Senate Armed Services Committee

Report 110-335

on National Defense Authorization Act for Fiscal Year 2009

[...]

National cyber security initiative

The committee applauds the administration for developing a serious, major initiative to begin to close the vulnerabilities in the government's information networks and the nation's critical infrastructure. The committee believes that the administration's actions provide a foundation on which the next president can build.

However, the committee has multiple, significant issues with the administration's specific proposals and with the overall approach to gaining congressional support for the initiative.

A chief concern is that virtually everything about the initiative is highly classified, and most of the information that is not classified is categorized as 'For Official Use Only.' These restrictions preclude public education, awareness, and debate about the policy and legal issues, real or imagined, that the initiative poses in the areas of privacy and civil liberties. Without such debate and awareness in such important and sensitive areas, it is likely that the initiative will make slow or modest progress. The committee strongly urges the administration to reconsider the necessity and wisdom of the blanket, indiscriminate classification levels established for the initiative.

The administration itself is starting a serious effort as part of the initiative to develop an information warfare deterrence strategy and declaratory doctrine, much as the superpowers did during the Cold War for nuclear conflict. It is difficult to conceive how the United States could promulgate a meaningful deterrence doctrine if every aspect of our capabilities and operational concepts is classified. In the era of superpower nuclear competition, while neither side disclosed weapons designs, everyone understood the effects of nuclear weapons, how they would be delivered, and the circumstances under which they would be used. Indeed, deterrence was not possible without letting friends and adversaries alike know what capabilities we possessed and the price that adversaries would pay in a real conflict. Some analogous level of disclosure is necessary in the cyber domain.

The committee also shares the view of the Senate Select Committee on Intelligence that major elements of the cyber initiative request should be scaled back because policy and legal reviews are not complete, and because the technology is not mature. Indeed, the administration is asking for substantial funds under the cyber initiative for fielding capabilities based on ongoing programs that remain in the prototype, or concept development, phase of the acquisition process. These elements of the cyber initiative, in other words, could not gain approval within the executive branch if held to standards enforced on normal acquisition programs. The committee's view is that disciplined acquisition processes and practices must be applied to the government-wide cyber initiative as much as to the ongoing development programs upon which the initiative is based.

The committee also concludes that some major elements of the cyber initiative are not solely or even primarily intended to support the cyber security mission. Instead, it would be more accurate to say that some of the projects support foreign intelligence collection and analysis generally rather than the cyber security mission particularly. If these elements were properly defined, the President's cyber security initiative would be seen as substantially more modest than it now appears. That is not to say that the proposed projects are not worthwhile, but rather that what will be achieved for the more than $17.0 billion planned by the administration to secure the government's networks is less than what might be expected.

Finally, the committee concludes that, for all its ambitions, the cyber initiative sidesteps some of the most important issues that must be addressed to develop the means to defend the country. These tough issues include the establishment of clear command chains, definition of roles and missions for the various agencies and departments, and engagement of the private sector.

Additional information on the cyber initiative is contained in the classified annex to this report.

[...]