Cyber-War: Point Counterpoint
An Address to The Commonwealth Club, Palo Alto, California. September 21, 2000. By Kent Kresa, Chairman, President and Chief Executive Officer, Northrop Grumman Corporation.
Thank you and good afternoon. It is a great pleasure to be here with the Commonwealth Club and have the chance to spend some time in northern California. Each time I am here, I am reminded of how dynamic this region is and of the impact it has on the economies of California, the United States, and indeed the entire world.
Of course, as the economists constantly remind us, there is a cost to be paid for everything, and to some extent the Bay area is a victim of the old adage that no good deed goes unpunished. As you are all aware, the appeal of this wonderful region—its overall quality of life and the continued vibrancy of the information technology industry centered here—has resulted in increasingly high real estate prices. Northrop Grumman has a sizable marine systems division in Sunnyvale and we are certainly aware of the difficulties in attracting quality employees to an area where home ownership is so difficult.
I have been privileged over the past 10 years to serve as the Chief Executive Officer of Northrop Grumman. During that time the aerospace domestic and global environment has changed enormously. In our case, we have methodically re-shaped Northrop Grumman from a company that predominantly manufactured combat aircraft for the defense department, to a leading systems integration, defense electronics and governmental information technology enterprise.
It has been a most exciting transformation, and one that gives us a useful perspective on how some of the same strategies we've used in defense can be applied to the IT realm as well. Why the IT realm, you may ask? Well, although information technology, through its networks, has given us all a common ground, it has also created a new battleground—one that our experience tells us will need to be strategically managed. I speak, specifically, of information assurance and security and of cyberwar and the defensive countermeasures we need to address it. But before I do that, I'd like to touch on how traditional defensive measures evolved and then demonstrate how a parallel effort must be made in cyberspace.
At Northrop Grumman, our past efforts and experiences working with the military services and the defense establishment have conditioned us to expect that today's military systems, no matter how sophisticated and elaborate, will in due time generate counter systems, and even counter-counter systems. Let me describe how this cycle has worked in the past regarding one of the most significant military developments of the last century…radar.
When aircraft first saw military use in World War I, pilots quickly learned that the first requirement for any successful combat engagement was locating the enemy plane. Troops on the ground, and pilots in the air, relied on three phenomena to help them detect the presence of another aircraft: they either saw it, they heard it, or they were shot at by it. Of the three options, the last one was clearly the least preferred.
Since the bi-plane fighters of this era had no cockpit radios, even when an observer located a plane it was not possible to transmit this vital information to other aircraft. Even on the ground, using wire communications, information passed slowly and with little efficiency. Over the next several years, tactics were developed to help pilots cope with the challenge. Both sides mounted large and frequent patrols to monitor enemy aircraft, and telephone lines were laid from troop positions back to airfields where fighters could take off as soon as enemy planes were spotted. Audio detection became another important tactic, since planes at this time could be heard long before they were seen. In response, air attacks were then shifted to nighttime to minimize visual detection and reduce the advantages of sound detection. This in turn was countered by blackouts and air-raid shelters on the ground, which thwarted the nocturnal attack.
In the 1930s, a major change occurred when warning radars were developed. It was a development that took many airmen by surprise, and radar certainly changed air tactics as well. During the Battle of Britain, radar tipped the scales in favor of the defenders by substantially reducing the advantage of surprise and initiative. The planes of this period, having been designed with the idea of enhanced speed, greater payloads, and more survivable structures, found that they were easily detectable by radar. The British "Chain Home" radar system, which included both long-range and shorter-ranged systems for aircraft vectoring, was most effective.
Later in the war, when the Allies began deep penetration raids into Germany, they found themselves facing a well-integrated air defense system that tied together early warning radar, anti-aircraft guns and fighters. The effectiveness of this system spawned an entire series of measures and counter-measures. Bombers were built so that they were more rugged, night bombing raids continued and fighter aircraft were developed to escort bombers to and from the deepest targets.
Perhaps the most intriguing aspect of this era was the development of what we now call "Electronic Counter Measures," or ECMs. The British began using metallic foil to saturate radarscopes and create false returns and large electronic clouds that screened the size and location of the enemy force. The Germans developed electronic counter-counter measures by devising a system capable of detecting the slight differences in the speed of the slow-moving clouds contrasted with the faster moving bombers. This somewhat lifted the cloud from their radar screens.
This "radar game" continued and became increasingly elaborate. During the Vietnam War, radar was used to not only detect incoming aircraft but to guide surface-to-air missiles, or SAMs. This subsequently led to the development of systems to confuse these detection, fire-control and guidance radars. Special munitions were developed to home in on the emissions of North Vietnamese SAM radars, including specialized Wild Weasel aircraft. Jamming pods were used to conceal the precise locations of U.S. aircraft as they hunted for the SAMs. Late in the Vietnam War, U.S. attack packages consisted of as much as 80 percent support functions, such as SAM suppression and fighter escort, rather than a large proportion of bomb delivery.
Perhaps the ultimate move in the radar game was the development, during the late 1970s and early 1980s, of stealth technology. This innovative approach radically reduced not only the radar cross-section of aircraft, but their visual and acoustic signatures as well.
In the skies over Kosovo, NATO made use of both traditional counters to radar air defenses such as electronic jamming aircraft as well as the employment of two stealth aircraft, the F-117 and the B-2. The B-2 bomber, a Northrop Grumman aircraft, showed itself capable of flying brilliantly from Missouri to Kosovo with very minimal support while avoiding radar detection. This revolutionary aircraft, comprising some 300 computers and other high-tech equipment, was just one of several previously disparate elements of airpower, including surveillance, command and control and electronic warfare, that NATO commanders were able to integrate. One such example of air power effectiveness against land forces was NATO's application of a dynamic real-time targeting device to quickly detect, locate and track stationary and moving vehicles, while in a stand-off orbit clear of Serbia's air defenses.
But what does this all mean to you? In my view, the dynamics of the cyberwar that I mentioned earlier are very similar to those military moves and counter-moves and are occurring at an ever-shorter frequency cycle.
Like the rapid transition of the airplane, which moved from a vehicle of communications and transportation to one providing military advantage, the development of the Internet during the past decade seems to offer a striking parallel.
Those of you in this forum are well aware of the facts. Thirty years ago there were three computers that were connected together in a network. In early 1999 it was estimated that 43 million computers were connected to the Internet, and by the end of 2001 this number should more than double to 100 million. Electronic commerce that accounted for less than $30 million two years ago is expected to reach nearly $1 trillion by 2003.
But like the development of the airplane, then radar, then electronic counter-measures, and electronic counter-counter measures, the arrival of the Internet has created a security challenge that should concern us all in both its commercial and defense dimensions. In a recent survey, 92 percent of company CIOs listed information security as their number one priority. What were once a few isolated incidents of hacking into individual PCs now threaten to become organized, massive attacks against key financial, commercial, and even national security infrastructure systems in a degree approaching what has recently been described as an "electronic Pearl Harbor."
Disturbingly, we have begun to see harbingers of this electronic Pearl Harbor. During the 1990s, when some 6,000 viruses did 7 billion dollars' worth of damage to commercial businesses, the Pentagon reported that its computer systems had been under what was described as a "coordinated, organized" attack for many months. Later, the General Accounting Office reported that, despite efforts at corrective action, poor information security placed the Pentagon's defense operations at risk. During that same time, Serbian hackers broke into the NATO web site during the conflict over Kosovo, while in Asia there were reports that China and Taiwan were engaged in a cyber skirmish that was raising tensions across the straits in a most novel manner. And, of course, millions of Americans and others around the world found themselves crippled by viruses called "Melissa," "Chernobyl" and most recently the "I Love You" virus.
These two trends, the increasing reliance on technology and the Internet and the aggressive efforts by various parties around the world to disrupt and pervert their usage, suggest that we are moving into a period where counter-measures and security measures will become increasingly necessary and valuable. Up until now, the efforts of hackers have been largely uncoordinated and designed to either create an annoyance or merely to provide a field for competitive self-satisfaction by talented, and sometimes misguided, programmers. But we are now entering increasingly dangerous waters.
Consider just two examples of increased Internet use in the military and defense dimensions.
First, in the military dimension, as our forces become smaller and our missions more global, controlling and sustaining forces in numerous, distant theaters will rely more heavily on rapidly and reliably transmitting information. Our commanders today depend on multiple systems that provide information on the locations of the enemy and of friendly forces as well as the operational conditions of their units. It is increasingly understood that in modern conflict, superior information is nearly as important as superior ammunition. The aspiration is for a system-of-systems providing an elaborate intelligence, surveillance, reconnaissance, command, control, communications, and computer system–C4ISR, as it's known to the military services. Possessing such a system, which can be accessed by friendly forces as needed to extract information necessary and relevant to them, provides a key capability in fielding the force of the next decade. Efforts to turn this vision into reality are well under way, and we at Northrop Grumman have played a significant role in developing this capability.
And second, in the defense dimension, imagine the implications of successful counter-moves. What if the enemy is able to access this system and extract the information available? Imagine the advantages to the enemy if the information our commanders access is suddenly corrupted, becoming either unusable or, perhaps more worrisome, inaccurate. Units could be reported to be in the wrong locations, increasing the chances of friendly-fire exchanges. Or personnel could be reassigned to units where their services are either not needed or not relevant. And what if fuel supplies are cancelled or diverted?
At all levels, from the local LAN system to national security issues, we need to think about such possibilities. The challenge is identical to the move and counter-move scenario that those of us in the defense sector have observed throughout the past century. Just as aircraft and the development of radar engendered countervailing responses, the same has been seen in armor and anti-armor warfare, submarine and anti-submarine warfare, and on a more contemporary issue, missiles and missile defenses. We are accustomed to thinking in these terms. Presently, one of Northrop Grumman's high-priority programs is developing not only information systems that detect attacks but hopefully also predict attacks, and when an attack succeeds, quickly and seamlessly restore any information that may have been lost, damaged, or altered.
I see this as a natural area in which the focus and experiences of those of us in the defense sector converge with those of you in the computer and software industry.
In the defense industry, we have been preparing for this new challenge by developing systems and software designed to help the military detect intrusions and recover critical data in real time—a concept called "information resiliency." But we have not been doing it alone. We have heavily relied on the valuable contributions of our IT colleagues in the private sector, who have provided many commercial off-the-shelf solutions that are woven into our own systems. For example, our Northrop Grumman team has integrated commercial products with our own efforts to forecast attacks and respond in real time immediately after the attack. From an information resiliency perspective, recovery is, after all, easier if the attack is not entirely unexpected.
There is, in fact, a growing recognition that in the new emerging field of cyberwar, such information resiliency—and the related concept of information superiority—may become as important as the traditional military concept of air, naval, and ground superiority. In fact, it is more than that, since it involves the very livelihoods of all of you in this room. The commercial applications you work on are all subject to—and indeed often devoted to—issues relating to cyberwarfare, and I see your industry as a key player in cyberdefense, helping to guard against an electronic Pearl Harbor.
This analogy brings me to another key point. Historically, only the government could have responded when the bombs fell at Pearl Harbor more than half a century ago, and it seems probable that only government has the unifying authority to retaliate against a concerted "cyberwar" assault today. In most venues, the reduction and even removal of governmental control in the private sector has unleashed new efficiencies and spurred prosperity. However, defense against cyberwar may be the exception to this trend.
Consider the potential implications of future cyberwar attacks. What if commercial air traffic controllers received spurious signals in their computer systems and could not identify real airplanes from phantoms? There are already recent reports about false instructions being sent to commercial airliners from bogus air traffic controllers. What if other false instructions crippled the national utility grid or destabilized nuclear power plants? Could an enemy nation or terrorist group electronically disable our national health infrastructure to pave the way for a biological attack?
Cyberwarfare could in fact be the tool that allows weaker nations to offset America's military might, compromising major defense systems by altering target information, changing surveillance data, corrupting intricate unit deployment schedules, falsifying readiness conditions and misdirecting key personnel. Since military logistics are increasingly designed to deliver enough support "just in time" rather than pushing mountains of equipment and supplies forward, the sabotage of software that changes priorities, destinations and timelines could halt or paralyze military operations.
We are now well into a cycle where advances of the positive dimensions of cyberspace must be matched by efforts that minimize the resulting vulnerabilities. This presents us all with a major challenge, but one I am confident our collective skills and experiences will meet. Steps have been taken, such as the establishment by the President of an office developing policies for the protection of key national infrastructure, and the recent publication of a plan to do so. But this must be viewed as a preliminary effort requiring further, more forceful, steps.
One of the top priorities of the new president and his national security team must be to convene a national cyberdefense summit. This summit should include government officials and CEOs from American industries and institutions with responsibility for the nation's infrastructure. Only a dramatic high-level commitment to address the dangers of cyberwar, along with intensive public and private "wargaming," will prepare us to repel an electronic Pearl Harbor.
I share the reservations of many regarding the establishment of new government agencies with broad authority. As a general rule, such actions tend to be counterproductive and costly, and they can run the risk of expanding bureaucracy without enhancing service to the citizenry. Cyberwar is different. Widespread disruption can be caused by a small group of electronic terrorists, just as effectively as it could by an organized cyber army. It is clear from the tepid federal response to the "I Love You" bug that new federal structures may be needed with the authority to act rapidly and in concert with the private sector. There may even be a need for a cyberwar Czar, or national "commander" with "troops" at his disposal. Today, we only have a national coordinator with the responsibility—but no real authority—to carry out this increasingly important mission.
Furthermore, some of the mandates in the presidential directive remain unfunded. Congress must appropriate the funds as quickly as possible, an investment that will pay dividends if it deflects just one attack by truly dedicated cyberterrorists.
A similar effort was mounted to address the Y2K challenge, and it did so successfully. But cyberwar presents a more complex problem, as it does not have a known date when it will occur, and the software enabling it is not already resident in the key systems under our control.
To summarize, in this era of increasing reliance on computers, and particularly on links between computers, there are more and more opportunities for conspirators to counter our technological advances by invading and corrupting key systems.
If we work together, pooling public and private sector assets and energies, I am confident that those of us who have wrestled with the traditional defense challenges can assist those who have pioneered this new cyber world to make it into a reliable servant rather than a threatening intruder.