112th Congress Report
SENATE
2d Session 112-173
_______________________________________________________________________
NATIONAL DEFENSE AUTHORIZATION
ACT FOR FISCAL YEAR 2013
R E P O R T
[to accompany S. 3254]
COMMITTEE ON ARMED SERVICES
UNITED STATES SENATE
June 4, 2012.--Ordered to be printed
[...]
ADDITIONAL VIEWS OF MR. McCAIN
[...]
I believe that cyber warfare will be the key battlefield of
the 21st century, and I am concerned about our ability to fight
and win in this new domain. I authored a provision in the bill
that requires the commander of U.S. Cyber Command to provide a
strategy for the development and deployment of offensive cyber
capabilities. I am very concerned that our strategy is too
reliant on defensive measures in cyber space, and believe we
need to develop the capability to go on the offense as well.
This provision to craft a comprehensive strategy should spur
U.S. Cyber Command to develop this offensive capability
effectively and at a reasonable cost to the taxpayer.
[...]
Rationalization of cyber networks and cyber personnel of the Department
of Defense (sec. 923)
The committee recommends a provision that would require
network consolidation and re-design to free up personnel to
achieve an appropriate balance between U.S. Cyber Command's
mission capabilities. In the event that the rate at which
personnel are freed up from network consolidation is insufficient,
or if the personnel available are not able to meet the
requirements for supporting Cyber Command's offensive missions,
the provision would require the Secretary of Defense to take
appropriate action to provide qualified personnel in the
required timeframe.
General Alexander, the Commander of U.S. Cyber Command, in
speeches, testimony to the committee, and within the Department
of Defense (DOD) has declared that DOD networks are not
defensible due to the proliferation of sub-networks, each with
its own security barriers, which prevents visibility and
control by commanders. Although the committee cannot
substantiate the claim that there are ``15,000'' such
sub-networks, there is no dispute that there are far too many such
enclaves with features that today hinder rather than promote
information security.
General Alexander's testimony also confirmed that the
personnel assigned to Cyber Command and its components are
overwhelmingly allocated to network management and defense. A
small percentage of the workforce attends to the Command's
offensive missions and responsibilities. General Alexander
confirmed that this ratio reflects an imbalance in capabilities
and must be rectified.
General Alexander and others in DOD agree that both issues
could be at least partially rectified by dramatically reducing
the number of separate network enclaves in the Department,
which should yield significant manpower savings, and by
re-training and re-assigning that manpower to support offensive
missions.
In the past, DOD sought to secure information and regulate
access to information by controlling access to the network
itself. DOD rules encouraged or even required organizations to
erect access and security barriers as a condition for
connecting to the backbone network. The result is a
proliferation of ``virtual private networks'' with firewalls
and intrusion detection systems, and administrators and
analysts to manage and protect them. Desktops and servers
behind those barriers are hidden from view and from management.
In addition to hampering the work of Cyber Command, this
network balkanization makes it hard to share information, to
collaborate, and to access common enterprise services.
Network rationalization and the use of identity- and
attribute-based access controls should enable improved
performance, better security, and more efficient use of
personnel.
[...]
Cyber research, development, test, and evaluation, and training
infrastructure
The Department of Defense's new strategic guidance
emphasizes the importance of operating effectively in
cyberspace and states that the United States will ``invest in
advanced capabilities to defend its networks, operational
capability, and resiliency in cyberspace''. To the Department's
credit, cyber was one of the few areas where the DOD increased
its investments in both defensive and offensive capabilities.
[...]