U.S. Strategic Command


2010 Cyberspace Symposium: Keynote - Interagency Perspective

By The Honorable Howard Schmidt | Omaha, Neb. | May 27, 2010

COL. GILBERT:

Ladies and gentlemen, if I can have your attention, please. At this time I would like to recognize and thank Kinetic for sponsoring our fantastic meal today. It also goes without saying, but I'm going to say it anyway: thank you to the staff at the Qwest for the service. They do a fantastic job.

Please welcome to the stage General John Dubia, executive vice president of AFCEA International.

LTG DUBIA:

Thank you very much, Colonel Gilbert. I appreciate you recognizing our lunch sponsor, and I want to echo those in representing Kinetic today, Lieutenant General, Retired, U.S. Air Force Thad Wolf. Thank you very much to each and every member of industry who has been here. You should have found yourself in exciting times, and we still have two more exciting hours to go in this great conference. But I do want to recognize some additional sponsors, because it is your support that helps make this conference what it is, the interface with industry. And I'd like to recognize today Mr. Azel Osby, Senior Vice President, Global Law Enforcement and National Security, from CACI. Also I'd like to recognize Carlos Solari, Vice President, Cyber Technology and Services, CSC. I'd like to recognize Lieutenant General Harry Raduege, United States Air Force, Retired, Director, Deloitte. And here, you heard our governor yesterday. So representing the Omaha area, Rod Moseman, Vice President, Economic Development, Greater Omaha Economic Development Partnership. Again, the Director of the Omaha field office, Raytheon, Mr. Tom Reardon. To each and every one of you, you are critically important. You're important to the partnership of government and industry, you're important here in the Greater Omaha area, and you're very, very important to the men and women in uniform and those that support them.

COL. GILBERT:

Ladies and gentlemen, it is my privilege to introduce our keynote speaker, the Honorable Howard Schmidt, White House Cybersecurity Coordinator. In December 2009, Mr. Schmidt was named as the United States' top computer security advisor to President Obama. Previously, Mr. Schmidt served as cyber advisor in George W. Bush's White House and served in and supported the Department of Homeland Security. He has testified before congressional committees on computer security and cyber crime, and has been featured on various worldwide TV and radio shows discussing cybersecurity, investigations and technology. With some 40 years of experience in government, business and law enforcement, Mr. Schmidt brings a unique and deep experience to this important issue. Please help me welcome the Honorable Howard Schmidt.

HON. SCHMIDT:

Thank you very much for that kind introduction, and if I've never felt old before, I do now. It's great to be back in Omaha. General Chilton, thank you very much for the invitation to be a part of this wonderful, well-attended event. I spent a little bit of time last night talking with some other folks, and it's a great event, so thank you for the opportunity to be here.

General Dubia, thank you for AFCEA's support in putting on this event. It's one of the groups that really understood private/public partnerships before it became a term that everybody uses very loosely, and I very much appreciate it.

The sponsors, the Chamber, what a great event last night. Thanks to the Chamber folks for putting out their best foot of Omaha and putting together an enjoyable baseball game as well, I might add. And ladies and gentlemen, thank you all for participating here.

I think it's no surprise, particularly at this stage in the symposium, that we all fully recognize that cyberspace touches pretty much everything that we do and everyone that we work with. It provides a platform for innovation and prosperity that we've never seen before, overall in the general welfare of this society as well. So it's something we've built, something we depend on, and something we will depend on for the rest of our lives. With the broad reach of cybersecurity and the ubiquitous nature of what we do, one of the things we're all very much aware of is that the vulnerabilities and the resilience of cybersecurity are probably not where we want them to be at this point. We see great risks that face us, from the nation-state issue to private enterprises, including individual rights, and I'll speak about that in a few moments. But the government does have a responsibility to address these strategic vulnerabilities, and of course, the component of the government that has done it better and for the longest amount of time is our U.S. military, and I'm very, very happy to say that with the standup of Cyber Command last week and the promotion of General Alexander, probably the best person in the world to be the first commander of that, we're well down the path of doing the right thing to indeed reduce those strategic vulnerabilities we have so we can actually realize the full potential of what information technology can bring to us as a country.

So my comments this afternoon, what I want to take a little bit of time to frame, are what I would call some of the highlights of what the White House priorities are for cybersecurity. It's been almost a year now since the President gave a historic speech talking about cybersecurity being not only a strategic national asset but clearly a national security issue as well as an economic issue. Coming off the heels of the economic issues we dealt with last year, when the President created this position it was clearly with the idea of taking into account the national security component but also being dual-hatted with the National Economic Council, with full recognition that clearly these things are so inextricably connected we can't do national security without considering economic impact as well. So part of the role we have is to coordinate and prioritize not only the work across the government but also in concert with our private sector partners, and we also make sure of the two governing documents that we work with currently: the CNCI, the Comprehensive National Cybersecurity Initiative, which we're now calling "CNCI Plus" because we've actually broadened some of the components of it, but also the President's Cyberspace Policy Review, which set out some ten short-term goals to look at. But when we look at the strategy we're working on, I think it's best to sort of break it into four discrete categories, and the principles that I use for that are the areas of deterrence, resilience, privacy and partnership. And when we start looking at everything that we do and where it fits in that bucket, clearly the first one that comes up is the deterrence piece of it. We need to make sure, whether our adversaries are coming at us from a cyber crime component or an economic espionage perspective, that they're paying a price for it.

In the cyber crime component, one of the things we discuss most often is how we can make it less profitable for those who are looking to attack our companies, steal identities, break into our bank accounts and steal money, whether it's local government or whether it's a business; how can we raise the bar on how much it's going to cost to do it, because currently it doesn't cost very much. So deterrence in that regard is making sure it costs them more than what it's worth to do it. The second part of that piece of it clearly relates to what we've seen as a sort of deficit over the years when it comes to identifying those doing these sorts of things and the way they're held accountable. And clearly in the most recent past we've seen one of the landmark cases. We've seen people involved in this sort of activity for the first time not only be successfully investigated and prosecuted but also serve serious sentences of 20 years. Believe it or not, that has indeed sent a chilling message across those that look at the easy ways, or at least what they believe to be the easy ways, that they can affect our economy by doing things such as the cyber criminal activity I mentioned. Twenty years is an awful lot of time to be spending for doing the things they're doing.

But beyond the deterrence piece, we have to look further than that. Because unlike other discussions we've had over our history about deterrence, we don't have the ability to do the accounting that we've had in the past. You don't get to go out and count how many computers are involved with something and say, "Now we know the strength of the adversaries we're dealing with." So when we start to look at this, how exactly can we get into a position where once again it's not in their best interest to do these things? One of the challenges that we have constantly is that we have such tremendous dependency. It's not just the military, it's not the defense professional base, it's not our private critical infrastructure partners. But across the 29.6 million businesses in the United States alone, they depend on the same piece of technology. So making sure that someone doesn't have the ability, or even the desire, to affect our systems is a real challenge, and it's a new path that we've not gone down before. But we need to figure out a way to actually deny our adversaries from doing anything to us that basically rises to the level of what they consider to be success. Apparently it's a tennis match. One side goes, then the other side goes, and we score a point and go back and forth. We've got to change that matrix to where we deny the adversary the capability.

One of the key things that relates to the second point of this is the area of resilience. One of the ways to deny is to become more resilient, and that's where we need to increase our ability to bounce back. As a nation, as a military, we're always good about recovery. We've always been the first on the scene with our ability to show up at a national disaster. And the first thing people say is, "How can we get the military planners, how can we get the military to teach the people in here doing the things they do best?" We've got to become more resilient. We have to make sure that for the IT systems we depend on, if indeed there is a failure, it's a graceful failure, so we can basically shift things, we can move assets around, we can move resources, so we have the ability to sit there and actually depend on these things. There are critical systems connected to our IT systems, so when we look at the resiliency piece we need to constantly look at the ways we build that, and in some cases it requires a new way of thinking. Because while we've got a certain segment of technology to deal with currently, that doesn't mean we're always going to have it. So while we may be challenged by trying to do security and vulnerability management in today's world, we have to look at where we want to be five years from now, and it may not be the same infrastructure. In many cases, we expect it to be different infrastructure, and we've got to start looking in that direction. I'm going to talk about some of the R&D efforts we're looking at. But when we start looking at the resiliency piece, there's another piece that I think we oftentimes overlook, and that's the piece that goes back to the old phrase about "The only fear is fear itself." When we see people that are afraid to use the technology because of what they feel may or may not happen in the future, they actually deprive us as a society from realizing the full capabilities, the rich, robust capabilities we see with technology today.

So resilience is also sort of overcoming that social resistance, to say this is good technology, but here are the rules of the road. Here's the way you can actually benefit from the technology, whether you're a business, whether you're an end user, a consumer, whether you're a defense component or part of the civilian government, including our international partners, to be able to sit there and say we have that level of resilience and trust in the system that we built.

Which goes to the next issue, and that's the issue of privacy. The President was very clear in his speech. We look to increase security; we cannot do that at the expense of civil liberties and privacy. And those are not mutually exclusive. As a matter of fact, many of us have been saying for a long time that security and privacy are two sides of the same coin. Data protection is the first perspective, because we need to do a better job dealing with data protection. We start looking at data breaches that have occurred over the past ten years alone and look at the tens of millions of records that have been exposed; by today's standards, even if one has not been affected by that directly, we don't know if ten years down the road that same information will be used, because it basically doesn't seem to die. At some point in the future somebody may actually start using it. So the privacy that we have lost just by data breaches alone is a tremendous challenge for us, so that means as we improve security, we do a better job about data protection.

But when we start looking at the individual layer, we have to break it up another level. And that's the things we do as a government, the things we do as businesses, because we're all part of an enterprise somewhere in some form or fashion. So the responsibility we have as the owners and operators of these enterprises, whether it's in the .mil, .gov or .com space, is to protect the privacy of our employees, the people that work hard every day to help us be successful in the jobs that we do today. So when we start looking at this, we have to look at areas of security and actually become privacy-enhancing. And it's not to give up the ability to do attribution, to the extent we can even do it today. That doesn't keep us from reaching out there and saying, "Yes, we want to hold somebody accountable for the things they've done either to us as individuals or against our enterprises." But we can do that while still making sure that we're protecting privacy and civil liberties. And the President is committed to making sure, as we move forward implementing the CNCI, implementing the Cyberspace Policy Review, that indeed we're doing just that.

The last thing is partnerships. As I mentioned, the long relationship AFCEA has had with the private sector and the government institutions, clearly we have to move that to another level. And one of the biggest things we start to talk about in private and public partnerships, and sort of the phrase I like to use inside the beltway, is that the definition of a good meeting in many cases with our private sector partners is everyone walks out and says, "Hey, we had a good meeting." We need to move beyond that. We need to have the substantial ability to make long-term changes in the way our IT systems are configured and secured. But that requires equal footing. That means when we bring our private sector partners to the table, it's on an equal footing. It's not we'll give you a dribble of something here and there that says, "Okay, now we've checked that box off and we've shared information." We need to do it in a manner by which the information we share with our private sector partners is not only timely, but also actionable.

And it goes both ways, because what the private sector sees most of the time may be different than what we see in the .mil or .gov domain. So bringing the resources the private sector has, the expertise they have, the network operation centers, the threats that they're seeing out there, the vulnerabilities they recognize, and bringing that to give us the better ability to protect our own space is vitally important. It's also got to be timely in action. So as a consequence, as we look at the partnership, we have to sit down and take a good hard look at that, because we've talked about public-private partnerships for more years than I can count, but I think this is a unique opportunity in the history of this country to be able to sit there and really do something well. That's a challenge I think all of us have. The trust that we need to build from the .mil to the DIBs to the .gov or the .com space, we've got to sit down at the table and say, "It's not just good enough to have a good meeting. We have to look at some ways of changing this."

So when you start looking at these overarching principles that we look at when we do the work, there are four additional goals that come out of these priorities, one of which, and I'm very, very proud and very happy to say our friends in CYBERCOM are going to be the leaders of this, is protecting the government networks. There are three basic areas where we're looking to do that. Assistant Secretary Schaffer from DHS probably talked about that, and that's looking at a way to take the government space and make it more manageable.

In the technology world we talk about how complexity is the enemy of security. That's very much the case in the way we've evolved our enterprises over the years. We need to wind up looking at what we call the TIC, Trusted Internet Connections, to create an environment where we have an idea what comes in and out of our networks. For a long time we've not had that level of visibility that's necessary for us to be able to run our systems the way we need to, as well as do it in a secure and privacy-protecting manner.

The other piece we look at is the further deployment of Einstein 2 and Einstein 3. And as I've been very public about for many years, if there's any organization in the world that I want to help secure my government networks, it's General Alexander and the folks up there and the members of the new CYBERCOM. Those are the people that have tremendous expertise and give us visibility across the government to help protect our systems. I'm talking about the normal unclassified day-to-day systems that range from the Internal Revenue Service to NOAA. For everything in between we have the capability. We know how to defend them, and we just need to make that a priority. So deploying Einstein 2 fully and deploying Einstein 3 will give us that unique capability.

But once again, going back to the private partnerships, there are tremendous technologies available currently out there in the private sector. I met with some folks yesterday that not only have done it for a long time but have done it well for a long time. So when I talk about what I refer to as the hybrid model, we use the government technology we have, the visibility and the capabilities that the Department of Defense has, to help make things more secure, but also bring in the capabilities of the private sector, and they're unique capabilities, and that's what we see in the future of Einstein 3 as we go forward.

The other part of the first goal is HSPD-12, and that's the Homeland Security Presidential Directive-12, effectively moving forward with a real live regime of two-factor authentication. Not only will you actually have the equivalent of the CAC card, but you get to use it. You get to use it no matter where you go across the government or .mil space. This is a priority. One of the most significant issues we deal with in the security of our government systems is the fact that we still rely on user ID and password in many cases. And HSPD-12 was very specific about moving forward with that, and we'd like to enhance that and bring that even further.

The last thing, as far as protecting government networks, is the issue of FISMA [Federal Information Security Management Act]. And in many cases, when you use the term FISMA, people start shying away and say, "We're not sure we want to deal with this." I think many of us have recognized for years that FISMA was an environment where you could be FISMA compliant but still not be secure. And with Vivek Kundra at OMB, Peter Orszag and the team at DHS working together, we're looking to turn that around. As a matter of fact, the plan now is that by being secure, you become compliant. And we'll work with the leadership up on the Hill to make sure that we have a FISMA regime out there that actually pushes us toward better security, and less on generating reports that effectively become shelved the day after they're released.

The other goal we have is protecting the national networks, and one of the initiatives we have currently is the National Strategy for Secure Online Transactions. We look beyond our environment in the .mil and .gov space. We look out into the .com space. We start looking at the end users, consumers, the 29.6 million businesses out there, for whom we need to truly build a stronger identity ecosystem and to encourage the adoption of secure, more privacy-enhancing and interoperable identity solutions. We should not have to carry a necklace of different types of identity with us to be able to do the things we need to do, whether it's the end user, consumer or enterprise user-type environment. It's going to be out there, because if you start to think of some of the ways we look at the type of technology we use to authenticate ourselves, one size does not fit all.

So as a consequence, the President has directed us to create a national strategy, and we are in the final phases of the second draft, and probably before the end of this summer that strategy will be released. But once again, we are doing this in concert with our private sector partners on an equal footing, getting input from them, getting input from a lot of the organizations out there that see this as not only a way to better secure the government systems but also a business enabler, because there's got to be that economic component to it as well that we look at.

I mentioned the information sharing regime. Cheryl Roby, Deputy Secretary Lynn, Bob Butler and the whole litany of leadership in the Department of Defense have been working hard to make sure there is an information sharing regime through the DIB, a project they put a lot of time and effort into. And while many describe it as a work in progress, we're making good progress on that to do exactly as I described a few moments ago: come up with timely, actionable information. With respect to the source of that information, wherever it comes from, you're actually able to do something to make your environment more secure. The days of giving someone a briefing that says, "This is really vital information," and I can go back and tell my network operations people to look for this IP address, look for this particular hash, look for this signature, and they say, "No, you can't do that." That's not a partnership, and the DIB has been leading that area in making that happen, and we see it expanding and doing more in the future.

The other thing we're working on with our partners both in DHS and DoD is the National Cyber Response Plan. There should never be a question in anybody's mind anywhere, particularly in the private sector: who do I call if we start seeing the beginning of a national cyber incident?

You heard from a CEO earlier today; the expectation is indeed that we have another event like we've seen a number of years back. There's no question about how we engage the resources of the government, bringing them to bear on the issue affecting the private sector, which, in turn, affects all of us. So working on the National Cyber Response Plan is a key initiative we're working on, and once again, we'll see the results of that very soon. And that's tied to the DHS overall National Response Framework that they're working on, as we basically bring the key resources of both groups together.

And then, the other piece of protecting national networks is looking at security as an innovation enabler, and oftentimes we don't think about that. Security can really give us the capability of doing what we've never seen before. We look at things such as the smart grid, the President's Health IT and Electronic Health Records Initiative, and look at the broadband deployment. Look at the recent broadband plan that was released by the FCC. There's specific language in there. Not only are we going to do a great broadband deployment, we're going to do it with security in mind.

When I met with our friends at the Department of Energy looking at the smart grid: if you are going to deploy it, here's the path forward, and make sure we do it securely. The issue would be in an environment where we're deploying new technologies and then later on decide we'll secure them once we have them deployed. It's got to be built in from the very beginning. And looking at this innovative way of doing things, where we have effectively, and what we would hope to achieve someday, self-healing, self-preparing and self-configuring environments. I'll speak to that a little bit more.

And the next goal is sort of building the future. And I think there's no organization, no group of folks anywhere in the world that has done a better job of building for the future through education and workforce development. I remember the early days when I was at OSI [Office of Special Investigations]. We would have a communicator come in and do a tour with us as an agent, but in order to make it through the chain of command to be where General Alexander is today, they would have to leave the cyber realm to go back and get what is oftentimes referred to as a real job. We don't see that anymore.

The Department of Defense moved forward with career paths to give us the ability to be more security conscious, to build a career around cyber and the cyber warriors we see today, whether it's the first level of schooling they go through or the advanced war college environment. And clearly that's the leadership role, I think, that resonates well across the rest of the government.

So as we start looking at some of the initiatives that play into this, one is clearly the issue of public awareness for the nongovernment side of the folks, looking at the formal education piece as we see with the combination of NSA, DHS and the National Science Foundation program with the Centers of Academic Excellence, training the next generation of Information Assurance and Information Security professionals, helping with the government funding.

I think two weeks from now we're going to have the next rollout, the next group of universities including, now for the first time, community colleges that are participating in the Centers of Academic Excellence Program. But we also look at the federal workforce structure. Are we indeed hiring people with the right skill sets? Do we have in the civilian workforce a career path; once we get somebody trained and qualified, do they have a career path? We bring them in as great technologists, and we also give them the capabilities to be good managers, executives and great leaders. And we also look at our private sector partners: what are the needs we have in the hiring workforce outside of the government and the .mil space? How can we bring that together? We have a core task force working as part of the President's initiative. And the other piece of that is the research and development, as I mentioned a couple of times. There are sort of different environments we look at. One, and first and foremost, is looking at our current environment and how to actually create an environment where we're doing the moving target defense, where an exploit in our IT system is effective once and once only, where we have the ability to move it off, where we have the ability to configure and move things so they are effective once, if at all.

There's a tremendous program going through the science and technology policy at the White House, working with a lot of the R&D organizations across government, including the most recent website that's been set up by IUD looking for input on how we can do this and actually providing grants to move this forward.

The other piece, once again looking at our current environment, is how we can create, using what we've got now and moving into the future, what we refer to as tailored trusted spaces, where basically the price of admission is strong authentication getting on board. We're using the tools of encryption and the latest technology, IPv6, IPsec, DNSSEC, all the sorts of technologies that we are now beginning to slowly implement, and looking at how we wind up creating an environment where we can trust this environment.

That's not suggesting there aren't other pieces where we're going to push the bubble, but we have to have an environment where we have better trust in some of these environments. So we're looking at the tailored trusted spaces where we know we can do transactions, whatever they may be, in a more structured environment.

And the third piece is the market forces. Now, while I don't agree with some of the people that say we need to do more regulation, we need to push more on the private sector, those market forces are not working; I don't agree with that. The industry has moved mountains to get to where we are today. Sure, we have a long way to go, and I'm not suggesting for a moment our work is done, but when you start looking at what industry is bringing to the table, the entrepreneurship, the innovations that are taking place, not only solving tactical problems but also moving forward in a generation of doing better security in the future. But for those that need an incentive, that is one of the things we're looking at. What indeed are some of the incentives? What are some of the things we can look at? For example, one of the groups we're working with is the insurance industry. How can we provide an incentive to where companies say, "Yeah, if I do security better, I'll get a better break on my insurance"? That's truly an area that's been unexplored. We've been talking about it for a long time. Now we're trying to move forward with that.

And the fourth goal, and I think one of the ones that is most important, is we need to strengthen our law enforcement, our military, intelligence and diplomatic efforts. When we start looking at cyber crime, the ability for a law enforcement officer anywhere in the world to have visibility into what's going on in other parts of the world is very limited today. And oftentimes what we see, whether it's defense criminal investigation organizations such as CID, OSI, NCIS, when we start looking at that group, is that they have limited visibility into what's going on in civil law enforcement. We've got to strengthen that relationship, because there should never be an instance where somebody sits down at a table in any environment, let alone something like this, and says, "Oh, I didn't know that was going on," when we have the ability to see firsthand what's going on and be able to change and shift the balance of some of the activities going on out there. But we have to look across the intelligence mechanism.

As General Chilton and I were talking earlier, as we start looking at it, oftentimes we use the term cybersecurity, which sort of brings everything to bear in one. But we start breaking it down and looking at specific areas. These are all solvable problems, and clearly the role of intelligence in all spectrums comes into play in this, because without that information, without the ability we have, we're not going to make the changes we need on a long-term basis. We have to work with our international partners, not only those we used to work with on a day-to-day basis but also those that oftentimes we're in competition with in other environments, because as a global environment we all depend on this. We all thrive on it. Or we will all end up having losses as a result of it.

So in closing, I want to once again salute General Chilton, the troops here, General Alexander, the new members of CYBERCOM. I've seen some of the badges now. That is just wonderful architecture. Whoever designed that really did a great job with it. But I think as CYBERCOM moves forward, we have to understand that this is a new command. We have to provide the support, supplemental leadership and the expertise we have in there, not only from the White House perspective but from our private sector partners as well. As you know, General Chilton has exhibited strong leadership in cybersecurity over the years and a strategic vision of why this is important as a nation.

And another person we get to work with on a regular basis is General Cartwright. When I sit in meetings with him and listen to his understanding of cyberspace and what it means to defense, it is really heartwarming to see the focus that he has and the understanding he has of this space.

So as I close, I look forward to continuing great work with those, and to our ability to support the mission you have, which is rightly important not only to the Department of Defense but to our nation as a whole and our international partners. As we bring all this to bear, I start looking for what we're going to be able to do as we come back and say, "Here's what we've done in the past year to actually meet the President's vision of better cybersecurity," but also look at what we are going to do in the future, what the changes are that we can make, and what each of us can do to help secure our part of cyberspace.

Ladies and gentlemen, thank you very much once again.

COL. GILBERT:

We certainly had a busy two days here at the Qwest. Before I go into closing remarks, I just want to quickly thank General Dubia, Mr. Steve Stripolli, the STRATCOM volunteers, Liz Brown and the protocol staff, and the Qwest Center staff. It's a world-class facility, and there's a world-class staff to run it. That's exactly what they have. And finally, some GISC members who really were the folks that made this happen: Ms. Liz Durham-Ruiz, Mr. Ron Moranville, Major Chris Fowler. Just outstanding, outstanding.