General Chilton: Thank you. Hooah!
Thanks, General Sorenson. I appreciate the kind introduction.
I'm always struck when folks say this is the first astronaut to achieve the rank of four star general. I always think maybe it was the first four star general who wasn't smart enough to avoid getting on top of a rocket ship. [Laughter]. I'm not sure if it's a compliment or not to my intelligence. But it's truly a pleasure for me to join you all here today.
I've got to tell you, I didn't know much about this conference until I had this French general come sign in in my headquarters a little while ago and started working for me. A guy named General Pollett maybe you've heard of him.
[Hooahs and Laughter].
He says to me, ""Mon General, we need to make sure we get you down to this great AFCEA function down in Miami this year and have an opportunity to meet with some real cyber warfighters down here."" So General Pollett, thanks very much for motivating me to come this direction. [Applause].
I want to begin this morning by talking broadly a little bit about STRATCOM because I've got the podium and I can. [Laughter]. I think it's important to kind of touch base a little bit about what we're doing out there because quite frankly, STRATCOM of all the unified combatant commands, has done the most changing over the last several years and oftentimes people don't know what it is we do.
We started out in the way back as SAC doing nuclear deterrence versus the Soviets. That went away in '91. In '92 STRATCOM stood up to continue the nuclear deterrent mission. In 2002 they stood that command down, a little known fact, and they stood down US Space Command, combined them together, and renamed it STRATCOM. Now it wasn't a hostile takeover, I'm told. We really did take on three mission sets there, three principal mission sets -- in space; computer network operations, we called it at the time; and we continue to have that very important nuclear deterrent mission that we maintain today.
It wasn't too long after that when they decided there were a few other orphan mission areas out there in the world that needed a daddy rabbit, and those got assigned to STRATCOM.
So if you look at STRATCOM today we have about eight separate major mission areas according to the Unified Command Plan that we conduct. But really only three of those areas, only three of those missions are what I call lines of operations where I can give commander's intent to a next level echelon commander who has the ability to write orders and command and control forces and actually has forces assigned. Those three lines of operations, those three key mission areas, are still in the nuclear deterrent area. They are in space -- we command that domain and defend that domain and operate in that domain for the United States of America; and cyberspace, another domain which we command and operate in for the United States of America. Where we have subordinate commanders assigned and subordinate forces assigned provided by all of the services to conduct operations.
The unique thing about these three lines of operations, I think, that sets them apart from regional combatant commanders' mission sets, is that they're truly global in nature. In fact I would argue that these three principle lines of operations for STRATCOM are agnostic to any artificial lines that we draw on maps. Whether they be regional combatant commander boundaries, or in many cases whether they be continents or oceans. Space doesn't care about that, I'll tell you that. And I'm pretty convinced cyberspace doesn't care much about that either.
It's a different way of looking at these mission areas and a problem set when you start thinking about them from a global perspective.
You've heard me use the word domain. A lot of people get hung up on that word domain. I don't mean domain like we would use it in an IT context. I mean domain like I consider King Neptune the king of the undersea domain, okay? I consider the surface of the ocean and operations on the surface of the ocean part of the maritime domain. I consider land a domain. I consider air a domain. I consider space a domain. And I consider cyberspace a domain. These are areas that can be operated in, operated through, operated across, that can support other domains or can be supported by operations in other domains. I think cyberspace qualifies in that regard.
You know, I think there's some context required here when we think about cyberspace and think about what you do with regard to how long we've been at this business. If I put it in an analogy with airplanes, we're in the 1920s. The Wright Brothers flew in 1903. We're about 20 years into this business, in my view. I don't know about you, but in 1989 I was working at NASA when they issued me my first desktop computer. I wasn't real happy about that at the time, to tell you the truth. It kind of got in the way of things. I had to move my in-box. I had to take some books off my credenza that I was studying at the time, to put this damn thing in there. [Laughter]. I paid a little bit of attention to it, I'll tell you. I dusted it about once a week, just to keep the cobwebs off it.
I'm not talking that long ago. I'm well into my time in the Air Force and I'm not knowing what to do with this machine. 1989 wasn't that long ago.
The space shuttle that I was training to fly back then, to put things in context, well fortunately in 1991 before I launched on my first flight they had doubled the random access memory in the central computer on the space shuttle. I was relieved to hear that. [Laughter]. They increased it from 128K to 256K. [Laughter]. You've got more than that in your wristwatch, I guarantee you. [Laughter]. That's what they still ride that rocket into space on 256K of random access memory. That's another bit of context there about how far we've come so quickly.
There were some people out there that were pretty prescient at the time, though, none the least of which was President Ronald Reagan who in 1989 said that ""The Goliath of totalitarianism will one day be brought down by the David of the microchip."" This is 1989. You talk about someone who was thinking ahead back then.
I finally got past dusting off my computer and found myself like the rest of us starting to use it as a tool and eventually getting to a point where I think I've become pretty darn dependent on it. Not only at work, but certainly in my personal life.
How many of you do on-line banking? Yeah. I didn't start until about a year ago. Fortunately, my wife was way out ahead of me and she helped shape me as she does in so many different ways. I went to her and I said, ""Honey, can I borrow $5 to buy some stamps?"" She said no. [Laughter]. That helped me to adjust fire on how I was going to start paying bills. So I came on-line too.
But you think about it, and I don't have to tell this crowd, just how dependent we are on being connected through cyberspace for our personal lives and certainly when it comes to fighting our wars and preparing to fight our wars. To me it's about being able to plan and execute and command and control forces at a minimum, and there's more to it than that.
So what is STRATCOM's role in this cyberspace domain? We've been given a couple of mission sets according to the Unified Command Plan. First of all, we're chartered to operate and defend the GIG. Well, my first question was what is the GIG? What does that term mean? It's very specific what the GIG is, it's the www.mil and www.smil. Think about that for a minute. We have a force who's chartered to defend just the military network. That's like having an Air Force that just defends Air Force bases or an Army that just defends posts, camps and stations. But that's where we are today. That's how new we are at this. We are challenged enough to figure out how we're going to make sure we defend and assure the viability of the dot-mil and the dot-smil domains today.
Besides being required to defend these domains, we're also required to operate them, to ensure that they are operated. I'll speak a little bit more about this in my remarks, but my sense is that the hardest mission that we have in cyberspace is operating the net and it's the least talked about. People want to talk about defending, they want to talk about attacking, they want to talk about exploiting, but they forget to remember or think about operating the network. At the end of the day what it's about is keeping that network operating when it's under attack, making sure it's available for the warfighter when it's under attack, making sure I can pay my bills when they're due when it's under attack on a personal level. That is not easy work. It is not work that should be taken on by amateurs. It's work that needs to be taken on by trained professionals.
The other thing we're asked to do, though, is to look for opportunities to attack in cyberspace. To attack the adversary's use of cyberspace where they find an advantage, but also to attack through that domain into other domains as appropriate. We certainly can do that. We certainly need to think about that. But again, this is not something you just sprinkle fairy dust over and say hey, STRATCOM, give me a little bit of that non-kinetic stuff, will you? It takes a lot of work to do this. A lot of preparation.
How do we command and control this? I mentioned we have subordinate commands. You had the opportunity to hear I think General Napper speak this week. She's in our JTF GNO, Global Network Operations command, functional command. Think of these joint functional commands as we have in STRATCOM just like functional component commands in any regional combatant command. A JFAC, a JFMIC, a JFLIC. We have a JTF GNO, a JFCC, Joint Function Component Command for Net Warfare. Oh by the way, we have one for Space as well. They are experts in their domains and they conduct operational level of war and order writing and conduct operations in support of the commander's intent. So we do the operate and defend piece through Joint Task Force Global Network Operations.
I think brilliantly the former Commander of STRATCOM, General Cartwright, looked for opportunities to leverage since we weren't -- oh by the way, I didn't mention when we got all these eight missions we weren't given any extra people to do them. So he looked at opportunities to leverage institutions that were already standing. He married JTF GNO with DISA. What does DISA bring to us? Tremendous engineering support, contracting support, relationships with the commercial industry, an ability to leverage that capability and knowledge and expertise that JTF GNO uses every day as support agencies to support them to do their job.
I mentioned that GNO can give orders out. Who do they give them to? Well, they give them to the Army, Navy, the Air Force and Marines, they give them to the regional combatant commanders to make sure that they are operating their networks correctly and defending their networks correctly. Now this is a little unique as well.
We give orders to Force Command; we give orders to Air Combat Command; to Air Mobility Command. You can't imagine the CENTCOM Commander doing that. He's only going to give orders to the forces that are assigned in his region. But remember, the network's global, and a vulnerability in the headquarters, a vulnerability in the Pentagon can translate into a vulnerability on the other side of the world or a disaster on the other side of the world. So when we think about this network we not only have to think about the part of the network that's in the geographic combatant commander's AORs, but we have to think about a part of the network that's in the services AORs, if you will.
So we command through NOSCs, through NETCOM, through the Army, and for the Air Force, et cetera.
What kind of commands do we send out? As a minimum you've got to think about maintenance scheduling. You don't want to be taking down a critical server or a critical system in one AO and not fully appreciating the impact that might have on another AO, and oftentimes it can have that serious impact.
We think about commands on how we're going to route traffic and reroute traffic when there are malfunctions or maintenance going on or cables cut or hurricanes blowing through a region and damage caused by that. Bandwidth management is also important and it takes someone centrally looking at that and making sure those things are taken care of.
Then there's the defensive side, which is pretty obvious. Where are the vulnerabilities? Where are the patches? What are the patches that need to be put out? When should they be put out? What ports need to be blocked? What things need to be cut off from our network so that they no longer provide threats to us? What defensive actions do we need to take? So these are the kinds of things that JTF GNO has on their plate every day thinking about and putting orders out to the various entities and command and control facilities to execute.
How about net warfare? Our attack, we organize through Joint Functional Component Command Net Warfare, which again we leverage off a marriage with another great combat support agency called the NSA, National Security Agency. General Keith Alexander is dual-hatted as my commander, as a functional component for network warfare. He's also the director of NSA and has other roles and responsibilities in that regard.
This is an important marriage today because I would maintain that intel support for network operations, attack and defense, is absolutely critical. However, I would say it is not more critical than intel support in any other domain.
We don't just load up airplanes with bombs and go out looking for targets. A lot of intel preparation of the battlespace is required before we even think about loading up an airplane with weapons, what type of weapons even, and go looking for a target. We need imagery, we need lat/long, we need hardness of the target, then we start thinking about -- oh, we need analysis and the importance of the target and how it fits into the battle scheme. Then we start thinking about how we're going to go out and put iron on it.
The same thing in this domain. Most of the work that needs to be done before the attack is intel centric, and it's very critical to it. But in my view, this is not an intel mission. This is a combat operation that requires exquisite intel support, just like every other combat operation.
What do we want to do? After we do that operational prep of the environment that's so important, we want to cause effects in the enemy's cyberspace environment. We want to affect their ability to command and control their forces, their ability to plan. We may even be able to create doubt in their minds and have some sort of cognitive effects on the enemy by use of cyberspace correctly.
But also I want to emphasize, I believe firmly, that there's opportunity here for cross domain effects -- using cyberspace to create effects in the land domain, in the air domain, in the sea domain, and indeed in the space domain, is possible.
Let me transition a little bit here and talk about threats. A lot of this won't be new to y'all, but I think it's important to recognize them, because the more we recognize both our dependence on the network and the threats to the networks, the more seriously we'll take the disciplines required to properly operate it and defend it.
Today we read a lot about attacks on our networks. I don't characterize them as attacks. I characterize them as espionage. There's a lot of espionage going on around the world. Guess what? People have been doing espionage since time immemorial. It's just that now, because of where we store a lot of our information, where we have a lot of our conversations, is in cyberspace.
So instead of having to train a spy to learn English, to come over here and blend into our society, get a job or access to an organization where they can get into and get a trusted relationship. Get into a classified area in that organization late at night, crack the safe, take the microfilm camera out, take pictures so they can send that information back, this can all be done from the comfort of your home in your parent country through the internet. That's the kind of attacks we're experiencing today. Huge exfiltration of data. Huge exfiltration of data. Data that when pieced together, even taken off unclassified networks, can be very detrimental to the United States of America.
There's another form of attack that we have seen executed, not against the United States but certainly against Estonia that we have to be wary of and it's a denial of service attack. Now I don't know about you, but I remember back in '89, '90 when I had that first computer and I'd double click on an icon to open up something, and it would take two or three seconds before it would open up. Now if it takes less than a nanno-second I get pretty frustrated. In fact I'm on the phone calling my IT specialist and saying get in there and fix my computer. It ain't happening fast enough.
So imagine if you double click on an important icon on your computer tomorrow and it takes a minute for that data to come up. What if you're in combat? What if it's important to get that message through and it takes a minute? It ain't going to take long before you take that computer and throw it out the window. Denial of service, slowing down information flow is what we saw in Estonia, it's real, it's a capability that exists today, and it's one we have to be worried about.
There's a physical threat, of course, too. The physical threat can come from natural disasters. Hurricane Katrina is a great example of how that impacted networks down in the New Orleans area, in fact South Central United States. Something as unsophisticated as an old boat with a sturdy anchor and anchor chain, dragging it across the right spot near the coast line can pull up a lot of bandwidth in the form of pulling up undersea cables or fiber networks, and the impacts of that can be dramatic. I'm not talking about a real sophisticated attack here, folks. The impacts of that can be very dramatic.
Here's the one that scares me the most. I talked about the exfiltration of information and I talked a little bit about how maybe you can affect how people think, which could be very, have a big impact on an operation. So what happened? We had a lot of information exfiltrated from the United States Air Force's files. All of the records of all of the field grade officers and general officers was taken. We know. Medical records were taken. You can go on the internet today and you can type in my name and do a search and you'll find articles that have been written about speeches I've made or maybe places I've been stationed, or maybe someone's blog, maybe they don't like me and put up something on there. Who knows? But I bet you could find out somewhere along the way that I'm from Los Angeles, California and I'm a huge Dodger baseball fan.
Here's something that happened to me the other day, actually it was a couple of months ago. The season's getting warmed up. I get an e-mail from a retired general officer friend of mine who is also a Dodger fan. The e-mail comes into my account at STRATCOM headquarters because he knows, he's working at a contractor now and he has access and I guess my server or firewall said it's okay to receive e-mails from this source. So in comes an e-mail from this friend of mine. It says, ""Check out this video. You'll love it.""
Okay. I see there's an icon there for a video. I was tempted for about a nanno-second to open it up, and I said nope, and I deleted it.
Where did that video come from? What was on that video? Did Tom really send me that e-mail? How do I know? How do I know it wasn't somebody else pretending to be Tom on the internet with actually a legitimate video that had been doctored with some malware on it that I would download on my machine, and in the middle of the night someone would come into that machine and become the systems administrator for my machine, and now they're inside all of STRATCOM's NIPR network, with an ability to move around and pretend like they're me? What if this scenario happened in time of war and you got an e-mail from your commander that said go left when you thought he'd said the day before to go right.
Now whether you believe it or not, or whether you validate it and pick up the phone and go Boss, is this true or not? You have created doubt in the force about your ability to trust and rely on the information moving through that network. And as soon as you've created that cognitive doubt, one ounce of doubt, you begin to impact combat operations.
This attack is the one that bothers me the most. You can think about technical means to power through denial of service. But if they can get inside our heads by getting inside our machines and becoming us, the impact that they can have on military operations can be dramatic.
There are other threats too that we're all pretty familiar with. The insider threat. Somebody turns coat on the country. Supply chain. How closely are we paying attention to where we're buying our piece parts for these critical information tools that we use and what's in those piece parts? Paying attention to that is absolutely important.
So what? Hey, we're in peace time here, General Chilton. What's the big deal? And you're mostly talking about the NIPRNET, you know, our SIPRNET's pretty secure. In fact we haven't found any problems on the SIPRNET.
Well, let me give you a couple of so-what's from an economic perspective. Every time we have a problem where a virus is loaded or someone comes in and takes over systems administration of a computer, we've got to take that system off line, we've got to come in, we've got to scrub it. Sometimes we've got to throw it away. If it's a server, take it down, erase it, rebuild the server. If it's a desktop, take it apart, put it back together, scrub it, clean it. Guess what? That ain't free.
There are some estimates, and we're trying to get our arms around this right now. In fact General Napper has this as a tasker, to try to get our arms around exactly how much this is costing us every time we have someone break into our NIPRNET network. Some estimates are about $100 million a year. Some people think that's low.
How are people getting into our NIPRNET and doing this? I mentioned that e-mail from a friend. Well the real vulnerability to the NIPRNET is where the NIPRNET connects up to the internet. There's a finite number of locations where that happens, and we know exactly where they are and how that happens. We like to think we do, right Jennifer? Sometimes we get surprised.
But every time someone goes out of the NIPRNET domain, and now I'm using the computer term, into the internet, we're putting ourselves at risk for vulnerability, particularly if we're going out to places like MySpace, et cetera, where we know probably about 80 percent of the web pages out there have some sort of malware loaded on them, ready to be imported and brought right into our NIPRNET with the click of a mouse.
Cost is an important thing. Bandwidth. You know when the highest bandwidth rate goes up on the NIPRNET? We track this stuff. It's during March Madness. [Laughter]. March Madness. People watching streaming videos of basketball games, checking the scores, checking how their teams are doing in the various brackets. Let me tell you, if you're in the business of making money and you have employees who are spending a couple of hours a day on the payroll doing that kind of work you take that pretty seriously. If you're in the business of fighting our nation's wars and planning for our nation's war and defending this country and you've got people in their spaces and their cubicles doing that, we ought to take that pretty seriously as well. One, from a wasted effort perspective; but other, from opening vulnerabilities. And oh by the way, that bandwidth to see all that stuff? It isn't free. We're paying for that bandwidth. We're leasing that bandwidth oftentimes through commercial capability.
So the cost of not treating this network correctly and behaving correctly in this domain can not only be fiscal, it can be physical, and it can have an impact on the fight.
So how do we counter these threats to our networks? I begin with operational discipline first. There are processes, tactics, techniques and procedures that are good tactics, techniques and procedures that need to be followed. First we have to train our people, make sure they understand what we expect of them when they get on the NIPRNET or when they get on the SIPRNET. They need to know the rules so they can follow the rules. They need to know the regulations so that they can follow the regulations. They need to understand the orders that are given and follow them in a timely manner.
Identification management is very critical to defending our networks. The CAC PKI card was an important first step and we need to do more than that. Knowing who is on our network at all times and knowing what and what machines are on our networks are vitally important to the way that we move forward to defend it.
So equipment management, personnel management, and ID of personnel and equipment on the network is absolutely vital to our defenses.
At the end of the day, folks, like in any other domain, we need to train like we're going to fight. And we're in the fight every day already because we are being attacked if in no other way in an espionage sense day in and day out, 24x7.
I talked a little bit earlier about what I thought was the hardest thing we're challenged to do at U.S. Strategic Command and I think it's the hardest thing that you will be challenged to do at one point in your career. That is to operate this network through an attack.
When we're attacked in other domains, let's take a chem/bio attack in the land domain, we don't go into over-pressurized bunkers and wait for the attack to end. We mop up and move forward toward the objective. In the Air Force we don't go back into our hangars and wait for it to stop. We mop up, we load bombs, we man up aircraft, and we go to the objective and deliver fire.
In this domain, the same thing will be required, and the hardest thing will be keeping it operating when we're under attack. Fighting through the attack. One thing I know for sure, no defense is perfect. We will be attacked and we will be attacked successfully. How we recover from it and continue to operate the networks is going to be absolutely vital to our success on the battlefield.
I talked a little bit ago about how vulnerabilities come into our NIPRNET through the access points to the NIPRNET, sorry to the internet. I'd like to propose something here today. It's not new. I've talked about it before, but I'd like to put it out for you all to think about because you are the experts when it comes to this domain.
Today we kind of play whack-a-mole when it comes to attacks through the NIPRNET. Something bad happened, we do the forensics, we back it up, we block that port. I don't think that is a good way to prepare to fight in this domain. I think that's a way that we've elected to fight in this domain. We blacklist things. We say these following things are not allowed onto the NIPRNET.
As soon as you do that you get some smart young person out there that figures out a way to get around your blacklist and they get to that part of the internet anyway. And the vulnerabilities continue to flow in.
I think we need to reverse our thinking on this. We need to go to operators and say what is it that you need from the internet that is essential to your operations? Write them down. Then we whitelist things, and that's all we let in.
The first time we do this we're not going to get it right and you're going to have someone go hey, how come I can't get on the site any more? I need this information to conduct my operation. Adjust fire. Redo the whitelist. I'm hoping some day someone will click, hey, how come I can't get on the NCAA files TV screen here today? We'll go, because you're not supposed to be there, pal. That's why. [Laughter]. And because by going there you open up vulnerability to our network besides wasting government time and bandwidth.
I think this is a different approach that we need to think about, and I'd like you to think about because it's going to take a lot of people standing up and going that's the right approach for us to change the way we're currently using the NIPRNET and how we interface with the internet through that.
Another thing I believe we need to do, and I firmly believe this, is we need to make the operation and the defense of our network commanders' business. We probably have a bunch of G6s and J6s in the room here today, and I don't mean to offend any of you. In fact I mean to support you. Let me give you an example.
When I was a wing commander in charge of flying operations, one of the most important things I looked at was maintenance of the aircraft. I looked every day at leading and lagging indicators on the health of the fleet. Why was that important? You don't fly, you don't deliver ordnance, you don't get the mission done if you don't have a healthy fleet of aircraft.
Put that in the same perspective of a healthy network to conduct your operations. Commanders of organizations, commanders of brigades, commanders of battalions, commanders of companies, commanders of wings, commanders of ships should be paying attention every day to the health of their network because their network is important to them. It is not just the J6s or the G6s or the N6s or the A6s business. It is at least their business, but it is commanders' business as well, and commanders need to focus on it and they need to hold people accountable.
If you leave a safe open in your spaces or you take classified and you leave it laying on the countertop at the WalMart, are there consequences for that? You bet there are. If you open a vulnerability in our network and allow someone to come in and exfiltrate important data, are there consequences for that? When was the last time anybody in here saw anybody get a letter of counseling or reprimand or even called in front of the boss' office? The boss' office. Not the G6's office, the Commander's office, and reprimanded for not following proper procedures in the way they conducted business on our NIPRNET, on our warfighting network. That's a change in attitude, ladies and gentlemen, that I believe we need to have.
Commanders' business, accountability, commanders using the authority of the UCMJ when they have properly trained and equipped people. You don't hold people accountable for ignorance. You train them correctly, you teach them how to use it, and you hold them accountable. This is important business and important work that requires this important focus in my view.
There's something else we need to do our job at STRATCOM that we frankly don't have enough of, and that's people. I don't mean people working in the STRATCOM headquarters, I mean people in the business of doing the business that we're about from the services. I don't think we have enough people doing the operating side of the network; I know we don't have enough people doing the critical operational preparation of the environment that we need to do so that in time of war when they ask us for some non-kinetic capability that we can actually offer something up in less than a six month period of time, because it takes that kind of time and that kind of work, day in and day out work, to be able to develop offensive operation actions on the network.
We not only need these people in numbers, we need these people properly trained, properly organized, and properly equipped to do the missions we've been chartered to do at STRATCOM. We need to take this concept of a domain and the importance of this domain and our dependence on this domain, and we need to weave it into our war colleges and our schools so that it's not just those of us who are in the IT business who get it, but that everybody understands the capabilities, the requirements, and the vulnerabilities of this network and how important it is to combat operations. It needs to be a part of the fiber of every commander and every warfighter.
We need games and exercises that stress the system so that the operators of the networks can actually train in peacetime for what it's going to be like in wartime when their networks come under attack and they can take actions. They can practice procedures. Develop tactics, techniques and procedures that will help them fight through those attacks in time of war.
Our challenge at STRATCOM, another challenge we have that goes beyond the organize, train and equip of people is also a doctrinal challenge. I'll give you another example here.
In space when we think about that domain, we bring space capabilities to every geographic combatant commander. How do we do that? We have a three-star general in charge of space at the operational level of war. He has a command center where he writes orders and pushes them out. But how does he support the CENTCOM Commander?
Today, doctrinally we do through the JFACC, through a Director of Space Forces who can reach back to the United States, to the Central Command capability, to give him what he needs on the timing and tempo that the Joint Force Commander needs that capability presented. It's starting to work pretty well, quite frankly. It's been a long time in coming. It's taken about 15 years to get this codified and working and normalized to a point where regional combatant commanders can say I need a little of this, and they get it, and it's seamless.
The decision to plug that in through the JFACC I think was largely taken because if you look at the percentage of the services that are participating in the space domain, about 80 percent of what is being done in operating in space is done by the United States Air Force. So they built this natural link, I think, through the JFACC.
In the cyber domain I think all the services have about equal skin in the game. So one of the questions we're struggling with is how do we make that connection from JTF GNO, from JFCC-NW to the regional combatant commanders' headquarters to make sure that what we're doing is adequately integrated into their combat plans and their combat operations. It's not at all clear that it's going to come through the JFACC. JFMIC, JFLIC, direct to the headquarters. These are questions that we need to work through and understand, and they're important questions if we're going to bring these capabilities and integrate these capabilities correctly into the fight.
One thing I'm certain of, and there's a lot I am uncertain of, but one thing I'm certain of is in our lifetimes we're not going to uninvent the GIG. We're not going to go back to 1989 where that computer sitting on my desk just got in the way. We have gotten used to working in the network domain, and we have gotten more than used to it, we have gotten dependent upon it.
So the challenge we have now is to figure out how we're going to make sure it stays secure so we can operate it through the fight, and in time of crisis, and go beyond just defending and operating it but actually use it as a domain where we can deliver combat effects in and through to support victory for our forces anywhere in the world.
Cyberspace is a domain, and operations in that domain are essential to the fight. Mostly we'll be supporting, but on occasion this domain is going to need to be supported by other domains to achieve victory.
Ladies and gentlemen you're the folks that are going to make this happen for the United States of America. I thank you for your dedicated service to our country. I thank you for your professionalism. I encourage you to continue to press forward and move the ball forward in this domain we call cyberspace.
Thank you very much.
I think we have time for a few questions, and I'd be happy to field any.
Question: Sir, Colonel Joe Pewitt, NETCOM.
A quick question about satellite dependency. Increasingly it seems our GIG and our LandWarNet is dependent on the successful use of satellite. Also increasingly it seems like our adversaries are developing capabilities to interdict our satellite communications. Are you concerned about those trends? And what do you see as a long-term strategy associated with developing robustness in our infrastructure?
General Chilton: Thank you, that's a great question. First of all, I try not to think about satellites any differently than I think about wires or undersea cables or microwave connectivity. It's all part of, and it's all essential to the network and how we connect and pass information. But you bring up some great points.
Satellites are vulnerable in a couple of ways, or that part of the GIG is vulnerable, the transport system. Oftentimes we get too focused on the satellite. There's a ground station there too that you have to worry about defending. They're finite in numbers. Oh by the way, that ground station is probably plugged into the internet, and you've got to worry about your defenses there. That ground station sends signals to the satellite that can be jammed or intercepted, and then the satellite not only has to be told where to go and where to point, it has a payload on board that's being used, transponders that are being used to move information across, and the health and well being of those are essential as well.
What I'm concerned about is that we ever put too many eggs in one basket. By that I mean there are some who say we don't need as much satellite bandwidth, we'll just do it all with undersea cables and lay more glass. Then there's the other extreme that says no, we need to put it all in space.
There's another piece of that that I also think we need to do more of, is to have more air-breathing links and alternative bridges, and alternative ways of moving data around the battlespace. I think you need it all.
If we put our eggs all in one basket, the adversary will find a way to exploit that. If we put it all in undersea cables, they'll put it all in undersea cables. If we put it all in space, they'll go after space. They're probably going to try to go after all of it, oh by the way, so we need to have options and flexibility, and we need to be able to shift bandwidth from space to undersea to RF, across the airways, so that we can get the information and the C2 to the battlespace where and when we need it, and we need to be prepared for attacks against all those various portions of space.
Did that answer your question?
Question: Yes, sir.
General Chilton: I'll follow up on that and say we need to increase our bandwidth in space, I believe.
Question: Sir, LTC Peter Barclay, CLG6.
You talk about the need for trained professionals and the lack of people, but as we look across the force structure it seems that the Army has an automation community, functional area 53, but there is no senior functional area 53 O6 on the STRATCOM staff. Is that a significant shortcoming?
General Chilton: First of all, I'm not real familiar with the Army code for capabilities. I guess I would ask, make a couple of points.
When I say there aren't enough people, I don't have enough people working the mission for me. There may be enough people out there, we may just not be organized correctly to present the forces to this combatant commander that he needs. So there's that possibility out there.
But I know for a fact that I don't have the forces I need to do the mission sets I need to do, particularly in operational prep of the environment.
I'm assuming the code that you talked about is, we call it a specialty code, personnel specialty code. Is that right?
I'm not sure how the Army is set up in this regard, but I'll tell you the Air Force has some issues in this area. And I know as the former Commander of Air Force Space Command we had some big issues in this area when it came to managing our experts in the space business. I'll give you a quick story.
I'm the Commander of Air Force Space Command and my Director of Requirements, a major general, comes up to me and he says, ""Boss, I just got a fill for our division Director of Requirements for non-imaging infrared."" This is our satellites on orbit that do missile warning. Pretty important stuff. Oh, by the way, we're in the middle of fielding a new one and writing requirements for the next generation. He says, ""You know what those personnel guys sent me? They sent me a guy who just came out of four years in a missile silo up at Minot and he's an English major. He doesn't know anything about infrared and he's now in charge of requirements. That's why they filled the slot.""
I said, ""You've got to be kidding me. How did that happen? Get the A1 up here right now.""
So Colonel Pavarsky comes charging into my office. I said, ""How did you let this happen?"" She said, ""Sir, let me get back to you."" She went and did a little research. She said, ""You know, sir, that position description for that job says it must be filled by a 13S."" That's our code for space operator."" Guess what? We got a 13S, because ICBM people are 13S space operators. There was no difference between an ICBM space operator, a satellite space operator, an infrared, a GPS, a comm. We couldn't bring that out in our personnel system to be able to get the right talent in the right job.
I don't know if that's the question that was being asked or not, and I don't know if that's a challenge for the Army in the communication world. It certainly is a challenge for the Air Force. So how are we starting to fix that in the Air Force, in the space business? Special identifiers so that we can actually sort. Oh, by the way, rewriting our job descriptions correctly so that we get the right job description out there and we get the square peg in the square hole. Not any peg in any hole.
Now I may have dodged your question, but if it is, it's out of ignorance. Give me some feedback. Was I close?
Question: Yes, sir.
General Chilton: Okay. [Laughter].
Question: Good morning, sir. I'm Karen Judgkins from the legal community. I've got some questions about U.S. policy and law as it relates to cyber.
A question about at what point we can assume an act of war has occurred from the cyber domain. And what U.S. laws should be changed to better enable the fight. Thank you.
General Chilton: You asked the million dollar question there, when do you consider an act of war. I don't think we've closed on that. I'm not sure – well - let me ask this. I'll ask a rhetorical question.
Was 9/11 an act of war? Was flying airplanes into the World Trade Center an act of war?
How about bombing of the USS Cole? Was that an act of war?
How about, was there a difference between flying airplanes into the World Trade Center and flying airplanes into the Pentagon?
What's the difference between terrorism and an act of war?
What's the difference between espionage and an act of war?
What did I say is going on on our networks today? Espionage. Is denial of service an act of war? Do you measure it in lives lost?
I had an interesting discussion with a member of the U.S. Senate the other day. I said, Senator, how do you look at the difference between a MARK 82 or a MARK 84 in the New York Stock Exchange and blowing it up, or a cyber attack that completely takes out the New York Stock Exchange? The Senator's answer was, well I draw the line at lives lost. I go, you've got to be careful there. What if we take down the power grid? Nobody dies. Hospitals stop working. People eventually die as a result of that act. Is that an act of war?
We have the same issues, by the way, and I'm not answering your question because I don't know the answer to this and it's one we have to come to grips with, but we have the same issue in space, I would argue. So you've got this billion dollar national reconnaissance office satellite up there that we don't talk about, don't tell anybody where it is. It's up there flying around taking pictures for us to collect intelligence. An adversary shoots an anti-satellite weapon at it and destroys it. Not one single American dies. Most Americans don't even know it's up there. Is that an act of war? If it is, how are you going to convince the people of the United States of America that they're at war? They have to be convinced of that, I think. Certainly Capital Hill does.
These are really tough questions and we need to come to grips with them in my view. And guess what? They're policy questions and I don't set policy. But we certainly have the opportunity to advise and think these things through.
These are the kind of questions, when I say we need to be working these kinds of issues and thinking about education at our War Colleges, at our Service Schools, these are the kind of key questions that we ought to be asking and studying and thinking about because we're going to be faced with them, and we don't have good answers for them today.
Question: Sir, Mark Rigner, from the U.S. Military Academy.
You mentioned that we need to engage in peacetime exercises. Effectively, we need to practice like we're going to play when it comes down to the real thing.
General Chilton: I'm sorry. I missed that. Say that again please.
Question: Okay. You mentioned that we need to engage in peacetime exercises, that we effectively need to practice the way we're going to play when it comes to the real thing. The Academy's engaged in a cyber defense exercise every year that effectively is what you described. I'm wondering on what scale do you see the armed forces, DoD, engaging? How large of a scale do you see us engaging in in a peacetime exercise?
General Chilton: I think that's up to the warfighter to decide, that is dependent on the network. But I would say certainly at least at the operational level of war. We've got to get way above the tactical level on these exercises, in my view. We need to bring it up to the operational level. Because that's where, although the network is absolutely important all the way down, and it's important we get it to the forward edge of the battle space so that everybody's connected, when you start thinking about major movements, major decisions, command and control of forces, how we're going to move posture, flow TIPFDS, logistics, go right, go left, go up the middle, these kinds of decisions and planning and work at the operational level of war, that's where I think it would be a center of gravity for operations and an adversary want to attack.
Yeah, they can attack at the tactical level and have a tactical level effect. If you want to have a theater wide effect you start conducting operations and attacks at the operational level of war, the key command and control nodes that you have for conducting operations.
My opinion, just shooting from the hip here, would be you have to at least do it at that level.
I'm glad to hear there is some of that going on, but I'm thinking it's not as broad as it needs to be. Where's the NTC for Cyber? Where's the Red Flag for Cyber? How do we integrate those into NTC? How do we integrate cyber into Red Flag?
Here's another anecdote. I remember it was 1998, I'd just returned from NASA to the Air Force and the Air Force was conducting an exercise called an EFX. It's now called JEFX. Then it was the concept of a deployed command and control center at the operational level of war. We now call them AOCs, Air Operation Centers. But the idea was you'd have a deployable AOC. SO it was in a big tent. All the computers set up, all the planning, you had a strategy cell, planning cell, current ops cell, intel division, commander up there, and part of the exercise was, since it was deployed and relying on satellite connectivity to conduct its operations, to take in data and send its orders, part of the exercise was for the space guys to do a space attack on this deployed location.
I was there the day they did it. The commander was standing there, the head of everything. He knows what's in the script. And sure enough on the hack here comes a space attack. You look around the room and every screen went blank. The commander sat there for about five minutes and he said, okay, I've got it. Turn that space stuff off so we can get back to work. [Laughter]. Because there was no way to counter it. they hadn't thought about what they were going to do if it happened, and the easy solution to move on with the exercise was just tell the space guys to stop messing with us.
I think we've moved a little forward from there. But we need to do the same in cyberspace. WE need to have exercises where a cyber attack actually impacts some other domain and that other domain cares enough about it that they're going to fight back that cyber attack or at least figure out how they're going to operate through the attack. So we don't need to be doing practice on ourselves, we need to be doing practice in the integrated fight. That's what I'm talking about in training ranges. It needs to get to that level of sophistication, I believe. So the commander can make decisions.
Question: Sir, LTC Dino at the 335th.
We treat cyber and cyberspace operations kind of in a special way right now, not unlike we did chemical operations a hundred years ago. What's preventing us, in your mind, from getting to the point where we treat it like another area we operate so that at basic training we give a trooper, a Cav trooper or a truck driver, he gets at least a basic understanding of the risks and how to defend his personal computer, for example, and in his personal operation the same kind of camouflage yourself, the same kind of defense we give in other areas.
General Chilton: First of all on the training side you need to do that right up front, without a doubt. Every one of us has the opportunity to open a vulnerability in the gate. Every one of us. We can make a mistake, we can go to our desktops today, we can make a mistake, and allow a vulnerability through the gate. I can't go to my desktop today, I can't go to my office today and make a mistake and allow a vulnerability in the air domain or the land domain or the sea domain. I personally can't do that. Well, maybe I could. [Laughter]. But I'm talking every soldier, sailor, airman, marine, has that opportunity to open up a vulnerability to the NIPRNET. They need to be trained about what their roles and responsibilities are. We need to have TTPs. We need to hold them accountable. That's kind of a starting point.
The other thing is, most of them are a lot more savvy in cyberspace than any of us were when we joined up. They get it. They're eminently trainable.
Your other point about special, treating it special. If you take one thing away from my remarks today it's that I'm trying to make and talk about cyberspace as a domain akin to land, air, sea, and space. It's a place you fight in. It's a place you fight through. You deliver effects from the sea to the shore. You deliver effects from the air to the ground. You deliver effects from the ground to the air. We deliver cyberspace effects in cyberspace and through cyberspace on land, air, sea and space. We can create effects in other domains. It's not special. And oftentimes we're our own worst enemies by making it a little special. We need to normalize the way we think about this domain. We need to make sure we think about it in a warfighting sense and come at it from that perspective first. Yeah, it's high tech, but as a good friend of mine said, the thing that separates this domain and the way we think about it from the other domains is that it operates at the speed of light. Other than that, it's kind of the same principles.
Okay, space is a separate domain because they operate according to Keplarian motion. Air, Bernoulli. Land, well, Isaac Newton. [Laughter]. Right? Cyber is a little unique because it operates at the speed of light. So get over it. It's not so unique that we need to treat it so special that we don't treat it like a warfighting domain and a warfighting capability that can deliver effects. That's my take-away.