The Honorable John J. Hamre
Deputy Secretary of Defense
(accompanied by Mr. Linton Wells, II, Principal Deputy, Assistant Secretary of Defense for Command, Control, Communications & Intelligence, Department of Defense
Brigadier General John H. Campbell, USAF, Deputy Director for Information Operations (J-39), Department of Defense)
"The greatest threat to America today is not Iraq, Iran, North Korea, terrorism, or weapons of mass destruction. It is the potential that we will become too complacent during this time of peace."
General Henry Shelton, Chairman of the Joint Chiefs of Staff
Thank you Mr. Chairman and members of the Committee. I am honored to be here. I am pleased to have the opportunity to provide the Department of Defense perspective on the threats and challenges confronting our information systems in the future. These issues are key elements of the Department's preparedness for its National Security mission. Information assurance, infrastructure protection, encryption policy, and traditional security disciplines are intertwined in complicated ways. We must work in concert with both other agencies and the private sector to understand and address these areas. I don't think the sky is falling, but we must step up to meeting the challenges and threats these issues present to ensure that we can continue to execute our mission with success.
Mr. Chairman, you render a great service to America by providing a hearing to focus national attention on issues related to information assurance and critical infrastructure protection which directly affect the security of the nation and the quality of life of every American. This hearing will provide information that will raise public awareness and highlight the current and potential challenges in protecting our information and our critical infrastructures.
RELIANCE ON INFORMATION TECHNOLOGY
Worldwide, an estimated 15 billion microchips most of which contain timing devices -- are embedded in appliances and machines ranging from clock radios to ATMs. A new automobile today rolls onto the highway with at least 100 microchips. Microchips are embedded in thermostats, leak detectors, underground storage tank monitors, boilers, lighting systems, generators, elevators, alarms, smoke detectors, sprinklers, sewage systems, security systems and automatic locks, and all of the common office equipment, including the coffee maker.
The failure of an embedded microchip in a discrete, localized computer or machine, such as a wristwatch or the air-conditioning system in a building, can be merely inconvenient. However, failure of a microchip in a critical, large, or dangerous piece of machinery -- loss of air pressure in an F-15 or a submerged submarine -- can be devastating and even life threatening.
Virtually every week we see more and more examples of how failure in digital technology can have unanticipated and widespread repercussions. Failure in a networked computer system that is a hub or link in other computer or telecommunications systems can be catastrophic. Each one of these accidents is a warning about our the extent of our reliance on information technology and the vulnerability it has created. A recent incident vividly illustrates the extent of this problem for us:
Just a few weeks ago, the computer system in a communications satellite more than 22,000 miles above the state of Kansas malfunctioned, and the satellite began tumbling out of control. That malfunction disrupted the satellites ability to communicate with its customers and set off a cascade of communications failures of a magnitude never seen before. Indeed, it ranks as the worst outage in the history of satellite communications.
By conservative estimates, more than 35 million people lost the use of their pagers, including everyone from school children and repairmen to doctors, nurses, and other emergency personnel. Transplant recipients could not be notified when organs became available. Members of a bomb squad in New Jersey could not be paged to respond to an emergency call. Motorists nationwide could not use their credit cards to pay for gas at the pump. Television and radio broadcasts were broken off. Several Fortune 500 companies and news wires had their business operations impaired.
This is just one example of how reliant we as a nation have become on information technology services and the supporting information infrastructure. There are many others and the committee does a great service today by bringing attention to this issue and its associated incumbent risks and threats.
INFORMATION ASSURANCE -- A THREAT TO OPERATIONAL READINESS
Essential Information Assurance Services
Establishing trust in a highly distributed, network-centric computing environment is a fundamental issue today for the Department and its Defense Information Infrastructure (DII). Trust is the major issue for any organization conducting more of its operations in such an environment. At the heart of the issue are five essential information assurance (IA) services that are critical for ensuring trust in our systems: availability, integrity, authentication, confidentiality, and non-repudiation.
These IA services assure the readiness, reliability, and continuity of the DII and the information systems that are a part of it. They also protect functions against exploitation, degradation, and denial of service while providing the means for the rapid reconstitution and re-establishment of mission-essential elements of the DII. The importance of IA is increasing as technology moves toward integrated networks that support both classified and unclassified information, and as DoD increases its reliance on commercial off-the-shelf products and connections to public networks.
Defense-wide Information Assurance Program (DIAP)
Critical to achieving the objectives of these IA services is the implementation of a Department-wide program management framework. This January the Department established a Defense-wide Information Assurance Program (DIAP), which will provide the common management framework and central oversight necessary to ensure the protection and reliability of the DII. Part of the DIAP strategy is to change the culture that views IA as a primarily technical issue to one that understands IA is an operational readiness issue. We need to change the current view that information assurance and securing our information system are secondary considerations, rather than core readiness issues. Everyone -- from the highest senior levels of management to the soldiers and office workers -- must understand each is a stakeholder in the vitality and security of our information systems, how their individual actions can affect mission success or failure, and what they can do to assure network security.
A Shared Risk Environment
Availability and integrity -- and in some cases the confidentiality -- of information become critical to the operational readiness of our forces. If this capability can be denied or exploited, the advantage smart weapons provide can be adversely affected. Today, operational readiness relies increasingly on information systems and technology. Therefore, we must be much more concerned with assuring the integrity of our systems and networks, especially as we interconnect more of our systems.
In the past, the Department relied upon "stovepiped" systems, local area networks, and limited numbers of users -- therefore, limited access -- to protect information. Today, the Department is developing information infrastructures that support DoD systems and networks, including connections to networks such as the Internet. As the Departments Services and Agencies interconnect more of their networks, we are creating a shared risk environment. In a shared risk environment, the security posture of the interconnected systems is only as great as the system with the weakest assurance posture -- in effect, the weakest link in the chain. Given these risks and the fact that weakness in any portion of the DII is a threat to the operational readiness of all Components, the Department is moving aggressively to ensure the continuous availability, integrity, authentication, confidentiality, and non-repudiation of its information and the protection of its information infrastructure. Growing numbers of authorized users in a shared risk environment exacerbate a problem shared by government and industry: a malicious insider who really is authorized access to networks.
No single solution can solve these issues. Rather, a variety of layered defensive mechanisms and practices needs to be put in place to provide that kind of information assurance on an end-to-end basis. Within the Department, we have been developing what we call a "defense-in-depth" strategy. This strategy includes the development and implementation of new tools, technologies, and initiatives across the Department. I would like to share with you some of our efforts.
Public Key Infrastructure (PKI)
The Department established policies for creating a public key infrastructure (PKI) which will support identification and authentication functions through the use of digital signatures. The Defense Information Systems Agency (DISA) and the National Security Agency (NSA) are developing and implementing a PKI for the Department that provides both high assurance services for national security information protection, as well as medium assurance services for business and military operations. A pilot effort for the medium assurance element is currently underway and is based on commercial technology and software cryptography to support business re-engineering activities.
One activity using the PKI is the Defense Travel System, which is adopting the use of digital electronic signatures for travel. Digital signatures will allow travelers to receive electronic authorization prior to a trip and permit them to sign their vouchers after the trip. These electronic "John Hancocks" create a secure and legal association between the travel and voucher information. The Defense Travel System is a practical approach for digital signature certificates, including commercial infrastructures and services, which could eventually be used in Department-wide electronic commerce efforts.
We will also deploy those same pilot services within a command and control environment, the Global Command and Control System in particular, to begin providing community-of-interest separation capabilities, as well as data integrity capabilities beyond what is currently available on those type of networks. Department-wide implementation of a PKI capability will facilitate secure electronic commerce and allow controlled access to DoD information and resources. We are also looking at the medium assurance solutions emerging in the commercial marketplace. Many of these commercial solutions are based upon PKI and public key technology and may be viable solutions for the Department.
Secret and Below Interoperability (SABI)
Last year the Department started a Secret and Below Interoperability initiative that allows for the flow of information between secret and sensitive-but-unclassified networks while maintaining the integrity of both networks and minimizing the risk of classified information disclosure.
Intrusion Detection and Monitoring
I would like to highlight DoD initiatives that support intrusion detection and reaction. NSA and DISA are beginning to provide customers with tools to assess the robustness and readiness posture of systems and networks. Through the "hardening" of system components, DISA has taken steps to ensure network availability and to defeat denial-of-service attacks. DISA is procuring and installing network intrusion detection hardware and software, firewalls, and encryption hardware and software that provide improved network security.
Reaction and Recovery
The Department has in place efforts to respond to detected intrusions and attacks. DISAs Global Operations Security Center is providing around-the-clock protection, detection, and reaction capabilities in securing the DII against both network intrusion and virus, or malicious code, attacks. The Components Computer Emergency Response Teams (CERTs), NSAs Information Protect Cell at the National Security Operations Center, and DISAs Automated Systems Security Incident Support Team (ASSIST) also provide critical reaction and recovery capabilities for attacks against the DII. The Department recently programmed additional resources for the Services to operate their CERTs around-the-clock.
NSA is also establishing a Network Incident Analysis Cell (NIAC) to perform post network intrusion, forensic-style analyses. It will carry out comprehensive and systematic analyses of security incident data received from incident response centers. The objective is to establish a capability to provide incident trends, including forensic services, such as identifying electronic fingerprints, signatures, attack profiles, and attack scenarios. These analyses and incident trends will lead to the development of applied countermeasures, improved front-end filtering for intrusion detection, and support for indications and warnings of impending attack. In particular, these in-depth analyses will support efforts to design and develop pre-emptive defensive tools.
Readiness Assessments and Red Teaming
DoD is also increasing the use of readiness assessments and red teaming efforts to measure the operational readiness of our information systems, networks, and infrastructures. Readiness assessment activities include on-line surveys, assessments, and security evaluations. For example, the results from DISAs Vulnerability Analysis and Assistance Program (VAAP) provide customers with an assessment of their operational security posture and assist them in closing security holes before an incident occurs. The Department is also developing a standardized "red team" methodology and management process for use Department-wide. This methodology will address DII systems and networks as well as private sector products and services used by the Department. This approach to red teaming will be used during joint operations as a way to evaluate operational readiness postures of DoD Services and Agencies.
CRITICAL INFRASTRUCTURE PROTECTION
I would like to turn for the balance of this statement to the important topic of Critical Infrastructure Protection and highlight the current and potential challenges in assuring that infrastructure. I share your concerns that, without adequate assurance of the security and proper operation of our critical infrastructures, we are exposing the nation to increasing risk.
I would like to begin with an historical analogy. Every U.S. battleship that fought in World War II had its keel laid down before Pearl Harbor. Those battleships were available due to the foresight of naval planners, and their Congressional supporters, who took the steps throughout the 1930s to ensure that the ships, aircraft and facilities were ready when they were needed. Even though we suffered a grievous attack on Pearl Harbor, we had sufficient forces and infrastructure to recover and win.
Mr. Chairman, there will be an electronic attack sometime in our future. I don't think such an event is imminent, but when it comes, our ability to withstand it will depend in large measure on steps we take now and in years ahead. I am not warning that the sky is falling. We have time to prepare. But, just as our predecessors had the foresight to make the investments necessary to give us the robust forces and infrastructure that allowed us to prevail in World War II, so too must we take steps now to be ready.
However, there is an important difference today. Should an electronic attack come, it will likely not be aimed just at military targets, but at civilian sectors as well. Indeed, the Defense Department is rapidly shifting to private sector providers for goods and services and we can't afford to let our private sector partners be vulnerable. As a result, our preparations will have to be built through a series of partnerships: between the public and private sectors; among the executive branch departments and agencies; and between the executive and legislative branches.
As I noted above, DoD is very interested and involved in infrastructure protection issues and we are, and have been, taking steps accordingly.
In 1995 we created a directorate within the Office of the Secretary focused on infrastructure protection, specifically in anticipation of the growing importance of these issues.
We actively supported the President's Commission on Critical Infrastructure Protection and the Attorney General's efforts that gave rise to it.
We have established a Critical Infrastructure Protection Working Group to continue working and coordinating DoD infrastructure issues.
We are actively developing a Critical Asset Assurance Program focused on our own special structures, such as logistics, Space, and the Defense Information Infrastructure, as well as their interfaces to the related national infrastructures.
We have established crisis reaction centers to monitor our computer networks and react to indications of unauthorized penetration of our systems.
We have led the way in the Administration to seek stronger encryption tools to protect government computer networks.
We have created a classified Internet-like system and utilize state-of-the-art firewalls and protection features to protect that system.
We believe these efforts have laid the foundation for important progress and hope they can contribute to developing a "national" view. At the same time, I note that DoD is not directly responsible for the protection of any single infrastructure on a national basis. In emergencies, we primarily offer support to other Federal agencies, except for water, where the Army Corps of Engineers is the lead Federal agency under the Federal Response Plan. Nonetheless, we are dependent on all of the infrastructures - more dependent in many ways than most of the government because of the breadth of our activities. Thus, we are particularly interested in a coordinated approach to their protection.
In this context, I'd like to comment on the efforts of the recently concluded President's Commission on Critical Infrastructure Protection and its Chairman, Tom Marsh, who testified before you earlier today. The Commission has done a noteworthy job in raising government, industry and public awareness of the critical infrastructure assurance issues. Now that the Administration has received the Report, we have set about to conduct a thorough review of this significant issue for the President. This review, which will include Cabinet members of all the affected agencies, is looking at the recommendations of the Commission as well as other related studies. We are seeking to complete the review early next year and present a plan of action to the President at that time. We are look forward to working with the Congress during this process. I especially think that their recommendations to remove impediments to information sharing between government and industry will, if implemented, make significant contributions to increasing our ability to withstand attacks on the infrastructure. This will be an important part of the follow-up to the Commission's report.
I also want to reinforce the Commission's emphasis on building partnerships between the government and the owners and operators of the infrastructures. I believe DoD has much to offer in this relationship, through our understanding of security concepts and technology, along with the vulnerabilities of information technology and systems. We are strongly committed to share this knowledge with the private sector. Such partnerships are crucial, but there are some pitfalls, and we will need to build a balanced approach. For example:
We have to be careful not to give the impression that government wants to increase its involvement in the day-to-day operations of individual businesses. This is not at all the case, and few things will drive the private sector away like the potential for more government intrusion and regulation. "Government Knows Best" is not the message we want to send.
As a general principle, government should step in only when problems exceed the capabilities of the private sector and the remedies of the marketplace. However, in cases where there are no reasonable business reasons for companies to make preparations, such as to counter a coordinated, simultaneous attack against multiple infrastructures, then government should be prepared to provide economic incentives and support.
Even when threats are not imminent, government can use its purchasing power to help shape market place decisions. I will describe later some DoD efforts concerning encryption.
We need to involve state and local authorities in the partnership as well. This cannot be just a Federal effort.
I can't overstate how important it is to get the government- industry relationships right, because without them as a foundation, the value of all other efforts will be significantly diminished.
In searching for government-industry partnerships, DoD can offer one of the most successful examples: The National Communications System (NCS) and the President's National Security Telecommunications Advisory Committee (or NSTAC). For many years the senior industry executives of the NSTAC have offered sound advice on issues within the telecommunications sector, communicating their views directly to the President. This has been a particularly good working example of public-private sector cooperation, and might be used as a template in other areas.
While partnerships are developing within individual sectors, we also must explore whether new national structures are necessary to leverage those relationships to deal with infrastructure assurance problems on broader scales. The Commission's report and its recommendations regarding these national structures are being carefully considered by the government review process.
Turning away from structures, I would like to offer my observation that infrastructure assurance really must be addressed through several interlocking disciplines. These disciplines must be melded into a layered assurance strategy to provide the "protection-in-depth" required to deal with the complexity of both cyber and physical threats to our critical infrastructure elements.
First, of course, we must identify the infrastructures, their components, key nodes, interrelationships, and vulnerabilities. In itself, this requires extensive data gathering, analysis and information sharing. The Commission has compiled an extraordinary amount of material in this regard, and all of us will build on it in the days ahead.
We also must consider information assurance, which is not just information security, but rather the integration of functions to ensure that information is kept confidential, the sender and receiver can be identified and authenticated, and documents can be digitally signed with non-repudiation features. Furthermore, participants in a network must have confidence that information will be delivered reliably. In this context, denial of service can be just as devastating as manipulation of data or message content. Information assurance is crucial even in non- telecommunications networks because the control systems that run power grids, transportation systems, and most other infrastructures typically are digital and hence vulnerable to similar methods of attack. Within DoD we have conducted an extensive, yearlong examination of information assurance options, and expect to increase our R&D funding in this area. At the same time, however, I have not yet had the opportunity to analyze in detail the Commission's recommendations concerning increased funding for infrastructure protection in general.
Strong encryption is intimately linked to information assurance. I recognize that this is a very emotional public policy issue, and do not wish to make it the focus of this presentation. However, I would note that public key encryption requires a key management infrastructure (KMI) to be successful, and that the Administration is working hard to promote approaches which are interoperable internationally and which include key recovery features. Since I consider this to be the single most important thing we can do to protect our systems, I intend to use the Department's purchasing power to promote the use of key recovery-enabled encryption products in commercial applications dealing with DoD, and hope that this will help stimulate movements toward key recovery already underway in the marketplace. We are moving aggressively to implement digital signature and encryption technology throughout our Defense Information Infrastructure, addressing both our Command and Control and Combat Support needs. Digital Signature and Encryption, along with the Key Management Infrastructure that provides the services we need - including key recovery - are fundamental building blocks in our Information Assurance strategy for DoD Information Systems. Further, we will employ an increasing amount of commercial security technology within our DoD environment, as we partner with industry to enhance their products.
Traditional security disciplines, such as physical security, personnel security, and information security also are inextricably linked to infrastructure protection. While this discussion has focused mostly on cyber threats, physical damage resulting from everything from car bombs to natural disasters also can disable networks. This is exacerbated by the fact that the potential vulnerabilities inherent in networked systems are being magnified by several parallel trends. In particular the rapid evolution of technology, particularly information technology, has changed the way we do business in all sectors so rapidly that we do not always understand all the implications.
The proliferation of commercial off-the-shelf products may introduce security weaknesses, even as they allow us to add capabilities easily and cheaply.
Both government and industry are having difficulty recruiting and retaining technically qualified personnel in administering and assuring information systems. Together, these trends make it easier for the cleared insider or outside intruder, be they motivated by personal gain, disgruntlement, terrorism, or foreign allegiance, to cause significant disruptions on a broad scale. It also means that accidents or other random events may have much greater impacts than we have experienced in the past. Even absent an identifiable threat, these changes in infrastructures alone can magnify localized disruptions, which is what happened in the Western power grids in July and August 1996. Clearly, power outages are not new phenomena, but the point is that the fixes put in place to solve familiar problems may not be adequate for the more "closely coupled" world in which we now find ourselves.
In addition to these interlocking disciplines, we must consider the inter-dependencies of our infrastructures, which are not well understood. We all know that most sectors depend on telecommunications. But, for example, transportation is also highly dependent upon the financial system, many government services rely on transportation, all efforts ultimately are linked to energy, and so forth. Thus, we have to consider not only direct effects, but also secondary, tertiary and higher order impacts. Such potential disruptions are of particular concern to DoD because we must meet our operational commitments on very tight timelines across great distances, often outside the U.S. As such, we must focus special attention on those infrastructures related to executing our operational plans. I would note also that as we move forward with initiatives to make our infrastructure more robust, we must pay attention to making this transition in a coherent fashion. Because of the interdependencies in the infrastructure, we must "raise the bar" in a measured fashion across all of the related elements, making security improvement in a coordinated way that result in improved protection overall.
Because DoD has concentrated a great deal of attention on infrastructure issues, we feel we have much to share with others, both elsewhere in government and in the private sector. However, we believe we are essentially in a support role in most infrastructure emergencies. Other agencies, notably Treasury, Energy, Transportation and FEMA have lead agency responsibilities. Justice clearly has the lead for law enforcement issues, which are how many malicious infrastructure disruptions initially are characterized. Therefore we concentrate first on the compelling need to assure our own infrastructures and to pursue vigorously our own requirements, but we also are working with other agencies and related industries to improve collaborative procedures. For example:
We are working directly with Justice to provide technical support and assistance to assess the scope of infrastructure problems, develop analytical techniques and assist in responses.
We believe we must develop indications and warning capabilities and to find ways for other agencies to link into these capabilities. Indeed, we worked closely with the U.S. Intelligence Community in its first study on the indications and warning problems associated with cyber attacks.
We in DoD are working on a model for indications and warning and crisis management in a cyber environment. I consider this capability critical to meeting our national security mission. In developing this model, we will be working closely with the U.S. Intelligence Community, and law enforcement agencies, as they too have interests in this process. Since the problems we have encountered with indications and warning for telecommunications are similar to those we will have to deal with in protecting the other infrastructures, we are farther along than we might be otherwise in addressing this problem.
As Executive Agent for the National Communication System (NCS) the Secretary of Defense can expand on-going discussions with the telecommunications sector about defensive options.
Throughout the Government people are working to understand these issues, develop solutions, and then implement them. However, as we address these complex and interlocking areas, we can already see that infrastructure (and information) assurance issues have broad implications related to the strategic defense of the U.S. and the future roles for DoD.
One problem with cyber-attacks against infrastructure targets is that they may be the culmination of long-term, subtle, systematic intrusions. The preparatory phase could take place over several years, making it very hard to collate curious, seemingly unrelated events into a coherent picture. An attack also may take place over multiple jurisdictions, e.g., power grids or air traffic control nodes in several states. Our knowledge of the origin of such attacks, and their sponsorship, is likely to be imprecise. State, local and Federal authorities, as well as industry personnel and the general public, are each likely to have only part of the picture. In this context, the boundary between national security and law enforcement is blurred, as is the border between public and private sector responsibility.
In such an event, DoD must be very careful in the roles it plays, and for which it prepares. We have neither the authorities, nor the organization for police activities. Neither are we, nor do we want to become, an internal-security activity, though we do provide augmentation support to civil authorities and military support in cases of civil disturbance. Rather, DoD should be involved when an attack is targeted directly against national security assets, is more widespread and not localized, or when special technical expertise is required. However. unlike traditional attacks where DoD has had its own sensors and attack characterization capabilities, initial information about infrastructure attacks is likely to come through law enforcement or even private sector channels. Thus, solutions are needed on several levels:
We must find an appropriate way to link the various response communities so they can integrate their analytic procedures sufficiently to differentiate national security threats from law enforcement problems and then deal with them accordingly.
Regardless of whether it is Justice, DoD, or the private sector who should respond, a key weakness is our poor present ability to gather and correlate information from many sources and understand its implications (Indications and Warning).
An even more fundamental challenge in many cases is getting the information itself, and this simply cannot be done without the foundation of public-private sector information sharing I spoke of earlier. We cannot solve this by unilateral government efforts. We have to move together to solve this problem.
In conclusion, I would like to reiterate that I regard these issues as key elements of the Department's preparedness for its National Security mission. We cannot do it all, and need to work in concert with both other agencies and the private sector. Infrastructure protection, information assurance, encryption policy, and traditional security disciplines are intertwined in complicated ways. As I said before, I don't think the sky is falling, but we should proceed so that future historians, looking back, can say that we also were good stewards of our public trust in preparing to meet new challenges and threats. Our ability to execute our mission demands nothing less.
Again, I compliment the committee for increasing the awareness and attention to this critical issue in the era of information dominance and warfare. I thank you for the opportunity to present the Department's views.