Deputy Secretary Lynn Details Anti-Cyber Threat Strategy

PARIS, June 16, 2011 — The world is at a cross­roads in the devel­op­ment of threats in the cyber realm, Deputy Defense Sec­re­tary William J. Lynn III said here today.

More destruc­tive attack capa­bil­i­ties are being devel­oped but haven’t yet been used, Lynn told par­tic­i­pants in the Cen­ter for Strate­gic Deci­sion Research’s 28th Inter­na­tion­al Work­shop on Glob­al Secu­ri­ty. And the ter­ror­ist groups most like­ly to use such capa­bil­i­ties to attack cyber sys­tems, he told the group, have yet to acquire them.

“This sit­u­a­tion will not hold for­ev­er,” the deputy sec­re­tary said. “Ter­ror­ist orga­ni­za­tions or rogue states could obtain and use destruc­tive cyber capa­bil­i­ties.” The win­dow of oppor­tu­ni­ty to devel­op stronger defens­es before that hap­pens is of uncer­tain dura­tion, he added.

Lynn said three avenues of action are nec­es­sary to pre­vail against the spec­trum of cyber threats.

“First, we must raise the lev­el of pro­tec­tion in gov­ern­ment and mil­i­tary net­works,” he said. “We must ready our defense insti­tu­tion to con­front cyber threats, because it is clear that any future con­flict will have a cyber dimen­sion. Future adver­saries will seek to use our reliance on infor­ma­tion tech­nol­o­gy against us. We must be pre­pared to defend our net­works effec­tive­ly.”

The U.S. Defense Depart­ment is mov­ing aggres­sive­ly to counter the cyber threat, Lynn told the audi­ence, not­ing that as a doc­tri­nal mat­ter, the mil­i­tary must be able to defend and oper­ate freely in cyber­space.

“Over the past two years, we have deployed spe­cial­ized active defens­es to pro­tect mil­i­tary net­works, and we have estab­lished the U.S. Cyber Com­mand to oper­ate and defend them,” he said. “And we are devel­op­ing a com­pre­hen­sive cyber strat­e­gy that will guide how each mil­i­tary ser­vice trains, equips and com­mands its forces for the cyber mis­sion.”

And as the Unit­ed States pre­pares its own forces to face the cyber chal­lenge, Lynn said, it must pur­sue a sec­ond avenue of action: work­ing with allies and part­ners on col­lec­tive cyber defens­es to strength­en their col­lec­tive abil­i­ty to mon­i­tor and respond to intru­sions.

“In cyber­space, the more attack sig­na­tures you can see, and the more intru­sions you can trace, the bet­ter your defense will be,” he explained. “In this way, the Cold War con­struct of shared warn­ing has appli­ca­tions to cyber­space today. Just as our air and space defens­es are linked with those of our allies to pro­vide warn­ing of air­borne and mis­sile attacks, so too can we coop­er­a­tive­ly mon­i­tor our com­put­er net­works for cyber intru­sions.”

The Defense Depart­ment has worked with NATO nations and oth­er part­ners to strength­en cyber engage­ments, Lynn said.

“For the Depart­ment of Defense,” he added, “the inter­na­tion­al strat­e­gy pro­vides a frame­work for our con­tri­bu­tion to an effort that has many facets, from Inter­net free­dom and e‑commerce to cyber­crime law enforce­ment and inter­na­tion­al norms of behav­ior.

“Ulti­mate­ly,” he con­tin­ued, “this strat­e­gy will help us build a coali­tion of nations whose mutu­al inter­est in secur­ing cyber­space will ensure the ben­e­fits we derive from it flow unin­ter­rupt­ed.”

A con­sen­sus for action on cyber­se­cu­ri­ty is emerg­ing in Europe, Lynn said.

NATO is unan­i­mous in acknowl­edg­ing the need to ele­vate its treat­ment of net­work secu­ri­ty,” he said. “The new strate­gic con­cept names cyber­se­cu­ri­ty as a lead­ing pri­or­i­ty for NATO in the 21st cen­tu­ry.” In addi­tion, he said, NATO made a high-lev­el com­mit­ment to cyber­se­cu­ri­ty when the heads of state and gov­ern­ment of its mem­ber nations met in Lis­bon, Por­tu­gal, last year.

As a result, Lynn said, NATO has under­tak­en efforts to bet­ter defend its net­works.

“The com­mit­ment to take NATO’s Cyber Inci­dent Response Cen­ter to full oper­at­ing capa­bil­i­ty by 2012 is a sig­nif­i­cant step in the right direc­tion,” he said, adding that the alliance’s defense min­is­ters approved final cyber secu­ri­ty pol­i­cy guid­ance when they met last week.

The Euro­pean Union also is mov­ing rapid­ly to address cyber­se­cu­ri­ty, Lynn said, not­ing that he has con­ferred with EU’s high rep­re­sen­ta­tive, and Home­land Secu­ri­ty Sec­re­tary Janet Napoli­tano has met with EU’s home affairs com­mis­sion­er.

“And a joint cyber exer­cise slat­ed for lat­er this year will help estab­lish how our com­put­er inci­dent response cen­ters can work in part­ner­ship with the EU’s new cyber secu­ri­ty unit,” he added.

The third avenue of action is to form pub­lic-pri­vate part­ner­ships with the oper­a­tors of crit­i­cal infra­struc­ture, Lynn told the group.

“We need to work with indus­try to raise the lev­el of net­work defens­es in indus­tri­al sec­tors that are cru­cial to our econ­o­my and to the func­tion­ing of our mil­i­taries,” the deputy sec­re­tary said. “This is, in many ways, the most con­se­quen­tial to the secu­ri­ty of our soci­eties.”

Cyber threats tar­get much more than mil­i­tary sys­tems, Lynn explained. “Cyber intrud­ers have already probed many U.S. gov­ern­ment net­works, our elec­tri­cal grid, and our finan­cial sys­tem,” he said. “The fail­ure of any one of these could cause mas­sive phys­i­cal dam­age and eco­nom­ic dis­rup­tion.”

Pro­tect­ing crit­i­cal infra­struc­ture not only is essen­tial to the func­tion­ing of dai­ly life, Lynn said, but also is cru­cial to nation­al secu­ri­ty. He not­ed that in the Unit­ed States, as in Europe, mil­i­tary bases and instal­la­tions are part of — and not sep­a­rate from — the civil­ian infra­struc­ture that sup­ports towns and cities.

“Nine­ty-nine per­cent of the elec­tric­i­ty the U.S. mil­i­tary uses comes from civil­ian sources,” he said. “Nine­ty per­cent of U.S. mil­i­tary voice and Inter­net com­mu­ni­ca­tions trav­el over the same pri­vate net­works that ser­vice homes and offices. We also rely on the nation’s trans­porta­tion sys­tem to move mil­i­tary freight, we rely on com­mer­cial refiner­ies to pro­vide fuel, and we rely on the finan­cial indus­try to pay our bills.”

Dis­rup­tions to any one of these sec­tors would sig­nif­i­cant­ly affect defense oper­a­tions, and a cyber attack against more than one could be dev­as­tat­ing, Lynn said.

“In short, secure mil­i­tary net­works will mat­ter lit­tle if the pow­er grid goes down or the rest of gov­ern­ment stops func­tion­ing,” he told the audi­ence. “Pro­tect­ing the net­works that under­gird crit­i­cal infra­struc­ture must be part of our nation­al secu­ri­ty and home­land defense mis­sions.”

Mak­ing pro­tec­tion of crit­i­cal infra­struc­ture part of the defense mis­sion will require a strong part­ner­ship with agen­cies that have juris­dic­tion over sys­tems crit­i­cal to mil­i­tary effec­tive­ness, Lynn said. In the Unit­ed States, he added, the Home­land Secu­ri­ty Depart­ment has respon­si­bil­i­ty for pro­tect­ing the “dot-gov” domain and for lead­ing gov­ern­ment efforts to pro­tect crit­i­cal infra­struc­ture in the “dot-com” domain.

“In the past year, we have signed a mem­o­ran­dum of agree­ment with the Depart­ment of Home­land Secu­ri­ty that cod­i­fies our com­mit­ment to seam­less­ly coor­di­nat­ing cyber­se­cu­ri­ty efforts,” he said. “We have estab­lished a joint plan­ning capa­bil­i­ty and exchange of per­son­nel in our cyber watch cen­ters, and we are help­ing Home­land Secu­ri­ty deploy advanced defen­sive tech­nolo­gies on our gov­ern­ment net­works.”

The crit­i­cal infra­struc­ture upon which the defense estab­lish­ment depends also extends to the pri­vate com­pa­nies that pro­duce mil­i­tary equip­ment and weapons, the deputy sec­re­tary said. He out­lined a pro­gram called Defense Indus­tri­al Base Cyber Pilot, estab­lished last month, in which the Defense Depart­ment, in part­ner­ship with the Depart­ment of Home­land Secu­ri­ty, shares clas­si­fied threat infor­ma­tion and the know-how to employ it with par­tic­i­pat­ing defense com­pa­nies or their Inter­net ser­vice providers to help them defend their com­put­er net­works from attack or exploita­tion.

“With­out ques­tion, devel­op­ments in cyber­space have rede­fined the front lines of nation­al secu­ri­ty,” Lynn said. “With­in a few short years, infor­ma­tion tech­nol­o­gy has tran­si­tioned from a sup­port func­tion to a strate­gic ele­ment of pow­er in its own right. As a result, future con­flicts will unques­tion­ably have a cyber dimen­sion. The doc­trine, orga­ni­za­tion­al struc­ture, and resource allo­ca­tion of our defense min­istries must change to reflect this new real­i­ty.”

But efforts can­not end there, he added, as the chal­lenges in cyber­space are not amenable to nar­row solu­tions.

“No sin­gle agency can tack­le the required issues,” he said. “No one nation can devise or enforce a sus­tain­able solu­tion. And no com­bi­na­tion of nations can suc­ceed with­out part­ner­ing with pri­vate-sec­tor com­pa­nies. The range of actions nec­es­sary to enhance cyber­se­cu­ri­ty will require engage­ment in our defense insti­tu­tions, across our gov­ern­ments, between our nations, and between the pub­lic and pri­vate sec­tors.

“In short,” Lynn con­tin­ued, “we must work togeth­er, as every­one — from ordi­nary cit­i­zens, to the own­ers and oper­a­tors of crit­i­cal infra­struc­ture, to our warfight­ers on the front lines — has a stake in cyber­se­cu­ri­ty.

“Like oth­er secu­ri­ty chal­lenges that gal­va­nize like-mind­ed nations, cyber threats can be more ably defeat­ed through col­lec­tive action,” he added. “And just as we have for the last 60 years, I am con­fi­dent that we can act col­lec­tive­ly against this threat and make the invest­ments in capa­bil­i­ty and inter­op­er­abil­i­ty nec­es­sary for us to pre­vail.”

Source:
U.S. Depart­ment of Defense
Office of the Assis­tant Sec­re­tary of Defense (Pub­lic Affairs)

More news and arti­cles can be found on Face­book and Twit­ter.

Fol­low GlobalDefence.net on Face­book and/or on Twit­ter

Team GlobDef

Team GlobDef

Seit 2001 ist GlobalDefence.net im Internet unterwegs, um mit eigenen Analysen, interessanten Kooperationen und umfassenden Informationen für einen spannenden Überblick der Weltlage zu sorgen. GlobalDefenc.net war dabei die erste deutschsprachige Internetseite, die mit dem Schwerpunkt Sicherheitspolitik außerhalb von Hochschulen oder Instituten aufgetreten ist.

Alle Beiträge ansehen von Team GlobDef →