Lieutenant General William J. Donahue, USAF
Communications and Information
States Air Force
distinguished members of the committee, I want to thank you for your
continued interest in this nationally important issue.
This is my third opportunity to provide testimony on this important
subject. Three years ago, the
Air Force had only begun its journey in establishing a strong network
protection posture. The Air Force was also in a transformation stage 3 years
ago--becoming an aerospace force--and Information Superiority was a
critical piece to making that vision a reality.
At the time of my appearance before you in 1997, every Air Force
base had an intrusion detection system; firewalls were new but they were
the exception; we were prototyping base network control centers; we
crafted our defense in depth security concept, known as the Barrier Reef;
and our Air Force Computer Emergency Response Team
(AFCERT) was a reality.
In 1998 with funding support from Congress, we undertook an
aggressive program to install network management systems and base
information protection (NMS/BIP) tools at 109 bases.
We installed firewalls, scanning tools, and network management
tools at our main bases. Our
concept of Operationalizing and Professionalizing the Networks was in full
swing--we were treating networks like the weapons systems they had become.
By the time of my 1999 appearance, we had established the AFCERT as
the Air Force component to the Joint Task Force for Computer Network
Defense and the Air Force had published its Information Operations
Doctrine. Every Air Force
base had a network control center with an initial network protection tool
set and we had begun establishing Network Operations and Security Centers
at our Major Commands. We
were wrapping up Operation DESERT FOX; and we were shoring up our defenses
as intrusion attempts into our base networks continued to grow.
Today, every Air Force base is protected by intrusion detection
systems and we scan our networks for malicious activity and
vulnerabilities. We have
upgraded our information protection tool sets with new technology and we
operationally task our Network Control Centers and report their readiness
through the Status of Resources and Training System.
We think we are running world class networks but the threats to
them are real and dangerous.
In my testimony today, I will focus my remarks on our operational
successes, the considerable threats we face daily, and the way ahead for
the Air Force.
Last year, US involvement in the Kosovo conflict illustrated
clearly the Air Force's ability to leverage information superiority for
combat success. Additionally, Operation ALLIED FORCE has been called the
first "Cyber War." Let
me illustrate with a few examples:
- Although our communications
networks were repeatedly subjected to probing, barrages of E-mail, and the
"virus of the week" program, our mission operations continued
Communications bandwidth requirements were not a significant limiting
factor for accomplishing mission objectives--we supported 40 contingency
sites in 15 countries with twice the capacity of that used during
Operation DESERT SHIELD/DESERT STORM.
- Reachback worked. Our information systems, consisting of both commercial
off-the-shelf and military communications equipment, enabled reliable,
timely reachback to the continental United States for intelligence,
logistics, and personnel support that otherwise would have had to deploy
- Predator unmanned aerial vehicle
images were transmitted to Beale Air Force Base in California, analyzed
and sent back to theater in finished form in less than 10 minutes. It also contributed to an extremely effective logistics
system where 93 percent of replacement parts were shipped to forward bases
in less than four days. This
allowed forces directly engaged in combat to average a 92 percent
mission-capable rate -- a rate higher than peacetime averages.
Despite our overwhelming success, we can’t underestimate the
dangers in the information age. Just
because we had little trouble defending ourselves last time does not mean
we are safe from cyber attack. Recall
that Serbian air defense systems knocked out two of our airplanes, they
were real, they were dangerous but in the final analysis they were not a
big player in combat operations. The
cyber attacks we experienced were also real and dangerous. But in the
final analysis, our information assurance posture caused the cyber attacks
to be nothing more than a nuisance and had little impact on combat
Similarly, we achieved a stunning victory in the Information
Assurance test of our lifetime--Y2K.
Our success in defeating the potential Y2K problem was a direct
result of senior leadership involvement and the hard work of all Air Force
members. Because of our
preparations, we came out of Y2K a better Air Force for the new
millennium. We tightened up
and tested continuity of operations plans, we eliminated over 390
non-mission essential systems and migrated others to less costly, more
efficient, common-use systems, upgraded our base-level computer and
telephone systems--the bottom line is we linked information assurance to
mission assurance in working Y2K and do so in our daily operations.
Threats and What We've Done
to Mitigate Them
Threats to Air Force information systems and our capabilities to
detect, prevent and defeat these threats are significant targets on my
scope. We are not only
implementing good information assurance tools, but we're emphasizing good
security policy and good business rules that ensure we deliver accurate
information to the warfighter anytime, anyplace.
We're facing a considerable challenge on the personnel front to
recruit, train, and retain qualified network technicians able to build,
run, and sustain the information technologies that enable us to be so
effective. The challenge is
compounded by the fact that this is a national problem--the shortage of
information technology talent is significant and impacts every
organization that is an information enabled, high performing enterprise.
While there are no simple and quick solutions to the people
challenge we must continue to operate.
Our program involves operationalizing and professionalizing the
network--organizing, training, and equipping Air Force network
professionals to do their jobs. From
the professionals who operate and maintain them to the users who depend on
them every day to accomplish their mission, we are holding everyone
responsible for information assurance.
Let me give you some examples:
- Over the past year, we developed a
standardized set of network Tactics, Techniques and Procedures designed to
incorporate rigor and discipline into operating, maintaining, and
reporting status of our networks. We
have established crew positions and identified the requisite training
requirements for those positions. Establishment
procedures instills even greater confidence in our operators' ability to
provide timely, reliable information to our warfighters.
- We have totally revamped initial
skills courses for our computer operators.
Today, we produce troops with good training on network operations
fundamentals who can dive into "on the job training" and rapidly
acquire a solid set of “journeyman” skills.
- We’ve funded Information
Assurance Computer-Based Training and Internet -Based Training courses
tailored to both users and system administrators.
Our first line of defense, our
network professionals and users, are well trained and poised to respond to
These efforts focus inward on what we’re doing to enhance our
personnel strengths. We must
also maintain our focus on mitigating the external threats to our
networks. Though the recent
highly publicized Distributed Denial of Service attacks did not affect any
Air Force systems, we are
just as susceptible to this kind of crippling attack as the commercial
sector. Individual hackers
and hacker groups have proliferated over the last year and we must remain
vigilant against the potential of these attacks every day.
Good networks, good procedures, good training, and good protection
tools are the bedrock of our defense.
Viruses also remain a potential threat.
Although we were able to stave off the "Melissa" virus
and sustained little damage, there are variants and new viruses that are
cropping up all the time. Again,
these examples provide a stark reminder that we CANNOT ever let our guard
We not only need to prepare for and protect ourselves from network
vandalism, but we must also treat our networks as the weapons systems
they’ve become. Whether
viewed offensively or defensively they are weapons systems.
I’d like to quote a recent news article that describes the target
“It is essential to have an
all-conquering offensive technology and to develop software and technology
for Net offensives so as to be able to launch attacks and countermeasures
on the Net, including information-paralyzing software,
information-blocking software, and information-deception software…
Modern high-tech warfare cannot win without the Net, nor can it be won
just on the Net. In the future there must be a coordinated land, sea, air,
space, electronic and Net warfare, and the state's determination will be
fully expressed in this mysterious theater space.”
reported in the 1 Nov 99 Washington Times, is from an article in China’s
Liberation Army Daily, the official daily newspaper of the People's
Liberation Army General Political Department.
Additionally, members of the PLA have laid out plans for Internet
insurgency in the People’s Daily. PLA
colonels wrote in Unrestricted Warfare, “A planned stock market crash, a computer
virus attack, making erratic the exchange rate of the enemy’s currency
and spreading rumors on the Internet about enemy leaders can all be
considered new concept weapons.” My
point--information warfare is not hyperbole--its real.
These articles indicate the Chinese are aware of the capabilities
of computer networks in warfare. Let
me point out what we are doing to mitigate threats to our information
- we are locking down our networks
- closing known vulnerabilities
- standardizing our base information
protection and firewall configurations
- installing automated anti-virus
software and alerting all units when a new virus appears
- using intrusion detection systems
- standardizing Internet scanning
We also developed and fielded a suite
of defensive tools for our deployed Network Control Centers and Network
Operations and Security Centers.
Way Ahead--The Next Step
We've accomplished a lot over the past year, but we must continue
to raise the bar. The future
looks bright and we have a number of initiatives under way that I'd like
Assurance Awareness. Three
years ago we began an initiative called Information Assurance Awareness
Month. During the month of
February, we emphasize awareness of Information Assurance issues.
Our point is that Information Assurance is everybody's business.
Our users must all realize their obligation to “fly the
network” securely, get the necessary training, and practice good network
We established a Network Center of Excellence at Keesler AFB for
training our network professionals and just recently graduated our first
class of skilled professionals. Training
is critical and in the information age it involves a continuous life of
We are working to complete our Phase II upgrades to our bases by
improving base information protection tools--installing additional
firewalls, upgrading software, and providing added training.
We have begun fielding an improved Intrusion Detection system that
will fill in the gaps of our current system.
Key Infrastructure (PKI). We
recently awarded an Air Force-wide PKI contract and have already begun the
first phase of issuing certificates to our members. This is just the beginning of increased security measures
across the board, using technology to enhance our security.
Information systems are more and more integrated into our command
and control and weapons systems. The
acquisition process must include planning for information assurance as a
fundamental step. Our
proposal for C4I support planning will ensure that information assurance
planning is embedded in the total system acquisition and sustainment
Decision Directive 63 - Critical Infrastructure Protection.
The Air Force is marching lockstep with the broad federal efforts
to protect our critical infrastructures.
We have functional community representatives for each critical
sector developing their Defense Infrastructure Sector Assurance Plans.
Additionally, the Air Force has taken on the task of protecting not
only the Global Positioning System (GPS) but also the whole national space
launch and range infrastructure vital to our nation.
I believe the Air Force is focused on the right issues and building
the programs that provide the best service and protection possible. Our
Air Force Posture Statement highlights the importance of Information
Superiority and Information Assurance; our programs demonstrate our
commitment. You can help us by supporting our Information Assurance and
base infrastructure programs. Our
Information Technology Exhibit (Exhibit 53) supports the Air Force effort
to leverage networked information systems that guarantee our Information
assurance is a high priority, and the Air Force is committing resources to
provide it, but we could still do more. Information infrastructure is number three on the Air Force
unfunded priority list. If
you have more top line resources, we’re ready to put the money to work.
The second thing you can do is strengthen the laws that relate to
computer intrusion, computer vandalism, and computer crime. The foundation of our Information Technology laws owes
its legacy to telecommunications law and specifically links back to the
Communications Act of 1934. It
was good and appropriate for its time.
However, the cyber world is moving at light speed and we need laws
that deal with this reality. The
ability to track down or search for hackers who vandalize web pages or
organized hacking groups who infiltrate information systems and extract
sensitive information CANNOT hinge upon outdated criminal or civil legal
processes. The law needs to catch up with the realities of cyber crime
and investigative needs by “out of box thinking” such as use of verbal
search requests and dedicated IT-trained approval magistrates.
It is our understanding that the Department of Justice is
considering legislation to address these issues, and any such effort
warrants your fullest attention. We
also need to send a clear and hard-hitting message--you violate the
computer network laws and we will hunt you down and hold you accountable.
In closing, let me say that this Nation has every reason to be
proud of its military. Throughout
the spectrum of conflict and in the competency of Information Superiority,
the US military has no peer. The
United States Air Force is organized to win, prepared for the future, and
committed to supporting our nation's security needs--anytime and anywhere.