Former Defense Secretary Cohen's Remarks at the 2001 Summit

The Honorable William S. Cohen
Chairman and CEO
The Cohen Group
(Former U.S. Secretary of Defense)

March 6, 2001

"That's the first introduction I've had with music accompaniment, but thank you, Jim, very much for the introduction. And I thank you for your exaggerations in terms of my career but I relish every description you gave.

"I believe that you are about to depart here in about 15 minutes and go to Capitol Hill where you will be entertained and spoken to by among others Senator Warner. Senator Warner is my senior by one day in the United States Senate, and you might ask him how that occurred as a matter of conversation.

"But he is the Chairman of the Senate Armed Services Committee. He also is the sponsor and the creator of a new subcommittee on the Senate Armed Services Committee called Emerging Threats and Capabilities. He also sponsored a scholarship program to encourage more students to become information security specialists. So he has played a critically important role in a field in which you are deeply engaged.

"I will be brief because the buses I am told will not leave before I finish but I want them to leave reasonably on time.

"You were addressed I believe earlier this morning, or afternoon, you heard from Congressman Dave McCurdy, Senator Bob Bennett and Mike Vatis about global infrastructure of security. I'd like to take a little bit different tack here today, this afternoon, and talk about a different aspect of national security.

"It seems to me that virtually every cover story that I see about IT in recent magazines has been about security. The good news is it's helping to raise public awareness and corporate awareness about the issue of protecting secure information. The bad news, I think, is that you're basically seeing what I would call off Broadway productions when the real show was taking place in Times Square itself.

"The media attention is focused upon teenagers who are defacing websites, launching denial of service attacks or juvenile extortionists who steal and threaten to post credit card numbers. These are serious problems with very large amounts of money attached to them, but the threat to privacy and proprietary information is about to explode in a world that many of you are designing and building and one in which the capabilities are embedded into devices all around us and soon even within us. These devices are interconnected to a network that spans the globe. If John Chambers were here, he would describe this as the virtual global ecosystem.

"Now, hackers and crackers, they are mere nuisances compared to another growing threat that I've tried to focus on and one I want to discuss with you today, and that is the convergence of the world's second oldest profession with the latest technology and its implications for the business community. Corporate espionage has always been, or at least it should have been, a concern for the business community, because while the average cost of a hacking attack or denial of service is said to be roughly $150,000 in terms of the costs to a company, according to the FBI the average loss of a corporate espionage incident is much larger.

"There is a survey that was conducted in 1999 by ASIS, the American Society for Industrial Security, and over half of the manufacturers who were surveyed reported being a victim that year with an average loss of $50 million per incident. Nearly half of the companies surveyed were, they described themselves as high tech firms and they reported these incidents, and while they lost only a half a million dollars per incident where the loss could be valued, they were successfully targeted more than 60 times during the course of the year. So you can see this can add up to many tens of millions of dollars.

"Despite the fact that the heavy focus is on Internet hacking as such, the incidence of corporate spying is roughly the same. You have roughly the same number of penetration attempts on corporate proprietary information as you do denial of service attacks. And so others have now indicated that over a third of U.S. companies are now the target of industrial espionage, with the numbers quadrupling every year since the beginning of the last decade, and there is no end in sight.

"I mention this because in spite of the legislation that's been passed, I helped to author an act called the 1996 Economic Espionage Act along with Senator Specter, making it a crime to engage in such activity. But a significant portion of those corporate espionage activities are actually sponsored by foreign governments.

"I think it is somewhat of a paradox that state-sponsored espionage has become even greater at the end of the cold war than it was during. In fact, a number of these espionage apparatuses, apparati I guess it would be called now, were redirected to spy on behalf of the businesses in their country.

"I am not talking to you now as a former Secretary of Defense but calling upon my experience of a total of 24 years on Capitol Hill and draw upon the statements that I made at that time. It was nearly a decade ago when Boris Yeltsin gave a very historic speech on the floor of the United States House of Representatives to a joint session of Congress, and you may recall this. He said, 'No more lies.' I think because of the thunderous applause that he received people thought he said, 'No more spies.' And yet we know from recent events and recent revelations, that clearly is not the case.

"The point is that we should have known this all along. If anyone got the impression at the end of the cold war that that meant that there is no one left to come in from the cold, then they didn't get that impression from Moscow, because after the collapse of the Berlin Wall, the head of the KGB, Vladimir Kryuchkov, publicly announced that his agents would be busier than ever with an enhanced focus on industrial espionage.

"The KGB is far from being alone in this regard. Not long after the Director of the KGB made his announcement, Pierre Marion, the former director of the French intelligence directorate, publicly admitted that he directed the intelligence forces of France to secretly collect and pass on to French companies information they were able to secure from their competitors in the United States and elsewhere.

"And our friends in the French intelligence service provide a full range of services. Among those that are most widely publicized are cases in which they stole proprietary technical data from a U.S. computer manufacturer and then provided it to a French competitor.

"In another case, a French national working for a U.S. fiber optics company sold trade secrets to French intelligence, which then in turn passed them on to the French competitor. And in the case that Monsieur Marion was particularly proud of, French intelligence acquired the pricing proposal from a U.S. aircraft manufacturer, which enabled its French rival to underbid it on a billion dollar contract.

"In short, the espionage threat is no longer solely focused on state secrets. It's primarily targeted against trade secrets. And the threat comes not from just our adversaries, but ironically enough from our allies. And while the threat to the technology is real, they don't have to steal the technology itself. In fact, it may be more difficult for them to work with technology that's stolen. What they really want is the information on which you price your product, and they want to be able to underbid you and then offer it to their competing firms.

"Now, some of you might be aware that the European Union, or the European Parliament I should say, is currently conducting an inquiry as to whether the U.S. intelligence agency is providing information to American businesses. Let me say that the allegation is false. It is unfounded. U.S. intelligence agencies do not, they cannot and they will not steal information from foreign companies to benefit U.S. companies, and there are many practical reasons why this is the case. We cannot do so, but more importantly U.S. officials across a number of administrations have made it clear as a matter of principle that we would never do so.

"Corporate espionage and even corporate espionage conducted by foreign governments, their intelligence services is nothing new. The point I want to make today is it is intensifying at ever growing rates, and what is making it even more difficult for us is that we are becoming increasingly more vulnerable because most of the companies that you represent you are adopting information based systems to manage research, design, production, finances, customer relations and as companies have adopted new business models and new technology, they have also created new vulnerabilities. Let me give you just a few examples.

"What is a code word that constantly is invoked if you're trying to streamline, get more efficient, downsize? You outsource. We did a good deal of this in the Pentagon itself, but there has been an increasing accelerative move on the part of businesses to outsource anything that's not regarded as a core competency in activities that were done in-house from the back office functions to logistics to production, and a company will often give its supplier privileged access to facilities and increasingly to its network so they can become an effective member of the team. But the suppliers are also electronically networked in ways that you have never even thought of. They themselves face pressures of outsourcing some of their non-core competencies. And so you have a series of a chain of trust being delegated to relationships upon relationships until you finally have complete strangers who are interconnected to your innermost working databases.

"Outsourcing of software production, I think it's very clear, is growing every year; software production is being outsourced overseas. And we think of the three I's: India, Ireland and Israel are the most obvious examples. But the phenomenon is global. You can hire online a programmer in Pakistan with a Master's degree and three years of programming experience for roughly $1,200 a month, and one that has 12 years of experience for about twice that much.

"This creation of the global labor force is a great boon to our industries, and it's also helping develop economic situations around the world. But it also creates unprecedented vulnerabilities.

"Another thing is taking place, consolidation. How many of you in the audience are under pressure to increasingly consolidate, to merge with various companies? Those who survive this consolidation are not really focused on the networking systems of emerging partners. They are not worrying enough about the in-laws that they are marrying up with. And whether you merge or acquire a company, you take on board those external relationships with outsourcing suppliers and agreements that cover that relationship no matter how inadequate.

"As you all know computing capability is being embedded in devices all around us. In copiers, coffee pots, cars, clothing, even in our bodies. These embedded devices are now being interconnected with our offices. They operate our factories. They tie our suppliers and industrial partners, and they reach around the globe.

"I want to say this afternoon that promiscuity in the cyber realm is equally dangerous to your health and presents the same risks as promiscuity in the physical realm. Every one of your partners has his own set of partners who in turn have their own partners, and you are effectively sleeping with every single one of them. The result can be a contagion of what I would call STD, sensitive technology distribution, for which there may be no cure. Drug companies can rest assured that there is no patent to be infringed upon here.

"A decade ago, I'll give you some examples, a decade ago there was a good deal of attention focused on a Dallas computer maker who learned that his pricing information somehow had gotten into the hands of a South Korean rival. That rival had used that information to tailor its own bids and take away the competition.

"So the Dallas company hired a private detective agency. They discovered a coat closet at corporate headquarters had a small box inside that room containing a radio transmitter that was wired to a cable that led to one of the company's fax machines. The bug had been planted by a new employee who had been a mole for the South Korean company. So in order for that Dallas computer company to be penetrated a decade ago, the Korean mole had to gain access to the fax machine, splice in a tap, hide the radio transmitter in the closet.

"Today, it's much easier, and I want to cite just one example. Today most printers and faxes and other peripherals have infrared ports for data exchange, and so does your Palm Pilot, or, as I have up here as a little demonstrative evidence, a Visor. As I walk into your conference room for a meeting, my Visor can communicate with your printer, which may be connected to your network. If I can beam into your printer, I can own your network. Oftentimes companies have printers, fax machines and other desktops right in line of sight as people enter the premises.

"So you want to think about this the next time a bicycle courier drops into your office. And I want to give you another practical insight as to what can take place.

"When I was in the Senate, there was a common scam being run by unscrupulous bicycle couriers who visited virtually every office, and they would ask to use the phone to call the dispatcher after they had dropped off their package to your office. Of course, they had set up a 1-900 number on which they were collecting either a dollar or two on every call that was being made and placed.

"Now, if they can be creative enough to put a system like that together where they can make quite a few dollars, imagine if they carry and come in with a little infrared device that can download information off one of your printers or fax machines. So you have to be careful what is available to them.

"As this chain of connectivity grows exponentially, the number of weak links is going to grow even faster, and no one -- I will say no one -- is properly prepared to protect themselves in this emerging embedded, networked environment. And so there are quite a few people who are working very hard to exploit your vulnerability.

"As I was looking over the material for today's conference, I also came across something in Newsweek last week. It was in the Cyberscope, and it had two new items that it called the reader's attention to. One is called Beamie Baby, and it talks about taking your Palm Pilot or your Visor, walking through an airport, and they would have a cereal-size box from which you could download your e-mail or get information off the Internet. Well, if you are beaming up from your Palm Pilot or your Visor or other PDA that you might have information you pulled off the Internet, you can also have a situation where they're pulling information out of your Palm Pilot. So if you have any kind of proprietary data which has been downloaded so you can travel conveniently, you'd better take care that that information is fully protected.

"Microsoft, also, it says 'Microsoft's latest trick, a phone with a PC built in,' and it has a nice photograph of the PDA and a phone, which is very convenient to have it all in one. One of the problems, of course, is that your phone can be turned on remotely. Assuming your phone is turned off and you're in a conference room, you should take care to take the battery out of your phone, because your phone can be activated and serve as a receiver and the entire conversation can be picked up remotely. And so this PDA-phone combination that's great and is convenient can also be a device, depending on what you have in it, from which information can be extracted remotely in a matter of nanoseconds.

"Now, there are some business opportunities associated with this kind of espionage. You have lawyers who are more than willing to bring a lawsuit on behalf of shareholders or your partners or the company that you might be merging or acquiring for your breach of fiduciary duty to protect proprietary information. So you must take care. You are charged as a fiduciary with protecting proprietary information and you must personally undertake to make sure that you have all the proper barriers and the kind of protective techniques to protect that information. Otherwise you may find yourself subject to a lawsuit.

"Secondly, there are insurance companies in their personal and commercial and industrial policies that are very careful to exclude any coverage for loss of IT information. They are more than happy to sell you additional policies to cover this sort of information, however. So there is another business opportunity there, but that's not the kind I think that you would like to promote.

"So the question is, these are the problems: as we become more and more connected and wired together, we become increasingly vulnerable to people who are pulling that information from our very midst. There is a two-edged sword of technology. You can have firewalls. You must erect firewalls to protect your information, but be careful. The people who may be marketing the firewalls may also have a trap door in the firewall so that they can pull all of the information out, either for their companies or for their countries who may be sponsoring the companies who are selling the firewalls.

"There is exportable encryption available, public key infrastructure and so forth, but this technology really can't overcome faulty human beings who create these vulnerabilities, so we need other things. We need to have effective information security policies, training and regular re-training, because the technology is changing so rapidly we've got to constantly update our awareness of what is possible and what is potential.

"We have to have effective early warning systems. The U.S. government does not do offensive warning as such. It will warn companies if it knows they are being targeted. So if you are a U.S. company and you are being targeted by another intelligence service to gain proprietary information for your competition, they will alert you to this. They do not provide you with any information. So we have to have effective early warning systems, and the private sector should be willing to work more closely with the U.S. government. There is great reluctance on the part of the private sector to establish too close a relationship with the U.S. government. I think that's a mistake. But there is a lack of trust there: that you are, number one, afraid to report that some of your systems either have been compromised, or that you have been the subject of external attempts to penetrate your systems, and that this information might somehow be disseminated in ways that would injure your company. But I believe that if you're going to have protection in the future, then we have to find ways of sharing information and setting up a trust relationship with various agencies within various departments in the U.S. government that can help you protect your proprietary information.

"Because you bear liability, because you are held responsible, it is important that you not leave it simply to the hired help. It is important that you probe the security of your partners and your suppliers and people who you hire on a temporary basis. How many of you here have found the situation, I certainly have found it, that suddenly one of your key secretaries is out and you have a temporary that comes in. Who checks the background of the temporary? How much access does he or she have to your networking systems? You have got to adopt a very aggressive, affirmative duty to check all of this out. Otherwise, you open yourself up to the liability.

"So, outsourcing prudence: subject your contract and your temporary employees to the same personnel checks you would your permanent workforce, and be very, very careful and deliberate in deciding what access they have.

"Finally, there is the public wake-up that needs to take place. I mentioned ASIS before. They surveyed companies who see foreign competitors, especially foreign intelligence services, as a low threat. The FBI reports nearly a quarter of economic espionage involved foreign nations, and the threat is emanating from some 23 countries today.

"So this is something. It is serious. It is growing. You should be aware of it. You should focus on it. The goal, of course, is to protect the mission. No system is foolproof. No human is faultless. Perfection is not the objective, but the objective is to protect the corporation's mission. And remember that includes protecting your partners and your customers.

"There is a wonderful quote from T.S. Eliot. He asked the question where is the wisdom we have lost in knowledge and where is the knowledge we have lost in information. And I would add to that where is the business we have lost in the information that's being stolen.

"Thank you very much."