17 August 1999. TTA.


http://www.defenselink.mil:80/cgi-bin/multigate/retrieve?u=z3950r://dtics14:1024/speeches!F922%3a934912068%3a%28encryption%29;esn=FT%5fTEXT%20HTML%200;ct=text/html

Association of the United States Army & Association of Old Crows

Remarks as Delivered
By Deputy Secretary of Defense John J. Hamre

Falls Church, Virginia
Wednesday, April 14, 1999

Thank you, General [Gordon] Sullivan [United States Army, Ret., Association President]. Thank you very much for inviting me. I'm delighted to be here. In all candor, it's not because of you, it's because Bill Campbell asked me if I would come. On five or six occasions last year, I had to set up an emergency meeting where we had a crisis and needed to turn to Bill and say, "Bill, we've got to get something going here," and he's done a terrific job and I wanted to publicly thank you for it. We've had some real battles and everything that I asked you to do, you did. So all you asked me to do was come out here and put all of you to sleep and I said, "Well, I can do that." [Laughter]

Gordon was right. It is somewhat of an awkward time with everything that's going on in the Department to be breaking away to come out and talk to an information symposium. For all practical purposes, we are fighting the first cyber-war. I don't know how many of you were aware of this, but while we have the kinetic operation underway, we are also being hit -- I think in a very incoherent and rather amateurish manner, probably not by the Serbian government -- but we're being Yugo-spammed, as it was described in The Wall Street Journal.

Hackers have found a way to get past security to the NATO home page and send a lot of simplistic email. It's all directly tied to this war. And so, I think for the first time in history, we are in a cyber-war. Actually, there are a lot more events underway which we can't talk about here that make that statement true.

It was only two years ago that we had the first cyber terrorist attack in this country. It was very simple-minded and incoherent. But it was unequivocal that someone was using cyberspace to advance a political agenda through disruptive techniques. That was only two years ago. In two short years, we've found ourselves in full-scale combat. Bill knows this. A lot of folks in this room have been working this. I think there are some very important messages here.

Cyberspace isn't just for geeks. It's for warriors now. There is a bit of a cultural bias that we have in DoD where [information specialists] are signal guys, not warriors. I hope those days are over. You are in the thick of it and if there's any warrior who's out in combat who doesn't realize his weakest link is his electronic link, he isn't going to be in that command billet very long. That's just the way it is.

It's not just the case of some Serbian hackers being able to fool around. We now have information on satellite structure routinely available on web sites. We're providing this kind of order of battle information routinely to potential adversaries on the Internet. There once was a time when we put up billion-dollar satellites so we'd know what the weather coverage was like. Now you can get real-time radar feeds on the Weather Channel.

We have to have a whole new way of thinking about force protection, [as a result of] this world that we have created over the last five, eight, ten years. Information that we routinely make available or that others make available about us is now in a public media that is accessible virtually to any Third World country. This is a very different world. We don't have the freedom to maneuver the way we thought about that in the past. That is going to take quite different thinking compared to what we've been doing so far.

Bill Campbell and I were at a hearing about a month ago and we discussed some of the things the Department was confronting right now. We said that the most important thing to give members of Congress, is the initial [ability to] unplug yourself from the network. You can't do that.

We are now far, far, far too connected in our business practices to just unplug ourselves. I don't think we would even know how to do it. We found that out when we tried to get our arms around the web site problem. I don't know how many of you are aware of the web site issue. We took a couple of shots from cyber-libertarians corps out there saying that we shouldn't be regulating this industry. Well, I don't want to regulate the industry, but I sure don't want to make ourselves vulnerable through inattention through this industry. We turned over our web pages to the public affairs crowd.

[I was once shown] a briefing that [had just been] shown to Hugh Shelton [Chairman of the Joint Chiefs of Staff]. [The briefer had] shown Hugh Shelton a homepage for his [Shelton's] house. Here was a homepage that had pictures of every angle of his house, where the shrubs were, where the doors were, what the attic was like, how the rooms were oriented. This was on his web site because we have turned over this media to the public relations guys without any idea about what this means to the warfighter.

We have the same problem right now. We have a public web site right now that provides orbital mechanics data on U.S. satellites when they are going to fly over Sarajevo. Does that sound right? There's a commercial web site right now that will provide you every airplane that's going to land at National Airport in the next 20 minutes by tail number. Is that a good idea?

I don't know that we can stop it. We can't stop this engine that's going on and we can't unplug ourselves, so we have to become a lot more thoughtful about what we are doing. That isn't just computer [professionals]. It [involves] computer [professionals] and warriors sitting right beside their commanding officers and saying, "What are we trying to do and how are we going to support it and what do we have to do to protect ourselves as we do it?" I don't think we have those questions wired in our heads yet.

I think we made enormous progress during the last year. A year ago, we had Solar Sunrise. We went for a period of two to three weeks without [really knowing] what was happening. We didn't know who it was after the first week. We watched it for another week, pretty sure by the second week that it was not malicious although it was worrisome. It took the third week before we could figure out where this was coming from. That was back then.

About two weeks ago, we had the Melissa virus. We stopped it almost overnight in our network. That was because of the enormous progress that has been accomplished through General Campbell's efforts and others. Through all of these efforts, it's been remarkable during the last year. Two years ago, we didn't have any idea even what the map was of our own networks or who was operating them. Today we do. Two years ago, we didn't even know where all the web sites were for our own operation. Today we do. Two years ago, we had an incoherent configuration over our network. Now, it's still evolving and it will for some time because this has been growing up for the last ten years. It's going to take a little while for us to get our arms around it, but we now have control over it. Two years ago, we didn't know all the fire walls we were using, where they [were or] who [was] responsible for them. Today we do. A year ago, we didn't have real-time network monitoring centers across the networks. Today we do. We didn't have real-time intrusion detection capability a year ago. Today we do.

It has been astounding how much work has [been] accomplished during the last year. Unfortunately, it's just a foundation. It's the foundation of what we now have to build on. This is somewhat like going back to a basic discipline, signal discipline that we routinely exercised at the height of the Cold War and bringing it to the computer world, a world far more dangerous, it strikes me, to which we haven't had enough added attention to. These people are doing a great job.

Where do we have to go from here? I think the foundation is in place. And where a year ago, I think the computer folks were fighting for nickels and dimes to buy encryption software and fire-walls, I don't sense that problem now. So I think we've made a major change in how people think about this problem. This is a priority, but it is a dramatically more complicated problem than we all thought.

Where I think we probably have one of the biggest challenges is people power. I tell you, we are hemorrhaging. It's very hard to hold on to people that have expertise. And all of you [in the private sector] are out there offering salaries two and three times what an E-5 or E-6 is making. They walk out the door. How are we going to hold people? We're doing a very good job, holding onto those we can. But we know that we can't bribe people to stay in this type of environment. So we're going to have to find a much more sophisticated way of dealing with the people side of this problem.

I think the Reserves have become an enormously important dimension to this. We're going to have a lot of folks that leave, but who still like the sense of importance and excitement that comes with being in the armed forces. We have to hold onto that. I don't think we have that in place yet. Right now, the private sector has found a way that within two months of the separation date, they start sending letters directly to the homes of people before they retire. And yet, we don't have a comparable tracking system in DoD for people we want to hold onto. Maybe we ought to contract out. [Laughter.]

So we have to do something about this. We also have to offer them meaningful things to do, [as opposed to] just signing [them] up for the Reserves and we'll figure it out later. We have to find meaningful things to do and we've had several conversations about that.

As I said to Gordon on the way in, I don't think there's any area that's more important for us to get right over the next year and a half than this. We are going to hit on a lot of things. It's going to take visionary leadership and people like you who are willing to spend some time and effort getting on top of this problem and helping us stay in front of it. And we're only doing this now for DoD.

I have to tell you that the private sector is highly vulnerable. We're way, way out in front of the private sector. The Melissa experience was the first time a lot of them [had to consider] how soon you can get fouled up and the fact that we have a larger national security responsibility now. This is one of the things that General Campbell is working on with the NIPC [National Infrastructure Protection Center] how we, DoD, can exercise a national security responsibility over an infrastructure that doesn't belong to DoD but is likely to get attacked. That's a hard problem. But I think, again, the infrastructure is in place for us to start working on that problem.

We're going to have a battle again this year on encryption and I need to say something about this. There are already forces coming up in Congress that want to drive all restrictions on the strongest encryption for purposes of export. I think we, DoD, have thought about this more than probably anybody, because we have both sides of this problem that we have to come to grips with. We operate in a non-regulated commercial cyberspace now for 95% of our communications. So we're very keen on encryption. We have to be. There's nothing more unnerving than to get a potentially "spoof" message on your own hardware. Can you think of anything that would throw you off more than that?

There also isn't a person in the Department, or any businessman who's thought about it more than ten minutes, who would ever want to have encryption without some form of key recovery. You are surely not going to give your employees the ability to send your proprietary data or your cash or your contracts anyplace they want and not have electronic fingerprints on it. This is just a basic of internal control. So we have to get past this false debate that's been created by the cyber-libertarians that somehow their personal liberties are at stake because I want encryption and key recovery. I'm not trying to say that you have to have it. But I want it. I want it for the Department. And I think every businessman that I've talked to has said he's going to want it for himself as well.

Instead, we have this fraudulent debate that's been created by the cyber-libertarians that somehow, America's liberties are at stake because we won't let them have the strongest encryption, free to send anyplace in the world. I'm telling you, we can't do that. You are still going to count on us, the federal government, to be able to provide as much advance warning as possible that there's a terrorist attack about to happen in the United States. And what excuse are we going to give when we say, "Well, we couldn't do it because we couldn't break the code fast enough?"

We know how to protect civil liberties in this country. We are far more worried about the government violating civil liberties than we are about private citizens doing it to other people. Do you know right now that there's a commercial company that's selling your personal telephone records of every phone call you've made in the last three months and they'll sell it to anybody that asks? There's only one party in America that can't buy it: the federal government. But anybody else can buy your private information. We can't. We know how to protect civil liberties in this country.

I'm not at all saying, "Throw away the 4th Amendment." [It is a] false debate to say that America is at risk because America's national security infrastructure wants to protect America against unregulated encryption. That's a false debate. And I'd be glad to debate anybody on that subject. I've asked for your help on this. You have to help us make this an educated discussion, not just a symbolic, rhetorical exercise of throwing barbs at each other. This is a complex area. It's very important. It's where our personal rights and freedoms and liberties as citizens bounce up against our responsibility as a government to protect our citizens. It is a very important debate and we ought to have it, but we shouldn't just go ram-rodding through with false rhetoric that somehow America is at risk because the federal government wants to protect its own citizens. I need your help to work that out.