28 July 1998

Date: Tue, 28 Jul 1998 11:20:01 -0400
From: dltranscripts_sender@DTIC.MIL

N  E  W  S      B  R  I  E  F  I  N  G

DoD Speech to Fortune 500 Chief Information Officers Forum
Deputy Secretary of Defense John J. Hamre
Aspen, Colorado
Tuesday, July 21, 1998

        Secretary Hamre:  Thank you, Petre.  You're very kind.  And I appreciate being invited to come out to be with all of you.  It's more than anything, just to get out of Washington, to be blunt.  (Laughter)  To tell you the truth.

         Let me apologize at the outset.  I did have a speech prepared to give you, but this morning, I had a very interesting experience on the way.  I stopped at Cincinnati to talk with folks at General Electric who do engine work to learn about how they're doing six sigma.  And frankly, that changed a lot of my thinking, and so, I'm afraid you're going to get a much rougher speech.  I'm going to try to bring together a number of different strands, talk both about our war fighting side as well as our business side and how we use information technology, and at least try to give you a sense of what we're facing.

        First, if I may, and as Petre said, I function as the chief operating officer for the Defense Department.  Let me, if I may, to ground you in what this organization is like. As Petre mentioned, it's a large organization.  We have 1.4 million men and women who serve in the uniformed services, active duty, and about 800,000 civilians that work for the department.  Every year, we recruit about 200,000 new people to join the armed forces.  And we separate about 220,000 people.  So about 30% of our organization is either coming or going every year.  We are spread out all over the world, as you know.  We have about 250 major installations.  We operate 550 public utility systems, everything from gas, water, electricity, and natural gas distribution.

        We are one of the largest school systems in the world.  We have 126 high schools and elementary schools.  We are the world's largest daycare provider.  (Laughter)  Seriously, we have 300,000 kids that go to Department of Defense day schools--daycare centers-- because we've become a very different military over the last 25 years.  Twenty-five years ago, it was still a conscript military and it was largely bachelors.  Today, it's very much a married military and lots of single parents.  And you've got to reassure parents that somebody's going to be taking care of their kids if they get mobilized on short notice.  So we spend a lot of money on daycare.  We're the largest daycare provider in the world.

        We have 28,000 separate systems that we're tracking for Year 2000.  Twenty-eight hundred of them are mission critical.  I used to be the comptroller, so I'm a little more familiar with some of this, but we cut 5 million paychecks a month.  We cut about 400,000 bonds every month.  We pay about 600,000 travel vouchers a month, 800,000 contract actions a month, most of them are small.  Out at Columbus, Ohio, where we do our large contract management administration, we have about 360,000 contracts under administration.  We disburse about $43 million an hour.  (Laughter)  An hour.

        We have operations under way in every time zone.  There isn't a time zone on the planet that we don't have military personnel operating someplace.  Today, there are about 115,000 military personnel who are deployed.  And that's in addition to the 200,00 who are permanently stationed overseas.  We operate over 400,00 vehicles.  Now, that's everything from sedans and buses to street sweepers, we use to clean runways, to combat vehicles to tanks, armored bulldozers.  As an organization, one of our real challenges is to span about 70 years worth of technology at any one point in time.  We operate, on a daily basis, aircraft that were designed back in the early '50s and you still have to maintain them, buy spare parts for them and keep them updated.  At the same time, we are working on research and development programs for systems that won't be fielded, its first flight will be in 2017.  Managing that spectrum of technology is a real challenge.  A real struggle.

        In information technology, we operate some of the most advanced computers.  And yet, just last year, we moved a bunch of Burroughs punch card readers to a new mega center because we were still operating in a punch card environment.  So, it's an astounding spectrum of technology that we try to manage.  It is, I would argue, not only the largest, but probably most complex, organization in the world.

        Now, this is an organization that has had its budget cut for 15 consecutive years.  In part, this is okay.  The Cold War is over, I, and I don't think it's inappropriate that it is reduced.  But our budget is about 46% smaller than it was in 1986. We've undergone significant reductions. This is, as I mentioned, an organization that is operating at 46% of its budget resources only 12 and 13 years ago, has a third of its personnel coming and going in any one year and is still able, within a month, to send 60,000 people to the Persian Gulf along with 400 combat aircraft and 500 cruise missiles and could carry out war tomorrow if we had to.

        So, I say that to frame an observation and a dilemma that at least I experience.  That is this:  I firmly believe that we are a world class organization in what it is we're supposed to do, which is to fight and win wars.  There isn't anybody who is as good as we are.  But I've also got to be honest and say we're a second sigma organization when it comes to business practices.  And that's the curious dilemma that I see and that I'd like to talk with you about today.

        First, let me talk a bit about the war fighting side of the house.  We have been engaged in an unprecedented change in the way we think about warfare.  It's been going on for some time and it's ready to enter into a much more sophisticated dimension.  It really took off in the late '70s and the early '80s when we were starting to bring microprocessors into weapons systems.  That's when it got started.  That probably wasn't as revolutionary as was the revolution in training technology that we developed in the late '70s and into the early '80s.  And that's been, I think, far more important, frankly, as most of the senior commanders in the Persian Gulf-- Norm Schwarzkopf--we were talking earlier with Petre.  We could have switched equipment during Desert Storm and still beaten the bejesus (?) out of them.  Just because of the people and the skills that we grew over that time.  For us, training technology, growing our most important asset, people, is by far the most important thing we do, not just the hardware that's sitting out on a ramp.

        So for what we're supposed to do, we're a world class organization.  And I've got to tell you, frankly, we're getting better.  Dramatically better.  We're already without peer.  I know this sounds boastful.  I don't mean it to be that way, but we're already without peer as a fighting force and ten years from now, we're going to be, I think, significantly stronger.  Let me give you an example.

        We are on the edge of breaking through in what we call network centric warfare.  Prior to this time, we largely fought about the business, I'm sorry, this is a little blunt, a little coarse, but the business of destroying things,  is what you try to do in a very focused way without doing lots of damage to things that you don't want to destroy.  We try to do that, we've done that before by largely putting very lethal and accurate capabilities on whoever was doing the shooting at the time.  We're now moving into a much more interesting and highly leveraged dimension where the person that launches the missile doesn't have to see the target.  We're going to be sharing information across a network and still be able to attack and destroy an opponent. This dramatically improves the survivability of our own forces, of course. It is going to be revolutionary.  The situational awareness that will be on our side of the battlefield will be three or four orders of magnitude better than our opponents.

        This really comes from the way we've brought information technology into the core of war fighting.  For example, one of the things-- it's not with us today, but I don't think it's many years away.  We will have a device about the size of a watch that will be on our average soldier that will monitor vital signs so that when that squad is out at night, the sergeant doesn't have to wonder if a private has fallen asleep in a foxhole.  He can see it. If one of our soldiers got hit, you don't necessarily have to send out a couple of guys to try to get him and find out that he's already dead and then put more lives at risk when you're in a firefight.  It's that kind of knowledge and that kind of skill-based control that we're going to bring to the fight that will be without peer, in the world of warfare.

          I know this isn't necessarily a pleasant thing to talk about, but it's part of our business and we do it so that we quickly get in, quickly get out and leave very, very few people behind.  And there isn't going to be anybody as good as we are.

        We're doing this, with a very systematic application of information technology and warfare.  And it's really unbelievable the way it's happening.  They're prototypes, but we're putting computers on-board airplanes along with pilots that serve as a copilot for all practical purposes, giving that pilot extra situational awareness, queuing and advice.  We're going to be able to put inside a tank a picture of the entire battlefield for that tank commander.  You can't imagine how limiting your perspective is when you're inside a tank, buttoned up, trying to have some idea where your enemy is and where your own friendly forces are in a vehicle that's bouncing all over.  You may be in chemical gear. Now you're going to be able to look at a computer screen and see it in front of you.  It's going to be absolutely revolutionary for what we can do.

        In the past, the dilemma of warfare was always how to bring mass together for its effect over your opponent without giving your opponent lots of targets to shoot at.  Classic dilemma. One of the reasons there were so many casualties during the Civil War was because firepower technology had gone so much further than communications technology. We were still massing people close to each other, side by side, marching in the face of huge firepower disadvantages so that our cannons mow people down.  That's why there were so many casualties in the Civil War, because communications technology still relied on people standing close enough to hear an order.  We're now going to be in a wholly different world where people don't have to see each other and yet, they can operate together as a combined arms team.  It's dramatic what we're going to be able to do.

        Now, I contrast that with where we are in our business operations.  And here, and I'm not trying to criticize the people who are working very hard.  These people are working very hard to try to make the system work.  But I'd have to be honest and say that we're a second sigma organization for most of our supporting structure.  We are still largely dominated by stovepipe organizations.  We automated our stovepipes to reinforce their bureaucratic rigidity.  Does this sound familiar?  (Laughter)

        And of course, what happens?  This is one of the reasons we have 28,000 Year 2000 problem systems.  What happens when you automate manual processes is that then you have to invent interconnections to get them to work together, right?  And of course, those are all basically failure points in a system.  So, on the average, between a decision to buy something and getting a check cut, out the door, it takes 105 paper transactions in the Department of Defense right now.  Now we're trying to glue together lots of different, old-fashioned, manual procedures that were designed during the '50s and '60s and '70s that have all been automated.  Great.  We are an enormously paper-bound organization.

        When I was the comptroller, I was responsible for all the finance and accounting operations of the department, and that included our disbursing operations.   I mentioned our finance center out at Columbus, Ohio.  We have about 3,000 people there cutting checks to all of our vendors. They are administering 370,000 contracts.  It takes 15 linear miles of shelf space to hold the contracts.  When we sign a contract, we issue a contract, we print up 17 copies on the average on the contract.  One of them goes to Columbus.  So we've got miles and miles and miles of shelf space every place, administering what's in essence a paper-bound system.

        And again, you know, I'm just trying to be honest.  This is what happens when you get such a huge, complicated organization as ours.  You get these very old fashioned -- I went out to Columbus.  The first time I went out there, there were great, big sorting wheels just to sort the documents that were coming in every day.  I mean, this is 1930's office technology, but that's kind of where we were at.

        So, these two phenomena, which I find it very curious, you know, we are so advanced in some areas and it just would dazzle you to see some of the things we can do.  I can walk into the Pentagon, I can go down the hall and I can see real time video footage of a camera taking pictures over Bosnia.  It's startling some of the things we can do.  And yet, I go to places where we're still using 1930's sorting wheels for the documents. (Inaudible) to reconcile this and they're related in a very important way.  As I said, our budget's been cut now for 15 years.  We happen to think we're absolutely at a rock bottom.  But I don't know that there's a lot of support for dramatically increasing our budget.  So if we're going to be able to sustain the kind of war fighting modernization that we need for the future, then we're currently not buying enough things for the long term modernization of the department.  We're going to have to create our own spending power.  And we're going to have to do that by shaking loose dollars out of the support structure of this department.  We've got too much that's being consumed by old-fashioned business practices.

        So, when the Secretary Cohen came in a year ago, I was the comptroller, and he said, we've got to do something about this.  He put me in charge of an effort to try to come up with ways to bring in business, modern business practices.  There are four basic things that we're trying to do. One was trying to streamline our headquarters operations.  We cut out about a third of the direct office supporting the Secretary.  There were actually 3,000 people who were involved in that and we've cut out a thousand of them.  And we've cut back about 30,000 out of our defense agencies, our support agencies.  We're trying to launch a wide set of changes in our business practices and I'll describe a few of those in just a moment.

        Second, we're trying to compete government jobs against the private sector.  We know from experience we've done about 2,000 competitions.  This is governed by a process called the A-76 process, a circular that OMB maintains.  We know that when we compete jobs head to head, on the average, the government wins half of the time and the other half of the time the private sector wins.  When the private sector wins, the savings are usually about 40% and when the government wins the savings are usually about 20%.  So we know we can save substantial sums.  So we're going to compete 200,000 of our jobs over the next four years and  try to shake dollars out of the system.  Will generate, when we're finished, annual savings over $2.5 billion.

        Third, we need to close bases.  We've gone through four rounds of base closures.  We're still doing base closures.  Last year, we closed a base a week.  Some of them were small, but we're closing a lot of structure.  But we still have to go for another couple of rounds of base closures.  This has not been gladly received by Congress.  We did not get permission to proceed.  I don't know what we're going to do exactly, but we have too much physical infrastructure that we're having to support. We're going to have to figure some way to streamline that physical infrastructure because it's taking dollars away from what we really need it for, which is modernization of programs in our war fighting.

        Within our bases, we're trying everything we can.  We're going to, over the next four years, knock down 8,000 buildings that we consider obsolete. We will break even on the fifth year. We've got a lot of old structure, going back to World War II.  The phenomena is if you've got a base and you've got heat going into it, people move into it.  (Laughter)  Get the building down.

        We are on a path.  We would like to try to privatize all of our utility systems over the next five years.  We've got, as I said, about 550 utility systems.  Now, some places, that's very plausible -- San Diego, Norfolk.  But you get into the middle of the desert, it's probably not very plausible that we're going to be able to do that.  But again, we're on a detailed plan to try to privatize our utility system.

        Now, let me, if I may, just talk briefly about some of the business practice things that we're trying to do.  For example, we're trying desperately to move to what we call a paper free acquisition environment.  I described to you a current system that is enormously paper-bound -- 15 linear miles of shelf space.  We found some very innovative ways to do that.  We're essentially shifting over our acquisition system to an Internet-based system.  We had some clever folks who said, you know, before that contract ever turned into paper, it was electrons on its way to a printer.  If you can intercept those electrons and drop them in a server, you can access them with standard search tools and get enterprise-wide imaging, you know, on the cheap.  You don't have to buy all those Kodak scanners, nothing against Kodak.  You don't have to buy those scanners if you can find a way just to borrow the electrons at the outset.  One of the advantages of course is, that you don't have to have everybody come on board the system to get an enterprise-wide solution.  People can get on board it when they want to and when it's in their purposes.  We'll break even just with file clerk costs alone in the first two years.

        We're making very good progress on this. We're probably posting about a hundred thousand contracts a month now that way alone.  It never turns into paper.

        We've been able to shift over to a paper free process for our technical drawings -- about 65% of all of our technical drawings, and we have a lot of them.  We have 5 million items in our active stock list that we're buying from industry.  Many of them have to have technical specs behind them for competition.  Now, 68% of them are only in electronic format and we only compete them in electronic format.  So, we're trying very hard to shift over to this sort of a world.

        I think some of the greatest promise lies in some of the new, but not exotic, technology.  For example, electronic malls.  We are now shifting over in a very dramatic way to using electronic malls.  It's not just cheaper, but it's a revolutionary way of approaching acquisition.  You're "democratizing" the acquisition process.  You take your acquisition professionals and you have them develop the underlying contractual instrument for the acquisition.  Then you turn it over to a first sergeant and let him buy his own batteries or his own spark plugs.  We don't have to have an acquisition system that's buying it for him and then a finance system that's paying the bill later on.  You know, we can integrate all that together into one instrument.  For the first time, we now have a department wide electronic mall.  It's limited.  We've got virtually all our food stuffs, and, when you feed 1.2 million people a day, there's an awful lot of food in the messing system.  So it's having dramatic implications already.

        Now, where are we with this agenda?  I'm very gratified at the progress that we've made, but it is still slow.  I think if I were to give us a grade, I'd give us a B+ on effort and a B- on progress.  You know, we're doing better than, I think, the average, but we have a long ways to go.  I think there are a lot of promising, leveraging technologies that we are putting in place. We've got a lot of building blocks for dramatically improved performance.  But we're still fighting organizations that know the old way of doing business and don't want to give it up. We're having to find ways to push them over the edge to adopt new practices.

        Now, as I'm actually going to give you two speeches today.  This is the end of the first one.   I'll be honest, I'm campaigning here.  And I want to talk to you about information security and infrastructure protection.

        This country is wide open to attack electronically.  A year ago, concerned for this, the department undertook the first systematic exercise to determine the nation's vulnerability and the department's vulnerability to cyber war.  And it was startling, frankly.  We got about 30, 35 folks who became the attackers, the red team.  We gave them enough money to go down to CompUSA or where ever.  They only could buy stuff off the shelf.  They were given no special software.  The only software they were allowed to use was stuff they either develop themselves or they downloaded from hacker web sites. They spent three months getting ready. We didn't really let them take down the power system in the country, but we made them prove that they knew how to do it.

        Now, why are we so vulnerable as a country?  We're vulnerable because of the enormous productivity improvements that we've sought through information technology in the last 20 years.  You're familiar with the term SCADA system, Supervisory Control And Data Acquisition Systems?  These kind of system are used to control remote switches on a power grid that will open additional switches or bring on new transformers or pipelines that are used to regulate the flow of oil through a pipeline.  It's used for water irrigation systems in the west.  It's used for everything and anything you can imagine.  They're basically being run now through these Supervisory Control And Data Acquisition Systems, SCADA systems.  They're commercial products off the shelf.

        Increasingly, American business, in order to save money and to shed itself of the cost of proprietary networks is moving these systems onto an Internet-based control system.  So we're finding increasingly, America's business and utilities are controlling the infrastructure through a technology that's wide open.  It was never designed with security in mind.

        The Defense Department is surprisingly vulnerable, too.  The reason is that over the last 10 years, we have been dramatically shifting our infrastructure over to commercial structure rather than government-owned.  I remember the first time I ever went out to Strategic Air Command 15 years ago.  You'd go out there and there'd be five phones sitting on the desk.  You know, there's a gold phone and a red phone and blue phone and all this kind of stuff.  But they were all government-owned phones and government switches and government-unique lines.  We had our own system.  Well, we don't do that anymore.  Ninety-five percent of all of our communications now is over commercial channels.  And one of the things that surprised us during Eligible Receiver, was the degree to which we had become vulnerable to penetration because we were riding on these networks.

        Now, it brings me to the subject which is the bottom line here.  I understand this is a bit controversial, but ultimately you are no different from us.  You are going to increasingly do your business over a media that was never designed with security in mind.  It was designed as a research tool.  We invented it.  We in DoD invented it.  It was designed as a research tool.  And the protocols are wide open.  Everybody knows how to plug in.  That's why it's so powerful now in business applications.

        So how do you protect yourself?  How do you provide security in an environment and a media that inherently is insecure?  A lot of things you have to do as a company.  We are, because of these experiences, shifting hundreds of millions of dollars over into information security.  But one of the things that is essential is the (inaudible) of this is encryption.  Now, I know this is a hot debate and part of the discussion I had with Petre while we were waiting the issue of encryption.  Petre's first question was, "Are you with law enforcement or are you with commerce?"  This is the debate that's occurring in Washington.  It's occurring all over.  It isn't exactly analogous to Justice versus Commerce -- There are law enforcement concerns and Justice and the FBI are responsible for those.  We want them responsible for those.  Then there are economic concerns and frankly, civil liberty concerns.  Those are contending values of equal value in our democracy.  Equal weight, in my mind.  I do not believe that it's more important to protect ourselves against terrorists if it means it comes at the expense of civil liberties in the United States.

        But I also don't believe that civil libertarians or cyber libertarians have a right to say we as a government have no responsibility to protect American society against criminals or terrorists. We're going to have to strike a balance here.  I personally believe that the debate of whether America's government is threatening our civil liberties is a fraudulent debate. We've never proposed anything that was any different than the mechanism we use every day to balance privacy versus law enforcement and security. Our police don't break into people's houses without a search warrant.  I mean, we know how to do that.  We know how to protect America's privacy, and we know how to safeguard that.  There's a very -- (inaudible) we fight wars.  It's for these values, these civil liberty values.

        We know how to balance them in this country, and we know how we'd balance them as well in this area.  And I think that frankly, the debate that's emerged has been, and I'm sorry, I hope I don't offend people when I say this, but a fraudulent debate because we know we can do that if we can ever move ahead.  Now, you may say that that means I'm siding with law enforcement.  I'm not.  I think that it's impossible to find a technical solution to this problem.  But I do think it's essential we find a technical solution for protection if you're going to operate through the Internet.

        Our position in the Department of Defense, and I frankly think it should be your position as well -- is that if you're going to operate through these public, insecure modalities, you have to secure yourself.  And you have to do that through encryption.  But I've also got to say the most dangerous thing in the world for us as a war fighter is to get an encrypted message that's a spoofed message.  There's an authenticity that comes with an encrypted message that gives you the implication that that's valid because it's encrypted.  You have to be able to determine the validity of the individual who is sending it to you.

        Now, from a business standpoint, I can't imagine any of you as business people who would turn over to your employees the right to spend your dollars or cut checks or ship technical information and not require those employees to leave an electronic fingerprint on it when they do it.  It's a basic of internal control.

        So your interests and our interests are no different.  What it leads me to say is I'm not picking sides between the law enforcement community and the commerce community, as it were, in this debate.  I'm saying we have to go right down through the middle.  We have to protect ourselves in this environment and it's got to be with encryption and some form of security management, key recovery in our case.  But we're going to make it voluntary.  It's our choice and we're going to buy it.  We're not going to ask that it be mandated through law on anybody.  We're going to pay for it.  And we've entered into contracts with a number of large houses to help us bring that kind of architecture.  We'll get the first one running this fall with Netscape, and hopefully, it'll be operational in October.

        But I'm telling you, this is something that you've got to do for your own companies and it's something we all have to do, frankly, for the country.  It's in your narrow interests as companies and it's in our broader national interest to do this.  And I would ask you to step past this debate that we're having on cyber liberties versus law enforcement.  We're going to have to get to a more sophisticated understanding of this problem, and we don't have a lot of time.

        I'm going to stop there and I hope that I've stimulated enough interest that there might be some questions.  Fortunately, only about seven people have fallen asleep.  (Laughter)  So, let me start with you, Dave.

        Q       It strikes me that the key recovery argument is a little like gun control.  Under the key recovery system, maybe only the outlaws will have strong encryption.  How do you respond to that kind of an argument?

        A       Well, I think that's sadly right in one sense.  Again, I am interested in encryption and key recovery to protect myself.  And I need it for the department so that we know we can talk to each other reliably without manipulation of the data and know who it is we're talking to.  Frankly, you as a businessman have exactly the same interests.

        Now, that does not answer law enforcement's problems and concerns.  And I'm very sympathetic on this issue to Director Louis Freeh and to Attorney General Janet Reno.  I don't want terrorists able to talk with each other openly through encrypted messages.  But I don't know how to get at that within the context because I don't think America is prepared for a mandatory key recovery system in this country.  As much as I think Director Freeh is right, we need to find a technical solution here.

        Now, we're wrestling with that, but we're going to have to find other solutions to it.  We don't listen in, we don't put wiretaps on everybody's telephone in order to do wiretaps.  I mean, there are processes that we have to go through to identify these people, that there's enough reason that we want to listen to these people that you can go to an independent judge and have that judge say yes, but under these conditions you can do it, and then you're empowered to go ahead.  That's exactly the same thing we would do here.  But it means, ultimately, the bad guys still have to enter in and out of American society and in and out of the infrastructure, the communications infrastructure.  And we believe that if we get going here on a voluntary basis to build up security structure in this country, they're going to have to operate in and out of an environment we do control.  But we'd control it under our terms, yours and my terms.  You decide what's good for your company, I'll decide what's good for the department.

        Q       I have a two part question.  First, I'd like to commend you on electing to spend your life in the civil service of our government.  I think that's very commendable.  I happen to know what you go through.  But more importantly, I have a two-part question.  Part one is on your business applications.  I'm intimately familiar with some of your problems.  I think that if you did a better marketing job to businesses and to the general American public, I think your job of finding those dollars to support your non-combative initiatives would be found much easier.  That's number one.

        Number two, on the area of security, I hope I don't offend you, but I'm a very blunt-spoken individual.  I find that the biggest problem with security in terms of the federal government is a credibility gap.  That credibility gap becomes paramount when you look at some of the non-media attention laws concerning the Internet, laws that have been published -- that have been passed, I'm sorry, as well as some of the encryption criminality of using it in an overseas environment in a non-Department of Defense environment.  I think that again, we're back to credibility.  I believe you believe what you're saying.  I believe you're saying what's in your heart, but I'm not sure that everything you're saying falls into the perspectives that you're presenting.

        A       Okay.  Let me take each of them.  As to whether or not we need to do a better marketing job as you describe it to explain it, that's why the hell I flew out here.  (Laughter)

        Now, on the second issue, first of all, there are no laws.  So I think what you're commenting on is the government's current position prohibiting the export of strong encryption overseas.  Now, I need to explain first of all, that the government is currently permitting the export of 56 bit encryption algorithms.  Now, I know that there's some huffing and puffing about whether that's strong encryption or not.  But again, I say let's put this in context.  There was a flap here the other day when, ta-da, somebody invented a computer that could break 56 bit encryption in 30 hours or 40 hours or whatever the time was, right.  You took 40 hours to decrypt a two-second message.  And it was good only for that one message.  You've got to start all over again on the next two-second message.  Tell me that that isn't strong encryption.  I mean, there isn't anybody in the world that could routinely bust that level of encryption in the same time sequence it takes to issue it.  I mean, so everybody still has this mental model that encryption is like World War II cipher codes, you get it once, it's good for everything.  Well, it isn't.

        So, first of all, we're not prohibiting anybody from using enormously strong encryption today.  Now, the department is working very actively with law enforcement and with commerce on a strategy that we think will help break through this.  We do not want to block American business from being able to export strong encryption.  We do want them to manage this over time.  I'm not talking about dozens of years.  But managing this in a way where we can honestly balance these national security concerns with American economic concerns, commercial interests and privacy concerns.

        I hope that in the next several weeks, we'll be able to finally hammer this out.  I believe we have a framework.  I'm sorry that I really can't go into it right now because it's still tied up in a fair amount of discussions inside the department or inside the executive branch.  But believe me, we are working this hard.  And we're not trying to block American business and American productivity.  But I'd also ask American business not to make a campaign out of just trying to bust through export controls as though somehow there was a God-given, inherent right to send the strongest encryption to anybody in the world, no matter who they are.  I don't agree with that.  I will never agree with that.  The last thing I'm going to agree to is that American encryption gets used by terrorists overseas without any effort on our part to control that.

        Now, it's striking a balance between who gets that and then not punishing American business, not losing American jobs, having America dominate this industry over time, and I want all of that.  Don't get me wrong.  I want every bit of that.  But we're going to have to balance those, too.  I hope over the next three to four weeks, we'll finally be able to get through with something that will help work that problem.

        Forgive me for not -- I know it's frustrating for me not to be able to give you the answer.  I know what it is up here, I just don't have agreement yet in what I think will be the system that works out.

        Let me go over here.  Yes, sir.

        Q       You mentioned that the prepared speech you were going to give this morning, you kind of tore up because of a change in your thinking after a visit to General Electric.  I'm wondering if you can tell us in a sentence or two what the change in your thinking was.

        A       Well, in all candor, the change in my thinking was -- I haven't resolved it yet.  But I came to realize -- I went to visit a world class organization and I came to realize, we, DoD, we're world class in our own way.  In what's important to us, we're world class at that.  There isn't anybody that's even close to us.  GE had an approach, Jack Welsh (?) has an approach, very interesting guy.  He talks about the front office and the back office.  I'm worrying about holding onto the front office because that's what's got GE written on it and the back offices, I want to give that to somebody else who considers that their first line of work.

        My problem is the front office stuff, which is going to war, we're going to always do that.  Frankly, we don't have a lot of volunteers to do it for us.  (Laughter)  So we're always going to do that.  But I can't shed the back office the same way Jack Welsh can because we've got interests around the country that don't want to lose depots and don't want to lose bases and this sort of thing.  I don't know how to wrestle this problem, but I was going to initially just talk to you about how broken we were in our business practices.  And that would have been, I think, misleading because we're not a broken organization when it comes to using information technology.  In many ways, you know, we're astoundingly successful at it.  So I was going to mislead you if I gave you the speech I was originally going to give and I was going to give you kind of a negative impression about the department.

        Having said that, we've got our hands full trying to get at the support side.

        Yes, sir.

        Q       I don't want to beat the encryption issue to death, but I really don't think I fully understand the position on export restrictions on encryption.  I mean, it's not like supercomputing where clearly, without billions of dollars to do research and development, you aren't going to basically be able to duplicate supercomputing in Tehran.  But all it takes to do strong encryption is somebody with good intellectual capabilities and a $3,000 personal computer.  So, I mean, can we really, through export restrictions, prevent incredibly strong encryption being developed all over the world where we don't have any control.  I mean, I guess I just don't understand -- feel like we're over here trying to get the barn door closed and there is no back to the barn.  (Laughter)

        A       No, I don't agree with that because it isn't just a smart guy thinking up an algorithm and putting it on a PC.  You know, it's creating the infrastructure for a security environment that that encryption rides on.  That turns out to be much more demanding than you think.  After all, PGP (Pretty Good Privacy) is out on the net, right?  There aren't that many people that are able to pick up -- you just can't set up PGP between you and somebody else.  And if you do, it's a good thing to look at.

        So, at the same time that we're working this, we're going around to our colleagues and friends in other countries and encouraging them to establish a legal framework to manage security infrastructure in their countries.  I've been around to seven or eight or nine of our NATO allies encouraging them to establish the kind of security structure that we're going to try to create over here by buying it.  We've been working very closely with Ambassador Erins (?[probably "Arons"]) of the Rosana (?[probably "Wassenaar"]) process to get this thing and we've made great progress, I think, during the last five, six months.

        So,  I don't agree with the representation that this is simply an issue of a smart guy knowing how to do an algorithm and putting it on a PC.  That is a far different thing from having widespread encryption use systematically.  What we would like to see is widespread systematic encryption that has a backdrop of a security architecture.  That's appropriate for all the different countries.  Our only interest -- and some of the allies initially thought that I was over there wanting them to buy our stuff.  I'd be happy to do that, I'd like you to buy our stuff.  But develop your own if that's what your concerns are.  But for heaven's sake, develop a security structure around it first and one that is mutually reliable with us.  Because ultimately, we want American business that's operating in Italy to be able to interchange, if they want to add a system that's unique to Italy, fine.  We just need to be able to exchange with that. This is a matter of us working through. It's the nexus of a technology challenge and a political imperative.  Not political in a partisan sense, but a policy imperative.  And I think it's something we just have to work our way through.  It's an enormously complicated problem, but it's one I think we're obligated to try to fix if we can.

        I actually think that the trends in the industry are heading in our direction.  I think that the market forces that are under way -- I've been around to talk to a lot of the big companies that are in this business and talk to the technical directors and I think the dynamic is heading in our direction that we'll ultimately support a security architecture around this industry.  But let's do it where we have it grounded at least that's in a matter consistent with American values and American society.

        Yes, sir.

        Speaker:  We're about out of time.  We'll take one more question.

        Q       Just a question on Year 2K.  As you read a lot about that, there's a lot of concern about the companies as well as the government being ready.  What do you see or what are your concerns on an international basis?  You talk about terrorism and vulnerability and those types of things.  I would think that as a country and as a bunch of corporations, if we're not ready, it leaves ourselves pretty vulnerable.

        A       Well, let me first say what we're doing and, I think, what keeps me awake at night.  As you heard, we have about 28,000 systems that we're monitoring, 2,800 of them are what we consider to be mission critical across the board.  That's everything from the GPS satellite system to an accounting system. It is critical for that particular community's mission.  We fixed about a thousand of those 2,800.  We know, by system, the status of the others, that is where it is in the renovation or testing, that sort of thing.

        Several things make me very nervous.  One is interfaces and interconnections.  They are not well mapped out, so we've required every system owner to go through a methodical process of documenting through MOA's who was changing what and the interfaces back and forth.  That's only a sufficient first step.  You then have to go through a system of enterprise testing.  Not just stovepipe testing for that system, but enterprise-wide testing.  I got that from Armand when we talked about that.  So we have placed a fair amount of effort in trying to find methods for enterprise testing for systems.  For example, our average payroll system is connected to 65 feeders, I think.  So it doesn't matter where it breaks down, it's going to work on pay problems.  So it's in our interest to figure out where that is.  So that's one of the things that keeps me awake at night.

        Another thing that keeps me awake at night is, you know, we operate so many old systems.  I mean, and a lot of these old systems, you know, in the '80s, the fad was to put a graphic user interface in the front of it, the veneer.  And so it may look like it's Windows NT, hey, we're good.  But underneath it is 30 year-old code that nobody knows how to program in and the last guy that did died two years ago. (Laughter)  So, it's scary because you say are you Year 2000 compliant and say yeah, look at it, that's Windows.  But you don't know what's really crunching underneath it.  That worries me.

        We're very concerned about the embedded chip problem because we have bought so many things off the shelf here in the last five years.  We've pressed so hard and there wasn't kind of the rigor and discipline to know where that is.  You may take three things that all have exactly the same label on the front of them and test them and they fail differently because there are different chips in them.  And frankly, the company didn't know that in some cases.  So that worries us.

        Knock on wood, we're going to have some embarrassing episodes, I don't doubt that, when it happens.  I don't believe our nation's security is going to be at risk.  We're, for example, taking each one -- there are 76 systems that are involved in nuclear command and control.  And we're taking every one of those and we're doing dedicated enterprise testing on those to make sure there isn't any problem there.  We operate 25% of all the air traffic control in this country, DoD does.  We have to make sure that we're not going to have a problem there.

        But I think we're probably going to be the poster child for failure.  Nobody cares if the Park Services computers don't come on.  Okay?  But what's going to happen if some do in DoD?  Let's face it, we're going to be the poster child for failure if something happens, even if it's trivial in scale, people are going to really try to make fun of us.  And so we know that.  And it's not just to avoid the ridicule.  I mean, I'll take that.  I get that every day.  It's to try to make sure there isn't something real that's behind that.

        Now, you asked about international and we're frankly, a bit concerned here. Some people are, of course, doomsday minded and say we're going to have a global recession and all that.  I'm not smart enough to know anything about that. We are concerned that we have communications links that are reliable with our primary -- five years ago, I would have said opponents.  I don't know if I'd call them opponents now.  But we want to make sure that Russia's early warning system works on the 1st of January, Year 2000.  And if there are problems, we're perfectly willing to sit down and share early warning information with them in a controlled manner so that if something does happen, there's a confidence arrangement that we've established in advance.  We think we're going to have to do some of that.

        But frankly, we've got our hands full just trying to get our own problems fixed.  We're reaching out and I think will indeed to try to launch -- I'm a little constrained talking about it right now, but I think a couple of programs to try to help with areas where we need to know with confidence that communications links with other countries are going to be operational.  That their eyes and ears will function and if they don't they've got other eyes and ears they can use during that period, things of that nature.  So it's got us nervous but we're working on it.

- END -


NOTE: This is a plain text version of a web page.
If your mail reader did not properly format this information,
the original is online at http://www.defenselink.mil/news/