2010 Cyberspace Symposium: Keynote - USSTRATCOM Perspective

By General Kevin P. Chilton | Omaha, Neb. | May 26, 2010


Thank you for the kind introduction. Thank you so much. Wow, this is awesome. What a great turnout.

You know, I think every one of these symposiums each has its own character. When I came to the Space Symposium, people were all over the place like they were in low earth orbit. I come in this morning, and everybody is at their table all ready to go. I take that as a sense of enthusiasm and focus that I really appreciate. But I really appreciate the tremendous turnout at our second ever STRATCOM Cyberspace Symposium. Thank you all for coming here.

Governor Heineman coming up from Lincoln, I just know what your schedule must be like and all your responsibilities in the state. Thank you for taking the time to come up here and be a part of this. It's so important to us. Your support for United States Strategic Command and for the men and women in uniform in the state of Nebraska and your heartfelt words for all are greatly appreciated by me and all of us who gladly serve in the defense of the United States of America. Thank you, Governor, for being here with us today.

General Dubia, Becky Nolan, AFCEA, what a team, what a partner to have in this conference.

Our focus was to have the United States Strategic Command Cyberspace Symposium conference and do it first-class, and you enable us to do it in a first-class fashion.

The reception last night at the Durham was just unbelievable. Thank you for being such good partners with United States Strategic Command and helping us bring this group together in a forum to discuss critically important things for the United States of America. All our flag officers that are joining us here, our SES leadership, military members, we've got representatives from every combatant command, from every service certainly. Our international partners are absolutely essential to the dialogue and our members of the interagency that are here today too, particularly at OSD Headquarters, thank you so much for coming.

You are all part of the solution set, and we understand at United States Strategic Command, we do not have a corner on all the answers. So what we're all about here today is examining and exploring issues, learning from each other so we can move the ball forward. Our industry partners, you deliver the goods that we need to make ourselves successful in this arena, so thank you also for being here with us today. And we look forward to interacting closely with you during the breaks and one another. Colonel Tom Gilbert, members of the GISC, my staff that has worked so hard from protocol, to every element of the staff, the J5, et cetera, the chief and CD, thank you so much for all the efforts you have put in to get us to this point today.

Ms. Liz Durham-Ruiz who was really a big part of working this is at the Air Force Academy today watching her son graduate. So after doing all this hard work, she didn't get to witness the success but we send our best wishes to her and congratulations to them as well. Those of you who know me know I'm a big baseball fan, specifically a Dodger baseball fan, but I'll quote one of my very favorite baseball philosophers of all time, Yogi Berra this morning as I begin. He once said, "I'd give me right arm to be ambidextrous." Whenever Yogi speaks, you have to pause and try to absorb what he meant by that.

But you know if we're going to be successful in meeting the challenges that we have in cyberspace, we're going to have to be ambidextrous. It's going to take all the arms, all the legs, all the capability of the people in this room, all the organizations that are behind you pulling together to help us be successful because this is a challenging battle space and challenging domain, and we want to summon all the talent that we can to address this.

So why are we here? Why do we bother to have these symposiums? We'll have these symposiums at least once a year at Strategic Command to bring focus to the problem set, to make sure to check ourselves. Have we made progress from last year? What are the new challenges that we need to take on and what are the activities and actions we need to take in the coming year to move the ball further forward down the field as we address the issues that face us today?

We need this performed not only for ourselves at STRATCOM, but I think the entire community needs it. And bringing our international partners into these forums is vitally important because this, in particular, cyberspace, is certainly a global domain with global solution sets as opportunities are in front of us. It's about bringing the team together, about reflection, but it's also about looking forward.

It's also about education. It's also about bringing together the young folks both in uniform and in our civil service corps who are just coming into the service who are going to be the leaders of tomorrow in United States Strategic Command and all our services and all our combatant commands who are going to have to speak and understand this mission area. We're going to rely on them to lead us into the future. It's a mission area we have a lot to learn about in discovering. But we can also learn a lot from others.

You know, I think it's kind of funny whenever you get together with a group and you start talking about something as difficult as cyberspace, you'll find someone that says, I've been working cyberspace since 2000. Someone else says I've been working it since 1991. The other day I was talking to somebody that told me they'd been working cyberspace their entire life. It was my 14-year-old daughter.

We can learn from the youth. We can learn from the youth in this area. They have grown up with this. Our junior young officers coming in, our young civil servants that we're bringing on board, they are perhaps more tech savvy than I'll ever hope to be before I reach the end of my career.

It's a unique area, space. There's a lot of lessons learned, a lot of things we can bring from our historic past. In deterrence, we found we skipped a generation of knowledge, and we're struggling to educate these folks. But in this domain, the people in the back of the room are just as knowledgeable as the people in the front of the room in many, many areas, and we need all your help as we move forward. I can't believe it's been over a year since our first Cyberspace Symposium, February of last year when we first gathered. And a lot has happened over this time period.

Last year, my main talking points were about the changes we needed to make in culture, conduct and capability. And remember in February of last year we were still sweeping up the broken glass after an event called Buckshot Yankee. A seminal event in cyberspace, I call it the Minot incident, if you will, in cyberspace. It got our attention. It really helped us focus on culture, conduct and capability, and we benefited from that focus.

And so this morning I'd like to take a look back and see how much progress we have made and celebrate that progress, but I also want to look forward. And again, to quote Yogi Berra, "You have to be careful if you don't know where you're going because you might not get there."

So where do we want to go? Where do we want to go in the next year and the years in front of us with regard to culture, conduct and capability?

Culture. Last year, I bemoaned the fact that we were looking at the cyberspace domain in the military more as a convenience than as a mission essential part of our military. We had not really crossed the threshold to understand that when we get on the networks, these are vital networks that we're on and that we need to treat them as vital networks and understand the vulnerabilities that we can open up if we don't behave properly. I don't believe we clearly focused on understanding that if these networks were not available to us that land, sea, air and space operations would slow to a crawl, to the detriment of our joint and combined forces.

I think we've made progress in this area. It has almost become trite to hear someone stand up and say cyberspace is essential to military operations. People get it. We don't need to stop talking about it though because people can forget. I think we've made significant progress in the cultural approach to the domain itself.

Another area that I think and in fact, I know we were not doing a year ago is cyberspace was not commanders' business. Cyberspace was the sys-admin guy's business or someone in your outer office when there's a problem with machines business. It wasn't commander's business.

Well, ladies and gentlemen, I can tell you in a year, that has changed, it's changed dramatically. And you see it right from the very top down in our services. The Chief of Staff of the Air Force and the Army, the Commandant of the Marine Corps, and the Chief of Naval operations, you see their focus on this mission area in a laser beam fashion like you have not seen in the past, and it's reflected in this past year in organizational changes, in the stand up of new commands with commanders put in place who are responsible for cyberspace operations. They're responsible for organizing, training and equipping forces to supply the U.S. Strategic Command for this mission space.

24th Air Force, 10th fleet, a brand-new organization, the Army and Marines have designated services ARFORCYBER and MARFORCYBER. And in the Navy, as in the other services, they've looked at how they're going to manage the people in the profession of cyberspace, the Information Dominance core they call them, so they're going to track it in their personnel system. There will be a career path for these individuals. They will have a future and a plan, and they're going to report to organizations, through commanders and support the missions.

Today we've seen the results of this command level focus, senior level focus, and it's palpable not only in organizational changes but in resource investments. And I think perhaps the most significant and biggest change organizationally that we've seen in the past year, which was just a little over a year and a half ago directed by the Secretary of Defense, was the stand up of the brand-new U.S. Cyber Command.

I was very proud and fortunate to participate in the establishment of this new command last Friday back in Fort Meade and be part of the team that took the flag from this brand-new organization from the Secretary of Defense and handed it to a brand new commander, the Army's newest Four-Star, General Keith Alexander. That is commitment to the mission.

And with that commitment and with that leadership and focus comes resources, comes unity of command, comes unity of effort. That's a change and it happened in one year, and I think that is absolutely significant, and it will impact our culture.

Another piece of feedback and I hear this from General Pollett. General Pollett I want to commend him for his leadership in this area and particularly his leadership in turning the way we do inspections from one of just compliance and staff assistance visits to one of readiness and holding commanders accountable for the readiness of their networks, being welcomed in by their commanders to come in and look at my networks at senior levels, come in and tell me what's wrong and outbrief me personally.

That level of command, folks, has changed in the past year, and it's changed because of the leadership of General Pollett and his focus and his team, both at GNO, but also the power that DISA brings to bear in support of the broader networks have been absolutely significant.

Culture, however, we must remind ourselves, does not change overnight. We can backslide very quickly. It will take a generation of focus in this area at least to ensure that this cultural change we've seen in the past year becomes embedded into our very core, until it becomes something you don't even think about anymore.

And as we think about culture and imprinting this culture on folks, we need to think about the new generation that's coming into our Armed Forces. When I look at my children today, how they communicate, you know, I have four young daughters. I remember back in those days when they were growing up and I was thinking I can't wait until they become teenagers because then when I'm sitting there on a Sunday watching a football game or a baseball game on TV and the phone rings, I don't have to get out of my chair.

Because I remember what it was like when I was a teenager. We raced each other to the phone to answer. It was one of our buddies. Well, that day finally arrived. I have teenage daughters. I'm watching the ball game, the phone rings and rings and rings. Finally I said, "Is anybody going to get that?" And they said, "It's not for us, Dad. Our friends text us. It's obviously for you." So I'm still answering the darn phone at the house, and I'm looking for the upside to these teenage years.

It's a completely different way of thinking and it's a little foreign to us, for me anyway. They're coming in with a new way of communicating, a new way of sharing information. If you think of the stuff they put on Facebook and go, "why did you put that out there?" "Well, why not, Dad?"

That culture coming into a military environment where we value certain things like operational security (OPSEC), we're going to have to help them understand that sharing of information is important to the way we do business certainly when we share amongst each other militarily and with coalitions. But operational security means you're a little careful about how you share it and what you post on Facebook and what you post in general.

So this cultural change is going to continue. It's not a stagnant event. We need to keep paying attention to it.

Conduct. How we actually operate in this domain. I complained last year about the lack of standardization in reporting, and we got into Buckshot Yankee and I asked simple questions like how many computers do we have on the network in various flavor, what's their configuration, and I couldn't get an answer in over a month. And part of the issue was everybody was doing it their way on how they were doing their business and reporting. Today we have things like the Joint CERT Database (JCD), Vulnerability Management System and other systems.

Again, we're starting to see some unification in effort and reporting driven by leadership from JTF-GNO, now handed to, in part, U.S. Cyber Command that needs to continue, ladies and gentlemen. Standardized formats for reporting are just fundamental to the way we do military operations. We've seen dramatic strengthening and funding for schoolhouses and training.

Last year I talked about the fact that once a year I got a pop-up e-mail on my screen to do my training, and that's how I got trained in cyberspace, once a year when the adversary was changing TTPs [training, tactics and procedures] every day. Today we're seeing investment in the services both for accessions, continuing education and in joint schools. Particularly down in Pensacola the Secretary of Defense has added funding toward growing those capabilities and this focus on training is absolutely essential and it needs to continue.

We need to make this domain and understanding of this domain, its capabilities, threats and vulnerabilities, something that everybody understands as second nature.

The services have also stepped up in this particular area as I've mentioned both in their professional schoolhouses, whether it be Armed Forces, staff college, air war college, naval post graduate school, et cetera.

Accident investigations when an airplane crashes, when a boat runs aground, when a ship runs aground, something bad happens in another domain, we conduct an accident investigation, get to the root cause and figure out why it happened and how we can prevent it from happening in the future, what are the lessons learned.

We're starting to see this in cyberspace. We need to see more of it. Part of it is education, investigation, lessons learned and closing with accountability. That is very important in this particular area.

Expect what you inspect is an old saying. And the inspections have gone to a new level as I've already mentioned thanks to General Pollett and his focus in this area. We are changing in compliance to "Are you ready, are you ready to fight tomorrow, are you ready to be attacked tomorrow?" That's a completely different mindset from "Did you install this particular patch when we told you to?" Now, that's important, but that change in the conduct and the change in the focus of leadership for inspections has been absolutely dramatic, but we need to continue that focus and sustain that.

When General Pollett told me this just the other day, he said, "A year ago if we can't send a team out to do an IAVA compliance inspection, typically what you would find from the organization being out briefed was maybe the Deputy J6 showing up for the out brief. Today the commander shows up, and the commander is briefed by either General Pollett or his deputy on the results of their inspection and their readiness status. That's a change in conduct. That's absolutely significant to moving forward.

Capabilities. Capabilities are about technology, tools, but they're also about people. We've seen some good work done in fielding, partially fielding, a really critical tool called HBSS, host-based security system. A year ago the plan was to have it fielded by 2015. Today, it's being fielded right now.

Although it's not complete, the amount of effort and work and the acceleration in fielding this tool which will give us some of the insights and automation that we need to do a better, more efficient job, and a more effective job at understanding the health and statuses of our networks and adjusting them for defenses as adversaries adjust their TTPs, and understanding who's on our networks specifically, and what is happening there. Getting this system in place is absolutely essential, and we're making great progress.

We're implementing intrusion detections and prevention systems, network management technology to improve detection. And with this, with these technologies, we're working on moving the ball forward to achieving the goal of eliminating threats against our network at network speeds, not at the speed of "Something happened, let's study it, understand it, and a month later figure out what happened and what we need to do to fix it."

Bringing those technologies to bear are absolutely essential, and we've made good progress, but there's more work to be done. More work to be done by the services in this area to complete the fielding, and we're looking forward to teaming with you to get it completed.

The BRAC transition of DISA and JTF-GNO from Arlington Ridge to Fort Meade is something we were worried about last year, worried about retention of talent, worried about the transition of the move over, worried about hiring talent to successfully complete that move. Again, under the leadership of General Pollett and working closely with General Alexander, that move is in progress and we're getting new talent into the command, the hiring is going on, and a lot of the hurdles we were worried about a year ago are being overcome.

This is a capability that is really fundamentally essential, and that's the human capital that we need to run and execute the mission in cyberspace. So I want to extend my personal congratulations to the folks who have worked this so hard at the component level but also at the STRATCOM level, the J1 shop has bent over backwards to make this successful, and I think we're seeing some good focus there.

But I'm not satisfied. I'm not satisfied with the capabilities that we have today. I'm not satisfied with the capabilities that we have in training. I think we need more in this domain.

And you're not going to be surprised in what the first thing I'm going to ask for because I've asked for it in our other important domain of space. It's something that's fundamental to military operations, a common operating picture of what is going on in the battle space. That is what General Alexander needs to know as the commander of USCYBERCOM.

It's a question that not only does he need the answer, but it's something that every commander needs to understand, a shared common operating picture. I don't just mean a common operating picture for U.S. Strategic Command. I mean a common operating picture shared with services and with the other combatant commanders, other levels of command so they can understand what's going on in their particular area of the world, but a broad understanding as well of the global domain of cyberspace that U.S. Strategic Command and U.S. Cyber Command have been chartered to operate and defend for the Department of Defense. We can't just be thinking about software attacks if you will in this domain. We have to understand the physical vulnerability in this domain. So the common operating picture has got to show to commanders the physical linkages, the physical locations.

I don't like the description of the internet as being a cloud; I never have. It's wires and boxes. It's physical. There are a lot of them. But there are not so many of them that it's a cloud. They're finite in number and understanding the health and status of the fiber optics, copper, the satellite linkages, ground stations, teleports, et cetera, are really an important essential element in a common operating picture, and understanding that a commander would need to conduct operations.

You can't just give us a snapshot of what's going on in crisis. It's got to provide us a picture of steady state operations. How are things going every minute of every day? What's our status in peacetime? What's our status as people start messing with our networks? How is it starting to change, and how can we anticipate change should we approach conflict?

Finally, this common operating picture has to have an element of it that assists us in the mission of attribution. It will be one of the first questions asked by every commander. Who is doing this to the network? I guarantee it will be one of the first questions asked by our senior civilian leadership all the way up to the president. So with this technology we need to help get us there. People need to understand that the attribution problem is a tough problem. But it is not impossible. We make progress in this area all the time and will continue to make progress in it, but we also need to continue to focus on the tool sets that will make it easier for us in the future.

Now I want to talk about another need, and I'll tell you my feeling on this particular area is that we got it wrong in the space business, and I don't want to get it wrong in the cyber business, and that has to do with training.

Today our space operators get to train on equipment that they use to fly satellites. That does not make sense. They can't go off and train against a red force. We can't go and attack and give them problems with their equipment or with their connections because if we do, we're going to have problems with the real satellites. We have not given them a training environment, and now we're having to back our way into that to give them the tool sets they need.

I don't want to be ten years from now backing my way into training environments modeling and simulation environments, ranges, if you will, for our cyber operators. Now is the time to get it right as we stand up this Cyber Command, as we see these new commands come together in the Army, Navy, Air Force, and the Marines. Now is the time to build a red flag for cyberspace. They tell me, "Look, we've got lots of ranges." I know we do.

Before a red flag there were lots of air ranges in the United States of America. But we didn't have the focus of an OPFOR, a red force that trained and studied potential adversaries' tactics, techniques and procedures. Who is that prepared to host an element from the Air Force or the Navy or an allied partner on that range and give them a scenario that challenged their ability to operate, both at a tactical level, and after many years, at the operational level of war. Red flag was stood up so that we could increase the survivability rate in the first 10 sorties for our lieutenants and captains as they went into combat because it was dismal. That's where most people died in the first 10 sorties. That was the highest percentage of attrition. So how could we bring that realistic environment to the United States, train them in advance, get those 10 sorties under their belt so when they show up in combat they can be more combat effective and reduce our losses?

How can we do that in cyberspace today without putting our operational assets at risk? I'm not going to do an OPFOR against a network we're depending on today for current operations. We need a network that's separate from that but is configured like current networks with current equipment with adversaries that are trained, that have expected or known adversary capabilities, a trained OPFOR, the aggressors. We need that platform to train in. We need training objectives established to come in and a building block set of lessons that teaches our cyber warriors at all levels, a tactical and operational level war, how to react to the problems that we know, as men and women in the military, that we will face in any conflict in the future.

We need those tools, and there's no better time than right now to get moving out in that particular direction. And it's not just about the operators on the network. We can use this type of approach to train our intelligence officers, our engineers that support the networks, our NOSCs, our planners. Every level of military operation will benefit from this if we get it right. TTPs will be developed. Holes in our capabilities which will lead to new requirements and new investments to strengthen our ability to operate and defend this domain. It will make us a more ready and capable cyber force to support the regional combatant commanders in any fight they may get in the future.

Culture, conduct and capability. Ladies and gentlemen, we have made great progress in the last year. In fact, progress that I don't think was anticipated a year ago. Progress that has been achieved by focused leadership by all of you in this room, telling a story and being a part of a solution and pushing it forward. But there's more that we need to do, even beyond culture, conduct and capability.

Let me throw a few challenges on the table. We hear debates all the time about are we under attack or not today? What is a cyber attack? Let's get on defining what an attack is. We don't have a problem defining that in air, land, sea or space domain. Let's get on with it. I think I can do that fairly quickly, but I want to be sure I get it right.

What is an attack? That's so important to a military organization to understand not only when you're under attack, but more importantly, when do you see a pending attack developing? What are the indications and warnings that would tell you to either strengthen your defenses or perhaps act preemptively as military organizations have done throughout history when required and when adequately informed?

We need to examine our rules of engagement, our standing rules of engagement, our rules of engagement that guide us in peacetime. Do we have those right? Do we have those set right so the people we turn to at U.S. Cyber Command and say "We demand you to operate and defend our networks do," they have the rules of engagement to do that today? And if not, what do they need and let's get it for them? Let's get the debates over and move forward and set the conditions for the inevitable attack that we know will come. We need to normalize this domain, normalize this domain, normalize this domain.

Air, land, sea, space, cyberspace. These are domains. We operate in it. We will operate through it. We depend on it as we do on every other domain. We need situational awareness in this domain. We need the ability to command and control this domain. We need the ability to assess the health and status of this domain just like every other domain.

And just like every other contingency, any other crisis, we in the Department of Defense, STRATCOM, and U.S. Cyber Command also, must be prepared for the inevitable day when the phone will ring from another agency in the United States of America that says we need your help.

And there's a hurricane down in New Orleans. It doesn't take very long before FEMA picks up the phone to the Department of Defense and says, "What can you do to help us out?" The oil spill in the Gulf, it didn't take very long before the phone rang and the Department of Defense asks, "What can you bring to the problem set to help out?" If critical infrastructure in the United States of America becomes challenged, it won't be long before the Department of Homeland Security, whose job it is to protect and defend that, will pick up the phone and ask the Department of Defense for help. We need to anticipate that phone call and be ready for that phone call.

We need to never, ever look at cyberspace as a stand-alone mission set for the sake of cyberspace. It's all about an integrated mission set, integrated with space, land, air and sea operations. If we lose sight of that, then we'll lose sight of the true power of bringing cyberspace effects to bear and in making sure that those other domains can operate successfully in conflict. It's one of our big challenges at STRATCOM. We're about global security for America.

We're about delivering that every day withg global capabilities and global domains of space and cyberspace and a global mission set of deterrents and global strike. Our challenge is to figure out ever better ways to bring integrated space, cyber, global strike effects to bear to support regional combatant commanders, air, land and sea operations. That is our challenge so that all domains can be integrated together for the successful operations in any region or any place on the planet.

Ladies and gentlemen, in the cyber arena, back to a baseball analogy if you'll permit me, spring training is over. It's the show. The ball game and the season has started. We're in the pennant race right now, and you know it's not that long until October. The October classic. The problems will arise faster in this domain than we will anticipate today. It is not a time for stretching and easing into the race. It's time to start sprinting. It's time for moving out and getting things done quickly. Time is not on our side in this domain.

Here's another way to think about it. In a few decades from now, ten, twenty years, can you imagine that we'll be talking about a society, a major threat that we talk about today of weapons of mass destruction being unleashed upon our society as much as we might be talking about catastrophic effect of some bad behavior in cyberspace? I think we'll see a transition, and I think the potential mass effects that we could have in our society as a result of a successful cyber attack on our nation will become a focus in the future and a vulnerability that is realized if we don't do the work that needs to be done today, quickly.

Addressing such a challenge then will be far too late. We need to pursue the right culture, conduct and capabilities in cyberspace today that we will need to ensure that security of America in the future. If we have that in place, it will work right into another key STRATCOM mission and that's deterrence, in showing that strength, showing that capability. That in and of itself gives us hope that we can deter any bad behavior on our networks or any adversary's intent to come after us.

But our mindset always must be if deterrence fails we must be prepared to operate in a domain that will be challenged, that will be attacked. And we're going to have to ensure that we can continue to deliver the cyberspace capabilities, the flow of information, the availability of accurate and timely information to commanders around the world if we are to be successful in any particular regional combatant command.

Those are challenges in front of us, ladies and gentlemen, and I'm sure, by the end of the symposium, we'll have them all lined up and knocked off or at least know how the way ahead on how to address them to ensure the security of this domain and to ensure its effectiveness in continued operations in time of conflict, should that occur in the future.

I need your participation in this conference. Think of tough questions. Pose them to our panelists. Weed out the thoughts and the opinions and positions that are on the table today so we can go home and study them and come back with the best solutions that we need. Be a participant. If you don't get an opportunity to ask your question in the room, be a participant in the breaks. Do your networking out there. Get to know one another. Find different folks who want to challenge and question, whether they're senior leaders or operators in this particular area and have those very valid discussions in the breaks we have today. That's going to be important to the success of this conference.

And then I challenge you to go back home with fire in your belly and commitment to continue to strengthen our culture, conduct and capabilities for the betterment of the United States of America. Ladies and gentlemen, thanks again for coming to the second annual symposium. I look forward to an exciting two days.

God bless you all.