Defending Cyberspace ’98

Technology is dramatically changing the way we do business in the DoD. For example, we no longer send doctors into the field with all kinds of manuals. Now we simply can call that down off the web. It’s really quite exciting.

Remarks by Dr. John J. Hamre, Deputy Secretary of Defense, at the CardTech/Secure Tech Conference. Washington, D.C., Sept. 23, 1998. Source: DoD.

Deputy Secretary Hamre: Good morning to all of you. I’m really delighted to be with you. I have a special affinity to this organization. One of the component elements that is now making up this new combined conference were the “fraud in cyberspace” conferences, and I worked closely with you all in that regard over the last several years and felt it was an enormously important thing to get started.

I was feeling this rather firsthand because I was the Comptroller at the time in DoD and regularly was skewered and roasted medium well on the Hill for our failings, and thought that we really needed to do something about this. I thought there was an awful lot of good and very productive work that was done through the previous conferences. I’m really delighted that it’s continuing, and it’s continuing now I think in a deeper and richer form, and that’s just terrific.

I would also say I think this is a community that frankly is fairly much ahead of everyone else in government thinking about security in cyberspace. It’s just starting to dawn on people the kind of challenges we’re creating for ourselves with this very exciting and very dynamic technology, and that’s really what I would like to talk with you about. My views are going to be slightly different than in the previous conferences because my world view is slightly different now. I still want to talk about the same thing — not just from a financial management standpoint. I would like to talk about it a little bit more broadly from the Defense Department’s perspective, and to really talk about this central tension that I think is emerging between the exciting opportunities, enormous productivity that comes with these new electronic tools versus the insecurity that we’re creating for ourselves as a byproduct of this new technology and the way we’re bringing it on board.

First, let’s talk about the plus side of the equation. I forget the statistic, but I think someone once said that 80 percent of the productivity growth in our economy in the last ten years really is a direct byproduct of this technology coming into the business place. It is absolutely explosive and enormously exciting.

What’s probably most interesting to me is that in the past when organizations — businesses, government — when organizations chose to use computers they basically bought computer systems and adapted those systems to fit the business practice of the organization. That’s part of the reason why we’ve got 28,000 computer systems in the Department of Defense.

What’s most interesting about this new revolution that’s underway is that this technology is so flexible, it is so open, it is so dynamic that organizations are adapting their business practices to fit this new technology. It’s really a very interesting development. It is, I think, hard to overstate the significance of that.

We’re certainly seeing this in the Department of Defense. We have an explosive use of this new technology for our business practices, and it’s really quite dramatic.

We frankly see it as being the backbone for so much of our new business practices. We have committed ourselves as a department to try to have a paper-free acquisition process by the turn of the century. We’re not going to make it, but we’re going to do pretty well. We’re going to get fairly close in many ways. And at its core is the adaptability of this technology and its utility.

For example, we started off in DFAS [Defense Finance and Accounting Service] trying to get paper-free, to get a lot of the paper that’s choking the system out. Of course the initial response is to go out and hire somebody to bring in, buy lots of Kodak scanners and do imaging and all this sort of thing. Some very clever, thoughtful people over there said, “Well, you know, before it ever became paper they were electrons. Let’s find a way to get the electrons to begin with. Go out and borrow those electrons, drop them in a server, and access them through standard search tools, and you can get an enterprise-wide imaging solution really, for peanuts.” It was incredible insight. Now it’s become basically the backbone for this paper-free acquisition process in the department.

It’s astounding how simple it is and quickly it pays for itself. One of the real advantages, of course, is that you can get an enterprise-wide solution without requiring everybody in the enterprise to buy into it. They can join the process when they want to, and most of them when they see the advantages of it get very interested in getting on board as quickly as possible. That’s really exciting.

We’ve committed ourselves to a new travel process that’s going to be paper-free. And there really have been some wrenching changes in trying to think our way through the old way of doing business. Because, after all, our travel system in the Defense Department was your classic government travel system. You always knew somebody was going to be cheating, so the solution to that was to have a huge system that would fail so you could blame it on the system rather than personal accountability. You all know what I’m talking about? (Laughter.)

So you had to think in very different ways. The core to a new system was not new technology, it was thinking in a fresh way about the business. The best way to catch a bottom feeder is not with some poor GS-5 voucher clerk two buildings away or two states away, but with a supervisor. Very simple, really.

It’s very exciting what’s happening, and we’re in the department adapting the Internet now in ways to make it a central element of our invoicing process and our vouchering process. It’s really terrific.

So in our electronic business practices it’s becoming a core element and it will get much larger. We actually created a separate organization, the Joint Electronic Commerce Program Office to start focusing on some of these things, to proliferate them.

Paralleling that we’re seeing just an explosive use of web technology for other business applications. We have now, I think, over 7,000 home pages in the Department of Defense. Now some of them are just your classic PR events — Hi, welcome to XYZ’s home page. But that’s really the very small part of it. We are now using, for example, technology, for all practical purposes, to post all of our contracts. It’s become the core of it. We’re using this technology now as the primary means of communication of a ship with the family of the members who serve on the ship. So to stay plugged in with where your spouse is, for example, the first thing most families do in the morning is just get onto the net and find out where the USS BRIDGE is today. That sort of thing.

We have really made enormous strides in going to direct electronic publishing. In DoD we’ve got more regulations than Custer had problems, you know. (Laughter.) It’s just unbelievable. But when you go to an electronic publishing format you don’t have to have this lag time. When regulations are being updated and distributed it’s all very confusing. Now they’re instantly updated and available. And you don’t have to slaughter a forest of trees every time you want to make a small change in a regulation. So it’s really exciting.

For example, we no longer send doctors into the field with all kinds of manuals. When a doctor confronts something strange in another country, he may not necessarily be an expert. In the past we used to publish all kinds of thick books on tropical diseases and this sort of stuff. Now they simply can call that down off the web. It’s really quite exciting.

This technology is dramatically changing the way we do business in the department.

But that exciting dynamism and productivity is frankly bringing on some new insecurity and we haven’t thought enough about it. Let me talk about a few of these things.

Almost everyone in some way in the department is trying to find ways to graft this new Internet-based technology onto existing business practices. There are varying degrees to which we change our underlying business practices, but invariably we are trying to find ways to electronically plug things together. I found the same phenomenon out in business. Business was doing very much the same thing. And yet, I’ve been surprised to find how little attention in business and insufficient attention in the government has been paid to a systems engineering of security in this new environment.

How do you keep people from looking back up the system to look into your own management controls, your own management systems? Very interesting. Not enough attention has been paid to that.

It’s an interesting problem for corporations because almost all corporations are trying to find ways to get their customer to do some of their work for them. It’s the way in which they’re integrating their customers into their work processes. It really is a cost saving device. And the way they do it is frankly giving part of their management system, and access to their management system, to their customers. It introduces interesting new vulnerabilities.

For example, I will not ground us in the Defense Department. It is very much the norm now for industry to, as I said, to bring their customers into the process. There are transportation companies in this country that if you want to ship some threshold level of commodity over their line, they’ll actually give you electronic access to their scheduling systems. That’s a very interesting vulnerability. The best way for some future adversary to bring our transportation system to its knees is to become a customer in the United States and find a way to enter into the scheduling system for the transportation companies. It’s an interesting problem and very hard to deal with.

So one of the interesting new security problems is finding a way in this very dynamic technical environment, in this ever dynamic business environment, to do careful systems analysis for security when we have hybrid integrated systems.

A second concern: we have far too many enthusiastic little webmasters, at least in the Defense Department, and my guess is everyplace else, who are busily trying to put as much information on the web because we have a culture among these little webmasters of fancy new ways to demonstrate information. I mean you all kind of enjoy it when you’re cruising the web on Saturday night and it’s astounding really. But in the process there are some very interesting vulnerabilities that we’re creating for ourselves.

I’ll give you an example. Hugh Shelton, who is the Chairman of the Joint Chiefs of Staff, was previously head of the Special Operations Forces, our commando types, the types that do low profile operations. And when he got into the office, he was going through the standard introduction and they said, “Would you like to see your homepage?” Well, okay. They showed him his homepage, and part of it was his residence, and it showed pictures of his bedroom, it showed a photo image looking down on the residence, it showed where all the shrubbery was and where the access places were. For a Special Operations guy, a commando, it was a lot of useful information and it was about his own house, and nobody had ever thought about it. Nobody had ever thought about this from a security standpoint. It was, again, this culture of accessibility that really has been created around this environment, and by all of these very, very clever webmasters that are doing this.

Another example: we have a facility that was owned and operated by the Defense Information Services Agency. It’s basically our internal telecommunications outfit. This was an overseas location that was basically a central gateway for all communications in this region. The homepage had an aerial photo of the facility with little arrows pointing down — network operation center, technical control center. You click on the little arrow and it would pull up a description of what was going on inside the building.

Now we used to pay millions of dollars to try to get comparable information about our opponents. (Laughter.) We laugh about it, but this is really serious stuff. Again, nobody was paying attention. We have basically let the homepage culture flow under the public relations directorates in our organizations. Isn’t that about right? Isn’t most everybody feeling about the same thing?

Take a fresh look at that sometime. A fresh look as if you’re a bad guy and you want to take advantage of you, and now look at your homepage. And it is not a little, it’s very worrisome.

We are, within several days, going to give some new direction in the department to bring much more close attention to security issues as it relates to our homepages. I don’t want people to think that we are taking a step back from using this technology to improve and modernize our business practices. We’re not. But we have got to start having a realistic balance between the productivity and the creativity that we can exploit with this technology and the inherent insecurity that comes with doing this without paying attention to it.

We in DoD, and I will only point a finger at us, we have been too naive since the end of the Cold War that all of our enemies went away when the Berlin Wall came down. That’s not true. There are more than enough bad guys out there and we have not been paying anything close to enough attention. We basically dismantled our counterintelligence capabilities. We’re going to have to rebuild them and give them much more of a high tech flavor. We don’t need to have gumshoes out knocking on doors in neighborhoods trying to find out if somebody had a bad childhood if we can’t control basic management systems. Right now we’re not doing an adequate job of that.

A third area here of insecurity is, my sense is that just as this is a technology that we are adapting ourselves to, that criminals are doing a better job of adapting than are we. The criminal mind is endlessly inventive and we are not paying enough attention to the opportunities we’re giving these guys.

A lot of it is low level fraud, but some of it can be fairly spectacular. It is — in this environment where business practices are changing so dramatically and where technology is changing so dramatically, it seems to me we all have to have a fundamentally stronger systems approach to internal controls. Internal controls are no longer just a subspecialty of the auditors, folks. That’s absolutely the wrong mindset. It now has to be a central concern of principal managers in this new environment.

So what are we doing about all of this? First let’s talk a bit about technology. I think that there are some — this is not a hopeless problem. This is not at all a hopeless problem. As a matter of fact there are some very, very interesting new tools that are emerging, and in some ways I believe that we could have significantly stronger management security with this new environment than we currently have.

Last week I announced a very important development as it relates to encryption. This is a tough issue. It’s a very tough issue, because we’re talking about the contending priorities that are central values in a democracy: privacy on one hand and law enforcement and protection against terrorists and criminals on the other. This is a hard thing to balance, especially with the technology that’s now become so pervasive and convenient.

I must confess I was very frustrated with the cyber-libertarians that chose to, in my view, cheaply mischaracterize this issue — I know I’ll get myself in trouble with these kinds of remarks — trying to pretend that the government is just waiting to look into everybody’s e-mail. Give me a break. We know how to protect civil liberties in this country and still recognize law enforcement imperatives, national security imperatives. We have an independent process through the court system. The government doesn’t have an ability to tap your phone at all without a very rigorous, enormously demanding process, going through with an independent agent, in this case the U.S. courts, to genuinely, validly balance these privacy and law enforcement concerns. We know how to do that, and it’s exactly the same thing that we will bring forward into communications via digital means.

The policy that we put forward last week I think is a very important new step. A lot of people said, “You and the government are just after your goal of being able to snoop.” That’s not at all the case. We in DoD, we’re much more interested in getting strong encryption to protect ourselves in this environment. Ninety-five percent of all of our communications are over public switches and public telephone lines and circuits. We don’t own dedicated things anymore in the Department of Defense, so we have to find a way to protect ourselves in this very open and vulnerable environment. Encryption becomes a central core element for that. We have to be able to encrypt. There’s nothing in the world more dangerous.

We know from personal experience because we’ve had several exercises that proved it, that we can be easily spoofed in this new environment because we transport through cyberspace all of the real world trust that we develop in our society. If someone has a pleasant speaking voice on the phone you tend to trust them. Without ever knowing who’s on the other end. Now we’re not even getting a voice. We’re just seeing digits that appear on a screen.

Americans are so naive in many ways. We’re so trusting. When you transport that to cyberspace there’s a very important vulnerability that comes with that, so it’s not enough just to have an encryption, but you have to have some form of digital identity in cyberspace. There has to be some form of digital identity and for us in the Defense Department we need and will buy a public key system just so we know who we’re talking to. We’ll also insist that whoever is talking to us that’s outside of the department also have some form of a key identity so that we know who we’re talking to.

Now every businessman that I talk to will agree that this is an essential part of internal controls as well. They’re not going to let their employees move contracts or money or technical data around, especially encrypted, and not leave electronic fingerprints when they go. It’s just a centerpiece of internal control and all business understands that, and we certainly understand it. So I think this new technology is a very important development.

At some point, I think it’s still on the horizon, but at some point I think that biometrics becomes an important new element of this. I think we’re still waiting for (inaudible) here as to what’s the technology that’s going to prevail. But in my mind it’s almost inevitable. Now I think it’s more likely than not going to be the device that confirms identity inside, as a component of a security system, not the exclusive element of the security system, but I think it’s inevitable in our future.

We are also making, I think, important strides, and all of you need to think about this in your world, very important strides for broader network security. We let a thousand flowers bloom in the Defense Department when it came to Internet technology without having put a central system to manage security for the network itself. We’re now having to create that after the fact.

We had a very interesting episode in February when all of a sudden we were seeing our computers being systematically probed by some outside agent. Some of the probes were coming from overseas web sites. This was exactly the same time that we were mobilizing our forces and sending them to the Persian Gulf, so we were very apprehensive that we may have been under a government-sponsored computer attack. These probes were confusing because they were surprisingly sophisticated on the one hand and surprisingly naive on another. They would last anywhere from 10 seconds to 90 seconds. They would routinely — because you try to trace one back — they’d routinely use six and seven hops in the network to mask their origin. Yet they were repetitive and they were almost always the same thing over and over and over again. Not something you would expect a very sophisticated computer attack to look like.

It took us about three weeks, and we ultimately found out there were two 16-year-old kids in California who were doing this. They had an overseas sponsor, a mentor in Israel who was coaching them. And while in this case it looked benign, we have had previous instances in this country where kid hackers thought they were doing something and didn’t realize that their mentor was a foreign intelligence organization. So this is a dangerous new environment and you’ve got to have much stronger network security than we have had before.

So we are rapidly installing network monitoring capabilities, trying to get configuration control over an inherently changing and dynamic network environment, trying to get firewalls installed, trying to get firewalls properly installed. One of the things you need to ask fairly quickly is not do you have a firewall, but who installed it? Did they know how to install it? We found that about a third of our firewalls were improperly installed when calibrated.

So it’s the fundamental new challenges that we have. Let me just say it’s not just technology. A lot of these things are technology, but at its core and I think much more important, frankly, is management attention. Just as I said before, your little webmasters are out there putting up all this enormously useful information to the bad guys on web sites. My guess is every one of those web sites at some time was seen by a senior manager. But they all had on the public relations glasses. Hey, isn’t this interesting? Yeah, that’s a clever little guy. Without ever putting on the security spectacles and saying what are we showing to bad people here?

So ultimately this is not a technology issue, it’s a management issue. It’s just the same way that the Year 2000 problem is not a technology problem, it’s a management problem. Gosh, we’ve been spending so much time in the Defense Department and we were never breaking through to people that this was about warfare. If you knew that an enemy had the capacity to disrupt your supply system or to cut off your fuel distribution system, we’d consider this to be a major security threat.

We know exactly when this attack’s going to take place. It’s going to be on the 31st of December 1999. We rarely know exactly the time and the place when the enemy’s going to attack us. We do this time. And this is not just a job for the computer geeks, this is a job for the warriors because they’re the ones that are going to be out of business. This is war. And frankly, it’s the same for all of you — whatever your organization is. This is about warfare and survival.

I was talking to a very senior CIO in a company and he was lamenting the fact about how much money he was having to spend, it was like $400 million. We’re going to spend about $2 billion in DoD. He’s spending about $400 million and he said I’ve got to spend all that money only to save my company. That’s really what it’s about.

In this regard, let me just say, I think all of you have got to be working with your senior management team to find ways to bring systems analysis into, or to bring internal control — another way of saying it is counterintelligence, but internal controls and counterintelligence into systems analysis as you’re designing these systems. It’s absolutely indispensable. We’re not doing enough of that in the Defense Department. Frankly, we cut too much of our counterintelligence capability at the end of the Cold War. We’re going to have to get that back.

This is an enormously dangerous time for us in the Defense Department, largely because of our inattention, [which is] creating more weaknesses every day. So it will be our focus for the next half year.

Again, let me emphasize we’re not walking away from this dynamic new technology at all. We’re going to embrace it as aggressively as possible. But it has got to be with the perspective of security in mind at the same time. I have rambled on almost long enough so I can’t take any questions, but I did promise that I would field a question or two if there are any before I have to leave.

Let me close then by thanking you all for taking time to come to this conference and to think about these problems. My guess is half of the people, probably two-thirds of the people in your organization don’t know what you’re talking about when you talk about internal controls and fraud detection, prevention, and security. There are probably an awful lot of people in your organization that consider that to be needless overhead. When all of our organizations are going through downsizing and there are pressures to cut out end strength, too readily people have been looking at well, we don’t need all those auditors, do we? That’s part of the climate we’re in, and that’s part of what contributes to this danger.

You’re the professionals who are involved in this. Don’t be embarrassed to be advocates for security. People are going to say you’re being self-serving because you’re in that business. Don’t be put down by that argument. This is an enormously important time, and all of you, frankly, are on the front lines of a battle we can’t afford to lose so we need you. I’m very grateful that so many of you would choose to participate in this. I hope that you gain enormous insights during these two days, three days, and take them back. But more than anything, take back to your organizations a kind of a fiery desire to bring security as well as opportunity into your organizations as you’re going through these dynamic changes and bringing on this technology. It is both an imperative and an opportunity, and I’m very proud that all of you would be taking the time to do this.

Thank you very much.