Stenographic Transcript Before the Subcommittee on Cybersecurity COMMITTEE ON ARMED SERVICES UNITED STATES SENATE JOINT HEARING TO RECEIVE TESTIMONY ON THE CYBER OPERATIONAL READINESS OF THE DEPARTMENT OF DEFENSE OPEN SESSION Wednesday September 26 2018 Washington D C ALDERSON COURT REPORTING 2020 K STREET NW SUITE 700 WASHINGTON D C 20006 202 289-2260 www aldersonreporting com 1 JOINT HEARING TO RECEIVE TESTIMONY ON 2 THE CYBER OPERATIONAL READINESS OF THE DEPARTMENT OF DEFENSE 3 OPEN SESSION 4 5 Wednesday September 26 2018 6 7 U S Senate 8 Subcommittee on Cybersecurity 9 Subcommittee on Personnel 10 Committee on Armed Services 11 Washington D C 12 13 The subcommittees met pursuant to notice at 2 43 p m 14 in Room SD-106 Dirksen Senate Office Building Hon Mike 15 Rounds chairman of the Subcommittee on Cybersecurity and 16 Hon Thom Tillis chairman of the Subcommittee on Personnel 17 presiding 18 Members Present Senators Rounds and Tillis 19 presiding Wicker Fischer Nelson Gillibrand McCaskill 20 and Warren 21 22 23 24 25 1 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 2 OPENING STATEMENT OF HON MIKE ROUNDS U S SENATOR FROM SOUTH DAKOTA 3 Senator Rounds The Cybersecurity and Personnel 4 Subcommittees meet this afternoon to receive testimony on 5 the cyber operational readiness of the Department of 6 Defense 7 Our witnesses are Brigadier General Dennis Crall 8 Principal Deputy Cyber Advisor and Senior Military Advisor 9 for Cyber Policy Ms Essye Miller Principal Deputy 10 Department of Defense Chief Information Officer Lieutenant 11 General Stephen Fogarty Commander U S Army Cyber Command 12 and Lieutenant General Vincent Stewart Deputy Commander 13 United States Cyber Command 14 Welcome 15 This hearing will commence in open session in which 16 Senators Tillis Nelson and Gillibrand will all make a few 17 opening remarks 18 comments we will ask our witnesses to make their opening 19 remarks 20 questions and answers 21 the Office of Senate Security and recommence in closed 22 session 23 context and testimony that they were not able to provide in 24 an open setting and we will then close with another round 25 of Q A At the conclusion of Senator Gillibrand's After that we will all have our round of We will then transition to SVC-217 Each of the witnesses may provide additional I encourage members and staff to stay through the 2 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 closed session given the gravity of the topic at hand 2 The administration recently issued a new policy 3 document known as National Security Presidential Memorandum 4 13 5 PPD or Presidential Policy Directive 20 which virtually 6 paralyzed the conduct of offensive operations by U S Cyber 7 Command outside of armed conflict 8 Department of Defense briefing on the new policy in the near 9 future The new policy entailed by NSPM-13 replaces that of I look forward to a I am hopeful this new policy will enable the 10 Department of Defense to act more nimbly and effectively to 11 counter and deter our adversaries' ongoing cyberattacks on 12 the United States attacks conducted with virtual impunity 13 However no such policy however well crafted will succeed 14 unless U S Cyber Command develops and maintains the high 15 level of cyber operational readiness required to implement 16 it 17 With the elevation of Cyber Command to status as fully 18 unified command and the Cyber Missions Forces achieving full 19 operational capability in May the Department cyber forces 20 appear to have moved beyond adolescence 21 that the current capability and operational readiness of the 22 Command fulfill the requirements entailed by these 23 designations 24 Gillibrand along with the remainder of the Personnel 25 Subcommittee because these shortfalls are not limited to It is now vital I invited Senator Tillis and Senator 3 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 traditional readiness measures of equipment and training 2 Indeed a great deal of the Department's cyber readiness 3 issues resolve around the shortage of skilled cyber-capable 4 personnel 5 Cyber Mission Force needs to be expanded in the future 6 I am concerned that the current recruitment pay retention 7 and career pathway structures in place are not equipped to 8 manage this problem 9 or tactical-level perspective from General Fogarty the These shortfalls will only be aggravated if the And I am thus eager to hear the service 10 operational Cyber Command's perspective from General 11 Steward the more strategic and governance perspective from 12 General Crall in OSD and the CIO and civilian personnel 13 perspective from Ms Miller 14 Department's plans to correct these shortfalls with the 15 Senators of the Personnel Subcommittee today 16 to have their expertise at this table 17 I am also eager to explore the I am grateful An ongoing concern of the subcommittee which I am sure 18 the Department shares is that we preempt a hollow cyber 19 force and that we have a cyber force that is adequately 20 staffed and equipped and has the necessary tools targeting 21 capability and development capability to respond to 22 operational needs 23 indigenous capability without over-reliance on NSA to 24 surveil adversary networks for zero-day vulnerabilities 25 produce malware to exploit these vulnerabilities and In particular Cyber Command needs the 4 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 implant this malware within a reasonable and realistic 2 timeline 3 own DODIN defense and national missions but also for those 4 conducted in support of the combatant commands 5 to hear about CYBERCOM's current capability and activity to 6 assist EUCOM's PACOM's and CENTCOM's operations 7 Such capabilities are necessary not only for its I am eager Each of our witnesses have an important role to play in 8 this space General Stewart as Deputy Commander of the 9 Cyber Command is most directly responsible for the 10 readiness of Cyber Mission Force 11 defining DOD cyber policy shapes and is shaped by the 12 capabilities offered by the Cyber Mission Force 13 Fogarty as Commander of the Army Cyber Command is the 14 executive agent for the persistent cyber training 15 environment and must man train and equip its cyber teams 16 General Crall's role in General And Ms Miller and the CIO's office generally retain 17 responsibility for the cyber infrastructure including that 18 on which the Cyber Mission Force will fight and test their 19 malware across the Department 20 I will close by thanking our witnesses for their 21 service and for their willingness to appear today before the 22 subcommittee 23 Senator Tillis 24 25 5 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 2 STATEMENT OF HON THOM TILLIS U S SENATOR FROM NORTH CAROLINA 3 Senator Tillis Thank you Mr Chairman 4 I'm glad our two committees were able to put together 5 this joint hearing 6 examine an important topic but also to share information 7 that's instructive to our independent roles on committees 8 And we should do more of them 9 I think it represents an opportunity to Success in the cyber domain is uniquely reliant on 10 highly qualified personnel Where aircraft carriers 11 stealth technology and smart weapons have given the United 12 States a discernible advantage in traditional warfighting 13 domains the U S military doesn't have similar 14 technological edges when it comes to cyberspace 15 must rely on intelligence creativity and cunning of our 16 people if we are to be successful in this rapidly changing 17 environment 18 dependent on access to talented people we look forward to 19 asking questions on the proper cyber workforce mix the 20 status of Cyber-Excepted Service and the larger personnel 21 management issues within the Cyber Mission Force Rather we Since operating in cyberspace is so heavily 22 I thank all of the witness for your willingness to be 23 here today and I look forward to the following questions 24 Senator Rounds Senator Nelson 25 6 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 2 3 STATEMENT OF HON BILL NELSON U S SENATOR FROM FLORIDA 4 Senator Nelson In the interest of time I'll submit 5 it for the record but the questions I'll be asking are Are 6 the forces the right size 7 training 8 have the tools and infrastructure they need 9 recruiting the right people 10 and managing their careers Are they getting the right Are they a good match for their mission Do they Are we And how are we retaining them 11 Thanks 12 The prepared statement of Senator Nelson follows 13 SUBCOMMITTEE INSERT 14 15 16 17 18 19 20 21 22 23 24 25 7 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Senator Rounds Senator Gillibrand 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 8 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 2 STATEMENT OF HON KIRSTEN E GILLIBRAND U S SENATOR FROM NEW YORK 3 4 Senator Gillibrand I will also submit my statement for the record 5 6 The prepared statement of Senator Gillibrand follows SUBCOMMITTEE INSERT 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 9 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Senator Rounds At this time I would ask -- Ms 2 Miller would you like to begin or did you have planned 3 sequence that you would like to deliver these remarks today 4 Ms Miller Mr Chairman if you don't mind we do 5 have a planned sequence 6 Senator Rounds 7 Ms Miller 8 Senator Rounds 9 General Crall begin 10 Okay We'll start with General Crall Very good Thank you 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 10 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 STATEMENT OF BRIGADIER GENERAL DENNIS A CRALL USMC 2 PRINCIPAL DEPUTY CYBER ADVISOR AND SENIOR MILITARY ADVISOR 3 FOR CYBER POLICY 4 5 General Crall I think the sequence should start with the junior person so I'll certainly oblige sir 6 First I'd like to thank the committee members for a 7 couple of things One for my invite to talk about a matter 8 that's clearly important to the Department and the Nation 9 but also your continued interest and investment in improving 10 these things that we're about to discuss today 11 certainly thank you for that 12 So I In your openings it's very clear that we all 13 understand the challenges we have We keep talking about 14 competitive spaces in cyberspace particularly in how we're 15 going to see information contested in our current and future 16 wars that we fight 17 dynamic as you've pointed out 18 recruitment retention the training aspect and development 19 of the cyber workforce 20 competition if you look at it that way -- these are really 21 partnerships but when it comes down to resources each of 22 these communities handles these differently and they all 23 have their own unique allures 24 know that it's difficult to match some of the compensation 25 packages But we also have an interesting We have competition in the And we understand that in our For private industry we It's also difficult to match the speed with which 11 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 they hire and onboard and start individuals and clear them 2 for some very sensitive projects 3 civilian side for the Department of Defense we have our own 4 allures as well 5 perform very unique mission sets you can't do anywhere else 6 and also the exposure to a wide array of technology that 7 really pulls individuals in 8 that and understand it well 9 On the military or the service to the Nation the ability to So we need to understand So what I'd like to do is cover a couple items very 10 briefly in my opening and that is to really set the stage 11 for how we -- enhancements that we're looking at on how we 12 recruit how we keep the folks that we recruit and how we 13 develop or train them 14 use some of that time to talk about the governance 15 structure as it is classified tied to our recently 16 published Cybersecurity Strategy and going into some of 17 those details require that setting 18 On the closed session I'd like to So to really get to the meat of what I will present 19 today is in the Cyber-Excepted Service These are 20 authorities and funding that Congress gave the Department 21 back in fiscal year '16 and the rollout of that started in 22 '17 23 I'll cover a couple of them with a few that are being 24 onboarded here really starting in the next 30 days the 25 first of which is this idea of moving between competitive And a couple of these incentives are already in place 12 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 service and noncompetitive service The idea of how we take 2 Title 5 and Title 10 blend them together and move 3 individuals and attract them to the Cyber-Excepted Service 4 without penalty or loss of grade or seniority 5 attractant 6 qualifications and advancements based on competencies where 7 you can be rewarded compensated and advanced because of 8 the unique training that you have 9 pay scale Certainly an The other is the idea of building And finally increased We know that the general service or competitive 10 pay scales stop at the pay band of 10 where the Cyber- 11 Excepted Service we've expanded that to include pay bands 12 11 and 12 which offers a little more flexibility for that 13 professional worker who would have no other place to go or 14 no other incentive to offer 15 albeit in a modest fashion 16 minute 17 Those are in place today I'll explain the numbers in a But they are in play What we're proposing are a few other items that will 18 again start here hopefully in the next few months One 19 of them is the idea of a targeted market compensation We 20 know that it's difficult to recruit competent quality that 21 we're looking for in every part of the country 22 cases it's due to high-demand low-density assets 23 just really a strict competition 24 don't exist writ large where we need them 25 targeted compensation package will allow us to apply that In some There's In other place they just So that 13 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 particular solution to that target set 2 We also are looking at the idea of retention bonuses 3 Current pay caps prevented us from applying these meaning 4 they were available but they couldn't be used in other 5 combinations 6 where it makes sense to apply them again to our most 7 gifted workforce 8 9 You've given us the authority to move out And finally the piece the Department has to solve is its long security clearance process We certainly don't 10 want to compromise the end result We want to ensure that 11 we understand who we're employing But we certainly 12 recognize that we've got to cut down the timeframe 13 you've asked us to do that 14 ways and means in front of us to do just that 15 And And we're -- certainly have From the total-force side that we're looking at we're 16 looking at the development and training aspects of this 17 enterprise and joint training standards 18 finishing a coding initiative so that we can understand what 19 a Military Occupational Specialty means in language to a 20 civilian hire that we have Right now we -- every service 21 uses different descriptions It's difficult to understand 22 how to move an individual from one spot to another 23 when you're trading spaces and looking at benefits of 24 training manpower reallocation and rightsizing the force 25 you have to start with a common lexicon We're just And And that coding 14 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 effort is largely complete 2 that we can develop 3 Goes a long way to making sure And also finally I would say putting on a career 4 path 5 ensure that we don't pyramid out where we have a lot of 6 competent people that are stuck in certain places but we 7 have either the rotation that they need to go to to continue 8 those skillsets or the advancement opportunities there in 9 front of them 10 What right looks like in a workforce management to More work to do on that front Definitely not there yet but certainly putting brainpower to that 11 On the military side I'd let the generals on the panel 12 discuss the efficiency of some of the things that they're 13 working on but direct commissioning we've been given the 14 authority to increase both our rates and the levels in which 15 we do that very similar to the way that we onboard doctors 16 lawyers and chaplains bringing in those specialists at 17 higher grades initially 18 how we can take people who are coming from the workforce and 19 actually give them the credit due for the job skills they've 20 had previously whether that be in the service or in private 21 industry 22 side as well 23 And also the constructive credit So those two are available for our military Looking at how we phase these phase 1 was a very 24 modest rollout We had roughly 363 I believe slots that 25 we created in Cyber-Excepted Service and we targeted U S 15 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Cyber Command with that initiative to begin with 2 percent of those billets were filled in relatively short 3 order which means I think we've got part of the cocktail 4 correct that the recipe may be right And that's only with 5 half the enhancement packages onboard But given the size 6 of our workforce that's a very small number 7 year we've -- we're going to expand that to about 8300 8 slots and we're going to target a few others -- DISA and 9 the service cyber components -- again rolling out the full 10 Almost 70 Starting this package to see if we can get that mix right 11 Some areas that I would tell the committee that I 12 believe we need to improve and in full transparency we 13 need to understand our market better 14 much anecdotal evidence and experience to describe what 15 attracts people and why people leave 16 say that most of it sounds right and we do have a few 17 studies that look at it from you know doing a couple of 18 recruiting tours market analysis is key and we've got to 19 make sure we're dialed in and we're not focusing on a goal 20 that's maybe a year or two old 21 I think we use too And while I would We may need to take a look at how we recruit I think 22 our message is slow to get out Not everyone knows what our 23 message is 24 is a little easier far stronger and we find that our 25 audiences are more informed On the military side I would say the campaign Very few understand what we 16 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 offer in the Federal Government side that would be an 2 attractant as well We've got to do better there 3 I attended a ribbon-cutting ceremony with Senator 4 Nelson a few years back at the Cyber Center in Tampa sir 5 And in both your public remarks and remarks to me 6 privately you stressed the importance of internships and 7 making sure that we stay connected to academia that we can 8 build the kind of force we need if they come out of the 9 schoolhouse equipped and right-set for us to put them to 10 work 11 and Special Ops Command right there 12 think our efforts are still too modest 13 come close to leveraging that requirement and that 14 opportunity 15 They groom very early 16 universities 17 to that workforce and we could learn something from that 18 So we have the means 19 to execute better to get after that 20 Neat environment in Tampa with U S Central Command And I'll tell you I I don't think we've Our intelligence community does that well They have recruiters at the They teach classes they stay very connected They're in front of us We've got We're a bit slow And lastly I would say we need to ensure that we have 21 a solid baseline and assessment mechanism so when we come 22 back here and talk to you about what's working and what's 23 not working and how we've spent money we can do so with the 24 right kind of accountability 25 all these incentives -- and you've charged us to be careful We've got to be careful with 17 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 with those -- to ensure we just don't simply throw money at 2 a problem without making sure that these are targeted and 3 they're targeted very specifically and the outcomes are 4 examined so we can keep that machine refined and moving in 5 the right direction 6 7 So hopefully with an opener I'll leave it at that and either take questions or pass it on for opening 8 Thank you 9 The prepared statement of General Crall follows 10 SUBCOMMITTEE INSERT 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 18 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Senator Rounds 2 And who would you like to have move next 3 Ms Miller 4 Thank you Well Mr Chairman had I known General Crall would cover the world -- 5 Laughter 6 Senator Rounds 7 Well that's okay because what we're going to do is Okay 8 we'll take all of your full remarks for the record but then 9 I'd ask that each of you limit your opening remarks to about 10 5 minutes and we'll kind of move from there 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 19 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 2 STATEMENT OF ESSYE B MILLER PRINCIPAL DEPUTY DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER 3 Ms Miller So -- 4 Senator Rounds 5 Ms Miller 6 Senator Rounds 7 Ms Miller Ms Miller would you like to go next So given that General Crall -Very good -- has done a great job of laying out 8 where we are with policy and governance and how we are 9 looking at the environment writ large -- and I'd like to 10 just add that the Department does face workforce challenges 11 that we need to address -- most of the job losses that we've 12 seen here over the last year or so total about 4 000 13 civilian cyber-related personnel losses 14 have to to his point work the recruiting piece of this 15 such that we are postured and we know what that industry 16 should look like what the objectives and the outcomes of 17 those hiring positions should be and how we manage the 18 force in terms of career paths 19 this is -- encompasses more than your traditional IT intel 20 role 21 criminal investigation and other occupational series that 22 we need to keep in mind such that we take a holistic 23 approach to how we execute the mission with our cyber forces 24 and drive effect and outcome 25 We're going to But keep in mind too It also includes some our health occupations So with that sir I look forward to your questions 20 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 I really appreciate the opportunity to have this discussion 2 with you today 3 The prepared statement of Ms Miller follows 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 21 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Senator Rounds 2 General Stewart Thank you 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 22 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 2 STATEMENT OF LIEUTENANT GENERAL VINCENT R STEWART USMC DEPUTY COMMANDER UNITED STATES CYBER COMMAND 3 General Stewart Yeah Mr Chairman Ranking Members 4 members of the committee first of all thanks for the 5 opportunity to do this 6 gotten -- that we've received from the committee that's 7 driven us to think about the policy think about the 8 strategy think about the readiness of the force has pushed 9 us in the right direction 10 I think the support that we've So I thank you for the opportunity to be here 11 But more than that I thank you for the opportunity to 12 be able to speak about the men and women who make up this 13 cyber force extraordinary men and women who today are on 14 mission against a threat that's operating -- that's 15 pervasive in this space 16 opportunity to talk about that and I certainly look forward 17 to the opportunity to discuss that in closed session And so I look forward to the 18 Among the things that we've learned over the last year 19 or so is that success in cyberspace requires -- in fact it 20 demands -- persistent engagement it demands persistent 21 presence and it demands a persistent innovative spirit 22 Failure to do that means that we will never compete against 23 near-peer competitors in this space 24 way now through how we move from growing this force to how 25 we persistently engage persistently have presence and we So we're thinking our 23 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 innovate in this space 2 We have shifted from building out those teams to how we 3 build a force that is operationally relevant and is able to 4 deliver outcomes as necessary from the Chairman -- from 5 the national authorities all the way through the Chairman 6 We've shifted a little bit from building capacity -- we 7 think about just personnel and their training readiness -- 8 to the capabilities 9 speaks to our necessity for the right tools or the munitions And those capabilities requirements 10 that we need in order to be successful in this space the 11 access that we need the authorities we need the 12 infrastructure we need and the intelligence necessary to 13 support operation of a relevant force 14 So we're now melding -- in order to get a better sense 15 of readiness we're melding both capability and capacity 16 against the problem sets that we've been assigned 17 we look forward we realize that the future requires us to 18 be continually engaged in order to compete in cyberspace 19 We're building a combatant command that will be postured for 20 success 21 accomplished what we have for this Nation without your 22 dedicated support that we receive from the committee 23 language you included in the FY19 NDAA was especially 24 helpful and we thank you for your continued advocacy and 25 support and we look forward to your questions So as And we couldn't have built that without -- or The 24 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 The prepared statement of General Stewart follows 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 25 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Senator Rounds 2 General Fogarty Thank you General 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 2 STATEMENT OF LIEUTENANT GENERAL STEPHEN G FOGARTY USA COMMANDER U S ARMY CYBER COMMAND 3 General Fogarty Chairman Rounds Chairman Tillis 4 Ranking Members and members of the subcommittee I want to 5 thank you for the support from both committees which is 6 vitally important to Army Cyber Command's continued progress 7 and the critical missions of our dedicated and talented 8 soldiers Army civilians contractors Reserve and Army 9 National Guardsmen carry out every day on behalf of the Army 10 and the Nation 11 The Army's philosophy for training is to train as you 12 fight For the Army's teams within the DOD Cyber Mission 13 Force training to a joint standard is predicated on a 14 culture of adaptive learning for operations and form 15 training at every level 16 in cyberspace also depends on employing realistic dynamic 17 and complex range environments against simulated peer and 18 near-peer adaptive adversaries 19 training must be tough realistic relevant and holistic 20 just like it is for the rest of our forces 21 achievement of full operational capabilities for the Army's 22 CMF last year the Army and joint forces are shifting focus 23 to measuring and sustaining CMF readiness 24 full operational capabilities of these teams was an 25 important milestone it is certainly not an end state and A train as you fight philosophy Cyber Mission Force With the While achieving 27 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 doesn't tell the complex story of the Army and joint force's 2 overall readiness to fight and win 3 Readiness is a combination of the CMF's ability to 4 conduct cyberspace operations reflects a team's ability to 5 plan develop access report and maneuver in cyberspace 6 hold targets at risk and deliver capabilities based on 7 assigned missions 8 operations and it must be the standard we use for training 9 This includes a focus on nonstandard access methodologies This is the standard we use for 10 Title 10 operator training and integration with mission 11 partners to improve mission readiness 12 we fight 13 Again training as Army Cyber Command's mission success rests on our 14 people We must recruit retain and reward the most 15 talented people 16 talent management 17 management initiatives continue to show increased results in 18 civilian hiring and military recruiting 19 challenge with retaining the core skills that we need 20 have a superb recruitment pool that we draw from 21 the training is outstanding 22 our challenge as the other witnesses have already 23 mentioned is the compensation to keep that trained force 24 You know the average interactive online operator it takes 25 about 2 and a half years of training to be able to conduct And as such we put tremendous focus on Thanks to your support Army talent But we do have a We I think They get on the mission But 28 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 operations And in a 6-year enlistment you get about 3 2 maybe 3 and a half years of useful work out of that 3 individual 4 really the incentives we need to maintain that force So it's absolutely critical that we roll out 5 Now readiness of the total force requires that our 6 investment in cyber ensure that Active and Reserve and Guard 7 forces are trained and equipped to one standard 8 continue to make progress toward fully integrating the 9 Army's Reserve and National Guard into the Cyber Mission We also 10 Force We're already benefiting from the critical skills 11 the Reserve component brings to bear and look forward to 12 their full integration 13 The Reserve component is approved to build and maintain 14 21 Cyber Protection Teams 11 in the Army National Guard and 15 10 in the U S Army Reserve 16 two Army Reserve CPTs have already achieved initial 17 operational capabilities 18 scheduled to have all 11 CPTs at full operational capability 19 by fiscal year '22 20 fully operational-capable by FY24 trained and equipped to 21 the same standards as the Active component 22 PCT at detail to answer your questions 23 One Army National Guard and And the Army National Guard is In the Army Reserves 10 CPTs will be I'll discuss One of the things I did want highlight is my command 24 is getting ready to move from Fort Belvoir down to Fort 25 Gordon Georgia We'll do that in about 18 months And 29 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 that is a significant investment almost $1 3 billion that 2 the Army has placed in Army Cyber Command and the Army Cyber 3 Center of Excellence which is our premier schoolhouse 4 we train Active we train civilians and then we train Army 5 National Guard and Reserve forces 6 important because we'll have the operational headquarters 7 the operational platform and the schoolhouse all on the 8 same location 9 ability to take operators that are in active missions to be 10 able to move over and instruct realtime in the classroom 11 It also gives a stability for our workforce 12 an entire career at Fort Gordon Georgia if you decide that 13 you wanted to have your family there And For the Army this is And we think that's going to give us the You can have 14 The soldiers civilians and contractors from Army 15 Cyber Command are persistently engaged against a wide range 16 of adversaries and competitors in the cyber domain 17 remain committed to preserving U S superiority in 18 cyberspace and defending the Nation 19 committed to working with our interagency partners 20 international allies and partners the defense industrial 21 base and defense critical infrastructure partners to secure 22 that critical infrastructure 23 operations in the cyber domain require problem-solving in 24 ways never employed before by the U S Army 25 creativity aggressive problem-solving and rapid mastery of We Furthermore we are It's worth stating that But 30 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 new fighting methods are not just possible for the Army 2 they are in fact qualities that lie at the core of our 3 service 4 we will continue to make progress and continue to achieve 5 mission success 6 7 I'm confident that with your continued support I thank you for the opportunity to testify today and look forward to answering your questions 8 9 The prepared statement of General Fogarty follows SUBCOMMITTEE INSERT 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 31 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Senator Rounds Thank you General 2 This group in front of us as a team has a huge 3 responsibility Cyberspace this new domain requires 4 personnel 5 with both subcommittees Personnel and Cyber together is 6 because we recognize the seriousness of the situation at 7 hand The reason that we're doing a program like this 8 General Fogarty the Army faces significant manning 9 gaps in the roles of tool developers and interactive on- 10 network operators or I think as we call them IONs 11 While the Army needs about 150 operators for example it 12 has about half of its requirements 13 that the Army has only about 14 spots in the RIOT training 14 which is the as they would call Remote Interactive 15 Operational Training which is provided by the NSA 16 half of these personnel will fail the training meaning that 17 the Army might only see seven graduate to the Cyber Mission 18 Force or CMF as capable operators for any given RIOT 19 course 20 level given promotions and retirements and yields a major 21 capability gap 22 has facilitated -- they're obtaining more spots in training 23 as required and that because they send their operators to 24 training later they are less likely to fail leaving them 25 without the shortfalls that afflict the Army Part of the problem is About This could leave the Army below the replacement The Air Force has noted to us that the NSA 32 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 My specific question is What is the impact of the 2 resulting gaps -- in particular in infrastructure IONs 3 and tool developers -- on your operations 4 General Fogarty So Senator we have identified three 5 critical missions for -- or critical work roles for the 6 offensive force 7 and the tool developers 8 Army is in a different point 9 our challenge with IONs So the IONs the exploitation analysts And each one is really -- for the So you've aptly described There are two things that we're 10 doing about this First of all as we conduct more and more 11 operations off of Title 10 infrastructure -- and the Army is 12 really -- we were the service that had Title 10 13 infrastructure first we've got the most robust capability 14 -- what we recognize is not every ION has to be RIOT 15 qualified 16 our IONs to actually operate off the Title 10 17 infrastructure 18 them as they start to act conduct reps 19 identify better those star athletes that we need to send to 20 RIOT 21 has better aptitude a better likelihood of actually 22 graduating and that would essentially double our numbers if 23 we can get that straight per -- We have a Title 10 operators course that allows That gives us the opportunity to observe Then we can And what we're hoping is we can identify someone who 24 Senator Rounds Excuse me 25 General Fogarty You don't -- -- per year 33 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Senator Rounds -- you don't quite have it straight 2 yet so what is that doing to your operational timelines 3 today 4 General Fogarty So what happens sir is with the 5 current limit of 15 per year -- and I would say for the Air 6 Force we actually gave up slots both for EAs and IONs so 7 they could actually get fully operational-capable and meet 8 their timelines 9 But I think the big thing is we weren't selecting people So we took a little bit of hit there 10 that were making it all the way through the course 11 getting them in the Title 10 operators course we get them 12 actually on mission much sooner than we do if we send them 13 through RIOT training 14 athletes that would then allow us to get them into RIOT 15 have a much better chance of graduating 16 will increase graduation 17 So by That allows us to determine the best So we think that We've also talked to General Nakasone We think 18 ultimately we're going to have to expand the throughput of 19 the RIOT course 20 to meet our ultimate requirements 21 So we think that's going to be necessary But we think success for us is a number of RIOT- 22 trained operators and then a larger number actually of 23 Title 10 operators 24 eloquently we've got to get off of the NSA platform become 25 more independent Because again as you said very The Title 10 infrastructure with Title 10 34 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 IONs actually allows us to achieve that goal 2 Senator Rounds One thing that I'm going to ask for 3 the record of both you General Fogarty and also for you 4 General Crall is a timeline for actually meeting the 5 guidelines necessary to make that happen 6 7 The information referred to follows SUBCOMMITTEE INSERT 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 35 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Senator Rounds And General Crall I'm out of time 2 but the same questions that I've asked of General Fogarty I 3 will be asking of you for the record as well 4 5 The information referred to follows SUBCOMMITTEE INSERT 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 36 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Senator Rounds 2 With that Senator Tillis 3 Senator Tillis 4 And again thank you all for being here 5 General Crall thank you for I think covering good 6 Thank you Thank you Mr Chair landscape in your opening comments 7 And Ms Miller my first question is for you 8 believe you chair the Cyber Workforce Management Board 9 that correct 10 Ms Miller 11 Senator Tillis 12 Ms Miller 13 Senator Tillis And I Is Yes sir along with -And P R co-chairs right -- P R exactly Tell me a little bit about how that 14 relationship works and how the roles are playing out right 15 now 16 Ms Miller Well actually sir we're very well 17 aligned The board was charted to manage the health and 18 welfare maturity of the force both civilian and military 19 so we have an opportunity to oversee and assess the use of 20 the force how we are doing on the recruiting and 21 attracting as General Crall talked about 22 efforts have been focused on Phase 1 and how we code the 23 positions identifying the work roles and understanding 24 where our shortfalls are and where we need to focus our 25 efforts Predominantly But I think it's pretty safe to say the 37 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 relationship between the three organizations are very 2 closely aligned 3 are joined at working the issues be it with the coding or 4 with the hiring-and-retention piece 5 We meet on a regular basis and our staffs Senator Tillis And this question is probably for all 6 of you I spent virtually all of my professional career in 7 technology first in research and development then 8 architecture definition deployment and then project 9 execution And you know some -- I worked at 10 Pricewaterhouse so sometimes we would acquire another firm 11 or at IBM we would acquire another firm and it would be 12 standing alone but it really didn't make sense to have it 13 stand alone for long 14 can see a very rational basis for -- the mission of the 15 Marines has its own kind of training tools tactics it's 16 separate from the Army the Navy the Air Force 17 this domain I'm struggling -- except at the atomic level 18 maybe equipment that you need to a service line -- I'm 19 struggling to understand why we're not looking at a more 20 innovative way to leverage -- you know we had matrixed 21 organizations where we have the silos of the service lines 22 now or we had market domains or technology domains -- but 23 the common platform that we're talking about can you 24 explain to me the rationale for having -- and the risk of 25 having duplicative systems and environments and potentially And in most of your mission sets I But in 38 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 sub-optimizing some of the cross-learning 2 that any one service should own it but I'm wondering 3 whether or not we should be looking at a very different 4 structure than the current trajectory 5 General Stewart I'm not saying Let me take the first shot at this 6 one 7 forward Senator is what we call the Joint Cyber 8 Warfighting Architecture 9 It includes building common firing platforms common set of 10 tools common infrastructure common cockpit for command and 11 control 12 themselves but we will designate a specific service to 13 build one element of that Joint Cyber Warfighting 14 Architecture 15 16 In fact what we've designed and what we've put It is an integrated architecture Now none of the services will do that by Senator Tillis So a center-of-excellence sort of capability 17 General Stewart So for the training component the 18 Army will take that persistent common training environment 19 And so they will bring that into a common architecture 20 where U S Cyber Command will set the standards set the 21 information exchange protocols and then each of the 22 elements within our subordinate elements within Cyber 23 Command will build those pieces and those components to a 24 common standard 25 each of the services build their own unique tools build So we get the idea that we don't want 39 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 their own training environment build it on -- and so now 2 we've put that all together and we structured that into 3 what we call the Joint Cyber Warfighting Architecture 4 Senator Tillis 5 General Stewart 6 Senator Tillis 7 General Stewart 8 Senator Tillis 9 And the government -So we're moving in that -Okay -- direction Because I'm going to be limited on time -- I have to step out briefly to go to a VA Committee 10 -- I think that the -- with respect to something that 11 General Fogarty and I talked about and as Chair of the 12 Personnel Subcommittee we have provided some authorizations 13 that hopefully are helping you be a little bit more 14 competitive recruiting and retaining resources 15 can expect that we'll have a hearing in Personnel to talk 16 about what more we can do 17 But you And General Crall you made a very important point 18 If we're giving you these authorities to use to be more 19 competitive but we're also going to be expecting seeing how 20 they've been used and what the results are 21 discuss those in the -- we'll discuss those in the hearing 22 or in meetings that we'll have in my office 23 And we'll And for many of you I've got a lot of questions and 24 I know -- I'm looking forward to getting back so we can go 25 to the closed session but I'll probably have a number of 40 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 questions that are structural in nature that'll be 2 instructive to some of the work we'll be doing on the 3 Personnel Subcommittee 4 Thank you Mr Chair 5 Senator Rounds 6 Senator Nelson 7 Senator Nelson Thank you General Stewart how are we going to 8 objectively measure the readiness of Cyber Mission Forces to 9 execute their mission 10 General Stewart 11 that the Chairman measures 12 folks that the services are providing the level of their 13 training 14 that 15 is clearly define the mission essential task and the joint 16 mission essential task that says When a team is presented 17 to us here are the things that we need them to do against a 18 particular target set 19 personnel 20 are either providing them at a certain level or they're not 21 they're either trained to a certain level or not 22 quite frankly the services are doing a remarkable job in 23 presenting personnel 24 25 So we know we have a standard now personnel readiness number of So we have a standard approach for measuring Now what we have to do is -- in U S Cyber Command That is more than just the That's easy objective measurement Senator Nelson The services And Will the combatant commanders understand this so-called meaningful set of metrics that 41 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 you're talking about a standard 2 General Stewart There is no doubt in my mind that 3 we've identified intelligence requirements that are 4 essential for delivering capabilities we've identified 5 access requirements that are important we've identified 6 tools and munitions that are important we've identified 7 architecture that's important to get to the target 8 are things that I think any combatant commanders would 9 understand In order for me to have an operational effect Those 10 here are the things that I must have in order to deliver 11 those outcomes 12 and we'll continue to refine that over time 13 So we think that's pretty well-defined Senator Nelson So how are you going to make sure 14 that the services are giving you what you need in their 15 training and standards 16 General Stewart We've now mandated or laid out the 17 requirements for 1 000-2 000 level That's the basic entry- 18 level training 19 and capacity 20 opportunity to see the things that the Army was doing 21 of the services understand the requirements 22 frankly Senator I think they're delivering a fairly 23 capable -- and I say that fairly capable because we now 24 have to take them when they come to Cyber Command and take 25 them from the journeymen and the apprentice level to the And the services are building capability We were just down in Georgia had an All And quite 42 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 mastery level 2 job and we have to -- to go back to the question on IONs 3 for instance we have to now define whether or not we have 4 the right number of IONs on the teams 5 number based on our best guess of how we would operate in 6 the space 7 and that will change the training requirements and allow us 8 to do some things that are more creative to get our 9 workforce from journeyman from apprentice to a mastery 10 level 11 I think the services are doing a remarkable We started with a The reality is we may not need as many IONs And I -- we're working to refine those as we speak Senator Nelson General Fogarty the Secretary 12 assigned to you the job of building a cyber range and 13 training system 14 being consolidated and moving to a Cloud 15 Why aren't all of these separate ranges General Fogarty Senator currently there are so many 16 ranges -- there are so many ranges 17 for the training ranges 18 and-evaluation ranges that TRMC is the executive agent for 19 I'm the executive agent There are a whole series of test- Services have built ranges So what we're trying to do at 20 this point is start to move these ranges connect them 21 the objective actually is to move them into the Cloud 22 that's the direction we believe we need to be at 23 And So But it's -- I think it's similar to many challenges 24 Over a long period of time you had organizations that built 25 their own capability because they had an immediate need for 43 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 it 2 those 3 different ranges are how to better connect them 4 certain ranges that frankly we'll probably have very 5 limited interest in 6 requirement but it's not for the Cyber Mission Force 7 There's others that are very robust 8 duplicate that 9 ranges 10 We're at the point now where we're -- we've inventoried We know what the advantages and disadvantages of the There are It doesn't mean there's not a We don't want to We actually want to connect to those Senator Nelson Can I assume that what you're saying 11 is that you're going to move to the Cloud so that you don't 12 have to constantly upgrade the in-house computing 13 infrastructure 14 15 General Fogarty Senator that's actually a succinct way of saying that but we're -- 16 Senator Nelson Okay 17 General Fogarty 18 Senator Nelson 19 General Fogarty 20 Senator Nelson -- we're not there yet -Let me --- for sure Let me ask General Crall Cyber 21 Command created in '09 but it wasn't until '13 that we 22 actually started to build the mission force 23 of years we had a Command with no forces 24 couple of years for the Department to start the acquisition 25 process for command and control network infrastructure So a number It took another 44 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 weapons and so forth 2 General Crall Why the delays Sir that's probably a question that 3 I'll have to go back and do some forensics to give you an 4 adequate answer 5 apply generally and certainly not making excuses 6 understanding what rightsizing looks like I've learned the 7 challenges of moving anything quickly in the Department 8 Matching resources at the time they're available with the 9 need and the planning that we're trying to execute has also I can give you a few answers that I think But 10 been a challenge 11 infrastructure writ large 12 infrastructure for 10 years at least in a holistic 13 fashion 14 looking at the problem set in a new way 15 session we're going to lay out a placemat for you to 16 consider the eaches of how we're trying to do this in a 17 way that makes some sense 18 the areas that we're making improvements on General Stewart 19 has already covered 20 building 21 what's right in their own eyes in the process and not 22 holding individuals or services accountable for a common 23 standard I believe have all been contributors and 24 significant contributors to delays 25 You could ask the same question on our We've been modernizing our IT Change has been difficult but I think we're And in the closed But I'll tell you sir one of We've allowed too much of unique Lack of standards allowing each person to do Senator Nelson Thanks 45 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Senator Rounds Senator Gillibrand 2 Senator Gillibrand General Stewart I appreciate that 3 your authority is focused on addressing foreign 4 cyberactivities and you're constrained in working on 5 domestic matters 6 adversaries have abused the borderless nature of the 7 Internet to stage cyberattacks on our domestic critical 8 infrastructure such as our election system 9 coordinate with domestic Federal agencies as well as local 10 and State agencies where much of our election security is 11 entrusted 12 However I'm very concerned that foreign General Stewart How do you Well we're generally not Senator 13 directly interfacing with the State and local levels 14 are in fact working closely with the Department of 15 Homeland Security 16 ensure that they understand the threats as we see the 17 threats that we've asked them to pass those indicators of 18 compromises down to the States so they can also see the 19 threats 20 with and through DHS to get the insights that we have both 21 from Cyber Command and from our NSA partners turn those 22 into real indicators and pushing those out to the State and 23 local level 24 to the State and local levels 25 We We've had a series of engagements to So we're working this to borrow a phrase by Beyond that we have limited authority to go So if I were going to use this platform to send a 46 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 message I suspect the message would be 2 indicators of compromise from DHS down to the State levels 3 how do we make sure the States are loading those indicators 4 of compromise onto the appropriate sensors and then passing 5 them back up through DHS so that we can be proactive in 6 going after the adversary in gray and red space 7 Senator Gillibrand As we move It also sounds though that your 8 limited authority is limiting for you I'm concerned that 9 you know you have a mission to protect this country and our 10 critical infrastructure That's part of Department of 11 Defense mission 12 authorities you need in fact to prevent or stop or respond 13 to cyberattacks to critical infrastructure if it has to do 14 with the electoral system 15 So one thing that I hope you will do is seek the 16 authorities that you think you need from this committee 17 because regardless of what the administration believes I 18 believe that better coordination more holistic 19 coordination through the National Guard perhaps so that 20 the States can have on-the-ground expertise that is feeding 21 information and data and intelligence back up to the 22 Department so that you have a fully integrated defense 23 system for this country 24 powerplant or they were bombing or even cyberattacking a 25 powerplant you might have a response or a responsibility But you've not been given all the And I think that's a mistake Because if they were bombing a 47 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 but because somehow it's an election infrastructure you 2 have to stay hands-off 3 authorities as you believe from your expertise you think 4 you should have them 5 General Stewart So I hope that you will seek In the closed session we should 6 probably talk about the changes in authorities over the last 7 6 months 8 Senator Gillibrand 9 General Stewart Correct If you had approached me 6 months ago 10 about the limits of our authorities I would tell you that 11 it would cause me great frustration 12 Senator Gillibrand 13 General Stewart 14 Yes We're in a much better place today Senator 15 Senator Gillibrand I understand But I think 16 there's even more authority that you should seek especially 17 in giving more support to the National Guard to continue to 18 be eyes and ears on the ground 19 pursue this more in closed session because I think it's so 20 vital And we will -- I will 21 General Crall the military's ability to pay for high- 22 quality educational degrees through ROTC programs or direct 23 accession programs for skilled doctors and lawyers have 24 undoubtedly played a key role in recruiting talented 25 individuals into our uniformed ranks In addition to paying 48 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 cyber operators for the skills through specialized 2 compensation I also believe we should leverage our ability 3 to pay for the educational -- education of servicemembers 4 and civilians interested in joining the cyber workforce 5 you believe that a cyber ROTC scholarship or advanced 6 degree-holders would help us to attract skilled military 7 cyber officers 8 9 General Crall course of action Ma'am I do Do I believe that's a wise In fact in the opening we talked about 10 expanding all the opportunities 11 to that is it's important for us to ensure that when we 12 track this we learn what's working and what doesn't work 13 I've found that sometimes these things are a bit 14 counterintuitive 15 as you would expect us to and we want to make sure as the 16 markets change we follow those trends very carefully and we 17 apply our valued resources to the right population groups 18 and pockets 19 But what I would also add We have to apply our resources properly But I will say this Every university -- this is 20 anecdotal this is me walking around and talking to people 21 in these environments -- it is the most talked-about subject 22 matter 23 the local communities we've got a large force of young 24 civilians who are very interested and eager to work in the 25 cyber workforce Whether we're at the service academies or out in 49 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 Senator Gillibrand Thank you 2 Thank you Mr Chairman 3 Senator Rounds 4 Senator Warren 5 Senator Warren 6 And thank you to our witnesses for being here today 7 Talent management is a critical component of the Thank you Thank you Mr Chairman 8 ability to maintain cyber readiness 9 need to recruit and retain for a set of skills that might 10 not necessarily be considered traditional military skills 11 I was glad to see that talent management is included as a 12 key component of the Department's updated cyber strategy 13 which was released last week 14 offer much detail on the specifics of how exactly the 15 Department plans to recruit and retain men and women with 16 the necessary skills 17 And that means that we But the strategy doesn't So can I start with you General Crall Can you be 18 more specific for us on the Department's long-term plans for 19 cyber talent management 20 General Crall Yes ma'am I can And I'll also share 21 with you some shortcomings in that because I think your 22 instincts of maybe -- on some of the leads of understanding 23 that market we may not be as refined as we need to be 24 share -- if those are your concerns I share some of those 25 I But yes when it comes to developing you know the 50 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 recruitment aspect the military side has a very unique 2 recruiting campaign and designated workforce that gets after 3 that professional recruiters who work very aggressively at 4 ensuring that message is out 5 described a kind of a vacuum for the Federal Government 6 side 7 initial tenets of our Cyber-Excepted Service well known 8 So we need to get our message out for one 9 In part of my opening I The civilian side we really don't have even the One of the ways that we could get that message out is 10 to ensure that we have very robust presences in areas where 11 these people are being trained -- in academia you know our 12 universities internships exchanges with private sector -- 13 all of those areas where we can get natural exposure to some 14 of those benefits that only we can provide 15 still I would say maybe anecdotal to express it this way 16 the people that we've spoken to have explained very 17 carefully their desire to serve the Nation do unique 18 mission sets they can't do in the private sector and work 19 with emerging technology 20 offer that -- very unique to our government 21 need to do more in that 22 And while it's Those are things that we can So yes we On the civilian side for Excepted Service I had 23 mentioned we've covered a few to close some of the pay gaps 24 Congress has given us the authority to address some of 25 those to include regional pay gaps compensation higher 51 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 step increases 2 who are really at our doorstep already 3 better job of getting the word out on what we can offer and 4 to pursue those individuals at a very early start 5 But those are normally only known by those Senator Warren We need to do a Well I'm very glad to hear this 6 General Crall and glad to hear your enthusiasm for this 7 You know our readiness is only as good as our people 8 if we don't recruit and retain the best and offer the kind 9 of career incentives for people to stay in public service 10 then we can't mount an effective cybersecurity defense or 11 response 12 And So thank you for that I have one other issue I want to raise I am a big 13 supporter of the Defense Innovation Unit which has an 14 office in Cambridge for piloting new approaches to 15 technology including cyber and software engineering 16 want to ask about one of those experiments 17 software system at the Al Udeid Air Operations Center in 18 Qatar was so outdated -- are you ready for this 19 airmen were using a flight board to manage aerial refueling 20 Now in response DIU worked with the Air Force to sponsor a 21 small program called the Kessel Run to teach Active Duty 22 Air Force personnel how to code 23 at a cost of just about $2 million they designed a software 24 application that automated the refueling 25 airmen now have the coding skills they can continuously And I In 2016 the In 2016 In the span of 4 months And because the 52 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 update that software to meet the mission 2 So maybe I could ask you Ms Miller Do you think 3 having in-house coding ability like this can also help 4 improve our cyber operational readiness 5 Ms Miller Yes ma'am I do And that's actually one 6 of the skillsets 7 skills that we know we need to mature that is one at the 8 top of the list 9 If you look at the list of specific Senator Warren So we're trying to build this in- 10 house I think that makes a lot of sense I'm glad to hear 11 it 12 running was not easy 13 resistance within segments of the Department 14 question I want to ask is How can we normalize and scale 15 these types of programs up and make technical skills like 16 coding or cyber defense a core competency for Active Duty 17 personnel and defense civilians But getting the Kessel Run Development Lab up and I understand there was some real So the 18 General Crall it looks like you want to answer 19 General Crall 20 Yes ma'am This is an exciting question because you're -- 21 Senator Warren 22 General Crall Good -- you're spot-on We have young 23 folks who are -- have zero experience in doing this 24 formally who are writing programs for us today 25 to my answer earlier the proper venue and outlet for this Going back 53 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com 1 is to ensure that we have the right developers toolkits and 2 the right coding infrastructure the lateral limits left 3 and right so that they know what standards to write these 4 to 5 Department of trying to make these disparate software 6 applications communicate with each other 7 closed session I can cover some of the solutions we have 8 But they are screaming for ways to contribute and we are 9 taking that onboard and it's showing great promise 10 We spent a lot of time and frustration in the And in the But there is a lot of work ahead ma'am 11 Senator Warren Good So I -- again I'm glad to 12 hear your enthusiasm but I sure want us to concentrate on 13 how we can scale this up and normalize it within the 14 Department 15 Thank you 16 Thank you Mr Chair 17 Senator Rounds 18 Okay this will conclude the open portion of the Thank you Senator 19 session My intention is to recess until 4 o'clock and 20 that will be in SVC-217 21 At this point we will recess 22 Recess until 4 00 p m 23 24 25 54 Alderson Court Reporting 1-800-FOR-DEPO www aldersonreporting com