Home : Media : Speeches

Adm. Winnefeld's Remarks at the West Point Cyber Conference


By Adm. James A. Winnefeld Jr.
West Point —

WINNEFELD: Well, good afternoon everybody, how sweet it is to be up here and not in Washington. It feels sort of like a refreshing [inaudible] for a minute. From the Pentagon Jail.

I want to support, salute the West Point Cyber Center for hosting this inaugural Joint Cyber Security Summit and Mark, thank you, I really enjoyed your remarks earlier today. I was ticking off points of my speech while you were talking; I think that’s a good thing although we’ll see what happens. By the way, none of you are allowed to fall asleep, I know it’s after lunch, so I’m going to try to get your peak of sugar high here before it fades away and it will fade during the question and answer session I’m sure. But if you fall asleep, remember what happened to the North Korean Defense Minister recently? We had to mount an anti-aircraft gun outside, manned by a stellar west point cadet – ready to go. So I’m watching, I’m watching. We have the enforcers here.

It’s wonderful to see General Pace and Admiral, is Admiral Allen here? I heard he was going to be here, but he didn’t make it. I do see my old mentor, Admiral Fallon here, and it’s really great to see you and more of our countries top tech CEOs than I could possibly name. But among them, I would like to single out Byron Colley, are you here? Byron? Ok, he scared the be-Jesus out of Chairman Dempsey when he sat with Goldman Sachs’ security team to learn about the breadth of cyber-attacks the financial sector faces every day. He came back and scared the be-Jesus out of us, you know, after that. When he’s scared, we’re like really scared.

I also want to call out the exceptional leadership of Major General John Davis, who’s been a rock in OSD’s Cyber Policy Shop and a prime mover behind the progress that we’ve made under Eric Rosenbach’s leadership, so thank you guys. Also, Major General Paul Nakasone, who held down the cyber portfolio in the Joint Staff, early in my own tenure here as vice chairman, and then Greg Conti, making a real contribution to leading the Army Cyber Institute. Also, Mark McLaughlin for helping to organize veterans in Silicon Valley and for his service as a one man bridge between industry, government and the military, and of course he’s here, Mike Rogers is here because I’m giving him a ride back to Washington. So he’s stuck. But it was really great to hear him speak today and we really are lucky to have him at the helm of U.S. Cyber Command, and we’re grateful for what he does every day.

Now, Since one of today’s themes is “jointness,” I’d like to point out something about our Chairman of the Joint Chiefs of Staff, Marty Dempsey and myself. To show just how “joint” we are, he has actually visited the Naval Academy’s Cyber Center where I have never been and today I am visiting the Army’s Cyber Center, where he has never spoken. We just hope the Air Force Academy doesn’t take too much offense that neither of us has visited their cyber center. It’s probably a good thing because it‘s far too nice out there – and you want to talk about a work release program - we might not come back to Washington if we went out there. By the way, please don’t throw your rolls at me when I say this, congratulations to the U.S. Naval Academy for winning the inter-service academy Cyber Defense Exercise this year. I’ll say in talking tonight that it was not an easy competition. And it was very, very close until the very end, so that’s very comforting to somebody like me to see we’ve got cyber warriors coming up from the very lowest ranks of our officer corps that know the business. I can tell you that my son is a plebe at the Naval Academy and he tells me that the hardest course he took his first semester at the Naval Academy was the cyber course. So it wasn’t just fluff, it was a really meaningful course that was tough for them.

I want to zoom out for a bit, I know that Admiral Rogers has already shared how we’re building out our cyber forces and talked a bit about our newly released cyber strategy, that Secretary Carter launched last month on his trip to Silicon Valley.

I want to zoom out for a bit and shine a light from a different perspective on what I see happening with the Department vis-à-vis technology in general and cyber in particular because trends that we’re seeing today make your conversation and our conversation together even more important.

Now, all of you here today from industry are part of a revolution in commercial technology that’s changing our world. It’s certainly changing my world. You are also part of a post-Cold war shift in innovation from an R&D economy driven primarily by federal investment to an innovation economy driven by private investment. If you think about it, Google today has more than twice the market capitalization of General Dynamics, Northrop Grumman, Lockheed Martin, and Raytheon combined. Apple has twice the market capitalization of Google. Tim Cook could pay cash for the entire defense industry, cash.

Just as the commercial economy in technology has taken off, the R&D portion of our pie has fallen at the same time – over 40 % in some places, within the defense department. The defense industry, itself, has shed a lot of its own R&D capability, although not all of them I would also say. If you compare federal to non-federal R&D over the last 20 years, you can see, if you look at it on a graph, just how dramatically the locus of innovation has shifted towards the commercial sector in the post-Cold War era.

While this macro-shift in technology was underway, our potential adversaries have learned a lot from us – and rapidly. They’ve either watched what we’ve done, or they’ve read what we’ve done, or they have just gone about stealing what we’ve done from our own defense contractor and, in some cases, our own military networks. We are hemorrhaging information at a dizzying rate, evidenced by the uncanny similarity of some of our potential adversaries’ new weapons to the ones we’ve been developing ourselves. In your business, industrial espionage is illegal. In my business, it can be fatal.

Our adversaries have also learned how to tap into the global technology market that you’re driving forward, which has many wonderful benefits for humankind and especially for teenagers, who can now share their pictures quicker than they ever have before. But this global market for macro and microelectronics is making it easier for our adversaries to catch up. For instance, if you look at our electronic warfare systems today, 96% of our most advanced systems are assembled using commercially available components. We only add around 4% “special sauce” on top of those components. What this means is that our adversaries can quickly mimic—or in some cases surpass—our state-of-the-art systems, simply with globally sourced components.

 

Now, we’ve long counted on capability and capacity overmatch to overcome the twin tyrannies of initiative and distance that our most capable, potential adversaries have. In other words, if we’re going to fight Russia or China, we’ve got to go a long way to do it, and we’re not going to be the ones to start it. But, we’ve always counted on our impressive capability and our impressive capacity to overcome that, but those gaps are closing very rapidly. Our pacing threats are now only a step or two away from actual technological parity with us. Our margins are thinner in many places than they’ve ever been, and we’re asking ourselves, how do we dig ourselves out of this hole? We will do this by doing what we’ve always been good at doing as a nation, and that is innovation. And a large part of our answer, in innovation, as I pointed out earlier, where the R and D is shifting, is going to come from you, it’s going to come from the commercial sector. We understand this.

You stand at the intersection of two important communities – the U.S. military and the deep well of technological innovation that comes from the commercial sector. And those of you, graduates of the military academies, understand this better than anyone else in the technical industry. You are an important part of a Venn diagram we think needs to grow. A robust and enduring partnership between the Department and the arteries of innovation in the commercial technology economy is foundational now to our nation’s warfighting prowess. By interacting more systematically with the technology economy, the Department can better harness the fruits of what’s coming out of that technology economy.

To catalyze this interaction, as Mike referred to earlier, Secretary Carter is pursuing two related initiatives, and I think this goes to a question that was answered earlier in your session. The first is called the Defense Innovation Initiative, sounds pretty blasé right? Oh yah, we’ve done this before. But this is a very serious effort that was started by Secretary Hagel, cooked up and continued by Secretary Carter and Deputy Secretary of Defense Work and I are at the forefront of, along with a very important teammate named Stephanie O'Sullivan, who is the Deputy Director of National Intelligence, because it’s so fundamental to making sure that we can do what we need to do in this area. This effort is intended to reinvigorate our high-end warfighting capabilities in four essential ways. By concentrating on getting the most qualified possible people we can find into our business, millennials who I will talk about in a second, becoming much more efficient from a business perspective, and then two more, integrating new types of technology and operational concepts together, the two cannot exist in a vacuum, the concept developer has to be able to dream and say “gosh, if I could only do this” and have the technologist come up and say “well, I can do that for you, I just need to put a few of these things together and disparate ideas and I can make that happen.” At the same time, if the technology developer is coming up with something really cool, it would be nice for the concept developer to understand that and say “gosh, I can weave that into what I’m trying to do in this new way of fighting wars.” By doing all of this, we intend to regain our margin over our near pair adversaries. And you may have heard of an initiative called the Advanced Capability and Deterrence Panel and that’s what this is all about, where we have had major technological edges over adversaries in the past that have eroded and then we’ve created a new technological advantage, over, that has again eroded, and now we’re on the same track to try and regain that edge.

Cyber is going to be a very important part of the Defense Innovation Initiative. Cyber is what I would call the land, the gray zone, fading borders, is really what I use to refer to it. The borders are fading between state and individual. The borders are fading between war and peace. The borders are fading between espionage and war. The borders are fading between civil and military, and private and public. It is a very very important piece that’s obviously why we are all here today.  It is foundational to both our military’s offensive and our defensive capabilities. So look at how good we have become in something called network warfare. There really are two principled things that we’ve learned in the last 15 years that have really advanced our militaries state of the art and how we do business. One of those is Intelligence Operations Integration, or believe it or not, our Special Operations Forces actually taught us how to integrate intelligence and operations like we’ve never done it before. And the other thing is how we do network warfare. We can fight faster than anybody on the planet right now, which is a huge advantage, but it’s also a huge vulnerability.

Now, I’ll get to a few imperatives in cyber in a few moments, but first I want to tell you, in order to strengthen how we’re interacting with industry in cyber and on other emerging technologies, we’re taking a couple of important steps, and Mike alluded to these a little bit. One thing we’re doing is creating a first of its kind unit in Silicon Valley called Defense Innovation Unit X. Sexy name, I know, I didn’t make it up, but it’s called Defense Innovation Unit X. It’s going to be staffed by some of our brightest active duty and civilian personnel and augmented by a new reserve unit custom-designed for those who work as technologists in their civilian life. And I know many of you are probably reservists. Their mission is to strengthen the connection between the Defense Department and the firms and startups in Silicon Valley and to help scour for new technologies, without being obtrusive and, you know, frightening in the process. Defense Innovation Unit X will also be one way we help bring new talent to the department.

We are also starting a DoD branch of the U.S. Digital Service. I have never heard of this thing until about a month ago. But it was an elite group of programmers, who were brought in by the White House, to help fix healthcare.gov, when it didn’t roll out so well. We are beginning also a partnership with In-QTel, the CIA’s venture capital arm, you’re well familiar with, and reorienting the Secretary’s Fellows Program, which allows some of our best uniformed personnel to gain experience in companies like Oracle, Cisco, and FedEx, 3N and the like. These fellows will essentially spend a year with one of those companies, which they already do, and then they will be required to spend a year actually leveraging what they learned in industry into something that will help us in DoD. They bring back two things with them. The most important thing, to me, they bring back is they can capture how commercial industries are actually doing innovation, and it doesn’t matter, for that particular thing, whether they go back into something they were doing in industry or not, because they can help run a BCT, a brigade combat team, with that kind of innovative spirit, better than they could if they didn’t have it. But if they can also put the icing on the cake by coming back into something that they were actually doing, it really works. And believe it or not, we don’t do that very well. We have sort of the poster child on the joint staff right now, where we have a Marine lieutenant colonel, who went off and worked with Microsoft for a year and we actually, believe it or not, we actually brought him back under the Joint Staff, into the J6, and he works in our J6, which is our, obviously our, networking directorate. And he’s doing great work coming back from there. I’m also, and this will make some of you old guys roll over in your, in your sleep or in on your beds or whatever, we’re going to try and get them some joint duty credit for the time they spend with industry, because we think it’s so important that we bring this commercial expertise back into the military. But we’ll make sure they get a little “jointness”, buffing up while they do it. Anyway, we’re going to do that, we’re going to work very very hard at getting this particular program rolling.

Now, these innovations are part of Secretary Carter’s "force of the future" initiative, that some of you may have heard about in the media. He intends to chip away at the wall that has over time been erected between the military and industry, making it so hard for those who serve on one side to also take a tour on the other.

What this means also is that those cadets coming up from the Academies’ cyber programs will have very different career paths than what you all might have experienced in your early years in the military.

When many of you left active duty, you faced an all or nothing choice – to stay or go, when you reach the end of your commitment. In the past, the National Guard did not have purpose built units for civilians working in the cyber security world. There was no Defense Innovation Unit X, with its reserve unit for technologists. And the Department wasn’t putting its energies into recruiting top talent from industry to serve in exchange programs, as the DoD CIO is actually doing today.

So let’s say you’re one of the dynamo warriors out there at Mike’s CYBERCOM, who after several years is itching to found a start-up or join a hot new company out in the Bay Area. By the time the Secretary’s future of the force initiative is complete, that cyber dynamo may also have a chance to leave but join a Reserve Unit based right at Moffett Field, in the heart of Silicon Valley or come back to the Department for a year as a civilian IT expert. I can’t tell you how many guys have come up to me and said, “you know, it’s getting a little old showing teenagers how to share their pictures with each other more efficiently, I want to do something for my country.” Ok, so their willing to do this kind of thing, to come back and work with us for a year. Many of them have made all the money they need to make anyway, and they just want to serve. But, we’re very very interested in more permeable ability for that kind of participation.

All of these changes will be especially attractive to what we call the millennials. We’re in the middle of a generational turnover in our workforce just as you are in yours. As you know from your own companies, the crowd coming in has different preferences and different habits from what we old fogies have who lead them. They like challenge. They like change. They want to do something positive in the world, and they want to do it quickly. They’re very impatient. They prefer very small teams rather than large organizations. They’re mobile, and are unlikely to stay at a company for twenty years. And they are not as willing as we were to automatically grant credibility to others on the basis of age or experience.

Millennials have grown up in a world of ubiquitous burst communications - cell phones, the Twitter-verse, Facebook, Instagrams, and new snap chat. Things I’ve never even heard of. But, they have by the very nature of the world around them also been educated differently. On balance, they're a remarkable group who populate the best military I've seen in my 37 years of service. And I’m often asked, “isn’t it hard to lead those millennials?” I say “No, they’re perfect for us. We love them. Especially because they’re the Xbox Generation and they make hellacious fighter pilots. Better than I ever was. And what I really love about them is they hate bureaucracy, which puts pressure on us. So it’s a great thing and we’re going to need their talent, especially in the cyber world. Because we face tough challenges in that domain that all of you very well appreciate. I want to talk a little bit about how we handle those challenges – by talking about two of our paradigms of cyber defense and to how we effectively deter cyber-attacks. Three things

For a long while now, signature based defenses have anchored our approach to thwarting malicious attacks. That’s the first paradigm. Mark alluded to that a little bit earlier in saying that we want to make sure that only the first attack gets through, right, the first vector. We are dependent to a large degree on dissecting a previous attack that we’ve experienced, developing a counter to that type of attack, and then equipping our global sensor network and individual networks, and individual boxes, in some cases, to detect and counter that type of attack. In short, we are only able to recognize and defend against punches that have been thrown at us before, when a new type of punch comes at us, we have to take the blow, then take time to figure out what happened, then equip our brains to recognize and defend against it. And while all that is happening, we are essentially defenseless unless we simply shut down our networks. Which might very eloquently earlier said, is not really an option for us if we’re going to keep being the best military in the world at using network warfare.

So, we’re entering an era where that will no longer work. We can no longer afford to base our defenses on only stopping malicious code that we’ve seen before. A single attack can be so destructive that we can’t even allow one to slip past the moat. For that reason, I think we need to build a new paradigm of cyber defense, one that’s extremely challenging, one that’s built on new technological architectures. We have to be able to detect a new type of attack as it’s occurring, and stop it in its tracks, and you know, technologists know, how very hard that’s going to be. Or, we have to render the term “attack” irrelevant by configuring our networks and the software running on them in ways that make it impossible for an adversary to attack them in the first place.

A handful of you are helping pioneer whole new ways of doing this, but as I’ve said – it’s not an easy problem.

The businesses and start-ups you run are inventing new ways to wrap firmware and OS-code in layers of encryption; new ways to embed secure enclaves onto chips themselves, so hardware and software work in tandem to detect deviations; and new ways to use data analytics to detect penetrations. You’re also using what I’ll call “crazy math” and “crazy programming” to randomize, fragment, reconfigure, and make continually unique ways of running software and systems, so that an adversary who finds a way to break in once will not succeed the next time. But, it’s one thing to navigate your way into a single operating system. It’s another thing to figure out your way into its 64-million permutations.

What I’m saying is that we desperately need the help of industry to speed our passage into a new paradigm of cybersecurity dominated by technologies other than signature-based detection. This is a Big Data problem that connects data, analytics, placement and visualization within a complex ecosystem of ISPs, cyber security firms, software providers, hardware manufacturers, and data storage companies.

To me, this kind of big data is a big deal. To me, it’s the Manhattan project of cyber defense. So while signatures are going to continue to be a large part of cyber security for years to come, and we know that, my hope is that one of you in the audience is already well on your way to ensuring that they are only layer of defense, that there’s a better layer actually.

Another paradigm I’m particularly passionate about is that cyber security is not all about technology. It most decidedly is not all about technology, and Mark alluded to this earlier as well. While the technologies of cyber security are important, we should not overlook the element of human performance that is a significant part of network operations.

Secretary Carter disclosed last month that Russian hackers accessed one of our dot-mil networks. I think Mike talked about it earlier. They got in by attacking an old vulnerability that had simply not been patched in a legacy platform. And there are countless examples like that in the military and in industry where something like this has happened.  Click on a spear fishing e-mail. Insert a corrupted thumb drive into your computer.  You name it. Hackers affiliated with ISIL, you know, briefly took control of U.S. Central Command’s twitter account because we were using single factor authentication. More consequentially, as Mike alluded too, a foreign nation broke into the U.S. Navy’s unclassified network by exploiting a known security flaw unknowingly left in a public facing website. The most serious breach of a U.S. classified network occurred several years ago when a thumb drive loaded with malware was inserted against protocol directly into a secure desktop machine, because somebody was in a hurry.

The fact is that mistakes made by network administrators and users are frequently, most often I would say, the genesis of a successful attack. Human error is the bigger factor, I know of, in cyber security. It’s a bigger factor than I think most of us realize. One of the most important lessons emerging from our experience is that, while upgrades to system administration and layers of technical defenses have played a crucial role, minimizing human error in network operations has been arguably the most important factor behind security gains we have achieved. And we have much more that we can and should do in this area.

What it means is that when it comes to cyber defense, people matter as much or more than technology. Inculcating network operators and users with the tenets required to perform with the highest degree of precision and reliability is to me one of the new frontiers of cyber security. It is not enough to build flawlessly configured technical systems. It is also critically important to build a culture of performance among those who manage and actually use IT.

Many of you who came up through the military have been part of a culture of high performance somewhere else —whether it’s the nuclear program as Mike mentioned, or special operations forces or advanced aircraft technologies or the space program, you name it. Whether you were part of a unit, or the crew of an airplane, it doesn’t matter, each of those, each of you have an experience that gives you special insight into how leaders organize teams of people to perform and minimize critical mistakes. What you want to avoid is the little mistake that can cascade into a big one. So as you approach your own careers as cyber security experts, I would urge you to not lose sight of the human dimension. I actually view this as a national security imperative. One of our challenges going forward now is how to build a stronger culture of human performance around network operations, and we’re trying very hard to do that in the military.

I’d like to close by talking a little bit about cyber deterrence. It’s crucial for us to all not overlook how potentially destabilizing cyber can be. If you’re familiar with the terminology used in nuclear deterrence it’s eerily familiar to what we should be talking in terms of cyber deterrence. Because we’re talking about weapons of war that on the click of a mouse can change the physical reality of faraway places, in a dramatic way, even entire nations. Cyber weapons are powerful, they’re secret, and they carry their own mystique.

For that reason, they’re potentially destabilizing strategically. With dozens of militaries moving forward with offensive cyber programs, having clarity of deterrence in the cyber domain is even more important.

This is not the first time states have been faced with technologies that complicate the calculus of how to interact with one another, and I just talked about the nuclear age. For that reason, it’s important to think about, in new ways, about deterrence in the cyber regime, it will be vital to ensuring the potential volatility of the cyber domain does not manifest it in a sudden and unexpected escalatory exchange, between us and a large nation, or even a moderate sized nation. It’s especially important when we have more to lose from such an attack than our potential adversary does.

Now, the President made our position very clear in his 2011 International Cyberspace Strategy, he said, “When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners.”

Now, we deter in several different ways. I would list three. First, we deter by denying the adversary any benefit from an attack. Second, we deter by making our systems so resilient that a successful attack is repaired quickly. We call that resilience. But we also can deter by threatening to impose costs on an adversary by holding at risk the assets that that adversary values the most.

This is reiterated in our new cyber strategy which specifically refers to “convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States.” To be sure, those costs that we might impose on that adversary, could involve a non-cyber response to a cyber-act. It’s important to make clear in the mind of an adversary that an action was actually a reaction, which is not always easy for us to do in cyberspace.

And we also want to respond in ways that exploit a perpetrator's true vulnerabilities, and not surprisingly, not all the countries that threaten us are vulnerable in cyberspace as we would like them to be -- certainly not to the extent we are. So, options such as the cyber executive order the administration produced in the wake of the Korean attack on Sony are definitely part of the set of cyber response options.

But, in my personal view, and depending on the situation, part of cyber deterrence has to be cyber offense – but it’s a complex tool that we certainly do not want to take lightly.

To borrow lingo again from the world of nuclear deterrence, response options for both counterforce – namely, targeting an adversary’s military forces – and counter value – namely, targeting the other things that he holds dear, are an essential part of cyber deterrence, it’s especially true if a potential adversary has already, himself, pursued those pathways.

In the counterforce world, Chief of Staff of the Air Force Mark Welsh recently discussed with remarkable candor what some of these options are in the air domain.

Which of our, counter force or counter value, cyber capabilities we disclose and when we do so could be a decision for policy makers, but our adversaries need to have a sense for just how vulnerable they are in the cyber domain, if they should choose to attack us.

In this spirit, Secretary Carter said last month that one of the three missions of the military in cyber is to “provide cyber offensive options that, if directed by the President, can augment our other military systems.” Making this clear is important because of how it affects an adversary’s calculus and thus the overall stability, or instability, of the cyber domain. In the place I don’t want to be, is where an adversary assumes that we have a cyber-retaliation capability if we really don’t. So we need to make sure that we have that, and that it’s robust.

So, in closing, before I respond to questions, if your blood sugar is going back down, I’d like to thank each one of you for being here today. I know it’s a big sacrifice for you to leave your very productive businesses and careers to come all the way to West Point and sit down together and put your heads together on where we’re going on this very very important discipline. So thank you for being here. You are what we Navy people call plank owners of a Venn diagram that’s very very vitally important to our nation and to nation’s security, and you understand that better than anybody else in the business.

The challenges that I talked about will be with us for some time to come. It’s another long war. We need to move with a sense of urgency and purpose in the areas that I’ve talked about, and that Mike talked about. Emerging technology will be a crucial ingredient in doing so, especially in cyber, but also in other technical areas, that overlap what you do every day.

We will do this in the cyber arena by making the wall between the Department of Defense and industry much more permeable, so our nation’s brightest minds can bring more leverage to helping us keep our nation safe. I would urge each of you, and I think you are because you’re here, to be a part of the solution. Harness the very best of what America is doing today in this domain.

Work well for your customers--any time you make progress in securing their networks, you make our nation safer. Let’s also work well together—let’s join forces to ensure we can maintain an edge over our potential adversaries in this complicated, very fruitful, but inherently dangerous domain. In so doing, I think we’ll all, together, provide a very important service to our nation.

And with that, I thank you very much for inviting me up here today. I’ve enjoyed the earlier session I was fortunate enough to attend, and I hope that you keep that momentum going and get a lot out of the rest of today and tomorrow. Thank you very much, and I would be happy to take a couple questions.

Q: [Off mic] I’m [name inaudible] I like hearing you talk about this [inaudible] signatures and the more robust cyber defense and asking the industry to [inaudible] more secure. My question is that only the only protection of us that makes sense is the world, it’s everybody, any technology that’s [inaudible] and built will be used by everyone, nation state, and non-nation state. So anything we do to increase our resilience, increase our security, will naturally make Admiral Rogers intelligence and attack jobs much harder and are you ok with that?

WINNEFELD: Yes. I think Mike’s ok with that also. He has, that’s a really really good question. We call it IGO. Everybody know what IGO stands for? Intel-Gain-Loss, and there’s this constant tension between the operational community and the intelligence community when a military action could cause the loss of a critical intelligence node, and we live this every day. In fact, in ancient times, when we were collecting actual signals in the air, we would be on the operational side, “I want to take down that emitter” so that it would make things safer for the airplanes to penetrate the airspace and they’re saying, “no, you need to keep that emitter up, because I’m getting all types of intelligence from it.” So this is a familiar problem. But I think we would all win if our networks are more secure. And I think I would rather live on the side of secure networks and a harder problem for Mike on the intelligence side than very vulnerable networks and an easy problem for Mike and part of that, it’s not only is the right thing to do, but part of that goes to the fact that we are more vulnerable than any other country in the world, on our dependence on cyber. I’m also very confident that Mike has some very clever people working for him, who might actually still be able to get some good work done. But, it’s an excellent question. It really is.

Q: [Off mic] [name inaudible] retired. Would you mind adding some more information on how best to create a culture, of I think you said human performance?

WINNEFELD: Yah, I think that, and I want to be careful because I’m actually writing an article for a magazine on this, so I could get in trouble with the editors, right. But, if you take a look at the organizations that are out there, ok, you can find them and pick them, who find themselves at greatest risk for human error, where a catastrophe can occur when a single human makes an error, however small. And what those companies, or government organizations, or what have you, have done to eliminate that human performance risk without being crazy about it, what techniques have they used? What principles do they espouse? I think you’ll find a motherlode of, again, operational experience, operational excellence that you can tap into that is directly applicable to the cyber world. So, run off and find those guys, whether it’s NASA, which has been through some trouble, right? I mean they’ve had very tough problems, but they’ve attacked them with gusto and have turned themselves into a very reliable organization. You can look at the Navy Nuclear Propulsion program. You can look at the Air Force Nuclear Weapons Program, they’ve gone through a very difficult time, and have really come out of that very well. And where are the companies that are particularly vulnerable to that sort of [inaudible]. What is the New York Stock Exchange done? I don’t know if they have that sort of an ethic, but find what they’ve done, what principles they espouse and I think you’ll tap into some pretty good ability there to eliminate human error. What have other people done in other domains?

Ok, one more question? Unless there are none. Blood sugar? Oh, ok, alright. Well, thank you very much for inviting both Mike and I up here and God bless you for what you do and thank you.

[END]