
tv   [untitled]    April 3, 2012 2:00pm-2:30pm EDT

2:00 pm
intellectual property, we must do more to prevent, respond to and deter cyber threats. the inevitability of a large scale cyber attack is an existential threat to our nation and does little to influence the psychology of attackers who operate in a world with few if any negative consequences for their actions. last july general cartwright, the former vice chairman of the joint chiefs of staff, criticized the administration's reactive strategy for operating in cyber space saying, "if it's okay to attack me and i'm not going to do anything other than improve my defenses every time you attack me, it's very difficult to come up with a deterrent strategy." i look forward to hearing from our witnesses if they believe
2:01 pm
that a strategy overly focused on defense is sustainable and whether they agree more must be done to deter and dissuade those who look to hold u.s. interests at risk via cyberspace. the senate will soon begin debate on cyber security legislation. the central themes in that debate will focus on how to improve information sharing across the spectrum and whether a new government bureaucracy will improve our cyber security. >> i have proposed legislation that first focuses on removing legal hurdles that hinder information sharing. if a timely response is essential, how would another layer of bureaucratic red tape be helpful? while a secured act does not give new authorities to the national security agency or u.s. cyber command, few will deny that those institutions not the department of homeland security are most capable of guarding against cyber threats.
2:02 pm
unfortunately, other legislative proposals favor adding prematurely more government bureaucracy rather than focussing on the objective of protecting our cyber interests. general alexander, during an fbi sponsored symposium at fordham university, you stated that if a significant cyber attack against this country were being planned, there may not be much that either cyber command or nsa could legally do to discover and thwart such an attack in advance. you said, "in order to stop a cyber attack, you have to see it in realtime, and you have to have those authorities. those are the conditions we put on the table." now, how and what the congress chooses, that will be a policy decision. in a fight where the threat can materialize in milliseconds and quick action is essential, i look forward to better understanding what authorities you believe are needed to protect the united states interests both at home and
2:03 pm
abroad. the department of defense is requesting nearly $3.4 billion for cyber security in fiscal year 2013, and almost $17.5 billion over the future years' defense program. the cyber budget is one of the only areas of growth in the d.o.d. budget because of broad agreement that addressing the cyber threat must be among our highest priorities. i thank the witnesses for appearing before the committee today and look forward to their testimony. thank you, mr. chairman. >> thank you very much. senator kehler. i mean, general kehler. excuse me. >> thank you, mr. chairman. if it's okay with you, i'd like to have my statement admitted to the record. >> it will be part of the record. >> sir, senator mccain and distinguished members of the committee, thanks for this opportunity to present my views on united states strategic command's missions and priorities.
2:04 pm
very pleased to be here today with general keith alexander, cyber command's commander and of course as both of you have pointed out, cyber is a critical component of our global capabilities. without question, mr. chairman, we continue to face a very challenging global security environment marked by constant change, enormous complexity and profound uncertainty. indeed, change and surprise have characterized the year that has passed since my last appearance before this committee. over that time, the men and women of strategic command have participated in support of operations in libya and japan, have supported the withdrawal of u.s. combat forces from iraq and have observed the arab spring, the bold operation that killed osama bin laden, the death of kim jong il and the succession of kim jong un, the passage of the budget control act and the adoption of new defense strategic guidance. through this extraordinary period of challenge and change, stratcom's focus has remained
2:05 pm
constant. to partner with the other combatant commands to deter, detect and prevent attacks on the united states, our allies and partners and to be prepared to employ force as needed. our priorities are clear. deter, attack, partner with the other commands to win today. respond to the new challenges in space. build cyber space capability and capacity, and prepare for uncertainty. transcending all of these priorities is the threat of nuclear tooerm materiels or weapons in the hands of extremists. conflict will likely be increasingly hybrid in nature, encompassing, land, sea and space and cyber space and likely cross geographic boundaries, involve multiple participants. be waged by actors wielding
2:06 pm
compacts of strategies and tactics. i think it's important to note the same space and cyberspace tools that connect us together to enable global commerce also present tremendous opportunity for disruption and perhaps destruction. just last month the department of defense released new strategic guidance to address these challenges. this new guidance describes the way ahead for the entire d.o.d., but i believe many portions are especially relevant to stratcom and our broad assigned responsibilities. for example, global presence, succeeding in current conflicts, deterring and defeating aggression, countering weapons of mass destruction, effectively operating in cyber space, space, and across all other domains and maintaining a safe, secure and effective nuclear deterrent are all important areas in the new strategy where the global reach and focus play a vital role.
2:07 pm
these are important responsibilities, there are real risks involved in the scenarios we find ourselves in today. it's my job to prepare for those events and to advocate for the sustainment and modernization efforts we need to meet the challenges. in that regard, the fiscal year 2013 budget request is pivotal for our future. we're working hard to improve our planning and better integrate our efforts to counter weapons of mass destruction, we need to proceed with our nuclear delivery, command and control systems. we need to proceed with life extension programs for our nuclear weapons and modernize the complex area that cares for them. we need to improve resilience of our space capabilities and enhance our situational awareness of the congested, competitive and contested domain. we need to improve the protection and resilience of cyber networks, increase capacity and work across the interagency to
2:08 pm
increase protection of our critical infrastructure. enhance our isr capabilities. we need to get better at electronic warfare, we need to practice how to operate in a degraded space and cyberspace environment. we need to improve our understanding of our adversaries. review our plans and improve our decision processes and command relations. all subjects that the two of you touched on in your opening comments. in short, the new national security reality calls for a new strategic approach that promotes agile, decentralized action from a fully integrated and interdependent and resilient joint force. these are tough challenges but the men and women of stratcom view our challenges as opportunities. the chance to partner with the other commands to forge a better, smarter and faster joint force. we remain committed to work with this committee, the services, other agencies and our international partners to provide the flexible, agile and reliable strategic deterrence and mission assurance
2:09 pm
capabilities that our nation and friends need in this increasingly uncertain world. mr. chairman, it's an honor and privilege to lead america's finest men and women. they are our greatest advantage. i'm enormously proud of their bravery and sacrifice, and i pledge to stand with them and for them to ensure we retain the best force the world has ever seen. in that, i join with the secretary of defense and the chairman of the joint chiefs of staff and other senior leaders, my colleagues, other combatant commanders in thanking you for the support you and this committee have provided them in the past, present, and on into the future. before i close, mr. chairman, i would like to pause and remind the committee that stratcom is headquartered in the great state of nebraska. and i wanted to take this opportunity to thank senator ben nelson for his service. senator nelson will retire at the end of this congress, and during his service he has worked diligently to better the lives of our troops and strategic forces. those who work at the air force
2:10 pm
base at offutt are well aware of his deep commitment to them. on behalf of your fellow nebraskans at stratcom, senator, we offer our thanks. thank you for this opportunity. i look forward to your questions. >> thank you very much, general. thank you for your reference to general ben -- now i call him a general and you a senator. to senator ben nelson. we all feel very much the way you do and grateful for your reference to him. thank you. general alexander? >> chairman levin, ranking member mccain and distinguished members of the committee, thank you for the opportunity to appear before you today. i'm pleased to appear with general bob kehler, and i echo his comments all across the board, including with senator nelson. i would start up front by echoing some of those comments which is, it is a privilege and honor to lead the soldiers, sailors, airmen, civilians of marines of cyber command in nsa. we have great people.
2:11 pm
thanks for what you do to get those great people for us. i'd like to thank you and your colleagues for your support and helping the command move rapidly forward in our efforts to address emerging threats and concerns to our nation. i also need to thank all our partners throughout d.o.d., dhs and the fbi and the endeavor to build capability and capacity. cyber is a team sport and we could not have come this far and accomplished as much as we have without them. many changes and substantial progress have been made since i last spoke to the committee almost two years ago. cyberspace has increasingly become more critical to our national and economic security, and chairman, you brought up one of the quotes about the greatest transfer of wealth. i think that is absolutely correct. we are seeing increased exploitation into industry, government, other government
2:12 pm
agents and the theft of intellectual property is astounding. i'll address part of that shortly in comments coming up. i also think that the, the threat has grown in terms of activists, nation state and non-nation state actors. the chairman emphasizes krib hear an area of investment and a leaner defense budget. the task of assuring cyberspace access and security has drawn attention of all of our nations' leadership. u.s. cybercommand is a component of a larger u.s. government-wide effort to make cyberspace, one, safer and a forum for vibrant citizen interaction, reserve our freedom to act in cyberspace and defend our vital interests those of our allies. cybercommand is charged to direct the security, operations and defense of the department of defense information systems. but our work is affected by threats outside d.o.d.'s networks. threats the nation cannot
2:13 pm
ignore. what we see both inside and outside d.o.d. information systems underscores the imperative to act now to defend america in cyberspace. the american people expect broad and efficient access to cyberspace. military and civilian sectors rely on accessibility, increased interconnectedness of information systems, growing sophistication of cybercriminals and foreign intelligence actors has increased our risk. last spring, international strategy for cyberspace the president confirmed inherent right to protect ourselves against attacks in this domain as in traditional domains. he said, when warranted, the united states will respond to hostile acts in cyberspace as you would to any other threat to our country. cybercommand exists to ensure the president can rely on the d.o.d. information systems and has military options available
2:14 pm
to defend our nation. the president and secretary of defense recently reviewed our nation's strategic interests issued guidance on defense priorities. in sustaining u.s. global leadership, priorities for 21st century defense, the secretary focuses on protecting access throughout the cyber domain. the u.s. cybercommand role is to pay attention to how nations and non-nation state actors are developing asymmetric capabilities to conduct cyber espionage and attacks. d.o.d. recently added detail to that position in accordance with the president's strategy the department further explained our deterrent posture to congress in a cyberspace policy report last november. d.o.d. components especially cybercommand, worked to dissuade others from attacking our or planning to attack the united states in cyber space. we worked with a range of partners, u.s. governmental allies, private industry, who
2:15 pm
strengthen defense of our citizen, the nation and allies in cyber space. i wanted to assure you that all of our work is performed to safeguard the privacy and civil liberties of u.s. persons. these responsibilities are very much on our minds. in establishing the co-com relationships you asked about our relationships with other commands, and i'd like to briefly address that. first establishing a cybersupport element at each of the six geographically-based co-coms. u.s. centcom is operational, u.s. pacom's is partially operational and others are partially operational and the others are on the way. the purpose is to provide technical expertise and capability and improve capabilities to the cocom planning efforts. our goal to ensure each has full suite of cyberoptions to choose from and an understanding of
2:16 pm
effects these options can produce in aor. chairman, you also asked about the standing rules of engagement. the department is conducting a thorough review of the joint staff of existing standing rule of engagement on cyber space. these revised standing rules of engagement should give us authorities we need to maximize preauthorization of defense responses and empower activity at the lowest level. issues being ironed out are what specific set of authorities we will receive conditions in which we conduct response actions and we expect those will be done in the next few months. d.o.d.'s role in defense against cyber attack, defending the nation in cyberspace requires coordination with several key government players, notably, dhs, the fbi, the intelligence community. i'd just like to put some of those on the table, because it is my tn that we need all three working together as a joint team.
2:17 pm
dhs has to lead for coordinating overall national effort to enhance cybersecurity of the u.s. critical infrastructure. they lead in resilience and preparing the defense. the fbi has the lead for detection investigation prevention and mitigation response within domestic arena under their authorities for law enforcement, domestic intelligence, counterintelligence, and counterterrorism. and of course d.o.d. and nsa and cybercommand lead for detection, prevention and defense in foreign space. defense of the nation comes under if the nation comes under attack. i'd like to go into a few -- if i could -- a little bit on what i see we need in cyberspace. the requirements to defend the nation from attack, because there's been a lot of discussion on this and i think it's important to put this up front. i think this is the heart of some of the discussion that's going on with the legislation today. first, we need to see the attack. what do i mean by that? that was a quote that we made up
2:18 pm
at the fordham university. if we can't see the attack, we can't stop it. what we're not talking about is putting nsa or the military into our networks to see the attack. what we're talking about that all of you have put on the table is, we have to have the ability to work with industry, our partners, so that when they are attacked or they see an attack, they can share that with us immediately. the information sharing and the liability that goes along would allow industry, armed with signatures that we can provide, signatures that they have i agree it takes all of us working together to provide a better defense. what we need is for them to tell us that something is going on. there's a couple of analogies that i'd like to use. these are not perfect analogies, just the best that i can come up with. being in the armed services committee here i use the missile analogy.
2:19 pm
so if a missile were coming into our country and we had no radars to see it, we couldn't stop that missile. if we have a cyberattack coming in and no one tells us that that's that cyberattack is going on, we can't stop it. today, we're in the forensics mode. what that means is, an attack or an exploit normally occurs, we're told about it after the fact. i think we should be in the prevention mode in stopping that. a lot of that can be done by industry. i think that industry should have the ability to see these and share that with government in realtime. when you think about it it's almost like the neighborhood watch program. somebody's breaking into a bank, somebody needs to call the authorities to stop it. in cyberspace, what we're saying is armed with the signatures, the software, those things that help us understand an attack is going on we believe that industry is the right ones to
2:20 pm
tell the government that they see that, and get us respond to it. so i just want to clarify, because i do not believe we want nsa or cybercommand or the military inside our networks watching it. we think industry can do that. we think that's the right first step. and we think actually that's in both of these bills. the second part, i used that bank one because i think there's another part to this, that we have enforced within d.o.d., and that's what standards do we build our networks to, and how much of a defense do we put in there? how do we make our defense better? so we've put in a series of defensive capabilities, if you will, standards that we operate and defend our networks. how do you align your networks, how do you know they're configured right? how do you make them defensible so they will last when somebody's trying to get in? i -- we have a great information assurance directorate and one of the former directors told me
2:21 pm
that 80% of the exploits in attacks that come in could be stopped just by the hygiene itself. chairman, you also brought up the issue of the carnegie mellon report, and i would like to hit some of that, because i do think that's an important report, it has -- it really ap this discussion that we have going on now. as i have stated previously, that report and that assessment was early on in the d.i.b. pilot. that doesn't mean that we can't do better. in fact, let me turn that around and say, for us to be successful in cyberspace, it's going to require government and industry working together with best of both. industry partners see signatures that government doesn't see and government sees signatures or malicious software, exploitations and attack into the country that
2:22 pm
industry doesn't see. information sharing and the ability to do that is key to stopping that. what i see from the d.i.b. pilot was increased discussion between government and industry, and this was a good thing. and it has grown. it continues to grow and we're getting better. so in legislation, what i think is we need to make the first step. we need to start. start on that journey. we won't get it perfect but we need that ability for industry to share with us the fact that these attacks and exploits are going on. or we cannot stop them. we cannot help. there is five areas that i focused on with our folks, with the folks at u.s. cyber command. first, we have to build and train cyberforces and these are things that bob kehler and i are arm in arm on. second a defensible architecture. you mentioned 15,000 enclaves and the reality is, our antiquated architecture, if we went to the way google, yahoo! and others are doing in the defense department we'd have a more defensible architecture
2:23 pm
and that's the way we are pushing, and the services are helping us get there. i think we have to partner with dhs and fbi. the reason that i bring dhs into this is that, i believe we want them working with the rest of government to help set up the rest of government networks and work with that. we do not want to take the people that i have and push them over here. i think we want people that we have looking outside and that goes to senator mccain's comments. we're the offensive force. we're the ones that are going to protect the nation, we need to see what's going on and be prepared to do that. we can give and work with dhs and provide capabilities and technical expertise, and that's growing. finally, i'd add in fbi. they have some tremendous capabilities. they have the law enforcement arm. when you put all three of us together, i think our country knows that what we're doing is transparent and we're doing the right thing. in doing that, you've brought
2:24 pm
all three players to the table. i see command and control in partnership is key, especially with our allies, and i'd put the allies on the table because this is going to be huge for our future and the concept of operating in cyberspace we mentioned earlier. so, it is an honor and privilege to represent the soldiers, sailors airmen, marines and civilians at u.s. cybercommand here today. i thank you for your capabilities in sustaining our future, and i ask that my statement be included in the record, and that's all i have, chairman. >> thank you so much, general. the statement will be made part of the record. we'll start with a seven-minute first round. general kehler, first, do you support the fiscal year 2013 budget request? >> yes, sir, i do.
2:25 pm
>> general kehler, you made reference to effective nuclear command and control network that needs improvement, i believe, in your opening statement. are those efforts under way to modernize that command and control network? can you describe those efforts a little bit? >> yes, sir, i can. of course, as you know, the nuclear command and control system is composed of many, many parts. there are parts of the nuclear command and control system that are not survivable. there is, however, as part inherent in the nuclear command and control system is a thin line that ultimately would be survivable under any conditions. so that we could always ensure that the president of the united states is connected to the nuclear forces. investments are under way in those critical capabilities, the capabilities that are part of the space architecture layer. of course, advanced dhs
2:26 pm
satellites. the first one is on orbit. the second one will go to orbit in the next year or so. i don't have the exact date. that will be the satellite-based survivable part of our thin line network, as we go forward. we have some issues with terminals and terminals lagging the deployment of the satellites. that means we have to use older terminals we won't get the full capability of the satellites at first. we're working that program. we have some issues to make sure that our bomber connectivity is maintained. the air force program supports that. and so i am comfortable that we're going forward there to maintain the connectivity at the force end of this. we're also upgrading some of our other components to the network, ground-based parts of the network, et cetera. so i believe -- i will always be a little uncomfortable about the network. i will tell you that i think there is more to be done. we are working that inside the
2:27 pm
department for future budget requests and in fact, we're undertaking a fairly substantial review at this point in time about the nuclear command and control system and how it does or doesn't support other issues as well. >> thank you, general. the 2010 nuclear posture you call out for studying additional reductions in nuclear weapons, do you think it is possible to further reduce our nuclear weapons beyond the new s.t.a.r.t. levels? >> mr. chairman, i think there are opportunities to reduce further, but i think there are factors that bear on that ultimate outcome. and rather than get into those, which i don't think would be appropriate, i would just simply say i do think there are opportunities here, but recognizing that there are some factors that bear on this. i would also mention it is never our view that we start with numbers. we start with an assessment of the situation we find ourselves in, the strategy, our
2:28 pm
objectives, et cetera, and ultimately then you get to numbers. >> thank you. general alexander, are you advocating for any additional legal authorities that are not included in the cybersecurity legislation that was proposed by the administration to congress or that's included in the lieberman-collins bill? >> no, chairman. >> industrial espionage campaign. i noted in my opening statement, and you made reference to it in your statement. particularly china's aggressive and relentless industrial espionage campaign through cyber space. i wonder, can you give us some examples in open session of the technologies that have been stolen through penetration of
2:29 pm
major d.o.d. contractors and perhaps the department itself? and do you know whether or not, in fact, we have raised this issue, particularly vice president biden, with the chinese? >> senator, i'm not aware on the last, what vice president biden has shared with the chinese through that discussion, but we are seeing a great deal of d.o.d.-related equipment stolen by the chinese. i can't go into the specifics here, but we do see that from defense, industrial-based companies throughout. there are some very public ones, though, that give you a good idea of what's going on. the most recent one, i think, was the rsa exploits. rsa creates the two factor authentication for things like paypal. so when you get on and order something and pay for it over the network the authentication is done by encryption systems that rsa creates.
