Deputy Secretary Lynn Details Anti-Cyber Threat Strategy

PARIS, June 16, 2011 — The world is at a cross­roads in the devel­op­ment of threats in the cyber realm, Deputy Defense Sec­re­tary William J. Lynn III said here today.

More destruc­tive attack capa­bil­i­ties are being devel­oped but haven’t yet been used, Lynn told par­tic­i­pants in the Cen­ter for Strate­gic Deci­sion Research’s 28th Inter­na­tion­al Work­shop on Glob­al Secu­ri­ty. And the ter­ror­ist groups most like­ly to use such capa­bil­i­ties to attack cyber sys­tems, he told the group, have yet to acquire them.

“This sit­u­a­tion will not hold for­ev­er,” the deputy sec­re­tary said. “Ter­ror­ist orga­ni­za­tions or rogue states could obtain and use destruc­tive cyber capa­bil­i­ties.” The win­dow of oppor­tu­ni­ty to devel­op stronger defens­es before that hap­pens is of uncer­tain dura­tion, he added.

Lynn said three avenues of action are nec­es­sary to pre­vail against the spec­trum of cyber threats.

“First, we must raise the lev­el of pro­tec­tion in gov­ern­ment and mil­i­tary net­works,” he said. “We must ready our defense insti­tu­tion to con­front cyber threats, because it is clear that any future con­flict will have a cyber dimen­sion. Future adver­saries will seek to use our reliance on infor­ma­tion tech­nol­o­gy against us. We must be pre­pared to defend our net­works effec­tive­ly.”

The U.S. Defense Depart­ment is mov­ing aggres­sive­ly to counter the cyber threat, Lynn told the audi­ence, not­ing that as a doc­tri­nal mat­ter, the mil­i­tary must be able to defend and oper­ate freely in cyber­space.

“Over the past two years, we have deployed spe­cial­ized active defens­es to pro­tect mil­i­tary net­works, and we have estab­lished the U.S. Cyber Com­mand to oper­ate and defend them,” he said. “And we are devel­op­ing a com­pre­hen­sive cyber strat­e­gy that will guide how each mil­i­tary ser­vice trains, equips and com­mands its forces for the cyber mis­sion.”

And as the Unit­ed States pre­pares its own forces to face the cyber chal­lenge, Lynn said, it must pur­sue a sec­ond avenue of action: work­ing with allies and part­ners on col­lec­tive cyber defens­es to strength­en their col­lec­tive abil­i­ty to mon­i­tor and respond to intru­sions.

“In cyber­space, the more attack sig­na­tures you can see, and the more intru­sions you can trace, the bet­ter your defense will be,” he explained. “In this way, the Cold War con­struct of shared warn­ing has appli­ca­tions to cyber­space today. Just as our air and space defens­es are linked with those of our allies to pro­vide warn­ing of air­borne and mis­sile attacks, so too can we coop­er­a­tive­ly mon­i­tor our com­put­er net­works for cyber intru­sions.”

The Defense Depart­ment has worked with NATO nations and oth­er part­ners to strength­en cyber engage­ments, Lynn said.

“For the Depart­ment of Defense,” he added, “the inter­na­tion­al strat­e­gy pro­vides a frame­work for our con­tri­bu­tion to an effort that has many facets, from Inter­net free­dom and e‑commerce to cyber­crime law enforce­ment and inter­na­tion­al norms of behav­ior.

“Ulti­mate­ly,” he con­tin­ued, “this strat­e­gy will help us build a coali­tion of nations whose mutu­al inter­est in secur­ing cyber­space will ensure the ben­e­fits we derive from it flow unin­ter­rupt­ed.”

A con­sen­sus for action on cyber­se­cu­ri­ty is emerg­ing in Europe, Lynn said.

NATO is unan­i­mous in acknowl­edg­ing the need to ele­vate its treat­ment of net­work secu­ri­ty,” he said. “The new strate­gic con­cept names cyber­se­cu­ri­ty as a lead­ing pri­or­i­ty for NATO in the 21st cen­tu­ry.” In addi­tion, he said, NATO made a high-lev­el com­mit­ment to cyber­se­cu­ri­ty when the heads of state and gov­ern­ment of its mem­ber nations met in Lis­bon, Por­tu­gal, last year.

As a result, Lynn said, NATO has under­tak­en efforts to bet­ter defend its net­works.

“The com­mit­ment to take NATO’s Cyber Inci­dent Response Cen­ter to full oper­at­ing capa­bil­i­ty by 2012 is a sig­nif­i­cant step in the right direc­tion,” he said, adding that the alliance’s defense min­is­ters approved final cyber secu­ri­ty pol­i­cy guid­ance when they met last week.

The Euro­pean Union also is mov­ing rapid­ly to address cyber­se­cu­ri­ty, Lynn said, not­ing that he has con­ferred with EU’s high rep­re­sen­ta­tive, and Home­land Secu­ri­ty Sec­re­tary Janet Napoli­tano has met with EU’s home affairs com­mis­sion­er.

“And a joint cyber exer­cise slat­ed for lat­er this year will help estab­lish how our com­put­er inci­dent response cen­ters can work in part­ner­ship with the EU’s new cyber secu­ri­ty unit,” he added.

The third avenue of action is to form pub­lic-pri­vate part­ner­ships with the oper­a­tors of crit­i­cal infra­struc­ture, Lynn told the group.

“We need to work with indus­try to raise the lev­el of net­work defens­es in indus­tri­al sec­tors that are cru­cial to our econ­o­my and to the func­tion­ing of our mil­i­taries,” the deputy sec­re­tary said. “This is, in many ways, the most con­se­quen­tial to the secu­ri­ty of our soci­eties.”

Cyber threats tar­get much more than mil­i­tary sys­tems, Lynn explained. “Cyber intrud­ers have already probed many U.S. gov­ern­ment net­works, our elec­tri­cal grid, and our finan­cial sys­tem,” he said. “The fail­ure of any one of these could cause mas­sive phys­i­cal dam­age and eco­nom­ic dis­rup­tion.”

Pro­tect­ing crit­i­cal infra­struc­ture not only is essen­tial to the func­tion­ing of dai­ly life, Lynn said, but also is cru­cial to nation­al secu­ri­ty. He not­ed that in the Unit­ed States, as in Europe, mil­i­tary bases and instal­la­tions are part of — and not sep­a­rate from — the civil­ian infra­struc­ture that sup­ports towns and cities.

“Nine­ty-nine per­cent of the elec­tric­i­ty the U.S. mil­i­tary uses comes from civil­ian sources,” he said. “Nine­ty per­cent of U.S. mil­i­tary voice and Inter­net com­mu­ni­ca­tions trav­el over the same pri­vate net­works that ser­vice homes and offices. We also rely on the nation’s trans­porta­tion sys­tem to move mil­i­tary freight, we rely on com­mer­cial refiner­ies to pro­vide fuel, and we rely on the finan­cial indus­try to pay our bills.”

Dis­rup­tions to any one of these sec­tors would sig­nif­i­cant­ly affect defense oper­a­tions, and a cyber attack against more than one could be dev­as­tat­ing, Lynn said.

“In short, secure mil­i­tary net­works will mat­ter lit­tle if the pow­er grid goes down or the rest of gov­ern­ment stops func­tion­ing,” he told the audi­ence. “Pro­tect­ing the net­works that under­gird crit­i­cal infra­struc­ture must be part of our nation­al secu­ri­ty and home­land defense mis­sions.”

Mak­ing pro­tec­tion of crit­i­cal infra­struc­ture part of the defense mis­sion will require a strong part­ner­ship with agen­cies that have juris­dic­tion over sys­tems crit­i­cal to mil­i­tary effec­tive­ness, Lynn said. In the Unit­ed States, he added, the Home­land Secu­ri­ty Depart­ment has respon­si­bil­i­ty for pro­tect­ing the “dot-gov” domain and for lead­ing gov­ern­ment efforts to pro­tect crit­i­cal infra­struc­ture in the “dot-com” domain.

“In the past year, we have signed a mem­o­ran­dum of agree­ment with the Depart­ment of Home­land Secu­ri­ty that cod­i­fies our com­mit­ment to seam­less­ly coor­di­nat­ing cyber­se­cu­ri­ty efforts,” he said. “We have estab­lished a joint plan­ning capa­bil­i­ty and exchange of per­son­nel in our cyber watch cen­ters, and we are help­ing Home­land Secu­ri­ty deploy advanced defen­sive tech­nolo­gies on our gov­ern­ment net­works.”

The crit­i­cal infra­struc­ture upon which the defense estab­lish­ment depends also extends to the pri­vate com­pa­nies that pro­duce mil­i­tary equip­ment and weapons, the deputy sec­re­tary said. He out­lined a pro­gram called Defense Indus­tri­al Base Cyber Pilot, estab­lished last month, in which the Defense Depart­ment, in part­ner­ship with the Depart­ment of Home­land Secu­ri­ty, shares clas­si­fied threat infor­ma­tion and the know-how to employ it with par­tic­i­pat­ing defense com­pa­nies or their Inter­net ser­vice providers to help them defend their com­put­er net­works from attack or exploita­tion.

“With­out ques­tion, devel­op­ments in cyber­space have rede­fined the front lines of nation­al secu­ri­ty,” Lynn said. “With­in a few short years, infor­ma­tion tech­nol­o­gy has tran­si­tioned from a sup­port func­tion to a strate­gic ele­ment of pow­er in its own right. As a result, future con­flicts will unques­tion­ably have a cyber dimen­sion. The doc­trine, orga­ni­za­tion­al struc­ture, and resource allo­ca­tion of our defense min­istries must change to reflect this new real­i­ty.”

But efforts can­not end there, he added, as the chal­lenges in cyber­space are not amenable to nar­row solu­tions.

“No sin­gle agency can tack­le the required issues,” he said. “No one nation can devise or enforce a sus­tain­able solu­tion. And no com­bi­na­tion of nations can suc­ceed with­out part­ner­ing with pri­vate-sec­tor com­pa­nies. The range of actions nec­es­sary to enhance cyber­se­cu­ri­ty will require engage­ment in our defense insti­tu­tions, across our gov­ern­ments, between our nations, and between the pub­lic and pri­vate sec­tors.

“In short,” Lynn con­tin­ued, “we must work togeth­er, as every­one — from ordi­nary cit­i­zens, to the own­ers and oper­a­tors of crit­i­cal infra­struc­ture, to our warfight­ers on the front lines — has a stake in cyber­se­cu­ri­ty.

“Like oth­er secu­ri­ty chal­lenges that gal­va­nize like-mind­ed nations, cyber threats can be more ably defeat­ed through col­lec­tive action,” he added. “And just as we have for the last 60 years, I am con­fi­dent that we can act col­lec­tive­ly against this threat and make the invest­ments in capa­bil­i­ty and inter­op­er­abil­i­ty nec­es­sary for us to pre­vail.”

U.S. Depart­ment of Defense
Office of the Assis­tant Sec­re­tary of Defense (Pub­lic Affairs)

More news and arti­cles can be found on Face­book and Twit­ter.

Fol­low on Face­book and/or on Twit­ter