After 36 years in the United States Congress, Norm Dicks returned home to the 6th District of Washington last night and took his place at a podium less than a few hundred yards from the nuclear aircraft carrier, the U.S.S. Ronald Reagan, anchored in the Bremerton Naval Shipyard. Earlier in the day, only a few miles up the road, a mysterious mini-submarine, described as a SEAL team delivery vehicle, was spotted on maneuvers in Tracyton, in proximity to the Bangor Naval Submarine base.
As the ranking member of the powerful Defense Appropriations Committee, Norm Dicks has had a guiding hand in each of these military assets. And yet, on this occasion, after eight years serving on the Defense Intelligence Committee, Dicks was at the lectern to discuss a threat that neither an aircraft carrier or a Navy Seal team operation could handle. This was a risk to our nation’s infrastructure of a different kind, something General Keith B. Alexander of the National Security Agency has labeled a threat that could potentially represent “the greatest transfer of wealth in history.” Even more insidious, the threat used tactics that practically any individual on the planet could easily deploy on their desktops or with the Smartphones in their shirt pockets or purses — Internet access!
“I have to wonder whether it is going to take a “Cyber 911″ to wake the nation up to the profound cyber threat that we face,” said Congressman Dicks.
Herein are the eight-term Congressman’s excerpted remarks on “Cyber Security” from his address to the Western Washington Summit on Leadership and Innovation presented by the West Sound Technology Association. The address was an extraordinary climax to a political career that has spanned presidents, a transformed homeland defense infrastructure, and a whole new breed of threat to our national security.
UPDATE [11.14.12]
President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.
Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October.
The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.
The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.
“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
The policy, which updates a 2004 presidential directive, is part of a wider push by the Obama administration to confront the growing cyberthreat, which officials warn may overtake terrorism as the most significant danger to the country.
“It should enable people to arrive at more effective decisions,” said a second senior administration official. “In that sense, it’s an enormous step forward.”
Legislation to protect private networks from attack by setting security standards and promoting voluntary information sharing is pending on the Hill, and the White House is also is drafting an executive order along those lines.
James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, welcomed the new directive as bolstering the government’s capability to defend against “destructive scenarios,” such as those that Defense Secretary Leon E. Panetta recently outlined in a speech on cybersecurity.
“It’s clear we’re not going to be a bystander anymore to cyberattacks,” Lewis said.
The Pentagon is expected to finalize new rules of engagement that would guide commanders on when and how the military can go outside government networks to prevent a cyberattack that could cause significant destruction or casualties.
The presidential directive attempts to settle years of debate among government agencies about who is authorized to take what sorts of actions in cyberspace and with what level of permission. [24×7]
Congressman Norm Dicks: “Having served on the Defense Appropriations Subcommittee, and on the Intelligence Committee, I strongly supported the creation of Cyber Command, intended to oversee and protect our defense information networks, assure that the United States and our allies have global access to cyberspace, and that we have the ability to deny such access to our adversaries. In this regard, I believe we are making advances, and that we possess greater capability, both defensive and offensive.
“But as Richard Clarke, the former special advisor to President Clinton on cyber-security has noted in his book, there is no such coordinated protection of our non-defense networks upon which U.S. citizens rely so heavily today. Clarke paints a frightening picture of the chaos that could follow a serious cyber-atack.
“When you realize who is at work here, including governments that are developing offensive capabilities in cyberspace, you have to understand that the threat is real. It is serious. And it not going away. It is only increasing with our increasing reliance on immediate access to digital information in nearly every aspect of our lives.
“Most of our data is shifted to the cloud leading to more and more of our information that is not stored on the hard drive of a desktop computer or the printer in our office but rather on a network of computers in other locations that allow us to read our email or iPhones and pay bills remotely. That is a personal convenience for us to be sure. But also a factor that introduces its own vulnerability related to the security and protection of our information.
“For discussion purposes today, I’d like to address the national security situation first. As I said, I supported the creation of Cyber Command within our Defense Department. I’ve worked with the Department of Homeland Security to provide funds for the protection of critical networks and systems and I’m aware of the immense capability that we have, particularly within the NSA to monitor cyberspace and to develop offensive capabilities of our own.
“Given what we know about the enemies and potential adversaries that exist, their intent to harm our people and our economy, it is imperative we remain on the cutting edge of technology and that we recruit personnel with the skills and abilities to continue to keep our nation safe.
“In this regard, I’m encouraged by the recent efforts of DARPA, the Defense Advanced Research Projects Agency, to develop our own capabilities through a robust “Plan X” program, which is an attempt to help the Defense Department understand how to plan for and manage cyber warfare in realtime dynamic network environments. In the same way DARPA has functioned successfully to stimulate revolutionary developments in many aspects of hardware technology, Plan X is intended to develop the analytical capabilities to help the military understand and function in the cyber battle space, something we must and should be pursuing.
U.S. Repelling Tens of Thousands of Attacks Everyday
“As we guard against and repel the tens of thousands of attacks that take place everyday against U.S. government systems, one of the many challenges we face is to determine where and from whom an attack is coming, and to do so in realtime.
“We see intrusions coming from China, from Iran, from Russia and networks in other countries. But what is also true about cyber attacks is that they are asymmetrical. Rogue groups or factions can often have the same capabilities as nation states, so our ability to discriminate becomes even more important. And just as we must be concerned with keeping US government networks and systems secure from intrusion, the government also has an obligation to work with private industry since the communications networks over which nearly all of our data rides is essentially non-governmental.
“It is in our national interest to insure a unified response to any incidents that occur, and to help state and local governments as well as the private sector protect and harden their critical infrastructure.
“Congress has been wrestling with these issues for the past several years though we have not devolved real consensus over any type of legislative solutions, and frankly that worries me.
“To be fair, there are serious questions about privacy, constitutional protections, the proper role of government, and legal liability when you attempt to devolve a national regime for protecting data across areas of jurisdiction.
“Can our government compel a bank or another private business to provide the sufficient transparency that assures we know what is happening and when? And should the United States government be responsible for setting standards?
“On that question, I come down strongly on the side that we need to be helping set standards.
“Those are two of the serious questions that have complicated the passage of serious cyber-security legislation in the House and Senate. There is an understandable reluctance in Congress to establish mandatory reporting requirements. For example, obligating a business to tell the government when and in what form a cyber-attack takes place, presenting the obvious legal liability if such knowledge becomes public.
“Conversely, if you do not make such a transparency requirement mandatory, can you really be sure you are fully protected? To date, we have not resolved that conundrum. Nor does it appear likely that it will be done before this session of Congress expires at the end of the year.
“Hereagain, I have yo ask the rhetorical question. How would these concerns be viewed after a major cyberattack occurred?
“What if one or more major American banks were suddenly compromised and millions of customers attempting to withdraw funds were precluded for an extended period of time? Or, if a major city’s water system were shut down by a computer attack that left Chicago or Los Angeles virtually paralyzed?
“I’m not one who is hoping or predicting that such catastrophic attacks will occur. But I am one who believes that it is helpful to put ourselves in that frame of reference in order to assure the American people that we are taking adequate measures as a government to keep them safe and secure. There’s no magic formula here. No way that we can guarantee in an interconnected world that we are keeping all the bad guys from harming us.
“But what we simply must do, and soon, is find a way to encourage and assure that all levels of business and government are working better together than they are today. At the very least, with regard to cyber security, we should be working to assure that the national interest is at least one of the concerns considered in corporate board rooms. And that American businesses recognize that we all have a stake in protection of critical data and critical infrastructure.
“In addition, if we put ourselves in the frame of reference that I mentioned, we must assign a higher premium on action after nearly ten years without any consensus in Congress on legislative solutions. In this regard, and it’s blasphemous for a member of Congress to even think about this, I believe thoughtful and relevant Executive Orders, under existing law, should be proposed and implemented by the administration if there are actions that the president truly believes will protect Americans and our economy in what could easily be the catastrophic impacts of a cyber attack.
“The president does have broad authority and responsibility as Commander-in-Chief, and through there would obviously be a review of executive orders on Capitol Hill, particularly in the House. I think there would be some reluctance to blocking reasonable measures that can in some way give us protection from our adversaries that the American people would expect us to do.
“That is my message to both houses of Congress as we watch another session come to a close with no consensus on what I believe is one of the most important national security and homeland security concerns. All of us remain at risk. It is my hope that we will act before it is too late.”
Congressman Dicks added, “We are very good on offense as we have shown in repeated instances, but on defense we are very vulnerable. As an old linebacker, I can tell you that when your defense is vulnerable, you sometimes lose.” [24×7]
