2010 Cyberspace Symposium: Keynote - The Industry Perspective

By Col. Tom Gilbert, USAF, Mr. Daniel R. Hesse | Omaha, Neb. | May 27, 2010


Welcome back to the final day of the United States Strategic Command's Cyberspace Symposium. We had a great day yesterday and we have another fantastic day planned before adjourning at 2 o'clock, but it's going to be a fast, fast paced accelerated time. We have great speakers and panel. It's going to be a fantastic day, so let's get started.

We are very fortunate to have with us this morning Mr. Dan Hesse, CEO of Sprint Nextel Corporation. He'll be speaking to us about cyberspace from the industry perspective. Mr. Hesse has an impressive educational background including degrees from Cornell, MIT and Notre Dame. He's been recognized as person of the year, executive of the year, and the most influential person in mobile technology. He has over 30 years of experience in the business leading some of the largest and most successful companies in the nation. It is my sincere pleasure to welcome to the stage Mr. Dan Hesse.


Well, good morning. Thank you, Colonel Gilbert, for that fine introduction, kind introduction and thanks to the Armed Forces Communications Electronics Association and USSTRATCOM for inviting me to be here. I really feel at home with a military audience. I'm actually seeing and visiting my dad on Tuesday of this week, and he just got back from his 65th reunion at West Point. And you know I grew up as the prototypical military brat. I actually spent one civilian year here in Omaha when I was in the sixth grade which is my mom's hometown and her parents were here while my dad served in Vietnam and also I am named after my mother's brother who died in the Second World War just after graduating and being commissioned from the U.S. Naval Academy in Annapolis. So I really appreciate what everybody here does and the sacrifices that our men and women in the military make.

I'm here today to talk about the ways that the wireless industry can help you do some of your most critical work, and that is protecting commander's freedom of action in cyberspace. AFCEA and USSTRATCOM have done a great job of bringing together so many distinguished representatives from the industry, from our uniformed and civilian national security agencies. I suspect if we tried to organize this about 10 years ago, it would be a much smaller group. Back then, threats to cybersecurity were mainly bored teenagers and loose, disorganized bands of hackers. Cybersecurity was mainly a concern of corporations trying to protect consumers from scams, and cyber attacks were directed mainly at wired networks. Wireless really wasn't the major target yet.

Today cyber attacks have been a serious national security and economic threat. You heard General Chilton describe the threat in his keynote yesterday, and President Obama himself has said that the cybersecurity threat, quote, "Is one of the most serious economic and national security challenges we face as a nation."
Highly skilled and organized professionals now launch very targeted assaults on corporate assets, information and networks. Last year, cyber criminals worldwide stole intellectual property from businesses worth up to $1 trillion. Malicious code is more rampant than ever. In 2009, more than 240 million distinct new malicious programs were identified, a 100 percent increase over 2008. Massively disruptive attacks like Conficker, the 2009 computer worm that targeted the Microsoft Windows operating systems, and Hydraq, this year's trojan that impacted Microsoft Internet Explorer, was used as an entry point for a coordinated set of cyber attacks on dozens of large enterprises, and these of course made national headlines.

And perhaps most importantly, while the cyber threats are growing more dangerous, cyberspace itself is changing. The flow of information is becoming more and more dependent upon mobile devices. In fact, wireless information is becoming the life blood of our economy and, more importantly, to national security for several reasons.

First, wireless has been evolving from voice to data. As a matter of fact, last year was the very first year that there was more data traffic on wireless networks than voice travel. Wireless is the most rapidly adopted technology in the history of the world. The first commercial cell phone call was made less than 30 years ago. There are now more mobile phones in use worldwide than automobiles, televisions and PCs combined. Yes, more than cars, TVs and PCs combined. Again, that's less than 30 years. Today's mobile phones are smart devices that can be as powerful as your desktop.

I have a little ad here. The HTC EVO™ 4G, which I carry here, this has, for example, a one gigahertz processor. That's 500 times faster than the Apollo flight guidance system on a small device like this. The phone you're using today offers just a hint of what mobile devices will be able to do tomorrow. This one, for example, has a front-facing camera, and by the way, cameras are also a security issue, front-facing camera, an eight megapixel digital camera, a high definition quality camcorder. And it also has a built-in wireless router in it so you can connect up to eight other devices wirelessly to this and be connected to the Internet.

So for example, you could be in your car with this device making a phone call downloading a movie to your device which might be hooked. This has a high definition HDMI output to a screen in the backseat, another kid could be on a gaming device connected to the Internet at the same time. Your wife could be on the PC. Another kid could be on the network all moving down the road on one wireless connection from this single device.

One research firm predicts that there will be two and a half billion connected data-centric mobile devices in use worldwide by 2014, and only half of these will be mobile phones. Wireless chips are going to be embedded into all sorts of devices. It's going to be used in monitoring, medical monitoring, system monitoring, vending machines, ATMs, all sorts of systems, as well as things like gaming devices, PCs. So wireless is going to proliferate; it's not just about phones any more.

Sprint is the first national carrier deploying 4G services, what we call fourth generation, and we're aware that this will bring new cyber challenges. Fourth generation is a wireless network basically being built for data. It's more capacity, more speed and it will generate more and even greater proliferation of the use of wireless data and wireless devices. So we believe protecting wireless data is one of the great cybersecurity challenges of the 21st Century.

Earlier this year I was invited by the White House to talk about how wireless can help meet the challenges facing a number of industries and including making the government more efficient. Meeting the cyber threat will require a national effort that includes government action, industry action, and a new level of industry and government cooperation.

Let me start with government action. To address cybersecurity, Sprint is working closely with a number of government agencies including the Department of Homeland Security and the FBI. We also cooperate with government in the area of telecommunications policy and regulation which can both have a very significant impact on the effectiveness of cybersecurity missions.

Winston Churchill once said, quote, "The Americans will always do the right thing after trying all other alternatives." An alternative of today's Internet, the way the Internet is regulated or unregulated is being considered right now. Congress and the FCC are considering an issue that at first glance might not seem like it has a whole lot to do with cybersecurity and that issue is net neutrality.

Advocates of net neutrality want the FCC to adopt new regulations that would require providers of broadband Internet services to ensure open access and non-discriminatory treatment to all Internet users and to all devices.

Sprint supports the goal of an open Internet, but we are also very concerned that new rules on net neutrality could have unintended consequences, including undermining a carrier's efforts to protect our networks and customers from a variety of cyber attacks. We and other broadband Internet access providers, both traditional ISPs and wireless network operators, are continually developing methods and tools necessary to protect our networks from cybersecurity threats.

We must be able to deploy these newly-developed protective measures very rapidly if they're to be effective because, as you know, the bad guys move very quickly as well.

We believe, therefore, that any net neutrality regulations should preserve a carrier's ability to respond quickly to constantly shifting issues facing modern broadband networks and that we are allowed to keep the techniques we use confidential if they're to be effective. We sometimes need to take proactive, not reactive measures to protect our networks, and we need the flexibility to do so.

We have that today. Regulations that would require allowing any user to launch any application of their choosing should be balanced against the need for carriers to protect our vital communications networks from harm. Wireless is also different than wired networks because wireless spectrum is in limited supply.

Wireless networks are more susceptible to what we call bandwidth over-utilization, for example, consuming all the capacity available on a network. An attack could be in the form of launching bandwidth hogs in a sector which would not let critical traffic like 911 traffic or first responder traffic get through in a second. To its credit, the FCC has said broadband providers should have maximum flexibility to take measures to counter traffic that is harmful or unwanted to users. It is crucial that if new net neutrality regulations are adopted that these new regulations do not conflict with protecting networks and consumers and their computers and devices from harm.

Now, most of the country's communications infrastructure has been built by private enterprise, not the government. Corporate engineers and security personnel have done extensive work to protect these complex systems, creating a body of best practices. Experts within the wireless industry are at the forefront of practical cybersecurity and IT forensics. They work closely with hardware and software vendors to harden and secure their products while building features to secure networks from attack. Computer emergency response teams, user groups and direct communication with one another help each other take on the latest vulnerabilities, exploits and attacks.

The industry knows it needs to do more. The Wireless Trade Association, the CTIA, of which I'm the vice chair, recently created our first cybersecurity working group and will be working closely with the FCC, the Department of Homeland Security and the Department of Defense to address the new and evolving cybersecurity challenges that are facing our nation.

At Sprint we take the issue of cybersecurity very, very seriously. As one of the largest providers of wireless and wireline communications to millions of customers, including over 160 government agencies, we know we have to ensure that we can protect our assets, safeguard our customers' data and stay ahead of current security threats.

Our country's networks face attacks by organized professionals working on behalf of criminal enterprises or foreign governments with high value targets in mind. The attacks range from denial of service onslaughts to botnets which are groups of computers infected with malicious code and unknowingly controlled by a malicious master, to malware, which is software designed to infiltrate or damage the computer without the user's consent or knowledge. They use sophisticated techniques that require constant vigilance and constantly evolving countermeasures.

Recent cyber attacks against some companies succeeded because attackers were able to exploit vulnerabilities in the web browser or the associated plug-ins that enable the Internet experience. Some of these were Zero Day attacks. Zero Day attacks are basically an attack that exploits vulnerabilities unknown to the software developer and one that a patch might not exist yet for. Others exploit the patch cycle that corporate IT departments follow. So it is very much a race against time.

At Sprint we face a broad range of attacks too. Let me give you just a couple of examples. I imagine most of you are familiar with LinkedIn, which is a business-oriented social networking website. It's a useful site. Many people use it. Our company has a spot on LinkedIn. We have many employees that use it and past employees as well. But last year several of them were approached by a company on LinkedIn offering money if the employees would provide critical telecom industry information. The company said they were a start-up looking for information to start up this new venture.

It was a scam to get proprietary data. We caught it soon after it was launched and immediately posted an article on our intranet, which we call iConnect, to alert employees of the scam and reminded them of their commitment to protect Sprint data now and even after they leave the company.

On the other end of the spectrum is an attack we faced a few years ago by a sophisticated gang of hackers in Europe. The gang attacked a major online bill paying service that uses our networks. They were redirecting people from the service's website to a malicious site where the hackers not only stole customer information but took over customers' computers. At stake were billions of dollars of business and the credit identity of millions of people. The IP addresses the hackers were using were identified by our computer incident response team which we call the CERT. And this team watches for emerging threats 24/7, monitoring everything from our internal systems, to security-related forums, blogs, 24-hour news sites, and both white-hat and black-hat security.

So we were ready. As soon as the attacks started, the team put up internal firewalls and rules to block the hackers from accessing our networks. We increased our monitoring of those hackers and quickly got the word out to at-risk customers and employees so they knew exactly how to deal with the situation. As a result, what could have been a financial and privacy disaster turned out to be little more than a nuisance. To secure our network from threats both sophisticated and basic, we take a multilayered defense-in-depth approach. We #1 protect, #2 detect, and #3 respond by being both reactive and proactive.

Our first layer is protection which includes tried and true technologies including firewalls, web traffic, and e-mail filtering plus our antivirus software. It also includes Sprint's wide ranging security policies, like the ones I just mentioned, and our employee awareness programs, like the LinkedIn example I gave.

Our second layer, detection, begins with internal network protection elements such as firewalls, web filtering and antivirus systems to provide early warning of attack. These sources provide a tremendous amount of information. In fact, our security event information management system aggregates and analyzes more than 100 million events each and every day. As we did with the European hackers, when a threat or attack is detected from this vast supply of data, we respond on multiple levels by reaching out to Sprint business units and to employees throughout the company and to contractors as needed.

Our computer incident response team is at the center of #3, our response layer. The response team adjusts rules and signatures on firewalls, web filtering systems, antivirus software and its own monitoring systems to counter new threats and attacks. Again, it's a constant battle because as the people in the room know, attackers frequently modify their malicious code to escape detection.

Last year our response team opened investigations involving malicious code attacks, unauthorized access, suspicious activity, bad practices and unauthorized use of services. Thanks to our multilayer approach we have been able to defeat major attacks like the one I've described. Our cybersecurity defenses don't stop on our own network's information, of course. They extend to our customers' networks and business transactions.

Sprint has several security products designed to protect our government and enterprise customers. They are designed to stop malicious, unwanted traffic in cyber threats such as spam, trojans, denial of service attacks, malicious code, botnet activities and worms and viruses.

For example, we provide our wireline IP or Internet Protocol customers with a network-based, distributed, denial of service monitoring/detection/mitigation service. This IP defender verifies and filters unwanted or malicious traffic, delivering only legitimate traffic to our customers. We're getting great response from our customers for this clean Internet pipe.

This technology monitors the customers' networks to determine a normal or baseline state, and then it compares all future traffic to that baseline. So it helps us detect potentially dangerous patterns or new signatures as they happen.

Being able to identify and counter security threats very early on has been absolutely critical to our ability to manage our customers' networks and to protect them. New challenges are emerging and we're partly to blame for that. Mobile phones are evolving into a digital wallet with infinitely more vital information than you ever carried in that leather one in your pocket or purse. You can use your mobile phone to manage your bank accounts, order credit reports or make mobile payments in stores. While mobile banking is currently most advanced in the far east, it's growing in North America and in Western Europe, and it's estimated that global revenue from mobile banking will exceed $10 billion this year, and it will grow very rapidly.

So far, I've talked about our cybersecurity as it relates to networks. We also apply the defense-in-depth approach to wireless devices. Unmanaged and untested devices have the potential to disrupt network availability if they do not conform to standards. To address this, we work directly with device manufacturers and application developers to provide multiple levels of protection.

The first level consists of security features on the phone itself. The second layer is safety that we build into the applications. And the third layer is Sprint's own systems, our IT systems for building account access or what have you. In addition, we have extensive security and business continuity plans in place to protect our business functions and critical infrastructure. Physical security, if you will, which include protecting our cell sites, our switching centers and our cable landing facilities.

So in summary, whether it's a software attack, massive network outage, device intrusion, service interruption or security breach, Sprint takes our security role very, very seriously. And we have systems in place to minimize risks to both our customers and to our network infrastructure and our devices.

Let me conclude with a few thoughts on how we might work together. Many of you know about Vannevar Bush, who was an electrical engineer and the founder of Raytheon whose 1945 essay, "As We May Think," laid the intellectual seeds for today's world wide web. He was also President Roosevelt's advisor on military technology during the Second World War. And as the war came to an end, Bush was asked by President Truman for his ideas on how to preserve the strength of American technology in peacetime.

Bush called for innovative interactions between government and non-governmental research institutions, interactions that would use the special strengths of each group so that the partnership is greater than the sum of the parts. He helped to forge such a partnership between the federal government and research universities that the result was really one of stunning technological progress that helped win the Cold War and fueled our country's post war economic prosperity.

Industry-government relationships strengthen cybersecurity by leveraging the strengths of each. We currently cooperate. The wireless industry is already sharing expertise with the government through our participation in federal advisory committees such as the FCC's Communications Security, Reliability and Interoperability Council. And, you know, for those of you who watch 24, you know that Sprint helped Jack Bauer and Chloe save the world from terrorists.

As a company, Sprint discusses best practices, lessons learned in network behaviors with a number of federal agencies. That's especially true for the Department of Homeland Security. We're involved with the DHS National Communications Systems and National Security Information Exchange. We also provide on-site support to DHS National Cybersecurity and Communications Integration Center for Coordination with Public and Private Entities during national security or disaster-related events.

We need to be creative, forward-thinking, and we need to be proactive. As Howard Ruff observed, it wasn't raining when Noah built the ark. Many believe that the most likely and potentially harmful attack on this country will be a cyber attack. So we look forward to working with you to defend our vital resources. Thank you very much.


Thank you for opening our program today. What a great start to the day. Just a quick reminder, we encourage you to engage with our panels. You can text questions to the panel members or you can use the pieces of paper on your table or raise your hand.