On Thursday, Nov. 3, Kathy Warden, corporate vice president and president, Northrop Grumman Mission Systems, spoke at the Northern Virginia Technology Council (NVTC) Cyber Summit. Below are her remarks.
Cybersecurity: Responding to the New Normal
Thanks, Wes. It’s great to be here with you today and I want to echo what Wes said about how fortunate we are to have Senator Warner and his leadership in this really important area of cybersecurity. His efforts are tireless and effective for us in Congress and I truly do appreciate it.
I also want to thank Bobby Kilberg and the staff here at NVTC. This council has been a wonderful resource for us. This is one of many topics that the council has addressed over the years that have really helped to galvanize action amongst industry, academia and our leadership in Congress. Today I expect to be no different. There is an amazing program lined up for us today and what I hope to do in my remarks is to lay out a framework for our thinking in the discussions that will follow over the next few hours.
There was a time, and it wasn’t too long ago, when the perception of cybersecurity was very technical and somewhat obscure, and not something that impacted most companies, and certainly not most people and consumers.
But I believe that time is past now. With the daily information we all receive about cyberattacks at the national level on our infrastructure, on companies from which is stolen proprietary information, and even the consumer who is impacted with threats to their personal information or financial security is at risk, we are now in a very different place. I’m glad that we have a forum like this to discuss this topic because it is going to take all of us working together to have successful outcomes.
I think about this as a domain. Those of you who work in the federal government or industry have long heard us talk about the domains of land, sea, air and space. Cyber is that fifth domain. It is a domain in and of itself because it is a place where not only technology exists, but warfare exists. And not just in the traditional sense of warfare, but in the sense that there are sophisticated capabilities that are in place for good and for harmful purposes. We have to be managing this domain because it is critically important, not only to our national security, but also to our economic security.
Today we find ourselves on guard from a number of attacks against our digital assets from criminal elements, nation states and terrorist organizations. They are seeking to disrupt our way of life. We need to ensure that we are constantly vigilant to address these threats.
So, the bottom line? Cyber is now fundamental to human advancement and it must be secured. For this reason, this summit is timely because we are going to talk about some very specific paths to ensuring that.
It is also appropriate that this summit is being held in Northern Virginia. I don’t want to discount the important work going on in Silicon Valley; there is some tremendous capability coming out of that region. But there is no region like Northern Virginia. It has collected a group of talent; it’s at the hub of the federal government’s efforts in cybersecurity; and we also have phenomenal academia located in this region from Richmond to Baltimore. These are great capabilities for us to leverage in this fight and NVTC is certainly a cornerstone in our efforts to do so.
This morning I’d like to offer a few thoughts on the four areas necessary for success. First is policy; next is innovation; third, people; and finally partnerships.
I placed policy at the top of my list for a reason. Policy is fundamental; it’s foundational. Cyber is an issue that policymakers will grapple with for generations. This is not about finding the easy policy fix we can put in place today, then move forward. There are a number of efforts that have already been undertaken. Senator Warner mentioned one – the Information Sharing Act. But despite the progress we’ve made, many companies and individuals still don’t practice basic cyber-hygiene. We need to ensure that everyone who uses technology—be it smartphones, computers or even Bluetooth devices—understands the risks and vulnerabilities that need to be addressed in this infrastructure. It requires us to think about our daily behaviors and how it either contributes to a solution or creates vulnerabilities.
For example, although we may really, really want to click that link that tells us a package has arrived for us. But we need to stop to think, “Did I order a package?” If the answer is no, we have to be diligent; we have to be disciplined. We need to be part of the system that is securing our entire environment.
I’m pleased that last year Congress finally passed legislation addressing the need for information sharing.
But it’s not a silver bullet. It relies on us in industry to take advantage of it and to actually share information into the network that helps each of us to have stronger defenses. We have reaped the benefit of this at Northrop Grumman. In working with many of the aerospace and defense companies, we’ve been able to thwart cyberattacks against our networks because of information shared from others in industry. I strongly encourage each of you to think about that participation in your own organizations.
I also applaud the Administration for taking steps to increase our collective cyber security – including signing the Cyber National Action Plan and Cyber Incident Response Coordination Executive Order. These were two important steps forward. But, as I said, we still have work to do in policy. I hope that our next president, whoever it might be – and I’m not going to comment on that – continues the progress of the previous administration’s work and continues to make cyber a national priority.
Important though it is, the policy aspect is only one among four that I want to touch on. To be successful, we need to address the issue on multiple fronts.
The second element of a more comprehensive strategy concerns innovation and technology. Regarding the solutions to this problem, Senator Warner has said that they cannot be reactive. We have to begin to think about designing our systems with security in mind. That includes the software as well as the hardware with which we build those systems. A concept we have used when thinking about this is the concept of resilience.
Think about the most resilient system you know. For me it’s the human body. It is able to detect germs and viruses it has never been exposed to before, respond to the effects of those germs and viruses, and restore the body to a normal state. That’s exactly what we want out of our systems.
Today we’re largely using firewalls and things that are bolted on to protect our networks and systems. We’re trying to build high perimeters. But the reality is that the threat is already inside. Bolt-ons and firewalls are only so effective and they are not going to secure us against the most impressive threats that our adversaries have to throw at us. As we know, nation-states with those high-end capabilities are not just going after our federal government assets; they are also going after corporate assets and personal information. It is particularly important for us to think about technology innovation with that in mind.
I also want to talk about the area that I think may be the most critical for us right now – our workforce. Wes has said that all of this comes back to people. We simply don’t have enough of them.
If you think about how our workforce has been put together, it has been built over that past number of years through re-purposing individuals who have a technical or engineering degree into this field. This is because cybersecurity wasn’t a field in which our universities had built programs and encouraged students to come to study. I‘m happy to say we’re making change in that regard and we’re doing that by working together – companies and academia – to create new programs.
One of those programs – created through a partnership between Northrop Grumman and George Mason University – is a “first.” It is a cyber-engineering program intended to not only produce great engineers, but engineers who really understand this field with the applied skills to come into our industry and make a difference right from the start.
I don’t mean just the aerospace and defense industry. We are thinking about how this program could be applied to robotics; building automobiles; thinking about how this applies to infrastructure management, the power grid and water systems. These are skills that are pervasive across all industries that are of interest to all of us.
With that said, it makes this workforce gap even more critical. There is a study published last year that asserts the information security workforce shortfall is widening. 62 percent of companies who participated in the study said that they have a shortfall in information security professionals. This compares to 56 percent two years ago. The trajectory is going in the wrong direction. The shortfall is anticipated to reach one-and-a-half million jobs this year. This is critical for all of our companies. We have to be taking action and not just looking for that talent that does not currently exist.
That problem exists here in Northern Virginia, where that shortfall is among the greatest in the nation because we have such a high demand.
In addition to our partnership with George Mason University, we are working to fill this workforce gap through partnerships with University of Maryland, Cal Poly San Louis Obispo, and the University of Cincinnati. All across the country we are putting programs in place. But we’re just one company. We all need to be thinking about this, and I know many of your companies are doing the same. Through these efforts we will start to put a dent in this workforce gap.
Finally, I would like to talk about partnership. What I have mentioned between companies and academia is one form of partnership. Information sharing is another form of partnership. But we also need to think about partnership in the context of working with our customers and our community to raise awareness. Senator Warner has spoken to the efforts in Congress he has taken on to educate and make sure that this platform is not just understood by the hundreds of us sitting in this room, but that the national and economic security underpinnings in every industry are understood. It must also be understood that this important effort must be adequately resourced and funded within our nation.
This is the kind of partnership that we need and it needs to be coming from all sectors and all dimensions.
Let me summarize as I bring my remarks to a close, what I think a summit like this can do for us today. I mentioned we have a great line-up of activity. But I hope that you won’t just sit and listen. I hope that you will actively engage because we’re early in this journey and it is a time when all ideas need to be brought to the table. That is exactly what a summit like this can do. Your idea can spark the idea of someone else, and we then build upon that as we grow together.
I’ll leave you with some words that are particularly relevant to the challenges we face today. They come from the great cultural anthropologist, Margaret Mead. She said: “Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it is the only thing that ever has.”
I believe that small group or thoughtful individuals is coalesced here today in this room, led by NVTC. And I believe that we do have the opportunity to come up with ideas that in small part will help to change our world. We have that responsibility, and I’m pleased to say that my company – and all of yours – is here with an interest to do so and I’m glad to be a part of it.
Thank your for your time today. I look forward to interacting with you.