PARIS, June 16, 2011 — The world is at a crossroads in the development of threats in the cyber realm, Deputy Defense Secretary William J. Lynn III said here today.
More destructive attack capabilities are being developed but haven’t yet been used, Lynn told participants in the Center for Strategic Decision Research’s 28th International Workshop on Global Security. And the terrorist groups most likely to use such capabilities to attack cyber systems, he told the group, have yet to acquire them.
“This situation will not hold forever,” the deputy secretary said. “Terrorist organizations or rogue states could obtain and use destructive cyber capabilities.” The window of opportunity to develop stronger defenses before that happens is of uncertain duration, he added.
Lynn said three avenues of action are necessary to prevail against the spectrum of cyber threats.
“First, we must raise the level of protection in government and military networks,” he said. “We must ready our defense institution to confront cyber threats, because it is clear that any future conflict will have a cyber dimension. Future adversaries will seek to use our reliance on information technology against us. We must be prepared to defend our networks effectively.”
The U.S. Defense Department is moving aggressively to counter the cyber threat, Lynn told the audience, noting that as a doctrinal matter, the military must be able to defend and operate freely in cyberspace.
“Over the past two years, we have deployed specialized active defenses to protect military networks, and we have established the U.S. Cyber Command to operate and defend them,” he said. “And we are developing a comprehensive cyber strategy that will guide how each military service trains, equips and commands its forces for the cyber mission.”
And as the United States prepares its own forces to face the cyber challenge, Lynn said, it must pursue a second avenue of action: working with allies and partners on collective cyber defenses to strengthen their collective ability to monitor and respond to intrusions.
“In cyberspace, the more attack signatures you can see, and the more intrusions you can trace, the better your defense will be,” he explained. “In this way, the Cold War construct of shared warning has applications to cyberspace today. Just as our air and space defenses are linked with those of our allies to provide warning of airborne and missile attacks, so too can we cooperatively monitor our computer networks for cyber intrusions.”
The Defense Department has worked with NATO nations and other partners to strengthen cyber engagements, Lynn said.
“For the Department of Defense,” he added, “the international strategy provides a framework for our contribution to an effort that has many facets, from Internet freedom and e‑commerce to cybercrime law enforcement and international norms of behavior.
“Ultimately,” he continued, “this strategy will help us build a coalition of nations whose mutual interest in securing cyberspace will ensure the benefits we derive from it flow uninterrupted.”
A consensus for action on cybersecurity is emerging in Europe, Lynn said.
“NATO is unanimous in acknowledging the need to elevate its treatment of network security,” he said. “The new strategic concept names cybersecurity as a leading priority for NATO in the 21st century.” In addition, he said, NATO made a high-level commitment to cybersecurity when the heads of state and government of its member nations met in Lisbon, Portugal, last year.
As a result, Lynn said, NATO has undertaken efforts to better defend its networks.
“The commitment to take NATO’s Cyber Incident Response Center to full operating capability by 2012 is a significant step in the right direction,” he said, adding that the alliance’s defense ministers approved final cyber security policy guidance when they met last week.
The European Union also is moving rapidly to address cybersecurity, Lynn said, noting that he has conferred with EU’s high representative, and Homeland Security Secretary Janet Napolitano has met with EU’s home affairs commissioner.
“And a joint cyber exercise slated for later this year will help establish how our computer incident response centers can work in partnership with the EU’s new cyber security unit,” he added.
The third avenue of action is to form public-private partnerships with the operators of critical infrastructure, Lynn told the group.
“We need to work with industry to raise the level of network defenses in industrial sectors that are crucial to our economy and to the functioning of our militaries,” the deputy secretary said. “This is, in many ways, the most consequential to the security of our societies.”
Cyber threats target much more than military systems, Lynn explained. “Cyber intruders have already probed many U.S. government networks, our electrical grid, and our financial system,” he said. “The failure of any one of these could cause massive physical damage and economic disruption.”
Protecting critical infrastructure not only is essential to the functioning of daily life, Lynn said, but also is crucial to national security. He noted that in the United States, as in Europe, military bases and installations are part of — and not separate from — the civilian infrastructure that supports towns and cities.
“Ninety-nine percent of the electricity the U.S. military uses comes from civilian sources,” he said. “Ninety percent of U.S. military voice and Internet communications travel over the same private networks that service homes and offices. We also rely on the nation’s transportation system to move military freight, we rely on commercial refineries to provide fuel, and we rely on the financial industry to pay our bills.”
Disruptions to any one of these sectors would significantly affect defense operations, and a cyber attack against more than one could be devastating, Lynn said.
“In short, secure military networks will matter little if the power grid goes down or the rest of government stops functioning,” he told the audience. “Protecting the networks that undergird critical infrastructure must be part of our national security and homeland defense missions.”
Making protection of critical infrastructure part of the defense mission will require a strong partnership with agencies that have jurisdiction over systems critical to military effectiveness, Lynn said. In the United States, he added, the Homeland Security Department has responsibility for protecting the “dot-gov” domain and for leading government efforts to protect critical infrastructure in the “dot-com” domain.
“In the past year, we have signed a memorandum of agreement with the Department of Homeland Security that codifies our commitment to seamlessly coordinating cybersecurity efforts,” he said. “We have established a joint planning capability and exchange of personnel in our cyber watch centers, and we are helping Homeland Security deploy advanced defensive technologies on our government networks.”
The critical infrastructure upon which the defense establishment depends also extends to the private companies that produce military equipment and weapons, the deputy secretary said. He outlined a program called Defense Industrial Base Cyber Pilot, established last month, in which the Defense Department, in partnership with the Department of Homeland Security, shares classified threat information and the know-how to employ it with participating defense companies or their Internet service providers to help them defend their computer networks from attack or exploitation.
“Without question, developments in cyberspace have redefined the front lines of national security,” Lynn said. “Within a few short years, information technology has transitioned from a support function to a strategic element of power in its own right. As a result, future conflicts will unquestionably have a cyber dimension. The doctrine, organizational structure, and resource allocation of our defense ministries must change to reflect this new reality.”
But efforts cannot end there, he added, as the challenges in cyberspace are not amenable to narrow solutions.
“No single agency can tackle the required issues,” he said. “No one nation can devise or enforce a sustainable solution. And no combination of nations can succeed without partnering with private-sector companies. The range of actions necessary to enhance cybersecurity will require engagement in our defense institutions, across our governments, between our nations, and between the public and private sectors.
“In short,” Lynn continued, “we must work together, as everyone — from ordinary citizens, to the owners and operators of critical infrastructure, to our warfighters on the front lines — has a stake in cybersecurity.
“Like other security challenges that galvanize like-minded nations, cyber threats can be more ably defeated through collective action,” he added. “And just as we have for the last 60 years, I am confident that we can act collectively against this threat and make the investments in capability and interoperability necessary for us to prevail.”
U.S. Department of Defense
Office of the Assistant Secretary of Defense (Public Affairs)