Hi everyone, it’s Kevin. Today is Thursday, March 18th (date recorded). Two weeks ago Kurt Hesch and I talked about the great opportunities on our plate because our nation needs more and better submarines. This need is driven by the great power competition with our adversaries, namely Russia and China, who in developing their submarine fleets work hard to steal United States technology and intellectual property. On today’s podcast I’m speaking with Eric Rommal, our Director of Security, to talk about the threats we face and what each one of us needs to do to keep our technology U.S. technology.
So Eric, thank you for joining me today on the podcast. Please give our listeners a bit of background about you.
Eric Rommal (ER): Thanks Kevin, I appreciate the opportunity to be here today. I went to the University of Maryland. I got an engineering degree and went off to work for the Shell Oil Company. After that I joined the FBI and studied counter intelligence and intelligence collection before becoming the special agent in charge of the New Orleans Field Office. After I retired, I wanted to continue my tradition of being a patriot, and I sought a company that could use my skills and that I would be excited to work for. That was, of course, Electric Boat.
Security is something you and I talk about quite a bit; it’s a huge topic covering a lot of areas and underpins every single thing we do, from the point we walk into the gate in the morning to the point we log in on our computers and work to protect our information. Let’s start by outlining first the context of the threats we face.
ER: Well boss, threats come in many flavors, but basically there are people and countries who want to do harm to us, either personally, politically or ideologically. Simply put—they want to gain any advantage they can and undermine our liberties and freedoms. Some of those threats come in a physical form; this happens through an act of violence or even intimidation such as the Navy Yard back in September 2013 and then the Pearl Harbor shooting in December of 2019.
Some countries want to harm us in a different way through the collection or theft of our information and technology. Russia and China are prime examples of this. Russia operates with a well-practiced, surgical style methodology for collection. They’re still using Cold War tactics and techniques but have proven themselves to be agile in cyber space. They have a desire to focus on capabilities of their submarines and missiles as well as their asymmetric threats.
As an example, Russia turned to a modern platform to conduct traditional, old-school recruiting in the form of LinkedIn. As you know we had a few instances at Electric Boat where very attractive women purported they worked for EB and requested some of our current employees be their connection. I refer to that as “click-bait.” They put a pretty picture on a profile, and we gravitate toward that, click on it and some relationship is formed. That’s where it starts. In this instance, neither one of them were EB employees, and those pictures were not representative of who was on the other side of that profile either.
The recent SolarWinds attack is another example of Russia’s cyber efforts. Russia hacked into SolarWinds and installed malware onto their servers, which lay dormant until SolarWinds did a patch update—they had to connect to the Internet to do an update. During that time they pushed that malware out to thousands and thousands of their clients, to include Electric Boat. The good thing is, we got ahead of it and they did not hack into our systems at all.
China has a very different strategy, which I refer to as “death by a thousand cuts.” They are about volume; they want to collect as much of everything as they possibly can, it doesn’t matter if it’s militarily related or personal. They just want to collect everything they can and they sift through it later at home.
I need to set one thing straight. China has no privately owned companies and rarely has any citizens who are independent from the government. They are very loyal to their government, and they have a thing called the five-year plan, which includes being better at everything that the government supports. The way they do that is that every individual has the obligation to give the government, all of their efforts, everything they can collect, they give it back to the government.
Back when I was in the FBI, I had a case on Huawei and ZTE; they are Chinese telecom companies with hundreds of phones, tablets, and watches which have built-in back-door features which allow China to hear and see all of your data, your information and whereabouts. Right now there is a ban in place by the U.S. government, but it is limited to future technology imports, not current items you may have.
Something more aligned with what EB does is China’s theft of technology, trade secrets, and intellectual property. Take some time to research the Chinese J-20 fighter jet as an example. So when I mentioned that China was trying to increase their military stance, they have a plan to build six nuclear submarines by 2030. This will further their ability to threaten surface ships in the Pacific, something we all need to be worried about.
The Russian and Chinese submarines are built on the backs of everyone who works at EB. It took nuclear submarine technology 120 years to get to the point where we are, yet Russia has done it in half that time and China even less. How? Are they smarter than us? No, they’re not. They’ve just stolen the technology; they’ve collected it in bits and pieces over a long period of time. They reverse engineer that information and they just outright steal it. Everything they have was created in the U.S. It is the aggregate of that data that has done us harm. We need to do better in protecting the next generations from our adversaries.
It’s sobering to think about how present the threat is, and it is everywhere—it can’t be underestimated. While we don’t want to make people paranoid, we want to make sure people have a healthy awareness of it and are skeptical of some of those things they can confront out there. Let’s talk about the different types of security that our employees are familiar with every single day. One, to ensure our safety, and two, to preserve our technical advantage in the face of these efforts by our adversaries.
ER: At EB, we have a number of different security programs embedded under my department. All of the them interact with one another; that’s the beauty of our security programs. First and foremost is our physical and personnel security. Our guard force is in place to protect us from those physical threats that we talked about earlier. We also have our badging and access control to make sure we keep the right people in and the wrong people out.
Part of the background check and the clearances process is making sure that when we’re hiring someone, we’re not bringing someone on just solely based on their skill set. We want to make sure they’re the right fit for Electric Boat, and if they have a dark past, we need to know about that before we give them a job.
For physical threats the threat is larger than just Groton or Quonset Point. With the advent of social media, we’ve seen some civil unrest in communities over the last number of months, and as soon as that hits social media, it now gets spread across the globe and introduces itself into Groton or Quonset Point, where it didn’t used to be before. Now there’s a platform where people can hear that message and they can incite a little bit of violence or uproar in an area that traditionally never had it.
Another part of the security program is our insider threat program. Insider threats are very concerning. I don’t know if you know, but there’s been an increase of nearly 50% of cases in the last two years. A lot of that has to do with COVID and working from home. People are under extraordinary stress, financial concerns, and of course the politics behind the COVID pandemic—this has driven people to behave very differently than they used to. For insiders, they often feel marginalized and perhaps even victimized by their company resulting in a need, in their mind, to set things straight. Employees, vendors and contractors who have ill intent can do a lot of damage to EB. Sometimes it’s in the form of violence, but often comes in the form of stealing or mishandling data. As an example, Edward Snowden believed he was doing the right thing, righting a wrong, “the end justifies the means.” Whichever cliché you choose, he gave away classified information to our adversary. It caused irreversible damage to the United States and put lives in danger. Edward Lin is another example. He was a Lieutenant Commander in the Navy who had direct interaction with the Chinese and Taiwanese governments. He committed espionage because he wanted to impress a woman. It just turned out that the woman was an undercover FBI agent.
Another part of the security team that I have is cyber and supply chain. The SolarWinds example I mentioned earlier is something the cyber team keeps an eye on. Just to put a point on it, EB had 28 billion attempts of hacking on our network just last month. I’m happy to say none of those were successful. Even beyond the earlier LinkedIn example, cyber and social media is our Achilles heel. It’s not just EB, but this social media generation loves to share. We share intimate details of our lives, our friends, our whereabouts and likes/dislikes. China and Russia have never been in a better position to recruit you than they are today. Stop sharing all of that information.
Maintaining our advantage and keeping our technology U.S. technology is of the utmost importance. Specifically, as it relates to our technology and our supply chain, we have to make sure that the data that we are sending to our vendors is done safely and securely and that they also are storing it safely and securely. In order to do that, we work closely with Supply Chain and Purchasing to determine levels of risk associated with third-party vendors.
The last portion is something new to Electric Boat but not new to those of you who may have served in the military. It’s called Operational Security or OPSEC. OPSEC encompasses all security traits. It alerts us and keeps an eye on us when we’re on the phone and we’re talking about things maybe we shouldn’t be talking about on an open phone line. When we publish photos for others to see, public release information, we have to be mindful of what those photos contain and who may be interested, other than your audience.
We talk about shipbuilding as a team sport; the same is true for security. How does your team coordinate with other parts of the business to make sure we’re maintaining our security?
ER: Security is definitely a team sport. Internally we work with HR on vetting employees with background checks and clearances as we talked about. Again, I don’t want to bring someone into EB just because they have a certain skill; I want to make sure they are the right person as well.
We also work with engineering, design and the program offices to carefully review what material is shared both inside and outside EB.
Externally, I take advantage of my previous life and work very closely with the FBI, NCIS and other “three letter” agencies to keep abreast of new and actionable intelligence. So if there is something new coming out of China or Russia and their tactics, I have those relationships as does my team so we can make ourselves a little bit stronger and a little bit smarter. We use these relationships not only to react to new things but to strategically plan for the future, much like we have a multi-year forecast for the Virginia and Columbia programs; we have the same mentality for Security.
So I want to make sure all of our employees understand what we can do to ensure our technology remains U.S. technology and we don’t give the bad guys a leg up here. Can you briefly talk about that—what can each of us do?
ER: Each one of us plays a very important role in this—it matters not whether you’re the President or a front-line worker. We all play a part. So some of the things we can do to be more safe and secure is to just be mindful of what data you can and cannot share. Who are you talking to outside of EB? Who is listening in the background? Are you taking your badge off when you walk out at night so you can’t be identified right away as an EB employee? Just be mindful of those things.
Certainly physical threats are terrible when they happen; they have a lasting impact. Something that is very emotional and they can literally scar you. We never want those to happen. But equally damaging to the United States are those long-term cyber and counter-intelligence threats that we talked about. Those things are chronic and they take decades to play out. We may not see them in our lifetime at EB but it will hurt the next generation at EB and our nation. I just need you to be mindful of those things. I don’t want to be all doom and gloom; I just want people to be aware and thoughtful about the data and the information that they have in their possession. Just make sure you take care of it.
Thanks Eric. I agree; while we don’t want our folks to be overly paranoid about it, we need to be healthy with our skepticism when it comes to the security threats we face from our adversaries. You and I live with this information on a daily basis, and frankly this feels like the Cold War days that I grew up with in the 70’s and 80’s. I think some of that may have waned a bit with some of our younger folks. We need to make sure that we’re impressing it upon each of us that these threats are real, and that we need to understand the threats and then ultimately we need to keep our company and nation’s security top of mind in our daily work. I encourage everyone listening to check out the links Eric has provided— there are a number of links attached below. They are pretty short reads, but you won’t forget them. They are real-life examples of espionage caused by our adversaries, and it’s recent and relevant to the work we do.
Thank you everyone; we’ll talk soon.
Links:
https://www.cdse.edu/documents/cdse/case-study-hongjin-tan.pdf
https://www.cdse.edu/documents/cdse/case-study-edward-lin.pdf
https://www.cdse.edu/documents/cdse/case-study-shannon-stafford.pdf
