Lynn: Cyberwarfare Extends Scope of Conflict

WASHINGTON, Oct. 1, 2010 — Infor­ma­tion tech­nol­o­gy, and the world’s reliance on it, has rede­fined the front lines of nation­al secu­ri­ty, Deputy Defense Sec­re­tary William J. Lynn III said at the Coun­cil on For­eign Rela­tions in New York City yes­ter­day.

“Any major future con­flict will almost cer­tain­ly include ele­ments of cyber­war­fare,” he said. “And the threat posed by cyber­war­fare extends far beyond mil­i­tary oper­a­tions – it extends to the very heart of our econ­o­my.”

The depart­ment was always aware of the threats posed by hack­ers, nation states or ter­ror groups in the cyber­world, but DOD expe­ri­enced a wake-up call in 2008 when an intru­sion into mil­i­tary net­works extend­ed to the clas­si­fied realm.

“Up to that point, we did not think our clas­si­fied net­works could be pen­e­trat­ed,” Lynn said.

The com­pro­mise, he said, occurred when some­one in the Mid­dle East used a thumb dri­ve to trans­fer data from the unclas­si­fied net­work to the clas­si­fied net­work. The depart­ment launched Oper­a­tion Buck­shot Yan­kee to repair the breach and spent a lot of time, ener­gy and mon­ey to rem­e­dy the sit­u­a­tion. The attack led to a new approach to cyber secu­ri­ty in the Pen­ta­gon, Lynn said.

Lynn expand­ed on a recent arti­cle he wrote for the council’s For­eign Affairs mag­a­zine. He detailed the attrib­ut­es of the threats in cyber­space. First, he said, cyber is an asym­met­ric threat. It costs very lit­tle to devel­op a cyberthreat, while defend­ing against it costs quite a lot. He gave an exam­ple.

“Some of the most sophis­ti­cat­ed defense soft­wares that are com­mer­cial­ly avail­able now have between 5 mil­lion and 10 mil­lion lines of code,” he said. “They are mas­sive, work inten­sive, dif­fi­cult prod­ucts to devel­op.”

How­ev­er, “the aver­age mal­ware has stayed con­stant over the last decade at 170 lines of code,” Lynn said. This mis­match between cyber offense and defense is sub­stan­tial, he said, and will be a fact of life for the imme­di­ate future.

A sec­ond attribute of the cyberthreat is the dif­fi­cul­ty of find­ing out who launched the attack, Lynn said, not­ing a key­stroke can fly around the world in sec­onds.

“The foren­sics of iden­ti­fy­ing an attack­er can take weeks, months — or even years — if you can do it at all,” the deputy sec­re­tary said.

This sit­u­a­tion, Lynn said, breaks down con­ven­tion­al deter­rence strat­e­gy that was employed dur­ing the Cold War. “If you don’t know who to attribute an attack to, you can’t retal­i­ate against that attack, so you can’t deter through the threat of pun­ish­ment,” he said.

A third attribute, Lynn said, is that cyber­war­fare is offense-dom­i­nant. The Inter­net, he said, was not devel­oped with secu­ri­ty in mind. Instead, he added, the Inter­net is open, trans­par­ent and encour­ages ease of tech­ni­cal inno­va­tion.

“Struc­tural­ly, you will find the defend­er is always lag­ging behind the attack­er in terms of devel­op­ing mea­sures and coun­ter­mea­sures,” Lynn said. “Adept pro­gram­mers will always be able to find vul­ner­a­bil­i­ties and chal­lenge secu­ri­ty mea­sures.”

Giv­en the nature of the cyper­threat, Lynn said, DOD can­not adopt a bunker-type, defen­sive men­tal­i­ty — hun­kered down behind a seem­ing­ly impen­e­tra­ble wall, but in real­i­ty exposed to dan­gers.

“We need to be more inno­v­a­tive and active,” Lynn said.

The bot­tom line, he said, is that cyber is a new domain of war­fare, like land, sea, air and space. The new domain needs poli­cies, doc­trine, plan­ning, resources and strat­e­gy like the oth­er domains, Lynn said, not­ing this is one rea­son why the depart­ment stood up U.S. Cyber Com­mand in May.

Cyberde­fens­es need to be active, Lynn said. While com­put­er hygiene and perime­ter defens­es will catch and stop about 80 per­cent of cyberthreats, he said, the final 20 per­cent need active defens­es. So, DOD needs tools that search and hunt down cyberthreats inside net­works, he added.

Lynn said the depart­ment also needs to par­tic­i­pate in pro­tec­tions to crit­i­cal infra­struc­ture such as pow­er grids, trans­port and finan­cial net­works. Though the Depart­ment of Home­land Secu­ri­ty has the cyberde­fense lead for the U.S. gov­ern­ment, DOD can pro­vide exper­tise when need­ed, he said.

Cyberde­fense also is a shared activ­i­ty, Lynn said, with the more attack sig­na­tures iden­ti­fied, the bet­ter the pro­tec­tion. Shared warn­ing among allies –- a basis of Cold War strat­e­gy –- is just as impor­tant today, he said, not­ing the Unit­ed States is shar­ing infor­ma­tion with the Unit­ed King­dom, Aus­tralia and Cana­da.

The Unit­ed States is now look­ing to NATO to expand that cyberde­fense umbrel­la, the deputy sec­re­tary said, not­ing there will like­ly be a strong state­ment on cyber­se­cu­ri­ty dur­ing the Novem­ber NATO sum­mit in Lis­bon, Por­tu­gal.

“We need to con­tin­ue to lever­age [the] U.S. tech­no­log­i­cal base to retain the cyber advan­tage,” Lynn said. Amer­i­ca also needs to use tech­ni­cal inno­va­tion to change the terms of the offense-defense equa­tion, he added.

“Over time, we can devel­op tech­niques that will even out offense and defense to a greater degree than we see now,” Lynn said.

The Defense Advanced Research Projects Agency and oth­er DOD orga­ni­za­tions, he said, are look­ing at this offense-defense bal­ance and ways it may be made more equal.

Source:
U.S. Depart­ment of Defense
Office of the Assis­tant Sec­re­tary of Defense (Pub­lic Affairs)

More news and arti­cles can be found on Face­book and Twit­ter.

Fol­low GlobalDefence.net on Face­book and/or on Twit­ter

Team GlobDef

Team GlobDef

Seit 2001 ist GlobalDefence.net im Internet unterwegs, um mit eigenen Analysen, interessanten Kooperationen und umfassenden Informationen für einen spannenden Überblick der Weltlage zu sorgen. GlobalDefenc.net war dabei die erste deutschsprachige Internetseite, die mit dem Schwerpunkt Sicherheitspolitik außerhalb von Hochschulen oder Instituten aufgetreten ist.

Alle Beiträge ansehen von Team GlobDef →