
Lieutenant General William J. Donahue, USAF

Director, Communications and Information

United States Air Force

          Mr. Chairman, distinguished members of the committee, I want to thank you for your continued interest in this nationally important issue.   This is my third opportunity to provide testimony on this important subject.  Three years ago, the Air Force had only begun its journey in establishing a strong network protection posture.  The Air Force was also in a transformation stage 3 years ago--becoming an aerospace force--and Information Superiority was a critical piece to making that vision a reality.

  At the time of my appearance before you in 1997, every Air Force base had an intrusion detection system; firewalls were new but they were the exception; we were prototyping base network control centers; we crafted our defense in depth security concept, known as the Barrier Reef; and our Air Force Computer Emergency Response Team  (AFCERT) was a reality. 

   In 1998 with funding support from Congress, we undertook an aggressive program to install network management systems and base information protection (NMS/BIP) tools at 109 bases.  We installed firewalls, scanning tools, and network management tools at our main bases.  Our concept of Operationalizing and Professionalizing the Networks was in full swing--we were treating networks like the weapons systems they had become.

  By the time of my 1999 appearance, we had established the AFCERT as the Air Force component to the Joint Task Force for Computer Network Defense and the Air Force had published its Information Operations Doctrine.  Every Air Force base had a network control center with an initial network protection tool set and we had begun establishing Network Operations and Security Centers at our Major Commands.  We were wrapping up Operation DESERT FOX; and we were shoring up our defenses as intrusion attempts into our base networks continued to grow.

  Today, every Air Force base is protected by intrusion detection systems and we scan our networks for malicious activity and vulnerabilities.  We have upgraded our information protection tool sets with new technology and we operationally task our Network Control Centers and report their readiness through the Status of Resources and Training System.  We think we are running world class networks but the threats to them are real and dangerous.

  In my testimony today, I will focus my remarks on our operational successes, the considerable threats we face daily, and the way ahead for the Air Force.

Operational Successes

          Last year, US involvement in the Kosovo conflict illustrated clearly the Air Force's ability to leverage information superiority for combat success. Additionally, Operation ALLIED FORCE has been called the first "Cyber War."  Let me illustrate with a few examples:

- Although our communications networks were repeatedly subjected to probing, barrages of E-mail, and the "virus of the week" program, our mission operations continued unaffected.

- Communications bandwidth requirements were not a significant limiting factor for accomplishing mission objectives--we supported 40 contingency sites in 15 countries with twice the capacity of that used during Operation DESERT SHIELD/DESERT STORM.

- Reachback worked.  Our information systems, consisting of both commercial off-the-shelf and military communications equipment, enabled reliable, timely reachback to the continental United States for intelligence, logistics, and personnel support that otherwise would have had to deploy forward.

- Predator unmanned aerial vehicle images were transmitted to Beale Air Force Base in California, analyzed and sent back to theater in finished form in less than 10 minutes.  It also contributed to an extremely effective logistics system where 93 percent of replacement parts were shipped to forward bases in less than four days.  This allowed forces directly engaged in combat to average a 92 percent mission-capable rate -- a rate higher than peacetime averages.

   Despite our overwhelming success, we can’t underestimate the dangers in the information age.  Just because we had little trouble defending ourselves last time does not mean we are safe from cyber attack.  Recall that Serbian air defense systems knocked out two of our airplanes; they were real, they were dangerous, but in the final analysis they were not a big player in combat operations.  The cyber attacks we experienced were also real and dangerous. But in the final analysis, our information assurance posture caused the cyber attacks to be nothing more than a nuisance and had little impact on combat operations.

   Similarly, we achieved a stunning victory in the Information Assurance test of our lifetime--Y2K.  Our success in defeating the potential Y2K problem was a direct result of senior leadership involvement and the hard work of all Air Force members.  Because of our preparations, we came out of Y2K a better Air Force for the new millennium.  We tightened up and tested continuity of operations plans, we eliminated over 390 non-mission essential systems and migrated others to less costly, more efficient, common-use systems, upgraded our base-level computer and telephone systems--the bottom line is we linked information assurance to mission assurance in working Y2K and do so in our daily operations. 

Threats and What We've Done to Mitigate Them

          Threats to Air Force information systems and our capabilities to detect, prevent and defeat these threats are significant targets on my scope.  We are not only implementing good information assurance tools, but we're emphasizing good security policy and good business rules that ensure we deliver accurate information to the warfighter anytime, anyplace.

 

  We're facing a considerable challenge on the personnel front to recruit, train, and retain qualified network technicians able to build, run, and sustain the information technologies that enable us to be so effective.  The challenge is compounded by the fact that this is a national problem--the shortage of information technology talent is significant and impacts every organization that is an information enabled, high performing enterprise. 

  While there are no simple and quick solutions to the people challenge we must continue to operate.  Our program involves operationalizing and professionalizing the network--organizing, training, and equipping Air Force network professionals to do their jobs.  From the professionals who operate and maintain them to the users who depend on them every day to accomplish their mission, we are holding everyone responsible for information assurance.  Let me give you some examples:

- Over the past year, we developed a standardized set of network Tactics, Techniques and Procedures designed to incorporate rigor and discipline into operating, maintaining, and reporting status of our networks.  We have established crew positions and identified the requisite training requirements for those positions.  Establishment of  "checklist" procedures instills even greater confidence in our operators' ability to provide timely, reliable information to our warfighters.

- We have totally revamped initial skills courses for our computer operators.  Today, we produce troops with good training on network operations fundamentals who can dive into "on the job training" and rapidly acquire a solid set of “journeyman” skills.

- We’ve funded Information Assurance Computer-Based Training and Internet-Based Training courses tailored to both users and system administrators.

Our first line of defense, our network professionals and users, are well trained and poised to respond to network threats.

  These efforts focus inward on what we’re doing to enhance our personnel strengths.  We must also maintain our focus on mitigating the external threats to our networks.  Though the recent highly publicized Distributed Denial of Service attacks did not affect any Air Force systems,  we are just as susceptible to this kind of crippling attack as the commercial sector.  Individual hackers and hacker groups have proliferated over the last year and we must remain vigilant against the potential of these attacks every day.  Good networks, good procedures, good training, and good protection tools are the bedrock of our defense.

          Viruses also remain a potential threat.  Although we were able to stave off the "Melissa" virus and sustained little damage, there are variants and new viruses that are cropping up all the time.  Again, these examples provide a stark reminder that we CANNOT ever let our guard down.

          We not only need to prepare for and protect ourselves from network vandalism, but we must also treat our networks as the weapons systems they’ve become.  Whether viewed offensively or defensively they are weapons systems.  I’d like to quote a recent news article that describes the target environment:

  “It is essential to have an all-conquering offensive technology and to develop software and technology for Net offensives so as to be able to launch attacks and countermeasures on the Net, including information-paralyzing software, information-blocking software, and information-deception software… Modern high-tech warfare cannot win without the Net, nor can it be won just on the Net. In the future there must be a coordinated land, sea, air, space, electronic and Net warfare, and the state's determination will be fully expressed in this mysterious theater space.”

 

    This quote, reported in the 1 Nov 99 Washington Times, is from an article in China’s Liberation Army Daily, the official daily newspaper of the People's Liberation Army General Political Department.  Additionally, members of the PLA have laid out plans for Internet insurgency in the People’s Daily.  PLA colonels wrote in Unrestricted Warfare, “A planned stock market crash, a computer virus attack, making erratic the exchange rate of the enemy’s currency and spreading rumors on the Internet about enemy leaders can all be considered new concept weapons.”  My point--information warfare is not hyperbole--it’s real.

          These articles indicate the Chinese are aware of the capabilities of computer networks in warfare.  Let me point out what we are doing to mitigate threats to our information systems:

- we are locking down our networks

- closing known vulnerabilities

- standardizing our base information protection and firewall configurations

- installing automated anti-virus software and alerting all units when a new virus appears

- using intrusion detection systems

- standardizing Internet scanning tools

We also developed and fielded a suite of defensive tools for our deployed Network Control Centers and Network Operations and Security Centers.

Way Ahead--The Next Step

   We've accomplished a lot over the past year, but we must continue to raise the bar.  The future looks bright and we have a number of initiatives under way that I'd like to highlight.

- Information Assurance Awareness.  Three years ago we began an initiative called Information Assurance Awareness Month.  During the month of February, we emphasize awareness of Information Assurance issues.  Our point is that Information Assurance is everybody's business.  Our users must all realize their obligation to “fly the network” securely, get the necessary training, and practice good network security.

- Training.  We established a Network Center of Excellence at Keesler AFB for training our network professionals and just recently graduated our first class of skilled professionals.  Training is critical and in the information age it involves a continuous life of learning.

- Equipment.  We are working to complete our Phase II upgrades to our bases by improving base information protection tools--installing additional firewalls, upgrading software, and providing added training.  We have begun fielding an improved Intrusion Detection system that will fill in the gaps of our current system.

- Public Key Infrastructure (PKI).  We recently awarded an Air Force-wide PKI contract and have already begun the first phase of issuing certificates to our members.  This is just the beginning of increased security measures across the board, using technology to enhance our security. 

- C4ISP.  Information systems are more and more integrated into our command and control and weapons systems.  The acquisition process must include planning for information assurance as a fundamental step.  Our proposal for C4I support planning will ensure that information assurance planning is embedded in the total system acquisition and sustainment cycle.

- Presidential Decision Directive 63 - Critical Infrastructure Protection.  The Air Force is marching lockstep with the broad federal efforts to protect our critical infrastructures.   We have functional community representatives for each critical sector developing their Defense Infrastructure Sector Assurance Plans.  Additionally, the Air Force has taken on the task of protecting not only the Global Positioning System (GPS) but also the whole national space launch and range infrastructure vital to our nation. 

   I believe the Air Force is focused on the right issues and building the programs that provide the best service and protection possible. Our Air Force Posture Statement highlights the importance of Information Superiority and Information Assurance; our programs demonstrate our commitment. You can help us by supporting our Information Assurance and base infrastructure programs.  Our Information Technology Exhibit (Exhibit 53) supports the Air Force effort to leverage networked information systems that guarantee our Information Superiority.  Information assurance is a high priority, and the Air Force is committing resources to provide it, but we could still do more.  Information infrastructure is number three on the Air Force unfunded priority list.  If you have more top line resources, we’re ready to put the money to work.  

   The second thing you can do is strengthen the laws that relate to computer intrusion, computer vandalism, and computer crime.   The foundation of our Information Technology laws owes its legacy to telecommunications law and specifically links back to the Communications Act of 1934.  It was good and appropriate for its time.  However, the cyber world is moving at light speed and we need laws that deal with this reality.  The ability to track down or search for hackers who vandalize web pages or organized hacking groups who infiltrate information systems and extract sensitive information CANNOT hinge upon outdated criminal or civil legal processes.  The law needs to catch up with the realities of cyber crime and investigative needs by “out of box thinking” such as use of verbal search requests and dedicated IT-trained approval magistrates.  It is our understanding that the Department of Justice is considering legislation to address these issues, and any such effort warrants your fullest attention.  We also need to send a clear and hard-hitting message--you violate the computer network laws and we will hunt you down and hold you accountable.

   In closing, let me say that this Nation has every reason to be proud of its military.  Throughout the spectrum of conflict and in the competency of Information Superiority, the US military has no peer.  The United States Air Force is organized to win, prepared for the future, and committed to supporting our nation's security needs--anytime and anywhere.