On Monday, April 9, 2012, Northrop Grumman Chairman, Chief Executive Officer and President Wes Bush addressed George Washington University in Washington, D.C. as part of the Maxon Lecture Series. Below are his remarks.
Effective Cyber Security – Perspectives on a National Solution
We all know that ours is the information age. We live in an information age that is still quite young – only a few decades old. It’s so young and changing so quickly that we would be wise to avoid predictions of what is going to happen in the coming decades. But we can make a couple of self-evident observations that pertain to the topic we are here to discuss this evening.
First, we know our use of digital technology is absolutely pervasive. Every developed economy in the globe – and every citizen in them – is dependent on digitized information – from the food we eat, to the medical care we receive, to the jobs we perform every day, to our bank accounts, the entertainment that we all enjoy, communications, transportation – it goes on and on. Everything we do is connected digitally. There is extraordinary interdependence.
The other observation we can make is that our increasing reliance on digital technology makes us vulnerable. There is a struggle going on as we seek to defend our digital assets from attack by criminal elements, by nation states, and by those who are seeking an unfair business advantage. It is a constant “measures-countermeasures” struggle in which, to quote the FBI’s top cyber-expert, “we’re not winning.”
Complicating this is the fact that these cyber security challenges are many and diffuse. And they exist on different tiers, each of which has its own constituencies, interests, and imperatives. For example, to most Americans cyber security is a personal concern, primarily focused on identity theft. That is certainly an important tier.
But on another tier, businesses today face increasing pressure to ensure they adequately address the security of the information on their networks, whether it is their own proprietary or business sensitive information, or that of third parties, or the personal information of their customers and employees.
Then there is a third tier tied directly to our national security. Our Government must focus not only on the protection of its own extensive networks and data but also the network security of those private companies that provide the critical infrastructure for our nation. Their network security then becomes a matter of national security. Examples would include our nation’s energy suppliers, banking and finance, transportation, and companies like the one I lead, which supply the means by which our nation defends itself – collectively referred to as the Defense Industrial Base. This tier in particular requires a healthy public-private partnership to address the concerns.
These cyber security challenges are what I’d like to discuss with you this evening. I won’t spend too much time on the first tier – that of personal identity theft. Instead, in keeping with your focus on business, I thought I would focus on the other two – those that concern businesses in general and critical infrastructure providers in particular.
But before I do, I think it’s important to state at the outset that the complexity surrounding the issue of cyber security necessarily drives diverse views on solutions. The number of elements, dimensions and interests is matched by the number of different viewpoints, approaches and angles to the problem. I’m here to give you my views and I look forward to hearing some of yours this evening, because any problem of this complexity is best addressed through the power of a broad, diverse debate.
So, what, in my view, do we need to do to address these risks? Well, first, we need to recognize the magnitude of the stakes, and I think that is sometimes taken for granted as an issue. I will tell you that when I interact with other companies and agencies, I find there is a wide range of understanding as to the magnitude of the stakes. The potential costs to every business of proprietary information loss and intellectual property theft are truly enormous. An example can be found in a Bloomberg article last month, entitled, “Inside the Chinese Boom in Corporate Espionage.”
It documents the intellectual property theft and industrial espionage activities of the Chinese government and the nominally private Chinese companies it controls. It also quotes General Keith Alexander, commander of U.S. Cyber Command and director of the National Security Agency, saying that such government-sponsored intellectual property theft represents, quote, “the greatest transfer of wealth in history,” unquote.
Much of this industrial espionage is related to pure, good ol’ economic competition. Often intellectual property that took one company many years and great investment to create can be stolen, replicated, and used to offer similar products without the cost of the development factored into the pricing.
The cyber security threat to those businesses that comprise our nation’s critical infrastructure, however, is a particular concern that goes beyond a battle for product market share.
A study released last year by the Center for Strategic and International Studies found that more than half the companies running critical infrastructure – power grids, energy supplies, etc. – have sustained cyber attacks or stealth infiltrations into their networks.
Those attacks were greatest among oil and natural gas companies – 71 percent claiming to have been targets. The cost of these attacks in downtime has been an average of $6.3 million per day, per corporation. A graphic illustration of these infrastructure vulnerabilities was performed through an experiment by a group of scientists and engineers from the Department of Energy back in 2007. They wanted to see if they could destroy a power generator just by using the internet. I’m sure many of you have seen the video clip of this happening, so you all know that they could, and they did – I think more quickly than they anticipated going into the experiment. And they concluded that such a cyber attack would knock a power plant out for months.
We can all postulate the “cyber Pearl Harbor” scenarios based on exploiting our national digital vulnerabilities, whether in our critical infrastructure industries or the networks our government depends on to conduct its own business. But even without a single large calamity, these daily attacks hurt our economy and our individual pocketbooks. In these examples, each of us pays those costs in higher energy and gasoline bills when the costs of doing business for these corporations increase.
Finally, let’s not diminish the threat of cyber attack to our very culture and ultimately to our way of life. Those things that are best about America are also some of the things that make us vulnerable: our freedoms; our expectations of privacy; the limits on the reach of government into our private lives and businesses. Some among us might question whether those foundations on which our nation was built are worth risking to shore up our nation’s protections against cyber attacks. I suggest to you that the challenge for our economic security, and ultimately for our national security, is to strengthen those principles while protecting our information systems.
So, why is it so difficult for a company to establish an effective defense against cyber attack?
To a large extent, it’s because, particularly with respect to the critical infrastructure threat, the sharing of threat information is critical but complex at the same time. And how that information is shared is often the source of concern when the issue of privacy is considered.
If you think about it, sharing threat information between businesses, and of course between government and business, is absolutely necessary in the fight to defend a company’s digital information. Few attackers focus on only one company in a given sector. Imagine how much more effective our collective cyber security defenses would be if cyber threat information related to specific attack methodologies, such as known bad sites, malware, or social media probes, was freely shared on an efficient, timely basis among similarly situated companies.
The need for cyber threat information sharing should be even more obvious at the public-private tier. Providers of critical infrastructure currently find information sharing among their government partners in the national intelligence and law enforcement communities very, very difficult because it raises sensitive and complex issues. Individuals value their privacy, particularly when the Government is involved. But the fact remains that the cyber defense of our critical infrastructure simply is not possible today without cyber threat information sharing between those three communities.
A good example was offered – again – by General Alexander. Last month he testified before the Senate Armed Services Committee. He told them about an incident in which the National Security Agency detected a foreign entity trying to steal three gigabytes of information from an American defense contractor. Current information-sharing rules would not let him warn the contractor of what was about to happen to them.
General Alexander likened it to seeing a cyber-intrusion happen, as he said, at "network speed" and then, "trying to send a regular mail letter to them telling them they are being attacked." As he told the senators, there has got to be a better way to do that.
Let me take a moment to tell you about the National Infrastructure Advisory Council – NIAC for short. I serve on the council and have served for a number of years. I can tell you that the experience has been eye-opening for me, especially from the perspective of how other companies, who are not part of the defense industry, see this issue.
The job of this council is to provide the President with advice on the security of the nation’s various critical infrastructure sectors. NIAC recently produced a report on Intelligence Information Sharing. If you “google” NIAC, you can pull up the report on-line. The report is premised on the principle that information sharing is, quote, “perhaps the most important factor in the protection and resilience of critical infrastructure,” unquote.
What exactly do we mean by information sharing in this context? Again, referring to the NIAC report: Quote, “Information on threats to infrastructure and their likely impact underlies nearly every security decision made by owners and operators, including which assets to protect, how to make operations more resilient, how to plan for potential disasters, when to ramp up to higher levels of security, and how to respond in the immediate aftermath of a disaster.”
As I mentioned earlier, Northrop Grumman is a member of one of our nation’s critical infrastructure sectors, namely, the defense industrial base. Because the Department of Defense depends for so much of what they do on the defense companies that comprise this base, and because effective cyber defense depends on cyber threat information sharing, the DoD took an early step in this process and set up a framework agreement to facilitate cyber threat information sharing among defense contractors and the Government. More recently, it established a pilot program to help figure out how to share more sensitive Government threat information. This was an interesting pilot program, and like most good pilots, it was set up to illuminate what wasn’t working as much as what was working.
What the pilot program showed was that the technical aspects of information sharing are actually pretty easy to tackle. We know how to do this from a technology standpoint. It turned out to be the legal, and sometimes cultural, obstacles to information sharing that were the biggest problems we had to work our way through.
So, how do we address these problems? In a nutshell, we need to advocate legislation and policies that put in place a workable, effective, and enduring cyber defense that includes adequate privacy safeguards and limits, particularly with respect to Government participation.
This might sound unusual: Here’s someone from the business community talking about the need for legislation, which ultimately has some regulatory dimension to it. That is what we need in this case – but it needs to be done correctly.
Any framework that allows information sharing between the government and the private sector should include the necessary legal protections and incentives that will keep the innovations coming.
It is innovation that ensures the constant improvement of our overall cyber security posture.
The specter of federal cyber security legislation may be worrisome for some – let me restate that – IS worrisome for a lot of folks. It may challenge some individuals’ comfortable notions of privacy and the role of the Government in our lives. The issue of privacy is complex because the notion of privacy means different things to different people. But there seems to be a growing recognition of the need for a federal cyber security law that would enable protection of our valuable information and critical infrastructure subject, of course, to privacy safeguards.
In fact, there are several pieces of legislation currently under consideration, and making a fair amount of progress in working their way through the system. Importantly, none of them call for Government monitoring of private network activity, or for Government access to the content of email or other personal online activity.
Today, the U.S. does not have a single, comprehensive law setting forth privacy rights in the realm of data protection and cyber security. That doesn’t mean, however, that our privacy is not an important concept in our society. Our privacy laws instead come in the form of a hodgepodge of federal and state statutes aimed largely at protecting personal data from identity thieves. Given the growth of the digital world over the last 10 years, it’s not surprising that many of these laws are very, very outdated. For example, the basic framework for our current federal electronic communications laws dates back to 1986. Think of how technology has changed since then. An enormous amount of change – in fact the internet we know today wasn’t even conceived of, or thought possible, in 1986. Because they were written with 1986 technologies in mind, it is not surprising that these laws can be difficult to apply today. The uncertainties surrounding these laws raise not only the risks of costly legal disputes but create unnecessary impediments to effective cyber security.
As I related, when we went through the Defense Industrial Base Pilot program, our biggest issues were around those specific concerns, and we spent an enormous amount of time working through them, while not making progress in actually getting it done. Ultimately we were able to work our way through them, but it took an enormous amount of effort. As a result, certain legal concerns must be addressed before we can hope to establish a viable public/private initiative to address the cyber security risks to the nation’s critical infrastructure. In my view, any such bill that ultimately becomes law has to accomplish at least two basic things:
First, it has to make clear that companies have the right to electronically monitor their own networks or have them monitored by a third party for cyber security purposes. You might think that sounds obvious, but there is a lot of debate around that simple principle. With the increasing pressure on companies to protect their networks, we need to make sure we don’t limit a company's ability to electronically monitor its information systems for cyber security purposes.
And second, any law that ultimately makes it through the system has to authorize, I think, and facilitate the exchange of cyber threat information within and among industry and with the Government. I am happy to say that most of the pending cyber security bills meet these criteria.
But none of these proposed laws, taken alone, adequately address the broader privacy issues of our digital culture. They could, however, be the catalyst for the national conversation about the proper balance of privacy with data security that I contend we need to have before we can hope to defend ourselves. It’s how you set the bar. If we set the bar that any legislation coming through now has to solve all the problems and address all the issues, I think we’ll be waiting a long, long time for legislation. I think we have to take this a step at a time.
The age in which we live depends on information, and information is digital. There is no way around this fact. If we hope to maintain our freedoms, security, and standards of living in this new age, we must figure out a way to defend that digitized information. So I hope this conversation intensifies because the stakes are high.
The time has come for a federal cyber security law that adequately addresses the increased need to protect our citizens, our businesses and our nation from those who threaten our values, our interests and our way of life. I know that effective, responsive cyber defense is technically feasible. We see this in several arenas. That is a confidence born of years of association with some of the most remarkable technical innovators our nation has produced. Frequently, that innovation happens in the private sector. But it often happens in institutions like this university, which provide our future innovators with the foundational scientific and technical knowledge they must have to work their magic.
I am delighted to learn of the interdisciplinary emphasis George Washington University is placing on this issue of cyber security – on the linkage between cyber security and business and the many other disciplines that are out there. This is because, as I have tried to stress tonight, we will never be able to defend the digital information that is so critical to every dimension of our lives if we choose to simply sit around and await a technological solution. We need to find a solution that encompasses these broad aspects of the challenge. It is not simply a technological problem. It is a problem that requires the efforts of all of us – policy makers, business people, engineers, politicians, and citizens.
I don’t think it overstates matters to say that the problem is urgent. By extension, the need for a solution is urgent. And consequently, the need for legislation addressing the challenges I have spoken about tonight also is urgent. We all are at risk, and to one degree or another when we think about the broad profile of this threat and one way or another, we all have a role to play in the solution. I encourage all of us to pull together. The first step won’t be perfect, but let’s take that first step.