Lynn: Cyberspace is the New Domain of Warfare

WASHINGTON, Oct. 18, 2010 — With the cre­ation of the U.S. Cyber Com­mand in May and last week’s cyber­se­cu­ri­ty agree­ment between the depart­ments of Defense and Home­land Secu­ri­ty, DOD is ready to add cyber­space to sea, land, air and space as the lat­est domain of war­fare, the Deputy Defense Sec­re­tary William J. Lynn III said.

“Infor­ma­tion tech­nol­o­gy pro­vides us with crit­i­cal advan­tages in all of our warfight­ing domains so we need to pro­tect cyber­space to enable those advan­tages,” Lynn said dur­ing an Oct. 14 Pen­ta­gon Chan­nel inter­view.

Adver­saries may be able to under­mine the military’s advan­tages in con­ven­tion­al areas, Lynn said, by attack­ing the nation’s mil­i­tary and com­mer­cial infor­ma­tion tech­nol­o­gy, or IT, infra­struc­ture.

This threat has “opened up a whole new asym­me­try in future war­fare,” the deputy defense sec­re­tary said.

DOD’s focus on cyberde­fense began in 2008 with a pre­vi­ous­ly clas­si­fied inci­dent in the Mid­dle East in which a flash dri­ve insert­ed mal­ware into clas­si­fied mil­i­tary net­works, Lynn said.

“We real­ized we could­n’t rely on pas­sive defens­es and fire­walls and soft­ware patch­es, and we’ve devel­oped a more-lay­ered defense,” he said.

Lynn laid out a draft cyber­strat­e­gy in the September/October issue of “For­eign Affairs” mag­a­zine. He said DOD is work­ing to final­ize the strat­e­gy.

“There’s no agreed-on def­i­n­i­tion of what con­sti­tutes a cyber­at­tack,” Lynn said. “It’s real­ly a range of things that can hap­pen — from exploita­tion and exfil­tra­tion of data to degra­da­tion of net­works to destruc­tion of net­works or even phys­i­cal equip­ment, phys­i­cal prop­er­ty. What we’re doing in our defense cyber­strat­e­gy is devel­op­ing appro­pri­ate respons­es and defens­es for each of those types of attacks.”

One ele­ment of the strat­e­gy –- work­ing with Home­land Defense to pro­tect crit­i­cal mil­i­tary and civil­ian IT infra­struc­ture -– was put into place Oct. 13, when Defense Sec­re­tary Robert M. Gates and Home­land Secu­ri­ty Sec­re­tary Janet Napoli­tano announced a new agree­ment to work togeth­er on cyber­se­cu­ri­ty.

The agree­ment includes a for­mal mech­a­nism for ben­e­fit­ing from the tech­ni­cal exper­tise of the Nation­al Secu­ri­ty Agency, or NSA, which is respon­si­ble for pro­tect­ing nation­al secu­ri­ty sys­tems, col­lect­ing relat­ed for­eign intel­li­gence, and enabling net­work war­fare.

Anoth­er ele­ment is what Lynn calls a “lay­ered defense, where you have intru­sion detec­tion and fire­walls but you also have a … lay­er that helps defend against attacks.”

In his draft strat­e­gy, Lynn describes the defense-lay­er com­po­nent of cyber­se­cu­ri­ty in terms of NSA-pio­neered sys­tems that “auto­mat­i­cal­ly deploy defens­es to counter intru­sions in real time. Part sen­sor, part sen­try, part sharp­shoot­er, these active defense sys­tems rep­re­sent a fun­da­men­tal shift in the U.S. approach to net­work defense.”

And, since no cyberde­fense sys­tem is per­fect, DOD requires “mul­ti­ple lay­ers of defense that give us bet­ter assur­ance of cap­tur­ing mal­ware before it gets to us,” Lynn said.

“We need the abil­i­ty to hunt on our own net­works to get [intrud­ers] that might get through and we need to con­tin­u­al­ly improve our defens­es,” he con­tin­ued. “We can’t stand still. The tech­nol­o­gy is going to con­tin­ue to advance and we have to keep pace with it.”

Envi­sioned attacks on mil­i­tary net­works could impair mil­i­tary pow­er, nation­al secu­ri­ty and the econ­o­my, Lynn said.

Ene­my cyber­at­tacks could deprive the mil­i­tary of the abil­i­ty to strike with pre­ci­sion and com­mu­ni­cate among forces and with head­quar­ters, he said, and it could impair logis­tics or trans­porta­tion net­works and elim­i­nate advan­tages that infor­ma­tion tech­nol­o­gy has giv­en mil­i­tary forces.

“Beyond that, cyber­at­tacks con­ceiv­ably could threat­en the nation­al econ­o­my if [adver­saries] were to go after the pow­er grid or finan­cial net­works or trans­porta­tion net­works, and that, too, would be a nation­al secu­ri­ty chal­lenge,” Lynn said. “And over the long run there’s a threat to our intel­lec­tu­al prop­er­ty … basi­cal­ly a theft of the life blood of our econ­o­my.”

Work­ing more close­ly with allies is an impor­tant ele­ment of the strat­e­gy, he said, to ensure a shared defense and an ear­ly warn­ing capa­bil­i­ty.

The NATO 2020 report right­ly iden­ti­fied the need for the alliance’s new 10-year strate­gic con­cept — a draft of which is an expect­ed prod­uct of the 2010 NATO Sum­mit slat­ed for Nov. 19–20 in Lis­bon, Por­tu­gal –- to fur­ther incor­po­rate cyberde­fense con­cepts Lynn wrote about in For­eign Affairs.

U.S. tech­no­log­i­cal advan­tages are a crit­i­cal part of the cyber­strat­e­gy and the Pen­ta­gon already is work­ing with indus­try and with the Defense Advanced Research Projects Agency to put these to work, Lynn said.

As part of a pub­lic-pri­vate part­ner­ship called the Endur­ing Secu­ri­ty Frame­work, Lynn wrote in his For­eign Affairs arti­cle, chief exec­u­tive offi­cers and chief tech­nol­o­gy offi­cers of major IT and defense com­pa­nies meet reg­u­lar­ly with top offi­cials from Defense, Home­land Secu­ri­ty and the Office of the Direc­tor of Nation­al Intel­li­gence.

DARPA also is work­ing on the Nation­al Cyber Range, a sim­u­lat­ed mod­el of the Inter­net that will enable the mil­i­tary to test its cyberde­fens­es before deploy­ing them in the field.

The Pentagon’s IT acqui­si­tion process also has to change, Lynn wrote in For­eign Affairs. It took Apple Inc. 24 months to devel­op the iPhone, he said, and at DOD it takes on aver­age about 81 months to devel­op and field a new com­put­er sys­tem after it is fund­ed.

“The Pen­ta­gon is devel­op­ing a spe­cif­ic acqui­si­tion track for infor­ma­tion tech­nol­o­gy,” Lynn wrote in For­eign Affairs, and it also is bol­ster­ing the num­ber of cyberde­fense experts who will lead the charge into the new cyber­war era.

The military’s glob­al com­mu­ni­ca­tions back­bone con­sists of 15,000 net­works and 7 mil­lion com­put­ing devices across hun­dreds of instal­la­tions in dozens of coun­tries, Lynn wrote. More than 90,000 peo­ple work full time to main­tain it, he said, but more are need­ed.

Through the estab­lish­ment of U.S. Cyber Com­mand and the bol­ster­ing of cyber­se­cu­ri­ty at oth­er defense agen­cies “we’ve great­ly increased the num­ber of cyber pro­fes­sion­als we have at DOD and will con­tin­ue to increase that,” Lynn told the Pen­ta­gon Chan­nel.”

U.S. Depart­ment of Defense
Office of the Assis­tant Sec­re­tary of Defense (Pub­lic Affairs)

More news and arti­cles can be found on Face­book and Twit­ter.

Fol­low on Face­book and/or on Twit­ter