WILLIAM H. CAMPBELL, USA
DIRECTOR FOR COMMAND,
CONTROL, COMMUNICATIONS, AND COMPUTERS (DISC4)
HEARING ON INFORMATION
SUPERIORITY AND INFORMATION ASSURANCE
Mr. Chairman and members of the Subcommittees, thank you for the opportunity to testify on these important matters. I will make a brief oral statement of about three minutes duration and submit my written comments for the record.
As the Secretary of the Army and Chief of Staff of the Army have testified, our Army today has the world’s best heavy forces and the world’s best light forces. But to respond effectively to 21st Century requirements, we must change. We must transform the Army. Our heavy forces need to lighten up, and our light forces need more staying power. Our transformation plans and the formation of brigades equipped with Interim Armored Vehicles will address these needs.
The Army will continue to change, but throughout the process the requirement for Information Superiority and Information Assurance will remain an imperative across the entire force.
On the battlefield our tactical forces must be digitized with modern computers and data transport networks to allow us to operate inside the enemy’s decision cycle. The Warfighter Information Network program and Tactical Command and Control System programs are designed to ensure our warfighters have information dominance. Battlefield Digitization remains a top priority. We will continue to give priority to the First Digitized Division and First Digitized Corps at Fort Hood, and we intend to equip the new Interim Brigade Combat Teams at Fort Lewis with the same digital systems being deployed at Fort Hood.
In the Institutional Army we must continue building a modern digital backbone on our installations. Our Installation Information Infrastructure Modernization Program is designed to be the enabler for providing power projection support from the sustaining base to deployed forces as well as the foundation needed to import best business practices from the commercial sector.
These initiatives, along with the information technology embedded in other programs, support the Defense-wide Global Information Grid requirements. We are committed to achieving seamless end-to-end connectivity from our installations to our deployed warfighters via the Defense Information Systems Network, which is the data transport and switching capability that ties it all together. We are committed to Joint interoperability and ensuring that our Corps are equipped to serve as Joint Task Force headquarters. We also remain committed to the Joint Tactical Radio System, which will enhance interoperability among Joint warfighters at the tactical level.
Information technology will enable the Army and our sister Services to dominate future battlefields. But this technology is also vulnerable to attack and exploitation. Consequently, we must build and sustain a robust Information Assurance program to provide Defense-in-Depth. We have made major improvements in protecting our networks. We monitor our networks on-line 24 hours per day. We have computer emergency response teams. Our Land Information Warfare Activity and its Information Dominance Center are world class. But this is a competitive environment and we must make continuous improvements to be able to respond effectively to actions that would exploit our networks or degrade them.
We are very grateful for the committee’s support for our Information Superiority and Information Assurance programs and solicit your continued support for our budget request in these critical areas. Thank you. I’ll submit the remainder of my testimony for the record.
Digitizing the Army
The Army must develop and deploy the enabling architecture and programs to achieve and maintain Information Superiority. We are using information technology to provide commanders at all echelons situational awareness through a common operational picture. With the answers to the most common questions about friendly and enemy force disposition visually depicted, the battlefield commander can focus on staying inside the enemy commander’s decision cycle and rapidly mass combat power at the critical time and location. Key features of the Army vision, such as power projection, split-based operations, reach back capabilities, and a reduced logistical footprint rely upon information superiority being delivered by our modernization programs. We will achieve Digitization of the Army by simultaneously Digitizing the Battlefield and modernizing the Installations with digital infrastructures, to provide end-to-end connectivity from the sustaining base to deployed forces at the pointed edge of the spear.
Digitizing the Battlefield
Digitizing the Battlefield is the application of information technologies to establish networks that will allow us to acquire, exchange, and employ timely digital information throughout the battlespace, tailored to the needs of each decider (commander), shooter, and supporter. This allows each to maintain a clear and accurate vision of the joint/combined battlespace necessary to support both planning and execution. The 4th Infantry Division at Fort Hood, our First Digitized Division (FDD), will be largely digitized by the end of calendar year (CY) 2000, followed by 1st CAV Division by the end of CY03, followed by 3rd ACR and the remainder of 4th ID, located at Fort Carson, CO, by the end of CY04.
The Horizontal Technology Integration Program continues to use technology to enhance unit interoperability. The Army Battle Command System (ABCS) is central to this effort. It is capable of integrating and delivering a common operational picture to the maneuver commander as well as serving as the integrator between higher level operational and strategic command posts and tactical field units. In addition to providing a common operational picture from subordinate and lateral units, the ABCS system gives commanders automated tools to plan and execute all aspects of a military operation and provides seamless connectivity to the supporting installation.
All this data requires extensive bandwidth to move the information where it is needed on the battlefield. Our current battlefield technology can only push a meager 16 Kilobits of data to a brigade Tactical Operations Center (TOC). The Warfighter Information Network (WIN) will use military and commercial technology to move the data from supporting installation to the deployed warfighter. We require additional resources for the WIN system to convert three ARNG Mobile Subscriber Equipment (MSE) Signal Battalions from Digital Group Multiplexer configuration to Transmission Interface Module configuration. The conversion makes these battalions fully interoperable with the rest of the Army’s Signal Battalions and is required prior to the fielding of the Tactical High Speed Data Network upgrade. This upgrade significantly enhances the data hauling capacity of these battalions. The WIN system integrates communication platforms from the strategic to tactical level. It is comprised of Power Projection Platforms, Satellite Transport, Tactical Information Systems, and Network Management.
Expanded satellite bandwidth is essential to the Warfighter Information Network. Commercial satellite systems alone cannot meet the military’s unique requirements. The Defense Satellite Communications System (DSCS) will be accessed through ground station terminals, providing worldwide high data rate throughput. The MILSTAR system with its anti-jam capabilities will provide assured connectivity in high threat and jamming scenarios. The 4th MILSTAR satellite is required to provide protected communications coverage needed to support deployed warfighters and training. The Global Broadcast System terminals will receive a continuous flow of data from higher echelons. The deployed warfighter will access these robust reach-back communications platforms via ground-based terminals such as Secure Mobile Anti-Jam Reliable Tactical Terminal (SMART-T), SHF Tri-Band Advanced Range Extension Terminal (STAR-T), and Single Channel Anti-Jam Manportable Terminal (SCAMP). These tactical terminals are multi-service satellite access platforms that will provide the requisite bandwidth to link the warfighter and their information systems to the sustaining base. The deployed JTF backbone bandwidth will be managed by Integrated System Control (ISYSCON) and the follow-on Joint Network Management System (JNMS).
The Force XXI Battle Command Brigade and Below (FBCB2) system is the device that brings situational awareness to the boots-on-the-ground warfighter. This system, accompanied by the Tactical Internet that provides connectivity, is the center of gravity for situational awareness in Force XXI. It provides soldiers in individual weapons platforms, tactical vehicles, and Tactical Operations Centers (TOC) with real-time situational awareness across the entire Brigade Task Force, as well as providing Joint and Multinational capabilities.
FBCB2 generates and transmits position location reports, distributing them to friendly forces throughout the battlefield. It receives similar reports from other friendly units equipped with FBCB2 and posts them to a digital situation map in each platform or facility. The system sends and receives spot reports on the enemy as well as logistics and command and control messages. Collectively, these data provide a common picture of the battlefield. Even in its most basic mode, it provides real time answers to the questions: “Where am I? Where is the enemy? Where are my buddies?”
FBCB2 is also being integrated with other on-board systems to enhance performance. For example, an interface to laser range finders will enable it to automatically compute and disseminate spot reports on the enemy and send Calls for Fire to bring artillery on the target.
The Tactical Internet is the glue that ties FBCB2 systems together digitally. It is formed by the integration of tactical digital radios, combat net radios, and commercial Internet technology. Primary components are the Single Channel Ground and Airborne Radio System (SINCGARS) radio used in a data mode, the Enhanced Position Location Reporting System (EPLRS), and the Near Term Digital Radio (NTDR). We will continue to optimize the Tactical Internet and accelerate the development of the Joint Tactical Radio System (JTRS). JTRS, a secure, multi-band, multi-mode digital radio, will replace existing radios at the tactical level and is the last leg in the link to the warfighter to provide internetted Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) capabilities from installation to foxhole. It will provide the waveform commonality and increase in bandwidth necessary to implement Network Centric Warfare.
Digitizing the Installation
The corollary to Digitizing the Battlefield is Digitizing the Installation. It is essential to link deployed forces to the installation that supports them. The Army’s name for installations that serve as the Corps rear boundary is Power Projection Platform. For these installations to be effective, they must have major improvements in automation, communications, and business practices as we build Force XXI.
A key initiative that will enable the Army to achieve economies in our day-to-day core functions and support power projection is called the Installation Information Infrastructure Modernization Program (I3MP). I3MP is essential to the entire digitization process because it provides linkage to deployed forces, enables split based operations, provides connectivity to the Global Combat Support System (GCSS) and Global Command and Control System (GCCS), and links directly into the ABCS system of a Brigade TOC when required. This project expands the digital infrastructure of Army installations and enables us to "import best commercial practices.” I3MP consists of four components: (1) The Outside Cable Rehabilitation (OSCR) program which installs a high capacity fiber network on our installations, similar to the main roads; (2) The Common User Installation Transport Network (CUITN) which provides the ‘branch networks’ off the main fiber backbone; (3) the Army DISN Router Network (ADRN) program that links the installation into the Army networks; and (4) the MACOM telephone modernization program that provides modern digital telephone systems to the installations. We require additional resources to accelerate fielding the infrastructure at Anniston Army Depot, Ft Eustis, Ft Dix, Ft. McPherson, Ft. Sill, Ft. Lee and Ft. Knox.
The new Army Vision calls for a “reduced logistics footprint” through the effective use of information technology. The Revolution in Military Logistics depends on the next generation digital infrastructure on our installations to achieve the vision of a seamless logistics system with Electronic Commerce, Total Asset Visibility, Rapid Force Projection, just-in-time supply, and Distribution-based Logistics. Programs such as the Joint Computer-aided Acquisition and Logistics Support (JCALS) program, will help us realize the efficiencies required by the Defense Reform Initiatives. Global Combat Support System-Army (GCSS-A) provides the Army link to the DoD-wide standardized logistics systems and serves as a business and tactical automation enabler for the total Army Combat Service Support mission area. With all these systems, we must have the digital infrastructure that these areas require to import commercial best practices.
Keeping up with Technology
To maintain Information Superiority, the digitized systems must stay current with technology. We have to be able to insert modern technology into existing systems rapidly. With Moore’s Law accurately predicting a doubling of processing power every 18 months, this demands a revision our acquisition methods. The development cycle itself must be in short spirals with “Beta” releases of software for user assessments in operational environments before full system maturity is reached.
The FBCB2 program is addressing this situation in an innovative Low Rate Initial Production (LRIP) process. During the LRIP, we are building 5,952 ruggedized FBCB2 appliques on two production lines over a three-year period. We will prove out the production lines with competitive sources, using a common chassis in all years, but differing “then-year” commercial technology will be used inside these chassis. The LRIP will validate the ability to build systems that can effectively use the same software even though the hardware and firmware inside the chassis changes as time and technology progress. If the LRIP is successful, we will be able to execute the program over many years without fear of technological obsolescence and without the need for a separate technology refresh program, because we will modernize through spares when maintenance actions are required. The LRIP systems will be fielded to the digitized forces as soon as they are available to support training the development of doctrine, training, tactics, techniques, and procedures, and operational testing. These are all essential elements toward a full rate production decision. The ability to modernize through spares will also help to reduce the logistics footprint because obsolete parts will no longer need to be stocked. On December 21, 1999, OSD approved the FBCB2 Acquisition Program Baseline, authorizing LRIP for 5,952 units through FY02. First delivery of systems from the LRIP production lines will occur in June 2000.
The benefits realized by our networked system of systems provide us with the synergy of collaboration and rapid dissemination of information in a low-cost, reconfigurable environment. However, this environment, by its open, shared nature is vulnerable – the Internet exposes connected networks to malevolent actors on a global scale, where solutions become a race against time. We are fully engaged to support and expand existing initiatives and to implement programs necessary to ensure a robust Information Assurance (IA) program for the future.
In two years, the department has moved from having no systematic capability to detect and respond to incidents and intrusions to being able to document and respond to 3,077 incidents and 58 intrusions during FY99. Another example of our robust IA program is that at the end of FY00 the IA training base will have provided 2,760 training seats to train and certify System Administrators.
The overarching Army IA program is titled the Network Security Improvement Program (NSIP). The NSIP is a comprehensive agenda of innovative policies and procedures, state-of-the-art hardware/software technological security solutions, and new training initiatives designed to protect the Army’s critical information infrastructure from the sustaining base to the deployed force. In addition to establishing the Army’s Perimeter Defense posture, the NSIP implements a Defense-In-Depth strategy that uses technical solutions where possible to defend the networks and infrastructure, the enclave boundaries, and the computing environment down to the workstation.
The Army NSIP is consistent with guidance in the OSD Defense-Wide Information Assurance Program (DIAP), DoD IA Guidance and Policy Memorandum No 6-8510, and DISA and Joint Staff IA efforts, as well as direction provided in the Army Modernization Plan and from the Vice Chief of Staff, Army (VCSA). The Army NSIP implements a Defense-in-Depth strategy to establish and maintain an overall IA posture across the Army portion of the Global Information Grid (GIG).
Major Program Elements
Awareness of Cyber Attacks
We have developed a plan to ensure department-wide awareness of cyber attacks. The Army fielded a Perimeter Defense capability consisting of security routers and centrally monitored Intrusion Detection Systems (IDS) at all 168 Army gateways to the Defense Information Systems Network (DISN). Centrally monitored host-based IDSs are also installed on approximately 500 critical servers. The Army’s Regional Computer Emergency Response Teams (RCERT) and Network Operations Centers (NOC), located in Mannheim, GE; Ft. Shafter, HI; Camp Walker, ROK; and Ft. Huachuca, AZ provide synergistic 24 hour centralized monitoring of the status of all networks and systems. Intrusions into Army networks and systems are reported to the Army CERT/Coordination Center (ACERT/CC) at Ft. Belvoir, VA for follow on reporting to the Joint Task Force – Computer Network Defense.
“Positive Control’ Reporting System
We have an advisory and reporting system that ensures Positive Control. Initially defined in a June 1998 SECDEF policy message, “Positive Control” was formally promulgated in a December 30, 1999 DEPSECDEF memorandum and is now called the Information Assurance Vulnerability Alert (IAVA) process. Army has made IAVA a command responsibility and directed that each Major Command (MACOM), Program Executive Office (PEO), and Program Manager (PM) appoint an Information Assurance Officer (IAO) responsible to the commander for implementing IAVA. Each MACOM IAO has made an IAVA “chain-of-command” with IAOs at each echelon creating a list of all network managers and system administrators responsible for implementing DoD directed IAVA corrective actions. The ACERT/CC receives DoD directed IAVA messages, tailors them to Army specific situations, and disseminates them to IAOs Army-wide. MACOM, PEO, and PM IAOs acknowledge receipt of the IAVA messages and report compliance. Starting in the 1st quarter FY00, the Army started a program to verify compliance with IAVA directed actions. The Office of the Director of Information Systems for Command, Control, Communications, and Computers (ODISC4) is responsible for the program. The Army Audit Agency (AAA) and the Army Criminal Investigation Command (CID) provide frameworks for executing the compliance verification process. After a short transition period, the Army Reserve will start providing support to ODISC4 in 3rd Quarter FY00, providing technical scanning expertise to IAVA verification and compliance.
The Army has implemented a series of actions to institutionalize threat/risk analysis. We began this process by establishing priorities for conducting vulnerability assessments of all systems comprising the First Digitized Division (FDD). Primary emphasis was placed on Command, Control, Communications, and Intelligence (C3I) systems. These C3I systems are undergoing rigorous Information Operations Vulnerability/Survivability Assessments. The Army further established and implemented a Vulnerability Assessment policy for information technology to evaluate real or potential Information Assurance (IA) vulnerabilities for all centrally procured information technology-based systems. A series of synchronization events (a.k.a. developmental Red Teaming) are used to identify vulnerabilities of “system of systems” throughout the spiral development process for FDD. To document the results of testing for future use in network and materiel developments, the Army is developing a centralized vulnerability database. This database will serve as a repository for generic software and system-specific vulnerabilities and corrective actions.
Land Information Warfare Activity (LIWA)
Our Land Information Warfare Activity has set priorities for operations that complement our overall IA program efforts. They support contingency operations such as the Balkans, Force XXI initiatives such as the Army Experimentation Campaign Plan, combat training center exercises at service schools such as the Command and General Staff College, as well as operational Computer Network Defense Issues. LIWA has established Field Support Teams that provide full-spectrum Information Operations (IO) support for contingency and exercise operations to Army units.
Information Dominance Center (IDC)
The Information Dominance Center, a facility within the LIWA, provides for a collaborative, multi-sensory, operational environment for simultaneously planning, synchronizing, and executing information operations. It employs nontraditional approaches (e.g., a unique open physical work environment and state-of-the-art technology to enhance intellectual creativity) to portray information that is contextually relevant to decision makers in near real time.
employs nontraditional processes to continually harvest structured (e.g.,
multi-disciplined intelligence feeds, multiple network and system sensor
data, and open source material) and unstructured (e.g., video, audio, and
content within text) data to identify information centers of gravity.
Data is organized by thematic content matched to world events
within a temporal context to make sense (contextual relevance) out of what
may appear to be anomalous data.
IA Funding Considerations
Currently, our funding supports the areas mentioned by providing encryption devices, firewalls, secure routers, intrusion detection systems and other key pieces of security equipment. It provides for training of IA personnel, vulnerability assessments, modeling and simulation, and tool development for the tactical environment. We test the integration of all our tactical systems through network synchronization events.
While no level of funding for the Information Assurance program will eliminate all risks, we need continued support to ensure that we do not increase those risks. Our current concerns include life-cycle support for tactical IA tools, engineering support for security architecture, and support for certification and accreditation of emerging architectures. We will continue to need tools, personnel, training, and response infrastructure that stay current with the technology and the threat. We need additional resources for Secure Terminal Equipment, and to support the full scope of requirements at the COMSEC Logistics Activity (CSLA) and Tobyhanna Army Depot to manage, support, sustain, and maintain INFOSEC and COMSEC systems. Other resource requirements will support assessment of vulnerabilities in our tactical systems and networks and broaden our current focus beyond assessing Command, Control, Communications, and Intelligence (C3I) systems. It would include vulnerabilities imposed by the remaining systems comprising the digitized force, and those imposed by legacy systems in our tactical environment. Lastly, it will be used to hire additional computer security incident handlers to enhance LIWA’s response capabilities.
The Road Ahead
Not only must we continue to support current initiatives, but we must also look at the road ahead. It is important to realize that Information Assurance requires a holistic approach and that it requires continual maintenance. We must continue to develop the synergy between the policies, personnel, procedures, and tools in the future. To this end, we have several initiatives underway to ensure the sanctity of Army networks into the future.
The Army has been active in pursuing biometric technologies as an identification and authentication access device into Army computer networks and information systems in place of passwords. This would deter unauthorized network access. We recently received reports from our contractors on the social/legal and ethical implications of using Biometrics technologies and the potential need for a facility to house a Biometrics Repository and a COTS Biometrics Sensors Test and Evaluation Center. These reports are under Senior Management Review, which will solidify our programmatic focus.
The current Biometrics effort was initiated through a Congressional add-on of $15 million in FY00. This money is being used to establish initial program direction and a long-term funding profile. For that reason, we will depend upon additional Congressional add-ons in FY01 to ensure the program’s success.
Public Key Infrastructure (PKI)
The DEPSECDEF identified the use of Public Key technology to safeguard and protect our information assets in open networks. The Army’s Public Key Infrastructure (PKI) will be an integral component of the DoD PKI. PKI will be one of the key components of the Army’s Information Assurance program and an enabling technology in the Army’s Electronic Commerce/Electronic Business program. The foundation of the Army PKI initiative is the May 6, 1999 DEPSECDEF memorandum outlining the DoD PKI program. That memorandum establishes a very aggressive schedule to achieving an integrated DoD wide Public Key Infrastructure supporting a broad range of security-enabled applications, and providing for secure interoperability with other Federal, Allied, and commercial entities. Within the past nine months, the Army has identified its initial infrastructure requirements, and obtained funding to satisfy those requirements. An Army Implementation Plan has been developed. We have validated a requirement for a PKI Product Manager and are now in the process of staffing that organization. In November 1999, the DEPSECDEF directed the merging of the DoD Common Access Card Program with the PKI initiative. We are now in the process of determining the impact of that merger.
Additional funding is necessary to accelerate the implementation of PKI and PKI enabled applications across the Department; procurement of Secure Terminal Equipment (STE) to replace aging and outdated STU-III equipment; procurement of Secure Wireless Communications; and development/purchase of tools for real-time detection, collection, and analysis of attack sensing and warning data.
There is an urgent need for development and clarification of a legal framework that reflects the realities of the Information Age and the nature of cyber attacks. Deterrence, detection, tracking and identification of perpetrators will be very difficult unless the current legal framework changes. Currently, the laws do not favor the defender and greatly favor the attackers.
Electronic Commerce/Electronic Business
Conducting business on the Internet will only increase. We must ensure that the provisions have been put in place to provide consistent and timely common user services, architectures, and standards, and to encourage insertion of commercial best practices. E-commerce will be key to redesigning our business processes and providing seamless information flows and application of information technologies.
IT Personnel Shortage
In July 1999, the Army’s Senior Information Operations Review Council proposed an IT/IA Workforce Issues study of manpower recruiting, retention, training, and career field challenges and actions needed to enhance these areas. The results of the survey led to specific recommendations and the development of Program Objective Memorandum (POM) requirements, including: the creation of military/civilian recruiting and retention professional development incentives; training and certification requirements for specific career fields; and expansion of IT training capacity in CONUS and OCONUS locations. Key to future training initiatives will be the ability to establish and maintain a modern curriculum of IT/IA educational opportunities and to make those opportunities available via the latest distribution techniques. Additionally, we must receive support for establishing a professional pay differential if we are to be competitive with industry in maintaining quality personnel.
Information Superiority and Information Assurance are imperatives. The Army has given both a very high priority. Both require strong support for continuous evolution to give our warfighters the critical edge needed to defend the Nation’s interests in the 21st Century. Thank you for your continued support and for the opportunity to address these critical requirements today.