Paris '07 Workshop
THE POWER AND CHALLENGES OF THE INTERNET
The Honorable John Grimes
|U.S Assistant Secretary of Defense John Grimes (2nd from left), with (from left to right) Henri Serres, Chief Information Officer in the French Defense Ministry, Microsoft Executive Director Tim Bloechl, Lt. Gen. Ulrich Wolf, Dir of NATO's CIS Service Agency, Estonian Defense Minister Jaak Aaviksoo, and Dep Assistant Secretary of Defense Robert Lentz.|
"The threats we face
in the information environment can come from anyone, from harmless teenagers
to criminal organizations, non-state actors, and nation-states that are intentionally
infiltrating and corrupting our systems."
It is a pleasure and an honor for me to talk to all of you today. Actually, though, I feel like a fish out of water, because usually I talk to my own kind of folks—techies—and we talk about networks and systems and that kind of thing. But I believe I can add a few things to the discussion, although this morning I sat in on the first session, which was very enlightening, and a number of my points were discussed. But global security can mean different things to different people. Security is a perception—what you see depends on where you stand.
THE POWER AND CHALLENGES OF THE INTERNET
Let me start by talking about connections. As we all know, we live in a global society whose pace has been accelerated by the advent of the telephone, data networks, jet airplanes, television, and now the Internet. Some historians think that globalization started with the 707 and the telephone back in the early '50s, and of course it is gaining speed every day. You cannot overestimate what the Internet is now doing. It is pervasive. You can get connected just about anywhere. And it has moved us beyond the Industrial Age into the Digital Age or the Knowledge Age, in what some call a borderless society. To understand it better, you may want to read The World Is Flat, which is about as good a reference as you can read if you want to understand the impact of information on our society.
In my own work the key thing I am charged with is information sharing, and the only way you can share information quickly is through the Internet. But the 9/11 Commission that certain government elements—law enforcement, foreign intelligence—did not share information. Some of the difficulties associated with the lack of sharing came from activities conducted by DOD intelligence and counter-intelligence units during the 1960s and 1970s when the United States experienced significant civil demonstrations and protests. Over time, information on the legitimate political positions and expressions of U.S. persons was collected and shared with law enforcement authorities. These acts were determined to be abuses of Constitutional rights and laws were passed to prevent DOD, law enforcement and intelligence agencies from collecting and sharing certain information. As national security concerns evolved – particularly in light of 9/11 – the US Patriot Act loosened restrictions in certain situations.
Of course, technology plays a bigger role than ever before. Now the Internet is heavily involved. A few months ago, when I had breakfast with representatives of the Federal Reserve Bank, we discussed their concerns about all the international finance transfers that are taking place at night—$12.4 trillion have been transferred. Their concerns are not only about the physical aspects of transfers but also the connectivity involved. It is the same with international air traffic control and with worldwide public health and with the military. We had some scares when misinformation was put on the Net. So we benefit from Internet technology capabilities but they also bring us problems.
The downside to Internet technology, of course, is that information can be stolen or damaged and service can be denied. Personal identities can be stolen, money, credit cards, intellectual property—we see it every day. In the military, the Department of Defense, the amount of information that is being ex-filtrated from our unclassified networks is just unbelievable—and supposedly we have some of the best defense.
FACING THE LOSS OF CRITICAL INFRASTRUCTURE
In the public's mind, the fastest-growing problem right now is the criminal element. The non-state actors – like terrorists – are all exploiting the capabilities and vulnerabilities of the Net. And the Net does have vulnerabilities—just ask Microsoft. Before they even get out a fix for a problem, another problem hits.
I do not want to sound like an alarmist, but I want to give you some empirical data about how devastating it can be if you lose a critical infrastructure. About a year and a half ago, off the coast of China, an earthquake took out an undersea cable. Although most of the traffic was rerouted, the capacity really went down, and if several such events happened simultaneously, you would have consequences you do not want to even think about. That cable going out was not catastrophic, but it definitely disrupted a lot of information sharing and of course the enormous amount of trade that takes place between China and us.
Another issue is satellite systems, which we do not often think about. But we have become more dependent on satellites, especially in remote areas without infrastructure or wireless capabilities, and satellites are now used to back up special undersea cable connections. One issue with satellites is that there has been intentional interference with GPS signals. Of course, GPS signals are critical—we all depend on them one way or another, whether for locations or for system timing. Not long ago there was an attack on Brazil's power grid, the SCADA network, which caused major disruptions. We are working with industry to prevent more of these kinds of attacks from happening.
The threats we face in the information environment can come from anyone, from harmless teenagers to criminal organizations, non-state actors, and nation-states that are intentionally infiltrating and corrupting our systems. Recently, when I was in Brussels, a serious broadband cyber-attack was perpetrated on Estonia—the aggressor patched together a network of more than a million compromised computers using public domain machine-launched waves of denial of service attacks that lasted for nearly a month. Telephones switches were flooded, data packets and emergency numbers were temporarily unreachable, and e-mail was crippled for four days. This was no haphazard attack—it was orchestrated. General Wolf's team provided some assistance—most people do not realize that NATO has a cyber-space center of excellence in Estonia. These are the kinds of things that can inflict severe damage and loss of life.
THE GLOBALIZATION OF THE SUPPLY CHAIN
The Internet is now quickly moving to wireless communication to enable mobility. I live and die by this PDA (holding up a BlackBerry). As an aside here I want to mention an issue related to the Internet—at the International Telecommunication Union (ITU, a U.N. organization) meeting, a worldwide radio conference in Geneva this October, there is going to be some very serious discussion about the spectrum that supports the Internet, because any time you broadcast in free space someone is probably able to intercept what you send and break it down.
But back to information sharing and the globalization of supply chains. As you know, many of our contractors and many of our businesses build and assemble products on a global basis. Boeing and Airbus are prime examples. Both have contractors in all part of the world, both are connected and sharing parts, and we are very concerned about that because many supplies are coming on- and offshore. So we are working to ensure production continues and we can depend on getting critical components in times of national emergency.
One of the most critical elements in this is software. Every major program I have that is in trouble, be it a weapons system or a business system, invariably involves software. A lot of software code is written overseas, a piece here and a piece there, and then all the code is integrated. We are always concerned about what may be in that code. You may wish to ask Tim Bloechl when he speaks about Microsoft regarding what the company is doing to protect software code for both its business and government customers.
PROTECTING KEY INFORMATION SYSTEMS
One of the elements of the Riga Declaration underscores how critical NATO believes command and control information is—the declaration speaks for the first time about protecting key information systems against cyber-attacks. But we are going to have to address this subject in all that we do, and here I will talk about another area of ITU. When General Jones was at EUCOM, he pushed very hard for what we call stabilization or reconstruction of nations. That means going into a nation before you have to put in weapons to train people, establish an infrastructure, and develop communications and technology. We are making this kind of critical effort now and I believe other countries are as well, especially to assist Third World countries that need that kind of help to stabilize their government. All too often destabilization occurs when nations do not have an infrastructure in which the government can operate and provide services to support the people. Our new command, AFRICOM, is going to have State Department inter-agency organizations as well as two deputies, so we are doing what General Jones urged—we are out there for peaceful purposes, stabilizing and reconstructing and restoring peace.
PROTECTING THE ECONOMY
Now I want to comment about something that happened recently. Last May the FBI took down a guy from Ghana who was going to take out JFK airport. Two comments he made that the FBI intercepted are 1) just by taking down JFK America will be demoralized, and 2) through military or business means we will take down the American economy. That is the focus of many terrorist groups now, whether they are religious groups or otherwise.
Immediately after 9/11, the president decreed that the National Security Telecommunications Advisory Committee to the President, which I was chairing, ensure that Wall Street was back up on the following Monday morning. We broke all the rules and we got Wall Street back up to signal to the world America's economic base was still functioning. Everyone was concerned the devastation would snowball, just as the Wall Street plunge snowballed during the Great Depression. The president realized the terrorists were focusing on our economy and worked to prevent them from taking it down.
THE NEED FOR INTERNATIONAL COOPERATION
The ITU, with its global cyber-security agenda, plans to help increase technical and legislative cooperation among its 191 members. To do this they are going to establish teams to help nations in need but they are also going to encourage nations to do more on their own. The Department of Defense is also encouraging cooperation among agencies and partners. For example, and the work to limit the damage of the cyber-attack on Estonia ended up involving NATO as well as EU Justice ministers. The way ahead, at least for the foreseeable future, will involve cooperation between international organizations involved in Internet or radio systems if we are going to have safe and assured use of the Internet, because it is under continual major attack by numerous and varied actors. Like our air traffic systems and our water systems, all of our information systems are fragile and subject to being brought down.