Hamre Discusses Technology, Security Challenges

We are now in this transition toward a new security epoch. It is hard to know exactly what it is going to be like. It clearly is characterized by the collapse of the old structure, as has each of the previous epochs. What has emerged is still fuzzy, but troubling.

Remarks by Dr. John J. Hamre to the National Security Telecommunications Advisory Committee. Washington D.C., 14.10.1998

Dr. Hamre: Thank you, Chuck, and thank you very much, all of you. I’m glad you turned up the lights because my dull speaking style would put everyone to sleep.

I enjoyed being with you all last night. I was, quite frankly, moved when I saw those young soldiers from Fort Bragg, [North Carolina] and I thought to myself, in a society where we’re kind of obsessed with Generation X, I’m glad we still are able to find young men and women who are willing to separate themselves from the comforts of private life and take on the discipline of military service, the challenges of that, and be willing to serve this country, put on a uniform. I’m very grateful for that.

I also thought to myself how lucky we are that all of you are willing to do that in your way, to participate, frankly, in this kind of an organization. God knows, you all have many more pressing things to do that are probably more important on a day-to-day basis for your stockholders and for the bottom line, and you don’t need to have this distraction, but the fact that you are still willing to take time apart from that and dedicated to sit and talk with us about national security is very gratifying, and I would like to say thank you to all of you for doing that.

If I may, I would like to put my comments in a broader context because I think we need to step back. It’s very hard at any point in history, when you’re kind of caught-up in the sweep of day-to-day events, to get a bearing on where you are in a larger context, and I’d like to do that to frame some of my observations.

The United States, in its history, has probably only had five security epochs that we’ve endured, and we’re really in a transition period to a new epoch, slightly uncertain as to what its dimension is going to be.

The first step was from the start of the Revolutionary War probably until the mid-1820s, and at that time the international security environment was still dominated by relatively coherent and vital nation states — dominated, of course, by Europe — and we were at the edge and the fringe of that. It was a little like « crack the whip »; when the thing came around, we were flung wildly in that environment, and we got pulled into conflicts which were really secondary to the main fight that was going on in Europe.

From the mid-1830s on to the end of the 1800s, until about 1900, was really the emergence of a second epoch. It was then that the European political construct was disintegrating, and was probably typified most directly with the failed Socialist Revolutions in 1848 that showed how bankrupt and corrupt the old system had become, but not so much so as to remove those powers. We, the United States, were insulated from that by a huge ocean. We were becoming a very large and prosperous country, but because we were still expanding into Heartland America, we had our attention turned elsewhere and we were really left alone. That epoch probably ended around 1900, with the Spanish-American War as America emerged as a world power. With our imperial ambitions manifest, especially in Asia and in Latin America, we clearly came to dominate the Western Hemisphere, and have since that time.

Then came a small brief transition period, from 1900 to 1920, which really represented in some ways a transition globally, but reflected a collapse in Europe, and produced the end-of-war period which was largely characterized by two forces: global recession and the rise of international communism. These two tensions created a real crisis for American democracy and the free enterprise system in the ’30s and the ’40s. That epoch ended, of course, with World War II, and what emerged in that fifth epoch was the Cold War, and it was dominated by a bipolar world, maybe a tripolar world, the United States leading the band of western countries, the Free World, confronted by a very aggressive and what appeared initially to be a coherent communist world that fractured in the early ’60s.

Nonetheless, that persisted, and that period created kind of an eerie predictability — everything was regulated by the tension and the pressures between these two worlds that possessed fairly unprecedented arsenals that could wreak enormous destruction, and that created an unusual calm.

And, of course, that epoch ended in 1989, and we are now in this transition toward a new security epoch. It is hard to know exactly what it is going to be like. It clearly is characterized by the collapse of the old structure, as has each of the previous epochs. What has emerged is still fuzzy, but troubling.

We seem to be seeing the world emerging as a very aggressive tribalism that is manifesting itself as kind of quasi-nation states. I mean, who knows where Abkhazia is, but all of a sudden the Abkhazian conflict is a big deal in Georgia, or East Timor in Indonesia. Congo is in a civil war right now as we speak, and could very well be divided up. Tribalism is becoming a dominant paradigm of this new security epoch.

Another dimension of this security epoch is the dissolution of the technologies that were created during the last epoch, during the Cold War. All of a sudden we confront the historically unprecedented condition where a major global power falls apart, but a global power that had 30,000 nuclear weapons, had unbelievable stockpiles of chemical and biological weapons, and it’s disintegrating. And it’s disintegrating into tribal units that seem to have passions that we really don’t understand.

You know, Americans are really so far away it’s inconceivable to us that people have 500-year grudges. You know, when you get a grudge here, we just move. That isn’t the way it is in most of the rest of the world. And so you’ve seen the dissolution of technology into the hands of a lot of bad people.

And then we’ve seen the emergence of quasi-governmental or governmental-sponsored organizations, terrorist organizations, like the Usama bin Laden network, that are able to move in and out of government circles and extract rather threatening things from that, and then use those things, but not in controlled ways as governments behave. It’s a very unsettling security epoch that’s emerging.

What can we conclude about this right now? Well, first, I think — let’s just say I think the old patterns of deterrents on unacceptable behavior don’t predictably work in this era. In the old days, you could threaten untold havoc on a nation-state if they did something that was out of the bounds, out-of-norm, and it had a deterrent quality. It’s not clear that deterrent quality exists now. It’s not clear that striking out at Usama bin Laden — I agree strongly that we should do that — but it’s not clear that that’s going to deter this group. So the old patterns that we were familiar with, security patterns and deterrents, just aren’t necessarily going to work reliably in this era.

Second, I think we’re going to be increasingly confronted by technology that’s used by really bad people, in very troubling ways — not just cyber issues — and, of course, we’ve talked about that before — but chemical and biological weapons in their hands. We’ve had three terrorist incidents in the United States in the last nine months involving anthrax. Now, two of them were spoofs, but nonetheless it’s a pattern that’s emerging, and it’s not just going to be here in the United States.

I think a third feature of this new epoch — and this is one that’s particularly troubling — is that we’re entering a period when obviously no other country, or these tribal units, can take on the United States directly. They know that would be suicide in traditional ways.

And so it’s using these tools, these troubling tools, in nontraditional ways that are going to become the preferred mode. And we’re entering a period where, frankly, one individual, or a small group of individuals, are able to wage war on our entire country, not in the predictable ways where we’re worried about sea invasion on the coast or anything like that, but ways that will become highly disruptive to an organized society is a possibility now.

So, I think the last feature that I think is very relevant is that the target in this new world isn’t necessarily going to be directly America’s military forces. We certainly will be targeted overseas as terrorists try to make a political statement like at Khobar Towers [Saudi Arabia]. That clearly is going to be a dominant feature, but a bigger problem is that at some point these bad people are going to bring this fight here to the United States, and the target isn’t really going to be military per se, it’s more likely going to be nonmilitary, frankly, where we don’t have an infrastructure of protection.

Now, all that’s probably troubling enough, but I think we’re also probably in one of the most complicated periods of American history, where huge social forces are colliding with technology developments, and I’m not sure we understand them very well, and I am confident the government is not well organized to deal with it.

We see the explosive globalization of the American economy. I’m not sure I know what an American company is anymore. I know that it means the board of directors are largely going to be Americans, but it doesn’t mean that the processes or the content is American. What is American now? What is American anymore, Gary, [directed to Motorola Chairman Gary L. Tooker] when you’ve got software engineers in India who are writing code for Iridium? And I’m not picking you out, I understand why you did that. It’s typical of American business — this explosive, dynamic American economy — that is opening up security dimensions we just haven’t thought about.

You’re in pioneering business practices that are exciting on the one hand and troubling on another. Each of you, in your own ways, are seeking to find ways to get your customer to become part of your business process so they’ll do some of the work and offset some of the cost of the business transaction, and yet that introduces a vulnerability. How do you keep subcontractors from looking back up in your management system to find out key corporate information that you’d rather they not know? This is an interesting problem in this world.

I think we’re confronted by a time when I think American politics right now is astoundingly parochial at a time when America’s economy and society is international. And I think we’re wrestling with that. We’re wrestling with that right now with these amendments that are coming up about how we punish a company for allegedly doing something wrong with satellites, and then we say no company is allowed ever to do this again. I mean, this is kind of a crazy time that we’re going through, and we haven’t thought our way through.

How are we, as a political entity, going to deal with this enormously complex new social and economic environment that America is leading? We are, I think, starting to come to grips with what this new Internet society is meaning. I probably am typical — not typical of all of you sitting at the table, but probably typical of most people in Washington — that have tended to have a consumer view of Internet. And so you go down and you see some new homepage for a ship, and you say, « Isn’t this great, what we’re able to do here, this thing is linked up real-time, » never thinking about the security dimensions to that.

We are providing information to bad guys that they used to spend hundreds of millions of dollars in intelligence operations to try to get. I’m not going to pick on poor [Lieutenant General] Dave Kelley [Director, Defense Information Systems Agency and Manager, National Communications System] here. I know he’s fixed this problem. He had an installation that had a homepage that showed an aerial view of the facility with little arrows that said « Operations Center, » « Technical Support Center. » And it’s our little homepage geeks who are out there thinking about this as, « Boy, this is great, you can click on a little arrow and up pops an outline of what’s inside the building, » without ever asking, « is this a good thing or bad thing for bad guys, terrorists, to know? » And we put it in front of them in a medium where you can get it instantly.

We have to step back and think about this world that we have created in this glow of the end of the Cold War. We need to think about it in terms of this new security epoch that’s emerging, where we’ve got a lot of bad people out there who really would like to do some bad things to us, and we’re making it awfully easy. So that’s the broad context.

All of that, by the way, was just introduction to my speech. (Laughter.) I’m not going to take longer than my half-hour, though, Chuck [NSTAC Chair Charles Lee], I promise you that.

I think we’re entering a period of really profound intellectual challenge — where we have profound challenge for the Department of Defense to think about national security in this new era. You know, we have had a 200-year history where national security has been outside of the boundaries of the United States. We may have set up coastal artillery, which we did in the WWII period — but it was still shooting out. We have never thought about security in terms of being inside the United States. Frankly, that’s been law enforcement. That’s been the FBI. And that paradigm probably is no longer applicable.

Now, I know that’s going to stress in ways, frankly, I’m not sure we can handle right now politically. We’re rather obsessed right now politically, and I’m not sure that we can tackle a big topic like that in Washington. But we’re going to have to get our arms around this question about what constitutes national security, and how does the Department of Defense interact? The reality is that the Department of Defense has no formal responsibilities for infrastructure protection in the United States, with the exception of one area, and that is we’re responsible for the inland waterways because the Corps of Engineers manages them.

That’s the only thing the Department of Defense is responsible for, when you get right down to it, and yet we’re entering a period when the biggest national security challenge is going to be this interaction of America’s society and economy with the world, and we’re stretching ourselves in ways we really haven’t dealt with yet. So, we’ve been wrestling with that.

I’ll be honest and tell you that we don’t have a clear path right now. But let me tell you some of the things that we’ve been doing. It’s our view that we can’t meet the challenges of this new security epoch without finding institutional ways to be working as partners with law enforcement in the United States.

We have been doing that a little bit on the fringe, on the drug enforcement effort, trying to interdict drugs and that sort of thing, but it’s going to have to be far more direct and involved than it has been in the past. And that’s why we entered into partnership with the FBI on the National Infrastructure Protection Center, the NIPC, because we know at some point when this event occurs — if it’s a cyber attack, if it’s a chemical terrorist incident, or something — the day after is going to be qualitatively different from the day before. And the day after is going to require the United States military to be involved in ways in the United States that are unprecedented.

I personally believe it will be one of the most serious challenges we will ever confront to civil liberties in this country since at least the bombing at Pearl Harbor. And we have to start getting ready for that, and institutionally we need to be working with each other. So one thing we’re doing is finding institutional partnering opportunities with law enforcement.

A second thing we’re trying to do — and this is very hard, and I will be up-front to tell you we are not very far along on this — we have to develop a new security model. I’ve talked to some people about this here, so forgive me for being redundant. We’ve got to develop a new security model for this country that recognizes the dynamism of the American society and the American economy, but still is agile and flexible.

We continue to operate a security model — and I’ll use an analogy — that’s little like the fence around the outside of your yard. You know, you see a hole in the fence, you quick go over and try to patch the hole, and maybe post a guard there for a little while and do something, but it is wholly inapplicable when you’re dealing with an economy now where American products are routinely built overseas, when business processes are inherently interconnected with other companies and many of them are overseas.

We still have a security model that revolves around the nationality of the board of directors of the corporation, not the underlying business activity. And that is not to say we cannot. Our friends on the Hill criticize us on export controls, and they say we ought to toughen security by moving satellites back to the State Department, away from Commerce. We will take the criticism — we haven’t paid enough attention — but you are also giving me a naive solution to a very complicated problem. That isn’t going to solve the problem. It’s a much more complex problem than that, and we need to develop a much more sophisticated security model for dealing with it.

We’ve launched a number of efforts to do that, and we’ve asked the Defense Science Board to lead an effort to reach out to all of you, and I would hope that you would be willing to participate with us as we are thinking our way through this. Frankly, you are all confronting the same thing, in many ways.

Dennis Picard [Raytheon Chairman and Chief Executive Officer], with his vast new empire, is trying to get his arms around it, and that means putting his hands on disparate management systems. How do you know what that’s like? That’s exactly the same problem we’re confronting, isn’t it, in a way? It’s the same sort of difficulty. I know that you’re doing the same thing, Jim [James W. Evatt], at Boeing.

So, all of you have exactly the same problem in a different way, and it requires both technical solutions, process solutions, organizational changes. You’re wrestling with that dilemma of how do you retain your agility as a corporation at the same time you’re trying to protect your security? That’s exactly what we’re going to have to find, a new model to do that here in the United States, and I would ask for your help on that.

I think a third thing we’re dealing with is consequence management. We have really never dealt with that in the Department of Defense before. We’re responding all the time to emergencies, natural disasters, for example. We do literally thousands of things every year. We probably augment police forces 2,000 times a year to help them with suspicious packages and things of that nature. But if there is an incident, a terrorist incident, it’s going to be very different if it involves chemical or biological weapons. It’s going to require the mobilization of capabilities that are just unprecedented, and we have not done any real concrete thinking about that in the Department of Defense.

The reason for that is we never assigned the United States to one of our CINCs, our Commanders-in-Chief, as an area of responsibility. There are only four countries in the world that were never in the area of responsibility for one of our commanders, and that was the Soviet Union, the United States, Canada and Mexico, Canada and Mexico just because they were next to the United States. We never had a CINC who was worrying about homeland defense of America before. And that’s where we do our concrete contingency planning and thinking. That’s where you do the matching up of requirements and resources and lay out a program for the future. We’ve never done that before, and we’re going to start doing that.

I think we’re going to have some decisions here in the next two or three days that will finally provide a sense of direction. DoD will always be in a supporting role because, as I said, we don’t own any of these infrastructures directly, and we don’t have organizational responsibility for them. But I’ll tell you, that’s going to be no excuse the day after. We’re going to get the call, so we’re going to have to do something about that.

The fourth thing we’re doing is spending a lot of time and effort — and, frankly, money — to try to figure out how to protect ourselves in cyber space. We had a cyber attack yesterday. It was almost comical. Some little group — we’re not exactly sure, we think they’re in Germany — decided that we were supporting the Mexican government’s efforts to suppress the Zapatistas, and so they decided the best way to attack us was to flood our Department of Defense homepage, DefenseLINK. We probably saved America the boredom of reading our homepage, but nonetheless they were going to try to just freeze up our homepage with cyber attack. They had automated a little attack — and this was very simpleminded and easy to blunt, and we did — but it’s another incident. It’s starting.

In the last year, we have pulled together enormous disparate efforts to try to get our arms around protecting our infrastructure. Frankly, nine months ago we didn’t even have a good handle on how many networks we have. We didn’t have any idea about their configuration, had very little idea about the operating systems inside. The people who were running them did, but we didn’t have in any central way. When we got the solar sunrise attack in February, frankly, we were running from behind to try just to get up with the basics. I think we’ve done a great job, and hats off to the Air Force that led the way for the entire Department, in putting in place the infrastructure to do that. [Lieutenant General] Bill Campbell has just done a heroic effort in the last nine months — the last six months, frankly — to get the Army up to speed. But we are finding ourselves enormously vulnerable as we operate in this electronic space, and we haven’t thought about it very well. We haven’t thought about it in a disciplined way from a security standpoint, and we’re working hard to get caught up. We have finally assigned the mission to a military unit. Brother Kelley [LTG Kelley] here has that duty now as Joint Task Force Commander for Computer Network Defense. That gets stood up, I think, this fall, Dave, I’m not sure when that happens.

LTG Kelley: I think it’s the beginning of January.

Dr. Hamre: Beginning of January. It is just a first step, but it is something that we’re finally getting off the ground. We are standing up our contribution to the NIPC. We’re slow in getting that done, frankly, because as Jeff Hunker [Director, President’s Critical Information Assurance Office] said, we’ve got too few computer experts, and we’re spreading them all over the place right now. We’re trying to get that effort up and running.

We are, I think, very near — I don’t mean to steal Bruce McConnell’s pitch here — we’re very near taking a very important step on getting the Government’s focus on encryption here. We’re literally within days of finally getting a path, and here our dilemma has been trying to find ways to reconcile the very important conflicting values that collide on this issue — the privacy values, the economic incentives, the dynamism that this sector has brought to American industry and that we want to keep moving, and the security dimension. We’re trying to reconcile those. We’re very close, and literally within days I think we’re going to be able to finally start the path. And let me say it’s not the endpoint, it’s the starting point, but I think it’s going to be a very important development when we can do that.

Finally, one thing — and just harkening to what Dr. Hunker said — I think we very much need a place to turn to. NSTAC right now is the only place to turn to. We very much need a place to turn to to help us understand what’s going on in this very dynamic industry. We don’t really have that. We, DOD, don’t really have that, (a) because we tend just to be plugged into our defense buddies. I mean, I can call Travis [D. Travis Engen, Chairman, President and CEO of ITT Industries] or I can call Vance [Dr. Vance D. Coffman, CEO and Vice Chairman of Lockheed Martin], because we work with these guys, but I don’t have routine contacts into the telecommunications sector, or into the banking industry. We don’t know how to do that here, and yet this is the infrastructure that very well could be attacked and become a national security problem.

We’ve talked a bit with [former Defense Secretary] Bill Perry and [former Deputy Defense Secretary] John White, who have been very pioneering here in thinking about this and wanting to stand up some capabilities. It would be entirely based in the private sector, entirely consensus-oriented, and involves things where we could interface and get problems solved for us and insights from you. And I think John is going to talk to us a little later about that, but it will be enormously important for us to try to get something like that going because we don’t have it right now.

We don’t have a good way to interface outside of this group, and that’s why we hold onto this as such an important venue for us as a way to interact with this sector because the telecommunications industry — there are three crucial backbones — this one, power and finance — and if those things either don’t make it for Year 2000 or don’t make it because of a cyber attack, this country is going to be in real trouble. We can always handle getting spammed at the DOD homepage; that ain’t going to be the end of the world, but if something bad happens to you gents, we’re in deep trouble.

I think the inherent dynamism and resiliency of this industry provides a level of basic protection that gives us all confidence, but I don’t think any of us can be naive about what we’re confronting here. It doesn’t take enormous resources any longer for a foreign power to wage war on the United States — not to win on a battlefield, but to intimidate us into political outcomes that we otherwise wouldn’t even consider. That’s what we’re going to have to work on together. I would ask you to think about finding ways to work with us in either working with Bill Perry or John White, or however else, and, Chuck, I’d leave that to you and, Van [Van B. Honeycutt, Computer Sciences Corporation President and CEO, and new NSTAC chair] to you, as one of the issue items that you may want to tackle later on.

Let me again conclude where I started, which is to say a very sincere thank you to all of you who are willing to take time out of your private lives where they are so demanding, to still pull on the « uniform of public service » for this period to help us wrestle with some really tough issues, tough issues that as Americans we know we’re going to have to get our arms around over the next three, four years.

And, unfortunately, the normal way that we get these things done, with the kind of Government thinking constructively about it and laying out a path, is a little unclear right now, for a combination of reasons. And so we’re going to really have to count on a dialogue with the full spectrum, the multi-spectral leaders, in American society, and ask for your help in doing that. I’m very grateful that you let me come and talk to you, Chuck, thank you for arranging that for me. And if there’s anything I can do, I’d be delighted to help either the NSTAC directly, or any of you individually. Thank you.