Hearing of the Terrorism, Unconventional Threats and Capabilities Subcommittee of the House Armed Services Committee - Cyberspace As a War-Fighting Domain: Policy, Management and Technical Challenges to Mission Assurance
Chaired By: Rep. Adam Smith (D-WA)
Witnesses: Lieutenant General William Shelton, Chief Of War-Fighting Integration, Chief Information Officer, Office Of The Secretary Of The Air Force; Robert Lentz, Deputy Assistant Secretary Of Defense For Cyber, Identify And Information Assurance And Senior Information Assurance Official, Department Of Defense; Lieutenant General Keith Alexander, Commander, Joint Functional Component Command Network Warfare, Director, National Security Agency, Department Of Defense; Rob Carey, Chief Information Officer (Doncio), U.S. Navy; Mike Krieger, Deputy Chief Information Officer/G-6, U.S. Army
Copyright ©2009 by Federal News Service, Inc., Ste. 500, 1000 Vermont Ave, Washington, DC 20005 USA. Federal News Service is a private firm not affiliated with the federal government. No portion of this transcript may be copied, sold or retransmitted without the written authority of Federal News Service, Inc. Copyright is not claimed as to any part of the original work prepared by a United States government officer or employee as a part of that person's official duties. For information on subscribing to the FNS Internet Service at www.fednews.com, please email Carina Nyberg at email@example.com or call 1-202-216-2706.
REP. SMITH: (In progress.) And then I got waylaid by a conversation on my way over here. But I do want to thank all of you for being here today. Appreciate your presence on this very important topic and look forward to hearing from all of you.
I will keep my opening statement very, very brief except to say that cyber security is an incredibly important element of our national security with many, many complex pieces to it. It obviously involves a multiagency process, also involves the private sector and a variety of different challenges that are very complicated and complex.
And our goal in this committee is to help work with the new administration and all of the appropriate agencies to try to develop a comprehensive strategy to approach our network security needs and our broader cyber-security interests to try to get us to the point where we have at least some idea of what the plan is and are working closely together on how to implement that with all the different pieces out.
And I look forward to the testimony. We have a very, very distinguished panel that will help shed some light on this issue and help let us know what the pathway forward is.
And with that I will yield to our ranking member, Mr. Miller, for any opening statement that he might have.
REP. JEFF MILLER (R-FL): Thank you very much, Mr. Chairman. I have a full statement that I would like submitted into the record. I associate myself with your remarks.
And as we all know, breaches in our security have taken place time and time again. The Joint Strike Fighter Program highlights the vulnerability that currently exists today. Our charge is to help you get the job done, and that's what we are here for. So thank you.
REP. SMITH: Thank you.
And just -- one further thought. It's not just a matter of cyber security preventing attacks. We need to look at our entire systems, our entire IT infrastructure in terms of what we need to get out of it and how to best make that system work on a variety of different needs, including, of course, making sure that it is protected from our adversaries or those who wish to do us harm.
With that, I will introduce the panel. I will go -- introduce all of you, and then we'll just start with Mr. Krieger and work our way across the panel. As you've noticed there's five of you, and try to keep testimony between five and 10 minutes at most. We don't want to go on too long before we get into the interaction. I know that's very difficult on a subject this complex, but appreciate your cooperation so we can get into the questions from the members.
So I will introduce the panel. First we have Mr. Mike Krieger, who is the deputy chief information officer for the U.S. Army; Mr. Rob Carey, who is the chief information officer for the U.S. Navy; and we have Lieutenant General William Shelton, United States Air Force, chief of war-fighting integration, chief information officer, Office of the Secretary of the Air Force. We have Mr. Robert Lentz, who is the deputy assistant secretary of Defense for Cyber Identity Management and Information Assurance. That sounds like a complicated job, and it is. And last, we have Lieutenant General Keith Alexander, who is the director of the National Security Agency.
We appreciate all of you being here. Look forward to your testimony and to the Q&A that follows.
MR. KRIEGER: Good afternoon, Chairman Smith, Congressman Miller and distinguished members of the subcommittee.
As the United States Army's deputy chief information officer and deputy G-6, I am pleased to appear before the subcommittee this afternoon to discuss the Army's activities to address the challenges to enhance mission assurance in cyber space as a war-fighting domain.
The Army believes that our enterprise network, known as LandWarNet, must be viewed as a critical enabler for the warfighter. This requires a change in our culture for which the Army is revising policies, management of people in the network and enhancing technical capabilities to better detect, assess and respond to cyberspace attacks.
The Army is transitioning to a continental U.S.-based expeditionary force. To support this force, the Army is adapting our institutions and LandWarNet. General Casey recently signed a memorandum to transform LandWarNet to a new Global Network Enterprise Construct, or GNEC, that is more secure, economical and seamless. General Casey also designated the Network Enterprise Technology Command reporting to the chief information officer as the single command for network operations of the Army's generating force networks.
The Army is implementing many new policies to improve cyber security. These policies concentrate on protecting information, defending systems and creating an empowered work force.
Addressing the management challenges of training our cyber warriors and protecting our network remain top priorities in the Army. The Army is reviewing the development and tracking of its overall work force and looking to update the career management fields for conducting cyber space operations.
Successfully mitigating cyber space attacks and vulnerabilities requires unity of command and effort not only between the Army, other services and the combatant commands but within the Army staff. We have realigned organizations to streamline the command and control over the network and are creating an Army cyber task force to better define and oversee cyber space operations.
To meet the many technical challenges the Army faces we have taken many initiatives, which include a data-at-rest encryption solution, a secure two-way wireless capability, and we are working with the defense industrial base to protect technologies used to build our future networks and major weapons systems.
In conclusion, the Army is taking action to mitigate persistent cyberspace threats. Using GNEC, the Army is addressing the challenge of changing the culture to view the network as a critical enabler for the warfighter. The Army's commitment to transforming LandWarNet will ensure commanders have the ability to control, defend and fight the network as one enterprise.
I thank the subcommittee for affording me the opportunity to share the Army's activities to operate an enhanced mission assurance in cyberspace as a war-fighting domain. This concludes my remarks and I look forward to answering your questions.
REP. SMITH: Thank you very much.
MR. CAREY: Thank you, Mr. Chairman.
Chairman Smith, Congressman Miller, distinguished subcommittee members, thank you for the opportunity to appear before you today. I have provided a written statement and request that it be entered into the record.
I'd like to use this time to briefly highlight some of our key initiatives that will ensure the Department of Navy's success in the cyberspace domain.
It is a time of great change. And as the Department of the Navy chief information officer, I have the honor to work across the entire Navy Marine Corps team, harnessing the power of information technology for our sailors, Marines and civilians.
Our efforts in the cyberspace domain span our mission sets and mandate that we defend the information for the warfighters as well as protect the privacy of our naval team. The cyberspace domain is one in which we must prevail.
The department remains on a course for interoperable net-centric operations that will link warriors, sensors, networks, command and control platforms, weapons and commanders into a networked, distributed combat force. Key to our success will be the ability to balance the polarity between the need to share information and our requirement to protect it against cyber threats.
We have made great strides in the areas of policy, management and technical challenges that are enabling us to achieve this balance. Together with our industry partners we've created an enterprise network structure comprised of the Navy Marine Corps Intranet, the department's shore-based network; Information Technology 21 for our float forces; ONE-NET for our Navy outside of CONUS forces; and the Marine Corps Enterprise Network as our contribution to the DOD vision of a trusted, dependable, ubiquitous network.
We have seen the power of a single enterprise network improving access, control, interoperability, and information security. And as we move toward the Naval Network Environment 2016, our continued consolidation using the next-generation enterprise network and a defense in depth and breadth will further enable our ability to serve the warfighters with assured information.
Our computer network defense efforts are comprised of a broad array of initiatives to ensure a defense in depth. And while we are making progress, much work remains. We leverage industry best practices and standards such as public key infrastructure encryption, data-at-rest encryption, and host-based security systems to strengthen our cybersecurity.
Our brave sailors and Marines deployed far from home in harm's way are the heart and soul of our organization. What they know and how they translate that knowledge through sound decisions into action will define how successful we are. And so we are committed to providing them the information and tools they need to stay current and defend the cyberspace domain in an increasingly complex technology- based environment.
Thank you for your support of our information technology initiatives and our efforts to achieve net-centric operations and decision superiority. I'm happy to answer any questions that you may have.
REP. SMITH: Thank you very much.
GEN. SHELTON: Good afternoon, Chairman Smith, Congressman Miller, distinguished members of the subcommittee. I'm pleased to be here today along with members of the DOD's cyber leadership team to appear before you and address our efforts to meet the challenges in the cyberspace domain.
Several years ago the U.S. Air Force recognized the growing importance of cyberspace. On December 7th, 2005, we took the unprecedented step of adding cyberspace to our mission statement and placed that domain on an equal footing with our more traditional operating environments of air and space. Since that time, we have been moving forward to organize, train and equip our Air Force for defensive and offensive capabilities in cyberspace for joint operations.
As we have continued our study of cyberspace, we are finding that the most significant challenge we face is the constantly evolving nature of the threat in cyberspace. Threats in cyberspace move at the speed of light, and we are literally under attack every day as our networks are constantly probed and our adversaries seek to exploit vulnerabilities in our network enterprise.
I'd like to thank the committee for its support and for this opportunity to highlight the outstanding efforts of the dedicated men and women of the United States Air Force to help secure the nation in cyberspace. This domain is both highly complex and extremely challenging, but it is one that the Air Force is fully embracing.
Thank you again and I look forward to your questions.
REP. SMITH: Thank you, General.
MR. LENTZ: Good afternoon, Chairman Smith, Congressman Miller and members of the subcommittee. I am pleased to appear before the subcommittee to discuss initiatives to enhance the department's and the nation's information assurance cybersecurity posture. This is a critical priority for the Department of Defense.
With information and information technology assets distributed over a vast enterprise and with diverse domestic and international partners, we know that we cannot execute operations without the GIG, the Global Information Grid, or the DOD networks. The GIG is where business goods and services are coordinated, where medical information resides, where intelligence data is fused, where weapons platforms are designed, built and maintained, where commanders plan operations and control forces, and where training, readiness, morale and welfare is sustained.
Maintaining freedom of action in cyberspace is critical to the department and to the nation. Therefore, the department is focused on building and operating the GIG as a joint global enterprise. This enterprise network approach coupled with skilled users, defenders and first responders and in partnership with the intelligence and homeland security communities will allow us to more readily identify and respond to cyber attacks.
The DOD information assurance cybersecurity program is thus aimed at ensuring that DOD missions and operations continue under any cyber situation or condition and the cyber components of DOD weapons systems perform as expected.
There are many examples of current initiatives in my statement for the record. I will quickly highlight a few today.
To protect sensitive data on mobile and portable devices like laptops, we helped make discounted encryption products available to all federal, state, local and tribal government agencies and to NATO. Since July of '07 the resulting the U.S. government cost avoidance has exceeded $98 million.
To address cybersecurity risks to the defense industrial base we have put in place a multifaceted pilot for threat and vulnerability- sharing incident reporting and damage assessments.
For the global supply chain the department has launched a program to protect mission-critical systems. This year we are establishing four centers of excellence to support program executive offices and supply chain risk mitigation throughout the system life cycle. Additionally, we are executing vulnerability assessments in accordance with the '09 National Defense Appropriations Act.
We continue to rely on the National Centers of Academic Excellence in IA Education for critical cybersecurity skills. There are currently 94 centers in 38 states and the District of Columbia. One of the centers, the University of Nebraska at Omaha, co-sponsored and hosted last year's fifth annual international cyber defense workshop.
In 2008, the department helped bring cybersecurity to the Wounded Warrior Program. Wounded, disabled and transitioning veterans are receiving no-cost vocational training in digital forensics, a critical technical shortfall for the nation and for the department. The program started at Walter Reed and is being expanded to other DOD and VA hospitals.
In conclusion, the DOD CIO is working towards a resilient and defendable core network for the department and for the nation in the face of the daunting security challenges. We are preparing the GIG and the GIG-dependent missions to operate under duress, and we are doing so under conditions of rising hostilities.
I'm happy to take questions. Thank you.
REP. SMITH: Thank you very much.
GEN. ALEXANDER: Well, that was quick, Mr. Chairman.
REP. SMITH: I was going to say I was astonished. We moved very, very quickly through that.
GEN. ALEXANDER: I won't slow it down.
REP. SMITH: No, that's quite all right.
GEN. ALEXANDER: Mr. Chairman, Ranking Member --
REP. SMITH: We're ahead of schedule at this point.
GEN. ALEXANDER: (Laughs.) Well, I don't know enough to fill it up, so I'll talk briefly here.
I'd like to just give you a little bit of background about what NSA, the National Security Agency, but, more importantly, what the Joint Functional Component Command for Net Warfare is doing in network operations, where we are, where we're going, and the way ahead, because I think it leverages off of what my colleagues have already brought up. It has to be a team to work this across the services within DOD to set up the right apparatus. So I'll end on that.
Let me go back to the beginning and, if I could, just hit briefly on World War II. And in World War II just hitting on some of the key things that happened in World War II, specifically Enigma and Red and Purple, the Japanese encryption systems and the German encryption systems.
The reason I bring those up, as you may recall, the Germans had Enigma. We broke it. Actually the Poles and the Brits broke it. And in the 1941 Admiral Doenitz understood that it was broken and added a fourth rotor to make the decrypting of those communications more difficult. From January to March of 1942 the United States lost 216 ships off the coast -- off the East Coast, and our efforts in Europe were going down rapidly.
We were able to break that collectively with industry, Army, Navy working together with our allies. And it changed the balance of that war. And if you think about it, we broke their encryption, we broke the Japanese encryption and they didn't break ours. And that was huge for war fighting.
The network that we have today has taken what was an analog network to a digital network. And the consequence of that changed. Going from analog to packets is huge. It allows us to leverage things like iPhones, the iTouch. I have 11 grandchildren and they have these little iPod Shuffles. They are hooked to the network so they can do things. At seven years old they are Googling on the network. They are linked -- the same network, one network.
Great things are possible. Our military leverages that today for great good -- for command and control, for integration of our intelligence with operations, with logistics, with everything we have on the battlefield -- great opportunities, great vulnerabilities. And with those vulnerabilities comes the reason we really have to focus on a team on cybersecurity. The way we're approaching it today does not work.
Recently, commander of STRATCOM delegated to myself under Net Warfare the responsibility for directing the defense and operations of the GIG as well as our current role for Net Warfare so that we have all those missions together, so that we could put the defense and the offense together for the good of the Defense Department.
As you saw in my written statement for the record, the Defense Department is considering an option to stand up a sub-unified command that would allow us to leverage the defense and the offense for the good of our forces around the world, to ensure that we have the communications, availability, the integrity of our communications and the reliability that we need to conduct our missions abroad. In order to do that, the services and the joint community has to work together to support our regional combatant commands.
So I think what each of the services have said and where we are, now we're looking at the steps of what we have to put together in a sub-unified command as an option or in a joint functional component command, how we'd put these capabilities together to ensure our networks are secure and provide us freedom of maneuver in cyberspace.
So with that, a lot of work to be done ahead of us. I think where the Defense Department is today is in a good place in moving out. We understand the problem. It doesn't mean that there aren't issues with training, with equipping and with the tactics, techniques and procedures that we have to do. But I do think that we've come up with a way of working together to face these and to come up with a good plan for the future.
So with that, Mr. Chairman, I'd turn it back over to you.
REP. SMITH: Thank you. And we will -- on questions will observe the five-minute rule. Hopefully -- we've got great, very brief statements by our witnesses -- we'll have time to go around more than once. But just to keep it flowing we'll make sure we keep everybody to five minutes, including me.
My first question is just to sort of follow up on that last point about how coordinated the effort is in the Joint Functional Component Command.
So when you look out across DOD, and certainly we have many of the key components here -- Army, Navy, Air Force -- and if you are in your position or STRATCOM's position or even higher up and you're going how secure is my network, how compartmentalized is that and how coordinated is that? You know, how much do you guys get together on a regular basis so that you as the person in charge of that or the secretary of Defense or somebody higher up can say with confidence our network is secure and we're paying attention to the different pieces of it? Or I guess the better question is to know the vulnerabilities, to know in a coordinated fashion so that it's not stovepiped, because as you know, in the situation in many cases you are only as strong as your weakest link into the network. How do you do that, that coordination, within DOD?
And then I have a follow-on question about how you handle the interagency piece. But just starting in DOD, and you touched on that a little bit, but if you could give more specifics about how coordinated that effort is.
GEN. ALEXANDER: I'll hit the first part, and then I'll let Bob and some of the others --
REP. SMITH: Okay.
GEN. ALEXANDER: -- pick up on that. We direct the defense of the network to the Joint Task Force-Global Network Operations. Lieutenant General Carroll Pollett from the Defense Information Systems Agency is the commander of the Joint Task Force-Global Network Operations and works for me in that regard. And his day-to-day guy is Brigadier General John Davis.
They've put out written guidance of how to defend the network, the unclassified and the classified networks. I would like to say that our networks are secure, but that would not be correct. We do have vulnerabilities. And the issue and one of the things that we've wrestled with over the last six months is a strategy for closing those vulnerabilities very quickly.
I think we're making good progress on that because the level of problems that we've had with things like Conficker and others have been greatly diminished because of the great steps that have been taken by Global Network Operations but implemented by the services.
REP. SMITH: And what are some of those steps if you could walk through the specifics there?
GEN. ALEXANDER: Well, let's see. In an unclassified forum, that becomes very difficult. It would be the way that you use removable media would be a great case in point, how you have to use removable media or not use it in a network, what the restraints are, dictating those restraints. How you have your information assurance vulnerability analysis, IAVA, compliance out there, which means do you have your McAfee or Symantec antivirus software up to date, are you using the latest date, have you scanned your system for these things, and ensuring that those kinds of things are done.
How do we tell that at a global scale? Well, others' mission is to look on the periphery and see if we see problems on the network.
I'd like to give you one key element here I think is crucial to it. If we try to defend our networks like we do a castle, the moat, we will never be successful. We have to defend it on the network globally because that's how it exists on the network. And so that means we and our allies, industry and government have to work together in this enterprise. That's going to be key to our success.
Bob, anything you want to add?
MR. LENTZ: I'll give you two examples, Chairman, to your question. First of all, one unclassified example of the cooperation at the technical level is the federal desktop core configuration. The fact that we lock down the computers so tightly that are -- at our endpoint within the DOD network working with the services. In fact, the Air Force led that effort, and Microsoft, which is our most ubiquitous product throughout the Department of Defense, is locked down in terms of this stable configuration. And that has allowed us to defend the network much more effectively. I think that's a technical example.
To your first question regarding the cooperation within the Department of Defense, one of the things, we have a DOD CIO policy that has been fully implemented is we align every single service and agency within the Department of Defense to a -- what we call a computer network defense service provider or a computer emergency response team. So every entity in the Department of Defense from our schools to our main military operations are aligned to certified C&D service providers. And those C&D service providers work together under the leadership of STRATCOM and the JTF-GNO working in partnership with NSA and the law enforcement community part of our infrastructure to work on these cyber events. So I think that's an example of the cooperation that goes on within the DOD.
REP. SMITH: Okay. I will yield back the point, and I yield to Mr. Miller.
REP. MILLER: Thank you, Mr. Chairman.
Could you talk about the role that you think the federal government should play in securing the networks of our defense industry partners? Mr. Lentz?
MR. LENTZ: Clearly it is absolutely essential in terms of having a robust capability in the face of a cyber attack is we need a partnership in every tier. From our international partners we have found on one cyber event after another cyber event that they have insights that are very critical for us. Plus, just because the nature of the geography, our international partners oftentimes will have an advanced warning to give us insight into cyber events.
At the domestic level we team with the major centers across the cyber landscape to include the counterintelligence and law enforcement communities and of course all the CERTs. And at the industry level it is absolutely essential we team with the ISPs. We team with Carnegie Mellon. We team with all the industry leaders in this area to gain insight into cyber events, particularly when it comes to vulnerabilities of which we have to have advanced notice in today's cyber environment.
REP. MILLER: General, would you like to answer?
GEN. ALEXANDER: So the role that -- just to take up where Bob left off -- so one of the roles that the intelligence community and the Defense Department is going to have is how do I make those identifications of the vulnerabilities and the signatures, and how do we work those with industry and other government entities so that they know how to defend their system?
I think if you take the analogy that I was talking about this -- we're defending a castle today but we want to defend our network and perhaps our allies' networks, then you're going to have to have an early warning capability that exists between networks to tip and queue problems that are coming. I think that's going to be key for future problems that we face -- for example, some of these robot networks, or "botnets," that are out there and things like that. How do you defend against them? It's going to take our country and our allies to work together and tip and queue at network speed to defeat them.
REP. MILLER: How does the DOD ensure that we -- you'd mentioned the word robust -- have a robust computer network, defense and information assurance structure in place but we don't replicate across the service lines?
MR. LENTZ: Well, I think we actually do have a very robust capability working with the services. As I mentioned earlier, the C&D service provider program that we have, we have 23 different C&D service providers across the Department of Defense, of which the services make up a good share of those. And each one of those C&D service providers coordinate constantly in real time what's going on in cyber events.
REP. MILLER: That's all I have.
REP. SMITH: Thank you.
Then I'll yield to Mr. Marshall for five minutes.
REP. JIM MARSHALL (D-GA): Thank you, Mr. Chairman.
Now, I wonder what the limits of the effective partnership between DOD or the nation generally and business might be -- the private sector might be?
I was involved in an enterprise at one point that decided it was going to acquire a bunch of laptops that each individual employee would then use to enter data while they were out. We had a range of possible laptops that we could pick, and some of the more expensive laptops were less vulnerable to damage if they were dropped, if, you know, they were exposed to water, to heat, et cetera. And then there was a question of weight. And typically the ones that were less vulnerable were also heavier, and so we ultimately decided that we were going to go with a lightweight one because we could in our circumstances not have to worry too much about things being dropped or subjected to water or heat.
I assume that for some of the applications that we might use laptops for where the Army is concerned and the services are concerned you're going to go with a heavier version that can handle that. And I wonder if those -- I'm sure that those same kinds of decision-making differences between the private sector and the public sector exist with regard to the issues that you all deal with that are way above my pay grade. And I'm wondering if you can describe where it is that your interests diverge or your objectives diverge in ways that will make the partnership more difficult.
GEN. ALEXANDER: I'll take a first whack at that, sir. Let me just give you my thoughts, and that is where they converge are where it's in our nation's interest to ensure those networks exist and can function and they're reliable -- our power grid, our critical infrastructure at large. We have, I think, there a responsibility to partner with industry to assure that our nation can operate in time of crisis.
And the government has some kind of role there and I think we've got to determine -- I think some of the stuff coming out of this 60- day review and other studies will look at so how do we partner with industry to do that. Our partnership might be giving them early warning; sharing with them threat data and helping them secure their networks were some of the standards that Bob talked about in terms of how you'd set up your desktop configuration to active tipping and queuing to defend their networks.
One of the key things that industry has on the network is their intellectual secrets, their financial wealth, all that stored on the networks -- their personal data. Much of that is an industry, I think, responsibility to secure, and government would support in some way. So I think that's where it starts to diverge as you get industry that's out there on its own. There are some things, you know, our own personal communications from my wife to myself, that doesn't need government. And if that goes down, well, then I won't buy the milk and bread tonight. I'll be good.
But, you know, our personal communications aren't a national priority. So I think you're going to have that range from those things that are -- how do we insure the security of our nation so that if a network attack blossoms into a warfare we know where that line is.
REP. MARSHALL: There's no question a tremendous opportunity for synergy here and for taking advantage of the private sector's obvious interest in protecting data. I mean, literally billions or trillions of dollars are at stake, you know, besides personal private information. And so the private sector is paying top dollar to the best possible minds to protect the infrastructure that holds access to those kinds of money flows to that kind of private information.
I'm wondering where it diverges in any substantial way.
GEN. ALEXANDER: Well, I think part of the divergence is that, you know, they're going to harden like a shell for theirs. But the government is going to operate across a global thing with our allies, so we have a global responsibility. You can harden a network for an industry within a network and almost sever it completely and have that almost ensured security.
Where we have to have an Army in the field, or an Air Force in the field, or a Navy out there, they're going to have communications that are both wireless and wired, and as a consequence they're going to have vulnerabilities that are far different than that industry might have. Now, having said that, it doesn't necessarily mean that there aren't things that we couldn't work together with, or should work together with. I think there will be.
So I think you'll have all the way from the far -- you know, all the way over here on the far right, those things that we're not worried about and even if somebody loses them, to those things that we're worried about as a national interest. And then take the other access that you were doing -- the economic access -- from those things you don't worry about somebody hitting over here, perhaps in one level of industry all the way over to the banking industry and the security of those.
And both of those at the far end of that, the banking industry and our national military command authority, both have to be secured with the best that we have. And I think there's great synergy here and great divergence at the other end. That's one way --
REP. SMITH: Sorry. Thank you. If you have something quick, I want to make sure we keep moving to other members.
REP. MAC THORNBERRY (R-TX): Thank you, Mr. Chairman.
If we are literally under attack every day and are to treat cyber as a domain of warfare, like we have treated others, it seems to me we have to have the legal and policy and doctrine discussions, as well as funding and training and equipping and all the things that go with domains of warfare that we're serious about.
General Shelton, you mention Air Force kind of being in front on this. Does the Air Force have a specific plan to implement what Secretary Gates talked about in quadrupling the number of people trained in cyberwarfare?
GEN. SHELTON: Yes, sir. We are moving out on adapting courses -- adopting courses. There are joint courses we're pursuing that are already in place. There are new ones that are standing up. We are changing the way we train at our training centers, both officer and enlisted. We are also creating training opportunities for our civilians.
So the answer is absolutely, we're trying to expand our universe in terms of trained people in this area.
REP. THORNBERRY: But is there -- is that down to the point where there's a piece of paper that shows we're going to ramp up our training to meet this specific number that he talked about that has been signed off on?
GEN. SHELTON: We aren't there yet, sir, to the actual numbers. But we do have a way ahead in terms of concept. But is it numerically in place? It is not.
REP. THORNBERRY: I'm just trying to understand how far we've gotten towards being serious. And I'm not picking on you particularly --
GEN. SHELTON: I understand.
REP. THORNBERRY: -- but just how far we've gone to being serious about some of these tough issues.
General Alexander, to pick on you a little bit -- not really pick on you --
GEN. ALEXANDER: Sure, thank you.
REP. THORNBERRY: But what are the policy and legal issues that we need to be thinking about? I mean, a lot of this is the stuff that is in you all's bailiwick and we got to oversee the funding and so forth, but it seems to me there are some legal policy issues that are our responsibility.
What are they?
GEN. ALEXANDER: I think one of the clear ones, what you would expect us to do is to defend our networks and we have the right to defend our networks and to keep adversaries from getting into our networks, to secure our classified networks and all that. And I think there's inherent right and we have the legal framework to go ahead and do that.
Here's where it starts to break down and where I think you, the administration and others -- the discussion that we're now going to enter into I think once the 60-day review has come up. So now going back to the earlier question, so what is that role and responsibility, primarily with DHS because they'll have the lead for the rest of the dot-gov networks and for that partnership with industry. So what is the legal framework for sharing threat signatures with industry that are classified? How do we do it at network speed so that it's defensible? Now, what's that legal framework and what's that operational framework?
And those are areas that technically are easier to do than they are to set the legal framework up because you have industries -- for example, your antivirus community. If we give them a classified signature, how do we ensure it's not given out so widely that our adversaries have it when they're a global antivirus community? Things like that we're going to have to look at. There is a whole series of issues, I think, in those realm.
REP. THORNBERRY: Well, for example, when the Constitution says Congress has the responsibility to declare war, what does that mean when we're under attack every day? How do we deal with warfare in cyberspace?
GEN. ALEXANDER: Well, I think the loose use of the word "under attack" and "warfare" is probably more accurately described as people probing our network. We call that -- I think others loosely call that an attack on your network, but it falls short of what I think we would legally look at. And I've got the head lawyer back there right behind me, so he'll raise his hand and make sure I say this right. But --
REP. SMITH: He was nodding his head -- let the record reflect.
GEN. ALEXANDER: This way? Or this way? (Laughter.)
REP. THORNBERRY: Well, was Estonia or Georgia under attack? I mean, was their infrastructure under attack in a way that, you know, gets closer to that declaration of war? I just --
GEN. ALEXANDER: No, I think you're starting to -- on those you're starting to get close to what would be. The problem that you have there is who -- the attribution. And so I think what you have is the inherent right to defend first, and attribute, and preferably to do those at network speed.
So what we just agreed on, I think if you agree with those two statements, to do those both at network speed, is the reason that we need the defense, the exploit and the attack to work synonymously as a team at network speed to do just that, because if we don't, if we leave the (defend ?) to defend itself and they're getting hit over here and somebody says, hey, do you know they're getting hammered, the Air Force is getting hit on the network? We'd say no, we didn't. It's happened to our industry players. And so if you're not aware of it, you can't help mitigate it, you can't help attribute it. So that partnership has to come in.
I think in the legal framework it starts to go up to when is it going from exploit to damage? And in that change is where you go from what I'll call spying operations into warfare. And there is, I think, a more specific set of terms that would define those and -- (aside) -- did I hit all of that right, Bill?
REP. SMITH: Mr. Langevin.
REP. JAMES LANGEVIN (D-RI): Thank you, Mr. Chairman.
Gentlemen, thank you for your testimony here today.
To continue on on that line, General Alexander, clearly the tools available to us in cyberspace are very powerful. I know the NSA, in particular, is very good at what we do. How far down the road are we in really setting the rules of engagement? And who and when do those decisions get made?
Clearly, modern warfare has forever changed. We will never have a conflict in the future that doesn't have a cyber component to it. And where are we on that stage, you know, in terms of where it escalates to the fact to where we would attack and cause great damage in response to an attack on our own networks? Where are the rules of engagement at this point, and who's going to make those decisions along the way?
GEN. ALEXANDER: I think if you start out within the defense community, those rules for defending, exploiting and attacking on the networks as part of war fall within the Defense Department. I think we can easily envision -- there was a Chinese PLA statement in 1996 that said something to the effect, you want to attack the United States, attack its banking system.
Now, the issue -- this complicates it and it puts this -- into answering your question more accurately -- it gives you a understanding that it may not be the Defense Department that's attacked. But if we assume symmetrically that they would attack us -- the Defense Department -- and the Defense Department would respond back, you're now into one form.
The issue I think that realistically faces us though is that it would be asymmetrical. It would go against our industry and it might be our critical infrastructure. And then the question of the partnership between the Defense Department, Homeland Security and the intel community has to be clear. We have to have laid out those rules and walk through that. We are walking our way down there. We're not far enough.
I think within the DOD we have laid out the legal framework for what constitutes an attack -- how we defend our networks, what we do in that specific to the Defense Department for DOD operations, for example, on the war on terror. But that's very limited and a very focused set. I think to really get to the heart of your question, you have to have that partnership and we have to operate seamlessly across all of those if we're going to be successful. And that's going to take some work.
REP. LANGEVIN: In the CSIS report -- the commission that I co- chaired with -- and worked on with a number of others -- one of the things, the conclusions that we came up with was that the president should make clear that cyberspace and our cyber assets are a national asset and that we will use all assets of national power to protect it.
Do you agree that it's time that we have, perhaps, a cyber Monroe Doctrine that lays out clearly what our response would be in terms of protecting our cyber assets?
GEN. ALEXANDER: I do.
REP. LANGEVIN: Let me ask you --
GEN. ALEXANDER: There's four others that -- if you want to -- I do. I think they do too, but I don't want to speak for everybody.
REP. LANGEVIN: Would anyone else care to comment?
REP. SMITH: I guess the follow-up to that -- what would be involved in making sure that that's clear? Is there an executive order that is needed? And following up a little bit on what Mr. Thornberry was asking about in terms of your authority to act --
GEN. ALEXANDER: Yeah.
REP. SMITH: -- is that understood, or is there more action that's needed to allow you to have that authority?
GEN. ALEXANDER: Well, I think what the 60-day review is looking at is taking right from your study and others and saying, so how do we start that at the top. What's the White House role in doing that? And I think they're going to set that up and say here's the White House role and lay that out.
So that's yet to be fully disclosed and I think they've got a couple of more steps to complete that. But my gut reaction is that they'll do essentially where you are. So we'll have to set up a national leadership for it out of the White House, roles and responsibility to the Defense Department, DHS. Our partnership with industry and our partnership with allies needs to be clearly (documented ?). And I think we have to start walking down that road.
The follow-on question is, okay, so you have these. You have the legal framework that we talked about that's got to up. You have to have the operational framework. And I would submit that first we've got to lay out operational frameworks that will work. There are operational frameworks that people can put on the table that just don't make technical sense.
So that's where our partnership with industry really has to come to the forefront.
What technically can we do to secure those networks with the Defense Department, the intelligence community and DHS and industry? And then how do we take that -- what do we need legally to make that work? And I think we have to yet walk through those. And I think the first step will be when the White House puts out that 60-day study.
REP. SMITH: You know, ask a little bit about acquisition issues, and maybe have the three individual services speak to their ability to acquire what they need technologically, because there's the challenge in the IT world that basically -- Moore's Law runs headlong into the acquisition process. You know, things update very rapidly, and yet it takes a couple of years to go through the ability to acquire systems.
Now, I know reforms have been made to a certain extent within IT to give greater flexibility, to enable you to purchase more equipment more quickly. How well is that working? And what more do we need to do to make sure you're able to buy the equipment that you need?
And just if each one of you could sort of give a little vignette from your experiences within your individual service.
General Shelton, go ahead.
GEN. SHELTON: Glad to start.
You're exactly right. We have a real challenge of what I would call an industrial age acquisition process, trying to operate in IT space, which is not adequate.
We have vehicles that we can use to acquire IT solutions. And in many cases those are commercial off-the-shelf products or commercial off-the-shelf products that we slightly modify and adapt to our purposes.
In some cases the question is scalability, but beyond that, those solutions are there.
So I think we're in reasonably good shape from the overall capability to acquire. It's that we don't often exercise that capability the way we should.
REP. SMITH: Why not?
GEN. SHELTON: We sometimes revert to the way we've always acquired things. And so we're forcing that inside the Air Force.
REP. SMITH: Right.
GEN. SHELTON: We're forcing that toward a much different solution. And we're forcing an architecture that would allow much different solutions on that now.
REP. SMITH: Well, Mr. Carey, could you talk a little bit about Navy's experience with the Navy/Marine Corps Intranet, which was a big transition system, in terms of the software being put in place? How difficult was that to acquire? Or just more broadly, within the same acquisition area, what challenges are you facing? What do you think needs to be done to overcome them?
MR. CAREY: NMCI, sir, was a huge culture change to the department and the IT space. To move from a system of lots and lots of networks controlled by individual unit commanders or organizational commands into a homogenous, centrally controlled network apparatus was just a huge culture change. So it took some time to get there.
The acquisition process allowed us to get there --
REP. SMITH: Okay.
MR. CAREY: -- in a reasonable amount of time. But imagine, it's now the largest intranet in the world. So we grew from having hundreds of networks -- we're now subsumed by one -- using the process.
REP. SMITH: Okay.
Do you have anything you want to add?
MR. KRIEGER: Sir, I think your discussion on the acquisition process not being agile is really a cultural issue.
REP. SMITH: Okay.
MR. KRIEGER: So I think within the acquisition process, both legislatively and "regulatorally," the agility is there. This is a cultural change for the department. Can we deliver spiral capabilities, not a full capability, quicker and spiral it out, versus the culture's been you deliver a completed product over time.
REP. SMITH: Well, is that -- does that feed also into sort of how personnel are rewarded and/or punished depending on how they do things, that basically there's a culture that says, "Hey, as long as I'm following the process, as long as I'm going through the acquisition process there, I'm good, if I step outside of it I'm in real danger"? Because it strikes me that it would really take, you know, creative personnel who understand IT to say, "Hey, I need this solution now, I'm going to go do it, not go through the normal process as empowered."
And I can see where you might be limited within the military concept people saying, look, if I do this, you know, I'm not going to be rewarded for it if it goes well, and I'm sure as hell going to be punished for it if it doesn't go well.
Is there a problem with that, in terms of changing how we promote and reward behavior?
MR. KRIEGER: Sir, I know within the Army in the current global war on terrorism, that -- we're at the point in the Army now that when we generate a requirement from the field -- a JUONS -- and we document it, we're delivering capability real quick now.
And so I think that culture is changing.
REP. SMITH: Okay.
MR. KRIEGER: And we certainly have soldiers and sailors and airmen in need now, but we're discovering, culturally, that it's possible to deliver IT quicker and outside -- within the system but not the traditional way that we build airplanes and ships and tanks.
And certainly there is lots of examples in the current war -- we've identified a problem, we've documented the requirement, and we've delivered the spiral-out capability.
REP. SMITH: Thank you. Very much appreciate that.
I'll go to Mr. Miller, and then I'll go to Mr. Conaway, who walked in right at the end of the questioning there, but we don't want to get you out of the loop there. So we'll go to Miller, Conaway and then back to the other order.
REP. MILLER: Thank you, Mr. Chairman.
One brief question to General Alexander, if you would, in reference to the new idea of the new sub-unified four-star.
Will DISA and NSA be rolled into the command, and how will the relationship between DISA and ODNI be affected?
GEN. ALEXANDER: It's not clear in my mind that it -- it will not be rolled in, per se. I think that part -- it will be leveraged in the foundation for it. I think we have to have the synergy map between what NSA does for the intel community and what NSA does for the cyber community. And those are inextricably linked.
So specifically today, we have net warfare at NSA. And as a consequence of having them there at NSA, they can leverage the different officers that look globally to do their mission. I see that -- we growing that connective tissue between what NSA is doing and what this command is doing.
I think there are some things that will be in common that we're going to have to put in both -- in the concept that's being looked at. And that is, how do we see cyberspace -- an integrated cyber operations facility? What is is that you see for your defense? How do you see your network boundaries? What do you see globally? What do our allies see? What's going on on the network? And how do you mitigate and attribute -- going back to the question -- because if you can't see it you're not doing it in real time. So how are you doing that in real time? How are you bouncing those back and forth?
So what I imagine will happen is we'll put the pieces together at Fort Meade, at least in the recommendations and the thing that's under consideration, and then look at how you build the command to specifically do cyber operations leveraging what NSA brings in network exploitation. And I think that's the key part is to have them coexist.
In that respect, the DNI is comfortable and a proponent for it, because it does both. I think it's good for both of us, and we can do both in that regard.
The second question -- the logical question that stems out of that -- what's your relationship with DHS? Because they need some of the same support. And we see that that is a foundation that DHS can lean on, a technical foundation, while DHS takes on its missions to operate and defend the rest of the dot-gov networks.
REP. SMITH: Thank you.
REP. MIKE CONAWAY (R-TX): Thank you, Mr. Chairman. Since I just got here I'll not re-plow ground you've already plowed, so I'll --
REP. SMITH: Okay. Thank you.
REP. MARSHALL: Thank you, Mr. Chairman.
I'd like to return to the line of questioning that I had when I was -- just a minute ago.
And it's again -- where is it that you perceive the private sector's interest, motivation diverging from ours?
And General Alexander, you described, you know, a private sector company that might be able to -- it had a similar interest, because billions of dollars are at stake, or very, very sensitive information was at stake, so they wanted to protect that information -- and being able to harden itself -- and its use, probably more so than we could, practically speaking, given the costs associated -- given the kind of uses that we have to make of information technology across the military.
Can you give other examples that would help me understand how they diverge? And would -- this is a question to all members of the panel, not just General Alexander.
I know, Mr. Lentz, you were about to say something and I'd run out of time.
MR. LENTZ: That's fine.
Well, I can give you a couple examples of that. I think the biggest challenge we're going to have -- and I think the laptop example that you alluded to in the beginning is a good example of that.
When we did our data-at-rest encryption policy we went out to industry, established a standard. We worked with industry to figure out where that bar for security needs to be and where they can meet that bar at the cost and operational effectiveness that meet both entities' standards -- for them to make a profit, but also for us to be able to get the most secure capability out in the field.
We did that very quickly over the course of several months. We developed the standard. We have 12 companies that bid competitively for that process. The cost for a data-at-rest piece of software license -- would normally cost you $200 if you went, got it yourself. Because of this competitive, standard-based process, we dropped the cost to less than $10 per software license. Now, that's an example where we had convergence.
Now, as the bar goes higher in cyberspace -- because the cyber threat is increasing exponentially -- we have to work with industry to build in much more robust capability. That's not just dealing with encryption but all the aspects that go around hardware and software.
And that's where industry is going to have a more difficult time, because as that bar gets raised, their profits start to decrease. And that's where we have to look as a government-private sector partnership -- figure out how we can get that bar raised in a cooperative way, at the same time maintain a competitive acquisition process.
GEN. ALEXANDER: My experience with industry, though, is there's more convergence than there is divergence. They see the obvious rationale for securing the networks, just like we do.
More importantly, they also see that they, in part -- many of the industry folks that I've talked to said we need government support here. I don't think they want governments compelling them to do things on the network, but I think they need government support in securing it, in developing a framework, a technical framework that's securable.
That's probably going to be impossible. So how do we get as close to that as we can? I think industry is absolutely looking for a partnership with government and with our allies, setting up some solution like that.
So my experience has been almost completely convergent in that regard. I've not seen -- I asked one industry, I said, why don't we give you this problem? And they said we can't afford to do it without government support. That was the only divergence. We said, well, this would be one that we'd throw over critical infrastructure. That's an industry thing; why don't you take care of it? They said --
REP. MARSHALL: So industry interest is not broad enough to justify the cost, is in essence what you're saying.
And so, to the extent that we've got to have a certain level of security or capability, industry is not necessarily going to generate it for us, because either there are too many diffuse characters competing with one another with different products and, consequently, different companies looking at those different products, or there are just not enough companies that are that interested in that level of security or capability?
GEN. ALEXANDER: Banking industry clearly has a compelling need to create that existing secure infrastructure. And they're working hard to do that. There are things that government and industry -- and that industry could work together to make it even better.
There are -- electrical power grid and some of your other ones are low cost when you look at the network. So the power companies that are going to have to go out and change the configuration of their networks -- that's a cost that if you take what Bob was saying one further step -- now to upgrade their networks to make sure they are secure is a jump in cost for them. And now you're going to have to work through their committees to the regulatory committees to get the rate increases so that they can actually secure their networks.
So when you talk to the power industry, as an example, that's one where you going to look at so how does government, because we're interested in perhaps having reliable power, how do we ensure that that happens as a critical infrastructure? So DHS and that critical infrastructure would have to work together to walk through that.
REP. MARSHALL: Thank you.
REP. SMITH: Mr. Thornberry, any more?
REP. THORNBERRY: Let me give the Army and Navy a chance to answer kind of what you all's services are doing to train, equip, develop career paths for cyber warfare. Do you have cultural difficulties there too, particularly in whether you see cyber as an enabler for the things that you're already doing or a domain of warfare on its own?
MR. KRIEGER: Sir, you raise a very good issue. And the Army is trying to come to grips with that right now in studying it, and we've got a study going on by our Training and Doctrine Command to figure out what we want to do both at the officer level and at the warrant officer level and the soldier at (NCO ?) level.
The question is exactly on target -- don't have an answer yet. That's what we're trying to figure out.
MR. CAREY: We believe that everyone that engages the network becomes a cyber warrior at some point. If you're going to touch the network, you are involved in something that is greater than you might have actually thought. So changing that culture, as my colleagues have said, is something that we're working on very diligently right now.
As we move into our next-generation network environment and we're bringing on more people to operate in this domain, both in unified -- our uniform side and the civilian side to allow ourselves that span of control that we don't have right now inside the department.
REP. SMITH: Thank you.
I had one more line of questioning, but Mr. Conaway, go ahead.
REP. CONAWAY: Thank you, Mr. Chairman.
A few of us are working on an acquisitions panel issue and just wondering, Mr. Lentz, can we use the acquisition regulations and practices to incent defense contractors to be -- their cyberwarfare posture to make sure they're compliant or that they are as protected as they need to be to handle our data and handle our work? Is that an appropriate use of those?
MR. LENTZ: Yes, we are working with AT&L to look at the --
REP. CONAWAY: AT&L?
MR. LENTZ: I'm sorry. The acquisition organization in DOD.
REP. CONAWAY: Okay.
MR. LENTZ: -- to look at modify the defense acquisition reg and the federal acquisition regs for including stronger language in there regarding meeting certain security benchmark standards in terms of protecting information that resides on their networks. That's something we're doing right now.
REP. CONAWAY: Do you think you'll get pushback from the contractors on this deal?
MR. LENTZ: No, we're not. In fact they're asking for that language. No problem.
REP. CONAWAY: Okay. All right.
And then, General Shelton, when you guys set up your cyber command, can you walk us through the rationale between why it was at numbered air force versus a four-star command?
GEN. SHELTON: Sure. As we first started looking at this, we said a major command seemed appropriate because that's how we organize, train and equip in the Air Force, but then as we thought more about it, we said we're really about how do we operate? And the way we operate in the Air Force and present forces in the Air Force is through numbered air forces. So if we're really all about trying to provide cyber operations for joint employment, it's more appropriate for a numbered air force. And then the organize, train and equip aspects can be subsumed by Air Force Space Command.
So that was the rationale.
REP. CONAWAY: Okay. And your -- the Air Force is comfortable, so far, that that was the right decision?
GEN. SHELTON: Absolutely, very comfortable.
REP. CONAWAY: Thank you, Mr. Chairman.
REP. SMITH: Just (a couple ?) of other things: In terms of personnel, we talk in this committee each year about the challenges in making sure that you have the best and the brightest folks who understand the IT infrastructure because it's a constantly evolving thing. Whatever the systems, it really comes down to people and their ability to adapt.
Just, you know, if anyone has initial thoughts -- I don't know who would be best to comment on this, so I'll throw it open to all of you. How are you doing in terms of recruiting the personnel that you need to do the IT work that you need to get done?
MR. LENTZ: I can start out and then -- first of all -- and I know, Congressman Thornberry, your interest is on target regarding the fact that within the Department of Defense we have over 90,000 personnel that we've identified working with the services and agencies that are deemed to be cyber warrior-type individuals. These are sysadmins that monitor the system and network administrators that have part-time jobs both to defend the network as well as to administer. You can't separate those functions.
Ninety thousand -- we have a plan that we're two years into to certify all 90,000 and we're right now -- have a goal by the end of this year to be at 45 percent. And so that is a major goal.
The other thing we're doing is we're adding highly specialized skills on top of them, in light of the cyber events that we've talked about. And that will add another layer of more highly skilled cyber warriors that will go to schools like in Pensacola and Maxwell and Fort Gordon possibly to be able to get more in-depth training working with the national cryptologic -- with NSA and other institutions.
The fill rate overall, I'll let the services comment on that, but what we're seeing right now is the fill rate for those cyber warriors is at a fairly good rate. We're seeing over 90 percent in terms of those positions that we're talking about right now, which, by the way, are contractors, civilians and military personnel.
REP. SMITH: All right.
Just in general -- go ahead, General. Sorry.
GEN. SHELTON: Sir, I was just going to say in terms of technical expertise, we have certainly a concern, along with everyone else in the nation, that there's just not that many people coming out of our schools that are prepared for technical type work. They don't have the educational background. They haven't studied math, engineering, science, those sorts of things.
So we join the chorus of many that says this is a real problem for us.
REP. SMITH: Gentlemen, do you have anything to add to that?
MR. CAREY: All I would add is that we're all competing for that limited resource. It's industry, Army, Navy, Air Force, Marines -- we're all competing for that, and so there has not been a challenge that we've seen yet, but our -- we will be ramping up for the coming months. We will have more information in the summer and the fall.
REP. SMITH: Sure. Thanks.
And General Alexander, I just want to follow up with you on the interagency aspect of cybersecurity. And I think from this panel we've got a pretty good idea what the DOD is doing. How do you interact -- you touched on it a little bit. I mean, Homeland Security, theoretically is the lead agency for the interagency piece of cybersecurity. Does DOD sort of, you know, exist in their own world and work on their own systems while Homeland Security is dealing with the other aspects of it? What's the integration? How's that working?
GEN. ALEXANDER: Well, for offensive operations we have a joint task force -- Joint Interagency Task Force which brings in all the players. We have great partnerships with FBI, CIA and others, DHS. They sit on these panels -- State Department -- and look at the options and where we are, and I think that's well run.
Where I think there's work to be done, the US-CERT is growing rapidly, which is the DHS element that would actually do the computer emergency response team stuff for the rest of the dot-gov, taking that on in a way analogous to what the joint task force global network ops and the certs under it does with the services.
So there's some room to grow in the rest of the dot-gov to catch up where I think the Defense Department is today. Within the intel community I think they have a strong network security program so that that's running pretty good.
What is lacking today is a integrated defense where you can tip and queue between the different government entities and agencies at network speed to defend elements of it. And that's one of the things you're going to have to grow, which I think DHS would leverage what the intel community and the DOD has today, both technically and the real-time alerting and queuing. Think of that as a radar system for cybersecurity.
REP. SMITH: Got one more question, but I want to see if any of my colleagues have anything further.
REP. MARSHALL: I do.
REP. SMITH: Go ahead, Jim.
REP. MARSHALL: Thank you.
Continuing the same line: So different possibilities here -- we've got a requirement that needs to be met that we've identified. Industry has already met that requirement so we go out and we acquire either the software or the hardware and that takes care of that.
We have a requirement that has not been met by industry as well and it's the banking industry. And the banking industry recognizes this need to secure billions and billions and billions of dollars of exposure that it would otherwise have. Or it's the up -- you know, hardening the defense and electrical grid, which has all these collateral public and private possible consequences if, in fact, there's a failure and an attack is successful.
Could you -- is there a difference in the way we go about trying to figure out the partnership and who carries what load in -- here's the banking system. It's going to get there and you know it's going to get there because there's just too much at stake. It's the brightest people in the world they are able to hire and they're going to pay them big bucks, and they are going to get there.
But they'd love to have us step up to the plate and pay for it. You know, that just makes more money for them. So there's obviously a give and take as we discuss with the banking system or banking industry who's going to do this.
And then where the electrical grid is concerned, they kind of go, well, you know, we don't need the -- we don't need that kind of level of security; that requirement is not one that we want to meet; we'll take a chance on the grid going down and we'll just send our guys out there and fix it. You know, actually, we might make some money. It might be better for us, in a sense, if the grid goes down.
Could you describe how you deal with those two different kinds of circumstances in order to figure out who carries the load? Well, that's a poor reference in a -- where we're talking about electrical grid, but who winds up paying the freight, okay?
GEN. ALEXANDER: I think DHS would have the lead in orchestrating that, with the critical infrastructure protection advisory committees that they have, the SciPACs (sp) that go across each of those. And in the banking industry it would be a DHS-Treasury partnership to look at how we do it with other players in the community.
So I think you've got DHS in the lead. The interesting part that you've put on the table is that there may be things that the government technically knows that would be useful to industry to secure their networks a degree beyond where they are today. How do we do that without risking some of our nation's crown jewels but ensuring their protection? And that's one of the things where I think the partnership between DHS and DOD is going to have to be laid out and I think is being worked.
So there is right now -- DHS has set up a good framework for critical infrastructure protection and they have a framework for cyber throughout that, but they work and they actually partner with DOD and the intel community in those regards and I think they would draw on that.
I don't know that anybody's come down clearly and said the different roles -- I don't think they're at that point where they could define specifically the roles.
I'll pass it over to Bob.
MR. LENTZ: I think that's exactly the answer. I think where DHS has set the framework up under their National Infrastructure Protection Plan and they're working and we are supporting. As an example, with the financial sector, we work through Treasury and we compare technologies and techniques and procedures that we're using and trying to raise that bar. And then as you work some of these other sectors, the interesting challenge is going to be, like you addressed, is going to be at some point they may say, that's enough, I can't subsidize this level of protection any longer, especially against a nation-state, and therefore, we have to have a mutual dialogue at the highest levels of the government with industry to determine how are we going to get that bar to a level we're all comfortable with.
And that's going to be the interesting discussion in the future.
REP. MARSHALL: Thank you, Mr. Chairman.
REP. SMITH: Thank you.
Just one final question: Mr. Thornberry had mentioned the attacks on Estonia and Georgia which really sort of got everyone's attention about what can go beyond, you know, some of the more basic stuff that we face. And obviously, you know, I think our main concern right now is data mining, people accessing our network and pulling out information out of it as opposed to affirmatively attacking the network.
But in look at what happened in those two countries, how vulnerable are our DOD networks to similar attacks? How confident are you that we have the system set up to withstand that type of an attack?
GEN. ALEXANDER: I think a distributed denial of service attack from botnets like you saw in Estonia, if large enough, would really hamper any network today, including the Defense Department. And the issue is how do we grow a defense in depth to ensure that we don't have that? And so that's where our allies and partnership with our allies is going to become crucial.
If you try to defend it at your gateway, you surely will lose on that. And so you're going to have to have a defense in depth for that type of attack specifically.
REP. SMITH: Forgive my ignorance here. Walk me through a "defense in depth," what that means exactly in terms of what you try to do to prepare.
GEN. ALEXANDER: Well, so you would have -- if you just look globally at the global network instead of trying to stop all the stuff here, you might want to shut them down at the point of origin --
REP. SMITH: Got you.
GEN. ALEXANDER: -- or somewhere in between, and that means that your offense and your defense are going to have to be partnered together to do that. I think that's the only way you're ever going to -- I think we're going to be forced into operating like that in the future and the consequences of that jump, that intellectual jump, is developing the tactics, techniques and procedures that I briefly discussed earlier.
REP. SMITH: All right.
Gentlemen, anybody else want to comment on that, in terms of security of your systems?
GEN. SHELTON: Yes, sir, just one comment. What we're trying to do is implement some tight security on our networks so when somebody comes on to the network we make them put a card in. We make them enter a code and in the future will probably have some sort of biometric. So we know exactly who that is and we know exactly what permissions they've got, what data they've got access to. And somebody outside that realm can't have that access. So you're defending inside as opposed to defending at the wall. That's the architecture that we're trying to build.
REP. SMITH: All right. And how -- I mean, that's really hard, with all the different people on the network. There are so many different access points to the network. But I guess that's more of a statement than a question, but you are working on it.
Anybody else have anything they want to add?
All right. Well, thank you very much. It was very, very informative. Look forward to working with you on this issue going forward. Thank you all for your testimony and for answering our questions. Thanks.
We're adjourned. (Sounds gavel.)