Good morning and welcome to a very beautiful Colorado morning as we kick off this NSTAC [Business] Session. I’ve been Deputy Secretary of Defense now for six weeks and while I’m doing my 25th defense budget with the markups on the Hill and the POMs [Program Objective Memoranda] we’re about to receive, needless to say, this is a time of challenge and learning.
Mike [Van Honeycutt, Chairman of the National Security Telecommunications Advisory Committee,] told a joke on Sunday that is reminiscent of both my unique perspective here today and what we are really going to try to accomplish at this conference. He talked about a mouse in New York City that was being chased by a ferocious cat. Fortunately for the mouse, he found a pothole that he could go and hide in. For a while, the cat was there at the top of the pothole just waiting for that mouse to come out. He knew he had him there. So the mouse hunkers down and finally there is some relief. He hears a dog barking and he figures, "I have been saved." He finally musters the courage to get out of the pothole, and there with the biggest grin you could ever imagine was that cat. He looked at the mouse firmly in his sights and said, "What can I say? This is New York. It pays to be bilingual." [Laughter.]
Well, that’s what we are going to try to accomplish today on the Government side and on the industry side. How can we, at the end of this conference, speak a common language? We face critical challenges to the commercial side as well as to the government infrastructure. And so to members of the NSTAC, let me say that I hope we have a challenging and invigorating morning and afternoon.
Members of the NSTAC, I see a number of familiar faces here this morning, faces that range from my days when I was Staff Director of the House Armed Services Committee and later when I was serving as Under Secretary of the Air Force. I thank you for being part of this session this morning.
General [Ed] Eberhart [Commander-in-Chief, U.S. Space Command] is here. He was Vice Chief of the Air Force when I was Under Secretary. Also Dick Clarke from the National Security Council, who is really the point man for the President of the United States in terms of how we as a country and as a government respond to these new and very critical threats.
My predecessor, Dr. [John] Hamre, had planned to be here but got caught with some delayed flights and did not make it. But I truly want to pick up the baton and continue the initiative that he brought forward in terms of mastering this topic during his tenure and to making sure that we continue with his commitments.
Art Money, the Assistant Secretary for C3I [Command, Control, Communications and Intelligence], the man who devoted so many Saturdays in 1999 to dealing with the Y2K issue. In many respects, the fact that we are focused on the "I Love You" virus or the "Melissa" virus or "Mafia Boy" or all of those other viruses are testimony to all of that effort. You can really measure how committed Washington and the Pentagon are to solving a problem by whether they are meeting on Saturday to deal with an issue. So on countless Saturdays throughout 1999, Art Money was our leader.
[Lieutenant] General [David] Kelley, our leader at DISA [Defense Information Systems Agency], who is finishing a very, very distinguished Army and joint career. He completes what we in the Pentagon call a "purple" position. But he has, helped us make great strides in terms of our information systems and our information security.
Ladies and gentlemen, I thought I might begin this morning by painting two pictures that capture both the promise and the peril of this information age and therefore the paradox it presents for the Defense Department and for the nation.
The first picture is of our operations in the Balkans last year. When Dr. Hamre spoke to you last June, we were in the final hours of Operation Allied Force. A year later, consider the truly revolutionary type of warfare we waged. On the ground in Albania, soldiers log on to laptops and exchange frequent messages across our classified military communications system. In the skies over Kosovo, unmanned aerial vehicles hover above and hunt for the forces of our adversary and feed live video back to analysts in America and other forward-deployed fusion centers. In space, satellites focus on Serbian targets no matter the weather or time of day.
All that information and imagery then travels from those analysts in America to planners in Europe and finally to F-15 crews, to a pilot sitting alone in the cockpit. He takes this information and processes it in his battle plan. With a handful of exceptions, 26,000 munitions, many guided by the Global Positioning System, hit their target with astonishing accuracy. And at the end of the day, some 150 military and civilian leaders spread across a dozen locations and several continents come together in secure video teleconferences to discuss and coordinate the next day of the campaign.
When I started my career 25 years ago, when we talked about readiness on the flight-line, we were talking about readiness of jet engines or readiness of electronics or airframes. Today, when you talk about the critical support that is essential to launching air combat operations, we’re talking about the flow of information, whether it be to our pilots or in the JSTARS [Joint Surveillance Target Attack Radar System] aircraft that is providing information to ground troops so that American generals can track what an adversary is doing at night without putting young troops out into a forward deployed and vulnerable position.
But if that is a success story, the second picture is more recent and perhaps less publicized, but more critical -- the events that began on January 24 of this year when the National Security Agency endured the failure of its communication infrastructure. While no intelligence is lost, agency personnel are unable to electronically communicate with one another, and the Agency’s intelligence data cannot be forwarded. This lasts for three days. Thousands of man-hours and some $1.5 million in repairs later, the system is restored and one of the more troubling collapses of an information infrastructure in our nation’s history is over.
While unprecedented in its severity, the NSA failure was unfortunately not unique. In recent months, similar outages, mostly for a few hours at a time, have occurred in critical infrastructures across the Defense Intelligence community; at NIMA, the National Imagery and Mapping Agency, and at the Defense Intelligence Agency. Now, one might be tempted to think that these outages were the result of the most successful cyber attacks on the U.S. Government in history. In fact, all of them can be traced to the most simple of shortages -- defects in the wires, switches and nodes in increasingly stretched systems that make up the electronic nervous systems of these agencies.
These two pictures, of both the promise and peril of this information age, capture the challenges we face as an increasingly cyber military and cyber nation. As Under Secretary of Defense for Personnel and Readiness, I saw first hand how this same technology is transforming everything we do to support our forces, from how we pay them to how we provide their health care. In short, information is the very life-blood of the systems that are critical to taking care of our forces. With it, we can thrive. Without it, we can be crippled.
Therein lies the great paradox of this information age. The very technology that makes us stronger makes us vulnerable. The incident at NSA underscores the inherent fragility of our systems on the inside. The litany of attacks on our system in recent years underscores the threat from the outside. Now I understand that one of the issues you’ve discussed at NSTAC is to look at how we come together as a government and as an industry to work together. I think we would both agree that the threat is not only here, but that the threat is growing.
Consider what occurred in the Department of Defense in 1998 during the confrontation with Iraq. For weeks, our global transportation system and our finance, personnel, and logistics systems were systematically probed. The culprits? Not Saddam Hussein in Baghdad, but rather teenagers in California. At the same time, the recent denial of service attacks on commercial internet sites were a window in the future, a future in which the number of viruses explode, as they did last year alone by some 40 percent. It is the future of progressively more potent viruses as we saw in the "Love Bug" case, perhaps the most damaging and costly virus yet. The "Love Bug" reminds us that the same technology that empowers America, empowers our adversaries.
As long ago as 1992, NSTAC warned that hackers would increasingly have ties with international adversaries. Information is now the great equalizer. A lot of nations and groups unable to match us on our conventional battlefields are turning increasingly to unconventional fields such as cyber space and other potential mechanisms. As long as we have a strong and significant military capability that we have today, adversaries know that they won’t be able to take us on in the air or on ground or in the sea and so they will look for vulnerabilities. They will look for ways that they can significantly impact the way that we do our business.
Last year, Dr. Hamre discussed some of the measures we’ve taken to defend against these threats. We have made enormous progress over the past several years, investing enormous sums of money, installing real-time network intrusion devices and protection software on all networks, creating real-time watch centers in all the military services, and empowering our Assistant Secretary for Command, Control, and Communications to lead our efforts.
In 1994 and 1995 when I was Under Secretary of the Air Force, our OSI, Office of Special Investigations, had a very small cell on the fourth floor of the Pentagon focusing on how we defend our information systems. I knew that when I went before the Senate for the confirmation process for becoming Deputy Secretary of Defense I was going to get questions on MTOPS [millions of theoretical operations per second], cyber security and information security. So in one of my preparatory actions, my Chief of Staff and I physically walked from the laptop computer in my office to a place where the Pentagon intercepts the DISA backbone.
That walk was a phenomenal discovery in terms of how we have changed from that 1994-1995 time period when [then-Senator] Sam Nunn and [then-Secretary of Defense] Bill Perry made a visit up to the Air Force OSI Center to visit an information control room where young officers, contractor personnel and career civilians were working together to constantly monitor the system, to see how the system might be attacked, how was it vulnerable, and to make sure that the firewalls and backbones were in place.
So when the "Love Bug" hit the Pentagon a week ago, rather than wiping out files, the worst thing that happened was our firewalls caught it. For a few hours we were unable to transact business electronically but when the "all clear" came, when our security specialists understood what was happening, when Art Money gave Secretary [of Defense William] Cohen and I the high sign in the morning staff meeting, we went back online and we were back in business.
But all of these things flow out of the initiatives that Dr. Hamre gave us last year. And so I’d like to use the remainder of my time to update you on our efforts; what we have done over the last year, where we are going, and why the Department and why our nation, needs your help.
We realize that we can never eliminate the vulnerabilities of our systems, but that we can at least move to mitigate them. So to prevent intrusions we’re implementing a "defense in-depth" approach -- layers of defense from the corporate level down to the desktop, from increasing reviews of our vulnerabilities to increasing training and certification of our system administrators, the men and women who quite literally hold the keys to our cyber kingdom.
Instead of viewing security as an afterthought, this means making it an article of faith, an indispensable element to be built-in deep into our systems from the beginning. This includes increased training for all those who use our systems and improving our ability to alert users to looming dangers and ways to protect against them. It includes building stronger firewalls that block unauthorized users without blocking authorized users. It includes instituting public key infrastructure to ensure the integrity of our electronic transactions and it includes, to get it all done, a cyber security budget of some $1.4 billion.
Central to our efforts has been the new Joint Task Force for Computer Network Defense, which is now our front line. I know some of you were treated to a tour of Cheyenne Mountain yesterday. If you were watching "60 Minutes" several weeks ago [you would have seen] a tour of the Joint Task Force in Washington and its 24-hour Operations Center. All of that now falls under General Ed Eberhart in Space Command in a reflection of how we consider this to be inseparable from our foremost mission of fighting and winning this nation’s wars.
We’re now entering a critical new phase in these efforts. Until recently, as the initiatives I just mentioned reveal, we’ve tended to focus almost exclusively on information assurance -- assuring the reliability and dependability of our systems and the information on them. Increasingly, we’re realizing that we need to take a broader view of the problem and also focus on the underlying critical infrastructures upon which those systems rest.
In this age of interconnectivity, no organization, public or private, is an island unto itself. It is no secret that some 90 percent of our communications in the Defense Department rely on the same commercial bandwidths, nodes and facilities you own and operate on. DoD traffic is growing tremendously, nearly doubling in the last 10 months alone. And moreover, it’s becoming increasingly difficult for our people at bases and installations to connect to our network, for example, to conduct video teleconferencing or to use internet-based purchasing tools. As a result, our people are experiencing longer delays in getting the information they need to accomplish their daily missions.
Because NSTAC has been looking at this, and ensuring the continuity of such operations for years, few know better than the people in this room that the risks to these infrastructures are increasing. The Department of Defense’s 1997 "Eligible Receiver" Exercise proved that only a few hackers with off-the-shelf technology could disrupt power and telephone lines across the country. This last October in the "Zenith Star" Exercise, the Joint Task Force provided how little it would take to trigger blackouts in regions with military bases or shut down 911 emergency systems.
Government has always protected critical infrastructures such as dams and power plants. As a cyber nation we now need to protect these information infrastructures as well. That is why the plan the President unveiled several months ago calls for a concerted effort to do just that. And I know that Dick Clarke as the President's representative will delve deeper into this topic and offer more detail. We need your help.
One of my great opportunities is to go into the field and to meet with the very capable young men and women that are serving. General Fred Volrath is here now in a civilian capacity, but there was a time when he and I stood with some young enlisted soldiers on a mountaintop in Bosnia. We could look down into the valley, which had been hostile enemy territory once. As long as the Serbs held the mountain top, the valley below was vulnerable to their artillery fire.
But there we stood on this mountaintop with young enlisted soldiers. And as impressive as those young men and women are, what is even more impressive, what is even more insightful in terms of understanding the great power of our military, is not just their unique capability, but rather to see how in everything they do they recognize how dependent they are upon one another, how one cannot do the job without the assistance of his colleague. That lesson from our troops serving around the world, how much they depend on one another, should come back to us.
We have an amazing country and the marketplace is developing incredible and new technologies. Still, we have only begun to scratch the surface of how we are going to utilize these technologies. If the 21st Century is going to be dramatically and significantly different from the 20th Century, in terms of learning how to better work together and to live together, then we’re going to have to make sure that we do whatever is necessary to protect our country.
That’s what our young troops do when they serve in faraway places like Bosnia, Kosovo and Korea. That’s what our pilots do whether they’re flying an F-15 on air patrol over the Saudi Desert or whether they’re sitting alone in a U2 as a desert reconnaissance over a critical area. But at the end of the day, they know that that F-15 pilot, that the U2, that the soldiers and sailors are all dependent upon one another. Well, in this critical area of information protection, infrastructure protection, and information security, [government and industry] are truly dependent upon one another.
And so to the Chairman, Mr. Van Honeycutt, I look forward to a vigorous day here. I look forward to listening to the other speakers, and I ask all of us to recognize that we are truly in many respects trying to chart a course for the 21st Century. So I look forward to the discussions and thank you very much. [Applause.]