Index

Statement by The Honorable Arthur L. Money
Assistant Secretary of Defense for Command, Control, Communications and Intelligence and DoD Chief Information Officer

Opening

Thank you Mr. Chairmen and members of the Subcommittees.  I am honored to be here, and pleased to have the opportunity to update your committee on many of the issues we discussed roughly one year ago.  I believe the United States Government and the Department are making significant progress in the quest to achieve information superiority, providing information assurance and protecting our critical infrastructures.  These are absolute necessities if we are to truly achieve information superiority.  Other testimony that you will receive today from the Joint Staff and Services will highlight the progress we’ve made over the past year in achieving both information superiority and information assurance.

DoD is in the process of a transformation that will better enable it to meet the mission challenges of the 21st century by taking full advantage of Information Age concepts and technologies. Information Superiority is a key enabler of this transformation and central to emerging warfighting concepts.  Today I hope to articulate DoD’s Information Superiority vision, goals, and strategy; delineate current initiatives and recent accomplishments; and set the stage for the future.

 

In essence, Information Superiority is about ensuring that the right information gets to the right people at the right time and in the right format, empowering them by a vastly improved shared understanding of the situation.  As defined in Joint Pub 3-13, Information Superiority requires “the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting and/or denying an adversary’s ability to do the same.”  Information Superiority creates an advantage in the information domain that has been shown to result in a significant advantage in the operational domain.

 

The synergy resulting from the consolidation of Information Superiority and CIO responsibilities the Secretary of Defense has assigned me as the ASD(C3I) and the Department’s Chief Information Officer, continues to yield significant technical, operational, and financial benefits.  The consolidation of policy development and oversight of the Department’s space force structure and close coordination with the intelligence community has served to create synergies and better integrate all elements of Information Superiority into a coherent whole.

 

DoD is currently without peer in its ability to collect, process, and use information in support of traditional combat operations.  DoD is acquiring and deploying information-related capabilities that will maintain, if not widen, its edge in this area. However, this information advantage is incomplete and fragile. It is fragile because the systems that collect, process, and disseminate the high-quality information that powers our organization and empowers our people are vulnerable.  It is therefore imperative that DoD information and information processes are adequately protected lest adversaries are able to even the playing field by exploiting vulnerabilities in DoD C3ISR and space systems. The rapid proliferation of these technologies requires that DoD work to assure its information capabilities on a continuing basis. This makes the pursuit of Information Superiority a constant quest.

 

Our information edge is also incomplete because DoD does not yet possess “full spectrum” Information Superiority. The current edge the U.S. holds in traditional combat does not extend to asymmetrical conflicts or operations other than war.

 

In addition to the need to keep abreast of evolving mission challenges and adversary capabilities, continued investment in Information Superiority also makes sense purely from a return on investment point of view. There is a growing body of evidence that shows the enormity of the impact that increased shared awareness and network-centric operations have on mission outcomes and efficiencies. DoD has only just begun to harvest the low-hanging fruit in this area and the best is yet to come.

 

In light of all this, Information Superiority priorities need to be continuously reevaluated in light of changing circumstances.  Therefore, DoD has established the following set of Information Superiority goals to focus efforts, form the basis for measuring progress, and setting priorities:

(1)          Implement effective programming for establishing information assurance (IA) and critical infrastructure protection (CIP).

(2)          Build a coherent Global Information Grid (GIG).

(3)          Plan and implement joint and combined end-to-end C3ISR and space integration.

(4)          Promote the development of knowledge management and a skill-based workforce.

(5)          Develop policies and procedures that will reinvent intelligence for the 21st century.

(6)          Strengthen information operations, security, and counterintelligence.

(7)          Promote electronic commerce and business process change.

(8)          Foster the development of an advanced technology plan for Information Superiority.

 

DoD has assembled an ambitious set of initiatives in support of these goals, which are highlighted below.  However, despite these efforts, weak links in the Information Superiority value chain exist.  An examination of these weak links points to the necessity to increase investments in: information assurance; efforts such as the Global Information Grid designed to establish the connectivity and interoperability needed; collection and analysis capabilities and end-to-end integration of C3ISR and space capabilities; education and training and retention of a cadre of IT professionals; removal of legal impediments to protecting information and information processes; and electronic commerce and electronic business to make the business side of DoD more effective and efficient.

 

Impact of the Information Age

            In less than one generation, the information revolution, characterized by the introduction of networked computers into virtually every dimension of our society, has changed how our economies work, how we structure our everyday lives, and even how we provide for national and international security.  With the dawning of the information age, we have entered a new era – one of increasing interconnectivity and interdependency – an era that is not reversible.  Although this interdependence brings both opportunities and risks, the benefits of the information revolution in the commercial world have been proven to far outweigh the risks. 

 

            Given the implications of this interdependency in the military arena, we must take steps to understand and manage these risks so their potential negative impact is negligible in terms of our overall military mission success.  It is essential we do this because to achieve revolutions in both military affairs and business affairs –- the cornerstones of our new DoD and Joint Vision 2010 -- we must actively accept and embrace this new interconnected world.  We have seen this need demonstrated in both our warfighting and peacekeeping mission areas, in Kosovo and East Timor, as well as in our business operations where our acquisition cycle time has been reduced to 15 months for key information technology systems and even less for commercial-off-the-shelf technologies.

 

            It is the capabilities offered by this new age that are at the heart of how the U.S. military intends to win future conflicts -- by massing the effects of our highly mobile, widely distributed, self-synchronizing military forces when and where desired – what we call Information Superiority and it is the heart of Joint Vision 2010.  To be successful in Joint Vision 2010, we must have information superiority, built on such advances as enhanced battlespace awareness through a common operational picture, and to have information superiority we must have interoperability and information assurance. 

 

Information Assurance and Critical Infrastructure Protection.

Information Superiority is essential to the United States military achieving and maintaining a decisive military advantage over our adversaries.   In addition, as a result of our Revolution in Business Affairs, the Defense Department has come to rely on the ready availability of information to run much of the business of Defense.  As a result, much of the emphasis over the last several years has been focused on information assurance (IA).  As recent critical infrastructure events and analysis have demonstrated, it is prudent to increase the emphasis on the first IA pillar (availability) within our information infrastructure.  It is not enough just to protect our essential information; we must also be able to assure the critical infrastructures upon which information use, transport, and availability depend.  To effectively assure the availability of key DoD information infrastructures, we must understand their vulnerabilities as well as their interdependencies on other key infrastructures (e.g., telecommunication systems and networks, electrical power, HVAC, people, etc.) and then be able to mitigate them.  Critical Infrastructure Protection is about mission assurance -- ensuring that infrastructures, whether physical or cyber, DoD-owned or commercially-owned, are available when needed to execute mission essential functions.   Significantly, success in protecting these infrastructures can only be achieved through a DoD-wide enterprise solution that is beyond the means of any single defense entity to implement.  The Department of Defense has laid the groundwork and developed the strategy and means to implement critical infrastructure protection within the Department.  My fiscal year 2001 legislative agenda lays out the specific assistance you can provide to assist us in making critical infrastructure protection a reality within the Department of Defense and lead the way for our nation in this critical arena.

 

The key elements of the Department of Defense’s effort are to provide a comprehensive critical infrastructure analysis and assessment, infrastructure vulnerability remediation, and consequence management capability to realistically address the emerging horizontal challenges of the 21st century.  Specifically, we must:  

 

a)  Develop a comprehensive critical infrastructure analysis and assessment capability across the DoD enterprise, including the Unified Commanders-in-Chief, the Defense Infrastructure Sectors and the Services.  We must be able to determine our most critical infrastructures and assets, identify their associated vulnerabilities and recognize and document interdependencies across several infrastructures.  This analysis is essential to both warfighter and warfighter support/business operations, mission accomplishment, and lays the groundwork to accomplish integrated vulnerability assessments, perform mitigation of critical infrastructure vulnerabilities and manage the consequences of the loss of a critical infrastructure.

 

b)  Conduct DoD Integrated Vulnerability Assessments at major domestic and overseas regional operating areas critical to the performance of DoD missions and remediate the most significant of the identified vulnerabilities.  Regional assessments in support of installations, bases, and other critical infrastructure owners are essential in order to understand both physical and cyber vulnerabilities to those DoD and commercial infrastructures that are critical to military mission success.  Initially focusing on identifying single and double asset vulnerability sets resulting in mission failure, the Department will then work with the asset owners -- whether military, government or commercial -- to develop effective vulnerability mitigation efforts, focused on infrastructure protection investment strategies, operational protection enhancements and contingency plans.  In a world where configuration management is essential to successful information assurance, these independent, on-site regional and local assessments are invaluable in verifying the defense posture necessary to maintain true information assurance. 

 

c)  Develop consequence management capabilities to address failures of critical infrastructures and assets and support dynamic mitigation of their impacts in support of Information Superiority and warfighter mission accomplishment.  Consequence management capabilities within the CINCs, Defense Infrastructure Sectors, and Services are essential to supporting an effective DoD-wide management capability.  Our Y2K experience provided us with direct and compelling evidence of the necessity to organize to deal with our increasingly interconnected and interdependent national and global critical infrastructures from an enterprise or horizontal perspective.  Attempting to protect our critical infrastructures using our existing, narrowly focused organizational efforts will ensure that critical infrastructures will not be available to support our warfighters in an adversarial confrontation.  Therefore, to effectively mitigate critical infrastructure failures, it is necessary to provide full spectrum consequence management across both the physical & cyber and government & commercial infrastructures.

 

In addition, the Department and our nation must remain at the cutting edge of assuring mission essential infrastructure availability to our warfighters.  We must therefore, develop risk management and infrastructure process and technology improvements as well as develop the essential analytical methodologies for a true indication and warning capability against adversarial infrastructure attacks.  RDT&E investments are essential not only to develop vulnerability mitigation technologies for our information infrastructures in the information assurance realm, but also in supporting infrastructures (e.g., telecommunications, electrical power, etc.), particularly those that rely upon computer control systems.  Likewise, tool development to understand infrastructure interdependencies and integrate them into our analysis and assessment methodologies is essential.

 

These critical infrastructure protection investments will directly contribute to DoD mission success in three ways:

·       Maximizing warfighter capabilities and effectiveness by minimizing the impact of infrastructure failures on defense capabilities;

·       Shrinking the asymmetric advantage derived from the use of non-conventional or terrorist strategies; and

·       Aligning the Department’s infrastructure-related expenditures to maximize critical infrastructure availability essential to warfighter mission accomplishment. 

 

This holistic, soup-to-nuts, approach will ensure the availability of those critical infrastructures that are essential to ensuring information superiority, as well as sustaining essential DoD and National operations and functions. 

 

Protecting Our Information and Information Processes

The challenge for DoD is the same as that facing all Federal agencies. What sets DoD apart from other agencies is its size, complexity, and the criticality of its mission to the Nation. The Department of Defense is the largest organization in the nation. It has over 3 million people—active, Guard, Reserve, and civilian employees—spread all over the world at 637 military installations and many other locations. To administer to this community it takes roughly 10,000 separate computer systems involving 1.5 million individual computers. Of these, over 2,000 systems are mission-critical systems that must work for DoD to successfully execute its myriad missions. Nearly one half of all mission-critical computer systems in the Federal government are in the Department of Defense.

 

Information Assurance

The past year has been one of significantly increased activity in the Information Assurance arena. Investments and programs begun in previous years were beginning to bear fruit and progress is being made in addressing the complex issues. Also, Information Assurance awareness at all levels and in all DoD activities has risen.

 

The DoD treated the Year 2000 problem as if it were a cyber attack directed at the very core of its military capability—at the ability to obtain, process and control information that enables American forces to dominate the battlefield. Securing systems for the Year 2000 provided numerous lessons that will translate well to efforts in securing the critical information infrastructure in the years ahead. Assessment efforts for Y2K led to the best ever inventory  and accounting of DoD systems and their status. The information management structure now in place meets the requirements of the Clinger-Cohen Act. There is more senior level awareness and appreciation for information technology than ever before, to include an acute awareness that the government needs to keep pace with industry. The enormous effort and awareness of IT generated by the Year 2000 problem resulted in significant progress across the board in information superiority.

 

Given the risks and the fact that weakness in any portion of the Defense Information Infrastructure (DII) is a threat to the operational readiness of all Components, the Department is moving aggressively to ensure the continuous availability, integrity, authentication, confidentiality, and non-repudiation of its information and the protection of its information infrastructure.   Achievement of Information Superiority in the highly compatible, interconnected, interdependent, shared-risk DoD environment requires that Information Assurance (IA) capabilities be based on consistent risk management decisions and a coherent strategy.  The technical strategy that underlies DoD IA is Defense-in-Depth, in which layers of defense are used to achieve balanced overall IA.

 

The strategy recognizes that no single element or component of security can provide adequate assurance.   This concept invokes the use of layered security solutions that allow us to maximize the use of commercial off the shelf (COTS) technology. The fundamental principal is that layers of protection are needed to establish an adequate security posture.  For example, enclaves require a strong perimeter to guard against malicious outsiders.  Within the protected enclave, protection is needed against malicious insiders as well as malicious outsiders who have penetrated the protected enclave perimeter.  This concept is relevant, whether it is used to protect against potential adversaries gaining access over the Internet or enforcing community-of-interest or need-to-know isolation within an otherwise protected intranet. 

 

In May 1999, the Deputy Secretary of Defense issued the Defense-wide public key infrastructure (PKI) policy.  This policy requires the use of a common, integrated DoD PKI to enable security services at multiple levels of assurance, providing a solid foundation for IA capabilities across the Department, and mandates an aggressive approach in acquiring and using a PKI that meets DoD requirements for all information assurance services.  The DoD-wide infrastructure will provide general purpose PKI services, e.g., issue certificates supporting digital signature and encryption, provide directory services, enable the revocation of network privileges, etc., to a broad range of applications, at the levels of assurance consistent with operational mission imperatives.

 

In the area of Intrusion Detection, we are greatly accelerating the development of technologies to detect and respond to cyber attacks against critical infrastructures. Current intrusion detection techniques are extremely limited in their ability to identify attacks, particularly large scale attacks against multiple points in the infrastructure, such as the recent Distributed Denial Of Service (DDOS) attacks against internet service providers and e-commerce companies.  We have been conducting research into a broad variety of concepts which offer the potential to identify the most sophisticated kinds of cyber attacks, analyze the attack method and source(s), and institute protective measures in near real-time. This year we will characterize this technology and test its effectiveness in a genuine operational environment.

 

Wireless technology is also rapidly changing, and the Department is attempting to take advantages of “windows of opportunity” in the wireless development cycle.  Our Secure Wireless Communications initiative will provide the capability for joint forces to use whatever wireless services are available in a given region of the world.  Investments by DoD today in these emerging wireless services will allow security capabilities to be built in (and reserved for future use) rather than trying to retrofit security into completed designs at substantially greater cost.

           

A corps of appropriately trained and experienced IT professionals is the most critical component in protecting the Department’s information resources against modern day cyber attacks.  Individuals using, administering, and maintaining these systems must follow prescribed protective procedures, and know how to operate the equipment designed to mitigate these threats.  Although training for all employees using DoD computer systems is already mandated by statute and Department regulation, many lack a sufficient level of technical and procedural knowledge to fully protect the DoD’s information resources.   This problem is not unique to the Department of Defense, but certainly presents a challenge to an organization with our size, complexity, and deployment across the world.

 

Information Assurance and Computer Network Defense are fundamental design elements of the Global Information Grid (GIG), and thus will provide DoD a much more robust and defensible information infrastructure for the future.  In essence, the GIG is a globally interconnected, end-to-end set of information capabilities, associated processes and personnel for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. Improved and timely GIG policies are the cornerstone to enabling change, eliminating outdated ways of doing business, implementing the spirit and intent of the Clinger-Cohen Act and other reform legislation, and achieving our Information Superiority goals.

 

Summary

            The denial of service attacks witnessed in the past few weeks only prove why information assurance is so important to the processes required for businesses to operate in today’s information environment.  And while the DoD was not the subject of these particular attacks, we are probed on a daily basis by those who are trying, or planning, to disrupt our nation’s military capabilities.   Constant vigilance over our networks is required, and that includes skilled people and technology working together, if we are to defend the infrastructures that allow our information processes to work effectively.

 

Substantial progress has been made, but we must always think of it as a journey, not a destination.  As new technology is created, new attacks will be developed, and new countermeasures must be adopted.  There is a lot more that must be done to achieve information superiority.  The major challenges continue to be in the areas of information assurance, collection and analysis, the achievement of a secure, robust, coherent, and interoperable information infrastructure to support DoD’s twin revolutions—the Revolution in Military Affairs and the Revolution in Business Affairs.  But only by recognizing these challenges, and facing them head on, can we realize the military potential afforded by achieving Information Superiority.  I look forward to working with Congress to overcome these challenges and make Information Superiority happen.