Index

 

STATEMENT OF REAR ADMIRAL RICHARD MAYO
DIRECTOR, SPACE, INFORMATION WARFARE,
COMMAND AND CONTROL
CHIEF OF NAVAL OPERATIONS
 

            Good afternoon, Mr. Chairman, Members of the Committee, and staff.  I am Rear Admiral Dick Mayo, currently serving on the Navy staff as Director of Space, Information Warfare, and Command and Control.

 

            I am pleased to be here to discuss what I believe are two of the most important areas we are facing today in the Navy—Information Superiority and Information Assurance.  The United States Navy is in the midst of a transformation that capitalizes on the awesome potential of advanced information technology, and the topics of this hearing go to the heart of all our basic Information Age challenges.  In a strategic sense, this now includes the dimension of cyberspace.  We must use cyberspace well to influence events, and we must protect our access to cyberspace.  Operationally, using networks to host this new medium provides a significantly increased advantage to our warfighters.  We have made tremendous strides in the last several years realizing this potential, and it is more important than ever that we maintain this momentum.

            I would first like to offer our current perspective on Information Superiority, then discuss Information Assurance, and finish with our "entry fees" to both of these.

Network Centric Operations

            Since the release of Joint Vision 2010 first focused awareness on the subject, many new insights have been gained.  Navy is fully engaged in the pursuit of Network Centric Operations as our capstone concept for bringing networked organizations and technologies to bear in the battlespace.  It leverages the distributed networking of our people, information, weapons, and sensors to achieve faster and significantly improved effects with smarter, more adaptive performance.  As we have started fielding our networks, and experimented and operated with them in the real world, we have brought additional insights into our new concept for Knowledge Superiority, building upon our original appreciation of Information Superiority.

Knowledge Superiority

Knowledge Superiority provides a strong perspective on the value of organizational and human dynamics, and how these networked organizations behave to yield truly powerful benefits.  Knowledge Superiority focuses on people; what they know; how they bring that knowledge together; and, how they put that knowledge into action to gain the advantage and take the initiative.  This power comes primarily from three main network features: first, the nearly universal access to information; second, the use of rich collaboration venues among interested and knowledgeable parties; and, third, smartly applied decentralized authority to act quickly and knowledgeably at the local “points of tactical contact.”  These “points of tactical contact” are where we most want adaptability, speed, precision, and agility.  By giving our Sailors the ability to access the nets, collaborate, and innovate—and the trust to act professionally and appropriately to achieve our goals—we ensure Navy's operational success.

Investment and Policy Choices Determine the Degree of Operational Adaptability

I want to emphasize this point about empowered capability first because it is absolutely vital to recognize that the choices we make about the connectivity and applications available to our people will determine our approach to warfighting.  Where we place our network connections, what connectivity is available, what network applications are provided, and how reliable they are, will determine how our Sailors will be able to achieve their goals.  We should be careful not to lock out options, especially when our greatest advantage is the battlefield innovation repeatedly demonstrated by our own people who constantly impress us with new combinations of actionable knowledge, followed by the unique and powerful application of capabilities that we did not previously imagine.

Our momentum must be maintained in delivering tools to our Fleet for a highly distributed, generally decentralized, fully empowering capability to realize our innovative Information Age potential.  This mentality must form our choices concerning connectivity, applications, and network control and management.  We must enable our Sailors to the fullest extent possible so as to allow them to control their combat destiny. Indeed, we should always err on the side of empowerment because I am eager to let the Sailors themselves tell us what we need to win our future wars.

 

Operational Payoffs

 

Here is what they are telling us.  During Operation ALLIED FORCE in Serbia and Kosovo, the SIPRNET (Secure Internet Protocol Router Network) literally replaced regular naval messages as the primary means for communication and coordination among our staffs and ships.  The medium is so much faster and more personal that it has become absolutely indispensable in the conduct of today's operations.  Key planning events were conducted via e-mail and video-teleconferences.  Commanding Officers had on-going dialog with their Task Force Commanders.  Navy air strike planners afloat collaborated with joint intelligence cells around Europe and with strike planners at the air operation centers ashore, and with Tomahawk missile planners on other ships hundreds of miles apart.  Pilots were on the net conducting live debriefs with intelligence collection managers.  New combinations of intelligence analysis, coupled with the commander’s wisdom and experience and the intimate reality of the on-scene tactician, created new and relevant successes in this joint campaign.

 

In the heat of war, we were able to capture one such amazing event.  On one occasion, a USAF aircraft over Serbia recognized a group of enemy mobile targets.  This information was fed to the network, resulting in a significantly reduced response time and allowing a Navy Tomahawk missile to be used against these targets. Through the use of our networking, we were able to take a process that previously consumed days, and turn it into a truly tactically significant capability.  We want to spread that capability throughout our forces.  Our Information Technology for the 21st Century, or IT-21 capable Battle Groups continue to report operationally significant benefits like this.  During Operation DESERT FOX strikes against Iraq, we conducted dual Carrier Battle Group strike coordination with the joint air commander almost exclusively over the SIPRNET.  Recently, during a crisis over the incursion of North Korean fishing vessels into South Korean waters, SEVENTH Fleet sent IT-21 capable ships to monitor and respond, enabling these ships to share their situational awareness with the joint forces commander ashore.   A true transformation is taking place, with organizational and operational overtones that are now just being recognized and understood.

 

Some additional examples come to us from our Fleet Battle Experiments.  My Directorate sponsors the Navy Warfare Development Command (NWDC) in Newport, Rhode Island.  NWDC coordinates live experimentation in our Fleets.  In Fleet Battle Experiment  (FBE) Delta conducted by SEVENTH Fleet, our networking technology enabled the planning and execution of an entirely new tactic—the coordinated employment of shore-based Army Apache helicopters against enemy maritime special operations forces (SOF). This previously untested and untried force combination was able to achieve a ten-fold increase in counter-SOF attacks.  In FBE Echo conducted by THIRD Fleet in March 1999, our networks enabled new combinations of surveillance and strike platforms working against mobile targets ashore.  Also in FBE Echo, our area anti-submarine forces successfully employed a SIPRNET site to maintain a common undersea picture and conduct collaborative planning via web-based chat.  This web-based function has transitioned to successful real world operations in the Pacific theater.  In FBE Foxtrot conducted by FIFTH Fleet in December 1999, our networks were used to accelerate all phases and dimensions of operations—air defense suppression, sea control, interdiction, and strike operations.  This is known as rapidly decisive “parallel” or “simultaneous” operations.  Our networks allow us to achieve new levels of performance.

 

Information Security and Information Assurance

 

            I would now like to address Information Assurance (IA).  Our approach to Information Assurance is known as “defense-in-depth.”  We have adopted a layered, end-to-end approach to network defense.  As I describe the measures, please keep in mind that these apply directly to our currently on-going IT-21 and projected Navy-Marine Corps Intranet (NMCI) efforts.  With defense-in-depth, security protection mechanisms are employed in multiple locations in the network architecture.  For example, depth could mean layering link encryption over network protocol encryption, and further layering it over e-mail (application layer) encryption.  Another example would be to use two different anti-viral packages, one at the firewall/mail server and another at the end-user workstation.   In addition to technical protection devices like these, our defense-in-depth takes into account trained personnel and an improved IA organizational infrastructure as well.

 

Firewalls, intrusion detection devices, and software tools are installed as technical defense measures throughout every network echelon.  This means that at each and every layer of our network--from the individual desktop, to the LAN (Local Area Network) in each ship or building, to the next layer network throughout a set of buildings (such as a headquarters facility or a base), to the metropolitan area networks, and to the regional Network Operations Centers--these tools are in use simultaneously.

 

We have designated our Space and Naval Warfare Systems Command's (SPAWAR) IA program manager as the IA Technical Authority and Certification Authority on all technical security matters. This central authority provides network-wide high standards for quality control and compliance.  Navy's central Technical Authority maintains a web site as a central up-to-date  resource that includes an IA software toolkit (such as virus scanners and a secure copying program), IA policy and guidance, and certification templates.  The Technical Authority also develops our IA technical publications which contain detailed incident reporting guidance, defensive system configuration guidance, and IA technical procedures in general.  Most important, the Technical Authority works with acquisition program managers throughout the Department of the Navy to ensure that technical requirements are being met in all programs.

 

A significant part of our Information Systems Technician (IT) personnel and training efforts cover our needs for IA.  All IT-rated personnel will be exposed to varying degrees of IA training over the course of their careers.  Beyond initial system administration training, mid-career personnel working at Network Operations Centers are being trained as Network Security Vulnerability Technicians.  This is an 8-week course directed at securing information systems.  Since introducing the course in 1997, we have doubled our throughput to 120 per year.  Qualified IT personnel at the E-6 and O-4 levels are being trained as Information Systems Security Managers through a new course that will train 164 personnel this year.  They will function as an activity's accreditation action officer, institute security policy, implement security risk management programs, and develop information systems security and contingency plans.  This training is being made available both at Pensacola and by six Mobile Training Teams.

 

Our organizational infrastructure has been adapted to deal with increased security threats.  We achieved full operational capability of the Navy Component Task Force for Computer Network Defense (NCTF-CND) on 31 July 1999.  NCTF-CND conducts continuous IA vulnerability assessments, implements Information Security Conditions (INFOCONs), and works directly with the Joint Task Force for Computer Network Defense (JTF-CND).  In 1999, the NCTF-CND issued eleven IA Vulnerability Alerts  and three IA Vulnerability Bulletins to mitigate computer network vulnerabilities.   NCTF-CND also conducted a Navy-wide INFOCON exercise in late 1999, the results of which contributed greatly to our understanding of the operational impact of INFOCONs and the need for detailed response procedures.

 

Our Fleet Information Warfare Center (FIWC) conducts intrusion detection, incident reporting, and operates the Naval Computer Incident Response Team (NAVCIRT).  FIWC additionally works with the numbered Fleet Commanders and Battle Group Commanders to conduct aggressive "red team" efforts during Joint Task Force Exercises.  In this way, we can detect IA problems, conduct on-the-job system administrator training under IA stress conditions, and heighten IA awareness as part of deployment preparations.

 

Together with my staff, each of these arms of our IA effort overlap to focus on supporting all Navy System Administrators, our “points of tactical contact” for IA.  They are notified of potential security activity or concerns by the NCTF-CND and have FIWC-developed response capabilities at their disposal.  Every System Administrator also has access to the expertise and security products resident at the Navy's central Technical Authority at SPAWAR.  They administer networked systems simultaneously at all levels, providing depth to the defense.  They are truly our first and best line of defense, and are often the initial reporting source on probes and incidents occurring in our networks.

 

Our organizational alignment will soon include the closer integration of Navy and Marine Corps Headquarter's C4I staffs, with single leadership for our IA programs and policies.  New IA leverage has also grown from our intense Y2K effort, including much greater insight into our total IT inventories which will be used for improved security through configuration control and improved enterprise-wide IA vulnerability assessments.

 

Other specific IA accomplishments this past year include:

 

  • An IA R&D plan focused on technologies which comprise our networks.
  • Every Navy web-page is monitored for OPSEC and content on an on-going basis by a dedicated risk analysis team manned by four Naval Reserve Security Group commands.
  • Public Key Infrastructure (PKI) DoD-level coordination, implementation planning, and pilot projects focused on device authentication for stronger access control across trusted boundaries.
  • Designation as the DoD lead service for implementation of the Common Access Card (CAC, or "Smart Card") for introduction of PKI.

 

Additionally, we recognize the importance of the security of information generated by Global Positioning System (GPS) for our platform navigation, locating and weapon targeting.  As the Navy’s agent for GPS, we are actively engaged in the joint Navigation Warfare (NAVWAR) effort.

 

We are ready to move forward on some IA programs that are currently under- funded in FY01.  These are:  COMSEC (high security cryptographic devices);  Secure Voice;  PKI;  and KIV-7.

 

Entry Fees to Information Age Power

 

Achieving our Information Age potential comes with a few “entry fees”—in other words, you can not achieve the operational outcomes without certain key investments up front.  In addition to network security and IA, these fees are: a complete network infrastructure; new operating processes and structures; and, people ready for and trained in Information Age operations.

Network Infrastructure

 

IT-21

 

Making the SIPRNET examples I just cited available to every naval force afloat means completing the fielding of our IT-21 networks.  Our IT-21 initiative has thus far equipped our four Command Ships, five Carrier Battle Groups, and five Amphibious Ready Groups.  We are approximately two and one-half years into a six-year initial fielding plan to fully outfit our afloat forces.  In addition to our groups, some form of IT-21 is scheduled to be installed in every naval combatant.  Slight variations of several related programs are planned, trying to balance our desire for high bandwidth connectivity and comparable ship capability with affordability.  IT-21 always comes with satellite access to the classified SIPRNET and the unclassified companion NIPRNET (Non-classified Internet Protocol Router Network).  On command ships, it also comes with video-teleconferencing capability.  In all cases, IT-21 comes with a set of operational tools known as GCCS-M or Global Command and Control System-Maritime.  The GCCS puts a shared, joint, common operational picture at every desktop and watch station.  Additional new applications are being developed by the operational commanders, and because these are software-based and can reside in almost any Internet-Protocol server, the IT-21 infrastructure supports an incredible amount of adaptability to the various Fleet and Joint Commanders’ needs.  Furthermore, our IT-21 network has allowed us to establish a tight information security enclave for our ships by bringing with it all those IA benefits I mentioned earlier. These aspects have already proven their worth in actual operations.

From where we started a few years ago with reasonable hopes that IT-21 would bring us new power, we are now at a time when our operational commanders are counting the ships that do not have IT-21.  The following example is illustrative: USS Mobile Bay was designated by the SEVENTH Fleet Commander to be the ship on-scene for the recent East Timor crisis specifically because she is IT-21 equipped.  As the time approaches to replace Mobile Bay on station, the Operational Commander will want an equally capable ship to similarly share situational awareness or conduct rapid coordination.  As you can see, Operational Commanders are now managing ships’ employment schedules based on their IT-21 capability.  We need to keep pressing to simplify these difficult and vital decisions.

Navy-Marine Corps Intranet

To bring those same benefits ashore that we have seen afloat in our IT-21 operational experience, we have set course on our Navy-Marine Corps Intranet (NMCI) initiative.  For long haul communications, the NMCI will ride the Defense Information Systems Network (DISN).  For other intranet services, it is Navy’s judgment that industry will provide a highly competitive solution. In December 1999, Navy issued a Request for Proposal (RFP) to industry for contracts to field our Intranet.  The Assistant Secretary of Defense for C3I has agreed to the Department of the Navy’s pursuit of the NMCI with the network utilities industry, subject to the finding of Navy’s business case analysis.  We are currently conducting this analysis.

There are some very key facets of an intranet that make it very compelling for us.  First, an intranet can provide full collaboration across every afloat and ashore element of our Department.  There will be no "haves versus have-nots" in the NMCI.  Every naval element will be a full participant.  Unlike today, every command and every Sailor will have the appropriate level of access to fully exploit network applications and services, and in turn, will be able to contribute fully.  Second, we will increase network interoperability through the common standards that only a single enterprise intranet can provide.  Like successful business enterprises, the NMCI will provide full access across the enterprise to common databases and information repositories, as well as a great cross-functional reach across previously stove-piped boundaries.  Our currently uncoordinated and inconsistently developed and operated networks do not permit this degree of synergy.  The NMCI will better enable us to support sweeping applications like enterprise resource planning, or “ERP.”  Several pilot projects for ERP have been chartered by the Navy Department’s Revolution in Business Affairs Executive Committee (RBA ExComm).  Much like a business enterprise, ERP will enable us to increase efficiencies in distributed design, development, acquisition, purchasing, distribution of supplies, maintenance chains, and other business-like activities by making the process fully interconnected and transparent, therefore becoming better suited to Fleet support.

 

Finally and most importantly, intranets bring with them security measures that are otherwise unachievable in uncoordinated and uncertain network conglomerations.  Improved security is probably the greatest value-added of our NMCI.  We want to take the improved security posture achieved with our IT-21 capability and expand that secure enclave ashore.  The NMCI architecture framework defines four defensive "boundaries" in conjunction with our overall IT defense-in-depth strategy, ranging from the external network boundary to the application layer.  These boundaries will be used to define specific, layered security measures.  Our NMCI guidance also delineates security requirements for technical and quality of service standards.  The requirements encompass content monitoring, content filtering, virtual private network (VPN) and encryption standards, standards for PKI-enabled applications, and web security.  Further, the NMCI sets the qualification standards required for contract systems administrators and network managers.  "Red Teams" are also established under the NMCI to determine the effectiveness of contract fulfillment toward security requirements and to perform ongoing network vulnerability and risk assessment.  A "Blue Team" will verify security configuration management and approve all security architecture choices and security procedures.   The NMCI vendor will be responsible for providing raw data that will be analyzed by Navy to determine whether an incident has occurred as well as the magnitude of any incident.  None of these security measures can be guaranteed without an intranet of common standards and required quality of service.

 

Since the beginning of this year, Navy has recognized nineteen computer network incidents on unclassified systems.  Our experience with these and past intrusion attempts validates the importance of maintaining a technically-astute, responsive IA organization on an enterprise level.  Although we train our System Administrators to run their systems as securely as possible, and we keep them up-to-date with IAVAs, NAVCIRT advisories, and other timely technical information, there is always the element of variation in local procedures, complex software version upgrades, and network reconfigurations.  With NMCI, centralized system administration will give us the ability to dynamically and remotely implement (i.e., "push") "best practices", countermeasures, and secure network configurations to permit a near-real time, technologically uniform implementation of IAVAs and technical advisories Navy-wide.  For example, while local commands would continue to author the content of organizational web pages, the web pages themselves would reside on uniformly and centrally configured NMCI servers--configured in accordance with DoD/DoN best practices.  Vulnerability to web page "hacks" will be uniformly mitigated across the enterprise.

NMCI will also accelerate the desired proliferation of Class 3 PKI-enabled web pages and authentication measures for appropriately authorized access to, and modification of, Navy web sites.  The uniform implementation of PKI/certificate authorities and anti-virus signatures across the NMCI enterprise will considerably reduce risks of external intruder root access gained by the "sniffing" of passwords, and from unsolicited e-mail with malicious attachments or "Trojan horses", such as last year's "Melissa" episode.

           

Organizational Processes and Structures

 

            Because there is so much appropriate attention to fielding the physical network infrastructure, it is sometimes easy to overlook the organizational dimensions.   In all of my statement thus far, however, there are glimmers of the tremendous need to focus on these organizational dimensions.  I have already highlighted the need for adequately empowering Sailors with the ability to collaborate in new ways.  The obvious move of the Systems Administrators to the center of our security efforts indicates important organizational adaptation.  Enterprise Resource Planning clearly leverages the network's reach across former organizational boundaries.  These are just a few examples of the ongoing shifts in organizational processes and structures that are absolutely necessary to attain the full power of the networks.  Others must follow.

 

We are constantly addressing our work processes.  We know from industry that organizational structures and processes are changing extensively in the Information Age.  A common theme in the business arena is to “disaggregate your current ways of business and re-aggregate them on the net.”  This is indeed what Network Centric Operations is all about. A very important effort to examine and adjust our business and operating processes is taking place at THIRD Fleet where the JOHN C. STENNIS Battle Group has just been outfitted with IT-21.  THIRD Fleet’s Network Centric Innovation Center (NCIC) has been targeting the improvement of Battle Group processes based on the IT-21 network. This low cost, high leverage activity is indeed a critical entry fee to achieving full operational potential of our networks.

 

            A byproduct of our success in process-redesign efforts like the NCIC, as with our experience with IT-21, is our recognition of an increasing need for more Information Management (IM), Knowledge Management (KM), Bandwidth Management, and improved Network Management procedures overall.  Navy recently introduced our FY 2000-2001 IM/IT Strategic Plan.  Our Intranet Knowledge Management Working Group (IKMWG), which was chartered last year by the RBA ExComm and is under the leadership of the Department of the Navy Chief Information Officer (DoN CIO), is pursuing many of the plan's objectives.  The IKMWG has begun to catalog and leverage the many lessons learned from several existing Navy KM initiatives. We are also leading the charge on a DoN enterprise “knowledge portal," a tailored web site that acts as the front end for a tremendous amount of Navy documented knowledge and data repositories.  The knowledge portal will be akin to having a Navy-wide librarian on your desktop.  Finally, we are conducting a pilot project on standardizing databases.  This effort will teach us how and where data and information is best organized on our networks to permit plug-and-play functionality.

 

People

 

Today, tomorrow, and in the future, our people are always our most vital resource.  They are truly the most adaptive element in our warfighting organization.  I have already highlighted the need to empower them with our distributive network infrastructure and policies, and how we have enhanced their capabilities through our security-related specialist training.  I would like to mention some specific initiatives we have directed at personnel structure, skills and training.

 

We have commenced fashioning an end-to-end approach to enlisted personnel in the Communications, Information Systems, and Networks—or “CISN”—field.  The Navy has re-designated the Radioman (RM) rating to the Information Systems Technician (IT) rating.  Along with this change in focus, come the following high impact actions:

·       Increased Selective Re-enlistment Bonus (SRB) across all promotion zones

·       Advancement opportunity well above Navy-wide averages for all pay grades

·       The IT rating is open to all non-rated, first enlistment Sailors (“GenDets”)

·       Rate conversion for E-5 and below into IT has been opened up significantly

·       Aptitude requirements for entry into the rating have been increased

 

We have also tripled the training availability for network system administrators over the last four years to 188 seats/quarter.  With the rapid infusion of our networks, this is a critical support item. We have identified an upward trend in retention of our IT-rated professionals when they have received formal training as systems technicians or administrators in their first enlistment.

Transformation

            An additional challenge is that something fundamental is happening that can truly be considered transformational.  We concentrate a great deal on the infrastructure, but as I have said, our people and their new collaborative behavior in these networks are extraordinary.  The shapes and processes of all of our organizations are in transition.  The “network effect,” where organizations are now working in a “many-to-many” system, creates relationships that cut across former boundaries in all directions.  Sometimes these relationships are highly transient and focused on a single unique task, and sometimes they become established to accomplish many tasks over time.  They draw on Navy-wide intellectual and informational resources in richly personal ways that make a difference in real operational events.  Often, new “communities” of practice arise.  Sometimes we have consciously facilitated this new organizational behavior, but most frequently the people themselves see the new power and reach for it themselves.  Sometimes, we do not even notice at first glance.

This “many-to-many” system is inherently non-linear.  I venture to say that because the possible networked combinations are so incredibly numerous, it is exponentially non-linear.  My Directorate has been spurred by our IT-21 experience and a concurrent need for models and metrics that will show how new IT network investments achieve discrete operational outcomes.  We continue to work hard on this, but we are convinced that the fundamental transformation happening here has raised the degree of analytic difficulty by an order of magnitude or more.  Highly discrete analytic metrics may not reveal themselves until we move further with this transformational shift. We are keeping up the press, and in the meantime, our best and most convincing evidence of value are the clear operational results--highlighted by my examples--that  simply could not happen without our new networking investments.

            The dawn of the Information Age is truly a remarkable time.  In society at large, we expect the ride to continue, fueled by both economic and social imperatives.  Alan Greenspan and other experts have described this transformation as “creative destruction,” where the old systemic order is pushed out by a new and better order on a whole new level.  For Navy, our imperatives are strategic, operational, and tactical in the ways I have already described to you.  And to attain this whole new level of combat performance and realize our full Information Age potential, we must continue strong investment in our entry fees.  More than half of our afloat forces are awaiting our new IT-21 networking capability.  We have not yet realized our Navy-Marine Corps Intranet, an effort to achieve the most efficient, effective, and secure networked naval community we can.  We have just begun to adequately train our people to work in this environment, including how to conduct network-based operations under security stresses.  These are things we must do.  We have made a great start.  Maintaining our pace and gaining momentum now is our greatest imperative, ultimately leading to our future--a Network Centric Force.

            Thank you very much for the opportunity to comment.