"The greatest threat to America today is not Iraq, Iran, North Korea, terrorism, or weapons of mass destruction. It is the potential that we will become too complacent during this time of peace." General Henry Shelton, Chairman of the Joint Chiefs of Staff
Thank you Mr. Chairman and members of the Committee. I am honored to be here. I am pleased to have the opportunity to provide the Department of Defense perspective on the threats and challenges confronting our information systems in the future. Today I would like to speak to you about three issues that are very important to our ability to achieve and sustain information superiority for our armed forces: the so-called "Y2K" problem, information assurance and the potential sale of segments of the frequency spectrum.
The failure of an embedded microchip in a discrete, localized computer or machine, such as a wristwatch or the air-conditioning system in a building, can be merely inconvenient. However, failure of a microchip in a critical, large, or dangerous piece of machinery -- loss of air pressure in an F-15 or a submerged submarine -- can be devastating and even life-threatening.
Virtually every week we see more and more examples of how failure in digital technology can have unanticipated and widespread repercussions. Failure in a networked computer system that is a hub or link in other computer or telecommunications systems can be catastrophic. Each one of these accidents is a warning about the extent of our reliance on information technology and the vulnerability it has created. Several incidents have vividly illustrated the extent of this problem for us:
Just a few weeks ago, the computer system in a communications satellite more than 22,000 miles above the state of Kansas malfunctioned, and the satellite began tumbling out of control. That malfunction disrupted the satellite's ability to communicate with its customers and set off a cascade of communications failures of a magnitude never seen before. Indeed, it ranks as the worst outage in the history of satellite communications.
By conservative estimates, more than 35 million people lost the use of their pagers, including everyone from school children and repairmen to doctors, nurses, and other emergency personnel. Transplant recipients could not be notified when organs became available. Members of a bomb squad in New Jersey could not be paged to respond to an emergency call. Motorists nationwide could not use their credit cards to pay for gas at the pump. Television and radio broadcasts were broken off. Several Fortune 500 companies and news wires had their business operations impaired.
On December 31, 1996, New Zealand Aluminum Smelters' process control program had a leap year failure in its Julian calendar. When the program failed to recognize "366" as a valid date, the system shut down all smelting pot lines. Without computers to regulate the temperatures inside the pot cells, five over-heated and melted down.
Unum Corporation, an insurance company, suffered system failure because the program was written to add five years to the date of last transaction. In 1995, the program interpreted a designation of the year 2000 on a file as the year 1900, automatically canceled thousands of policies, and then deleted the files from the database.
Phillips Petroleum Company engineers ran a Y2K simulated test of its systems aboard an oil platform in the North Sea. One of the safety systems to detect hydrogen sulfide, a deadly gas, was not compliant and shut down.
Chrysler Corporation conducted an actual test of an assembly plant last year. Many of their "mission critical" systems worked, but they also had some surprises. The time clocks didn't work, and the security system shut down, and nobody could get out of the building.
The Department of Defense has more than 25,000 computer systems, of which 11 percent (or 2,803 systems) are mission critical. These computer systems are not simply weapons systems, the category best prepared to meet the Year 2000, but command and control systems; satellite systems; the Global Positioning System; highly specialized inventory management and transportation management systems; medical equipment; and important universal systems for payment and personnel records. DoD also operates a multitude of military bases, which are much like small towns, where the infrastructure is also vulnerable to Year 2000 problems. Power grid, heating systems, air filtration, automatic locking devices, chronometers on ships and airplanes, and any timed device, contain embedded chips that may not be Y2K compliant. The problem will also extend to all forms of commercial communication and mass transportation systems (traffic lights, trains, subways, and elevators), which will affect our men and women in uniform.
Department of Defense Chief Information Officer. The senior civilian official of the Office of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence is the DoD CIO. The CIO has Department-wide responsibility for the Y2K problem. The DoD CIO sets Y2K policy, coordinates the efforts of the Services and Defense Agencies, and monitors Y2K progress on behalf of the Secretary of Defense.
Special Assistant for Year 2000 to lead the DoD Year 2000 Oversight and Contingency Planning Office. Both the GAO and the recent Defense Science Board Task Force report recommended assignment of a strong central leader. A Special Assistant for Y2K has been designated by the CIO to lead the Y2K effort in DoD. The Special Assistant reports directly to the CIO and heads a Contingency Office that handles all multi-Component Y2K actions, such as developing DoD Y2K policy, management plans, consolidated reporting, interface assessments, contingency planning guidance and oversight, and testing oversight.
DoD Y2K Steering Committee. As Deputy Secretary of Defense, I chair the DoD Y2K Steering Committee which reviews the progress of DoD's Components toward full Y2K compliance at monthly meetings, provides guidance, and makes decisions not already resolved at a lower level. The Committee serves as a forum for sharing information, eliminating overlaps, resolving cross-functional issues and seizing opportunities to accelerate system Y2K fixes. Key representatives from all major DoD Components serve on the Steering Committee.
Each DoD Component Head is responsible for assuring all software and systems correctly process dates. The Military Departments' and Defense Agencies' CIOs are assigned the responsibility for monitoring the progress and ensuring their mission critical systems are Y2K compliant before January 1, 2000, and for reporting status of their systems each quarter to the DoD CIO. Overall tracking is done through a central database.
The DoD CIO co-chairs Y2K Interface Assessment Workshops to ensure information systems and processes that exchange data among DoD functions or with non-DoD government entities will be Y2K compliant prior to January 1, 2000. Assessment workshops are conducted for each DoD functional area to identify common systems, action plans, and review implementation progress in each respective area. In addition to the DoD Components, the assessment workshops include representatives of other Federal Agencies and DoD Allies and Partners.
For example, DoD is establishing a Y2K database on mission-critical systems to expedite Y2K reporting. Each Component will also establish a Y2K database to provide detailed information on Y2K progress. Finally, special data calls obtain additional information from each Component when required to meet the needs of DoD's senior leadership, OMB and Congress.
The DoD CIO, in addition, places special emphasis on contingency planning and testing, the primary areas of emphasis of Y2K efforts in calendar year 1999. As systems approach the anticipated date for all fixes (December 1998), contingency plans for both mission critical and non-mission critical systems will mature as well. Mission critical systems receive the highest priority in contingency planning.
DoD's contingency planning will come to the fore as the results of testing beyond the system level takes place. DoD's operational tempo and complexity of interactions among systems require that testing take place across DoD functions and throughout an entire theater. DoD is establishing plans for including Y2K testing as part of special functional area tests and CINC training exercises in CY 1999. These should result in refining of contingency planning on departmental, functional, and theater levels.
An area of concern to DoD is the availability of the hardware needed to make fixes for Y2K compliance. DoD has identified its need for these devices, such as communications routers, servers, and hubs, and has acquisition actions underway for them. However, there is no assurance that industry can meet the demand for these items which are crucial to maintaining an effective communications network for command and control, emergency response, and day-to-day DoD operations.
System level testing is conducted by each Service, Agency, and Field Activity, under the oversight of a designated Y2K focal point or program office and is intended to ensure that individual systems are Y2K compliant and can perform as originally designed.
Functional testing will be based on test strategies and data collection resulting from the Y2K Interface Assessment Workshops. This includes an appropriate combination of interoperability and laboratory testing across Components, Departments, NATO and Allies. Exemplary among collaborative efforts is the systematic and comprehensive process that the nuclear community is implementing to assess mission readiness for the Nuclear C3I System of Systems. The process builds on end-to-end "single string" testing that initially demonstrates interoperability from sensor to shooter (i.e., sensors, receivers, C2, forces, platforms, and weapons). Virtual and physical test methods will be needed to complete end-to-end testing as dictated by factors such as time, risk, cost, and resource availability. The single string approach facilitates fault isolation while maintaining readiness of proven primary missions.
End-to-end, mission-level testing will be used to demonstrate DoD's operational readiness in a Y2K scenario. Mission level operational assessments can be achieved by augmenting existing Joint and CINC exercises to include Y2K functional and operational objectives. This testing requires that the joint community define specific Y2K objectives that address primary end-to-end operational capabilities, continuity of operations planning and risk areas. Adhering to DoD Y2K checklists and recommended test strategies will provide evidence of progress and leadership commitment throughout the process.
The Air Force has analyzed satellite and satellite support systems, evaluated ground control systems, tested DoD GPS receivers, and identified cost and schedules for corrective actions. The GPS Space Segment is ready for the year 2000. All GPS satellites are Y2K-compliant. However, some satellite support systems are not Y2K-compliant, but are scheduled for repair or replacement by December 1998.
GPS's Control Segment consists mostly of legacy systems, which are not Y2K compliant. However, a system-wide assessment of the problem has been completed and all corrective actions will be implemented by December 31, 1998.
All GPS Joint Program Office (JPO)-procured receivers are Y2K and EOW compliant. For non-JPO-procured receivers, test plans and procedures have been established so manufacturers and users can determine how their receivers behave on January 1, 2000.
There are two areas of risk that must be considered in planning for Year 2000 disruptions: (1) known or suspected sources of disruption, and (2) unanticipated disruptions. DoD systems with Y2K vulnerabilities were identified in the Assessment Phase of the five-phase Y2K management process DoD adopted for mitigating risks of system failures. The Department has assessed virtually all of our systems and identified Y2K issues for corrective action. Renovation of systems is in process, and schedules have been developed for testing each system. Resources are identified and available for accomplishing these actions.
To further diminish possible adverse impacts on the readiness of the Department of Defense to conduct its mission on January 1, 2000, contingency planning is critical. These plans address failure of the system, disruptions at interfaces, receipt of corrupt data, and failure of utilities and infrastructure. Specific workarounds and actions to accomplish the system functions will be addressed, including providing manual processes to replace systems that rely on information technology.
Existing contingency plans, business continuity plans, or disaster recovery plans at the system, Component, and Department levels provide courses of actions in response to fire, flood, terrorist attack, and other general risk scenarios. The intent of Y2K contingency planning is to ensure continuity of operations through a period of technical difficulty. The Department's Year 2000 Oversight and Contingency Planning Office is participating in working groups at all levels to interject Year 2000 threats such as infrastructure failures into existing contingency plans. Developing alternative courses of action now that can be implemented should failures occur assures the Department maximum readiness under adverse circumstances.
Contingency plans for each DoD Component will include a prioritized list of systems and major actions taken to minimize Y2K disruptions to the core missions of the Component. At the Department level, continuity of operations plans will be reviewed and Y2K scenarios will be incorporated.
Apply an enterprise view that links Y2K vision and strategy to requirements, execution, and contingency planning,
Identify opportunities to enhance Component remediation, testing, and validation activities, and
Compile and disseminate lessons learned, promote collaboration among Components, and promote best use of resources.
The first Allied Interface Workshop was held on February 18, 1998, with the member nations of the Combined Communications Electronics Board (Australia, Canada, New Zealand, United Kingdom and the U.S.).
The UK presented their strategy within the Ministry of Defense (MOD). Many similarities between the UK and U.S. were noted in the MOD's aggressive plan.
The UK provided a listing of those systems believed to have interfaces with U.S. systems. The U.S. is working on a similar list.
Among the topics discussed at the most recent (May 1998) NATO C3 Board was Y2K. Awareness among the community is heightened and fixes to the problem are underway.
Representatives at the first Allied Interface workshop agreed to form an executive level steering committee with a senior representative from each nation. There will also be a working level group formed to ensure that progress is being made in this area. Additional interface workshops are being planned. The regional CINCs will sponsor these workshops with close cooperation from the US Embassy Security Assistance Officers. The success of a program as critical and as pervasive as solving the Y2K problem requires the support of the Executive Branch of the government. DoD is working closely with other agencies in the Federal government and seeks to establish similar ties to Allied defense ministries for critical defense systems which are jointly operated.
While our allies are aware of the Y2K problem, there is concern that the level of attention is not as great as it is in the U.S. For example, some of the energy devoted to solving the Y2K problem in Europe has been diverted to addressing the changes introduced by the transition to the Euro monetary system.
To date the Department estimates it has expended over $1.9B -- out-of-hide -- to fix Y2K problems in its information systems. As a result, $1.9B worth of improvements to existing systems -- as well as the addition of critical new capabilities and development of new systems -- have been deferred. The Department will continue to defer modernization and development efforts as necessary to fix the Y2K problem.
The leaders in the Department respect the complexity and pervasiveness of the issue, and recognize that the Y2K challenge requires:
Our best leadership to motivate, educate, facilitate and interface with the myriad of other Federal, State, civilian industry, Allied and international organizations upon which we mutually depend.
Support, recognition, and incentives both for successful program managers and for the information technology workers who are doing the hard work. The software engineers, in and out of uniform, who must slog through millions of lines of code to repair our systems, are an important defense resource, and there is no time to replace or train more.
Meticulous prioritization and focus on the most important systems. We must work together to ensure that our most important and complex systems are repaired first, and provide contingencies for minor systems. Contingencies don't necessarily need to be elegant; they just need to work. Similarly, several contingencies are less elegant but very workable options.
Ruthless stewardship of our most constrained resource -- time. Time is critical. We can't slow it down. We cannot change the deadline. The Department of Defense is like a large ship entering a harbor. Our job is to turn the ship and bring it safely to the dock, not to rearrange the deck chairs.
DoD has made great progress in addressing the Year 2000 challenge, and will continue to make this one of its highest priorities as we ensure national security before, on, and after the Year 2000. I encourage you to resist the temptation to draft legislation on the Y2K issue; it is not a problem that can be legislated away or solved by levying new requirements on DoD or its program managers. Instead, I respectfully request that the Department be given the flexibility to manage this problem in the manner described above.
INFORMATION ASSURANCE -- A THREAT TO OPERATIONAL READINESS
These IA services assure the readiness, reliability, and continuity of the DII and the information systems that are a part of it. They also protect functions against exploitation, degradation, and denial of service while providing the means for the rapid reconstitution and re-establishment of mission-essential elements of the DII. The importance of IA is increasing as technology moves toward integrated networks that support both classified and unclassified information, and as DoD increases its reliance on commercial off-the-shelf products and connections to public networks.
In the past, the Department relied upon "stovepiped" systems, local area networks, and limited numbers of users -- therefore, limited access -- to protect information. Today, the Department is developing information infrastructures that support DoD systems and networks, including connections to networks such as the Internet. As the Department's Services and Agencies interconnect more of their networks, we are creating a shared risk environment. In a shared risk environment, the security posture of the interconnected systems is only as great as the system with the weakest assurance posture -- in effect, the weakest link in the chain. Given these risks and the fact that weakness in any portion of the DII is a threat to the operational readiness of all Components, the Department is moving aggressively to ensure the continuous availability, integrity, authentication, confidentiality, and non-repudiation of its information and the protection of its information infrastructure. Growing numbers of authorized users in a shared risk environment exacerbate a problem shared by government and industry: a malicious insider who really is authorized access to networks.
One activity using the PKI is the Defense Travel System, which is adopting the use of digital electronic signatures for travel. Digital signatures will allow travelers to receive electronic authorization prior to a trip and permit them to sign their vouchers after the trip. These electronic "John Hancocks" create a secure and legal association between the travel and voucher information. The Defense Travel System is a practical approach for digital signature certificates, including commercial infrastructures and services, which could eventually be used in Department-wide electronic commerce efforts.
We will also deploy those same pilot services within a command and control environment, the Global Command and Control System in particular, to begin providing community-of-interest separation capabilities, as well as data integrity capabilities beyond what is currently available on those types of networks. Department-wide implementation of a PKI capability will facilitate secure electronic commerce and allow controlled access to DoD information and resources. We are also looking at the medium assurance solutions emerging in the commercial marketplace. Many of these commercial solutions are based upon PKI and public key technology and may be viable solutions for the Department.
NSA is also establishing a Network Incident Analysis Cell (NIAC) to perform post network intrusion, forensic-style analyses. It will carry out comprehensive and systematic analyses of security incident data received from incident response centers. The objective is to establish a capability to provide incident trends, including forensic services, such as identifying electronic fingerprints, signatures, attack profiles, and attack scenarios. These analyses and incident trends will lead to the development of applied countermeasures, improved front-end filtering for intrusion detection, and support for indications and warnings of impending attack. In particular, these in-depth analyses will support efforts to design and develop pre-emptive defensive tools.
The military faces unique challenges in its spectrum operations. Military communications-electronics systems perform a wide variety of functions, many of which must be performed simultaneously on comparatively small platforms, or by units in close proximity to one another. Military aircraft must not only perform voice communications, radio-navigation, and radar surveillance operations, they must also be capable of sustaining multiple radar tracks of hostile forces, launching and controlling weapons, providing data communications to other units, jamming hostile sensors and performing counter-countermeasures when necessary. Successfully performing all of these functions on a small platform, in the face of active attempts by hostile forces to jam and disrupt their operations, requires various control measures that include the need for sufficient parts of the electromagnetic spectrum. Eroding spectrum access and thus, limiting the tuning capability of military systems, increases system vulnerability to hostile attack and self-induced interference.
Our future force will be an integrated "system of systems" that aims to give our forces total battlespace awareness, as well as the capability to maneuver and engage the enemy at the times and places of our choosing throughout the entire battlespace. With a full picture of the battlespace, advanced weapons and agile organizations, US forces will be able to attack enemy weak points throughout the depth and breadth of the battlefield -- summed up by the phrase dominant maneuver. They will also have precision engagement -- the ability to precisely deliver the desired effects at the right time and place on any target. They will be supported by focused logistics -- the ability to deliver the right supplies at the right time and place on the battlefield. And they will have full dimension protection -- multiple layers of protection against a full range of threats, from ballistic missiles to germ warfare, giving them greater freedom of action in all phases of combat.
What these four capabilities mean is that our forces will deploy lighter. They will need fewer weapons platforms and fewer munitions. They will be able to direct both lethal and nonlethal fire to the right targets. There will be less collateral damage, less friendly fire and fewer US and allied casualties. US forces will be able to descend on the scene early in a conflict, take the initiative away from a numerically superior foe -- by disrupting the flow of information required for decisions -- and end the battle quickly on our terms.
What does loss of spectrum access mean to our nation's military capability? Essentially, the impact of diminished spectrum access is a reduction in the effectiveness and overall capability of the Department of Defense. Losing spectrum access is like losing any other resource; it costs us both in current capability and future opportunity both directly and, through the reallocation of dollars to mitigate the damage, indirectly as well. Less spectrum access yields an increased expenditure of time, funds, and other resources to develop, test, and field alternative capabilities or work-arounds that in many cases will be less effective than the capabilities they replace. Less spectrum access yields a degradation of military readiness while alternative capabilities are developed and compensatory training requirements are generated.
Each "work around" is one more thing our young people must learn and remember, perhaps while under fire. Each time we are forced to "adjust" training in the United States away from operational norms to accommodate domestic spectrum constraints, our training realism and hence training effectiveness suffers. Thus loss of spectrum access potentially forces us to expend other resources to compensate, expenditures that do not advance our capabilities.
We in the Department of Defense and our colleagues in the intelligence community fully understand the ever-increasing utility and value of the electromagnetic spectrum, and the need to make the most efficient use of that spectrum. The DoD's needs are increasing too. Our tasks for the nation have become more challenging since the end of the Cold War for we are being called upon to do more things, more often, and in more places than ever before.
Title III of the Balanced Budget Act of 1997 (BBA-97) directs the identification for reallocation of another 20 MHz of Federal spectrum below 3 GHz. In response to this legislation, the National Telecommunications and Information Administration (NTIA) identified several bands for reallocation. The DoD, as primary user of these bands, will experience major cost impacts and impairments to critical missions as a result of this reallocation.
Providing accurate impact information is extremely difficult, especially in a short period of time. The analysis must consider the current missions and functions performed in each band, the primary systems in each band, their estimated operational lifetimes, the cost of reengineering or replacing the systems, other systems that may be affected, estimated indirect costs for items such as training, and the nature and severity of anticipated operational impacts. Even then unknown factors such as what commercial systems will operate in the vacated band in the future can change the estimate.
We use certain frequency bands because they are the frequencies that work best for the purpose at hand -- in some cases, they may be the only workable frequencies. The physics of radio wave propagation is not something we can change.
Since DoD operations are conducted worldwide, some DoD use of the spectrum is bound by international agreements.
Relocation of systems is not trivial because each piece of equipment interacts with many others. Relocation and adjustment can have a domino effect. Changes in any single part of the system can force changes in other parts of the integrated military system.
Changing the operating frequency of a piece of equipment is a re-engineering effort; replacing perfectly effective equipment just to effect a frequency change can be costly. This is particularly difficult in an era of declining budgets.
Lastly, the parts of the spectrum we move to are often less optimal for the functions concerned than the spectrum we leave, if they work for us at all. Hence, not only do we spend more, we get less.
The severity of these impacts is discussed in the report to OMB in the context of a National defense posture that will remain unchanged for the foreseeable future. This posture requires that our forces receive adequate training and be prepared for short notice deployment to regional hotspots throughout the world. Likewise, there is a continuing requirement for noncombat operations worldwide as the military continues to participate in a broad range of deterrent, conflict prevention, and peacekeeping activities. No medium other than the electromagnetic spectrum can support the DoD's attendant mobility and flexibility requirements. Critical missions and operations that would be affected by the reallocation of the 20 MHz under the Balanced Budget Act of 1997 include NORAD's Warning and Aerospace Control mission to provide surveillance and control of North American airspace, air launched missile control and precision strike test and training operations, and aeronautical telemetry operations supporting flight testing of aircraft, spacecraft, and missiles at major military test ranges and facilities.
The need to review spectrum usage, to clearly articulate requirements and identify opportunities for sharing, does not fall upon the DoD and other Federal users alone, but also upon commercial users of the spectrum in the United States. Spectrum sharing is a way to satisfy the growing demands, both private and government, for this finite and critically important resource. We know this can be done because the Department of Defense does it daily. Our definition of sharing is using technology and coordination to enable disparate users to exploit the same parts of the spectrum, i.e., multiple users of the same frequencies whose individual uses are technically compatible, and multiple re-use of the same frequencies through physical separation of users.
We develop and implement technical spectrum sharing criteria among the Army, Navy, Air Force and Marine Corps. For some time there has not been enough spectrum to give each individual system or individual user the luxury of their "own" unshared frequency bands. We carefully examine the functions to be performed. We separate the high-powered or highly-critical spectrum uses from other uses to prevent interference. We "co-locate" compatible uses. We engineer our systems to operate compatibly with other uses in the same or nearby bands. We also employ "dynamic management" to maximize frequency reuse to meet our extensive requirements.
Our ability to meet emerging military and intelligence data transfer requirements, which are expected to exceed multi-gigabits of information, demands effective spectrum utilization on our part. Outside of the DoD, in contrast, "sharing" often means highly inefficient band segmentation in which individual users are provided their own piece of the spectrum, often with additional valuable spectrum squandered as unused "guard bands."
The DoD is also expending resources to identify its spectrum needs for the future. This is a formidable task, however, since it includes not only a determination of future operational scenarios and the information capacity they will require, but also an informed estimate of the types and extent of future technology development. Completing such a complex task will require time, as will migrating to any future system technologies. The Defense Department requires adequate spectrum access to support National Defense missions in the interim. Numerous factors, including the physics of propagation, the density of current spectrum users, and concern regarding possible future reallocations, make it extremely difficult for the DoD to gain access to alternative spectrum. Measures that would help mitigate the impacts of spectrum reallocations and ensure adequate spectrum availability include institution of a moratorium on the reallocation of government spectrum until our assessment is complete, mandated identification of and guaranteed access to alternative spectrum for displaced users, reimbursement of the costs incurred to migrate from one spectrum band to another, and the implementation and enforcement of equipment (transmitter and receiver) standards for all spectrum users.
Once again, thank you for your support.