On Wednesday, April 22, 2015, Northrop Grumman Chairman, Chief Executive Officer and President Wes Bush addressed the Metropolitan Club in Washington, D.C. Below are his remarks.
Cyber Security: The New Threat; The New Normal
I feel honored and humbled to have a conversation today about cyber security.
My topic may strike some as technical and obscure.
It may raise unanswered questions about the implications of certain actions – or worse – certain inactions. But I believe this topic is critical to our future. This is because ours is the information age. And it is still quite young. It’s so young, and changing so quickly, that we would be wise to avoid predictions of what is going to happen in the coming decades. But there are a couple of observations that are self-evident.
First, we know our use of digital technology is absolutely pervasive. Every developed economy on the globe – and every citizen therein – is dependent on digitized information. From the food we eat, to the medical care we receive, to the daily jobs we perform, to our bank accounts; from the entertainment that we enjoy, to the ways we communicate, and transport the goods we depend on. It goes on and on. Everything we do is connected digitally and with near complete interdependence.
The other observation we can make is that our increasing reliance on digital technology makes us vulnerable. There is a struggle going on as we seek to defend our digital assets from attack by criminal elements, by nation states, by terrorists, and by those who are seeking an unfair business advantage. It is a constant “measures-countermeasures” struggle in which “we’re not winning,” according to the FBI’s former assistant director responsible for cyber crime. Not only are we not winning, but the acceleration of these threats shows no sign of slowing.
There has always been a direct relationship between the scope and pervasiveness of the cyber threat, and the capability of the technology. Not long ago, for example, cyber-crime might have been limited to computer fraud and swindles perpetrated by single actors against the unsuspecting. Those days are long gone.
The capabilities of the technology, and the expansion of networks – and with it, the scope of vulnerabilities – have made possible what private businesses and citizens suffer to this day. Those penny-ante swindles of years past have given way to extortion; identity theft; money laundering; service disruption; theft of proprietary information; reputational damage; and increased national security risks. And much of it is conducted by organized criminal enterprises; and even a combination of organized crime in allegiance with lawless governments or terrorist organizations.
The tools could include everything from worms and viruses to malware, botnets, cons and social engineering. And they are becoming easier to use and available to anyone.
Motives used to be limited to harassment or financial gain. Now they often include things more difficult to understand and counter: terrorism, geopolitical activism, and, as a recent Reuters article reported, destructive maliciousness.
Governments are fully invested in these capabilities too. Russia unleashed the cyber weapon against Estonia in 2007; the former Soviet state of Georgia in 2008; and Ukraine in 2014. And it has been reported that China has fully integrated cyber into their warfighting doctrine. The Pentagon defends itself against millions of cyber attacks every day. You all may have read the recent news reports of Russian hacking of our State Department. And foreign government attacks against the private sector are also now a reality.
The urgency of this problem has been recognized for several years. A Bloomberg article three years ago documented the boom in Chinese corporate espionage.
It quoted the then-director of the National Security Agency, who said that government-sponsored intellectual property theft against the United States represents, quote, “the greatest transfer of wealth in history,” unquote. It is with good reason that the President earlier this month signed an executive order declaring the cyber threat a national emergency.
The evolution of the cyber threat demonstrates the different tiers that the problem permeates. For example, to most Americans cyber security is a personal concern, primarily focused on identity theft.
On another tier is business, which has to protect its own proprietary and business-sensitive information, as well as that of third parties, customers and employees. And it now also must protect its assets from malicious, destructive attack.
Then there is a third tier tied directly to our national security. It requires our Government to protect its own networks and data, but there is also Government responsibility to help protect the network security of those enterprises that provide the critical infrastructure for our nation. I’m talking about our nation’s energy suppliers, banking and finance, transportation, and companies like Northrop Grumman, which supply the means by which our nation defends itself.
The cyber threat will be with us for the foreseeable future and will, to an ever-greater degree, drive our national security posture. It will not be solved by any one breakthrough or political party. And, though it will require progress in both technology and policy, it is the policy piece that has consistently proven the most challenging.
Yes, there are security measures that many companies still have yet to utilize. But, in the bigger picture it’s the policy piece of this issue that provides the main difficulties for a company trying to defend itself against cyber attack. Case in point: The legal obstacles to information sharing.
Right now, many organizations are facing cyber threats alone. Currently, as soon as a potential cyber attacker learns of a software or hardware vulnerability, every single company that uses that product is immediately at grave risk. However, when the private sector can share threat information with each other – and between itself and the government – that risk of cyber attack is greatly reduced. This is because we leverage our collective cyber defenses by sharing threat information – like attack methods, known bad sites, malware, or social media probes. Yes, there are legitimate privacy and liability concerns. However, an effective cyber threat information sharing framework can balance these issues while also providing enhanced cyber protection for all of us.
This need is even more obvious at the public-private tier. Critical infrastructure providers currently find information sharing with their government partners in the national intelligence and law enforcement communities very, very difficult because it raises sensitive and complex issues.
Individuals value their privacy, particularly when the Government is involved. But the fact remains that the cyber defense of our critical infrastructure simply is not possible without cyber threat information sharing between those three communities.
One example from a while back, related in congressional testimony, told of an incident in which the National Security Agency detected a foreign entity trying to steal three gigabytes of information from an American defense contractor. The information-sharing rules would not let the NSA warn the contractor of what was about to happen to them. The head of the NSA at that time likened it to seeing a cyber-intrusion happen at network speed but then being required to warn the company under attack with a letter sent through the conventional mail.
Legislative efforts to deal with the information-sharing issue occur every few years. Currently, another effort seems to be building. Those of us who watch this issue have our fingers crossed. I’m guardedly optimistic. First, because this issue has been elevated by recent cyber attacks on large companies: Sony, J.P. Morgan, Target, Anthem, Home Depot and others. And they have focused attention on the issue among the most powerful people in America – the taxpayers – voters who feel less and less secure about their personal information and bank accounts.
The other reason I’m optimistic is because, legislation or not, government and the private sector have not been idle. What hampered the last legislative effort were concerns over the regulatory burden. In the wake of that last legislative effort, the National Institute of Science and Technology – NIST for short – worked together with industry to develop and issue a framework for improving critical cyber security infrastructure. It was intended as a voluntary set of guidelines. But now at its one-year mark, it has become the de facto standard for private sector cyber security as viewed by regulators and lawyers.
The framework helps a company to critically assess its cyber security health, capabilities and efforts; then the company can perform a risk/return analysis to determine where it wants its cyber security capabilities to be, and when. It then develops a plan to get itself from its current state, to its intended end point. Companies utilizing this framework are motivated toward improvement because, in the event of a successful attack against them, any company would have to explain to customers and creditors why it chose not to participate in a security improvement program that its competitors are likely using. It also doesn’t hurt that the framework is being used as an industry baseline for cyber insurance underwriting.
The NIST Cyber Security Framework has been a tremendous success that goes beyond what a company would achieve with a static or mandated compliance check-list. As I said: The framework standards are voluntary, making them versatile and making compliance relatively inexpensive at the same time. Not only has it improved the cyber defenses of companies and industries, it has also pushed the conversation outside of the traditional cyber security community. And it has proved that cyber security can co-exist with our national traditions of privacy.
Despite the success of the NIST Framework, more work is needed at a higher level. To be candid, the limited policy successes we have achieved have done little more than patch holes. Something more comprehensive is needed and the Administration’s and Congress’ renewed focus on cyber policy and strategy is justified.
One piece of a more comprehensive strategy concerns retaliation. To its credit, the federal government has now come to recognize the deterrent value of retaliation as a critical component of cyber defense. It has already declared as policy that it may construe a significant cyber attack the same as a conventional act of war, to be responded to in a conventional, kinetic way. And President Obama has recently established a policy of using economic sanctions to respond to malicious cyber activities. In other words, it is national policy that there is necessarily no longer any difference between a damaging physical attack and a damaging cyber attack.
But how do private businesses respond to a successful cyber attack? We are rightly not allowed such deterrent options. The approach is similar to the way we deal with physical security. When it comes to physical security, society generally recognizes that companies have a responsibility to provide an initial layer of protection, whether that be in the form of alarm systems or security guards or other means for physical security. Companies have a similar responsibility for taking prudent defensive steps to protect their cyber security. But, we depend on the government for dispensing punishment and ensuring justice is achieved. The defense industry has an additional responsibility. Our industry helps to ensure that government has every tool available to enable every option possible.
I’ve discussed some of what I would call the “baby steps” of cyber-information sharing, enabled by legislation and by companies stepping up to better defense of their own systems. But we, collectively, need to be looking ahead with a broader strategy, and not simply responding. One element of a more comprehensive strategy concerns how we build and acquire our systems – not just our information technology, but the hardware with which we build our products because almost every element of hardware operates on the software embedded within it. And this applies not just to the companies within the defense industrial base; it applies to any company that builds anything digital.
Bolted-on fixes and contingency solutions are less and less effective against cyber attacks. We have reached a point where cyber defenses need to be designed into a system from its earliest conception. Yes, I’m talking about warships and advanced aircraft. But I’m also talking about the robotic systems that build automobiles; the systems that monitor and manage a city’s power grid, or subways, or water treatment.
If a system has an IT component to it, it is vulnerable to cyber attack and bolted-on fixes will prove a dead end against the growing sophistication of offensive cyber capabilities. This so-called “embedded cyber” is a growing part of national defense acquisition. But this is not just about defense articles. We all need to weigh the expense of embedding cyber defenses in our systems against the costs of devastating attacks.
To protect our networks, we need to be perfect every time while an attacker just needs to get it right once to accomplish their objective. Embedding cyber defenses into our business systems in the initial design and acquisition phase flips the equation to give defenders the upper hand. It’s not without costs, but those costs could ultimately prove to be pennies on the dollar.
A second element of a broader cyber security strategy is the creation of an inherently more secure Internet architecture. Our current Internet was not designed with security in mind, but a new one can be.
The last piece of a comprehensive cyber security strategy that I will mention is the need for a capable cyber security workforce. The most critical piece of cyber security is people. The nation needs to ensure it has the trained cyber professionals to stay ahead of evolving threats and to develop the solutions of the future. Currently we are falling short in that area.
I believe a key part of the solution to this shortfall is innovation and committed partnerships between industry, government and academia. I’ll describe one such effort to illustrate the point – it is a program our company is supporting through the University of Maryland, and with the collaboration of BHEF – the Business Higher Education Forum.
This program is the nation’s first undergraduate honors program in cyber security. It represents a new education model that pools highly talented, diverse students from multiple majors – computer science, engineering, business, public policy, and social sciences – in an intensive living-learning environment that focuses them on the multifaceted aspects of cyber security and develops team-building skills.
It represents a fresh new kind of collaboration between educators and the employers who will be looking to hire these specialists upon graduation. These exceptional young men and women are taking on an advanced cross-disciplinary curriculum developed between the University of Maryland and the companies and agencies that need the expertise of these students. They are interacting directly with industry and government cyber security mentors. For the students, the program represents a competitive advantage in the quest for employment after graduation – employment in fascinating, important, well-paying work.
This is just one example – we also have programs at University of Maryland Baltimore County and Cal Poly San Luis Obispo and many other universities.
For companies like Northrop Grumman, these programs represent a chance to more effectively recruit, retain, and engage new cyber security professionals who will already have practical experience when they enter the workforce. The old paradigm is simply not supplying the human capital this problem requires. These programs represent the kind of innovation and partnerships the problem demands.
“May you live in interesting times,” goes the old curse. But it’s a blessing too. Yes, our age is full of challenges, dangers and threats. But it is just as full of wonders, discoveries and achievement. And more are available to us provided we can assure the security to deliver on their promises. Government and industry each have their roles to play. While only government can codify those roles in law and policy, industry must be proactive in taking the steps needed to create the security in our infrastructure.
This is going to require the brave to traverse over new ground. It will require that laws and policies be written, debated, compromised on, and passed, frequently in the absence of precedent. But that new ground must be traversed, even in the absence of perfect clarity about the actors or the threats they pose. We may not get it exactly right in the first steps we take. If a law warrants amendment, it can be amended. If a system needs to be changed, we can change it. But I am hard pressed to envision a more reckless strategy for the defense of our nation, our economy, and our society than standing by, waiting for clarity. The one policy that is certain to fail us is inaction.
Yes, there are many demands on our government’s and our private sector’s manpower and resources. But hasn’t that always been the case? In 1969, our nation was fighting a hot war in Southeast Asia and a Cold War around the world. We were financing the costs of expanding government under President Johnson’s Great Society, and all of that at a time of tremendous social upheaval. Oh yes – and we still managed to land men on the moon. Our nation can multi-task – when we work together.
The age in which we live depends on information, and information is digital. There is no way around this fact. But we will never be able to defend the digital information so critical to every dimension of our lives unless, together, we take meaningful action. It is not simply a technological problem. It is a problem that requires the efforts of all of us – policy makers, business people, engineers, politicians, and citizens.
I encourage you to engage on this issue and I am eager to work with each of you toward that objective.