
10.20.09 - REMARKS BY GENERAL GENE RENUART at the AFCEA Defending America, Cyber 2010

General Gene Renuart: Thank you, appreciate that very kind introduction and you know, those of you that have had a chance to speak in front of large audiences, you know that the introductions are always way more positive than reality, so it’s kind of nice to listen to that every once in a while and know that somewhere my mother is smiling. She’s proud of me because she believes all those things that happened, that are outlined in the introduction.

      A great opportunity to be with you today. I appreciate the chance to spend some time today and hopefully we’ll have the opportunity for you to raise a few questions. This is a good group and I appreciate not only the commercial sponsors, the presenters, out the hallway the contractors who help us be successful, but of course, the organizing agency that worked so hard to put this on and it’s an appropriate topic critical to our time today.

      I’ve been in command of NORAD/NORTHCOM for about three years, so I’m getting to the end of my tenure, so I can speak with some expertise and certainly a lot of passion and opinion and the topic of the integration of the cyber enterprise into what we do every day, not only in our particular roles and responsibilities but certainly across all of the Department of Defense and even more importantly across the enterprise that is our nation, the economy, education, defense, information management, personnel management, all of those things are touched by this domain. We sometimes have a tendency to create this cocoon around something called cyber and say it should stand alone and maybe in those early days when we didn’t quite understand what that domain really was, how pervasive it was to the conduct of operations in our economic environment, in our military environment, our political environment, I think maybe that was a natural reaction but, in fact, we found that it is pervasive across everything we do and frankly, I’m probably not a good person to talk about this because I’m too old, I have too much hair, I don’t wear flip flops every day and I can’t text at the speed of heat. So we are also about trying to find the right people to grow up, and frankly most of you are too old to do that, too, I might add. How do we grow the next generation of leaders that can operate in a cyber-dependent environment and have it be protected, have it be secure, have it be innovative and have it be supportive of the developments that are going to occur in the coming days? Tough, tough challenge. So this is a good forum to be able to discuss that.

      My good friend Jim Stavridis who is the Commander of U.S. European Command the Supreme Allied Commander of Europe and the leader of all of our NATO military forces made an interesting observation a day or two ago. We were talking about actually just this topic at the Defense Senior Leaders Conference earlier in the week and as part of that I think he had Mr. Butler out earlier to talk about, mention that a little bit. We had a cyber table top, and we were all musing about how inadequate we were at that table in this domain. Frankly we talked about how inadequate the nation is to provide for the safety and security of that domain and Jim said, “You know, I was a destroyer commander back a few years ago and we thought that the command control capability, the integrated systems on board were pretty cool.” He said, “Until I realized that my daughter’s iPhone has more computing power and better communications capability and more integration of systems than I did on that destroyer,” and it’s pretty amazing but it’s true. I bought my wife an iPhone about a year and a half ago for Christmas. When iPhone first came out, there’s all these cool apps. The iPhone first came out I guess three years or three-and-a-half years ago and there was a lot of publicity about the fact that there’ll be some apps that’ll go on it and you know I think we started out with, three, four, five, eight applications that were cool. I don’t know the exact number today, you guys probably know better than I do, but I think there’s better than 75,000 applications that you can load on your iPhone to give you better access, better connectivity, better situational awareness. I think my wife has 72,000 on hers.

      So the explosion that is occurring in the tactics, techniques and procedures of cyber are sometimes mind-boggling and certainly they are things that are going to have to be dealt with I think in the coming days in ways that we haven’t really anticipated. It also is not a place that is benign. There is an article in the Washington Post today, as a matter of fact, “Google Attack:  Part of a Vast Campaign.” I don’t know if you saw that by chance, but if you get Washington Post on your iPhone app you can read that article, but what it says is that cyber attacks on Google, that the search giant says originated in (not my words, their words) China (don’t know that to be a fact but certainly it’s a possibility), these are “part of a concerted political and corporate espionage effort that exploited security flaws and e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States.” That’s not the Commander of Cyber Command; that’s not the Commander of Strategic Command; that’s not the Commander of Air Force Space Command saying that, that’s Google. I bet if we took a poll in here, we’re in the 92, 93, 94% of you that use Google as kind of almost everything you do. Certainly, in my NORAD mission tracking Santa is critical for that. I can’t afford mission degradation when it comes each year to that time of the year when we need to keep Santa safely along his way. So, there is a threat out there and it’s not just from a nation state, it’s from non-nation state actors as well.

Another article in The Wall Street Journal. “Web Is the New Front Among Cold War Foes.” China, Russia, Iran, North Korea, Al-Qaeda, Hamas, Hezbollah, Venezuela. You pick it, people are beginning to expand into environments that can be strategically significant for them and don’t challenge us militarily, necessarily. They found ways to exploit the seams and gaps around U.S. and other nations’ military structures. If you happen to be a citizen of Estonia, you know well what at least a nation state-supported attack can do to a nation. Estonia invoked Article 5 of the NATO agreements in that regard and NATO has struggled with “how do you respond to that?” Is a cyber attack like that an Act of War? Don’t know. A lot of lawyers out there had a tough time coming to grips with that question and it’s going to get more significant not less. Russia invades Georgia and a massive cyber attack occurs that clearly has some nation state support behind it. So you see not just an element of influence, but a strategic piece of a military operation focused on an opponent. The legal battles in all of this are significant. There’s another article in The Post today, “British Hacker Wins Delay of U.S. Extradition.”  The U.S. has said, hey, we have no objection to the U.K. extraditing this hacker who had been diddling, I guess to coin a term of some political leaders, diddling with networks that affected the U.K. The U.S. said we’re happy to extradite and this individual has taken good use of his legal rights and blocked that extradition. So there are legal challenges, not just in the technology of cyber, but in the courtroom as we try to figure out what these attacks constitute in terms of legal and illegal activity. Are they threats to nations? Are they threats to individual’s safety? Are they threats to economic tools? So welcome to that world out there and it’s going to get more complicated rather than less.

      What’s interesting to me as I talk to folks around the country, I realize that from a natural disaster piece or a terrorist piece there are some that say, ah, it’s been awhile since we’ve had a terrorist attack, there’s probably not a big threat anymore; things are getting better. Of course, until the December 25th underwear bomber, all of a sudden there’s a bellwether event that refocuses our understanding of the terrorist threat, but a lot of people would like to make that go away. They want to get back to normal. Please don’t make me have to go through the TSA stuff. 

Interestingly when you talk about cyber, it’s a little different because all those same people want to get on their iPhone or their computer or whatever it is and if they have a virus, if they have an interruption of service, that hits them at the very core of their existence because they rely on that domain to shop, to travel, to communicate with their family. You know, bad thing to interrupt a grandma who’s doing a Skype with their grand baby. So we’ve come to expect this enabler to our daily life and so people seem to be much more sensitive to cyber interruptions in their life and, of course, if you’re like me, I don’t even know what a bank statement is anymore and my kids don’t carry cash anymore. Well, if you begin to interdict that, you begin to have significant challenges. By the way, when you interdict that, my kids don’t know how to find a bank statement, so there’s two parts of this problem not only in the operation and protection of the domain, but in the resiliency if the domain is degraded, and we’ll come back and talk about that in a little bit.

      Now, I can’t get off stage here this morning without also giving you a little bit of a tutorial, and I know some of you know NORAD and NORTHCOM well. They’re familiar with how we work, who we work with and many of you have heard a little of this before, but I think it’s important to set the scene for why for me, as the war fighter in the homeland, enabling, defending, actively using the cyber domain ensures that we can do what our nation has asked us to do and that is to keep you safe, to keep your family secure, to ensure that we have freedom of maneuvering in all of those environments and that we can continue to operate when Mother Nature takes her own decision to try to slow us down.

      I talked about the two commands. NORAD has been in existence over 51 years and it started out being the guardians against Russian bomber attack. As time went along we saw the innovation of long-range intercontinental ballistic missiles. NORAD picked up the role of warning of that and it was really to tell us two things, one, we’re under a massive attack. Mr. President, Mr. Prime Minister, you’d better launch whatever retaliatory capability you have because the second part of that is, everybody needs to go run under their school desk and put a sheet over their head because that’s what we thought we had to do to protect ourselves from those Russian nuclear attacks years and years ago, or build a bomb shelter in your backyard and be prepared to survive that kind of attack. NORAD has grown substantially since that time and its reliance on, its participation in, and its use of the cyber domain has increased with each one of those advancements. Certainly, missile defense, space situational awareness, today maritime domain awareness and maritime warning. None of that happens without reliance on the digital environment to collate information, to consolidate information, to analyze and decrypt information, to present it in a way that is decision quality for the Commander and then for the National Command Authorities. So we continue that mission every day and by the way, much of that warning, sensor, observance piece of this also has to come inside the borders of our country because on September 11th, we saw that the air transportation industry can be used as a weapon of mass destruction and we can no longer assume that the only threat comes from a nation state and that only comes from outside our borders. That also was the time when NORTHCOM was formed to help defend against those kinds of threats and to be prepared to support civil authorities when disaster strikes, in the air, in space, on land, in the maritime and certainly in the cyber domains. 
Homeland defense is active and it’s passive, it’s preventative and it’s resilient and if we’re not focusing on all of those, we are failing.

      A couple of years ago when I took command, we added a single word to our mission statement that was “anticipate.” You know, if you’re only responding, you’re late, and if you’re late to your mom’s house when there’s a disaster striking, you know, she doesn’t generally take that very well. So we want to be in front of those things. We want to help to evacuate. We want to help to prevent when we can. We want to understand that there really is an underwear bomber that could get on a plane in Nigeria and maybe not let him get all the way to short final in Detroit before you can do something about that. Our NORTHCOM missions include all the traditional defense capabilities, missile defense, air and maritime defense, support to law enforcement in border security. So we’ve got those traditional defensive roles, but we also have a role to support civil authorities when disaster strikes and certainly Katrina was a great example of how not to do that. Gustav and Ike, great examples of when you actually plan ahead, when you anticipate a challenge and you prepare for it, you can actually do a lot better job. We provide that kind of support within our areas of responsibility, North America, Canada for sure, U.S. and Mexico. With Mexico we also have a huge role of supporting both their military in their counter-narcotic fight, but also our law enforcement officials as they are working to stem the flow of illicit trade and traffic from the south to the north and from the north to the south. Money and guns moving into Mexico at an alarming rate to support the drug traffic which is coming north at an alarming rate. Two hundred and thirty cities around our country are plagued with drug-related gang violence and in virtually every case your kids are being exposed to drugs smuggled here by those drug trafficking cartels and supported by gangs in your cities that partner with drug traffickers in order to make money and it is a business bigger than you can imagine. So all of those things are areas that NORTHCOM focuses on every day and all of them are dependent upon this domain that you all are so intimately involved in every day.
We focus on communication, coordination, collaboration, integration and cooperation amongst many partners, 49 states, three territories and the District of Columbia. Nearly 60 federal agencies from the governments of the U.S. and Canada and Mexico all live and reside with us and partner with us and plan with us and we want to be prepared for that next event. We are the supporting agency to the emergency support functions within the national response plan, so we constantly focus on the what-ifs of this and how do we prepare. We have a lot of support that we provide to some unique activities as well, the inauguration, U.N. General Assemblies, the G‑20, national political conventions, the space shuttle launches, we talked about disasters like the wild land firefighting in California, hurricane response, fighting drugs and illicit trafficking, and some really good things to do as well, ensuring that we provide the right kind of support to Canada as she prepares for the Winter Olympics here in Vancouver just in about a month from now will be opening ceremonies. So at the direction of the Secretary we can provide support to any federal agency and I’ll just make one more real good example of that point. As you know catastrophic earthquake in Haiti, that is SOUTHCOM’S area of responsibility. We are, in fact, as we sit here at this moment, mobilizing and moving a major portion of the forces we use and train to prepare for homeland disasters to be ready to help SOUTHCOM and move in and assist Haiti, so we can move those capabilities outside, and by the way, you talk about a cyber challenge, no communications, no airport traffic control, a critical need for information movement, evacuee and victim accountability, all of those things are working right now and that’s what we do in NORTHCOM and NORAD every day, so we’re lending that to General Doug Fraser down at SOUTHCOM to try to be value added for him.

      You heard in my intro that I fly airplanes and fighter pilot by trade, so you know I’ve probably exceeded my capacity for long sentences and big words, so we do what fighter pilots do best. We show game video or cockpit video, so what I’d like to do is just run a short video here that will capture all of those things that I’ve talked about that we do, and I’d like you to look at it from the perspective of, where does the cyber environment touch us?, and then I’ll come back to some specific challenges that we have here in just a minute. So if I can get you to roll that video for me, please.

Command Video Played

General Renuart: Good videos are always nice to watch. I just want to maybe capture one of those last scenes for you and it defines who our customer is. Now for those of you in business out there, you would say your customer is the Department of Defense, the international banking industry, other contractors. I’d say that’s a bit of a myopic view. Your customer is really that family you saw there at the end in the sunset. Especially in this domain. Your customer is ensuring that we all partner together to make certain that that family has a safe, secure environment to live and work and play, to be educated, to be financially secure and to have a secure environment to operate in. We tended to look at cyber as a cylinder as we began this journey and so we said, ah, well, it’s computers, so we give it to the J6s of the world; it’s com stuff, and then somebody said, well, but yeah, we use that capability for the Intel folks because they’ve got to fuse together all this information, and so we said, okay, well, yeah, Intel has to play in that, and then we said, well, space and cyber are kind of cool together because you’ve got to move signals up and down in and out of space and cool sensors are out there taking picture on how we move that data so it must be a space thing. Well, folks, it is everything and we can no longer afford to look at, address challenges in cyber space as a cylinder that we just focus on. Nothing we do to defend our nation can be done without the capability, the quality, the assurance, the agility and the speed that cyber space can afford us and yet we have to ensure that’s always secure and protected so that that speed and agility can be taken advantage of.

I have a number of roles in the cyber arena and I’d like to maybe just talk about a couple of those. First, obviously to support the defense of the global information grid as we use it in the homeland and my partners aren’t just DOD. It’s lucky to be the CENTCOM JFACC and his AOC and he’s got this war-fighting theatre that he owns the air space and all the partners and he can deal out cyber participation as he chooses. Doesn’t work for me. I told you who my partners are. My coalition village is over 110 or 15 or nearly 20 partners and only probably five or six or seven of them live in the .mil domain. Most live in the .gov, .com, .net, .edu, in fact, most live in the com/net.edu domain. So what authority do I have as a combatant commander to mandate security in that environment? I don’t. I’ve got to coerce, collaborate, coordinate, encourage, invite and that’s the uncertain world that we live in, so defending the global information grid is an interesting concept, except I’m only a bit player in that. So I’ve got to put a demand signal on our department and our partners like the Department of Homeland Security and on the private sector to ensure that we collaborate on ways to create basic network defense for all of us.

The second role I have is input, to USSTRATCOM, soon input will be to Cyber Command, and then I have a piece outside of the .mil world to work with the Department of Homeland Security to ensure that their grid, their network, is compatible with ours, protected like ours needs to be, but accessible as well, and then to help partner with our friends in DHS and others to ensure that they have this benefit of the same kinds of experiences and expertise that we’ve worked ourselves through.

      I haven’t said much about the private sector, but again you realize this. Most of you don’t deal in .mil or .gov; you deal in the other environments, the other networks, and so we’ve got to have participation from industry, from enterprises across the globe to ensure that we partner with for the right kinds of secure operating environments, with resiliency when they come under attack, with alternate capabilities when they’re impeded so that we can continue to do the things that make the engine of our nation so successful. And then I think the third role is really to be the bridge in between all of those. I don’t have a lot of forces. Mike Curry, my Deputy J6 is here, and his boss Admiral Dianne Webber would say, hey, we’re not very deep in all this, but we can certainly push our demand signal out there in a big way and that’s what we’ve asked for them to do, to figure out how from a homeland war fighter perspective we can sensitize the rest of the environment to respond to the kinds of challenges that we see. We have a unique view on the world, maybe unlike any other of those agencies out there and so we see that we have a role to play in assisting at the national level to create the growth in cyber capabilities that we must demand of all of you for the future. Lots of challenges and we continue to work on those. As I said, we’re not very deep in some of those areas, so we try to take advantage of other folks’ expertise and we work closely with General Chilton and his team at STRATCOM for sure. We partner with independent agencies. We’ve just completed a recent look by an independent study group that we chartered to help us work through the kinds of challenges that we ought to pay attention to in our homeland environment and maybe I’ll jump ahead a minute or two and talk about a couple of those because I think that might set the tone and then I’ll stop for questions because we want to get to that.

      We have an independent strategic assessment group made up of senior experts from a whole variety of disciplines across military and civilian organizations that I bring in on a routine basis and we ask them to take a look at our roles and responsibilities, capabilities, authorities and organization for cyber operations in the future especially as they focus on the homeland unique missions, whether it’s defense or defense support of civil authorities, and they gave us an out-brief here about 10 days ago and it was well and good to see that we were already on the right track in many of those areas. We had already completed or are in the process of conducting most of the actions recommended and that we are on the right track, but they made some interesting points. DOD alone has 4,000 bases and installations, 15,000 networks, 7 million computers, 120,000 com circuits and probably no one individual, no one organization yet has the responsibility to set priorities for the defense of all of that, and for us that means that the networks we use every day are owned and operated by a broad variety of partners and unless we are collaborating with each of them, we can’t be sure that we will have an adequately defended set of networks that we can operate with. So the recommendations that we really took on and I think I’m excited about are a few of these. Collaborating with stake holders to defend the most important segments. We’ve got to analyze what are the things that are most important to us, prioritize them and decide how do we defend them passively or actively. Establish machine-to-machine situational awareness relationships, both in and out of the defense focused networks. Create and incorporate automated indications and warning that are smarter than we are.  They know when an attack might be occurring and can warn us ahead of time instead of telling us that something has occurred. Create the ability to characterize better. 
Look for the cause, the risk and the mitigation of an event. Interesting comment out of this group that people need to be reminded that the networks aren’t the mission, the networks support the mission, and I think there was a period of time where we maybe kind of strayed a little bit and looked at cyber as its own art form and it was the mission and, in fact, like space it enables all of those missions to occur and if we’re not looking at it from that broad enterprise aspect we will probably not be successful. So we continue to work on some of those and we’ve got a good action plan. COL Mike Curry and RDML Dianne Webber and their team in our cyber warfare cell are pushing hard on those to look for collaborative ways to succeed, but we have to be ever watchful.

Secretary Napolitano a while back said the thing that she fears most is complacency and I’ll say I hope she took that from my quote because I’ve been asked many times, you know, what keeps you awake at night? and what really does keep me awake at night is that people will begin to get complacent, they’ll think that everything is okay, that we’ve had a long period of time go since the last event, whatever it may be, and that we must have solved the problem, and the fact of the matter is that our adversaries, whether they are terrorists or cyber adversaries are looking for the next seam, the next gap, the next vulnerability and they will take it at a time of their choosing, not necessarily a time of our choosing, but like Mother Nature, and if we’re not prepared, if we don’t anticipate, if we don’t assume that it will happen and be prepared to interdict it before it occurs, then we’re going to suffer another catastrophic event and I fear that in the cyber arena that’s not just a military event, it is a national event, and so all of you are necessary in this team approach to ensure that we don’t get that unplanned attack that takes us to our knees, that it doesn’t bring our economic engine to its knees, that it doesn’t impede our educational systems in a way that we can no longer create the kind of expertise that we need in the future.

      So with that I think I’ll stop and I’ve got a few minutes that we can cover some questions, if there’s some that you’d like to fire away at me, I look forward to that. Thank you.
