Good afternoon, Mr. Chairman, Members of the Committee, and staff. I am Rear Admiral Dick Mayo, currently serving on the Navy staff as Director of Space, Information Warfare, and Command and Control.
I am pleased to be here to discuss what I believe are two of the
most important areas we are facing today in the Navy—Information
Superiority and Information Assurance.
The United States Navy is in the midst of a transformation that
capitalizes on the awesome potential of advanced information technology,
and the topics of this hearing go to the heart of all our basic
Information Age challenges. In
a strategic sense, this now includes the dimension of cyberspace.
We must use cyberspace well to influence events, and we must
protect our access to cyberspace. Operationally,
using networks to host this new medium provides a significantly increased
advantage to our warfighters. We
have made tremendous strides in the last several years realizing this
potential, and it is more important than ever that we maintain this
I would first like to offer our current perspective on Information
Superiority, then discuss Information Assurance, and finish with our
"entry fees" to both of these.
Network Centric Operations
Since the release of Joint Vision 2010 first focused awareness on
the subject, many new insights have been gained.
Navy is fully engaged in the pursuit of Network Centric Operations
as our capstone concept for bringing networked organizations and
technologies to bear in the battlespace.
It leverages the distributed networking of our people, information,
weapons, and sensors to achieve faster and significantly improved effects
with smarter, more adaptive performance.
As we have started fielding our networks, and experimented and
operated with them in the real world, we have brought additional insights
into our new concept for Knowledge Superiority, building upon our original
appreciation of Information Superiority.
provides a strong perspective on the value of organizational and human
dynamics, and how these networked organizations behave to yield truly
powerful benefits. Knowledge
Superiority focuses on people; what they know; how they bring that
knowledge together; and, how they put that knowledge into action to gain
the advantage and take the initiative.
This power comes primarily from three main network features: first,
the nearly universal access to information; second, the use of rich
collaboration venues among interested and knowledgeable parties; and,
third, smartly applied decentralized authority to act quickly and
knowledgeably at the local “points of tactical contact.”
These “points of tactical contact” are where we most want
adaptability, speed, precision, and agility.
By giving our Sailors the ability to access the nets, collaborate,
and innovate—and the trust to act professionally and appropriately to
achieve our goals—we ensure Navy's operational success.
Investment and Policy Choices Determine the Degree of
I want to emphasize this
point about empowered capability first because it is absolutely vital to
recognize that the choices we make about the connectivity and applications
available to our people will determine our approach to warfighting.
Where we place our network connections, what connectivity is
available, what network applications are provided, and how reliable they
are, will determine how our Sailors will be able to achieve their goals.
We should be careful not to lock out options, especially when our
greatest advantage is the battlefield innovation repeatedly demonstrated
by our own people who constantly impress us with new combinations of
actionable knowledge, followed by the unique and powerful application of
capabilities that we did not previously imagine.
Our momentum must be maintained in delivering tools to our Fleet for a highly distributed, generally decentralized, fully empowering capability to realize our innovative Information Age potential. This mentality must form our choices concerning connectivity, applications, and network control and management. We must enable our Sailors to the fullest extent possible so as to allow them to control their combat destiny. Indeed, we should always err on the side of empowerment because I am eager to let the Sailors themselves tell us what we need to win our future wars.
Here is what they are telling us. During Operation ALLIED FORCE in Serbia and Kosovo, the SIPRNET (Secure Internet Protocol Router Network) literally replaced regular naval messages as the primary means for communication and coordination among our staffs and ships. The medium is so much faster and more personal that it has become absolutely indispensable in the conduct of today's operations. Key planning events were conducted via e-mail and video-teleconferences. Commanding Officers had on-going dialog with their Task Force Commanders. Navy air strike planners afloat collaborated with joint intelligence cells around Europe and with strike planners at the air operation centers ashore, and with Tomahawk missile planners on other ships hundreds of miles apart. Pilots were on the net conducting live debriefs with intelligence collection managers. New combinations of intelligence analysis, coupled with the commander’s wisdom and experience and the intimate reality of the on-scene tactician, created new and relevant successes in this joint campaign.
In the heat of war, we were able to capture one such amazing event. On one occasion, a USAF aircraft over Serbia recognized a group of enemy mobile targets. This information was fed to the network, resulting in a significantly reduced response time and allowing a Navy Tomahawk missile to be used against these targets. Through the use of our networking, we were able to take a process that previously consumed days, and turn it into a truly tactically significant capability. We want to spread that capability throughout our forces. Our Information Technology for the 21st Century, or IT-21 capable Battle Groups continue to report operationally significant benefits like this. During Operation DESERT FOX strikes against Iraq, we conducted dual Carrier Battle Group strike coordination with the joint air commander almost exclusively over the SIPRNET. Recently, during a crisis over the incursion of North Korean fishing vessels into South Korean waters, SEVENTH Fleet sent IT-21 capable ships to monitor and respond, enabling these ships to share their situational awareness with the joint forces commander ashore. A true transformation is taking place, with organizational and operational overtones that are now just being recognized and understood.
Some additional examples come to us from our Fleet Battle Experiments. My Directorate sponsors the Navy Warfare Development Command (NWDC) in Newport, Rhode Island. NWDC coordinates live experimentation in our Fleets. In Fleet Battle Experiment (FBE) Delta conducted by SEVENTH Fleet, our networking technology enabled the planning and execution of an entirely new tactic—the coordinated employment of shore-based Army Apache helicopters against enemy maritime special operations forces (SOF). This previously untested and untried force combination was able to achieve a ten-fold increase in counter-SOF attacks. In FBE Echo conducted by THIRD Fleet in March 1999, our networks enabled new combinations of surveillance and strike platforms working against mobile targets ashore. Also in FBE Echo, our area anti-submarine forces successfully employed a SIPRNET site to maintain a common undersea picture and conduct collaborative planning via web-based chat. This web-based function has transitioned to successful real world operations in the Pacific theater. In FBE Foxtrot conducted by FIFTH Fleet in December 1999, our networks were used to accelerate all phases and dimensions of operations—air defense suppression, sea control, interdiction, and strike operations. This is known as rapidly decisive “parallel” or “simultaneous” operations. Our networks allow us to achieve new levels of performance.
Information Security and Information Assurance
I would now like to address Information Assurance (IA). Our approach to Information Assurance is known as “defense-in-depth.” We have adopted a layered, end-to-end approach to network defense. As I describe the measures, please keep in mind that these apply directly to our currently on-going IT-21 and projected Navy-Marine Corps Intranet (NMCI) efforts. With defense-in-depth, security protection mechanisms are employed in multiple locations in the network architecture. For example, depth could mean layering link encryption over network protocol encryption, and further layering it over e-mail (application layer) encryption. Another example would be to use two different anti-viral packages, one at the firewall/mail server and another at the end-user workstation. In addition to technical protection devices like these, our defense-in-depth takes into account trained personnel and an improved IA organizational infrastructure as well.
Firewalls, intrusion detection devices, and software tools are installed as technical defense measures throughout every network echelon. This means that at each and every layer of our network--from the individual desktop, to the LAN (Local Area Network) in each ship or building, to the next layer network throughout a set of buildings (such as a headquarters facility or a base), to the metropolitan area networks, and to the regional Network Operations Centers--these tools are in use simultaneously.
We have designated our Space and Naval Warfare Systems Command's (SPAWAR) IA program manager as the IA Technical Authority and Certification Authority on all technical security matters. This central authority provides network-wide high standards for quality control and compliance. Navy's central Technical Authority maintains a web site as a central up-to-date resource that includes an IA software toolkit (such as virus scanners and a secure copying program), IA policy and guidance, and certification templates. The Technical Authority also develops our IA technical publications which contain detailed incident reporting guidance, defensive system configuration guidance, and IA technical procedures in general. Most important, the Technical Authority works with acquisition program managers throughout the Department of the Navy to ensure that technical requirements are being met in all programs.
A significant part of our Information Systems Technician (IT) personnel and training efforts cover our needs for IA. All IT-rated personnel will be exposed to varying degrees of IA training over the course of their careers. Beyond initial system administration training, mid-career personnel working at Network Operations Centers are being trained as Network Security Vulnerability Technicians. This is an 8-week course directed at securing information systems. Since introducing the course in 1997, we have doubled our throughput to 120 per year. Qualified IT personnel at the E-6 and O-4 levels are being trained as Information Systems Security Managers through a new course that will train 164 personnel this year. They will function as an activity's accreditation action officer, institute security policy, implement security risk management programs, and develop information systems security and contingency plans. This training is being made available both at Pensacola and by six Mobile Training Teams.
Our organizational infrastructure has been adapted to deal with increased security threats. We achieved full operational capability of the Navy Component Task Force for Computer Network Defense (NCTF-CND) on 31 July 1999. NCTF-CND conducts continuous IA vulnerability assessments, implements Information Security Conditions (INFOCONs), and works directly with the Joint Task Force for Computer Network Defense (JTF-CND). In 1999, the NCTF-CND issued eleven IA Vulnerability Alerts and three IA Vulnerability Bulletins to mitigate computer network vulnerabilities. NCTF-CND also conducted a Navy-wide INFOCON exercise in late 1999, the results of which contributed greatly to our understanding of the operational impact of INFOCONs and the need for detailed response procedures.
Our Fleet Information Warfare Center (FIWC) conducts intrusion detection, incident reporting, and operates the Naval Computer Incident Response Team (NAVCIRT). FIWC additionally works with the numbered Fleet Commanders and Battle Group Commanders to conduct aggressive "red team" efforts during Joint Task Force Exercises. In this way, we can detect IA problems, conduct on-the-job system administrator training under IA stress conditions, and heighten IA awareness as part of deployment preparations.
Together with my staff, each of these arms of our IA effort overlap to focus on supporting all Navy System Administrators, our “points of tactical contact” for IA. They are notified of potential security activity or concerns by the NCTF-CND and have FIWC-developed response capabilities at their disposal. Every System Administrator also has access to the expertise and security products resident at the Navy's central Technical Authority at SPAWAR. They administer networked systems simultaneously at all levels, providing depth to the defense. They are truly our first and best line of defense, and are often the initial reporting source on probes and incidents occurring in our networks.
Our organizational alignment will soon include the closer integration of Navy and Marine Corps Headquarter's C4I staffs, with single leadership for our IA programs and policies. New IA leverage has also grown from our intense Y2K effort, including much greater insight into our total IT inventories which will be used for improved security through configuration control and improved enterprise-wide IA vulnerability assessments.
Other specific IA accomplishments this past year include:
Additionally, we recognize the importance of the security of information generated by Global Positioning System (GPS) for our platform navigation, locating and weapon targeting. As the Navy’s agent for GPS, we are actively engaged in the joint Navigation Warfare (NAVWAR) effort.
We are ready to move forward on some IA programs that are currently under- funded in FY01. These are: COMSEC (high security cryptographic devices); Secure Voice; PKI; and KIV-7.
Entry Fees to Information Age Power
Achieving our Information
Age potential comes with a few “entry fees”—in other words, you can
not achieve the operational outcomes without certain key investments up
front. In addition to network
security and IA, these fees are: a complete network infrastructure; new
operating processes and structures; and, people ready for and trained in
Information Age operations.
Making the SIPRNET examples
I just cited available to every naval force afloat means completing the
fielding of our IT-21 networks. Our
IT-21 initiative has thus far equipped our four Command Ships, five
Carrier Battle Groups, and five Amphibious Ready Groups.
We are approximately two and one-half years into a six-year initial
fielding plan to fully outfit our afloat forces. In addition to our groups, some form of IT-21 is scheduled to
be installed in every naval combatant.
Slight variations of several related programs are planned, trying
to balance our desire for high bandwidth connectivity and comparable ship
capability with affordability. IT-21
always comes with satellite access to the classified SIPRNET and the
unclassified companion NIPRNET (Non-classified Internet Protocol Router
Network). On command ships,
it also comes with video-teleconferencing capability.
In all cases, IT-21 comes with a set of operational tools known as
GCCS-M or Global Command and Control System-Maritime.
The GCCS puts a shared, joint, common operational picture at every
desktop and watch station. Additional
new applications are being developed by the operational commanders, and
because these are software-based and can reside in almost any
Internet-Protocol server, the IT-21 infrastructure supports an incredible
amount of adaptability to the various Fleet and Joint Commanders’ needs.
Furthermore, our IT-21 network has allowed us to establish a tight
information security enclave for our ships by bringing with it all those
IA benefits I mentioned earlier. These aspects have already proven their
worth in actual operations.
From where we started a few
years ago with reasonable hopes that IT-21 would bring us new power, we
are now at a time when our operational commanders are counting the ships
that do not have IT-21. The
following example is illustrative: USS Mobile Bay was designated by the
SEVENTH Fleet Commander to be the ship on-scene for the recent East Timor
crisis specifically because she is IT-21 equipped.
As the time approaches to replace Mobile Bay on station, the
Operational Commander will want an equally capable ship to similarly share
situational awareness or conduct rapid coordination.
As you can see, Operational Commanders are now managing ships’
employment schedules based on their IT-21 capability.
We need to keep pressing to simplify these difficult and vital
To bring those same benefits ashore that we
have seen afloat in our IT-21 operational experience, we have set course
on our Navy-Marine Corps Intranet (NMCI) initiative.
For long haul communications, the NMCI will ride the Defense
Information Systems Network (DISN). For
other intranet services, it is Navy’s judgment that industry will
provide a highly competitive solution. In December 1999, Navy issued a
Request for Proposal (RFP) to industry for contracts to field our
Intranet. The Assistant
Secretary of Defense for C3I has agreed to the Department of the Navy’s
pursuit of the NMCI with the network utilities industry, subject to the
finding of Navy’s business case analysis.
We are currently conducting this analysis.
There are some very key facets of an intranet that make it very compelling for us. First, an intranet can provide full collaboration across every afloat and ashore element of our Department. There will be no "haves versus have-nots" in the NMCI. Every naval element will be a full participant. Unlike today, every command and every Sailor will have the appropriate level of access to fully exploit network applications and services, and in turn, will be able to contribute fully. Second, we will increase network interoperability through the common standards that only a single enterprise intranet can provide. Like successful business enterprises, the NMCI will provide full access across the enterprise to common databases and information repositories, as well as a great cross-functional reach across previously stove-piped boundaries. Our currently uncoordinated and inconsistently developed and operated networks do not permit this degree of synergy. The NMCI will better enable us to support sweeping applications like enterprise resource planning, or “ERP.” Several pilot projects for ERP have been chartered by the Navy Department’s Revolution in Business Affairs Executive Committee (RBA ExComm). Much like a business enterprise, ERP will enable us to increase efficiencies in distributed design, development, acquisition, purchasing, distribution of supplies, maintenance chains, and other business-like activities by making the process fully interconnected and transparent, therefore becoming better suited to Fleet support.
Finally and most importantly, intranets bring with them security measures that are otherwise unachievable in uncoordinated and uncertain network conglomerations. Improved security is probably the greatest value-added of our NMCI. We want to take the improved security posture achieved with our IT-21 capability and expand that secure enclave ashore. The NMCI architecture framework defines four defensive "boundaries" in conjunction with our overall IT defense-in-depth strategy, ranging from the external network boundary to the application layer. These boundaries will be used to define specific, layered security measures. Our NMCI guidance also delineates security requirements for technical and quality of service standards. The requirements encompass content monitoring, content filtering, virtual private network (VPN) and encryption standards, standards for PKI-enabled applications, and web security. Further, the NMCI sets the qualification standards required for contract systems administrators and network managers. "Red Teams" are also established under the NMCI to determine the effectiveness of contract fulfillment toward security requirements and to perform ongoing network vulnerability and risk assessment. A "Blue Team" will verify security configuration management and approve all security architecture choices and security procedures. The NMCI vendor will be responsible for providing raw data that will be analyzed by Navy to determine whether an incident has occurred as well as the magnitude of any incident. None of these security measures can be guaranteed without an intranet of common standards and required quality of service.
the beginning of this year, Navy has recognized nineteen computer network
incidents on unclassified systems. Our
experience with these and past intrusion attempts validates the importance
of maintaining a technically-astute, responsive IA organization on an
enterprise level. Although we
train our System Administrators to run their systems as securely as
possible, and we keep them up-to-date with IAVAs, NAVCIRT advisories, and
other timely technical information, there is always the element of
variation in local procedures, complex software version upgrades, and
network reconfigurations. With
NMCI, centralized system administration will give us the ability to
dynamically and remotely implement (i.e., "push") "best
practices", countermeasures, and secure network configurations to
permit a near-real time, technologically uniform implementation of IAVAs
and technical advisories Navy-wide. For
example, while local commands would continue to author the content of
organizational web pages, the web pages themselves would reside on
uniformly and centrally configured NMCI servers--configured in accordance
with DoD/DoN best practices. Vulnerability
to web page "hacks" will be uniformly mitigated across the
NMCI will also accelerate the desired proliferation of Class 3 PKI-enabled web pages and authentication measures for appropriately authorized access to, and modification of, Navy web sites. The uniform implementation of PKI/certificate authorities and anti-virus signatures across the NMCI enterprise will considerably reduce risks of external intruder root access gained by the "sniffing" of passwords, and from unsolicited e-mail with malicious attachments or "Trojan horses", such as last year's "Melissa" episode.
Organizational Processes and Structures
Because there is so much appropriate attention to fielding the physical network infrastructure, it is sometimes easy to overlook the organizational dimensions. In all of my statement thus far, however, there are glimmers of the tremendous need to focus on these organizational dimensions. I have already highlighted the need for adequately empowering Sailors with the ability to collaborate in new ways. The obvious move of the Systems Administrators to the center of our security efforts indicates important organizational adaptation. Enterprise Resource Planning clearly leverages the network's reach across former organizational boundaries. These are just a few examples of the ongoing shifts in organizational processes and structures that are absolutely necessary to attain the full power of the networks. Others must follow.
We are constantly addressing our work processes. We know from industry that organizational structures and processes are changing extensively in the Information Age. A common theme in the business arena is to “disaggregate your current ways of business and re-aggregate them on the net.” This is indeed what Network Centric Operations is all about. A very important effort to examine and adjust our business and operating processes is taking place at THIRD Fleet where the JOHN C. STENNIS Battle Group has just been outfitted with IT-21. THIRD Fleet’s Network Centric Innovation Center (NCIC) has been targeting the improvement of Battle Group processes based on the IT-21 network. This low cost, high leverage activity is indeed a critical entry fee to achieving full operational potential of our networks.
A byproduct of our success in process-redesign efforts like the NCIC, as with our experience with IT-21, is our recognition of an increasing need for more Information Management (IM), Knowledge Management (KM), Bandwidth Management, and improved Network Management procedures overall. Navy recently introduced our FY 2000-2001 IM/IT Strategic Plan. Our Intranet Knowledge Management Working Group (IKMWG), which was chartered last year by the RBA ExComm and is under the leadership of the Department of the Navy Chief Information Officer (DoN CIO), is pursuing many of the plan's objectives. The IKMWG has begun to catalog and leverage the many lessons learned from several existing Navy KM initiatives. We are also leading the charge on a DoN enterprise “knowledge portal," a tailored web site that acts as the front end for a tremendous amount of Navy documented knowledge and data repositories. The knowledge portal will be akin to having a Navy-wide librarian on your desktop. Finally, we are conducting a pilot project on standardizing databases. This effort will teach us how and where data and information is best organized on our networks to permit plug-and-play functionality.
Today, tomorrow, and in the future, our people are always our most vital resource. They are truly the most adaptive element in our warfighting organization. I have already highlighted the need to empower them with our distributive network infrastructure and policies, and how we have enhanced their capabilities through our security-related specialist training. I would like to mention some specific initiatives we have directed at personnel structure, skills and training.
We have commenced fashioning an end-to-end
approach to enlisted personnel in the Communications, Information Systems,
and Networks—or “CISN”—field.
The Navy has re-designated the Radioman (RM) rating to the
Information Systems Technician (IT) rating.
Along with this change in focus, come the following high impact
· Increased Selective Re-enlistment Bonus (SRB) across all promotion zones
· Advancement opportunity well above Navy-wide averages for all pay grades
· The IT rating is open to all non-rated, first enlistment Sailors (“GenDets”)
· Rate conversion for E-5 and below into IT has been opened up significantly
· Aptitude requirements for entry into the rating have been increased
We have also tripled the training availability for network
system administrators over the last four years to 188 seats/quarter.
With the rapid infusion of our networks, this is a critical support
item. We have identified an upward trend in retention of our IT-rated
professionals when they have received formal training as systems
technicians or administrators in their first enlistment.
additional challenge is that something fundamental is happening that can
truly be considered transformational.
We concentrate a great deal on the infrastructure, but as I have
said, our people and their new collaborative behavior in these networks
are extraordinary. The shapes
and processes of all of our organizations are in transition.
The “network effect,” where organizations are now working in a
“many-to-many” system, creates relationships that cut across former
boundaries in all directions. Sometimes these relationships are highly transient and
focused on a single unique task, and sometimes they become established to
accomplish many tasks over time. They
draw on Navy-wide intellectual and informational resources in richly
personal ways that make a difference in real operational events.
Often, new “communities” of practice arise. Sometimes we have consciously facilitated this new
organizational behavior, but most frequently the people themselves see the
new power and reach for it themselves.
Sometimes, we do not even notice at first glance.
This “many-to-many” system is inherently
non-linear. I venture to say
that because the possible networked combinations are so incredibly
numerous, it is exponentially
Directorate has been spurred by our IT-21 experience and a concurrent need
for models and metrics that will show how new IT network investments
achieve discrete operational outcomes.
We continue to work hard on this, but we are convinced that the
fundamental transformation happening here has raised the degree of
analytic difficulty by an order of magnitude or more.
Highly discrete analytic metrics may not reveal themselves until we
move further with this transformational shift. We are keeping up the
press, and in the meantime, our best and most convincing evidence of value
are the clear operational results--highlighted by my examples--that
simply could not happen without our new networking investments.
The dawn of the Information Age is truly a remarkable time. In society at large, we expect the ride to continue, fueled
by both economic and social imperatives.
Alan Greenspan and other experts have described this transformation
as “creative destruction,” where the old systemic order is pushed out
by a new and better order on a whole new level.
For Navy, our imperatives are strategic, operational, and tactical
in the ways I have already described to you.
And to attain this whole new level of combat performance and
realize our full Information Age potential, we must continue strong
investment in our entry fees. More
than half of our afloat forces are awaiting our new IT-21 networking
capability. We have not yet
realized our Navy-Marine Corps Intranet, an effort to achieve the most
efficient, effective, and secure networked naval community we can.
We have just begun to adequately train our people to work in this
environment, including how to conduct network-based operations under
security stresses. These are things we must do.
We have made a great start. Maintaining
our pace and gaining momentum now is our greatest imperative, ultimately
leading to our future--a Network Centric Force.
Thank you very much for the opportunity to comment.