Seal of the Department of Defense U.S. Department of Defense
Office of the Assistant Secretary of Defense (Public Affairs)
Speech
On the Web:
http://www.defense.gov/Speeches/Speech.aspx?SpeechID=731
Media contact: +1 (703) 697-5131/697-5132
Public contact:
http://www.defense.gov/landing/comment.aspx
or +1 (703) 571-3343

National Security Telecommunications Advisory Committee
Remarks by Deputy Secretary of Defense John Hamre, The National Security Telecommunications Advisory Committee, Thursday, September 10, 1998

Dr. Hamre: Thank you, Chuck, and thank you very much, all of you. I enjoyed being with you all last night. I was moved when I saw those young soldiers from Fort Bragg, [North Carolina]. In a society where we're obsessed with Generation X, I'm glad we still are able to find young men and women who are willing to separate themselves from the comforts of private life and take on the discipline of military service, the challenges of that, and be willing to serve this country by putting on a uniform. I'm very grateful for their service.

I also thought to myself how lucky we are that all of you are willing to participate in this kind of an organization. You surely all have many more pressing things that are probably more important on a day-to-day basis for your stockholders and for the bottom line. You don't need to have this distraction, but the fact that you are still willing to take time to sit and talk with us about national security is very gratifying. Thank you to all of you.

I would like to put my comments in a broader context because I think we need to step back. It's very hard at any point in history, when you're caught-up in the sweep of day-to-day events to get a bearing on where you are in a larger context, and I'd like to do that to frame some of my observations.

The United States has had only five security epochs. At the moment, we are in a transition period to a new epoch, slightly uncertain as to what its dimension is going to be.

The first epoch began with the start of the Revolutionary War and ended in the mid-1820s. At that time America stood at the fringe of an international security environment still dominated by relatively coherent and vital nation states, dominated, of course, by Europe. We were pulled into conflicts which were really secondary to the main fight in Europe.

From the mid-1830s through the end of the 1800s we saw the emergence of a second epoch. It was then that the European political construct was disintegrating, and was typified most directly with the failed Socialist Revolutions in 1848 that showed how bankrupt and corrupt the old system had become, but not so much so as to remove those powers. The United States was insulated from this by a huge ocean. We were becoming a very large and prosperous country, but because we were still expanding into Heartland America, we had our attention turned elsewhere and we were left alone.

This epoch ended around 1900, with the Spanish-American War as America emerged as a world power. With our imperial ambitions manifest, especially in Asia and in Latin America, we clearly came to dominate the Western Hemisphere, and have since that time.

Then came a brief transition period, from 1900 to 1920, a global transition which reflected a collapse of political and security structures in Europe. This period ended with World War I’s conclusion. The forth epoch occurred in the interwar years and was characterized by two forces; global recession and the rise of international communism. These two forces created a real crisis for American democracy and the free enterprise system in the '30s and the '40s.

That epoch ended with World War II, and what emerged in the fifth epoch was the Cold War. This was dominated by a bipolar world, maybe a tripolar world, with the United States leading the band of western countries confronted by a very aggressive, and what initially appeared to be a coherent communist world. Monolithic communism fractured in the early '60s.

Nonetheless, this bipolar world persisted, and that period created a kind of eerie predictability. Political and strategic developments were regulated by the tension and the pressures between these two worlds that possessed unprecedented arsenals that could wreak enormous destruction. Nuclear deterrence created an unusual calm.

That epoch ended in 1989 with the breach of the Berlin Wall, and we are now in a transition toward a new security epoch. It is hard to know exactly what it is going to be like. It is clearly characterized by the collapse of the old structure, as has each of the previous epochs. What has emerged is a still fuzzy but troubling image.

We are seeing the world evolve into very aggressive tribalism that is manifesting itself as quasi-nation states. Abkhazian is in conflict to Georgia, or East Timor in Indonesia. Congo is in a civil war as we speak, and could very well end up divided. Tribalism is becoming a dominant paradigm of this new security epoch.

Another dimension of this security epoch is the dissolution of the technologies that were created during the last epoch, during the Cold War. We confront the historically unprecedented condition in which a major global power falls apart, but it is a global power that had 30,000 nuclear weapons and unbelievable stockpiles of chemical and biological weapons, and it's disintegrating into tribal units that seem to have passions that we really don't understand.

Americans are so far away from this that it's inconceivable to us that people have 500-year grudges. When you get a grudge here in America, we just move along. That isn't the way it is in most of the rest of the world. And so we've seen the dissolution of technology into the hands of a lot of dangerous people.

There is also the emergence of quasi-governmental or governmental-sponsored organizations, such as terrorist organizations like the Usama bin Laden network. These are able to move in and out of government circles and extract rather threatening things. They then use those things, but not in controlled ways as governments behave. This is part of the very unsettling security epoch that's emerging.

What can we conclude about this right now? First, I think that the old patterns of deterrents on unacceptable behavior don't predictably work in this era. In the old days, you could threaten untold havoc on a nation-state if they did something that was out of bounds, and that created a deterrent effect. It's not clear that deterrent quality exists now. I agree strongly that we should strike out at Usama bin Laden, but it's not clear that's going to deter this group. The old security patterns that we were familiar with aren't necessarily going to work reliably in this era.

Second, I think we're going to be increasingly confronted by technology that's used by really dangerous people in very troubling ways -- not just cyber issues, but chemical and biological weapons as well. We've had three incidents in the United States in the last nine months involving anthrax. Two of them were spoofs, but nonetheless it's a pattern that's emerging, and it's not just going to be in the United States.

I think a third feature of this new epoch -- and this is one that's particularly troubling -- is that we're entering a period when obviously no other country or a tribal unit can take on the United States directly. They know it would be suicide to attack us in traditional ways.

The use of these troubling tools in nontraditional ways is going to become the preferred mode. We're entering a period where one individual, or a small group of individuals, are able to wage war on our entire country. This is not in the predictable ways in which, for example, we're worried about an invasion from the sea. Rather, it is entirely possible that the new ways will become highly disruptive to an organized society.

The last feature that I think is very relevant is that the target in this new world isn't necessarily going to be a direct attack of America's military forces. We certainly will be targeted overseas as terrorists try to make a political statement, as at Khobar Towers [Saudi Arabia]. That is going to be a dominant feature, but a bigger problem is that at some point the fight will be brought here to the United States. The target isn't really going to be military per se, and it's more likely going to be nonmilitary target for which we don't have a protection infrastructure.

This is all troubling enough, but I think we're also in one of the most complicated periods of American history, with huge social forces colliding with technology developments, and I'm not sure we understand this well enough. I am confident the government is not well organized to deal with this.

We also see the explosive globalization of the American economy. I'm not sure I know what an American company is anymore. I know that it means the board of directors is largely going to be Americans, but it doesn't mean that the processes or the content is American. What is American now? What is American anymore when you have software engineers in India who are writing code for the Iridium satellite system? This explosive, dynamic American economy is opening up security dimensions we haven't thought about.

You're in pioneering business practices that are exciting on the one hand and troubling on another. Each of you, in your own ways, is seeking to find ways to get your customer to become part of your business process so they'll do some of the work and offset some of the cost of the business transaction, and yet that introduces a vulnerability. When you establish electronic links with subcontractors, for example, how do you keep those subcontractors from looking back up in your management system to learn key corporate information that you'd rather they not know? This is an interesting problem in this world.

I think we're confronted by a time when American politics is astoundingly parochial just as America's economy and society is international. Washington is preoccupied just now with the Loral-Hughes China satellite controversy. Congress is passing amendments that are coming up about how we punish a company for allegedly doing something wrong with satellites, and the amendment would preclude any company from ever doing this again. This is a crazy time we're experiencing, and we haven't thought our way through.

How are we, as a political entity, going to deal with this enormously complex new social and economic environment that America is leading? We are starting to come to grips with what this new Internet society means. I probably am typical of most people in Washington in that we tend to have a consumer view of the Internet. If you see a new homepage for a ship, you think, "Isn't this great - this thing is linked up real-time," never thinking about the security dimensions.

We are providing information to potential enemies that they used to spend hundreds of millions of dollars in intelligence operations to attempt to get. I'm not going to pick on [Lieutenant General] Dave Kelley [Director, Defense Information Systems Agency and Manager, National Communications System] here. I know he's fixed this problem. He had an installation that had a homepage with an aerial view of the facility with little arrows that said "Operations Center," "Technical Support Center." It's those computer specialists who are out there thinking about this as, "Boy, this is great, you can click on a little arrow and up pops an outline of what's inside the building," without ever asking, "Is this a good thing or bad thing for terrorists to know?" We put it in front of them in a medium where they can get it instantly.

We have to step back and think about this world that we have created in this glow of the end of the Cold War. We need to think about it in terms of an emerging security epoch, where we've got a lot of potential enemies who really would like to do some bad things to us, and we're making it awfully easy. That's the broad context.

All of that, by the way, was just the introduction to my speech. (Laughter.) I'm not going to take longer than my half-hour, though, Chuck [Lee, NSTAC Chair Charles], I promise you that.

We're entering a period of profound intellectual challenge for the Department of Defense to think about national security in this new era. We have had a 200-year history of national security concerns solely outside the boundaries of the United Sates. We may have set up coastal artillery, which we did in the WWII period, but it was still shooting away from the US. We have never thought about security in terms of threats inside the United States. That's been a law enforcement problem. That's been the FBI’s responsibility. That paradigm is no longer applicable.

This complex new world and its new threats are going to stress us in ways very difficult to handle politically. We're rather obsessed right now politically, and I'm not sure we can tackle a topic like this in Washington. We're going to have to get our arms around this question of what constitutes national security, and how does the Department of Defense interact with law enforcement? The reality is that the Department of Defense has no formal responsibilities for infrastructure protection in the United States, with the exception of the inland waterways because the Corps of Engineers manages them.

That's the only thing the Department of Defense is responsible for, and yet we're entering a period when the biggest national security challenge is going to be the interaction of America's society and economy with the world. We're stretching ourselves in ways we really haven't dealt with yet.

Let me tell you some of the things we've been doing. It's our view that we can't meet the challenges of this new security epoch without finding institutional ways to be working as partners with law enforcement in the United States.

We have been doing some of that with the drug enforcement effort, but it's going to have to be far more direct and involved than it has been in the past. That's why we entered into partnership with the FBI on the NIPC [National Infrastructure Protection Center]. We know at some point when an event occurs -- whether a cyber attack, chemical terrorist incident, or something else-- the day after is going to be qualitatively different from the day before. And the day after is going to require the United States military to be involved in ways unprecedented in the United States.

I personally believe a terrorist incident in the United States involving chemical or biological weapons will become one of the most serious challenges we will ever confront to civil liberties in this country since at least the bombing at Pearl Harbor. We have to start getting ready for that, and institutionally we need to be working with each other. One thing we're doing is finding institutional partnering opportunities with law enforcement.

A second thing we're trying to do is develop a new security model. We have to develop a new security model for this country that recognizes the dynamism of the American society and the American economy.

We continue to operate a security model that’s like the fence around the outside of your yard. If you see a hole in the fence, you go over and try to patch the hole. This analogy is wholly inapplicable when you're dealing with an economy in which American products are routinely built overseas and business processes are inherently interconnected with other companies, many of them are overseas.

We still have a security model that revolves around the nationality of the board of directors of the corporation, not the underlying business activity. Our friends on [Capitol] Hill criticize us on export controls; they say we ought to toughen security by moving satellites back to the State Department, away from Commerce. We will take the criticism; we haven't paid enough attention to some things. But I tell my congressional friends you are also giving me a naive solution to a very complicated problem. That isn't going to solve the problem. It's a much more complex problem than that, and we need to develop a much more sophisticated security model for dealing with it.

We've launched a number of efforts to do that, and we've asked the Defense Science Board to lead an effort to reach out to all of you, and I hope you would be willing to participate with us as we are thinking our way through this. Frankly, you are all confronting the same thing, in many different ways.

People like Dennis Picard [Raytheon Chairman and Chief Executive Officer] are trying to get their arms around this, and that means dealing with disparate management systems. That's exactly the same problem we're confronting. It's the same sort of difficulty.

Many of you have exactly the same problem in a different way, and it requires technical solutions, process solutions and organizational changes. You're wrestling with the dilemma of retaining agility as a corporation and at the same time trying to protect your security. That's exactly what we're going to have to find in a new model to do that in the United States, and I ask for your help on that.

A third thing we're dealing with is consequence management in the event of a terrorist incident using chemical or biological weapons. We have really never dealt with this in the Department of Defense before. For example, we're responding to emergencies and natural disasters. We do literally thousands of things every year. We augment police forces 2,000 times a year to help them with suspicious packages and things of that nature. But if there is a terrorist incident, it's going to be very different if it involves chemical or biological weapons. It's going to require the mobilization of capabilities that are unprecedented, and we have not done really concrete thinking about that in the Department of Defense.

The reason for that is we never assigned the United States to one of our Unified Commanders-in-Chief (CINC) as an area of responsibility. There are only four countries in the world that were never in the area of responsibility for one of our commanders, and those were the Soviet Union, the United States, Canada and Mexico. We never had a CINC who was worrying about homeland defense of America before. Our Unified Commands do our concrete contingency planning and thinking, matching up of requirements and resources, and laying out a program for the future. We've never done that before, and we're going to start doing that.

We're going to have some decisions here in the next two or three days that will finally provide a sense of direction. DoD will always be in a supporting role because, as I said, we don't own any of these infrastructures directly, and we don't have organizational responsibility for them. But that's going to be no excuse the day after a terrorist strike. We're going to get the call, so we're going to have to do something about that.

The fourth thing we're doing is spending a lot of time, effort and money to try to figure out how to protect ourselves in cyber space. We had a cyber attack yesterday. It was almost comical. Some little group -- we're not exactly sure, we think they're in Germany -- decided that we were supporting the Mexican government's efforts to suppress the Zapatistas, and so they decided the best way to attack us was to flood our Department of Defense homepage, Defenselink. They were going to try to freeze up our homepage with a cyber attack. They had automated an attack that was very simpleminded and easy to blunt, which we did, but it's another example of cyber security issues we face.

In the last year, we have pulled together disparate efforts to try to get our arms around protecting our information infrastructure. Nine months ago we didn't even have a good handle on how many networks we have. We didn't have any idea about their configuration and had very little idea about the operating systems inside. The people who were running them did, but we didn't understand them in any central way. When we got the Solar Sunrise attack in February, we were running from behind just to get basic controls in place.

I think we've done a great job, and hats off to the Air Force that led the way for the entire Department, in putting in place the infrastructure to do that. [Lieutenant General] Bill Campbell has made an heroic effort in the last nine months to get the Army up to speed. We are finding ourselves enormously vulnerable as we operate in this electronic space, and we haven't thought about it very well. We haven't thought about it in a disciplined way from a security standpoint, and we're working hard to get caught up. We have assigned the mission to a military unit. LTG Kelley has that duty now as Joint Task Force Commander for Computer Network Defense. That task force will stand up the beginning of January.

 It is just a first step, but it is something that we're finally getting off the ground. We are standing up our contribution to the NIPC. We are very near to taking a very important step in focusing on encryption. Our dilemma has been trying to find ways to reconcile the conflicting values that collide on this issue; the privacy values, the economic incentives, the dynamism that this sector has brought to American industry and the security dimension. We're very close, and literally within days we're going to be able to finally start a new policy on encryption. And let me say it's not the endpoint, it's the starting point, but I think it's going to be a critical development when we can do that.

 

Finally, I think we very much need a place to turn to. NSTAC right now is the only place to turn to. We need a place to turn to to help us understand what's going on in this very dynamic industry. DOD doesn’t have sufficient insights into industry, because we tend to be plugged into solely defense issues. We don't have routine contacts into the telecommunications sector, or into the banking industry. We don't know how to do that here, and yet this is the infrastructure that very well could be attacked and become a national security problem.

We've talked a bit with [former Secretary of Defense] Bill Perry and [former Deputy Secretary of Defense] John White, who have been pioneers in thinking about this and wanting to develop some capabilities. They have offered to reach out to industry to create a forum for industry and government to interact. It would be entirely based in the private sector, entirely consensus-oriented, and would involve things where we could interface and get problems solved for us and insights from you. It will be enormously important for us to try to get something like that going because we don't have it right now.

We don't have a good way to interface except for the NSTAC. That's why we believe the NSTAC is such an important venue for us to interact with this sector because the telecommunications industry is crucial. There are three crucial backbones – telecommunications, power and finance -- and if those things either don't make it for Year 2000 or don't make it because of a cyber attack, this country is going to be in serious trouble. We can always handle getting attacked at the DOD homepage; that isn’t going to be the end of the world, but if something bad happens to the telecommunications industry, we're in deep trouble.

I think the inherent dynamism and resiliency of this industry provides a level of basic protection that gives us all confidence, but I don't think any of us can be naive about what we're confronting. It no longer takes enormous resources for a foreign power to wage war on the United States; not to win on a battlefield, but to intimidate us into political outcomes that we otherwise wouldn't even consider. That's what we're going to have to work on together. I would ask you to think about finding ways to work with us in either working with Bill Perry or John White, or however else.

Let me again conclude where I started, with a very sincere thank you to all of you who are willing to take time out of your private lives when they are so demanding, to still pull on the "uniform of public service" for this period to help us wrestle with some very tough issues. We know that as Americans we're going to have to get our arms around these issues over the next three to four years.

We're going to really have to count on a dialogue with the full spectrum of leaders in American society, and ask for your help in developing solutions to these problems. I'm very grateful that you let me come and talk to you. Thank you.