LIEUTENANT GENERAL JOHN L. WOODWARD, JR, USAF
Deputy Chief of Staff, Communications and Information
United States Air Force
Chairman, distinguished members of the committee, thank
you for your continued interest in this nationally important
is the Air Force's fourth opportunity to provide testimony
on this important subject.
Through the support of Congress, our journey
over the last four years has continued to strengthen
our network protection posture.
As an aerospace force, information and decision
superiority remain critical to Air Force's global vigilance,
reach, and power.
As our Air Force Chief of Staff, Gen Ryan states,
"Our information systems and networks go to war with
us-and because they are part of the fight-we must treat
them as weapon systems."
1997, the Air Force began its work to create a strong
network protection posture as it transformed its doctrine
to establish Information Superiority as a critical warfighter-enabling
that time, we had plans in place to provide every Air
Force base with an intrusion detection system.
Although we began to field firewalls, they were
the exception. In addition to prototyping base network
control centers, we developed a Defense in Depth security
concept, known as Barrier Reef, and our Air Force Computer
Emergency Response Team
(AFCERT) was starting its fourth year of operation.
1998, with Congressional funding support, we completed
an aggressive program to install an initial suite of
network management capabilities and base information
protection (NMS/BIP) tools at 109 bases. We also installed firewalls, scanning tools, and network management
tools at our main bases.
We were in full swing with our concept of "Operationalizing
and Professionalizing the Networks", in other words,
we were treating networks like the weapon systems they
had become. To
maximize the effectiveness of our deployable networks
and ensure the skills to manage them are widely available,
the tools fielded with our Theater Deployable Communications
suites (our go-to-war communications package) mirror
the core tools installed at our fixed bases.
1999, the AFCERT became the Air Force component to the
Joint Task Force for Computer Network Defense and we
published our initial Information Operations Doctrine.
Every Air Force base had a Network Control Center
with an initial network protection tool set and we began
establishing Network Operations and Security Centers
at our Major Commands. Following Operation DESERT FOX
we shored up our cyber defenses as intrusion attempts
into our base networks continued to grow.
the year 2000, intrusion detection systems were protecting
every Air Force base, actively scanning our networks
for malicious activity and vulnerabilities.
We upgraded our information protection tool sets
and we operationally tasked our Network Control Centers
to report their readiness, like every major weapon system,
through the Status of Resources and Training System. We are running a world class weapon system, our network, but
the threats to it are real and dangerous.
Operation ALLIED FORCE tested our mettle and
we withstood what many refer to as the first "cyber
my testimony today, I will focus my remarks on our operational
Information Assurance successes, the network environment
we work in, and the Air Force way ahead with Information
Air Force has adopted and directed an exciting concept
called One Air Force-One Network.
This concept revolves around an enterprise, or
corporate networking environment, and capitalizes on
industry best practices.
The Air Force is leveraging the power of the
net and is putting that power in every airman's hand.
In fact, we continue to leverage information
superiority for combat success even though our communications
networks are repeatedly subjected to probing, barrages
of E-mail, and the "virus of the week" program.
However, mission operations continue unaffected.
Let me illustrate with a few examples:
Our integrated information enterprise captured over
315 million suspicious connection attempts last year
on our AF sensor grid which resulted in one unauthorized
connection by an outsider for every 20 million suspicious
In all, no mission impacts occurred.
This is information assurance.
The Air Force recently raised our Information Condition
(INFOCON) to a higher state of readiness because of
the advertised hacker activity after the EP-3 incident.
We have successfully combated increased hacking
incidents against our mission capability.
Critical to the success of any Expeditionary
Aerospace Force is the previously mentioned Theater
Deployable Communications (TDC).
To date, we fielded over thirty-three lightweight
multi-band satellite terminal providing long haul reachback
integrated communications access package that provides
deployed base communications infostructure similar to
the fixed bases was certified for joint interoperability.
The reachback concept continues to work well for our
Global Reach and Power missions.
Our information systems, consisting of both commercial
off-the-shelf and military communications equipment,
enabled reliable, timely reachback to the continental
United States for intelligence, logistics and people
support that otherwise would have had to deploy forward
to Joint Task Force-South West Asia.
Our response to viruses has also improved.
In the recent past, the "ILOVEYOU" and the "Melissa"
viruses infected e-mails were opened by many users.
Today, as a result of training, awareness, policy
and procedures, virus infected e-mails like "Naked Wife"
and "Anna Kournikova" were not opened.
our successes, we can't underestimate the dangers facing
us in the information age.
Just because we've had little trouble defending
ourselves does not mean we are safe from cyber attack.
The cyber attacks we continue to experience are
real and dangerous.
In the final analysis, our information assurance
posture has ensured cyber attacks are nothing more than
a nuisance with little impact on combat operations,
but we must continue to learn and improve to remain
ahead of the threat.
Enterprise Environment and Air Force Posturing
and sophisticated threats continue to change, thus challenging
our ability to maintain an information superiority posture.
We work to prevail over these challenges through
a Defense in Depth strategy that integrates the capabilities
of people, operations, and technology.
This strategy ensures we deliver accurate information
to the warfighter anytime, any place.
Our philosophy is simply that security is everyone's
business and that we treat every computer incident as
a potential attack until proven otherwise.
To that end,
we are aggressively pursuing awareness and training
To emphasize that
Information Assurance is the responsibility of every
Air Force member, the Air Force Chief of Staff initiated
a year long IA awareness and implementation campaign
that began in January 2001.
As an Air Force-wide campaign, each Major Command
and Air Force agency sponsors a month and develops the
specific program for that month for the entire Air Force.
The campaign is designed to win battles and win
wars by ensuring all users are aware of and executing
their IA responsibilities.
Commanders are involved at all levels to maintain awareness
over threats to and attacks against our networks. We've
established firm guidelines in conjunction with DoD,
for implementing Information Conditions (INFOCONs) which
assure commanders are correctly postured day-to-day
as well as being prepared for network attacks at anytime.
In addition, the Air Force modifies its operational
reporting process and now requires mandatory reports
for all network intrusion incidents.
The AF participates fully in DoD's Information Assurance
Vulnerability Alert process and further compliments
it with our AF Time Compliance Network Order system.
Our effort ensures vulnerabilities are identified
and the risks mitigated through network patches, and
a commensurate command and control reporting system
that is in place at all levels and is auditable.
The Air Force's centralized computer emergency response
organization is the 33rd Information Operations Squadron
(a.k.a., the Air Force Computer Emergency Response Team).
At the Forward Edge of the Cyber Battle Area,
our frontline warriors are the communications professionals
in the Major Commands' Network Operations and Security
Centers and base level Network Control Centers.
Together they monitor Air Force networks in real-time
to identify malicious activity.
The 33rd IOS will downward-direct
defensive actions and initiate up-channel reporting
to the Joint Task Force-Computer Network Operations. They are also responsible (in conjunction with the DoD CERT)
for identifying network vulnerabilities and directing
their mitigation and follow-up compliance reporting.
Our network professionals assure day-to-day mission
communications while countering malicious activity.
We test our IA security policy and procedures through
compliance inspection activities.
Compliance testing is done through policy directed,
mission based inspections similar to our Operational
Readiness Inspections and Nuclear Surety Inspections
that exercise our installations' ability to survive-to-operate
in an operational environment.
The Air Force Inspector General also focuses
on specific IA management activities through the use
of Special Inspection Items.
The Air Force Information Warfare Center also
conducts several technically based IA assessments to
include: Red Teaming, Computer Security Engineering
Assessments, Multi Disciplinary Vulnerability Assessments,
and Information Assurance Assessment and Assistance
Red Teams regularly probe our networks, augmenting
scans performed by the AFCERT and our network control
facilities. We obtain independent validation through
Air Force Audit Agency and Inspector General inspections.
We continually exercise and test our networks
to ensure user information is available at the right
time and in the right format.
Scenario events are crafted to allow people to
practice using our processes and tools in a realistic
recently participated in CJCS Exercise POSITIVE FORCE
2001, which included the largest Computer Network Defense
exercise to date--the players included nearly every
CINC, all Services, and many Agencies.
Additionally, annual exercises such as the Joint
User Interoperability Communications Exercise (JUICE)
allow us to specifically test deployable communication
configurations and their interfaces to the Global Information
providing great training opportunities, these types
of events allow us to refine our equipment configurations,
monitor the applicability of tool sets, and evaluate
our reporting procedures.
As a complementary function, the Air Force deploys
several Scope Network support teams to Air Force bases
to fine-tune base-level networks.
These highly skilled, focused teams will completely
baseline the Air Force network's performance by visiting
every Air Force installation this year.
Their enterprise approach will assure standardization,
security configuration, and standard Air Force-wide
Scope Network's mission is to optimize and tune
networks to ensure the network and firewalls are properly
configured. Scope Net teams also provide hands-on measurement, analysis, training, and
mentoring to keep Defense in Depth at its strongest
Information content experts complement these
two functions by detecting and directing the efficiencies
of information assets.
face a considerable challenge, as does industry, on
the people front to recruit, train, and retain qualified
network technicians able to build, run, and sustain
the information technologies that enable us to be so
there are no simple and quick solutions to the people
challenge, we continue to operate at a high state of
readiness. Let me give you some examples:
Just as aircraft operators and maintainers must
be certified before working on an aircraft, network
operators and maintainers must be certified before working
on a network.
A Mission-Essential Task List was developed to
ensure strict enforcement of network "mission" qualifications
and that only mission-ready people deploy.
This improves our support for combat operations.
When called, these licensed professionals deploy
in Information Warfare flights consisting of an integrated
Information Operation team to include a deployed Network
Operations Security Center.
We recognize that, not only is training our key
IA people important, but we must also find ways to incentivize
people to stay in the Service.
A Gartner Group study determined that
retention comes from both monetary and psychological
Monetary compensation for our military members
comes through Selective Reenlistment Bonuses for 17
of our 21 enlisted career fields (including the highest
available bonus for 3 critical career fields).
Air Force leadership is pursuing a critical skills
retention bonus, and a thrift savings plan that matches
funds for critical skills. For our civilian people,
OPM implemented a special salary rate basis for Information
Technology workers. Psychological compensation is provided via several initiatives
that target training, professional development, and
They include Aerospace
Communications-and-Information Expertise (ACE)
and development strategy, the Operationalizing
the Network (OPTN) program includes officer continuing
education, the Keesler Air Force Base
Center of Excellence, investing
and advanced communications technical training,
network training centers and structured on-the-job (OJT)
training, the SCOPE
Champion senior civilian development initiative, and
self service information available on the Air Force
efforts inwardly focus on what we're doing to enhance
our people strengths.
We must also maintain our focus on mitigating
the external threats to our networks.
Individual hackers and hacker groups have proliferated
over the last year and we must always remain vigilant
against the potential of these attacks every day.
Good networks, good procedures, good training,
and good protection tools are the bedrock of our defense.
I said earlier, viruses remain a potential threat. In the recent past, "I LOVEYOU" and "Melissa" virus
infected e-mails were opened by many and it resulted
in significant number of our e-mail servers being isolated
from the network to either prevent infection or to clean
the systems due to infection. Today, as a result of
training, awareness, policy and procedures, virus infected
e-mails like "Naked Wife" and "Anna Kournikova" inoculated
and not opened.
As computer systems users received suspect e-mails,
they took appropriate actions not taken before.
However, these examples provide a stark reminder
that we CANNOT ever let our guard down.
me point out what we are doing or have done to mitigate
threats to our information systems:
network lock downs
known vulnerabilities closed
standardized base information protection and
installed automated anti-virus software and altering
all units when a new virus appears
using intrusion detection systems
standardizing internet scanning tools
network consolidation actions and building 9
Network Operations and Security Centers
also developed and fielded a suite of defensive tools
for our deployed Network Control Centers and Network
Operations and Security Centers.
accomplished a lot over the past year, but we must continue
to raise the bar.
Just as Congress saw the need for stronger information
system security by passing the Government Information
Security Reform within the FY2001 Defense Authorization
Act, the Air Force is and will continue to push for
greater security. Several key initiatives are highlighted below.
The Air Force continues to upgrade the information technology
components at all operating locations.
Our Combat Information Transport System (CITS)
Network Management System and Base Information Protection
Program is entering its third phase, as described in
the beginning of this testimony.
In the first two phases, the Air Force provided
the hardware needed to protect our base network boundaries,
including firewalls, intrusion detection systems, standardized
network management systems at active duty and reserve
AF bases, and virtual private networks to geographically
Phase three provides toolsets needed to manage
and protect the Air Force Enterprise through Major Commands'
Network Operations and Security Centers and the Air
Force Network Operations Center.
In conjunction with the fielding of these toolsets,
we are creating an Air Force Intranet to limit our exposure
to the Internet.
We are reducing our gateways from 109 base enclaves
to 9 Network Operations and Security Centers.
In addition, we are establishing a common user
virtual private network to secure and protect all network
traffic among Air Force sites.
We are also establishing community of interest
virtual private networks to protect specific functional
We benchmarked corporate Info Tech concepts with
industry IT leaders and are now on the fast track to
implement an Air Force Enterprise as part of the Global
We are moving from a system of stand-alone information
systems supporting individual functional communities
to "network-centric" operations using web-enabled applications
supporting multiple users.
Public Key Infrastructure
technology we are incorporating into our Defense in
Depth strategy is the use of a common, integrated, interoperable
DoD Public Key Infrastructure to enable security services
at multiple levels of assurance.
Card (CAC). We are adopting smart card technology
throughout the USAF. The CAC will replace the standard identification card for military,
civilian and eligible contractors.
This smart card will be used to enable physical
access to buildings and controlled spaces and will be
used to gain access to the Department's computer network
Thanks to Congressionally provided monies, the AF has
moved out smartly to implement biometrics initiatives
in support of DoD efforts.
Our strategy is to evaluate technologies to support
the Information Assurance Roadmap along with Force Protection,
Medical Readiness, Nuclear Surety, and Weapons Systems
established a formal partnership with the Army's Biometrics
Management Office and their Biometrics Fusion Center.
We are developing our own pilot program at the
Air Force Communications Agency.
Modernization Roadmap. Air
Force supports the National Security Agency and OSD
effort to modernize our cryptographic capabilities.
We have partnered with our operational and acquisition
communities to identify our most critical requirements.
Decision Directive 63 (Critical
The Air Force is marching lockstep with the broad
federal and DoD efforts to protect our critical infrastructures.
We have functional community representatives
for each critical sector developing their Defense Infrastructure
Sector Assurance Plans.
Additionally, we are working with DoD and looking
for ways to improve on-going functional assessment processes
toward an integrated vulnerability assessment approach.
Leadership and Organizational Initiatives.
General Officer Steering Group (IO GOSG). In March 2000, a cross functional senior Air Force
steering group reviewed how we organize, train, equip
and sustain IO forces; provided guidance and direction
to ensure successful integration of the significant
investments we made and were projected to make. The
next IO GOSG is scheduled for June 2001.
That meeting will address a wide range of issues
to include: depiction of our tactical,
operational and strategic information, network protection,
and architecture defense, and finalization of Air Force
The Air Force also established a cross-functional
IA Steering Group to review, develop, coordinate and
recommend IA positions.
The steering group is composed of senior-level
officers and key civilians from throughout the Air Force.
Representatives from across the research and
development, acquisition, policy and operations communities
meet to review Air Force IA strategy, policy, architectures,
technology, programs and associated funding requirements.
The steering group's intent is to provide a clear
and consistent IA policy, mitigate duplication of efforts,
and coordinate organizational efforts to ensure that
the Air Force has the resources to implement its IA
Numbered Air Force (IO NAF).
On 1 February 2001, the Air Force realigned
our IO warfighting forces under existing Numbered Air
Force (NAF) command and control structure.
Our Air Intelligence Agency (which was previously
a Field Operating Agency subordinate to the HQ USAF,
Deputy Chief of Staff for Operations) was realigned
under the Air Combat Command's 8th AF strengthening
the Air Force's command and control capabilities for
Information Assurance and Information Operations.
Air Force Network
Operations and Security Center (AFNOSC).
The USAF is developing an AFNOSC to fully integrate
network security and operations functions under a single
commander with tactical control to direct enterprise-level
unified capability should result in an integrated, common
operational picture with a rapid response and surge
capacity and a high level of survivability for continuity
The AFNOSC will be the "tip of the spear" for
all USAF network management, information assurance,
and computer network defense.
Electronics Board (MCEB).
Communications among the Services and Agencies
is critical to warfighter success.
We participate in the MCEB functionally oriented
functions included are C4I and Data Systems Interoperability,
Frequency Management, IA, Military Communications Procedures
and Publications, Standards, Networks Operations, and
The MCEB coordinates on operational guidance
and direction to the CINCs, Services, and Agencies.
Air Force is focused on the right issues and building
the programs that provide the best information service
and information protection possible. Our Air Force Posture
Statement highlights the importance of Information Superiority
and Information Assurance and our programs demonstrate
our commitment to that goal.
We need support for all levels for our Information
Assurance and base infostructure programs.
Our Information Technology Exhibit will support
the Air Force effort to leverage networked information
systems that guarantee our Information Superiority.
Information Assurance is my highest priority,
and the Air Force is committing resources to provide
it, but we could still do more.
We're ready to put any additional resources to
work, whether it is funding additional Combat Information
Transport System capabilities, accelerating implementation
of the base infostructure, securing all internet connections
including our telephone switches, or for training and
retaining people for the future.
need to explore avenues to successfully investigate
and prosecute computer intrusion, computer vandalism,
and computer crimes. The foundation of our Information Technology laws owes
its legacy to telecommunications law and specifically
links back to the Communications Act of 1934.
It was good and appropriate for its time.
However, the cyber world is moving at light speed
and we need laws that deal with today's reality.
The ability to track down or search for hackers
who vandalize web pages or organized hacking groups
that infiltrate information systems and extract sensitive
information CANNOT hinge upon outdated criminal or civil
legal processes. The law needs to catch up with the realities of cyber crime
and investigative needs by "out of box thinking" such
as use of verbal search requests and dedicated IT-trained
It is our understanding that the Department of
Justice is considering legislation to address these
issues, and any such effort warrants your fullest attention.
We also need to send a clear and hard-hitting
public message--you violate the computer network laws,
we will hunt you down and hold you accountable.
presented earlier, any and all additional compensation
opportunities for our communications and information
warriors--our intellectual capital--is welcomed and
will use this, for example, for critical skills training
and to fund additional communications officer and enlisted
Nation and our Air Force can be very proud of our communications
and information warriors.
Throughout the spectrum of conflict and in the
competency of Information Superiority and Decision Superiority,
the US military has no peer. The United States Air Force is organized to win, prepared for
the now and the future, and committed to supporting
our nation's security needs--anytime, anywhere.