force IA strategy, policy, architectures,
technology, programs and associated funding requirements.
The steering group's intent is to provide a clear
and consistent IA policy, mitigate duplication of efforts,
and coordinate organizational efforts to ensure that
the Air Force has the resources to implement its IA
strategy.
-
Information Operations
Numbered Air Force (IO NAF).
On 1 February 2001, the Air Force realigned
our IO warfighting forces under existing Numbered Air
Force (NAF) command and control structure.
Our Air Intelligence Agency (which was previously
a Field Operating Agency subordinate to the HQ USAF,
Deputy Chief of Staff for Operations) was realigned
under the Air Combat Command's 8th AF strengthening
the Air Force's command and control capabilities for
Information Assurance and Information Operations.
-
Air Force Network
Operations and Security Center (AFNOSC).
The USAF is developing an AFNOSC to fully integrate
network security and operations functions under a single
commander with tactical control to direct enterprise-level
actions. This
unified capability should result in an integrated, common
operational picture with a rapid response and surge
capacity and a high level of survivability for continuity
of operations.
The AFNOSC will be the "tip of the spear" for
all USAF network management, information assurance,
and computer network defense.
-
Military Communications
Electronics Board (MCEB).
Communications among the Services and Agencies
is critical to warfighter success.
We participate in the MCEB functionally oriented
panels. The
functions included are C4I and Data Systems Interoperability,
Frequency Management, IA, Military Communications Procedures
and Publications, Standards, Networks Operations, and
Interoperability Testing.
The MCEB coordinates on operational guidance
and direction to the CINCs, Services, and Agencies.
The
Air Force is focused on the right issues and building
the programs that provide the best information service
and information protection possible. Our Air Force Posture
Statement highlights the importance of Information Superiority
and Information Assurance and our programs demonstrate
our commitment to that goal.
We need support for all levels for our Information
Assurance and base infostructure programs.
Our Information Technology Exhibit will support
the Air Force effort to leverage networked information
systems that guarantee our Information Superiority.
Information Assurance is my highest priority,
and the Air Force is committing resources to provide
it, but we could still do more.
We're ready to put any additional resources to
work, whether it is funding additional Combat Information
Transport System capabilities, accelerating implementation
of the base infostructure, securing all internet connections
including our telephone switches, or for training and
retaining people for the future.
We
need to explore avenues to successfully investigate
and prosecute computer intrusion, computer vandalism,
and computer crimes. The foundation of our Information Technology laws owes
its legacy to telecommunications law and specifically
links back to the Communications Act of 1934.
It was good and appropriate for its time.
However, the cyber world is moving at light speed
and we need laws that deal with today's reality.
The ability to track down or search for hackers
who vandalize web pages or organized hacking groups
that infiltrate information systems and extract sensitive
information CANNOT hinge upon outdated criminal or civil
legal processes. The law needs to catch up with the realities of cyber crime
and investigative needs by "out of box thinking" such
as use of verbal search requests and dedicated IT-trained
approval magistrates.
It is our understanding that the Department of
Justice is considering legislation to address these
issues, and any such effort warrants your fullest attention.
We also need to send a clear and hard-hitting
public message--you violate the computer network laws,
we will hunt you down and hold you accountable.
As
presented earlier, any and all additional compensation
opportunities for our communications and information
warriors--our intellectual capital--are welcomed and
encouraged. We
will use this, for example, for critical skills training
and to fund additional communications officer and enlisted
continuation education.
Our
Nation and our Air Force can be very proud of our communications
and information warriors.
Throughout the spectrum of conflict and in the
competency of Information Superiority and Decision Superiority,
the US military has no peer. The United States Air Force is organized to win, prepared for
the now and the future, and committed to supporting
our nation's security needs--anytime, anywhere.