Statement
by
Opening
Thank
you Mr. Chairmen and members of the Subcommittees. I am honored to be here, and pleased to have the opportunity
to update your committee on many of the issues we discussed roughly one
year ago. I believe the
United States Government and the Department are making significant
progress in the quest to achieve information superiority, providing
information assurance and protecting our critical infrastructures.
These are absolute necessities if we are to truly achieve
information superiority. Other
testimony that you will receive today from the Joint Staff and Services
will highlight the progress we’ve made over the past year in achieving
both information superiority and information assurance. DoD is in the process of a transformation that will better enable it to meet the mission challenges of the 21st century by taking full advantage of Information Age concepts and technologies. Information Superiority is a key enabler of this transformation and central to emerging warfighting concepts. Today I hope to articulate DoD’s Information Superiority vision, goals, and strategy; delineate current initiatives and recent accomplishments; and set the stage for the future. In essence, Information Superiority is about ensuring that the right information gets to the right people at the right time and in the right format, empowering them by a vastly improved shared understanding of the situation. As defined in Joint Pub 3-13, Information Superiority requires “the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting and/or denying an adversary’s ability to do the same.” Information Superiority creates an advantage in the information domain that has been shown to result in a significant advantage in the operational domain. The synergy resulting from the consolidation of Information Superiority and CIO responsibilities the Secretary of Defense has assigned me as the ASD(C3I) and the Department’s Chief Information Officer, continues to yield significant technical, operational, and financial benefits. The consolidation of policy development and oversight of the Department’s space force structure and close coordination with the intelligence community has served to create synergies and better integrate all elements of Information Superiority into a coherent whole. DoD is currently without peer in its ability to collect, process, and use information in support of traditional combat operations. DoD is acquiring and deploying information-related capabilities that will maintain, if not widen, its edge in this area. However, this information advantage is incomplete and fragile. It is fragile because the systems that collect, process, and disseminate the high-quality information that powers our organization and empowers our people are vulnerable. It is therefore imperative that DoD information and information processes are adequately protected lest adversaries are able to even the playing field by exploiting vulnerabilities in DoD C3ISR and space systems. The rapid proliferation of these technologies requires that DoD work to assure its information capabilities on a continuing basis. This makes the pursuit of Information Superiority a constant quest. Our information edge is also incomplete because DoD does not yet possess “full spectrum” Information Superiority. The current edge the U.S. holds in traditional combat does not extend to asymmetrical conflicts or operations other than war. In addition to the need to keep abreast of evolving mission challenges and adversary capabilities, continued investment in Information Superiority also makes sense purely from a return on investment point of view. There is a growing body of evidence that shows the enormity of the impact that increased shared awareness and network-centric operations have on mission outcomes and efficiencies. DoD has only just begun to harvest the low-hanging fruit in this area and the best is yet to come. In light of all this, Information Superiority priorities need to be continuously reevaluated in light of changing circumstances. Therefore, DoD has established the following set of Information Superiority goals to focus efforts, form the basis for measuring progress, and setting priorities: (1) Implement effective programming for establishing information assurance (IA) and critical infrastructure protection (CIP). (2) Build a coherent Global Information Grid (GIG). (3) Plan and implement joint and combined end-to-end C3ISR and space integration. (4) Promote the development of knowledge management and a skill-based workforce. (5) Develop policies and procedures that will reinvent intelligence for the 21st century. (6) Strengthen information operations, security, and counterintelligence. (7) Promote electronic commerce and business process change. (8) Foster the development of an advanced technology plan for Information Superiority. DoD has assembled an ambitious set of initiatives in support of these goals, which are highlighted below. However, despite these efforts, weak links in the Information Superiority value chain exist. An examination of these weak links points to the necessity to increase investments in: information assurance; efforts such as the Global Information Grid designed to establish the connectivity and interoperability needed; collection and analysis capabilities and end-to-end integration of C3ISR and space capabilities; education and training and retention of a cadre of IT professionals; removal of legal impediments to protecting information and information processes; and electronic commerce and electronic business to make the business side of DoD more effective and efficient. Impact of the Information Age
In less than one generation, the information revolution,
characterized by the introduction of networked computers into virtually
every dimension of our society, has changed how our economies work, how we
structure our everyday lives, and even how we provide for national and
international security. With
the dawning of the information age, we have entered a new era – one of
increasing interconnectivity and interdependency – an era that is not
reversible. Although this
interdependence brings both opportunities and risks, the benefits of the
information revolution in the commercial world have been proven to far
outweigh the risks.
Given the implications of this interdependency in the military
arena, we must take steps to understand and manage these risks so their
potential negative impact is negligible in terms of our overall military
mission success. It is
essential we do this because to achieve revolutions in both military
affairs and business affairs –- the cornerstones of our new DoD and
Joint Vision 2010 -- we must actively accept and embrace this new
interconnected world. We have
seen this need demonstrated in both our warfighting and peacekeeping
mission areas, in Kosovo and East Timor, as well as in our business
operations where our acquisition cycle time has been reduced to 15 months
for key information technology systems and even less for
commercial-off-the-shelf technologies.
It is the capabilities offered by this new age that are at the
heart of how the U.S. military intends to win future conflicts -- by
massing the effects of our highly mobile, widely distributed,
self-synchronizing military forces when and where desired – what we call
Information Superiority and it is the heart of Joint Vision 2010.
To be successful in Joint Vision 2010, we must have information
superiority, built on such advances as enhanced battlespace awareness
through a common operational picture, and to have information superiority
we must have interoperability and information assurance.
Information Assurance and Critical Infrastructure
Protection. Information
Superiority is essential to the United States military achieving and
maintaining a decisive military advantage over our adversaries.
In addition, as a result of our Revolution in Business Affairs, the
Defense Department has come to rely on the ready availability of
information to run much of the business of Defense.
As a result, much of the emphasis over the last several years has
been focused on information assurance (IA).
As recent critical infrastructure events and analysis have
demonstrated, it is prudent to increase the emphasis on the first IA
pillar (availability) within our information infrastructure.
It is not enough just to protect our essential information; we must
also be able to assure the critical infrastructures upon which information
use, transport, and availability depend.
To effectively assure the availability of key DoD information
infrastructures, we must understand their vulnerabilities as well as their
interdependencies on other key infrastructures (e.g., telecommunication
systems and networks, electrical power, HVAC, people, etc.) and then be
able to mitigate them. Critical
Infrastructure Protection is about mission assurance -- ensuring that
infrastructures, whether physical or cyber, DoD-owned or
commercially-owned, are available when needed to execute mission essential
functions. Significantly,
success in protecting these infrastructures can only be achieved through a
DoD-wide enterprise solution that is beyond the means of any single
defense entity to implement. The
Department of Defense has laid the groundwork and developed the strategy
and means to implement critical infrastructure protection within the
Department. My fiscal year
2001 legislative agenda lays out the specific assistance you can provide
to assist us in making critical infrastructure protection a reality within
the Department of Defense and lead the way for our nation in this critical
arena. The
key elements of the Department of Defense’s effort are to provide a
comprehensive critical infrastructure analysis and assessment,
infrastructure vulnerability remediation, and consequence management
capability to realistically address the emerging horizontal challenges of
the 21st century. Specifically,
we must: a)
Develop a comprehensive critical infrastructure analysis and
assessment capability across the DoD enterprise, including the Unified
Commanders-in-Chief, the Defense Infrastructure Sectors and the Services.
We must be able to determine our most critical infrastructures and
assets, identify their associated vulnerabilities and recognize and
document interdependencies across several infrastructures.
This analysis is essential to both warfighter and warfighter
support/business operations, mission accomplishment, and lays the
groundwork to accomplish integrated vulnerability assessments, perform
mitigation of critical infrastructure vulnerabilities and manage the
consequences of the loss of a critical infrastructure. b)
Conduct DoD Integrated Vulnerability Assessments at major domestic
and overseas regional operating areas critical to the performance of DoD
missions and remediate the most significant of the identified
vulnerabilities. Regional
assessments in support of installations, bases, and other critical
infrastructure owners are essential in order to understand both physical
and cyber vulnerabilities to those DoD and commercial infrastructures that
are critical to military mission success.
Initially focusing on identifying single and double asset
vulnerability sets resulting in mission failure, the Department will then
work with the asset owners -- whether military, government or commercial
-- to develop effective vulnerability mitigation efforts, focused on
infrastructure protection investment strategies, operational protection
enhancements and contingency plans. In
a world where configuration management is essential to successful
information assurance, these independent, on-site regional and local
assessments are invaluable in verifying the defense posture necessary to
maintain true information assurance. c)
Develop consequence management capabilities to address failures of
critical infrastructures and assets and support dynamic mitigation of
their impacts in support of Information Superiority and warfighter mission
accomplishment. Consequence
management capabilities within the CINCs, Defense Infrastructure Sectors,
and Services are essential to supporting an effective DoD-wide management
capability. Our Y2K
experience provided us with direct and compelling evidence of the
necessity to organize to deal with our increasingly interconnected and
interdependent national and global critical infrastructures from an
enterprise or horizontal perspective.
Attempting to protect our critical infrastructures using our
existing, narrowly focused organizational efforts will ensure that
critical infrastructures will not be available to support our warfighters
in an adversarial confrontation. Therefore,
to effectively mitigate critical infrastructure failures, it is necessary
to provide full spectrum consequence management across both the physical
& cyber and government & commercial infrastructures. In addition, the Department and our nation must remain at the cutting edge of assuring mission essential infrastructure availability to our warfighters. We must therefore, develop risk management and infrastructure process and technology improvements as well as develop the essential analytical methodologies for a true indication and warning capability against adversarial infrastructure attacks. RDT&E investments are essential not only to develop vulnerability mitigation technologies for our information infrastructures in the information assurance realm, but also in supporting infrastructures (e.g., telecommunications, electrical power, etc.), particularly those that rely upon computer control systems. Likewise, tool development to understand infrastructure interdependencies and integrate them into our analysis and assessment methodologies is essential. These
critical infrastructure protection investments will directly contribute to
DoD mission success in three ways: ·
Maximizing warfighter capabilities and
effectiveness by minimizing the impact of infrastructure failures on
defense capabilities; ·
Shrinking the asymmetric advantage
derived from the use of non-conventional or terrorist strategies; and ·
Aligning the Department’s
infrastructure-related expenditures to maximize critical infrastructure
availability essential to warfighter mission accomplishment.
This
holistic, soup-to-nuts, approach will ensure the availability of those
critical infrastructures that are essential to ensuring information
superiority, as well as sustaining essential DoD and National operations
and functions. Protecting Our Information and
Information Processes The
challenge for DoD is the same as that facing all Federal agencies. What
sets DoD apart from other agencies is its size, complexity, and the
criticality of its mission to the Nation. The Department of Defense is the
largest organization in the nation. It has over 3 million people—active,
Guard, Reserve, and civilian employees—spread all over the world at 637
military installations and many other locations. To administer to this
community it takes roughly 10,000 separate computer systems involving 1.5
million individual computers. Of these, over 2,000 systems are
mission-critical systems that must work for DoD to successfully execute
its myriad missions. Nearly one half of all mission-critical computer
systems in the Federal government are in the Department of Defense. Information Assurance The
past year has been one of significantly increased activity in the
Information Assurance arena. Investments and programs begun in previous
years were beginning to bear fruit and progress is being made in
addressing the complex issues. Also, Information Assurance awareness at
all levels and in all DoD activities has risen. The
DoD treated the Year 2000 problem as if it were a cyber attack directed at
the very core of its military capability—at the ability to obtain,
process and control information that enables American forces to dominate
the battlefield. Securing systems for the Year 2000 provided numerous
lessons that will translate well to efforts in securing the critical
information infrastructure in the years ahead. Assessment efforts for Y2K
led to the best ever inventory and
accounting of DoD systems and their status. The information management
structure now in place meets the requirements of the Clinger-Cohen Act.
There is more senior level awareness and appreciation for information
technology than ever before, to include an acute awareness that the
government needs to keep pace with industry. The enormous effort and
awareness of IT generated by the Year 2000 problem resulted in significant
progress across the board in information superiority. Given
the risks and the fact that weakness in any portion of the Defense
Information Infrastructure (DII) is a threat to the operational readiness
of all Components, the Department is moving aggressively to ensure the
continuous availability, integrity, authentication, confidentiality, and
non-repudiation of its information and the protection of its information
infrastructure. Achievement
of Information Superiority in the highly compatible, interconnected,
interdependent, shared-risk DoD environment requires that Information
Assurance (IA) capabilities be based on consistent risk management
decisions and a coherent strategy. The
technical strategy that underlies DoD IA is Defense-in-Depth, in which
layers of defense are used to achieve balanced overall IA.
The strategy recognizes that no single element or component of security can provide adequate assurance. This concept invokes the use of layered security solutions that allow us to maximize the use of commercial off the shelf (COTS) technology. The fundamental principal is that layers of protection are needed to establish an adequate security posture. For example, enclaves require a strong perimeter to guard against malicious outsiders. Within the protected enclave, protection is needed against malicious insiders as well as malicious outsiders who have penetrated the protected enclave perimeter. This concept is relevant, whether it is used to protect against potential adversaries gaining access over the Internet or enforcing community-of-interest or need-to-know isolation within an otherwise protected intranet. In
May 1999, the Deputy Secretary of Defense issued the Defense-wide public
key infrastructure (PKI) policy. This
policy requires the use of a common, integrated DoD PKI to enable security
services at multiple levels of assurance, providing a solid foundation for
IA capabilities across the Department, and mandates an aggressive approach
in acquiring and using a PKI that meets DoD requirements for all
information assurance services. The
DoD-wide infrastructure will provide general purpose PKI services, e.g.,
issue certificates supporting digital signature and encryption, provide
directory services, enable the revocation of network privileges, etc., to
a broad range of applications, at the levels of assurance consistent with
operational mission imperatives. In the area of Intrusion Detection, we are greatly accelerating the development of technologies to detect and respond to cyber attacks against critical infrastructures. Current intrusion detection techniques are extremely limited in their ability to identify attacks, particularly large scale attacks against multiple points in the infrastructure, such as the recent Distributed Denial Of Service (DDOS) attacks against internet service providers and e-commerce companies. We have been conducting research into a broad variety of concepts which offer the potential to identify the most sophisticated kinds of cyber attacks, analyze the attack method and source(s), and institute protective measures in near real-time. This year we will characterize this technology and test its effectiveness in a genuine operational environment. Wireless
technology is also rapidly changing, and the Department is attempting to
take advantages of “windows of opportunity” in the wireless
development cycle. Our Secure
Wireless Communications initiative will provide the capability for joint
forces to use whatever wireless services are available in a given region
of the world. Investments by
DoD today in these emerging wireless services will allow security
capabilities to be built in (and reserved for future use) rather than
trying to retrofit security into completed designs at substantially
greater cost.
A
corps of appropriately trained and experienced IT professionals is the
most critical component in protecting the Department’s information
resources against modern day cyber attacks.
Individuals using, administering, and maintaining these systems
must follow prescribed protective procedures, and know how to operate the
equipment designed to mitigate these threats.
Although training for all employees using DoD computer systems is
already mandated by statute and Department regulation, many lack a
sufficient level of technical and procedural knowledge to fully protect
the DoD’s information resources.
This problem is not unique to the Department of Defense, but
certainly presents a challenge to an organization with our size,
complexity, and deployment across the world. Information
Assurance and Computer Network Defense are fundamental design elements of
the Global Information Grid (GIG), and thus will provide DoD a much more
robust and defensible information infrastructure for the future. In essence, the GIG is a globally interconnected, end-to-end
set of information capabilities, associated processes and personnel for
collecting, processing, storing, disseminating, and managing information
on demand to warfighters, policy makers, and support personnel. Improved
and timely GIG policies are the cornerstone to enabling change,
eliminating outdated ways of doing business, implementing the spirit and
intent of the Clinger-Cohen Act and other reform legislation, and
achieving our Information Superiority goals. Summary
The denial of service attacks witnessed in the past few weeks only
prove why information assurance is so important to the processes required
for businesses to operate in today’s information environment.
And while the DoD was not the subject of these particular attacks,
we are probed on a daily basis by those who are trying, or planning, to
disrupt our nation’s military capabilities.
Constant vigilance over our networks is required, and that includes
skilled people and technology working together, if we are to defend the
infrastructures that allow our information processes to work effectively. Substantial progress has been made, but we must always think of it as a journey, not a destination. As new technology is created, new attacks will be developed, and new countermeasures must be adopted. There is a lot more that must be done to achieve information superiority. The major challenges continue to be in the areas of information assurance, collection and analysis, the achievement of a secure, robust, coherent, and interoperable information infrastructure to support DoD’s twin revolutions—the Revolution in Military Affairs and the Revolution in Business Affairs. But only by recognizing these challenges, and facing them head on, can we realize the military potential afforded by achieving Information Superiority. I look forward to working with Congress to overcome these challenges and make Information Superiority happen.
|