DoD Speech to Fortune 500 Chief Information Officers Forum
Deputy Secretary of Defense John J. Hamre
Aspen, Colorado
Tuesday, July 21, 1998


Let me shift now to a new subject. I'm actually going to give you two speeches today. This is the end of the first one. I'll be honest, I'm campaigning here. And I want to talk to you about information security and infrastructure protection.

This country is wide open to attack electronically. A year ago, concerned for this, the department undertook the first systematic exercise to determine the nation's vulnerability and the department's vulnerability to cyber war. And it was startling, frankly. We got about 30, 35 folks who became the attackers, the red team. We gave them enough money to go down to CompUSA or wherever. They only could buy computers off the shelf. They were given no special software. The only software they were allowed to use was stuff they either developed themselves or downloaded from hacker web sites. They spent three months getting ready. We didn't really let them take down the power system in the country, but we made them prove that they knew how to do it.

Now, why are we so vulnerable as a country? We're vulnerable because of the enormous productivity improvements that we've sought through information technology in the last 20 years. You're familiar with the SCADA system, Supervisory Control And Data Acquisition Systems? These kinds of systems are used to control physical networks, for example remote switches on a power grid that will open additional switches or bring on new transformers or sensors, valves and pumping stations that are used to regulate the flow of oil through a pipeline. These systems are used for water irrigation systems in the west. America's infrastructure is being run now through these Supervisory Control And Data Acquisition Systems, SCADA systems. They're commercial systems.

Increasingly, American business, in order to save money and to shed itself of the cost of proprietary networks, is moving these systems onto an Internet-based communications network. So we're finding, increasingly, that America's businesses and utilities are controlling the infrastructure through a technology that was never designed with security in mind.

The Defense Department is surprisingly vulnerable, too. The reason is that over the last 10 years, we have been dramatically shifting our infrastructure over to commercial structure rather than government-owned communications systems. I remember the first time I ever went out to Strategic Air Command 15 years ago. You'd go out there and there'd be five phones sitting on the desk -- a gold phone and a red phone and a blue phone and all this kind of stuff. They were all government-owned phones and government switches and government-unique lines. We had our own system. Well, we don't do that anymore. Ninety-five percent of all of our communications now is over commercial systems and networks. And one of the things that surprised us during Eligible Receiver was the degree to which we had become vulnerable to penetration because we were riding on these networks.

Now, this brings me to my bottom line here. I understand this is a bit controversial, but ultimately you are no different from us. You are going to increasingly do your business over a medium that was never designed with security in mind. It was designed as a research tool. We in DoD invented it. It was designed as a research tool. And the protocols are wide open. Everybody knows how to plug in. That's why it's so powerful now in business applications.

So how do you provide security in an environment and a medium that inherently is insecure? Many things are required; one of the things that is essential is encryption. Now, I know this is a hot debate and part of the discussion I had with Peter while we were waiting was the issue of encryption. Peter's first question was, "Are you with law enforcement or are you with commerce?" This is the debate that's occurring in Washington. It isn't exactly analogous to Justice versus Commerce. There are law enforcement concerns and Justice and the FBI are responsible for those. We want them responsible for those. Then there are economic response concerns and frankly, civil liberty concerns. Those are contending values of equal importance in our democracy, equal weight, in my mind. I do not believe that it's more important to protect ourselves against terrorists if it means it comes at the expense of civil liberties in the United States.

But I also don't believe that civil libertarians or cyber libertarians have a right to say we as a government have no responsibility to protect American society against criminals or terrorists.

We're going to have to strike a balance here. I personally believe that the debate of whether America's government is threatening our civil liberties is a fraudulent debate. We've never proposed anything that was any different than the mechanism we use every day to balance privacy versus law enforcement and security. Our police don't break into people's houses without a search warrant. We know how to protect America's privacy, and we know how to safeguard civil liberties. There's a very real reason we fought wars--for these values, these civil liberty values.

We know how to balance them in this country, and we know how we'd balance them as well in this area. And I think that, frankly, the debate that's emerged has been a fraudulent debate, I hope I don't offend people when I say this. We know how to protect the individual and society in America.

Now, you may say that that means I'm siding with law enforcement. I'm not. I think that it's impossible to find a technical solution to this problem. But I do think it's essential we find a technical solution for protection if you're going to operate through the Internet.

Our position in the Department of Defense, and I frankly think it should be your position as well, is that if you're going to operate through these public, insecure modalities, you have to secure yourself, and you have to do that through encryption. But I've also got to say the most dangerous thing in the world for us as a war fighter is to get an encrypted message that's a spoofed message. There's an impression of authenticity that comes with an encrypted message. You have to be able to determine the validity of the individual who is sending it to you.

Now, from a business standpoint, I can't imagine any of you as business people who would turn over to your employees the right to spend your dollars or cut checks or ship technical information and not require those employees to leave an electronic fingerprint on it when they do it. It's a basic premise of internal control.

So your interests and our interests are no different. What it leads me to say is that I'm not picking sides between the law enforcement community and the commerce community, as it were, in this debate. I'm saying we have to go right down through the middle. We have to protect ourselves in this environment and it's got to be with encryption and some form of security management, key recovery in our case. But we're going to make it voluntary. It's our choice and we're going to buy it. We're not going to ask that it be mandated through law on anybody. We're going to pay for it. And we've entered into contracts with a number of companies to help us develop a security infrastructure. We'll get the first one running this fall with Netscape, and hopefully, it'll be operational in October.

But I'm telling you, this is something that you've got to do for your own companies and it's something we all have to do, frankly, for the country. It's in your narrow interests as company executives and it's in our broader national interest to do this. And I would ask you to step past this debate that we're having on cyber liberties versus law enforcement. We're going to have to get to a more sophisticated understanding of this problem, and we don't have a lot of time.

I'm going to stop there and I hope that I've stimulated enough interest that there might be some questions.
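The two points the speaker makes about encryption, that an encrypted message can still be a spoofed one, and that employees who move money or data should leave an "electronic fingerprint" on what they send, can be shown concretely. The following is an added example, not part of the speech and not the department's or any vendor's code. It uses a toy stream cipher built from SHA-256 (an assumption made for illustration, not a recommendation), a receiver that trusts decryption alone, and a second receiver that first checks a per-sender HMAC tag. The sender names, keys and the sample payment order are constructed here.

```python
"""
Added illustration: an encrypted message is not by itself an authentic message.
A receiver that acts on anything that decrypts cleanly will accept an altered
order; a receiver that checks an individual sender's tag first will not.

Assumptions (constructed for this example, not from the speech):
  * a toy stream cipher: keystream = SHA-256 over (key || nonce || counter);
  * every sender holds an individual secret key registered with the receiver;
  * the payment-order text and all keys are invented here.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream for illustration only: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR for a stream cipher."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def alter_without_key(ciphertext: bytes, assumed: bytes, desired: bytes) -> bytes:
    """The failure mode the speaker warns about: a stream-cipher ciphertext can be
    changed into one that decrypts to a different plaintext by XORing the
    difference between the assumed and desired text into it. No key is needed,
    and the result still decrypts cleanly, so it carries an air of authenticity."""
    return bytes(c ^ a ^ d for c, a, d in zip(ciphertext, assumed, desired))


def fingerprint(sender_key: bytes, sender: str, nonce: bytes, ciphertext: bytes) -> bytes:
    """Per-sender HMAC tag over everything the receiver will act on."""
    return hmac.new(sender_key, sender.encode() + nonce + ciphertext, hashlib.sha256).digest()


def receive_encrypted_only(enc_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Receiver that trusts decryption alone: anything that decrypts is accepted."""
    return xor_crypt(enc_key, nonce, ciphertext)


def receive_authenticated(enc_key: bytes, sender_keys: dict, sender: str,
                          nonce: bytes, ciphertext: bytes, tag: bytes):
    """Receiver that establishes who sent the message before acting on it.
    Returns the plaintext, or None if the tag does not match the claimed sender."""
    key = sender_keys.get(sender)
    if key is None:
        return None
    if not hmac.compare_digest(fingerprint(key, sender, nonce, ciphertext), tag):
        return None
    return xor_crypt(enc_key, nonce, ciphertext)


def demo() -> dict:
    """Run both receivers against a genuine order and an altered copy of it."""
    enc_key = os.urandom(32)                                        # shared encryption key
    sender_keys = {"alice": os.urandom(32), "bob": os.urandom(32)}  # individual keys
    nonce = os.urandom(16)
    genuine = b"PAY 000100 USD TO VENDOR 4711"  # constructed sample order
    altered = b"PAY 999900 USD TO VENDOR 4711"  # same length, different amount

    ct = xor_crypt(enc_key, nonce, genuine)
    tag = fingerprint(sender_keys["alice"], "alice", nonce, ct)
    ct_altered = alter_without_key(ct, genuine, altered)

    return {
        # encryption alone: the altered order decrypts to a clean, plausible message
        "encrypted_only_accepts_altered":
            receive_encrypted_only(enc_key, nonce, ct_altered) == altered,
        # with a per-sender fingerprint: genuine accepted, altered and mis-attributed rejected
        "auth_accepts_genuine":
            receive_authenticated(enc_key, sender_keys, "alice", nonce, ct, tag) == genuine,
        "auth_rejects_altered":
            receive_authenticated(enc_key, sender_keys, "alice", nonce, ct_altered, tag) is None,
        "auth_rejects_wrong_sender":
            receive_authenticated(enc_key, sender_keys, "bob", nonce, ct, tag) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The tag binds the sender's name, the nonce and the ciphertext together, so a receiver can tell both that the order was not changed in transit and which registered individual issued it, which is the internal-control property the speech asks for; a tag computed over the ciphertext with a shared key only would prove the first but not the second.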