28 July 1998
Date: Tue, 28 Jul 1998 11:20:01 -0400
From: dltranscripts_sender@DTIC.MIL
NEWS BRIEFING
OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE
(PUBLIC AFFAIRS)
WASHINGTON, D.C. 20301
====================================================
DoD Speech to Fortune 500 Chief Information Officers Forum
Deputy Secretary of Defense John J. Hamre
Aspen, Colorado
Tuesday, July 21, 1998
Secretary Hamre: Thank
you, Petre. You're very kind. And I appreciate being invited to come
out to be with all of you. It's more than anything, just to get out
of Washington, to be blunt. (Laughter) To tell you the truth.
Let me apologize at the
outset. I did have a speech prepared to give you, but this morning,
I had a very interesting experience on the way. I stopped at Cincinnati
to talk with folks at General Electric who do engine work to learn about
how they're doing six sigma. And frankly, that changed a lot of my
thinking, and so, I'm afraid you're going to get a much rougher speech.
I'm going to try to bring together a number of different strands, talk both
about our war fighting side as well as our business side and how we
use information technology, and at least try to give you a sense of
what we're facing.
First, if I may, and as Petre
said, I function as the chief operating officer for the Defense Department.
Let me, if I may, ground you in what this organization is like. As Petre
mentioned, it's a large organization. We have 1.4 million men and
women who serve in the uniformed services, active duty, and about 800,000
civilians that work for the department. Every year, we recruit about
200,000 new people to join the armed forces. And we separate about
220,000 people. So about 30% of our organization is either coming
or going every year. We are spread out all over the world, as you
know. We have about 250 major installations. We operate 550
public utility systems, everything from gas, water, electricity, and natural
gas distribution.
We are one of the largest school
systems in the world. We have 126 high schools and elementary schools.
We are the world's largest daycare provider. (Laughter) Seriously,
we have 300,000 kids that go to Department of Defense day schools--daycare
centers-- because we've become a very different military over the last 25
years. Twenty-five years ago, it was still a conscript military and
it was largely bachelors. Today, it's very much a married military
and lots of single parents. And you've got to reassure parents that
somebody's going to be taking care of their kids if they get mobilized on
short notice. So we spend a lot of money on daycare. We're the
largest daycare provider in the world.
We have 28,000 separate systems
that we're tracking for Year 2000. Twenty-eight hundred of them are
mission critical. I used to be the comptroller, so I'm a little more
familiar with some of this, but we cut 5 million paychecks a month.
We cut about 400,000 bonds every month. We pay about 600,000 travel
vouchers a month, 800,000 contract actions a month, most of them small.
Out at Columbus, Ohio, where we do our large contract management administration,
we have about 360,000 contracts under administration. We disburse
about $43 million an hour. (Laughter) An hour.
We have operations under way
in every time zone. There isn't a time zone on the planet that we
don't have military personnel operating someplace. Today, there are
about 115,000 military personnel who are deployed. And that's in addition
to the 200,000 who are permanently stationed overseas. We operate over
400,000 vehicles. Now, that's everything from sedans and buses to street
sweepers we use to clean runways, to combat vehicles, tanks, and armored
bulldozers. As an organization, one of our real challenges is to span
about 70 years worth of technology at any one point in time. We operate,
on a daily basis, aircraft that were designed back in the early '50s and
you still have to maintain them, buy spare parts for them and keep them
updated. At the same time, we are working on research and development
programs for systems that won't be fielded for years; one's first flight will be in
2017. Managing that spectrum of technology is a real challenge. A real struggle.
In information technology, we
operate some of the most advanced computers. And yet, just last year,
we moved a bunch of Burroughs punch card readers to a new mega center because
we were still operating in a punch card environment. So, it's an astounding
spectrum of technology that we try to manage. It is, I would argue,
not only the largest, but probably most complex, organization in the world.
Now, this is an organization
that has had its budget cut for 15 consecutive years. In part, this
is okay. The Cold War is over, and I don't think it's inappropriate
that it is reduced. But our budget is about 46% smaller than it was
in 1986. We've undergone significant reductions. This is, as I mentioned,
an organization that is operating at 46% of its budget resources only 12
and 13 years ago, has a third of its personnel coming and going in any one
year and is still able, within a month, to send 60,000 people to the Persian
Gulf along with 400 combat aircraft and 500 cruise missiles and could carry
out war tomorrow if we had to.
So, I say that to frame an observation
and a dilemma that at least I experience. That is this: I firmly
believe that we are a world class organization in what it is we're supposed
to do, which is to fight and win wars. There isn't anybody who is
as good as we are. But I've also got to be honest and say we're a
second sigma organization when it comes to business practices. And
that's the curious dilemma that I see and that I'd like to talk with you
about today.
First, let me talk a bit about
the war fighting side of the house. We have been engaged in an unprecedented
change in the way we think about warfare. It's been going on for some
time and it's ready to enter into a much more sophisticated dimension.
It really took off in the late '70s and the early '80s when we were starting
to bring microprocessors into weapons systems. That's when it got
started. That probably wasn't as revolutionary as was the revolution
in training technology that we developed in the late '70s and into the early
'80s. And that's been, I think, far more important, frankly, as most
of the senior commanders in the Persian Gulf-- Norm Schwarzkopf--we were
talking earlier with Petre. We could have switched equipment during
Desert Storm and still beaten the bejesus (?) out of them. Just because
of the people and the skills that we grew over that time. For us,
training technology, growing our most important asset, people, is by far
the most important thing we do, not just the hardware that's sitting out
on a ramp.
So for what we're supposed to
do, we're a world class organization. And I've got to tell you, frankly,
we're getting better. Dramatically better. We're already without peer.
I know this sounds boastful. I don't mean it to be that way, but we're
already without peer as a fighting force and ten years from now, we're going
to be, I think, significantly stronger. Let me give you an example.
We are on the edge of breaking
through in what we call network centric warfare. Prior to this time,
we largely fought about the business, I'm sorry, this is a little blunt,
a little coarse, but the business of destroying things, is what you
try to do in a very focused way without doing lots of damage to things that
you don't want to destroy. We try to do that, we've done that before
by largely putting very lethal and accurate capabilities on whoever was
doing the shooting at the time. We're now moving into a much more
interesting and highly leveraged dimension where the person that launches
the missile doesn't have to see the target. We're going to be sharing
information across a network and still be able to attack and destroy an
opponent. This dramatically improves the survivability of our own forces,
of course. It is going to be revolutionary. The situational awareness
that will be on our side of the battlefield will be three or four orders
of magnitude better than our opponents.
This really comes from the way
we've brought information technology into the core of war fighting.
For example, one of the things-- it's not with us today, but I don't think
it's many years away. We will have a device about the size of a watch
that will be on our average soldier that will monitor vital signs so that
when that squad is out at night, the sergeant doesn't have to wonder if
a private has fallen asleep in a foxhole. He can see it. If one of
our soldiers got hit, you don't necessarily have to send out a couple of
guys to try to get him and find out that he's already dead and then put
more lives at risk when you're in a firefight. It's that kind of knowledge
and that kind of skill-based control that we're going to bring to the fight
that will be without peer, in the world of warfare.
I know this isn't
necessarily a pleasant thing to talk about, but it's part of our business
and we do it so that we quickly get in, quickly get out and leave very,
very few people behind. And there isn't going to be anybody as good
as we are.
We're doing this, with a very
systematic application of information technology and warfare. And
it's really unbelievable the way it's happening. They're prototypes,
but we're putting computers on-board airplanes along with pilots that serve
as a copilot for all practical purposes, giving that pilot extra situational
awareness, cueing and advice. We're going to be able to put inside
a tank a picture of the entire battlefield for that tank commander.
You can't imagine how limiting your perspective is when you're inside a
tank, buttoned up, trying to have some idea where your enemy is and where
your own friendly forces are in a vehicle that's bouncing all over.
You may be in chemical gear. Now you're going to be able to look at a computer
screen and see it in front of you. It's going to be absolutely revolutionary
for what we can do.
In the past, the dilemma of warfare
was always how to bring mass together for its effect over your opponent
without giving your opponent lots of targets to shoot at. Classic
dilemma. One of the reasons there were so many casualties during the Civil
War was because firepower technology had gone so much further than communications
technology. We were still massing people close to each other, side by side,
marching in the face of huge firepower disadvantages so that our cannons
mow people down. That's why there were so many casualties in the Civil
War, because communications technology still relied on people standing close
enough to hear an order. We're now going to be in a wholly different
world where people don't have to see each other and yet, they can operate
together as a combined arms team. It's dramatic what we're going to
be able to do.
Now, I contrast that with where
we are in our business operations. And here, and I'm not trying to
criticize the people who are working very hard. These people are working
very hard to try to make the system work. But I'd have to be honest
and say that we're a second sigma organization for most of our supporting
structure. We are still largely dominated by stovepipe organizations.
We automated our stovepipes to reinforce their bureaucratic rigidity.
Does this sound familiar? (Laughter)
And of course, what happens?
This is one of the reasons we have 28,000 Year 2000 problem systems.
What happens when you automate manual processes is that then you have to
invent interconnections to get them to work together, right? And of
course, those are all basically failure points in a system. So, on
the average, between a decision to buy something and getting a check cut,
out the door, it takes 105 paper transactions in the Department of Defense
right now. Now we're trying to glue together lots of different, old-fashioned,
manual procedures that were designed during the '50s and '60s and '70s that
have all been automated. Great. We are an enormously paper-bound
organization.
When I was the comptroller, I
was responsible for all the finance and accounting operations of the department,
and that included our disbursing operations. I mentioned our
finance center out at Columbus, Ohio. We have about 3,000 people there
cutting checks to all of our vendors. They are administering 370,000 contracts.
It takes 15 linear miles of shelf space to hold the contracts. When
we sign a contract, we issue a contract, we print up 17 copies on the average
on the contract. One of them goes to Columbus. So we've got
miles and miles and miles of shelf space every place, administering what's
in essence a paper-bound system.
And again, you know, I'm just
trying to be honest. This is what happens when you get such a huge,
complicated organization as ours. You get these very old fashioned
-- I went out to Columbus. The first time I went out there, there
were great, big sorting wheels just to sort the documents that were coming
in every day. I mean, this is 1930's office technology, but that's
kind of where we were at.
So, these two phenomena, which
I find it very curious, you know, we are so advanced in some areas and it
just would dazzle you to see some of the things we can do. I can walk
into the Pentagon, I can go down the hall and I can see real time video
footage of a camera taking pictures over Bosnia. It's startling some
of the things we can do. And yet, I go to places where we're still
using 1930's sorting wheels for the documents. (Inaudible) to reconcile
this and they're related in a very important way. As I said, our budget's
been cut now for 15 years. We happen to think we're absolutely at
a rock bottom. But I don't know that there's a lot of support for
dramatically increasing our budget. So if we're going to be able to
sustain the kind of war fighting modernization that we need for the future,
then we're currently not buying enough things for the long term modernization
of the department. We're going to have to create our own spending
power. And we're going to have to do that by shaking loose dollars
out of the support structure of this department. We've got too much
that's being consumed by old-fashioned business practices.
So, when Secretary Cohen
came in a year ago, I was the comptroller, and he said, we've got to do
something about this. He put me in charge of an effort to try to come
up with ways to bring in business, modern business practices. There
are four basic things that we're trying to do. One was trying to streamline
our headquarters operations. We cut out about a third of the direct
office supporting the Secretary. There were actually 3,000 people
who were involved in that and we've cut out a thousand of them. And
we've cut back about 30,000 out of our defense agencies, our support agencies.
We're trying to launch a wide set of changes in our business practices and
I'll describe a few of those in just a moment.
Second, we're trying to compete
government jobs against the private sector. We know from experience
we've done about 2,000 competitions. This is governed by a process
called the A-76 process, a circular that OMB maintains. We know that
when we compete jobs head to head, on the average, the government wins half
of the time and the other half of the time the private sector wins.
When the private sector wins, the savings are usually about 40% and when
the government wins the savings are usually about 20%. So we know
we can save substantial sums. So we're going to compete 200,000 of
our jobs over the next four years and try to shake dollars out of
the system. It will generate, when we're finished, annual savings of over
$2.5 billion.
Third, we need to close bases.
We've gone through four rounds of base closures. We're still doing
base closures. Last year, we closed a base a week. Some of them
were small, but we're closing a lot of structure. But we still have
to go for another couple of rounds of base closures. This has not
been gladly received by Congress. We did not get permission to proceed.
I don't know what we're going to do exactly, but we have too much physical
infrastructure that we're having to support. We're going to have to figure
some way to streamline that physical infrastructure because it's taking
dollars away from what we really need it for, which is modernization of
programs in our war fighting.
Within our bases, we're trying
everything we can. We're going to, over the next four years, knock
down 8,000 buildings that we consider obsolete. We will break even on the
fifth year. We've got a lot of old structure, going back to World War II.
The phenomenon is if you've got a base and you've got heat going into it,
people move into it. (Laughter) Get the building down.
We are on a path. We would like
to try to privatize all of our utility systems over the next five years.
We've got, as I said, about 550 utility systems. Now, some places,
that's very plausible: San Diego, Norfolk. But you get into the middle
of the desert, it's probably not very plausible that we're going to be able
to do that. But again, we're on a detailed plan to try to privatize
our utility system.
Now, let me, if I may, just talk
briefly about some of the business practice things that we're trying to
do. For example, we're trying desperately to move to what we call a paper
free acquisition environment. I described to you a current system
that is enormously paper-bound: 15 linear miles of shelf space. We
found some very innovative ways to do that. We're essentially shifting
over our acquisition system to an Internet-based system. We had some
clever folks who said, you know, before that contract ever turned into paper,
it was electrons on its way to a printer. If you can intercept those electrons
and drop them in a server, you can access them with standard search tools
and get enterprise-wide imaging, you know, on the cheap. You don't
have to buy all those Kodak scanners, nothing against Kodak. You don't
have to buy those scanners if you can find a way just to borrow the electrons
at the outset. One of the advantages of course is, that you don't have to
have everybody come on board the system to get an enterprise-wide solution.
People can get on board it when they want to and when it's in their purposes.
We'll break even just with file clerk costs alone in the first two years.
We're making very good progress
on this. We're probably posting about a hundred thousand contracts a month
now that way alone. It never turns into paper.
We've been able to shift over
to a paper free process for our technical drawings, about 65% of all of our
technical drawings, and we have a lot of them. We have 5 million items in
our active stock list that we're buying from industry. Many of them have
to have technical specs behind them for competition. Now, 68% of them
are only in electronic format and we only compete them in electronic format.
So, we're trying very hard to shift over to this sort of a world.
I think some of the greatest
promise lies in some of the new, but not exotic, technology.
For example, electronic malls. We are now shifting over in a very
dramatic way to using electronic malls. It's not just cheaper, but
it's a revolutionary way of approaching acquisition. You're "democratizing"
the acquisition process. You take your acquisition professionals and you
have them develop the underlying contractual instrument for the acquisition.
Then you turn it over to a first sergeant and let him buy his own batteries
or his own spark plugs. We don't have to have an acquisition system
that's buying it for him and then a finance system that's paying the bill
later on. You know, we can integrate all that together into one instrument.
For the first time, we now have a department wide electronic mall.
It's limited. We've got virtually all our foodstuffs, and, when you
feed 1.2 million people a day, there's an awful lot of food in the messing
system. So it's having dramatic implications already.
Now, where are we with this agenda?
I'm very gratified at the progress that we've made, but it is still slow.
I think if I were to give us a grade, I'd give us a B+ on effort and a B-
on progress. You know, we're doing better than, I think, the average,
but we have a long ways to go. I think there are a lot of promising,
leveraging technologies that we are putting in place. We've got a lot of
building blocks for dramatically improved performance. But we're still
fighting organizations that know the old way of doing business and don't
want to give it up. We're having to find ways to push them over the edge
to adopt new practices.
Now, I'm actually going to
give you two speeches today. This is the end of the first one.
I'll be honest, I'm campaigning here. And I want to talk to you about
information security and infrastructure protection.
This country
is wide open to attack electronically. A year ago, concerned for this,
the department undertook the first systematic exercise to determine the
nation's vulnerability and the department's vulnerability to cyber war.
And it was startling, frankly. We got about 30, 35 folks who became
the attackers, the red team. We gave them enough money to go down
to CompUSA or wherever. They only could buy stuff off the shelf.
They were given no special software. The only software they were allowed
to use was stuff they either developed themselves or they downloaded from
hacker web sites. They spent three months getting ready. We didn't really
let them take down the power system in the country, but we made them prove
that they knew how to do it.
Now, why are we so vulnerable
as a country? We're vulnerable because of the enormous productivity
improvements that we've sought through information technology in the last
20 years. You're familiar with the term SCADA system, Supervisory
Control And Data Acquisition Systems? These kinds of systems are used
to control remote switches on a power grid that will open additional switches
or bring on new transformers or pipelines that are used to regulate the
flow of oil through a pipeline. It's used for water irrigation systems
in the west. It's used for everything and anything you can imagine.
They're basically being run now through these Supervisory Control And Data
Acquisition Systems, SCADA systems. They're commercial products off
the shelf.
Increasingly, American business,
in order to save money and to shed itself of the cost of proprietary networks
is moving these systems onto an Internet-based control system. So
we're finding increasingly, America's business and utilities are controlling
the infrastructure through a technology that's wide open. It was never
designed with security in mind.
The Defense Department is surprisingly
vulnerable, too. The reason is that over the last 10 years, we have
been dramatically shifting our infrastructure over to commercial structure
rather than government-owned. I remember the first time I ever went
out to Strategic Air Command 15 years ago. You'd go out there and
there'd be five phones sitting on the desk. You know, there's a gold
phone and a red phone and blue phone and all this kind of stuff. But
they were all government-owned phones and government switches and government-unique
lines. We had our own system. Well, we don't do that anymore.
Ninety-five percent of all of our communications now is over commercial
channels. And one of the things that surprised us during Eligible
Receiver was the degree to which we had become vulnerable to penetration
because we were riding on these networks.
Now, it brings me to the subject
which is the bottom line here. I understand this is a bit controversial,
but ultimately you are no different from us. You are going to increasingly
do your business over a medium that was never designed with security in mind.
It was designed as a research tool. We invented it. We in DoD
invented it. It was designed as a research tool. And the protocols
are wide open. Everybody knows how to plug in. That's why it's
so powerful now in business applications.
So how do you protect yourself?
How do you provide security in an environment and a medium that inherently
is insecure? A lot of things you have to do as a company.
We are, because of these experiences, shifting hundreds of millions of dollars
over into information security. But one of the things that is essential,
the (inaudible) of this, is encryption. Now, I know this is a hot
debate, and part of the discussion I had with Petre while we were waiting
was the issue of encryption. Petre's first question was, "Are you
with law enforcement or are you with commerce?" This is the debate
that's occurring in Washington. It's occurring all over. It
isn't exactly analogous to Justice versus Commerce. There are law enforcement
concerns and Justice and the FBI are responsible for those. We want them
responsible for those. Then there are economic concerns and frankly, civil
liberty concerns. Those are contending values of equal value in our
democracy. Equal weight, in my mind. I do not believe that
it's more important to protect ourselves against terrorists if it means
it comes at the expense of civil liberties in the United States.
But I also don't believe that
civil libertarians or cyber libertarians have a right to say we as a government
have no responsibility to protect American society against criminals or
terrorists. We're going to have to strike a balance here. I personally
believe that the debate of whether America's government is threatening our
civil liberties is a fraudulent debate. We've never proposed anything that
was any different than the mechanism we use every day to balance privacy
versus law enforcement and security. Our police don't break into people's
houses without a search warrant. I mean, we know how to do that.
We know how to protect America's privacy, and we know how to safeguard that.
There's a very -- (inaudible) we fight wars. It's for these values,
these civil liberty values.
We know how to balance them in
this country, and we know how we'd balance them as well in this area.
And I think that frankly, the debate that's emerged has been, and I'm sorry,
I hope I don't offend people when I say this, but a fraudulent debate because
we know we can do that if we can ever move ahead. Now, you may say
that that means I'm siding with law enforcement. I'm not. I think
that it's impossible to find a technical solution to this problem.
But I do think it's essential we find a technical solution for protection
if you're going to operate through the Internet.
Our position in the Department
of Defense, and I frankly think it should be your position as well, is that
if you're going to operate through these public, insecure modalities, you
have to secure yourself. And you have to do that through encryption.
But I've also got to say the most dangerous thing in the world for us as
a war fighter is to get an encrypted message that's a spoofed message.
There's an authenticity that comes with an encrypted message that gives
you the implication that that's valid because it's encrypted. You
have to be able to determine the validity of the individual who is sending
it to you.
Now, from a business standpoint,
I can't imagine any of you as business people who would turn over to your
employees the right to spend your dollars or cut checks or ship technical
information and not require those employees to leave an electronic fingerprint
on it when they do it. It's a basic of internal control.
So your interests and our interests
are no different. What it leads me to say is I'm not picking sides
between the law enforcement community and the commerce community, as it
were, in this debate. I'm saying we have to go right down through
the middle. We have to protect ourselves in this environment and it's
got to be with encryption and some form of security management, key recovery
in our case. But we're going to make it voluntary. It's our
choice and we're going to buy it. We're not going to ask that it be
mandated through law on anybody. We're going to pay for it.
And we've entered into contracts with a number of large houses to help us
bring that kind of architecture. We'll get the first one running
this fall with Netscape, and hopefully, it'll be operational in October.
But I'm telling you, this is
something that you've got to do for your own companies and it's something we
all have to do, frankly, for the country. It's in your narrow interests
as companies and it's in our broader national interest to do this.
And I would ask you to step past this debate that we're having on cyber
liberties versus law enforcement. We're going to have to get to a
more sophisticated understanding of this problem, and we don't have a lot
of time.
I'm going to stop there and I
hope that I've stimulated enough interest that there might be some questions.
Fortunately, only about seven people have fallen asleep. (Laughter)
So, let me start with you, Dave.
Q
It strikes me that the key recovery argument is a little like gun control.
Under the key recovery system, maybe only the outlaws will have strong encryption.
How do you respond to that kind of an argument?
A
Well, I think that's sadly right in one sense. Again, I am interested
in encryption and key recovery to protect myself. And I need it for
the department so that we know we can talk to each other reliably without
manipulation of the data and know who it is we're talking to. Frankly,
you as a businessman have exactly the same interests.
Now, that does not answer law
enforcement's problems and concerns. And I'm very sympathetic on this
issue to Director Louis Freeh and to Attorney General Janet Reno.
I don't want terrorists able to talk with each other openly through encrypted
messages. But I don't know how to get at that within the context because
I don't think America is prepared for a mandatory key recovery system in
this country. As much as I think Director Freeh is right, we need
to find a technical solution here.
Now, we're wrestling with that,
but we're going to have to find other solutions to it. We don't listen
in, we don't put wiretaps on everybody's telephone in order to do wiretaps.
I mean, there are processes that we have to go through to identify these
people, that there's enough reason that we want to listen to these people
that you can go to an independent judge and have that judge say yes, but
under these conditions you can do it, and then you're empowered to go ahead.
That's exactly the same thing we would do here. But it means, ultimately,
the bad guys still have to enter in and out of American society and in and
out of the infrastructure, the communications infrastructure. And
we believe that if we get going here on a voluntary basis to build up security
structure in this country, they're going to have to operate in and out of
an environment we do control. But we'd control it under our terms,
yours and my terms. You decide what's good for your company, I'll
decide what's good for the department.
Q
I have a two part question. First, I'd like to commend you on electing
to spend your life in the civil service of our government. I think
that's very commendable. I happen to know what you go through.
But more importantly, I have a two-part question. Part one is on your
business applications. I'm intimately familiar with some of your problems.
I think that if you did a better marketing job to businesses and to the
general American public, I think your job of finding those dollars to support
your non-combative initiatives would be found much easier. That's
number one.
Number two, on the area of security,
I hope I don't offend you, but I'm a very blunt-spoken individual.
I find that the biggest problem with security in terms of the federal government
is a credibility gap. That credibility gap becomes paramount when
you look at some of the non-media attention laws concerning the Internet,
laws that have been published -- that have been passed, I'm sorry, as well
as some of the encryption criminality of using it in an overseas environment
in a non-Department of Defense environment. I think that again, we're
back to credibility. I believe you believe what you're saying.
I believe you're saying what's in your heart, but I'm not sure that everything
you're saying falls into the perspectives that you're presenting.
A
Okay. Let me take each of them. As to whether or not we need
to do a better marketing job as you describe it to explain it, that's why
the hell I flew out here. (Laughter)
Now, on the second issue, first
of all, there are no laws. So I think what you're commenting on is
the government's current position prohibiting the export of strong encryption
overseas. Now, I need to explain first of all, that the government
is currently permitting the export of 56 bit encryption algorithms.
Now, I know that there's some huffing and puffing about whether that's strong
encryption or not. But again, I say let's put this in context.
There was a flap here the other day when, ta-da, somebody invented a computer
that could break 56 bit encryption in 30 hours or 40 hours or whatever the
time was, right. You took 40 hours to decrypt a two-second message.
And it was good only for that one message. You've got to start all
over again on the next two-second message. Tell me that that isn't
strong encryption. I mean, there isn't anybody in the world that could
routinely bust that level of encryption in the same time sequence it takes
to issue it. I mean, so everybody still has this mental model that
encryption is like World War II cipher codes, you get it once, it's good
for everything. Well, it isn't.
So, first of all, we're not prohibiting
anybody from using enormously strong encryption today. Now, the department
is working very actively with law enforcement and with commerce on a strategy
that we think will help break through this. We do not want to block
American business from being able to export strong encryption. We
do want them to manage this over time. I'm not talking about dozens
of years. But managing this in a way where we can honestly balance
these national security concerns with American economic concerns, commercial
interests and privacy concerns.
I hope that in the next several
weeks, we'll be able to finally hammer this out. I believe we have
a framework. I'm sorry that I really can't go into it right now because
it's still tied up in a fair amount of discussions inside the department
or inside the executive branch. But believe me, we are working this
hard. And we're not trying to block American business and American
productivity. But I'd also ask American business not to make a campaign
out of just trying to bust through export controls as though somehow there
was a God-given, inherent right to send the strongest encryption to anybody
in the world, no matter who they are. I don't agree with that.
I will never agree with that. The last thing I'm going to agree to
is that American encryption gets used by terrorists overseas without any
effort on our part to control that.
Now, it's striking a balance
between who gets that and then not punishing American business, not losing
American jobs, having America dominate this industry over time, and I want
all of that. Don't get me wrong. I want every bit of that.
But we're going to have to balance those, too. I hope over the next
three to four weeks, we'll finally be able to get through with something
that will help work that problem.
Forgive me for not -- I know
it's frustrating for me not to be able to give you the answer. I know
what it is up here, I just don't have agreement yet in what I think will
be the system that works out.
Let me go over here. Yes,
sir.
Q
You mentioned that the prepared speech you were going to give this morning,
you kind of tore up because of a change in your thinking after a visit to
General Electric. I'm wondering if you can tell us in a sentence or
two what the change in your thinking was.
A
Well, in all candor, the change in my thinking was -- I haven't resolved
it yet. But I came to realize -- I went to visit a world class organization
and I came to realize, we, DoD, we're world class in our own way.
In what's important to us, we're world class at that. There isn't
anybody that's even close to us. GE had an approach, Jack Welch
has an approach, very interesting guy. He talks about the front office
and the back office. I'm worrying about holding onto the front office
because that's what's got GE written on it and the back offices, I want
to give that to somebody else who considers that their first line of work.
My problem is the front office
stuff, which is going to war, we're always going to do that. Frankly,
we don't have a lot of volunteers to do it for us. (Laughter)
So we're always going to do that. But I can't shed the back office
the same way Jack Welch can because we've got interests around the country
that don't want to lose depots and don't want to lose bases and this sort
of thing. I don't know how to wrestle this problem, but I was going
to initially just talk to you about how broken we were in our business practices.
And that would have been, I think, misleading because we're not a broken
organization when it comes to using information technology. In many
ways, you know, we're astoundingly successful at it. So I was going
to mislead you if I gave you the speech I was originally going to give and
I was going to give you kind of a negative impression about the department.
Having said that, we've got our
hands full trying to get at the support side.
Yes, sir.
Q
I don't want to beat the encryption issue to death, but I really don't think
I fully understand the position on export restrictions on encryption.
I mean, it's not like supercomputing where clearly, without billions of
dollars to do research and development, you aren't going to basically be
able to duplicate supercomputing in Tehran. But all it takes to do
strong encryption is somebody with good intellectual capabilities and a
$3,000 personal computer. So, I mean, can we really, through export
restrictions, prevent incredibly strong encryption being developed all over
the world where we don't have any control. I mean, I guess I just
don't understand -- feel like we're over here trying to get the barn door
closed and there is no back to the barn. (Laughter)
A
No, I don't agree with that because it isn't just a smart guy thinking up
an algorithm and putting it on a PC. You know, it's creating the infrastructure
for a security environment that that encryption rides on. That turns
out to be much more demanding than you think. After all, PGP (Pretty
Good Privacy) is out on the net, right? There aren't that many people
that are able to pick up -- you just can't set up PGP between you and somebody
else. And if you do, it's a good thing to look at.
So, at the same time that we're
working this, we're going around to our colleagues and friends in other
countries and encouraging them to establish a legal framework to manage
security infrastructure in their countries. I've been around to seven
or eight or nine of our NATO allies encouraging them to establish the kind
of security structure that we're going to try to create over here by buying
it. We've been working very closely with Ambassador Erins (?[probably
"Arons"]) of the Rosana (?[probably "Wassenaar"])
process to get this thing and we've made great progress, I think, during
the last five, six months.
So, I don't agree with
the representation that this is simply an issue of a smart guy knowing how
to do an algorithm and putting it on a PC. That is a far different
thing from having widespread encryption use systematically. What we
would like to see is widespread systematic encryption that has a backdrop
of a security architecture. That's appropriate for all the different
countries. Our only interest -- and some of the allies initially thought
that I was over there wanting them to buy our stuff. I'd be happy
to do that, I'd like you to buy our stuff. But develop your own if
that's what your concerns are. But for heaven's sake, develop a security
structure around it first and one that is mutually reliable with us.
Because ultimately, we want American business that's operating in Italy
to be able to interchange, if they want to add a system that's unique to
Italy, fine. We just need to be able to exchange with that. This is
a matter of us working through. It's the nexus of a technology challenge
and a political imperative. Not political in a partisan sense, but
a policy imperative. And I think it's something we just have to work
our way through. It's an enormously complicated problem, but it's
one I think we're obligated to try to fix if we can.
I actually think that the trends
in the industry are heading in our direction. I think that the market
forces that are under way -- I've been around to talk to a lot of the big
companies that are in this business and talk to the technical directors
and I think the dynamic is heading in our direction that we'll ultimately
support a security architecture around this industry. But let's do
it where we have it grounded, at least, in a manner consistent with
American values and American society.
Yes, sir.
Speaker: We're about out
of time. We'll take one more question.
Q
Just a question on Year 2K. As you read a lot about that, there's
a lot of concern about the companies as well as the government being ready.
What do you see or what are your concerns on an international basis?
You talk about terrorism and vulnerability and those types of things.
I would think that as a country and as a bunch of corporations, if we're
not ready, it leaves ourselves pretty vulnerable.
A
Well, let me first say what we're doing and, I think, what keeps me awake
at night. As you heard, we have about 28,000 systems that we're monitoring,
2,800 of them are what we consider to be mission critical across the board.
That's everything from the GPS satellite system to an accounting system.
It is critical for that particular community's mission. We fixed about
a thousand of those 2,800. We know, by system, the status of the others,
that is where it is in the renovation or testing, that sort of thing.
Several things make me very nervous.
One is interfaces and interconnections. They are not well mapped out,
so we've required every system owner to go through a methodical process
of documenting through MOAs who was changing what and the interfaces back
and forth. That's only a sufficient first step. You then have
to go through a system of enterprise testing. Not just stovepipe testing
for that system, but enterprise-wide testing. I got that from Armand
when we talked about that. So we have placed a fair amount of effort
in trying to find methods for enterprise testing for systems. For
example, our average payroll system is connected to 65 feeders, I think.
So it doesn't matter where it breaks down, it's going to work on pay problems.
So it's in our interest to figure out where that is. So that's one
of the things that keeps me awake at night.
Another thing that keeps me awake
at night is, you know, we operate so many old systems. I mean, and
a lot of these old systems, you know, in the '80s, the fad was to put a
graphic user interface in the front of it, the veneer. And so it may
look like it's Windows NT, hey, we're good. But underneath it is 30
year-old code that nobody knows how to program in and the last guy that
did died two years ago. (Laughter) So, it's scary because you say
are you Year 2000 compliant and they say yeah, look at it, that's Windows.
But you don't know what's really crunching underneath it. That worries
me.
We're very concerned about the
embedded chip problem because we have bought so many things off the shelf
here in the last five years. We've pressed so hard and there wasn't
kind of the rigor and discipline to know where that is. You may take
three things that all have exactly the same label on the front of them and
test them and they fail differently because there are different chips in
them. And frankly, the company didn't know that in some cases.
So that worries us.
Knock on wood, we're going to
have some embarrassing episodes, I don't doubt that, when it happens.
I don't believe our nation's security is going to be at risk. We're,
for example, taking each one -- there are 76 systems that are involved in
nuclear command and control. And we're taking every one of those and
we're doing dedicated enterprise testing on those to make sure there isn't
any problem there. We operate 25% of all the air traffic control in
this country, DoD does. We have to make sure that we're not going
to have a problem there.
But I think we're probably going
to be the poster child for failure. Nobody cares if the Park Services
computers don't come on. Okay? But what's going to happen if
some do in DoD? Let's face it, we're going to be the poster child
for failure if something happens, even if it's trivial in scale, people
are going to really try to make fun of us. And so we know that.
And it's not just to avoid the ridicule. I mean, I'll take that.
I get that every day. It's to try to make sure there isn't something
real that's behind that.
Now, you asked about international
and we're frankly, a bit concerned here. Some people are, of course, doomsday
minded and say we're going to have a global recession and all that.
I'm not smart enough to know anything about that. We are concerned that
we have communications links that are reliable with our primary -- five
years ago, I would have said opponents. I don't know if I'd call them
opponents now. But we want to make sure that Russia's early warning
system works on the 1st of January, Year 2000. And if there are problems,
we're perfectly willing to sit down and share early warning information
with them in a controlled manner so that if something does happen, there's
a confidence arrangement that we've established in advance. We think
we're going to have to do some of that.
But frankly, we've got our hands
full just trying to get our own problems fixed. We're reaching out
and I think will indeed to try to launch -- I'm a little constrained talking
about it right now, but I think a couple of programs to try to help with
areas where we need to know with confidence that communications links with
other countries are going to be operational. That their eyes and ears
will function and if they don't they've got other eyes and ears they can
use during that period, things of that nature. So it's got us nervous but
we're working on it.
- END -
NOTE: This is a plain text version of a web page.
If your mail reader did not properly format this information,
the original is online at http://www.defenselink.mil/news/