112th Congress, 2d Session
SENATE
Report 112-173
_______________________________________________________________________

NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2013

R E P O R T

[To accompany S. 3254]

COMMITTEE ON ARMED SERVICES
UNITED STATES SENATE

June 4, 2012.--Ordered to be printed

[...]

ADDITIONAL VIEWS OF MR. McCAIN

[...]

I believe that cyber warfare will be the key battlefield of the 21st century, and I am concerned about our ability to fight and win in this new domain. I authored a provision in the bill that requires the commander of U.S. Cyber Command to provide a strategy for the development and deployment of offensive cyber capabilities. I am very concerned that our strategy is too reliant on defensive measures in cyber space, and believe we need to develop the capability to go on the offense as well. This provision to craft a comprehensive strategy should spur U.S. Cyber Command to develop this offensive capability effectively and at a reasonable cost to the taxpayer.

[...]

Rationalization of cyber networks and cyber personnel of the Department of Defense (sec. 923)

The committee recommends a provision that would require network consolidation and re-design to free up personnel to achieve an appropriate balance between U.S. Cyber Command's mission capabilities. In the event that the rate at which personnel freed up from network consolidation is insufficient, or if the personnel available are not able to meet the requirements for supporting Cyber Command's offensive missions, the provision would require the Secretary of Defense to take appropriate action to provide qualified personnel in the required timeframe.

General Alexander, the Commander of U.S. Cyber Command, in speeches, testimony to the committee, and within the Department of Defense (DOD) has declared that DOD networks are not defensible due to the proliferation of sub-networks, each with its own security barriers, which prevents visibility and control by commanders.
Although the committee cannot substantiate the claim that there are ``15,000'' such sub-networks, there is no dispute that there are far too many such enclaves with features that today hinder rather than promote information security.

General Alexander's testimony also confirmed that the personnel assigned to Cyber Command and its components are overwhelmingly allocated to network management and defense. A small percentage of the workforce attends to the Command's offensive missions and responsibilities. General Alexander confirmed that this ratio reflects an imbalance in capabilities and must be rectified.

General Alexander and others in DOD agree that both issues could be at least partially rectified by dramatically reducing the number of separate network enclaves in the Department, which should yield significant manpower savings, and re-train and re-assign that manpower to supporting offensive missions.

In the past, DOD sought to secure information and regulate access to information by controlling access to the network itself. DOD rules encouraged or even required organizations to erect access and security barriers as a condition for connecting to the backbone network. The result is a proliferation of ``virtual private networks'' with firewalls and intrusion detection systems, and administrators and analysts to manage and protect them. Desktops and servers behind those barriers are hidden from view and from management. In addition to hampering the work of Cyber Command, this network balkanization makes it hard to share information, to collaborate, and to access common enterprise services.

Network rationalization and the use of identity- and attribute-based access controls should enable improved performance, better security, and more efficient use of personnel.

[...]

Cyber research, development, test, and evaluation, and training infrastructure

The Department of Defense's new strategic guidance emphasizes the importance of operating effectively in cyberspace and states that the United States will ``invest in advanced capabilities to defend its networks, operational capability, and resiliency in cyberspace''. To the Department's credit, cyber was one of the few areas where the DOD increased its investments in both defensive and offensive capabilities.

[...]