Statement of The Honorable John J. Hamre

Deputy Secretary of Defense

Information Superiority is essential to our capability to meet the challenges of the 21st Century. It is a key enabler of Joint Vision 2010 and its four fundamental operational concepts of dominant maneuver, precision engagement, full dimensional protection and focused logistics – because each demands obtaining, processing, distributing and protecting accurate information in a timely manner while preventing our adversaries from doing so. Without achieving Information Superiority we will, very simply, not be able to achieve the goals established in Joint Vision 2010.

The other witnesses here today will provide the details, particularly with respect to developments in our information infrastructure and the warfighting capabilities that depend on these information systems. What I would like to do is emphasize the importance of the defensive efforts necessary to maintain the basis for Information Superiority.

Information technology has provided us with a means to insure a military advantage over our adversaries while actually reducing our force structure. These technologies have made precision strike and focused logistics possible. They allow us to hit a target with one missile, and manage our logistics requirements so efficiently that we can move forces much farther and quicker – and sustain them – than we have ever been able to do before. Similarly, information systems are essential to the situational awareness needed to achieve dominant maneuver and full dimensional protection. But our dependence on these systems, and their ubiquity in every aspect of our operations, has made us vulnerable should they be disrupted. The same technologies we employ to such advantage are readily and cheaply available to our adversaries. And because they are so inexpensive and accessible, the range of adversaries that can potentially cause great disruption has broadened considerably. We no longer have the luxury of focusing our defense, as we once did, on just our peer competitors. We now have to establish defenses that will defeat attacks by our major adversaries as well as the terrorist, hacker, and disaffected insider – and the latter is a significant challenge. In the past much of our defensive efforts were to protect our offensive capabilities. Now we have to protect an extensive DoD information infrastructure – virtually all of which depends upon the commercial communications networks – as well as the other critical Defense infrastructures it supports, because we simply cannot conduct and sustain offensive operations without these critical infrastructures.

I am not at all concerned about our ability to develop and employ the information technologies needed to achieve the offensive goals of Joint Vision 2010. But I am very concerned about our ability to defend the information systems that make actual offensive operations possible.

I have talked to you in the past about many of our efforts that focus on information assurance. We established a Defense-wide Information Assurance Program to bring a comprehensive approach to this almost overwhelming challenge of building and sustaining a secure information infrastructure. After ELIGIBLE RECEIVER, SOLAR SUNRISE and other such events, I think everyone in the DoD now understands that because of our interconnected information systems we are in a shared-risk environment.

ELIGIBLE RECEIVER was the first large-scale exercise designed to test our ability to respond to an attack on our information infrastructure. Designed to test DoD planning and crisis-action capabilities, it also evaluated our ability to work with other branches of government to respond to an attack on our National Infrastructures.

ELIGIBLE RECEIVER revealed significant vulnerabilities in our Defense information systems and the interdependence of the defense and national information infrastructures. It showed that we had little capability to detect or assess cyber attacks and that our "indications and warning" process for cyber events was totally inadequate.

SOLAR SUNRISE was not an exercise. It was a series of attacks during the month of February in 1998 that targeted DoD network Domain Name Servers, exploiting a well-known vulnerability in the Solaris Operating System. The attacks were widespread, systematic and showed a pattern that indicated they might be the preparation for a coordinated attack on the Defense Information Infrastructure. The attacks targeted key parts of Defense Networks at a time we were preparing for possible military operations against Iraq.

SOLAR SUNRISE validated the findings from ELIGIBLE RECEIVER and served to focus the legal issues surrounding cyber attacks. Because of the world situation it was a high interest incident that significantly increased pressure for a quick response. It also demonstrated the need to establish a standing response team.

Because of the ELIGIBLE RECEIVER/SOLAR SUNRISE experience, we have taken the following defensive actions:

Increased our situational awareness by establishing a 24 hour watch.

Established positive control over the identification and repair of information systems at risk.

Installed intrusion detection systems on key system nodes.

Expanded computer emergency response teams to perform alerts, critical triage and repair.

Developed contingency plans to mitigate the degradation or loss of networks.

Improved our ability to analyze data rapidly and assess attacks.

Are working with the NIPC, teaming with law enforcement agencies, and have developed procedures to share information with the private sector.

Increased red team exercises to improve our operational readiness.

Dependence on these interconnected information systems and networks will only increase as we move into the 21st Century and towards Joint Vision 2010. We cannot eliminate this "networked dependence," so we have to meet the challenges of Computer Network Defense, even as we change our systems to make them less susceptible to attack. Defending a computer network is a significant challenge and the challenge is increasing daily. Actually, it is a set of very significant technical challenges and associated legal and social issues. There are significant technical problems with characterizing and attributing attacks in complex networks that have no real borders. And as we develop technical solutions, we inevitably find ourselves immersed in a host of policy and legal issues – law enforcement versus national security interests, domestic versus foreign intelligence – while trying to work significant operational problems requiring the most urgent attention.

To address the operational response problem in a coherent and integrated manner we recently activated a Joint Task Force for Computer Network Defense. Established in December 1998, it is directly responsible to the Secretary of Defense. The Joint Task Force is, in conjunction with the CINCs, Services and Agencies, responsible for coordinating and directing the defense of DoD computer systems and computer networks. Its mission includes the coordination of DoD defensive actions with non-DoD government agencies and appropriate private organizations. This is a major first step in restructuring the Command and Control regime in the Department to address the incredible importance of computer network defense in both our warfighting and business operations. It is Washington-based to provide interagency access and leverage established relationships with the FBI, CIA, DIA and NSA. It provides a single, accessible DoD point of contact with the NIPC. And it is co-located with DISA so that it can leverage their technical and operational capabilities: their network management center, an established 24 hour operations center, and regional operations centers with CINC liaison. Co-location with DISA also facilitates coordination with the National Communications System.

It is important to understand that we will always have to deal with a network of interlocking and interdependent information infrastructures that serve an ever-expanding set of interrelated communities. We cannot avoid this global interaction. And we, DoD and the US Government, will have relatively little effect on its evolution. We must take advantage of it, understand its perils, and design an appropriate level of security into our systems and procedures. We have to learn to adapt our security practices to the global environment.

The world is an increasingly dangerous place. As we’ve improved our ability to monitor network activities, the number of probes, intrusions, and cyber events we can observe continues to increase. We now are detecting 80 to 100 events daily. Of these approximately 10 will require detailed investigation.

We also must recognize that the interconnected nature of the information infrastructure, and the increasing availability and sophistication of hacker tools, places any information improperly secured immediately at risk. We are increasingly concerned about those who have legitimate access to our networks – the trusted insider.

We have taken significant steps to increase our internal security and security awareness. Internet exploitation operations can be executed remotely, from any country. They can be completely anonymous, done in real time and automatically. There are extraordinary resources available to the data "miner." Our own "red team" assessment of DoD information available on the Internet revealed some very sensitive material. We recently completed a major examination of all the information the Department has on the Internet and have instituted stringent procedures to insure that classified or sensitive material is not inadvertently accessible.

The Secretary has also instituted a policy to insure that every individual in the DoD with access to Top Secret or a specially controlled access category or compartment make an oral attestation that they will conform to the conditions and responsibilities imposed by that access. We are using this as a means to reinforce to DoD personnel the significance of the responsibilities associated with access to this information.

We have taken significant steps to improve our counterintelligence posture by moving to a risk-based model for counterintelligence and security. We have undertaken three notable actions in this regard.

First is the establishment of a Defense Joint Counterintelligence Program (DJCIP). The DJCIP will focus on mitigating risks posed by foreign intelligence service and terrorist threats to the Department’s critical information systems, critical infrastructure, and critical technologies.

Second is the establishment of the Joint Counterintelligence Evaluation Office (JCEO). The JCEO will ensure that the senior DoD leadership is informed, in a timely manner, of significant counterintelligence investigative activity. Significant activity includes foreign intelligence threats to DoD critical technologies, information infrastructure, U.S. military operations and personnel. The JCEO brings focus to the counterintelligence/insider threat that we have not had before. I cannot emphasize strongly enough the seriousness of the insider threat to our information systems and, through those systems, to the Department’s operations. Over the past year, the JCEO has ensured that the senior DoD leaders were kept informed, on a regular basis, of the investigations involving the insider threat. The JCEO has also increased the sharing of information, where appropriate, with agencies that have equities in the investigations.

Third is the establishment of the Defense Computer Forensics Laboratory (DCFL) under the Defense Reform Initiative. The DCFL is responsible for counterintelligence, criminal and fraud computer evidence processing and analysis in the Department. An associated training program provides computer investigation training for the above disciplines and for Information Assurance specialists. The DCFL works in close cooperation with the National Security Agency and the FBI.

We also recognize that our dependence on the information infrastructure extends into our other critical infrastructures. We have reorganized within OSD to bring information assurance and critical infrastructure protection together. We have developed and are now implementing our Critical Infrastructure Protection plan. We’ve identified a discrete set of critical infrastructures such as logistics, financial services, space, and transportation. These are DoD infrastructures upon which the warfighter, and our business operations that sustain the warfighter, are completely dependent. All of which are also completely dependent upon the defense information infrastructure. We have, as part of our plan, identified Lead Components responsible for coordinating the overall assurance of these infrastructures. For just as the information systems they depend upon, these critical infrastructures are networked structures that are interconnected and interdependent, making them highly susceptible to disruption. We can no longer treat them as independent Service or Agency entities – they too are part of the shared risk environment.

So where do we go from here? What is the way ahead? There is no simple or single solution. Our strategy is a multidimensional approach. We must have trained and disciplined personnel. We must improve our operations. And we must be innovative technologically. We have to recognize that information technology is critically important to all the DoD critical infrastructures. And we must implement this strategy through a comprehensive, coherent, and integrated Defense-wide information assurance program.

We are employing a defense in depth security model and changing our basic approach to constructing networks. A major effort is underway to fundamentally restructure the Defense Information Infrastructure into a defendable Global Networked Information Enterprise (GNIE) – a new concept of how the Department will meet its information needs. We are moving forward towards a robust, multi-level DoD Public Key Infrastructure that can provide the required range of assurance and data integrity services as well as permitting segregation of the network into communities of interest. This will allow us to limit the extent of the damage an intruder can inflict. We are increasing our deployment of more sophisticated intrusion detection and monitoring technology. We are strategically partnering with industry to foster an open security framework and development of security enabled products. We are investing our R&D dollars for highly assured products and systems and for real-time monitoring, data collection, analysis and visualization.

We have activated the JTF and are expanding our CINC, Service and Agency Computer Emergency Response Teams. We are instituting a real-time network monitoring and reporting structure. We have established positive control through our information assurance vulnerability alert process. We are establishing a continuous vulnerability analysis and assessment program, and are increasing our red team assessment capability. We have much improved our ability to perform long-term trend analysis, thereby identifying certain types of sophisticated attacks.

We are increasing our information assurance training and awareness effort. We are looking closely at certification and retention issues for personnel performing key functions – the system administrators and system maintainers. And we are examining an expanded use of military reserves.

Substantial progress has been made, but it’s a journey, not a destination. There is a lot more that has to be done in virtually every area that I’ve mentioned today. But only by recognizing this challenge, and meeting it, can we realize the military potential afforded by achieving Information Superiority.