|National Security Telecommunications Advisory Committee |
National Security Telecommunications Advisory Committee
Remarks as Delivered By Deputy Secretary of Defense John J. Hamre Henderson, Auditorium, U.S. Department of State Washington, D.C. Wednesday, June 9, 1999.
[Transcript begins with speech progress.] We are probably several hours away from possible returning to an uneasy peace in Kosovo. So if I might take just a few minutes to give you a bit of comment on that before I talk about Y2K.
I am hopeful that the commitments that were made for a peaceful resolution about a week ago are finally going to be realized in the next several hours. It's been a very difficult time, obviously, as everybody understands. It's always hard when your country is at war. So in the uneasy calm of right now, let me give you a bit of reaction.
First, I think we need to recognize what an enormous accomplishment this was for an alliance of 19 countries that had never been to war before [together] to have stayed together and have functioned very, very well. I think it's astounding; [we have] flown over 30,000 air sorties in the last 72 days. We have had no casualties on the Western side, which is a remarkable accomplishment. We have lost two aircraft. But two aircraft in 30,000 sorties is just unbelievable when you think about it.
I've just finished reading a book about the Normandy invasion from the perspective of the Germans. It is a very, very interesting text [about] the damage that was created by 30 and 40 waves a day, of 400 aircraft each. It's astounding; how carpet bombing, 300 airplanes in one mission, [would try to] take out one bridge.
In this operation, we would have a B-2 fly one sortie, it would drop eight bombs and it would take out every span of a bridge across the Danube, then have half a load to do another mission. It was truly remarkable. The accuracy has been unprecedented.
I say a lot of that by way of backdrop to voice a bit of my personal outrage at the discussion in this country and elsewhere by the "blame America first" crowd that always likes to bring up "moral equivalency" when we have an opponent that displaced one-and-a-half million civilians. We go to great pains, astounding pains, to make sure that we minimize collateral damage. Because of accidents we've had, perhaps, 500 civilian casualties. Five hundred casualties after 30,000 sorties.
Thirty thousand French civilians died during the Normandy invasion. I tell you, I’m offended by anybody who would argue "moral equivalency." But we're glad it's over, and I think we should be very proud of how the Air Force and all of the air forces have performed; not just our Air Force, but the Marines and Navy, the Army, and certainly our colleagues and our allies.
I think this [operation] has led us to ask some very hard questions. Clearly, as an alliance, this was hard. I think we have to ask a lot of rather tough questions about where our allies are going in terms of their modernization plans. If they're going to fight with the United States in the future, they have to start doing a better job of buying the kind of equipment and embracing the sorts of doctrine that have it takes to fight the way the United States does.
This is going to be a real challenge because there are an awful lot of countries that would like to sit back and say, "Wow, that’s over. We'll not do that again for a while." Well, I'm afraid this could very well be our future, and we have a requirement, as allies, to come together with a very steely eye to assess how well we did, [whether] we were all able to contribute in equal measure, and [whether] we are going to be able to do that over time?
This was a fairly searing experience in terms of how demanding this was and how we operated in a very conservative manner. In the United States, it's very clear now that we do not have the balance in our forces to be able to conduct two [such conflicts] at the same time. That would be a very hard thing. We clearly do not have enough air reconnaissance assets, jamming aircraft and ground surveillance aircraft. We have really flown our people hard in the last two and a half months. We're going to have to make some important resource decisions.
I think they're balance issues, I don’t think they’re necessarily of magnitude, though we’d sure take more money if [Congress] gave it to us. But there certainly are some balance questions we have to go through and that will be the effort over the next 18 months because it will have to be a backdrop for everybody’s preparation for the next Quadrennial Defense Review. But I want you, all of you, to feel genuine satisfaction and pride in how well our forces did. This was tough, very tough.
You should also be grateful for a country that has invested in the ability to wage war and minimize civilian casualties. I remember seeing the plans when we needed to take out a transmitting tower in downtown Belgrade. It was two blocks away from St. Marks Cathedral, the seat of the Diocese. We took down that tower and didn't knock out a window. That's how we want to do it in the future, and we need to have allies who can do that with us.
Let me take a minute to talk about Y2K, and then I would like to talk about another subject. We've made a lot of progress during the last year on Year 2000. As I think I may have mentioned to you before, from our perspective, rarely do you know exactly the time and the place when the enemy will attack you. But we had the luxury in this case. We knew exactly the time and exactly the place and exactly how an attack would occur. Rarely do we have that.
We put our warriors in charge; like [General] Dick Myers [Commander in Chief, U.S. Space Command]. Nobody gets to duck this one. It's his responsibility. If the computers don't work and he can't warn the President of a strategic attack on the 1st of January, nobody is going to blame a first sergeant someplace. It's going to be Dick that has that problem. He knows that. All of our commanders know that.
That's why this system is really turned around. Ninety-eight percent of our systems right now are fixed and certified as fixed. We have about 40 to 50 systems left to fix. This is out of 2,000, 2,100 mission-critical systems. A lot of these were so old that the programmers who worked on them have long since died. We had to bring a few of them back from the dead to help us fix them.
We're talking about another 4,000 non-mission-critical systems. We're about 85 to 90 percent fixed with those. And when we say fixed, it's not just that I said so, it's because somebody has independently tested to say that [they work]. We are right now in the process of conducting a series of end-to-end tests. General Myers and SPACECOM really took the lead in this. They were the first ones to demonstrate what it took. They did a series of exercises, all the way from the early-warning radars to the command centers, to the processing centers to the President to the forces in the field in a string of communications 30 and 40 deep, to find out where we would have a problem.
We were pleasantly surprised that the fixes and the testing that have been done largely proved out that they worked. We have a couple of little problems. Thank God we had a couple, otherwise you wouldn't believe the test was honest. But they have demonstrated that there's no question that we'll be able to defend America on the 1st of January, on the 2nd of January, on the 29th of February, and all those other days [after].
We have been shifting our focus in addition to the operational testing. We are now shifting our focus over to two related things that are important to us. One is our forces deployed overseas and their dependents on the infrastructure in host countries. This makes us a bit nervous. As all of you know from your experience, a lot of these countries have said that they don't have a problem, but there's not a lot of evidence that they've fixed the problem.
For example, all the countries in Asia that have been struggling with very significant economic problems all of a sudden have to tackle the Year 2000 problem and it is quite a challenge. We are a bit nervous. Obviously, we're not worried about our warfighting capability, because we designed that to operate autonomously. That will be okay. But we are worried about quality-of-life related problems and that sort of thing. The regional CINC's right now are working with host governments to see where we are. We are doing a survey to find out whether we need to pre-position some power generators and things of that nature. I think we'll be okay.
The other thing that we are focusing on is how we, the Department of Defense, can provide augmenting resources if there are problems in the United States or elsewhere. We have formulated a basic decision-making framework for dealing with this. The first priority will go automatically to demands related to the survival of the Nation; supporting the National Command Authorities, our intelligence capabilities, ongoing military operations and so forth.
The second priority is health and safety issues, such as making sure that Federal penitentiaries have backup power and the air traffic control system will work, and that sort of thing. [The military has] the ability to operate about 30 airfields in the field if we had to in the event of war. So as for the question of whether we have to move someplace in the United States, we'll be ready.
Again, we don't anticipate many problems in the United States. We're less certain about what's going to happen overseas. I, like you, Larry [Weinbach; Unisys], would love to not have this legal pall hang over our head, so we could talk more honestly about where things stand. It's pretty awkward having everybody worry about their legal flanks and not being able to talk a little bit more about it. So I share your frustration. But I think from a perspective of at least national security, we're going to be fine. We're going to do okay.
We were surprised to find how small the embedded chip problem was. I'm hearing that that's been your experience, too. When we got into really testing it, we found 3 percent or so of the problematic chips really had problems. That's obviously something we can handle if we get any surprises. I'm sure that most of you are finding the same thing. So, just to report to you, Van [Honeycutt; NSTAC Chairman] and to others as consumers of national security that is depending on us, we'll be there.
Let me also talk about some things that we have been going through in the last couple of days. I'm going to a meeting with Dr. [Linton] Wells [Principal Deputy Assistant Secretary of Defense, Command, Control, Communications and Intelligence] at the White House in a few minutes to talk about encryption and export controls. Of course, when I last met with you, I was fearing what has happened. Allegations of foreign spies and America's infrastructure have come out. It has led our political climate to get more paranoid and parochial.
My fear is that we, in this environment, will seek nostalgic solutions that are inappropriate to the problems we face today. To think that we could go back to Cold War industrial security models that we had in the sixties and the seventies, and to think that that would work in the nineties and in the new millennium, is crazy.
As I said to you before, I don't know what an American product is any more, with components that are made all over and then brought to a foreign place to be manufactured, to be shipped with an English label around it and sold in the United States. I'm not sure what an American product is. Yet, to adopt a security approach that assumes that products are made in the United States and that the manufacturing processes are all controlled and predicted, is inappropriate to the world that we're in. I wish it were so simple, but it isn't that simple. It's dramatically harder.
This is why I think a forum like this is so important. I don't know that we can solve these problems as a country without having a very robust and open dialogue between those of us who, in our current jobs, are responsible from a national perspective for the government, and those of you who have national responsibilities of the part of companies that depend on a strong, vibrant government and an adaptive and a flexible government to deal with these incredibly complex challenges. None are more important the issues of software controls, export controls, encryption, computer exports and supercomputers.
It's amazing to me that a supercomputer is now two laptops strapped together. But if you were to look at what was put in the law five years ago in terms of what defines a supercomputer, I think it involved having two chips operating in tandem. Is this the stuff of which we ought to write legislation and take eight months to enact, and then 15 years to un-enact?
This is very hard work, and what it means is that you and I – industry and government -- have to sit down and find solutions to this very complex problem. [We need to examine] how we can stay adaptive as a government so that American products really can lead the world. We want that more than we want anything, but in a manner where we can still protect underlying security interests, and not in a mindless, unthinking way.
In this regard, I very much hope and would ask for NSTAC's help. I know that a lot of you are rather wary about this encryption issue. I'm not asking you to get into the debate as it relates to privacy or to law enforcement issues. We'll handle that here [in the government]. Rather, we need you to tackle the much deeper, more complicated problem of how we embed security "in depth" in the infrastructure upon which we the government depends and upon which you and your customers depend.
It isn't possible to just say, "Well, whoever wants to use our pipes can encrypt whatever they want to send over the pipes." That's too simple a solution to this problem. Security is going to have to be built in, "in depth," and part of it has to be in the underlying infrastructure that we're using. I know your customers are talking to you about that. You're trying to figure out what they really mean and whether they are really willing to pay for it, and how you can get your money back. Those are all legitimate questions.
As we're learning, this is a very dynamic and porous technology. As we are rationally bringing together this integrated cyber space, the seamless, digital world, we are going to have to find ways that we can provide reliable and safe operations inside of it. I don't know that we can do that, as the government, just thinking our way through it by ourselves. As a matter of fact, I know we can't do that, as the government just thinking our way through it by ourselves. If we tried, we'd end up with a typical government solution. It would be state-of-the-art today and obsolete within a year. We would design something that was strongly oriented around what some of us might think is a winning technology today, and we may find out, in three years, that it's obsolete because something else has come along. So we need to find a solution, in partnership. We need to find a solution to this security problem.
John Lofstedt [NSTAC Vice Chair Representative to Industry Executive Subcommittee] said something to me last night that was very insightful. He said, "When [the government] says ‘security,’ it means something different than when [industry] hears the word ‘security.’ We hear ‘security’ and we think liability; is this going to be able to provide reliable, dependable service? That's what we think about security." That was very interesting and insightful. It led me to realize that we probably had a dialogue of the deaf for the last couple of years on this subject, where we each think we're talking to each other, but we're not hearing each other.
At the same time, I'm very, very realistic in knowing that you're not going to embed extensive procedures and techniques and tools inside your world that you can't charge or get reimbursed for. I understand that. We've got to figure this out together. The Department of Defense is a unique partner for you, in this sense because we have to live with a foot in both worlds. We are a very large customer that depends on commercial services, but also an entity in the government that worries about security in a longer-term sense. So we want both to protect ourselves in cyberspace and we want to take advantage of its boundless productive opportunities.
We can't do that by ourselves. We will get the wrong solution. Again, I'm not asking you to get into all of these hot political issues in Washington with the cyber libertarians. We'll handle that. But help us on a technical level. Understand where and how we should design operable security solutions "in depth."
That's what I would ask your help on. We don't have that in Washington. What we have is warring factions from the various constituencies that come to town and try to gain a preferred leverage position against each other in the political environment. We don't have a useful, technical road map to guide us and help us think about this, and I think NSTAC is uniquely important to help us in that regard. Let me stop with that.