West Point, NY – U.S. Senator Sheldon Whitehouse (D-RI) gave the opening address yesterday evening at a major cybersecurity conference at the United States Military Academy in West Point, NY. The Senator, who chaired the Senate Select Committee on Intelligence’s Cybersecurity Task Force in 2010 and has been active in efforts to craft cybersecurity legislation, spoke about the cybersecurity challenges facing the military and the nation, and the need to increase public awareness of cyber threats.
The text of Whitehouse’s speech, as prepared for delivery, is below.
Thank you for that kind introduction and for the invitation to be with you today to discuss our nation’s cybersecurity. I am very pleased to join you at the United States Military Academy.
As a Senator for my home state of Rhode Island, I have the great privilege of nominating young men and women to become cadets here. I am also privileged to serve with my senior Senator Jack Reed, who is a graduate and a member of your Board of Visitors.
I am very proud of this Military Academy for its continued excellence in preparing the next generation of leaders for our Army and for our nation. I’m also glad to be joined at the conference by my colleague from Rhode Island, Jim Langevin, a renowned expert on cybersecurity.
This conference on cybersecurity is timely given the scale of the cyber threats facing our country.
Consider the following expert assessments. Secretary of Defense Leon Panetta has stated: “[t]he next Pearl Harbor we confront could very well be a cyber attack.”
In a letter to Senate Majority Leader Harry Reid, former Secretary of Homeland Security Michael Chertoff, former Defense Secretary William Perry, former Vice Chairman of the Joint Chiefs of Staff General James Cartwright, and others wrote that “[t]he threat is only going to get worse. Inaction is not an acceptable option.”
And Secretary of Homeland Security Janet Napolitano has stated: “prior to 9/11, there were all kinds of information out there that a catastrophic attack was looming . . . . The information on a cyberattack is at that same frequency and intensity and is bubbling at the same level, and we should not wait for an attack in order to do something.”
These threats are posed by a wide range of adversaries, including national intelligence services and armed forces, hacktivists, cybercriminals, and terrorists. Adding further complexity are the techniques used to compromise our systems: remote intrusions, spear-phishing and social engineering, physical access to networks through agents or disgruntled insiders, wireless access, and compromised or counterfeit parts.
The consequences are profound.
A single data breach of an American company – for example a retailer or a financial company – can result in countless Americans’ credit card numbers and sensitive personal information being sold to the highest bidder on illegal “carder” forums run by international organized crime groups.
Individuals and corporations are subject to massive amounts of fraud and intellectual property theft. The 2011 Norton Cybercrime Report, for example, calculates the cost of global cyber crime as $114 billion per year. A substantial part of this enormous volume of theft is permitted, encouraged, or conducted by foreign nations.
As former NSA Director Admiral Mike McConnell, former Secretary of Homeland Security Chertoff, and former Deputy Secretary of Defense William Lynn recently explained, “China intends to build its economy by intellectual-property theft rather than by innovation and investment in research and development.”
The Office of the National Counterintelligence Executive similarly explained that “Chinese actors are the world’s most active and persistent perpetrators of economic espionage,” and that “Russia’s intelligence services are conducting a range of activities to collect economic information and technology from U.S. targets.”
I have argued that these attacks, together with online piracy, have put the United States on the losing end of the largest illicit transfer of wealth in the history of mankind.
The security company McAfee recently agreed, writing that what “we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth.”
The current Director of NSA, and Commander of U.S. Cyber Command, General Keith Alexander, likewise agreed that we are suffering from “the greatest transfer of wealth in history.” We cannot let this drain on our economy continue.
The threat is not only financial.
The Stuxnet worm attack, which targeted particular industrial control systems, demonstrated the ability of cyber attacks to “leap the grid” and destroy physical infrastructure.
In 2008, a CIA official noted several incidents overseas where hackers were able to disrupt, or threaten to disrupt, the power supply of foreign cities.
The compromise of government networks, for example that of the Economic Development Agency within the Department of Commerce in February this year, jeopardizes the mission, weakens confidence in government, compromises privacy, and advantages foreign nations in their dealings with our country.
Cyberattacks also imperil military effectiveness. The Wall Street Journal reported in 2009 that computer spies broke “into the Pentagon’s $300 billion Joint Strike Fighter project – the Defense Department’s costliest weapons program ever. . . and were able to copy and siphon off several terabytes of data related to design and electronics systems . . . potentially making it easier to defend against the craft.” These attacks were reported to have originated in China.
Former Deputy Secretary of Defense Lynn likewise revealed in 2008 that “the U.S. Department of Defense suffered a significant compromise of its military computer networks” by a foreign intelligence agency in what “amounted to a digital beachhead, from which data could be transferred to servers under foreign control.” This incident, according to Deputy Secretary Lynn, was “the most significant breach of U.S. military computers ever.”
And in 2009, the press reported that the U.S. Navy was investigating an unauthorized user in Iran accessing blueprints and other information for the President’s helicopter, Marine Corps One.
The scale of the cyber threats facing America begs the question whether we are responding adequately as a nation. We are not.
One basic problem is the lack of appropriate public awareness about the severity of the cyber threat.
Businesses consistently decline to reveal that they’ve been victimized, for fear that doing so will scare customers and investors, encourage competitors, and draw unwelcome attention from regulators. Many of them don’t even know.
When the FBI-led National Cyber Investigative Joint Task Force informs an American corporation that it has been hacked, nine times out of ten the corporation previously had no idea. I am glad that the Securities and Exchange Commission, after prompting by Senator Rockefeller, myself, and others, issued guidance covering when registered companies must disclose breach information. But more must be done to draw back the veil of secrecy covering cyber events in the private sector.
The government exacerbates the public awareness problem by over-classifying information relating to cybersecurity. Jim Lewis of the Center for Strategic and International Studies recently explained that “[c]ybersecurity . . . has a unique problem in that some of the most reliable data is classified.”
Some information must be classified, for obvious reasons, but we nonetheless can do much better. To that end, I’ve been working with Senator Jon Kyl on the Cybersecurity Public Awareness Act, which would help ensure that Americans properly understand the scale of the cyber threats facing us.
A second significant challenge we face is the fact that the business community alone has proven incapable of securing its own networks. There are at least two reasons for this problem.
First, there is a gap in cybersecurity awareness. Carnegie Mellon’s CyLab recently reported that “boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets . . . These findings are consistent with complaints by [Chief Information Security Officers and Chief Security Officers] that they cannot get the attention of their senior management and boards and their budgets are inadequate . . . There is still an apparent disconnect . . . .”
In recognition of this, Edison Electric Institute has begun to bring CEOs and CIOs together, to foster better awareness of damages to the electric grid.
The second reason is market failure; existing economic incentives are not generating adequate cybersecurity. “[T]he market place,” former Secretary of Homeland Security Chertoff has explained, “is likely to fail in allocating the correct amount of investment to manage risk across the breadth of the networks on which our society relies.”
An example of this type of market failure is the decision of gas, electric power, and water utility industries to forgo implementation of a powerful new encryption system to shield substations, pipeline compressors, and other key infrastructure from cyberattack because of cost concerns. The cost, it should be noted, only would have been approximately $500 per vulnerable device.
The inadequacy of corporate defenses has been highlighted in a steady stream of reports. FBI Director Robert Mueller recently explained: “there are only two types of companies: those that have been hacked and those that will be.”
The McAfee report on the “Shady RAT” attacks similarly stated that it is possible to divide “the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
And Kevin Mandia of the leading security firm Mandiant has explained: “[I]n over 90% of the cases we have responded to, Government notification was required to alert the company that a security breach was underway. In our last 50 incidents,” he said, “48 of the victim companies learned they were breached from the Federal Bureau of Investigation, the Department of Defense or some other third party.”
The weakness of corporate cybersecurity is most troubling in the case of companies that operate critical infrastructure such as our electric grid, our dams, and the servers that process our financial transactions. These companies are clear targets, but too many are failing to meet minimum cybersecurity standards. Hardening those critical infrastructure targets would be an obvious improvement.
We also should find a way to position America’s most capable defenses and countermeasures to defend our critical infrastructure.
To achieve that goal we need to define critical infrastructure, so we know what it is and can protect it. The NSA and other military agencies have substantial expertise that should be leveraged in defense of critical infrastructure. This will not be easy, however. The NSA’s Defense Industrial Base pilot proved that the government can share classified information with trusted corporations, but revealed significant risks and limitations, particularly if the government were to share its most sensitive information with a broad set of private companies.
By identifying critical infrastructure on which our safety and economic and national security depend, we also define what does not qualify. That’s important because that defines where privacy concerns outweigh national security concerns. Nobody wants government in our chat rooms, emails, or social media; everyone understands why government should protect the electric grid that brings power to our homes.
Government also is responsible for enforcing our criminal laws. What work has been done has been excellent. Last year, for example, the Justice Department and the FBI took down the Coreflood and Rustock botnets. Actions like these should be a regular occurrence, but are not because we have not properly scaled up our law enforcement resources.
It is time for a fundamental rethinking of our approach: both the level of resources and the manner in which they are structured; what FBI Director Mueller called a “substantial reorientation of the Bureau.”
We should be discussing whether cybercrime should have a dedicated investigatory agency akin to the DEA or ATF, particularly given the exceptional complexity of the technical, international, legal, and inter-agency aspects of cyber investigations.
I am working in the Senate for legislation to harden critical infrastructure systems, improve information sharing, reform security practices at federal agencies, and support cyber research and development. I am optimistic that we can come together to pass meaningful legislation in this important area. Democrats and Republicans are working together, so hopefully success is in sight.
Outside our legislative arena, the United States military has taken numerous important steps to date, including recognizing cyberspace as an operational domain, establishing a cyber strategy, standing up the U.S. Cyber Command, and interacting more with private industry. The NSA, under the leadership of General Alexander, is at the cutting edge of modern cybersecurity.
The Guard, too, has adapted for cyber operations. In my home state of Rhode Island, the Rhode Island National Guard’s 102nd Network Warfare Squadron protects DoD equipment and performs Command Cyber Readiness Inspections to certify and accredit DoD networks at bases, deployed sites, and forward operating locations.
Important issues still remain to be worked through; in particular, rules of engagement in cyberspace. The rules of engagement, laws of war, and conventions of nationhood, sovereignty, and borders in the physical world are well-established. Clear understandings in these areas made possible the policies of deterrence that kept the Cold War cold, by assuring enemies of a defined and decisive response to aggression.
Similar clarity does not exist in cyberspace, in part because of attribution problems, and in part because principles in geographic space do not translate readily to cyberspace. Without this clarity, we cannot adequately deter cyber threats.
Issues relating to covert action are deeply classified, but at a minimum I can say that clear executive policies and procedures, and vigilant congressional oversight, are required.
Finally, our armed forces also must secure their supply chains from the insertion of malicious code, backdoors, and other cyber threats. There is good reason to be concerned. Chinese companies are actively working to extend their reach into the international telecommunications market. Military material often has components manufactured in China. Compromise of the U.S. military’s supply chain could damage military effectiveness.
Congress has given the Department of Defense the necessary authority, and the Defense Department must work hard, to keep counterfeits and the products of hostile companies out of its supply chain.
This is a long list of challenges. As our military takes them on, it would be wise to keep in mind some historic instances in which we have had to adapt to technological advances.
In the wake of World War I, for example, the U.S. military was skeptical about the possibilities of air power. Deputy Chief of the Air Service – which was then part of the U.S. Army – Brigadier General William “Billy” Mitchell only began to win over skeptics by demonstrating that bombers could sink a retired German World War I battleship, the Ostfriesland.
Field Marshal Douglas Haig, who was a British senior officer during World War I, famously claimed after World War I that “the value of the horse and the opportunity for the horse in the future are likely to be as great as ever. Aeroplanes and tanks are only accessories to the man and the horse, and I feel sure that as time goes on you will find just as much use for the horse – the well-bred horse – as you have ever done in the past.”
With our nation facing ever greater cyber threats, today’s U.S. military stands at a similarly pivotal moment in the history of combat. I urge you all to continue your good work to get off the horse, get on the plane, and bring the military’s capability for excellence to bear in this new theater of operations.
Thank you again for the opportunity to be here with you today.