1997 Congressional Hearings
Intelligence and Security

Duane P. Andrews
Chairman, Defense Science Board Task Force 
Information Warfare & Defense 
Mr. Chairmen, members of the Committee. I am pleased to be able to support your examination of Information Warfare - a matter of great importance to the national security. 

I am appearing here today in my role as Chairman of a DSB Task Force and consultant to the Defense Science Board. In that role I have not received any federal grant, contract or salary. Although I am not here to represent the interests of my employer, Science Applications International Corporation, consistent with House rules, I have included with my statement a biography and a copy of SAIC's most recent annual report which clearly shows that my private sector employer is a major defense contractor.

The Task Force on Information Warfare-Defense that I chaired was initiated by direction of the Under Secretary of Defense for Acquisition and Technology in the fall of 1995 under the sponsorship of the Honorable Emmett Paige, Jr., Assistant Secretary of Defense for C3I, and Vice Admiral Arthur K. Cebrowski, then the Director for C4 Systems, Joint Staff.

The formal Terms of Reference for the Task Force called for a "focus on protection of information interests of national importance through the establishment and maintenance of a credible information warfare defensive capability in several areas, including deterrence." In addition, the Honorable John White, Deputy Secretary of Defense, asked the Task Force to look at various organizational and policy matters internal to the Department and other external matters of interest to the Department such as cryptography. 

The Task Force was fully formed and underway early in 1996. The members of the Task Force were drawn from academia and the aerospace, banking, systems integration, and telecommunications industries. A number of the panel members had former government or military service. The Task Force met formally eight times and individual panels for Organization and Management, Policy, Threat and Technology each met about the same number of times. The Task Force and separate panels heard from witnesses and examined both classified and unclassified material from across the military departments, defense and intelligence agencies, and private sector. 

The Task Force issued its report in November 1996. The report is over 80 pages in length with additional attachments and background material. I can best summarize the conclusions of the Task Force by reading from my letter of transmittal to Dr. Craig Fields, Chairman of the Defense Science Board.

Quote. We conclude that there is a need for extraordinary action to deal with the present and emerging challenges of defending against possible information warfare attacks on facilities, information, information systems, and networks of the United States which would seriously affect the ability of the Department of Defense to carry out its assigned missions and functions. 

We have observed an increasing dependency on the Defense Information Infrastructure and increasing doctrinal assumptions regarding the continued availability of that infrastructure. This dependency and these assumptions are ingredients in a recipe for a national security disaster. 

I should also point out that this is the third consecutive year a DSB Summer Study or Task Force has made similar recommendations to better prepare the Department for the challenges of information warfare. 

Accordingly, we recommend a series of over 50 actions designed to better prepare the Department for this new form of warfare beginning with identification of an accountable focal point within the Department for all IW activities and ending with the allocation or reallocation of approximately $3 billion over the next 5 years to implement these recommended actions. End Quote. 

The Task Force arrived at these conclusions by considering today's information-dominated environment and our increasing civil and military dependence on interconnected information and communications systems; the techniques and technologies widely available to those who may wish to attack these systems; and the current state of our national and military capability to detect and respond to such attacks.

The U.S. susceptibility to hostile offensive information warfare is real and will continue to increase until many current practices are abandoned. 

The Task Force concluded that the scope of national information interests to be defended by information warfare defense and deterrence capabilities include the continuity of a democratic form of government and a free market economy, the ability to conduct effective diplomacy, a favorable balance of trade, and a military force that is ready to fight and that can be deployed where needed. 

Given the responsibilities of your Committees, I call your attention to Section 2 of the report. The Task Force noted that Service and Joint doctrine is now principally based on the superior use of information and clearly indicates an increasing dependence of future forces on information and information technology. However, this military doctrine of information superiority assumes the availability of the information and information technology - a dangerous assumption. Although stating that U.S. information systems will have to be protected, the published Service and Joint doctrine does not address the operational implications of a failure of information and information technology.

I stress that the Task Force did not say that the military's concept of gaining an information advantage over a potential adversary is in itself a flawed concept. Rather we warn that "the vulnerability of the Department of Defense - and of the nation - to offensive information warfare attack is largely a self-created problem. Program by program, economic sector by economic sector, we have based critical functions on inadequately protected telecomputing services. In aggregate, we have created a target-rich environment and the U.S. industry has sold globally much of the generic technology that can be used to strike these targets.

Further, despite the enormous cumulative risk to the nation's defense posture, at the individual program level there still is inadequate understanding of the threat or acceptance of responsibility for the consequences of attacks on individual systems that have the potential to cascade throughout the larger enterprise."

To reduce this danger, the Task Force recommends that all defense investments be examined from a network- and infrastructure-oriented perspective, recognizing the collective risk that can grow from individual decisions on systems that will be connected to a shared infrastructure. Only those programs that can operate without connecting to the global network or those that can operate with an accepted level of risk in a networked information warfare environment should be built. Otherwise, we are paying for the means that an enemy can use to attack and defeat us. 

This will not be easy and probably the biggest obstacle to the creation of a resilient information warfare defense posture will be the difficulty in convincing people - whether in commerce, in the military, or in government - of the need to examine work functions and operating processes. This examination should uncover unintentional dependencies on the assumed proper operation of information services beyond their control.

The Task Force concluded that establishing an information warfare defense will not be cheap, nor be easily obtained. It will take resources to develop the tools, processes, and procedures needed to ensure the availability of information and integrity of information, and to protect the confidentiality of information where needed. Additional resources will be needed to develop design guidelines for system and software engineers to ensure information systems that can operate in an information warfare environment. More resources will be needed to develop robust means to detect when insiders or intruders with malicious intent have tampered with our systems and to have a capability to undertake corrective actions and restore the systems.

In Section 5 of the report the Task Force suggests the procedures, processes and mechanisms to be used to establish an information warfare defense. 

The first order of business is to deter information warfare attacks. This deterrence must include a national will as expressed in law and conduct, a declaratory policy on consequences of an information warfare attack against the United States, and an indication of the resiliency of the information infrastructure to survive an attack. 

The most immediate need is to provide some form of protection. This protection might include physically isolating information, providing some form of access control and authentication of personnel performing critical functions or accessing information, or encryption of the information. As time permits, the information infrastructure supporting critical functions should be designed for utility, resiliency, reparability, and security. An equally important function is to verify through independent assessments that the design is being followed, that protective measures are being implemented where appropriate, and that the information warfare defense readiness posture is as reported. 

The Task Force also concluded that the importance of intelligence support to information warfare defense cannot be overemphasized. This support must include strategic indications and warning of potential information warfare attack, timely and accurate threat assessments, and current intelligence support in the event of an information warfare attack.

The essence of tactical warning is monitoring, detection of incidents, and reporting of the incidents. Monitoring and detection of infrastructure disruptions, intrusions, and attacks are also an integral part of the information warfare defense process. Providing an effective monitoring and detection capability will require some policy initiatives, some legal clarification, and an ambitious research and development program, all of which are addressed in the report. All intrusions and incidents should be reported so that patterns of activity can be established to aid in strategic indications and warning. The FCC requirement to report telephone outages of specified duration affecting more than a specified number of customers serves as a model in this regard. 

It is probable that the telecommunications infrastructure will be subject to some form of attack. We should have some capability to limit the damage that results and to restore the infrastructure. Little research has been devoted to the basic procedures necessary to contain "battle" damage, let alone to the tools which might provide some automated form of damage control. 

Restoration of the infrastructure assumes some capability to repair the damage and the availability of resources such as personnel, standby services contracts, and the like. 

Finally, information warfare defense should include some form of attack assessment to aid in determining the impact of an attack on critical functions and in determining the appropriate response to an attack. 

A key point is that this defense process must be a distributed process. The basic functions of monitoring, detection, damage control, and restoration must begin at the lowest possible operating level. Reports of the activity must be passed to regional and DoD-level organizations to establish patterns of activity and for assistance as needed in damage control and restoration. 

To achieve the necessary defensive and deterrence posture, the Task Force put forth a series of key recommendations that can be implemented by the Secretary of Defense. Other recommendations were included which the SECDEF should make to the Director of Central Intelligence, and those which relate to the President's Commission on Critical Infrastructure Protection or the Infrastructure Protection Task Force. 

The most important recommendation the Task Force has to offer is for the Secretary to Designate an Accountable IW Focal Point. 

Multiple lead organizations with no clear principal staff assistant have led to confusion and slow progress to date. Boards and councils are important for discussing the issues, but have not and cannot provide the needed focus. 

Information warfare is not the sole responsibility of the Chief Information Officer, the Assistant Secretary of Defense for C3I, the Director of Central Intelligence, the Chairman of the Joint Chiefs of Staff, the Secretaries of the Military Departments, or the Service Chiefs. Each of these is, however, responsible for a portion of this new warfare area. 

The Secretary of Defense, however, needs a single person and office to plan and coordinate this complex activity, as well as to serve as a single focal point charged to provide staff supervision of the complex activities and interrelationships involved. This includes oversight of both offensive and defensive information warfare planning, technology development, and resources. Given the interconnected nature of the information infrastructures, it is critical that the left hand knows what the right hand is doing and that these complex activities are coordinated. 

The Task Force recommended that the focal point be the Assistant Secretary of Defense for C3I. The long view suggests the eventual need for an Under Secretary of Defense for Information. 

The Task Force also recommended that a Deputy Assistant Secretary reporting to the ASD(C3I) be named and provided an adequate supporting staff to assist in providing the necessary staff oversight and coordination of information warfare activities. The Task Force's hope is that as many IW-related functions as possible would be consolidated under this individual.

The Task Force recommended a series of organizational capabilities that will be needed for an effective information warfare defense. These include organizations to conduct: 
  • Intelligence indications and warning, current intelligence and threat assessment; 
  • Time-sensitive operational activities necessary for dealing with an actual attack; 
  • Planning and coordination as needed for information warfare defense preparedness, to include a Joint office for system, network and infrastructure design; and 
  • Independent "Red Team" assessments of vulnerability, training, and readiness, including an independent team whose central role would be to provide the Secretary of Defense with unbiased assessments on the Department's IW "state of health."

The Task Force recommended a series of steps to raise awareness of the need for defensive information warfare preparations. 

The Task Force calls on the Department's operational and functional planners to assess and document the extent to which their plans are dependent on critical information infrastructures and what effect infrastructure disruptions might have on execution of the plans.

The Task Force recommends the Department undertake two related activities. One is to develop a set of defined Threat Conditions and preplanned Responses and the other is to establish a Readiness Assessment and Reporting System. These recommendations mirror similar Defense Condition and readiness assessments established in the nuclear era. A structured process is needed to assure unambiguous communications about information warfare preparedness, attack and response.

The Task Force proposed a series of High-Payoff, Low Cost protective steps to "Raise The Bar" against the penetration of DoD's unclassified computers.

The Task Force recommends that the Department Establish and Maintain a Minimum Essential Information Infrastructure. This minimum infrastructure can largely be constructed of existing assets and serve as a means for restoring services and adapting to wide-scale outages. In addition to an overall MEII architectural concept, operational concept, and management structure, a strategy must be developed for the transition from peacetime or normal operational activities to the minimum essential information infrastructure. It will be important to execute the transition strategy in the context of exercises. 

The Task Force recommends a series of steps to Focus the R&D to provide the Department the necessary tools and techniques to rapidly and securely assemble and protect a robust, resilient, deployable information system to support a Joint Task Force or coalition operations. 

The Task Force Recommends the Department Staff for Success. A cadre of high-quality, trained professionals with recognized career paths is an essential ingredient for defending present and future information systems. Particular attention is needed on the systems/network administrators who are the first line of defense. These positions should be filled by a professional cadre - not today's practice of "other duties as assigned."

The Task Force also recommends establishment of a skill specialty for military personnel to enable the formation of a cadre of knowledgeable and experienced defensive information warfare specialists. The development of a skill specialty is recommended instead of a career path to ensure that operational experience is reflected in the performance of the information warfare defense duties and to preclude the possible formation of a closed community of experts. These skills and awareness are required in all functional areas. 

The Task Force found some confusion among the Department's representatives regarding the scope of their authority to monitor systems and networks for the purpose of assessing the security of the systems and networks. The Task Force recommends that the Department Resolve the Legal Issues and issue rules of engagement regarding appropriate defensive actions that may be taken upon detection of intrusions into and attacks against DoD systems and networks. Further, the Department should propose legislation, regulation, or executive orders as may be needed to make clear the DoD role in defending non-DoD systems.

The Task Force provided several recommendations related to the President's Commission on Critical Infrastructure Protection. These include capabilities the DoD can provide to the Commission, the Department's interests that should be advocated to the Commission, support the Department would like to receive from a national infrastructure protection program, and the Department's views on the appropriate roles of the government and private sector in critical infrastructure protection.

Finally, the Task Force provided a rough estimate of the Resources that the Department should Provide to obtain needed information warfare defense capability. Resources were estimated for each of the major recommended actions. In aggregate these totaled $3.1B from FY97 to FY01 and are in addition to the current Information Systems Security Program and other distributed information security costs which in aggregate total about $1.6 billion annually. 

I want to stress that each of these recommendations is important in its own right but to meet our critical national security requirements the Department needs to tie all these recommendations together with an integrated plan and approach. This should be a high priority for the designated IW focal point. The Task Force believes, however, that without further delay the Department can undertake actions to assess its IW-D readiness, "Raise the Bar" with high-payoff, low cost items, establish a minimum essential information infrastructure, and provide the necessary resources through reprogramming and budget requests.

This concludes my summary of the Task Force report. I commend you for looking into this important matter and I thank you for your attention. I would be pleased to answer any questions you may have.