Dr. Hamre's Speech to the Council on Foreign Relations
(As delivered, edited for grammatical errors)
When I first received this invitation to speak to you about how free trade and globalization impinges on U.S. security, I said, "Well, I don't want to talk about that." I was fully prepared to do what everybody else does, which is just talk about what I wanted to talk about. But the more I thought about it, the more I came to realize this really was in many ways a salient subject, probably one of the most important subjects facing the Defense Department right now. And, in all candor, it is one we have not thought about very well. So I thought I would use this as an opportunity, frankly, to develop my own mind and then to share some thoughts with you. And I hope I will get some reaction from you -- if not tonight, then over time. I very much would like to get your reaction because we would like to try to address this enormously important subject.
It goes without saying that Americans are starting to realize how important trade is to the American economy. Certainly the events of the last three or four months have brought that home in a very gripping way. Probably a third of the U.S. economy in one way or another today is related to trade or overseas investment. It's become such a huge element in our economy, there is certainly not a CEO in the world who does not understand how important this is.
We in the Department of Defense feel that we have a very important role to play. We believe that the security that comes from America's presence overseas provides a framework of stability that is essential to the prosperity that comes from trade.
We believe that a healthy economy strengthens democracy, and democracy in turn provides for stability. Where some talk about a vicious circle, we think this is a virtuous circle and we think that trade and national security and democracy are highly related to each other, not just in our traditional trading relationships with Europe, but also with Asia. And I honestly believe that our relationships, our military-to-military relationships, in Asia have been one of the stabilizing elements in the last four months. We think that they have been very important.
I would like to go beyond this discussion to a more subtle dimension of our national security that is emerging at least in my mind because of the economic forces that are afoot at the time. We are all, of course, seized by the images of national defense: the aircraft carriers in the Arabian Gulf, the Patriot missiles that are standing alert in Saudi Arabia, the soldiers in Korea. We are all very familiar with that dimension of national security.
What we see emerging, however, is a very different dimension, a very important dimension, a dimension where America for the first time probably in 40 years has become vulnerable to unconventional attacks that are very much national security risks. Here I speak to the significance of weapons of mass destruction that might fall in the hands of terrorists and other organizations and of cyber attacks. Very small numbers of people can now wage war on America.
This is emerging as a very important dimension to our evolving thinking about national security. Counter-proliferation, chemical weapons, biological weapons and preventing the use of them by terrorists, cyber warfare, cyber attack, protecting America; I think these are some of the most pressing security issues we face. But in all honesty, I think this issue of the inter-relationship of security and trade is just as much on a par with these other issues.
First, if I may, I would like to provide a historical context or a framework for our thinking. Periodically American history has been punctuated by events that have been truly historic in their size or in their consequence. These were times when major government policies had to interact with sweeping social or economic or technological developments.
There were times when government became the engine of progress and facilitated development, and there were times, sadly, when government was woefully unprepared to deal with these changes. Back in the 1800s, when we bought the Louisiana Purchase from the French, the government set about a remarkably successful policy to open up a vast, new territory. It established in essence a condominium arrangement with railroads giving land grants to open up the Midwest. It gave land away to establish institutions of higher education, land grants to homesteaders, and effectively populated the heartland of America in a remarkably short period of time.
In 1929 and over the following decade when the Great Depression gripped the country, the government worked creatively and developed a series of policies and programs for a socially responsible capitalism, a capitalism that could stand up against the challenges of communism on the left and national socialism on the right.
World War II shattered the international political system at the same time that it brought an end to 19th century colonialism. America in the aftermath launched the Marshall Plan to help rebuild Europe and boost the American economy. We worked with other countries and evolved a set of remarkably successful international organizations to create the liberal international economic order that for all practical purposes won the Cold War, that and our vigilance in the Defense Department and as a country to maintain strong defenses during that period.
Each of these were very historic episodes in American history where complex social and economic, and in some cases technological forces, came together and became a tough political reality that we had to deal with. In many of these instances we dealt with them quite successfully.
We are right now in an equally historic time. The forces that are afoot and summarized by trade and globalization really represent just such a sweeping set of challenges. I would like to discuss three dimensions of this problem, all of which have enormous significance for national security.
The first development is the globalization of American business. The second is the radical new business practices that have been pioneered by American business and the security implications of those practices. Then finally, I would like to talk about the maturing of the information technology that is used as the primary method of control of physical processes and business processes and the implication that has for national security.
First, let me discuss the globalization of American business. The most American car you could buy today is only 94 percent American. That is the most American car you can buy. McDonnell-Douglas and now Boeing, when it competes overseas selling the F-18, it competes frequently against the Swedish Grippen fighter which is 60 percent American content.
The most important elements of any weapons system that we buy nowadays, the electronic components, are based on computer chips, and we have virtually no idea in what country they are manufactured. Software that runs computers in virtually every aspect of American life is increasingly international. The source code running the systems is routinely written overseas.
One American software giant has a subsidiary that is developing security software using former Soviet cryptologists. The new Silicon Valley is actually located in India, and in Ireland. A major overseas telecommunications entity just last week bought a U.S. manufacturing subsidiary to make switches.
All of these examples lead me to say I am not sure what an American company is anymore. I am not sure what an American product is anymore. Our industrial security system is structured around 50-year-old concepts of national security, structured around the nationality of the board of directors. It is structured around the geographical location of the corporate headquarters. It is not at all structured around the real content of the processes that make American products anymore.
The Defense Department has a very special problem in this area. We want very much to eliminate a dedicated defense industrial base. The defense industrial base that was built up during the ‘60s and ‘70s and ‘80s was a hothouse industry, very much revolving around defense acquisition techniques and procedures and all of the inefficiencies that came with that. We want very much to eliminate a defense industrial base and to adopt, in essence, just an industrial base. But then we have to come to grips with what it means when your industrial base is international and how to protect ourselves and the technology in our systems in what is, in essence, a global industrial base.
The second development I want to talk about concerns the radical new business practices that have revolutionized American industry and have fueled American productivity in the last 10 years. During the last 10 years, American businesses pioneered some startling relationships that effectively blur the distinction between customer and provider.
Let me use as an analogy the case of AT&T. AT&T at one time had thousands of switchboard operators who would place a call for you. AT&T came to the remarkable conclusion that if they could automate that process with dial telephones they could get you, the customer, to do all the work, lower their costs, and you would actually learn to like to that. And we all do. We take that very much for granted now.
That very phenomena has seized American business during the last 10 years. If you want to ship more than five parcels a day with FedEx, they will come and put an entire management system in your office to prepare the label to put on the packages. What you don't know as the customer is you are actually preparing your own invoice. You are doing FedEx's work for them.
If you are a shipper and you want to ship commodities on the Burlington Northern, you can give them a call and they will send you software that lets you, the customer, enter into their routing system to schedule your own transportation arrangements.
The deregulation of the power industry has effectively required the utility companies in this country to provide technical information about their networks and systems to anyone who wants to sell surplus power to them as excess to their local production capacity.
Now what all these examples effectively mean is that a foreign country with hostile intent can easily penetrate America's infrastructure by setting up subsidiaries in the United States.
The third development I would like to talk about is the maturing information technology being used as a primary control for physical and business processes. I do not think any of us has appreciation of how pervasively this technology has come to dominate the business and social life in this country. Every infrastructure in this country effectively is controlled today by remote computer control systems. They're called SCADAS, Supervisory Control and Data Acquisition Systems.
Microprocessors control valves and switches, irrigation pumps, traffic flights, pumping stations, you name it. All are being controlled largely by these SCADAS systems. We have had SCADAS systems for sometime. What has been more remarkable during the last 10 years is the way that companies, in order to minimize costs, have abandoned the unique proprietary telecommunications systems they used to link up their sensors, their control devices, and have adopted an Internet basis to connect them, instead. Right now, many utility companies in this country are largely controlling sensitive measuring devices and control devices through the Internet, and virtually none of it is encrypted.
We ran an exercise in the Defense Department a year ago called Eligible Receiver, where we tried to test whether or not we were susceptible to computer attack. We assigned the task to 35 guys at the National Security Agency. They were given money to buy computers from a commercial store and told to set up their own commercial access through an Internet provider. They were given no special tools. The only software they were allowed to use was software they could either buy off of the shelf or download from the Internet. They were given only three months to do what was effectively an electronic surveillance of the country. It was, in essence, an off-the-shelf attack.
We did not let them bring down the electric grid in the country, but they proved they could do it. We did let them attack the telecommunications system that is the backbone for the Department of Defense, and it was frightening. The bottom line to all of this is that America's infrastructure is wide open to disruption, increasingly connected to the Internet, and connected to a technology for which there is no embedded security.
Let me draw these three different dimensions together and pose some observations. I firmly believe that the next decade poses some unusual national security challenges much different in scale and in sweep than those in our planning. They are caused by the deep economic forces that are afoot in this country. Our very economic productivity is creating our vulnerability. You cannot wish this problem away. You cannot wish the clock back. You cannot stop the remarkable engine of productivity that is driving this economy. Yet, I do not believe we can proceed without thinking this through very, very carefully as a Department and, frankly, as a country.
When small countries or small groups of people can effectively wage war against the most powerful country in the world, we face a serious future, and we have to do something about it.
I fear that the American government right now can scarcely cope with this challenge. Politics in Washington remains profoundly parochial at a time when America's security challenges are astoundingly international. A simple allegation of impropriety by a company launching satellites brought forth five amendments that could well become the law of the land, and that would prohibit us to export satellites at all to China ever again. If one company allegedly violated export controls, all companies are to be punished. We are wrestling with profound limitations because the parochial nature of our system is wrestling with and struggling with international challenges. That is part of the reason I wanted to come up and talk to you.
The forces that I have described are so sweeping that they transcend the structure of the executive branch of the government. We have spent the last two-and-a-half years trying to come to grips with an encryption policy, and we have not been able to succeed. It is not any better up on Capitol Hill. There are 15 separate committees that claim jurisdiction over the encryption issue. We are making little progress dealing with such complex problems.
You asked me to discuss where free trade and globalization impinge on U.S. security and, as I said at the outset, I think this is probably one of the most important and complicated subjects that we face. It is in one sense far more complicated than the counterproliferation problem, and that, I think, is probably our most serious challenge.
Let me at least suggest three areas where I think we as a government and you as important influence-shapers need to help us, areas where we as a government need to devote considerable energy in the next couple of years.
First, we must develop a modern 21st century risk model for national security. We are still operating a security system that goes back to Julius and Ethel Rosenberg. We screen kids for using drugs, but we ignore the fact that a fraudulent company can operate in the United States and on its own sweet time develop an economic order of battle against this country. We screen kids for drugs, but we have no idea where the operating codes for most of our computer systems is written.
All around us, the private sector has developed much more sophisticated models to manage risk than we have in the federal government. When we use a credit card, the credit card company is matching us against a profile, a risk profile. Granted, it is a simple, one-dimensional problem compared to what we would face, but at least they are working on it in a much more sophisticated way.
We are going to have to develop a risk model that integrates the nature of the job, the nature of the task, the behavior of the individual, and brings a temporal dimension to the sensitivity of the information that we are trying to protect. It will require an unusual degree of cooperation between law enforcement and national security organizations.
Second, we need to reassess the very foundations of the regulatory control system that governs American industry when it comes to the issue of national security. We continue to operate a security system that largely worries about the nationality of the board of directors or the geographical location of the corporate headquarters, which is very naive.
We need to develop an entirely new approach to this problem. We are bumping up against this time and time again when overseas companies want to buy U.S. companies that are involved in the defense business and we continue to think that protection comes from independent directors who are Americans. That is very naive on our part. We need to develop an entirely new system of procedural controls.
Third -- and this is going to be hard -- we, as a country, are going to have to reassess the traditional boundaries that delimit national security and law enforcement. We have a 19th-century view of national security. If a problem develops outside of the borders of the United States, it is a national security problem. If it is inside of U.S. borders, it is law enforcement. But there are no borders in cyberspace.
For us to deal with things such as state-sponsored terrorism and cyberattacks, we are going to have to overcome this inherent, very profound limitation that delimits how we at the Department of Defense relate with other agencies in the federal government. We would rather not be involved, but like it or not, we will be heavily involved in coping with the consequences in this new world.
To summarize, we are living through an enormously historic time. The economic and technical and social forces are well beyond my ability to comprehend or probably any individual's ability to comprehend. They are vibrant and changing, and we are not dealing with them adequately. They have far-reaching implications for our national security, and we as a government have been feeble in dealing with them.
I ask for your help, frankly. I came to the Council on Foreign Relations because you are very serious and successful people who are willing to tackle very tough problems. These are enormously complex problems, and you have to help us as a government wrestle with them and find solutions. Our future national security depends on it.