The defense is at the edge of a network that begins with the soldier in the foxhole, and vice versa. We're trying to move from a smart push to a smart pull system. Smart push, think of a telephone: I need to know not only where you are but what you need to know in order to convey the information. Smart pull says I probably don't know where you are and I certainly don't know what you need to know, so we'll use the network to provide the information for you to gather it. The basic thing we're trying to get to is to take data and turn it into information, turn it into knowledge, turn it into understanding and then into action as quickly as possible, in near real time if we can. And the point of this is not just materiel; we're not just talking about the networks. We're talking about: you have to change the doctrine by which we do business, we have to reorganize the way we are set up, we have to train our people. Obviously there are some materiel pieces, there's a key leadership piece, we need personnel in place who are trained to do this, and we have to have facilities and infrastructure to support it. So all of this needs to be evolved together in order to get the objective we're looking for. The mission, I think, is more complex than a lot of people realize. It's not just war fighting; it's a mix of that, of course, plus business, plus intelligence, plus logistics and also, increasingly importantly, peacekeeping. I was in Afghanistan in January talking with people in the provincial reconstruction teams working with the Afghan provinces. We did a lot with the tsunami relief efforts in Southeast Asia. We've had people supporting relief efforts in Darfur. All of this relies on the same network we're talking about. A point to be made is that when we do get to combat, it's a fundamentally different sort of thing than one might have expected in the past. So people now talk about something called the three-block war.
You're engaged in peacekeeping on one block, you're putting down a riot in the next and you're engaged in full-fledged combat operations in the next. It's not the clear kind of distinction that most of the planning and most of the people are used to in terms of the phases of operations. People also talk about something called the strategic corporal, meaning that decisions made by people at every level at this point get into the newspapers, get onto CNN, get into whatever, and they become sort of national issues very quickly. So in short, the whole structure, the whole hierarchical structure, is breaking down into a much flatter, much more networked, much more dynamic organization. There are a lot of things in the security field that relate to what industry is doing, but frankly there's a scale and a complexity and perhaps even a sort of stakes issue here that doesn't really reflect a lot of what industry has. We have people whose lives are literally on the line today, depending on the network. Somebody described DoD as being just like Walmart, except that, you know, Walmart, okay, except that every store is mobile, the competition fires ordnance at you, and Christmas comes randomly on any given day. So other than that, we're more or less the same.

The key to network-centric operations, of course, is that you've got to have a network, and the basis of this is something we call the Global Information Grid, or GIG, since we're addicted to acronyms. There are six major programs that comprise this GIG, and it's not just materiel, it's also the people and processes who store, process, transmit and add value to information across the department. Four of the programs deal with the transport of information. Of the other two, one deals with enterprise services, and I've just come from a very sobering talk from Scott Stender on the vulnerabilities of network services, and one deals with the information assurance of the network.
By the way, I'd like to talk for about 30 minutes and then I'll open it to questions. The programs first: four deal with transport. One is a terrestrial fiber net, we call it the GIG Bandwidth Expansion, 10 gigabits per second, OC-192 fiber, to the 80 largest command and control nodes around the world. That'll be at full operational capability by the end of this year. The second is to extend this global network to mobile units, and that's a transformational satellite that's going to take lasers around the satellite ring to give you, again, 10 gigabits a second anywhere on the planet. One of the purposes of that is to use laser uplinks from aircraft, so we won't have to use so much spectrum to exfiltrate the data from the various kinds of reconnaissance sensors on the aircraft. The third piece of transport is something called the Joint Tactical Radio System. It's a software-defined radio, a software-controllable architecture, and that's designed to provide the mobile routers on the mobile IP networks in order to bring these capabilities to the tactical units. Finally, there's something called teleports that links the ground infrastructure with the on-orbit infrastructure. That's kind of the very heterogeneous network we're talking about: it's 10 gigabits per second, stable, down to 10 kilobits per second, very unstable, in tactical mobile environments. The enterprise services piece, Net-Centric Enterprise Services, is basically beginning to take you to a service-oriented architecture. I'll talk more about that in a bit. And then there's a whole information assurance program called the GIG Information Assurance Program. We spend about $2.2 billion a year in DoD and with NSA on the security of the network. One of the pieces we're trying to work on is to move from this stable environment to a tactical environment.
This is perhaps where a lot of the commercial analogies break down, because we have to be able to handle very dynamic environments. Of course the cell phone environment is dynamic also, mobile, but here you have people jamming, shooting, very kind of severe environmental conditions. The paradigm that goes with this is a movement from need to know, which is kind of hoarding the information, I own it, to need to share. You're not going to get the value of the network until you get the information out on the network. And this is much more of a policy and a cultural thing than actually a technological thing.

On people issues: in 1996 or '97 or so I went up to New York and listened to a group of presentations by a series of analysts from the computer security industry talking to people on Wall Street. And so there's maybe a certain amount of hype in the presentations, but what I took away was: we, industry, can provide you, the customer, with any level of security you want. But we need three things from you. We need to have a commitment from the top of your organization that security is important. We need to have you spend the resources, and by resources I don't mean the one-time procurement of firewalls and guards, but the ongoing expenditures to maintain near real-time situational awareness of what's going on in your networks. And you've got to be willing to drop the hammer on people who don't play by the rules. And I'd say in government at this point we've done a pretty good job at conveying that security is important. God knows we're spending a lot of money on the problem. We have not done a good job in dropping the hammer on people who don't play by the rules. It's a lot easier for me right now to get a security violation by leaving my safe open than it is by posting my password on my computer or letting an unauthorized modem be attached to my network. We need to work on that.
NSA has done a terrific job in putting together a new information assurance architecture for the GIG. And this is being driven by several factors. I mean, obviously the environment is changing, the paradigm of security is changing, moving to network-centric operations. But we also have to pay a lot more attention to the insider threat. If you look at our major espionage cases over the past 25 years, almost every single one of them had their security clearances before they went bad. We focus a lot on the perimeter of the problem, keeping the bad guys out. The issue is we have to be able to detect anomalous behavior in the network and respond to it. I heard today from Paul Simmonds of the Jericho Forum the term deperimeterization, and I look forward to learning more about that because I think that's some description of where we're going. So there are five concepts you will find in this new information assurance architecture. One is to separate the protection of the information from the protection of the infrastructure. Another is the end-to-end protection of information through enhanced access controls. We need to have strong identification and authentication, which is absolutely critical to being able to do security based on rule-based, policy-based access. We've got to have enhanced misuse identification. For example, Visa and MasterCard. I was in Kuwait a couple of months ago, and I went to buy my wife some jewelry, swiped the first card and it went through, the second time it went through and said, ah, denied. So we pulled the string on it and it turned out, of course, they said, well, last Saturday you were in Virginia, now you're in Kuwait, you never told us you were going overseas, is this really you? And I appreciate that. On the one hand, if they can do this sort of thing on the basis of hundreds of millions of transactions, why can't we do this in our network?
But it was pointed out to me on several occasions, most recently today, that the problems we're looking at in detecting anomalous behavior inside a military network are perhaps qualitatively different than those on just credit card transactions. I mean, if you want to ask why, as well as who is trying to hack into the Secretary of Defense's computer at midnight, if you want to say why is the Southeast Asian analyst all of a sudden more interested in Cuba, I submit that's a more complicated problem than just a transaction in a different physical location. And some of these in fact may not even be solvable problems; we need to understand just what the limits are of what we can do. So the fourth piece of these five characteristics is enhanced computer network defense. And I'll talk a little bit more in a minute about something called the Joint Task Force Computer Network Operations that's recently been set up. But basically it's improved detection, correlation of data, and visualization of data. The fifth point is we need very aggressive research and development. These are going to be different problems. We're building really for the world of 2012 to 2015. And they're not going to be solved in the near term. So first of all we have to stay abreast of the changing threat. Some of the examples: the really high-end computing that's going on, or high-end R&D, a lot of work in quantum computing. As Feynman said at one point, by the time every bit gets down to an atomic scale then you're going to be at quantum principles whether you like it or not. And so as Moore's law progresses we're going to be driven to quantum computing whether we like it or not.
Some of the breakthroughs recently, or some of the developments recently: much more control over single photons, the ability to separate electrons into separate streams based on their spin, the ability to combine information from multiple atoms onto a single photon, and the building of the first quantum register with progress made towards a quantum gate. So that's a fairly aggressive program. DARPA, www.darpa.mil, they have a strategic plan there which I encourage anybody interested to take a look at. I mean, some of the things they're looking at are self-forming, self-healing networks. They've already made a lot of progress in tactical environments. There are a lot of questions about whether in these dynamic networks TCP, for example, is an acceptable protocol, just because the overhead associated with all the handshaking is so high that we may not be able to get enough throughput. So we're looking at alternatives. Chip-scale atomic clocks: a 200 times increase in power and size; 300 in power, 200 in size. And then a lot of work on hybrid optical and RF connections so we can get much more robust, smaller units in the field to let us get around bandwidth limitations. So there's an awful lot of stuff going on and I think we're making some progress, but obviously we don't have all the answers.

I mentioned the Joint Task Force Global Network Operations. This was changed last year from the Joint Task Force Computer Network Operations because we're expressly trying to get to not just computer nets but telephone nets and space networks and a whole series of different approaches to the problem. Its responsibility is the operation and the defense of the network, and it does this by coordinating and directing the activities of the network operations centers, the various components across the department, and also the computer emergency response teams. We also work very closely with law enforcement and the intelligence community.
The Task Force, I would say, has successfully responded on several occasions to attacks, whether direct or indirect, on the DoD network: ILOVEYOU, Nimda, the Witty worm. We did not have significant degradations from those. We certainly don't have it 100%, but I think we are getting better at containing the events early and mitigating the consequences for people, again, where folks' lives are quite literally on the line. We're not doing this for profit. We're not doing this for bragging rights. We're doing this to support people who are in the field today and whose lives are on the line. We've also had much better cooperation, I think, with other agencies, and I'll talk more about that in a little bit. We certainly don't claim to have all the answers and we need talented people, and that's one of the reasons why I really appreciate the chance to be here today, because you all out there represent an enormous body of knowledge, an enormous amount of talent, and we could use a better understanding of some of the skill sets you have. My main focus, frankly, is not on the hacker who's in it for sport or challenge. My concern is the people who want to steal DoD information and do harm, either sort of directly or indirectly, to these people who are out there every day putting their lives on the line. We do prosecute lawbreakers, those caught getting into DoD networks, and so if you are going to try to break the law and hack into our nets we will try to impose legal consequences. But I'd rather emphasize today something different. It's an opportunity. The opportunity is, if you want to work on cutting-edge problems, if you want to be a part of the truly great issues of our time, if you want to literally write history, we invite you to work with us. Quite frankly, in my job not a day goes by that I don't come to work and say, wow, what new and interesting thing is going on out there that I want to work on, and it's an absolutely fascinating environment and we definitely need your help.
What I would ask for is your help in reducing the noise. All the scanning, all the probing, all the attempted intrusions divert our resources from the truly serious attacks that are out there, and have no doubt there are people out there who seriously want to do us harm and do not share the values of the country, of the freedom of information on the network. There are people who want to do us harm. If you haven't taken a look at it, I recommend Scott Borg, who's done some very interesting work on the economic consequences of cyber attack. He used to be up at Dartmouth and now he's got his own company. Really worthwhile. So my final message is, again, we value your talents. I would like very much to learn from what you have to offer. I frankly have taken away, just from the time I've been here so far, an enormous amount of information that is really useful to me that I would not have gotten without coming here. I look forward to coming back and talking with you more on the Meet the Fed panel later on in the afternoon, and let me open it to questions. Thank you very much. Go ahead.

The question is on full disclosure and what is my, sure, what's my take on full disclosure, national security compared to business, so on and so forth. By and large, as we move to a network environment, again, I mentioned the point is sharing of information, and we do better in the long run by having information out there and having us share it. It's a major cultural change for us in terms of people who've owned information and say, you know, my owning it is more important than, you know, getting it out to other people. And so I can't draw you a clear line that says everything right of the line is kept hidden, everything to the left is shared. My inclination to this point is to share, because, as I say, I've learned stuff today about vulnerabilities that we need to get back and work on that I wouldn't have known if I hadn't come to a place like this.
At the same time, there clearly is stuff that needs to be protected. And my particular focus is on protecting that information that puts people's lives directly at risk, which tends to be fairly perishable operational information. And then the flip side is things where, say, the U.S. has invested tens of billions of dollars of research and development that gives us some kind of competitive advantage long term that needs to be protected. And so those are the sorts of things that I tend to focus my concerns on, rather than just saying, well, everything has got to be kept secret. Let's hear.

The use of COTS in weapon systems. Let me answer that in two, pardon me. Yeah, OK. So the use of COTS in weapon systems. There's an interesting study that says that the government as a whole, the federal government as a whole, now outsources more than, and now pays more in contracted services than it does in salaries of government employees. And this trend appears to be one that's only going to continue. So part of the problem is that almost none of us govvies know how to manage those kinds of outsourced services. We may know how to manage a program where the govvies control and deliver it all; we don't know how to manage these outsourced services very well. And so the challenge is, as the baby boomers shuffle off the stage, what are we doing to train up the next generation of managers to do a better job of managing these outsourced services and the COTS that go with them and avoiding more AIDAs and things like that? From the security perspective, my concern is that this now means I will have almost no clue into the pedigree of the networks that we're becoming so dependent on. I may know who the prime is; I'm likely to have no idea who the second- and third-tier subs are and where they're coming from.
And so this then leads me to a much greater emphasis on not only the near real-time situational awareness of the network I mentioned before, but on some kind of understanding of software and hardware assurance for those critical applications where it really does make or break the successful missile engagement, or the tip-of-the-spear issues. And so we're looking at, for example, we have a trusted foundry that we're building for hardware chips. For those certain applications, we absolutely have to make sure that the pedigree is right. We're looking at various ways, through, you know, combinations of Common Criteria and CMM and others, on how to get better software assurance involved. So I think there's going to be a gradation between GOTS and kind of trusted COTS and then what's just out there in the marketplace. Because I think we're migrating to this much more commercial environment where we frankly are never going to know where a lot of this stuff comes from, I would tend to put more of my emphasis on the anomaly detection of the network, the strong identification and authentication, and the response to, you know, problematic behavior in the net, than I would worry about, you know, what was going on in every piece of software in the system. And so you draw the line here as to, you know, what's in a weapon system. If you're dealing with a fighter plane, that's pretty much going to be, at the very least, high-pedigree commercial software and probably is going to be dedicated design systems. But it turns out that for us, you know, exercise after exercise after exercise shows that the most dangerous, most vulnerable parts of our operational chain, if you will, are things like logistics and medical. And in that, you're almost certainly going to have lots of COTS products. So I'd love to give you an answer to what's a weapon system.
I'm more interested in what you need to assure the mission to complete the job, irrespective of the level of attack you're under, and that's going to be a layered process. Okay? Sir.

The question is, what do I feel about how other foreign governments stand in information assurance, in England, Russia and China, whatever? I think we understand at this point that almost every significant operation we're going to do is going to be in some kind of coalition environment. And therefore we have to take into account the fact that our coalition partners are going to come from very different levels of information assurance and capability. I was struck at one point by one of our coalitions, where right now you have long-time partners like Lithuania, Moldova and Tonga. So this means that we're going to have to, in fact we are, working very hard in developing something called MNIS, Multinational Information Sharing. It's going to have to give you some sort of multi-level security firewalls and guards to allow you to interoperate with them in some kind of a shared space while protecting those core command and control functions, say, and key pieces of data that you don't want to share. So I spend less time actually worrying about what foreign governments are doing, because I don't have much control over that, and rather on having to put together an operational networked environment where I can bring in unanticipated users. To that effort, I would say that we are trying to completely rethink the paradigm for DoD to operate outside the .mil domain, to work with non-traditional partners like the Agency for International Development, the UN, Doctors Without Borders, and even commercial partners in the kind of stabilization and reconstruction operations that we're seeing more and more of in what we're doing. We learned a lot from the tsunami. We learned a lot, we are learning a lot, from Afghanistan.
Some of you may know there's something called the World Summit on the Information Society that's coming up in Tunis. It's the second of two conferences, this November, and we'll be working with the whole batch of the international community to try to look at ways we can do that. I personally think we are never going to get to the stage where we'll allow these, you know, pick-up team partners to get inside, say, the NIPRNet firewalls, which means that we have to go outside and have .net or .org type domains in which we can operate and share the information. So the long answer is, I'm not too much worried about what foreign governments are doing. I'm trying to set the conditions whereby we can work with a whole batch of different people in different circumstances. Back there first.

The question has to do with integrated attacks. Something like, you know, terrorist, physical terrorist attacks are coupled with attacks on PBX boxes and this sort of thing. And this clearly is an area that we have to be working on, and working on harder. I personally think that the, again, my goal is to get to mission assurance, not just information assurance. Coming from a Navy background, I tend to think of a ship, you know, which is built with watertight compartments, and you can still float with a couple of compartments flooded, and you have a starboard engineering plant and a port engineering plant so if one is damaged you can still carry on. You've got multiple fighting men and you train and you train and you train and you train. So we need to take into account the fact that an attack may be just cyber, just physical, a mix of physical and cyber, and work the problem in an integrated manner. This is not entirely within the domain of the Department of Defense. A lot of this comes now up in the US with the Department of Homeland Security, where a lot of the cyber defense of the national, the defense of national infrastructure, rides.
So in fact, this week I've just spent several meetings with people from the Department of Homeland Security on how we in Defense and they and the private sector can do a better job at coordinating the infrastructure defense on which things ride, E911, those sorts of things, to give an integrated approach. So is there an answer? No. Are we better off than we were? I mean, we now have, I mean, GETS worked very well. The Government Emergency Telecommunications Service worked very well on 9/11. We now have the wireless equivalent of that in place, and so you basically have priority overrides in the wireless service for first responders. We've had a series of major exercises called TOPOFF, Top Officials, where you bring the FBI and Homeland Security and the National Security Council all together and actually run through some pretty horrific scenarios and how the decision-making would flow. So a lot of this stuff, quite frankly, is as much a policy and a decision-making process as it is the technical parts of the network, and that's what we're trying to get right now, while we inventory the networks so we will find out what's available out there to use when the situation comes up. Okay, somebody's down here. There's one behind. Go ahead.

The question is, do we allow the implementation of software that hasn't been audited? All software needs to have been validated through the NIAP, the National Information Assurance Partnership, to be used in the DoD networks, and in most cases it also has to go through an interoperability certification through the Joint Interoperability Test Command. Well, in some of the code, there is code review in the NIAP. It's done not in JITC, but it is in the NIAP. And then there are other things that NSA does to review code and that sort of thing.
But so we're cautious, and this question goes back earlier to what we do with commercial software, and part of it is, if we're going to use something, say, like enterprise resource software, ERP or PeopleSoft or something like that, I mean, you're obviously not going to go through and try to change or validate every piece of code in that, and yet we're going to be dependent on it. And so the question again is how do you detect anomalous behavior in that. But for those things that are in our NIPRNet or SIPRNet, we're requiring the NIAP certifications.

So the question is, has anybody given any thought to preventing cell phones being used for detonating IEDs by war-dialing all the cell phones in Iraq? The amount of time we spend on IEDs is quite extraordinary. I mean, literally, you know, tens of hours a week on the IED problem. And the cell phone issue has actually come up a lot. Now, there are ways to get to the cell phones beyond just war-dialing. I mean, there are different ways to get to them. And so that problem has been addressed. I have to tell you, there's not a lot of evidence that cell phones per se have been used to trigger IEDs. There's much more stuff on garage door openers and those sorts of things than cell phones per se. But I guess all I can say in this forum is we understand the potential threat of the cell phone. Guys are spending lots and lots of time on, you know, when we see it being used like this, how would we counter it? I haven't heard war-dialing specifically suggested as a way to do it, but there are other kinds of electronic ways they've been looking at to counter it. So there's nothing, frankly, of higher priority for the military right now than addressing this improvised explosive device issue in Iraq, because that's what's killing our people. Let me see, is there anyone back in the back? I'll get to you in a minute. Sir, you're talking about Ada?
The question is that DoD has spent a lot of money to develop Ada. We're not using it. Other people are. Is there a way we can bring it back? Let me take that for the record and go back and look at it. Frankly, my sense is that time has moved beyond Ada. But, and there are lots of other ways to do business, especially as you go to the net-centric environment. So I haven't paid a lot of attention to trying to revitalize it. If you want to give me your name later on, I'll take it for the record and get back to you. It just hasn't been something I've focused on. Is there anyone here?

Yeah, the question is, what's the ratio and the number of IEDs, improvised explosive devices, that are being detected and disarmed before they are exploded? And the answer is, yes, we have those data. I'm not sure I can share that. What's happening, though, is that we're getting better at detecting them and disarming them, but they're making them more lethal, so each one causes more attacks. I mean, using explosively formed jets and things like that, as opposed to just focused explosive jets, rather than just a circular explosion. So anyway, it's a typical dynamic of offense and defense. And, sir, what kind of scorecard? Assist? Yeah.

So the question is, is there anything like an assist scorecard, and what are we doing with the guidance for the private sector about implementing data tagging? I'll get you next. And I would say that we're doing, a lot of our work is based on various kinds of balanced scorecards; we're trying to put together metrics. Right now, the deputy has challenged us on getting metrics for the information assurance world. And I have to tell you, this is one of the hardest problems I've got, and this is something I would really ask for your help with. The question is how you measure a return on investment on information assurance-type things.
So if I'm going to go in and put, you know, $100 million into some sort of technique to get to better multi-level security in 2012, and the budgeteers are out there saying, well, you know, show me that's going to give us a 14 or a 22 or a 71% increase in security. It's really hard to do that. And so the idea of a link between metrics and investments and all that is a hard problem for us. I mean, I can go through right now and measure what's working in different network operations centers and all that, how we're doing on implementing known vulnerabilities and all that, and I'm more concerned about the long-term return on investment metric. With regard to the public-private sector, again, a lot of this lies in the Department of Homeland Security, and part of the problem we've had ever since PDD-63, which is the critical infrastructure protection directive in the last administration, is building the trust, if you will, to enable two-way sharing of information. We've spent a lot of time working with Congress and others on trying to change laws so you can provide better protection to proprietary information that comes up through the ISACs, these information sharing and analysis centers, and we're trying to work with getting the government to be more willing to share sensitive information on the way back down. If I were to say anywhere, I think the telecommunications sector, the National Security Telecommunications Advisory Committee, that process is working pretty well in the telecom sector. I don't think it's working as well in, say, transportation or energy or others, and what's coming to be a concern for me is SCADA, as the supervisory control and data acquisition nets become more and more a part of all of our critical infrastructures. We're making the most progress in the telecoms and the ISP world, and I think we're getting as much progress in controlling the information technology in these other sectors where it may be equally critical to us on a national basis.
So the answer is one piece of advice I would have is the DOD and the Intel community have committed, I mentioned the Global Information Grid and the programs. There are three other pieces that go with that. There's a network operations, network resources, management piece about how you balance the use of resources to the network. There's a spectrum management piece and the key underlying bit is the NetCentric Data Strategy, which is an XML-tagged approach to the problem. And it turns out that DOD and the intelligence community and NATO have almost identical NetCentric Data Strategies. And we've really had some very good luck over the past several months in moving towards a service oriented architecture approach and a shared situational awareness. That strategy has not yet been adopted by the Department of Homeland Security, which means it's not being infused into the private sector through those channels. And over the past week, we've actually been working hard with the senior leadership of DHS to get them to adopt that kind of a strategy. So maybe that'll be an answer to one part of your question. Okay. Yeah. Question is as warfare goes NetCentric, how do you envision managing security connecting together what used to be standalone systems? I don't think there's ever going to be a closed-form solution where you lock the door and say, we got there, let's go and turn off the lights and go home. It's, there are just too many dynamic pieces of the puzzle in terms of not only the evolving threat, but the rolling out of new technologies. I mean, there's a very good session this morning on vulnerabilities associated with XML and service oriented architectures. Three years ago, we wouldn't have paid any attention to that. And so now we need to fold that into the process. So I think it's going to have to be an ongoing dynamic series of reviews. The first key part of this is cultural. 
If you talk to the intelligence community, they have a concept called ORCON, originator controlled, which basically says, I wrote the information, it's mine. And so just trying to break down the stovepipes to share that becomes much more an issue of politics and culture than it is of physically getting the bits and bytes to work out. So I think it's going to be a mix of cultural solutions, this doctrine organization training evolution, the physical. And even if I could give you a solution today that said I'm at the 95 percent level, I'm happy with it. It won't be that way tomorrow. The one thing I would say in DoD that, again, I look for your help on, if I'm a credit card company and I'm willing to, and I realize that I'll probably get three to four percent loss rates in fraud or whatever, I can factor that into my calculus. I can put that in my interest rates. I can factor that in. And what you get from that is an explosion of credit across the economy that transforms the ability of everyday people to buy things they never would have been able to buy before. And I don't know anybody lately who's gone to the top secret control officer and said it's OK to lose 3 percent of your documents a year. Even though in the net centric model, you might have maybe 100 people were lost because some piece of information was compromised, maybe 10,000 were saved because the fight was over in three days rather than three months. And the value of net centricity had an upside. So we need to think through our cost benefit analysis to put more emphasis in the military on the upside benefit, even as we focus on the cost. So, not a neat, clean answer, but that's where we're looking at. Over there, sir. Critical factors in my going, I mean, how I got to be CIO. 
I'm sort of in a strange situation in that I was career Navy and so I spent 26 years in uniform and then about seven years in the Office of the Under Secretary of Defense for Policy working largely on the interface between policy and technology issues. And so when in 1998, the secretary decided to beef up the role of the assistant secretary for command, control, communications and intelligence, which is what my organization was then known as, I was asked to go over and be the principal deputy in that organization because I had an understanding of, you know, less the technical details and more the balance between policy and technology. I mean, my own education is my undergraduate work with physics and oceanography. My master's is in applied math, my doctorate's in international relations. And I found that mix of policy science and engineering science to have been a really valuable combination. So, just a long story, what's happened now is my permanent title is principal deputy, our assistant secretary left about 18 months ago. And so I've been acting as the CIO since. But I think in my case, it certainly wasn't a commercial background. It was less a technical background than having the policy technology interface understanding. The question is I've been focusing a lot on information assurance. And as you play out 2012, 2014, how do I see the offensive side playing out of information operations? I'm really limited in what I can say on that in this venue. But I think one of the key points is as the network becomes the center of gravity for military operations. I mean, right now, we're probably the most net centric of any military in the world. Its model is being adopted by a number of others as well. As more and more countries come to depend on the network, then how you attack that network, be it a physical attack or a cyber attack or whatever, will become a more important thing to work on. 
And I think also what I would expect to see is not just, you know, a single solution, but a broad... it'll become a target just like anything else. And one of the things we're saying is we need to fight the network like a weapon system. You need to think of it as a ship, tank or airplane. It's a critical component. And so as a result, you have to defend it against the full range of threats and we have to be able to similarly mount the full range of threats. That's probably about as far as I can go. Somebody in the back, I'm sorry, I can't see hands back there. I'm glad to... Yeah, please. It's a really good question. It's what about cyber attacks and penetrations that originate from foreign countries and how do we prosecute them? I think as most of you know, the attribution of a cyber attack can be a really hard thing to do. And so with a number of countries, for example, in Europe and the Interpol and a number of bilateral agreements, we now have some pretty good mutual law enforcement rules to be able to address, for instance, the UK. There was a, the UK would either prosecute people who were hacking into our nets or in some cases we can extradite them to be prosecuted here. There are other countries where, frankly, it's a free ride. If you hack from there, there's no, in some cases the hacking is not a crime under those nations' laws. And if we don't have agreements with them, there's not much you can do about it. So I think over the past 10 years, we've made a lot of progress in working out multilateral and bilateral law enforcement agreements, but it's certainly a patchwork quilt around the world. The question is on these countries that are not doing a good job in policing their own cybersecurity or which we don't have agreements with, are there other ways we could put pressure on them, postal agreements or something like that too? And the answer is, the Defense Department doesn't do, that's not our thing. 
That would be the law enforcement or State Department. When we have the Ask the Fed panel later on, if you come, that'd be a very good question to ask, for the folks who'd be here because it'd be people who could address it. Back there first. What does IPv6 capable really mean? We've set a goal of 2008 to implement IPv6. And it's gonna be done through a technology refresh policy rather than a big bang solution. And so I would guess we'll be running dual stack for a long time. Tell me more about your question because what we're essentially saying is anything that we're buying since last year or 2003, I think, should have been IPv6 capable. And your question is, that's an ambiguous definition. I see the rollout of IPv6 is gonna be a, we're pushing as hard as possible. And there was just a congressional hearing that was basically saying that the government as a whole should be doing more with IPv6. And the DOD was really the only organization that was taking the lead. And so the Congress seemed fairly happy with what we're doing. At the same time, as you know, there are lots of issues associated with it, what kind of costs are gonna be imposed, how much, how quickly we're gonna retire the IPv4 systems if they can't run dual stack. So I don't think this is gonna, on the 31st of December, 2008, there's not gonna be a magic cut-off, because we try to get there as fast as possible. Most of it's gonna be new equipment we buy, data we refresh, they're gonna have to be IPv6 compatible. But we can talk later on if you want, I don't think that's answered it. There was a, yeah. By the which project? I can't actually know. The question is, can I comment on the achievements of the DETER project? And I'm not familiar with the project. What's, give me some more background. It's an NSF DOD funded testbed, if you will, to look at the internet. 
Actually, I'd like to learn more about that because we're in the process right now of assembling an end-to-end testbed for the global information grid. And we've been going around inventorying, if you will. For example, I'm funding something at the Naval Research Lab that's an end-to-end testbed. The Joint Forces Command down in Norfolk has an end-to-end testbed. Army has one out of Fort Hood. So I'd like to learn more about where DETER goes because I'm not familiar with it. Question is, why are we moving towards IPv6? Well, we need the security and the mobile environment features, being able to automatically establish links with adjacent networks, those sorts of things. The security, there's a sense that the rest of the world, China or whatever, is likely to move to it. We're certainly not doing it because right now we're constrained in IP address space, but the department is going to be explosively moving to unattended ground sensors and unattended, well, mainly ground. And that's going to start using up our space. We were trying to not have to go to NATs for some of these sub-NATs. So that was essentially the reasons that drove it. The question is, how much collaboration do we do with other agencies on information sharing and information security? As I mentioned, we and the intelligence community and NATO have a very close relationship based on the fact we have a common data strategy. And that's, NATO has something called STANAGs, standing agreements. And in fact, we've tried to base a lot of our policies and technologies on NATO STANAGs. So it's not just a U.S. only thing and we're actually trying to show it's an alliance event as well. I think there's still some major cultural differences in here, especially with the intelligence community in terms of some of the stovepipes that have been around for a long time. And they probably feel that we're moving too quickly to need to share versus need to know. 
And we probably feel that we'd like them to put some more information in the network faster. So the discussions are ongoing continuously. The president signed the executive order last summer mandating the sharing of terrorist information across the government. The legislation that set up the director of national intelligence amplified that to actually set up a position within the DNI's office as a program manager for information sharing. So there's just a lot of energy in this and we're just trying to pull it together across the messy processes that are the U.S. government. Okay, that's on here. Yeah, the question is, do I think there's enough control by the government over the internet, not enough control? This is going to come up in the WSIS, the World Summit in Tunis, and we're working out the various positions. I think by and large the U.S. is willing to see more role in internet governance by other countries, but we're not willing at this point to give up some of the key features like ICANN and that sort of thing. The positions frankly are still being refined, but let me see, first of all, I can only speak for the Department of Defense and from the DOD perspective, I have no problem with the current level of control of the internet. I'll defer, it's a good question for the Ask the Fed panel because the law enforcement people might have a different view, okay? Please, the question is there's a need to keep a 10 to 15 year focus on information assurance. The concern is that recently the DARPA funding for the longer term computer science projects has dried up, what do I think about that? I know there's been a conscious effort on the part of DARPA to focus on projects with more, what do I wanna say, direct return on investment from the R&D. There's always gonna be a tension between what the 10 to 15 year problem is and what the local one is. Candidly, I've more or less accepted the view of the director of DARPA on where he should put his resources. 
We're doing a lot of work, not just with DARPA but also with NSA and also with the academic community in terms of the long term projects. And at this point, I have more problem with the point I made earlier of how to justify what I believe should be a higher level overall of across the board information assurance projects rather than whether DARPA is not doing enough, because there are ways to cover that in other areas. So that hasn't bothered me particularly. Ma'am, I got you. I'm sorry, the question is, as we work outside the .mil domain, the areas, the ones I cited were non-traditional partners within the U.S. government like USAID with whom DOD hasn't typically worked. International organizations like the United Nations, some NGOs, and I cited Doctors Without Borders because there's a whole raft of them. And some of these in the past have actually had in their charters that they should not work with the military. And I think one of the things that we've made some progress on over the past year or so, particularly since the tsunami, is a recognition that if we really are gonna provide services to people in distress, and frankly from my perspective, I'm just talking from my DOD hat, I'm interested in the stabilization of these situations so they don't turn into problems where the military has to intervene. So in those type of situations, we have a common interest. And that was the, I just used Doctors Without Borders as the example of a broad class of non-governmental organizations. Absolutely, NGOs are a group we're actively courting. Yeah, you had something here, right? Yeah. And the question is, have we seen anything similar to TPED, the Trusted Product Evaluation Program for military? Yeah, for power grid and banks and other critical infrastructures and things like that. That's a very interesting question. I hadn't thought of it, let's talk afterwards. 
Because I think you could do a lot with that, but we need to work that through this messy inter-agency process and I haven't tried to do that. I'm getting a sign here, I think maybe two more questions and we'll have to call it a day. Question is, information assurance and contractors, how does that affect security when information assurance isn't part of their award fee? And one of the things we've got to learn to do better in this outsourcing of services is to write our contracts smarter. I was out in Afghanistan earlier this year and the contracting officer's representative for the 25th Infantry Division in Bagram was actually down in Qatar. And if they wanted to do combat operations after hours, they would have to call Qatar and get money added to the contract in order to conduct the operations. Because we just hadn't written the contract right. So it seems to me in this environment we've got to write the contract so that information assurance becomes part of the award fee structure, and we're not there yet. This is a learning process. Any more? Thank you very much. I appreciate the chance to talk with you today. Come work with us. I'd love to draw on your talent, Paul. Thanks again.