Symposia

Foundation Forum

Lt. Gen. Kenneth A. Minihan
Director, National Security Agency
AFA Air Warfare Symposium
January 30, 1997

"Conflict in the Information Age"

Good afternoon. It's a great day to be in sunny Orlando. It's almost as good as Texas ­ definitely better than Washington. It's always a pleasure to participate with the Air Force Association in the terrific work you do supporting education and training. I'm especially pleased to have the opportunity to speak to you about an important topic ­ conflict in the information age.

The end of the cold War was not, as some declared, the end of history. The world has continued to change, and that change has been shaped largely by two key factors ­ the changing distribution of geopolitical power and the revolution in information technology.

Since the end of the Cold War we've gone from a two-superpower world to one in which power is diffusing to many new actors, some regional or global in scope and many more at the sub-national level. The international actors, such as the new regional trade associations, have gained influence largely with the consent and support of the countries that comprise then. A number of the smaller actors ­ separatist movements, terror groups, and criminal cartels ­ have gained influence through access to more powerful means of destruction, such as truck bombs, nerve has, and biological agents.

From a threat perspective, these smaller actors present a difficult challenge. Their new weaponry gives them the capability to inflict strategic levels of damage on modern societies, yet they are small enough to remain elusive and anonymous. They can pursue their objectives by striking when they choose against a wide range of undefended targets, and frequently they have no territory of their own to hold at risk of retaliation.

Dealing with the physical threats posed by these new actors won't be easy, but in doing so we'll be operating on relatively familiar ground. However, in the information age physical attacks are just one option. Others are emerging, made possible by the revolution in information technology. We are moving into a security environment unlike any we have seen before; a more complex world where conventional threats still exist, where weapons of mass destruction are more readily attainable by rogue actors, and where all forms of warfare are made more potent by inexpensive and proliferating technology.

We face a fundamentally new form of danger in the cyber dimension. In recent years the nation has become highly dependent on networked information systems to conduct essential business, including military operations, civil government, and national and international commerce. This technology has become simultaneously one of our most important sources of competitive advantage and one of our most serious strategic vulnerabilities. Those of us responsible for defending our country need to help the nation understand the national security implications of its vulnerabilities in cyberspace.

With the growth of networking, our borders and our boundaries are no longer identical. In the domain of cyberspace our boundaries extend well beyond our shores. Unlike our physical borders, they are diffuse, constantly changing, and easily penetrated. Through global interconnectivity, our systems can be accessed from almost anywhere in the world.

Our ability to network has far outpaced our ability to protect networks. The efficiency that networking has made possible has come at the price of increased vulnerability of data and systems to attack. Information in unprotected of poorly protected networks can be accessed, changed, or destroyed. Unprotected systems can be controlled, damaged, or shut down.

In a world where information systems control key functions and critical infrastructures, logic bombs rival iron bombs in their power to bring operations to a standstill. The emergence of cyberspace has opened a path over which an attacker could strike powerfully against our military readiness and our economy through cyber attacks against the data and systems on which they depend. The traditional geographically-based strategic sanctuary that America has enjoyed for much of our history has been lost.

With cyberspace offering new avenues of attack and new requirements for defense, conflict in the information age will be multidimensional. It will extend across both the physical and virtual domains, with events in one domain interacting with events in the other. This environment will be messy and highly ambiguous. Attacks in the virtual domain can take subtle, difficult-to-detect forms. The diffusion of power from nation-states to global and sub-national entities will make identification of adversaries far more difficult. It will become increasing difficult to answer the questions "Are we under attack, and, if so, by whom?"

Are we under attack? Test attacks conducted against thousands of DoD computers have drawn only a handful of sporadic, apparently unrelated detections. How far could a coordinated campaign, conducted across the entire information infrastructure, progress before it was recognized for what it was?

Who is attacking us? Unlike conventional warfare, this type of campaign would offer few indications of impending attack. The forces used would be small, highly mobile, and could launch cyber attacks from any point on the global network. Above all this form of campaign would be cheap, putting it within reach of most nations and many terrorist groups. If desired, a campaign against the information infrastructure could be cloaked in plausible deniability. Even if you want to fight back, you may have a problem finding a target.

We must also recognize that future conflict may involve significant asymmetries in vulnerabilities and combat operations. The threat could be structured or unstructured and no doubt it will be messy in time and content. With its well-developed information infrastructure, America has a lot to lost to information attacks. Many of our potential adversaries have no corresponding infrastructure to hold at risk.

The scale of networking in the United States and the degree to which we rely on information technology to carry out essential functions make us highly vulnerable to information attacks. The technology to exploit our vulnerabilities exists now. It is known to have been used against a broad range of targets, and it is highly probable that the known attacks are only a small fraction of the total activity. A large-scale campaign against our information infrastructure ­ an attempt to launch an "electronic Pearl Harbor attack" against us, if you will ­ is technologically feasible. All that is needed is intent.

The vulnerability of our infrastructure to disruption through the use of new cyber attack techniques puts our economy, public safety, and military readiness at risk in new and potentially far-reaching ways. We need to explore this risk in greater detail and consider what steps might usefully be taken to reduce it.

I'd like to send the rest of my time with you today exploring what this new security environment means on three levels. First, I want to talk about what it means for us as a nation. Second, I want to look at what it means for us in the military. Finally , I want to discuss what it means for us in the business if intelligence.

National Security in the Information Age

The nation will increasingly require a safe, trustworthy information infrastructure to support virtually all aspects of our national life. Since information systems security depends heavily on encryption technology, one of our first tasks is to decide how we as a nation want to deal with that technology. We are now engaged in a national discussion on how to balance the privacy interests of individuals and business with he public safety interests of law enforcement and national security. How we resolve this discussion will shape the infrastructure we build to implement our security solutions.

If we overemphasize the public interest, we risk a world with too much government access and too little security. If we overemphasize the private interest, we risk a world with perhaps too many secrets ­ for example, a world in which terrorists, organized crime, and hackers acquire means of communications as secure as those available to military forces. Both of these extremes are unpalatable. We need to strike a balance that provides adequate protection for both individuals and businesses and for society as a whole.

The White House recently defined a policy initiative that is designed to help foster the shared effort between industry and government needed to bring security to the nation's information infrastructure. In the broadest sense the initiative deals with the preparations we must make as a nation to use information technology to its full potential. It is an attempt to create an environment in which an international framework will grow to support the use of strong encryption.

One of the fundamental questions on this issue is whether to provide a key recovery feature in the infrastructure ­ that is, a mechanism to make the keys to encrypted communications available in case they are lost by the owner of the data or needed by properly authorized law enforcement officials. Key recovery adds complexity, and arguments have been advanced to support proceeding without it. There are, however, three very good reasons for designing it into the infrastructure.

First, key recovery is good business practice. It protects information from loss by allowing users to regain access to their encrypted data when encryption keys are lost or corrupted. Key recovery is analogous to systems administrators recovering forgotten passwords or maintaining spare door and desk keys for emergency use.

Second, key recovery makes it possible for law enforcement, with proper authorization, to be able to access the keys. This is n essential component of a solution that protects the public interest. There is a clear societal interest in preventing cyberspace from developing into a sanctuary for global, instantaneous, and secure control of operations for criminals, terrorists, and rogue nations.

Finally, Key recovery may probe essential in making encryption usable on an international basis. We are not the only country wrestling with the public safety implications of unbreakable cryptography. France, Israel, and Russia recently imposed import and domestic use restrictions. Several Asian, South American, and African countries have had similar restrictions in place for years. Others may impose them as strong cryptography proliferate.

For many overseas as well as here, the logic of the need to balance business imperatives with public safety concern argues for key recovery. The European Union and other confederations are considering key recovery-based key management infrastructures. The world's major standards bodies are designing future standards so that key recovery can be accommodated.

International standards and protocols for key recovery may probe essential in heading off national restrictions, establishing a broad export market for cryptography, and establishing an infrastructure acceptable for general international use. This would accelerate the realization of the promise of information technology, and that would be in everyone's interest.

The vulnerability of our infrastructure is a shared vulnerability. The risk it poses is common to government, business, and citizen alike. We're all on the same net, and our requirements are inextricable intertwined. Reducing that risk will require coordinated effort within and between the private and public sectors. The need for infrastructure protection creates a zone of shared responsibility and potential cooperation for industry and government.

Working in partnership, government and industry together need to build up the infrastructure needed to sustain and strengthen information security for America. I wish to emphasize that the infrastructure will be built by industry as a commercial venture. This task is huge. Collaboration among many partners will be essential if we are to establish a key management infrastructure that promotes the use of encryption worldwide. We should seek cooperative engagement in the areas of standards, technology, and collaboration on vulnerabilities.

The standards we develop must enable our infrastructure to meet five key requirements. These include confidentiality through encryption, verification of data integrity, authentication of originators, proof of participation by parties to a transaction, and availability of service on demand. These features are equally key to network operations in support of electronic commerce, vital public services, and national security. We need mutually agreed upon technical standards and operating protocols, comparable to building codes and traffic regulations, to ensure that the infrastructure is sound, that it will permit interoperability, and that anomalous activity on the net can be identified and isolated. If you'll let me use the term speeders, the Government needs to set the standards to regulate the speeders ­ the speed limits, the lane widths, the no passing zones.

NSA/CSS has made major changes in its approach to this issue. We are working with industry to develop the infrastructure, and as it comes on line we are prepared to support relaxation of export controls. We have to work together to make our own system work. After we have agreed among ourselves we can begin to work on bilateral encryption. Policy agreements with other countries.

In the area of technology the key focus will be the technical development of the public key infrastructure. The technical solutions we develop together must help the U.S. information technology industry maintain global technological leadership and dominant market share, provide for scalability and interoperability, and permit access for law enforcement. A strong key management infrastructure is essential, but it can be based on a voluntary system of commercial certificate authorities operating within prescribed policy an performance guidelines.

In the area of vulnerabilities, key areas for cooperation are vulnerability analysis and warning. These activities will be crucial to preventing surprise. Much of the information needed for these efforts, however, is held closely by industry. Industry and government need to explore how this information can be shared among all who need it without adversely affecting the competitiveness of individual companies or industrial sectors.

Summarizing, a key talk to ensure national security in the years ahead will be to build an infrastructure that promotes American competitiveness, protects government and private sector information and systems, and denies covert use of cyberspace to criminals, terrorists, and hostile nations. Government has a key role to play in this effort, but cannot do the job alone. First, the technologies needed to build the infrastructure are to a growing degree no longer controlled by government. Second, in the information age to be connected to anything is to be connected to everything. Some 95% of defense communications travels over the public switched networks. You cant fortify your own organization and ignore the security of the system as a whole. All of us will stand or fall together.

Let's look now at what the emergence of cyberspace means for military operations.

Military Operations in the Information Age

For most of the 20th century we spoke of battlefields. Now we are beginning to speak of battlespace, a multidimensional full contact chessboard with both physical and cyber components. In the physical dimension the forces supposing each other in the battlespace will seek high levels of mobility, dispersion, and operational tempo for their own side while striving to locate and engage the other with speed and precision. Each of these activities is highly information-dependent. The ability to use cyberspace while denying or exploiting your opponent's use of it will be key to surviving and winning in the 21st century.

This concept is called information superiority, and it plays a key role in Joint Vision 2010, the template for how Americas armed forces will operate in the years ahead. Together with technological innovation, it provides the foundation for the Joint Vision's new operational concepts ­ dominant maneuver, precision engagement, full-dimensional protection, and focused logistics.

Dominant maneuver involves high tempo positioning an employment of widely dispersed joint forces to compel adversaries to react from a position of weakness or quit. Information superiority will help lift the fog of war to give these forces a far clearer picture of enemy and friendly locations than that available to their opponents. It will also allow joint commanders to coordinate widely dispersed units, receive accurate feedback, and execute more demanding, higher precision requirements.

Precision engagement will use an information-intensive system of systems to locate targets, provide responsive command and control, assess our level of success, and retain the flexibility to reengage with precision when required. Information operations will tie together high fidelity target acquisition, prioritized requirements, and command and control of joint forces within the battlespace.

Full-dimensional protection will allow our forces to deploy, maneuver, and engage while providing multi-layered defenses at all levels. It will be built upon information superiority, which will provide identification of all forces on the battlefield, awareness, and assessment. Information operations will support this effort by protecting our information systems and processes while denying similar capabilities to adversaries.

Focused logistics will be the fusion of information, logistics, and transportation technologies to deliver tailored logistics packages rapidly and flexibly at all levels. Information technologies will enhance airlift, sealift, and prepositioning capabilities to lighten deployment of smaller but more capable forces with smaller logistics footprints, decreasing the vulnerability of logistics lines of communications.

These four new concepts will enable us to dominate the full range of military operations from humanitarian assistance, through peace operations, up to and into the highest intensity conflict. Information superiority ­ the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same ­ is what makes these concepts possible. It allows us to shape the battlespace.

Because of the critical importance of information superiority, NSA/CSS has a key role to play in carrying out Joint Vision 2010. As the nation's cryptologic organization, we provide and protect vital information from the battlefield to the White House. We protect the security of U.S. signals and information systems while providing intelligence information derived from those of our adversaries.

Intelligence and information systems security complement each other. Intelligence gives us an information advantage over our adversaries and competitors. Information systems security prevents others from gaining a comparable advantage over us. The two functions make up a team dedicated to a single goal ­ information superiority for America and its allies.

The information age has some profound implications for intelligence, and I'll be getting to those shortly. But before I do I'd like to talk for a moment about the defensive aspects of information superiority and what NSA/CSS is doing in this area.

Information systems security is the main line of defense against intelligence exploitation, alteration or destruction of data, and system shutdown. Our command, control, communications, computing, and intelligence networks depend on this discipline for security and resilience throughout the conflict spectrum. Information systems security also has a key role to play in ensuring that information-dependent support and weapon systems, including communications and navigational satellites, cruise missiles, and future aircraft, can function effectively in information warfare environments.

One of our key goals in this area is to reduce the vulnerability of information networks serving our customers in the national security community. The Joint Security commission chartered by the Secretary of Defense and the Director of Central Intelligence reported in February 1994 that it considered "the security of information systems and networks to be the major security challenge of this decade and possibly the next century". Cost-effective protection for systems handling unclassified but sensitivity Department of Defense functions such as finance, procurement, acquisition, personnel, and research is needed now. High assurance solutions will be needed soon, as networking technology is applied to tactical command, control, and intelligence support. Our goal is to support the development of a resilient Information Infrastructure capable of withstanding attacks from hackers, terrorist groups, or other countries.

NSA and the Department of Defense have a great deal of experience in building information infrastructures for military operations worldwide. We are currently building an infrastructure to support two million users of the Defense Messaging System to provide e-mail service and browser service to DoD users. The next step will be to tackle tying in support for electronic commerce with the 350,000 vendors who do business with the Department of Defense.

A second key defensive goal to support information superiority is to meet all requirements for our national security customers who require the highest level of protection for their information and systems. Customers operating outside public switched networks, particularly military customers such as the nuclear command and control system, will continue to require government-intensive development and maintenance of unique and highly reliable security solutions. NSA/CSS will lead these initiatives, provide the expertise and resources needed for implementation, and support the infrastructure to sustain their effectiveness, modernizing where possible to improve efficiency and reduce cost.

Now let's take a look at intelligence in the 21st century.

Intelligence in the Information Age

National borders in the post-Cold War era are increasingly ineffective as boundaries in restricting the movement of people, money, and, in particular, technology. How you know your adversary depends to an increasing degree on tracking the movement of technology and understanding the technology base ­ the technology template, if you will ­ that your adversary has assembled or is in the process of assembling. To use networks as an example, from an intelligence perspective one would be interested in an adversary's installed systems, the systems available in the technology market that the adversary may be considering purchasing, and the systems on the drawing board that might make logical follow-ons over the four to ten year range.

This focus on technology requires a good deal of precision. You have to understand not just individual facilities but the technologies and algorithms that control their operation as a system and the function that system performs. In general, more detail is needed, there's less time to collect it because of the accelerating pace of technology turnover, and the technologies of interest are increasingly commercial in nature.

Once you have opened the technology window into your adversary's operations, intelligence becomes available in sufficient time to allow you to shape the battlespace. I touched in some detail earlier on how awareness of adversary locations, capabilities, and intentions permits effective positioning of joint forces against them, allows highly effective precision engagement, and enables us to keep our forces out of harm's way. In each case the basic principle is the same. Effective intelligence gives friendly forces at all levels higher operational tempo and greater precision by reducing decision time and uncertainty within the command loop.

With the quality and especially the timeliness of intelligence now key tools in shaping the battlespace, it's time for intelligence professionals to see their role less as supporting the warfighter and more as participating with the warfighter. A generation ago intelligence was a collection of specialized, highly stovepiped functions. In the age of jointness we have become synergistic ­ now we have stovepipes in chimneys. But as we move toward 2010, we must move beyond traditional stovepipes and function as a seamless, integrated, highly responsive virtual organization. As technology advances, I expect the traditional functions of operations, intelligence, and communications will be integrated into a seamless and simultaneous process. Simultaneity is essential if we are to keep our command loop inside that of our adversaries and retain the initiative to shape the battlespace.

I'd like to touch on one specialized but very important way that intelligence will help shape the battlespace, and that is by enhancing the effectiveness of information systems security. In the pre-network era of dedicated circuits, security meant protecting the confidentiality of information while it was being transmitted. In the networked environment, information systems security includes not only confidentiality but protection of systems from viruses and other attacks intended to deny service, protection of data from alteration or destruction, and assurance that data exchanges are originated and received by valid participants.

This is clearly a more active concept than simply encrypting information for transmission. Providing security in a large-scale information attack may involve sealing off or restricting access to critical segments of the infrastructure, either cryptologically or physically. In this environment, information systems security will need help from intelligence. We will need warning and targeting intelligence for information operations at levels of detail and timeliness comparable to those achieved for conventional and nuclear warfare.

Conclusion

Summarizing, we as a nation face a real and growing risk. Powerful cyber capabilities are available for use in attacks against the information infrastructure. The vulnerability of our infrastructure to these threats has been heightened by the advanced levels of complexity, interdependence, and efficiency made possible by information technology. Employed in a systematic attack against the U.S. infrastructure, the new threats have the potential to trigger widespread disruption of services and substantially damage the economy, public safety, and military readiness. Such an attack could be launched with a high probability of surprise and a plausible chance of maintaining anonymity by most nations an a growing number of terrorist and criminal organizations. Just remember, though the technology that poses the threat is also the source of our greatest advantage.

For much of its history the United States enjoyed a geographically-based strategic sanctuary, separated from its rivals by thousands of miles of ocean. That sanctuary has been swept away by the information age. If we are to reconstitute a new strategic sanctuary for the 21st century, we must look to the readiness, reliability, and resilience of our infrastructure to provide it.

Today's security environment is increasingly shaped by a system-wide risk. The interconnectedness of our national life precludes entrenching our own individual organizations and leaving the growing system-wide aspect of risk to chance. We must look beyond our organizational boundaries and begin to map out a zone of cooperation between the private and public sectors to deter attacks, lessen their effects if they occur, and speed recovery.

For the armed forces, as for the nation as a whole, the information age offers both great promise and potential danger. The key operational concepts of Joint vision 2010 ­ dominant maneuver, precision engagement, full-dimensional protection, and focused logistics ­ depend on information superiority. Information superiority, in turn, rests on a foundation of networked information technology.

Risk is inherent in networking. With the best of precautions, in a networked environment some risk will remain. With information technology advancing dynamically, today's effective solution will be obsolete tomorrow. The situation is not made easier by the competitive imperatives driving us. We cannot wait for the perfect infrastructure to be put in place. We must manage risk through continuous improvement of our information defenses.

Defensively, we rely today on passive point defenses for information systems security, permitting attackers to concentrate efforts against weak links at will. We should begin to work toward a layered defense, supplementing close-in protection with methods of detecting and engaging incoming attacks in cyberspace. We will need a robust and sophisticated information defense to make Joint Vision 2010 a reality.

Finally, for those of us in the intelligence business, the information age is a time of unparalleled opportunity. Networking technology and the new organizational processes it makes possible will enable us to integrate seamlessly as full participants in the operational process, and make intelligence a key tool in shaping the battlespace. Intelligence and information systems security will be integral to each other in this environment. Information systems security will permit the rapid networked distribution of intelligence that Joint Vision 2010 will require, while intelligence will help protect the networks on which information superiority depends.

Return to the Orlando '97 Foundation Forum Page



 

 

AFA is a non-profit, independent, professional military and aerospace education association. Our mission is to promote a dominant United States Air Force and a strong national defense, and to honor Airmen and our Air Force Heritage. To accomplish this, we: EDUCATE the public on the critical need for unmatched aerospace power and a technically superior workforce to ensure U.S. national security. ADVOCATE for aerospace power and STEM education. SUPPORT the total Air Force family, and promote aerospace education.

SEARCH  |  CONTACT US  |  MEMBERS  |  EVENTS  |  JOIN AFA  |  HOME

The Air Force Association, 1501 Lee Highway, Arlington, VA 22209-1198
Design by Steven Levins | Some photos courtesy of USAF | AFA's Privacy Policy